3Com 8807 Configuration Manual

8800 series

®
3Com
Switch 8800 Family

Configuration Guide

Switch 8807
Switch 8810
Switch 8814
www.3Com.com
Part No. 10015594, Rev. AA
Published: January 2007


Summary of Contents for 3Com 8807

  • Page 1: Configuration Guide

    ® 3Com Switch 8800 Family Configuration Guide Switch 8807 Switch 8810 Switch 8814 www.3Com.com Part No. 10015594, Rev. AA Published: January 2007...
  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    Command Line Interface Command Line View Features and Functions of Command Line LOGGING IN TO SWITCH Setting Up Configuration Environment through the Console Port Setting up Configuration Environment through Telnet Setting Up Configuration Environment through Modem Dial-up USER INTERFACE CONFIGURATION User Interface Overview...
  • Page 4 GARP&GVRP CONFIGURATION Configuring GARP Configuring GVRP ETHERNET PORT CONFIGURATION Ethernet Port Overview Ethernet Port Configuration Setting the Interval of Performing Statistics on Ports Displaying and Debugging Ethernet Port Ethernet Port Configuration Example Ethernet Port Troubleshooting LINK AGGREGATION CONFIGURATION Overview Link Aggregation Configuration...
  • Page 5 MAC Address Table Management Configuration Maximum MAC Address Number Learned by Ethernet Port and Forwarding Option Configuration Configuring Max Number of MAC Addresses that can be Learned in a VLAN Displaying and Debugging MAC Address Tables Resetting MAC Addresses MAC Address Table Management Configuration Example...
  • Page 6 Displaying and Debugging AAA and RADIUS Protocol AAA and RADIUS/HWTACACS Protocol Configuration Examples Troubleshooting AAA and RADIUS/HWTACACS PORTAL CONFIGURATION Portal Overview Basic Portal Configuration Portal Authentication-free User and Free IP Address Configuration Portal Rate Limit Function Configuration Portal User Deletion IP ROUTING PROTOCOL OVERVIEW...
  • Page 7 Typical BGP Configuration Examples Troubleshooting BGP IP ROUTING POLICY CONFIGURATION Introduction to IP Routing Policy Configuring IP Routing Policy Displaying and Debugging the Routing Policy Typical IP Routing Policy Configuration Example Troubleshooting Routing Policy ROUTE CAPACITY CONFIGURATION Route Capacity Configuration RECURSIVE...
  • Page 8 STATIC MULTICAST MAC ADDRESS CONFIGURATION Static Multicast MAC Address Overview Configuring a Static Multicast MAC Address Displaying and Maintaining Static Multicast MAC Address Configuration IGMP SNOOPING CONFIGURATION IGMP Snooping Overview IGMP Snooping Configuration Multicast Static Routing Port Configuration...
  • Page 9 Typical BGP/MPLS VPN Configuration Example Troubleshooting BGP/MPLS VPN Configuration SUPPORT FOR MPLS INTERMIXING Overview Restrictions in Intermixing Networking Intermixing Configuration Task Restrictions in Networking of Various MPLS Cards MPLS VLL MPLS L2VPN Overview CCC MPLS L2VPN Configuration Martini MPLS L2VPN Configuration...
  • Page 10 ARP CONFIGURATION Introduction to ARP Configuring ARP Displaying and Debugging ARP ARP TABLE CONFIGURATION Introduction to ARP Table Size Configuration Configuring ARP Table Size Dynamically Displaying ARP Table Size Configuration Configuration Example DHCP CONFIGURATION Some Concepts about DHCP Configuring General DHCP...
  • Page 11 DNS CONFIGURATION Introduction to DNS Configuring Static Domain Name Resolution Configuring Dynamic Domain Name Resolution Displaying and Debugging Domain Name Resolution DNS Configuration Example Troubleshooting Domain Name Resolution Configuration NETSTREAM CONFIGURATION Netstream Overview Netstream Configuration Netstream Configuration Examples NDP C...
  • Page 12 CONFIGURATION FTP Configuration TFTP Configuration INFORMATION CENTER Information Center Function SYSTEM MAINTENANCE AND DEBUGGING Basic System Configuration Displaying the Status and Information of the System System Debugging Testing Tools for Network Connection PROTOCOL PORT SECURITY CONFIGURATION Introduction to Protocol Port Security...
  • Page 13 Introduction to Egress Packet Statistics ETHERNET PORT LOOPBACK DETECTION Ethernet Port Loopback Detection Function Configuring the Loopback Detection Function Displaying and Maintaining the Loopback Detection Function CONFIGURATION QinQ Overview VLAN VPN Configuration VLAN VPN Configuration Traffic Classification-Based Nested VLAN Configuration Adjusting TPID Values for QinQ Packets...
  • Page 15: About This Guide

    (+), for example: Press Ctrl+Alt+Del The words “enter” and “type” When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”...
  • Page 16: Related Documentation

    Convention Description Words in italics Italics are used to: Emphasize a point. Denote a new term at the place where it is defined in the text. Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents.
  • Page 17: Product Overview

    1+1 redundancy; the remaining five accommodate I/O Modules. For Switch 8810, in the module area, there are 10 slots: the two (slot4, slot5) in the middle accommodate fabric modules, which are in 1+1 redundancy; the remaining 8 accommodate I/O Modules.
  • Page 18: Function Features

    Inter-card link aggregation Link aggregation LACP Dynamic host configuration protocol (DHCP) relay DHCP DHCP server DHCP Option82 and Option60 Supports the port-based inter-card mirroring and flow-based inter-card mirroring Mirroring Flow mirroring (packets can be duplicated to CPU and other ports)
  • Page 19 Function Features Table 1 Function features Features Implementation L3 multiprotocol label switching (MPLS) VPN (option1/2/3), embedded MPLS VPN, hierarchical PE (HoPE), CE dual homing, MCE, and multi-role host MPLS VLL, including Martini, Kompella and CCC modes VPLS Supports different types of traffic classification, including...
  • Page 20 OVERVIEW Table 1 Function features Features Implementation Command line interface configuration Local configuration through the Console port and the AUX port Local and remote configuration through Telnet on an Ethernet port Remote configuration through modem dialup through the AUX port.
  • Page 21: Command

    The command line interpreter searches for targets not fully matching the keywords. It is OK to key in the whole keyword or part of it, as long as it is unique and not ambiguous. Command Line View: 3Com series switches provide hierarchy protection for the command lines to prevent unauthorized users from accessing them illegally.
  • Page 22 In other words, user password of the higher level is needed (Suppose the user has set the super password [ level level ] { simple | cipher } password.) For the sake of confidentiality, on the screen the user cannot see the password that he entered.
  • Page 23 HWTACACS view; Port group view. The following table describes the function features of different views and the ways to enter or quit. Port numbers are only for examples. Table 2 Function feature of command view Command Command to...
  • Page 24 CHAPTER 2: COMMAND LINE INTERFACE Table 2 Function feature of command view Command Command to Command to view Function Prompt enter exit 100M Ethernet port view [3Com-Ethernet2/1/1 Key in interface ethernet 2/1/1 in system view GigabitEthernet Ethernet port port view...
  • Page 25 Command Line View Table 2 Function feature of command view Command Command to Command to view Function Prompt enter exit Use quit to return to system Configure SFTP Key in sftp view SFTP Client Client <sftp-client> ip-address in view Use return to...
  • Page 26 CHAPTER 2: COMMAND LINE INTERFACE Table 2 Function feature of command view Command Command to Command to view Function Prompt enter exit Use quit to return to system view Configure BGP Key in bgp 100 BGP view [3Com-bgp] parameters in system view...
  • Page 27 Command Line View Table 2 Function feature of command view Command Command to Command to view Function Prompt enter exit Use quit to return to system view WRED index Configure WRED Key in wred 0 in [3Com-wred-0] view parameters system view...
  • Page 28 CHAPTER 2: COMMAND LINE INTERFACE Table 2 Function feature of command view Command Command to Command to view Function Prompt enter exit Key in Use quit to route-policy return to system Configure route-policy-nam view Route-Policy Route-Policy [3Com-route-policy] e { permit | deny...
  • Page 29: Features And Functions Of Command Line

    <SW8800> display ver? version Input the first letters of a keyword of a command and press the <Tab> key. If no other keywords begin with these letters, this unique keyword will be displayed automatically.
  • Page 30 English and Chinese. For information to be displayed that exceeds one screen, a pausing function is provided. In this case, users have three choices, as shown in the table below. Table 3 Functions of displaying Key or Command Function Press <Ctrl+C>...
  • Page 31 The parameters entered are not specific. Editing Characteristics of Command Line: The command line interface provides the basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See the table below. Table 6 Editing functions Function...
  • Page 32 CHAPTER 2: COMMAND LINE INTERFACE...
  • Page 33: Logging In To Switch

    Setting Up Configuration Environment through the Console Port: Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the switch with the Console cable.
  • Page 34: Setting Up Configuration Environment Through Telnet

    Setting Up Configuration Environment through Telnet. Connecting a PC to the Switch through Telnet: After you have correctly configured the IP address of a VLAN interface for a switch via the Console port (using the ip address command in VLAN interface view), and added the port (that connects to a terminal) to this VLAN (using the port command in VLAN...
  • Page 35 Telnet user name and password on the switch through the console port. By default, the password is required for authenticating the Telnet user to log in to the switch. If a user logs in via Telnet without a password, he will see the prompt "Login password has not been set !".
  • Page 36 By default, the password is required for authenticating the Telnet user to log in to the switch. If a user logs in via Telnet without a password, he will see the prompt "Login password has not been set !.".
  • Page 37: Setting Up Configuration Environment Through Modem Dial-Up

    By default, the password is required for authenticating the Modem user to log in to the switch. If a user logs in via the Modem without a password, he or she will see the prompt "Login password has not been set !.".
  • Page 38 <SW8800>. Then you can configure and manage the switch. Enter "?" to get the immediate help. For details of specific commands, refer to the following chapters. By default, when a Modem user logs in, he can access the commands at Level 0.
  • Page 39: User Interface Configuration

    AUX user interface: The AUX user interface is used to log in to the switch locally or remotely with a modem via the AUX port. A switch can only have one AUX user interface. Its local configuration is similar to that for the Console user interface.
  • Page 40: User Interface Configuration

    The following command is used to configure the header displayed when users log in. When a user logs in to the switch, if a connection is activated, the login header is displayed. After the user successfully logs in to the switch, the shell header is displayed.
  • Page 41 Remove the login header configured undo header [ shell | incoming | login ] Note that if you press <Enter> after typing any of the three keywords shell, login and incoming in the command, then what you type after the word header is the contents of the login information, instead of identifying header type.
  • Page 42 After such user logs out, he cannot log in again. In this case, a user can log in to the switch through the user interface only when the terminal service is enabled again.
  • Page 43 If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently.
  • Page 44 By default, terminal authentication is not required for local users logging in via the Console port. However, password authentication is required for local users and remote Modem users logging in via the AUX port, and for Telnet users and VTY users logging in through an Ethernet port.
  • Page 45 Setting the command level used after a user logs in from a user interface You can use the following command to set the command level after a user logs in from a specific user interface, so that a user is able to execute the commands at such command level.
  • Page 46 For example, the command level of VTY 0 user interface is 1, however, you have the right to access commands of level 3; if you log in from VTY 0 user interface, you can access commands of level 3 and lower.
  • Page 47 Use this command with caution. Make sure that you will be able to log in to the system in some other way and cancel the configuration before you use the auto-execute command command and save the configuration.
  • Page 48: Displaying And Debugging User Interface

    Displaying and Debugging User Interface: After the above configuration, execute the display command in any view to display the running of the user interface configuration and to verify the effect of the configuration. Execute the free command in user view to release the user interface connection.
  • Page 49: Management Interface Overview

    Setting interface description; Displaying current system information; Testing network connectivity (ping, tracert). See the Port and System Management parts of this manual for details. CAUTION: Only the management interface configured with an IP address can run normally.
  • Page 50 CHAPTER 5: MANAGEMENT INTERFACE CONFIGURATION...
  • Page 51: Configuration File Management

    Configuration File Management Overview: The configuration file management module provides a user-friendly operation interface. It saves the configuration of the switch in the text format of command lines to record the whole configuration process. Thus you can view the configuration information conveniently.
  • Page 52 The configuration files are displayed in their corresponding saving formats. Modifying and Saving the Current-Configuration: You can modify the current configuration of the switch through the CLI. Use the save command to save the current-configuration in the Flash memory, and the configuration will become the saved-configuration when the system is powered on the next time.
  • Page 53 ".cfg". The file is stored in the root directory of the storage devices. After the above configuration, execute display command in any view to display the running of the configuration files, and to verify the effect of the configuration.
  • Page 54 CHAPTER 6: CONFIGURATION FILE MANAGEMENT...
  • Page 55: Vlan Overview

    “Configuring Port-Based VLAN”. Creating/Deleting a VLAN: You can use the following commands to create/delete a VLAN. If the VLAN to be created exists, the system will enter the VLAN view directly. Otherwise, the system will create the VLAN first, and then enter the VLAN view.
  • Page 56 Shutting down or bringing up a VLAN interface has no effect on the status of any Ethernet port in this VLAN. By default, when all the Ethernet ports in a VLAN are in the Down state, this VLAN interface is also Down. When there are one or more Ethernet ports in the Up state,...
  • Page 57: Configuring Protocol-Based Vlan

    Remove Ethernet ports from a VLAN undo port interface-list By default, the system adds all the ports to a default VLAN whose ID is 1. Note that you can add/remove the trunk and Hybrid ports to/from a VLAN by the port/undo port commands in Ethernet port view, but not in VLAN view.
  • Page 58: Configuring Ip Subnet-Based Vlan

    ] | all } Configure the CPU Port in a VLAN: The CPU is a special port in the Switch 8800 Family series routing switches. By default, because the CPU port is in a VLAN, when common broadcast packets and unknown multicast packets are broadcast within a VLAN, these packets will also be broadcast to the CPU.
  • Page 59 Displaying and Debugging a VLAN You can also move the CPU ports out of/into all the VLANs at a time. Perform the following configuration in system view. Table 44 Move the CPU port out of/into the specified VLANs Operation Command...
  • Page 60 CHAPTER 7: VLAN CONFIGURATION Configuration procedure # Create VLAN 2 and enter its view. [SW8800] vlan 2 # Add Ethernet3/1/1 and Ethernet4/1/1 to VLAN 2. [3Com-vlan2] port ethernet3/1/1 ethernet4/1/1 # Create VLAN 3 and enter its view. [3Com-vlan2] vlan 3 # Add Ethernet3/1/2 and Ethernet4/1/2 to VLAN 3.
  • Page 61: Configuring A Super Vlan

    IP address of the virtual interface of the super VLAN as the IP address of the gateway. The IP address is shared by multiple VLANs. Therefore IP addresses are saved. If different sub VLANs want to communicate with one another at Layer 3, or a sub VLAN communicates with other networks, you can enable ARP proxy.
  • Page 62 CAUTION: A Super VLAN cannot contain ports. After you set the VLAN type to super VLAN, the ARP proxy is automatically enabled on the VLAN port, and you do not need to configure the proxy. When a super VLAN exists, the ARP proxy should be enabled on the...
  • Page 63: Network Diagram

    Configuring a Super VLAN These sub VLANs are isolated at Layer 2. It is required that these sub VLANs communicate with one another at Layer 3. Network diagram Omitted Configuration procedure <SW8800>system-view System View: return to User View with Ctrl+Z.
  • Page 64 CHAPTER 8: SUPER VLAN CONFIGURATION...
  • Page 65: Isolate-User-Vlan Overview

    Secondary VLAN for each user, with each of the Secondary VLANs containing the ports and the upstream ports connected to the user. You can configure the ports connected to different users to be of the same Secondary VLAN to enable these users to communicate with each other on Layer 2.
  • Page 66 You cannot configure the same MAC address in a Secondary VLAN corresponding to an isolate-user-VLAN. If a VLAN is an isolate-user-VLAN or a Secondary VLAN, you cannot configure vlan-interface; a VLAN configured with vlan-interface cannot be configured as an isolate-user-VLAN or a Secondary VLAN.
  • Page 67: Displaying And Debugging An Isolate-User-Vlan

    VLAN in the Untagged mode simultaneously. For those not meeting the requirements, no other processing will be made. For an access port, the system will set the port as a hybrid port and set the default port VLAN ID and isolate-user-VLAN ID to be the same. Moreover, the port joins the isolate-user-VLAN and Secondary VLAN in the Untagged mode.
  • Page 68: Isolate-User-Vlan Configuration Example

    VLAN 6 is an isolate-user-VLAN including an upstream port (Ethernet2/1/1 port) and two Secondary VLANs: VLAN3 and VLAN4. VLAN3 includes Ethernet2/1/3 port and VLAN4 includes Ethernet2/1/4 port. Seen from the Switch A, either Switch B or Switch C carries one VLAN, VLAN 5 and VLAN 6 respectively. Network diagram...
  • Page 69 Isolate-user-VLAN Configuration Example # Configure the mapping relationship between the isolate-user-VLAN and the Secondary VLANs. [3Com-vlan2] quit [SW8800] isolate-user-vlan 5 secondary 2 to 3 2 Configuration on Switch C # Configure an isolate-user-VLAN. <SW8800>system-view [SW8800] vlan 6 [3Com-vlan6] isolate-user-vlan enable [3Com-vlan6] port ethernet2/1/1 # Configure Secondary VLANs.
  • Page 70 CHAPTER 9: ISOLATE-USER-VLAN CONFIGURATION...
  • Page 71: Ip Address

    Figure 14 Five classes of IP addresses (bit-position axis of the figure omitted)...
  • Page 72 Nowadays, with the rapid development of the Internet, IP (V4) addresses are depleting rapidly and will run out within a few years. The traditional IP address allocation method wastes IP addresses greatly. In order to make full use of the available IP addresses, the concepts of mask and subnet were proposed.
  • Page 73: Configuring Ip Address

    1s and 0s. In principle, these 1s and 0s can be combined arbitrarily. However, the first consecutive bits are set to 1s when you design a mask. The mask divides the IP address into two parts: subnet address and host address. The part of the IP address that corresponds to the 1 bits in the mask indicates the subnet address, and the other part indicates the host address.
  • Page 74 Configuring the IP Address of the VLAN Interface: You can configure an IP address for every VLAN interface of the switch. Generally, it is enough to configure one IP address for an interface. You can also configure up to 21 IP addresses for an interface, so that it can be connected to several subnets.
  • Page 75 In this case, the switch CPU is under attack. When receiving an IP packet whose TTL is less than or equal to 1, the switch sends the ICMP packet "time exceeded" to the network management system instead of sending an unreachable packet to the sending end, thus avoiding attack on the CPU.
  • Page 76: Displaying Ip Address

    Displaying IP Address After the above configuration, execute the display command in any view to display the IP addresses configured on interfaces of the network device, and to verify the effect of the configuration. Table 57 Display and debug IP address...
  • Page 77: Troubleshooting Ip Address Configuration

    2 Check which VLAN includes the port of the switch used to connect to the host. Check whether the VLAN has been configured with a VLAN interface. Then check whether the IP address of the VLAN interface and that of the host are on the same network segment.
  • Page 78 CHAPTER 10: IP ADDRESS CONFIGURATION...
  • Page 79: Ip Performance

    FIN_WAIT_2, the finwait timer is started. If FIN packets are not received before the finwait timer times out, the TCP connection is terminated. The timeout of the finwait timer ranges from 76 to 3600 seconds and is 675 seconds by default. The receiving/sending buffer size of the connection-oriented socket is in the...
  • Page 80 IP address (range) mask-length2 } | longer ] | longer ] Display the FIB entries matching a specific ACL display fib acl { number | name } Display the FIB entries which are output from display fib | { { begin | include | exclude }...
  • Page 81: Troubleshooting Ip Performance

    TCP packets. Operations include: <SW8800> terminal debugging <SW8800> debugging tcp packet Then the TCP packets received or sent can be checked in real time. Specific packet formats include: TCP output packet: Source IP address:202.38.160.1 Source port:1024 Destination IP Address 202.38.160.1...
  • Page 82 CHAPTER 11: IP PERFORMANCE CONFIGURATION flag = ACK window = 16079...
  • Page 83: Garp&Gvrp Configuration

    VLAN and multicast addresses. GARP does not exist in a switch as an entity. A GARP participant is called a GARP application. The main GARP applications at present are GVRP (GARP VLAN registration protocol) and GMRP.
  • Page 84 Join timer in terms of 5 centiseconds. Otherwise, the system will display an error message. The value range of a timer varies with the values of other timers. So if the value of a timer you want to set is not within the available value range, you can change the...
  • Page 85: Configuring Gvrp

    Configuring GVRP The lower limit of the Hold timer is 10 centiseconds. You can change its upper limit by changing the value of the Join timer. You can change the lower limit and upper limit of the Join timer by changing the...
  • Page 86 Enable port GVRP gvrp Disable port GVRP undo gvrp GVRP should be enabled globally before it is enabled on the port. GVRP can only be enabled/disabled on Trunk ports. By default, port GVRP is disabled. Setting the GVRP Registration Type: The GVRP registration types include normal, fixed and forbidden (refer to IEEE 802.1Q).
  • Page 87 Configuring GVRP When a Trunk port is set as fixed, the port is not allowed to dynamically register/deregister a VLAN; it only propagates information about static VLANs that are manually configured instead of that of dynamic VLANs. That is, a Trunk port of the fixed type only permits manually configured VLANs even if you configure it to permit all VLANs.
  • Page 88 CHAPTER 12: GARP&GVRP CONFIGURATION [SW8800] gvrp # Set Ethernet3/1/1 as a Trunk port and allow all the VLANs to pass through. [SW8800] interface ethernet3/1/1 [3Com-Ethernet3/1/1] port link-type trunk [3Com-Ethernet3/1/1] port trunk permit vlan all # Enable GVRP on the Trunk port.
  • Page 89: Ethernet Port Configuration

    Ethernet Port Overview: The Switch 8800 Family series can provide conventional Ethernet ports, fast Ethernet ports, 1000 Mbps Ethernet ports and 10 Gbps Ethernet ports. The configurations of these Ethernet ports are basically the same, which will be described in the following sections. Ethernet Port...
  • Page 90 By default, an Ethernet port has no description. Setting the Duplex Attribute of the Ethernet Port: To configure a port to send and receive data packets at the same time, set it to full-duplex. To configure a port to either send or receive data packets at a time, set it to half-duplex.
  • Page 91 Ethernet Port Configuration Setting Speed on the Ethernet Port: You can use the following command to set the speed on the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate the port speed.
  • Page 92: Setting The Interval Of Performing Statistics On Ports

    Jumbo Frames’ Passing a Card: encounter jumbo frames larger than the standard Ethernet frame length. The following command can be used to enable jumbo frames to pass a card or disable them from passing a card. Perform the following configuration in system view.
  • Page 93 By default, the broadcast suppression ratio is 50%, while the multicast suppression ratio is 100%. Setting the Ethernet Port Mode: Most ports adopt the LAN mode for general data exchange. The port must work in WAN mode, however, if it needs a special frame format for data transfer (such as in fiber transmission).
  • Page 94 You must turn it first into access port and then set it as other type. For example, you cannot configure a trunk port directly as hybrid port, but first set it as access port and then as hybrid port.
  • Page 95 VLAN. When sending the packets with VLAN Tag, if the VLAN ID of the packet is identical to the default VLAN ID of the port, the system will remove VLAN Tag before sending this packet.
  • Page 96 Disable the port VLAN VPN feature undo vlan-vpn Note that if any of GVRP, STP, and 802.1x has been enabled on a port, the VLAN VPN feature cannot be enabled on the port. By default, the port VLAN VPN feature is disabled.
  • Page 97 ] | aggregation-group agg-id } Note that if the copy source is an aggregation group, the Active port with the smallest number will be taken as the source; if the copy destination is an aggregation group, the configurations of all ports in the group will be updated to the configurations of the source.
  • Page 98: Displaying And Debugging Ethernet Port

    VLAN Tag, the port can forward them to the member ports belonging to the default VLAN; when sending packets with a VLAN Tag and the packet VLAN ID is the default VLAN ID, the Trunk port removes the packet VLAN Tag and forwards the packet.
  • Page 99: Ethernet Port Troubleshooting

    Execute the display interface or display port command to check if the port is a trunk port or a hybrid port. If it is neither of them, configure it as a trunk or hybrid port. Then configure the default VLAN ID.
  • Page 100 CHAPTER 13: ETHERNET PORT CONFIGURATION...
  • Page 101: Link Aggregation

    LACP aggregation or static LACP aggregation. For the member ports in an aggregation group, their basic configurations must be the same. That is, if one is a trunk port, others must also be; when it turns into access port, then others must change to access port.
  • Page 102 A manual or static LACP aggregation group must contain a member port at least. In the case of one port in an aggregation group, the unique method for you to remove the port from the aggregation group is to delete the aggregation group.
  • Page 103 ID, the system compares system priority first, and then system MAC address in the case of the same system priority. The smaller device ID is regarded as higher priority. When comparing port IDs, the system compares port priority first, and then port number in the case of the same port priority.
  • Page 104: Link Aggregation Configuration

    Port state: In an aggregation group, ports may be in active or inactive state; only the active ports can transmit and receive user service packets, inactive ports cannot.
  • Page 105 When configuring an aggregation group, the status of the GVRP feature configured on the master port is reserved, but that on the slave port is disabled. When adding a port to an existing aggregation group, the GVRP feature on the...
  • Page 106 During creating an aggregation group, if it already exists in the system but contains no member port, it changes to the new type. When you change a static LACP aggregation group to a manual one, LACP shall be disabled at the member ports automatically.
  • Page 107 By default, system priority is 32,768. Configuring Port Priority The LACP compares system IDs first and then port IDs (if system IDs are the same) in determining if the member ports are active or inactive ones for a dynamic LACP aggregation group.
  • Page 108: Displaying And Debugging Link Aggregation

    Displaying and Debugging Link Aggregation: After the above configuration, execute the display command in any view to display the running of the link aggregation configuration, and to verify the effect of the configuration. In user view, execute the reset command to clear statistics on the LACP-enabled port, and the debugging command to enable LACP debugging.
  • Page 109 Figure 19 Network diagram for link aggregation configuration Switch A Link aggregation Switch B Configuration procedure The following only lists the configuration for switch A, and that on switch B is similar. 1 Manual aggregation # Create aggregation group 1. [SW8800] link-aggregation group 1 mode manual # Add Ethernet ports Ethernet2/1/1 to Ethernet2/1/3 into aggregation group 1.
  • Page 110 CHAPTER 14: LINK AGGREGATION CONFIGURATION [3Com-Ethernet2/1/2] interface ethernet2/1/3 [3Com-Ethernet2/1/3] lacp enable You must set the basic configuration, rate and duplex attribute consistent at both ends to aggregate the LACP-enabled ports successfully into a dynamic aggregation group and achieve load sharing.
  • Page 111: Port

    PORT ISOLATION CONFIGURATION Port Isolation Overview: Using the port isolation feature, you can place different user ports into the same VLAN. As these users cannot communicate with each other, network security is improved, a flexible networking scheme is provided, and VLAN resources are conserved.
  • Page 112 CHAPTER 15: PORT ISOLATION CONFIGURATION Table 96 Configuring an uplink port in the isolated group Operation Command Description Required You can configure the uplink port for the isolated group only after you create the isolated group. The upstream port can...
  • Page 113: Port Isolation Configuration Example

    Port Isolation Configuration Example Network requirements: Users in a community connect to a switch. The switch communicates with the external network through port Ethernet2/1/1. These users are in VLAN 1 and cannot communicate with each other.
  • Page 114 Chapter 15: Port Isolation Configuration...
  • Page 115: Mac Address Table Management

    MAC Address Table Management Overview: A switch maintains a MAC address table for fast packet forwarding. A table entry includes the MAC address of a device and the ID of the switch port connected to that device. Dynamic entries (those not configured manually) are learned by the switch.
  • Page 116: Mac Address Table Management Configuration

    MAC addresses, which will affect the switch operation performance. If the aging time is set too long, the switch will store a great number of out-of-date MAC address entries. This consumes MAC address table resources, and the switch will not be able to update the MAC address table according to network changes.
  • Page 117: Maximum Mac Address Number Learned By Ethernet Port And Forwarding Option Configuration

    ...performance of the switch. You can control the number of entries in the MAC address table by setting the maximum number of MAC addresses a port can learn. If you set the value to count, then once the number of MAC addresses learned by the port reaches this value, the port will learn no more MAC addresses.
  • Page 118: Configuring Max Number Of Mac Addresses That Can Be Learned In A Vlan

    MAC addresses of the network devices in the network segments connected to a VLAN. However, if the MAC address table in a VLAN is too big, the forwarding performance of the switch will be decreased.
  • Page 119: Displaying And Debugging Mac Address Tables

    MAC Address Table Management Configuration Example: The user logs into the switch through the Console port to configure address table management. It is required to set the address aging time to 500s and add a static address 00e0-fc35-dc71 to Ethernet2/1/2 in VLAN 1.
  • Page 120 Configuration procedure # Enter the system view of the switch. <SW8800> system-view # Add a MAC address (specify the native VLAN, port and state). [SW8800] mac-address static 00e0-fc35-dc71 interface ethernet2/1/2 vlan 1 # Set the address aging time to 500s.
  • Page 121: Mstp Region - Configuration

    Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). STP is not fast in state transition. Even on a point-to-point link or an edge port, it has to take an interval twice as long as forward delay before the port transits to the forwarding state.
  • Page 122 (not indicated in Figure 23). VLAN mapping table The VLAN mapping table is an attribute of an MST region. It describes the mapping relationship between VLANs and spanning tree instances (STIs). For example, in the VLAN mapping table of MST region A0 in Figure 23, VLAN 1 is mapped to instance 1, VLAN 2 is mapped to instance 2, and the other VLANs are mapped to the CIST.
  • Page 123 MST region have different topologies, and their region roots may also be different. For example, the region root of STI 1 is Switch B and that of STI 2 is Switch C, as shown in Figure 23.
  • Page 124 In this figure, Switches A, B, C, and D make up an MST region. Ports 1 and 2 on Switch A connect to the common root bridge; ports 5 and 6 on Switch C form a loop; ports 3 and 4 on Switch D connect to other MST regions in the downstream direction.
  • Page 125 Besides the root bridge priority, root path cost, local bridge priority and port priority fields, the flags field, which takes one byte in an instance, is also used for role selection. The following figure describes the meaning of its eight bits:...
  • Page 126 The second and third bits together indicate the MSTP port role. 2 TC packet A TC packet is also an MSTP BPDU packet, but the lowest bit of its flags field is set to 1, which gives the TC packet its special meaning.
  • Page 127 As illustrated in the Figure 28, Switch A forwards data to Switch B via the port AP1. To Switch B, the designated bridge is Switch A and the designated port is AP1. In the figure, Switch B and Switch C are connected to the LAN and Switch B forwards BPDU to LAN.
  • Page 128 ID (expressed as the port number). As illustrated in Figure 29, the priorities of Switches A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively.
  • Page 129 BPDU plus the corresponding path cost of the local port is set as S, the configuration BPDU with a smaller S has a higher priority. If the costs of path to the root are also the same, compare in sequence the ■...
  • Page 130 BPDU {0, 5, 0, AP1} of BP1 has a higher priority than the configuration BPDU {1, 0, 1, BP2} of BP2. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows.
  • Page 131 Introduction to MSTP For example, the link from Switch B to Switch C is down, or the port receives a better configuration BPDU. Thus, the spanning tree is stabilized. The tree with root bridge A is illustrated in Figure 30.
  • Page 132: Configuring Mstp

    Forward Delay before they enter the forwarding state. And thus, the packets of a VLAN will be forwarded along the following path: in the MST region, the packets will be forwarded along the corresponding MSTI;...
  • Page 133 When GVRP and MSTP start on the switch simultaneously, GVRP packets will propagate along CIST which is a spanning tree instance. In this case, if you want to issue a certain VLAN through GVRP on the network, you should make sure that the VLAN is mapped to CIST when configuring the VLAN mapping table of MSTP.
  • Page 134 (VLAN ID-1). If the modulo operation is based on 16, VLAN 1 is mapped to MSTI 1, VLAN 2 is mapped to MSTI 2...VLAN 16 is mapped to MSTI 16, VLAN 17 is mapped to VLAN 17, and so on.) Perform the following configurations in MST region view.
  • Page 135 The root types of a switch in different STIs are independent of one another. The switch can be a primary or secondary root of any STI. However, it cannot serve as both the primary and secondary roots of one STI.
  • Page 136 By default, the switch bridge priority is 32768. Configuring the Max Hops in an MST Region: The scale of an MST region is limited by the max hops in the MST region, which is configured on the region root. As the BPDU travels from the spanning tree root,...
  • Page 137 each time it is forwarded by a switch, the max hops value is reduced by 1. The switch discards a configuration BPDU with 0 hops left. This makes it impossible for switches beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region.
  • Page 138 The default value is recommended. If you set too long a Hello Time, then when a packet is dropped over a link, the switch may consider it a link fault and the network devices will recalculate the spanning tree accordingly.
  • Page 139 Restore the default timeout factor: undo stp timer-factor. It is recommended to set 5, 6 or 7 as the timeout factor in a stable network. By default, the timeout factor of the switch is 3. Configuring the Max...
  • Page 140 For more about the commands, refer to the Command Manual. This parameter only takes a relative value without units. If it is set too large, too many packets will be transmitted during every Hello Time and too many network resources will be occupied.
  • Page 141 Restore the default setting of the port as a non-edge port: undo stp edged-port. You can configure a port as an edge port or a non-edge port with either of the earlier-mentioned measures. After being configured as an edge port, the port can transit quickly from the blocking state to the forwarding state without any delay.
  • Page 142 ■ Aggregation port: The rate of either a primary or a secondary port in an aggregation port group is the sum of the port rates in the group. If a port is down, the rate is 0. ■ Non-aggregation port...
  • Page 143 3Com’s legacy calculation standard 1 Calculating the rate ■ Aggregation port: The rate of the primary port in an aggregation group is determined by the sum of the port rates in this group. No calculation is performed for a secondary port. ■ Non-aggregation port...
  • Page 144 For spanning tree calculation, the port priority is an important factor in determining whether a port can be elected as the root port. With other things being equal, the port with the highest priority will be elected as the root port. On the MSTP switch, a port can have different priorities in different STIs and plays different roles in each.
  • Page 145 This configuration takes effect on the CIST and all the MSTIs. The settings of a port whether to connect the point-to-point link will be applied to all the STIs to which the port belongs.
  • Page 146 However, the STP switch can only recognize config BPDUs (STP BPDUs) sent by STP and RSTP bridges. After a switch running in STP-compatible mode switches back to MSTP mode, it will not send MSTP BPDUs if you do not execute the stp mcheck command. Therefore, the connected device still sends config BPDUs (STP BPDUs) to it, causing problems such as the same configuration existing in different regions.
  • Page 147 For an access device, the access port is generally directly connected to the user terminal (for example, a PC) or a file server, and the access port is set as an edge port to implement fast transition. When such a port receives a BPDU packet, the system will automatically set it as a non-edge port and recalculate the spanning tree, which causes the network topology to flap.
  • Page 148 ■ If you are not sure that STP is enabled on the opposite peer, it is not recommended to carry out the stp loop-protection command on this port. ■ If the port is a root port or an alternate port, you can carry out the stp loop-protection command.
  • Page 149 (as if the link to the port is disconnected). If the port has not received any higher-priority BPDU for a certain period of time thereafter, it will resume the normal state.
  • Page 150: Displaying And Debugging Mstp

    You can enable/disable MSTP on a port with either of the earlier-mentioned measures. Note that redundant routes may be generated after MSTP is disabled. By default, MSTP is enabled on all the ports after it is enabled on the device. Disabling BPDU Packets...
  • Page 151 Display the configuration information about the region: display stp region-configuration. Display TC statistics: display stp [ instance instanceid ] tc { all | detected | received | sent }. Clear the MSTP statistics information: reset stp [ interface interface-list ]...
  • Page 152: Typical Mstp Configuration Example

    30 function at the distribution and access layers, and VLAN 40 functions at the access layer only. So the root of instance 1 can be configured as Switch A, root of instance 3 can be Switch B, and root of instance 4 can be Switch C.
  • Page 153 [3Com-mst-region] instance 4 vlan 40 [3Com-mst-region] revision-level 0 # Manually activate MST region configuration. [3Com-mst-region] active region-configuration # Specify Switch A as the root of instance 1 [SW8800] stp instance 1 root primary 2 Configurations on Switch B # MST region.
  • Page 154 4 Configurations on Switch D # MST region [SW8800] stp region-configuration [3Com-mst-region] region-name example [3Com-mst-region] instance 1 vlan 10 [3Com-mst-region] instance 3 vlan 30 [3Com-mst-region] instance 4 vlan 40 [3Com-mst-region] revision-level 0 # Manually activate MST region configuration. [3Com-mst-region] active region-configuration...
  • Page 155: Digest Snooping Configuration

    VLANs and VPN instances of each switch. 2 If you want to change the configuration of a region with one or multiple of its switches being digest snooping-enabled, be sure to disable digest snooping on...
  • Page 156 ...information: current-configuration. This command can be executed in any view. ■ You must enable digest snooping on a port first before enabling it globally. ■ Digest snooping is unnecessary if the interconnected switches are from the same manufacturer. ■ To enable digest snooping, the interconnected switches must be configured...
  • Page 157 Configuration procedure # 3Com B is directly connected to A through GE 1/1 and GE 1/2 ports. Enable digest snooping on these two ports by executing the following command: <SW8800>system-view System View: return to User View with Ctrl+Z.
  • Page 158 Chapter 18: Digest Snooping Configuration...
  • Page 159: Fast Transition

    Fast Transition Introduction: The designated port fast transition mechanism of RSTP and MSTP uses two types of protocol packets: ■ proposal packet: requests fast transition. ■ agreement packet: permits the opposite end to perform fast state transition. RSTP and MSTP require that a designated port of the upstream switch perform fast transition only after receiving the agreement packet from the downstream switch.
  • Page 160: Configuring Fast Transition

    S5800 switch that serves as the downstream switch. If this port is a root port, after receiving the proposal packet from the designated port of the upstream switch, the port sends the agreement packet to the upstream switch on its own initiative rather than only after receiving an agreement packet.
  • Page 161 Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable fast transition (required): stp no-agreement-check. By default, port fast transition is disabled. You can configure fast transition only on a root port or an alternate port.
  • Page 162 Chapter 19: Fast Transition...
  • Page 163: Bpdu Tunnel Overview

    A and B. On the operator’s network, you can configure to convert the MAC addresses of the arriving BPDU packets to a special format at the ingress, and then reconvert them at the egress. This is how transparent transmission is implemented on the operator’s network.
  • Page 164: Bpdu Tunnel Configuration Example

    By default, the VLAN VPN is disabled on all the ports. VLAN VPN is not compatible with STP, DOT1X, GVRP, and NTDP. In Ethernet port view, VLAN VPN and STP are not compatible with each other and cannot function at the same time.
  • Page 165 1 Configure Switch A # Enable rapid spanning tree protocol (RSTP) on the device. [Switch_A] stp enable # Set the port Ethernet 0/1 as a trunk port and configure it to permit VLAN 10 to pass through. [Switch_A] vlan 10...
  • Page 166 # Add the port Ethernet 3/1/2 into VLAN 20. [Switch_D] vlan 20 [Switch_D-vlan20] port Ethernet 3/1/2 # First disable the STP protocol and then enable VLAN VPN on the port Ethernet 3/1/2. [Switch_D] interface Ethernet 3/1/2 [Switch_D-Ethernet3/1/2] stp disable [Switch_D-Ethernet3/1/2] vlan-vpn enable # Set the port Ethernet 3/1/1 as a trunk port.
  • Page 167: Acl Overview

    129.102.1.1 is surely put in the front. Specifically, for the statements of basic ACL rules, directly compare the wildcards of the source addresses and follow the configuration order if the wildcards are equal; for the ACL rules used in port packet filtering, the rules...
  • Page 168 If one rule is a subset of another rule in an ACL, it is recommended to apply the rules according to the range of the specified packets. The rule with the smallest range of the specified data packets is applied first, and then other rules are applied based on this principle.
  • Page 169: Acl Configuration Tasks

    MPLS supported: 1023 (3C17527, 3C17530, 3C17531). A maximum of 12288 ACL rules can be activated on the whole service processor card. ACL Configuration Tasks: The following table describes the ACL configuration tasks for interface cards. Table 145 ACL configuration tasks on interface cards...
  • Page 170 You may set such items in time range configuration: The defined time range includes absolute time range and periodic time range. The absolute time range is in the form of hh:mm YYYY/MM/DD; the periodic time range is in the format of hh:mm, day.
  • Page 171 If neither starting time nor end time is specified, the time range is 24 hours (00:00 to 24:00). If no end date is specified, the time range is from the date of configuration till the largest date available in the system.
  • Page 172 Delete flow template: ... slotid. Note that the sum of all elements should not be more than 16 bytes in length. The following table lists the length of the elements involved. Table 149 Length of template elements...
  • Page 173 The flow template pre-defined for MPLS2VPN: 2 bytes. ■ The numbers listed in the table are not the actual length of these elements in IP packets, but their length in the flow template. ■ The DSCP field is one byte in the flow template, but six bits in IP packets. You can determine whether the total length of template elements exceeds 16 bytes using these numbers.
  • Page 174 ■ If the time-range keyword is not selected, the ACL will be effective at any time after being activated. ■ You can define multiple sub-rules for the ACL by using the rule command several times.
  • Page 175 { number acl-number | name acl-name | all } (system view) CAUTION: ■ The port1 and port2 parameters in the command listed in Table 152 should be TCP/UDP ports for higher-layer applications. For some common ports, you can use mnemonic symbols to replace the corresponding port numbers.
  • Page 176: Displaying And Debugging Acl Configurations

    You can also assign a system index for it when delivering an ACL rule with this command, but the index value may change while the system is running.
  • Page 177: Acl Configuration Example

    Ethernet2/1/1. The wage server of the financial department is at 129.110.1.2. The requirement is to configure ACLs so that the R&D department can only access the wage server during working time, from 8:00 to 18:00. Network diagram...
  • Page 178 With proper basic ACL configuration, during the time range from 8:00 to 18:00 every day the switch filters the packets from the host with source IP 10.1.1.1 (the host is connected to the switch through port Ethernet2/1/1). Network diagram...
  • Page 179 Layer 2 ACL Configuration Example. Network requirements: With proper Layer 2 ACL configuration, during the time range from 8:00 to 18:00 every day the switch filters the packets with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303 (configured on port Ethernet2/1/1 of the switch).
  • Page 180 Network requirements: BitTorrent (BT) is a kind of file-sharing software for downloads. Its feature is that the more people use it to download a file, the faster the file downloads. While BT download greatly reduces the burden on the download server, it also brings a dramatic increase in download traffic on the Internet.
  • Page 181: Qos Overview

    ToS (type of service) field in the packet headers. It can also be very complex. For example, it may contain information of the link layer (layer 2), network layer...
  • Page 182 As shown in Figure 42, the ToS field in the IP header contains 8 bits. The first three bits represent IP priority, in the range of 0 to 7; bits 3-6 stand for ToS priority, in the range of 0 to 15. RFC2474 redefines the ToS field in IP packets as DS (differentiated services) field.
  • Page 183 Figure 44 802.1Q tag header. In the figure, the priority field in the TCI stands for 802.1p priority, which consists of three bits. There are eight priority levels, numbered 0 to 7, for determining which packets to send first when switch congestion takes place.
  • Page 184: Introduction To Qos Configuration Based On Port Groups

    For a 100 Mbps port, the weight values are set as 50, 30, 10, 10, 50, 30, 10 and 10 (corresponding respectively to w7, w6, w5, w4, w3, w2, w1 and w0). Then even the queue with the lowest priority can be allocated 5 Mbps of bandwidth.
  • Page 185 Introduction to QoS Configuration Based on Port Groups Table 157 Configure QoS based on port groups. Enter system view: system-view. Enable descriptor share on the specified card: share descriptors slotid (this function is disabled by default).
  • Page 186 When you configure the port group of a common interface card other than the XP4 card, note that: ■ Do not add the ports of different cards to the same port group. ■ Do not add the same port to multiple port groups.
  • Page 187 Introduction to QoS Configuration Based on Port Groups ■ The XP4 card does not support inter-group port mirroring. ■ A port group can have an inbound and an outbound monitoring port. There is only one monitoring port in other types of interface cards.
  • Page 188: Qos Configuration

    [3Com-port-group1] port GigabitEthernet 7/1/1 GigabitEthernet 7/1/2 4 Redirect the packet forwarded to the port group. # Set the next hop of the packet forwarded to the port in port group 1 to 3.0.0.1. [3Com-port-group1] traffic-redirect inbound ip-group 2000 rule 0 next-hop 3.0.0.1...
  • Page 189 If a port is not configured by means of the priority command (namely, the default priority 0 is used), all tagged packets through this port will not be mapped to the local precedence according to the 802.1p priority in the tag;...
  • Page 190 Restore the local priority of the port group to the default value: undo priority. Configuring Traffic Policing: Traffic policing refers to rate limiting based on traffic. If the traffic threshold is exceeded, corresponding measures will be taken, for example, dropping the excess packets or redefining their priority levels.
  • Page 191 Configure a traffic policing rule that applies only to an IP group: { acl-number | acl-name } [ rule rule [ system-index index ] ] [ tc-index index ] cir cbs ebs [ pir ] [ conform { { remark-cos | remark-drop-priority }* |...
  • Page 192 } [ rule rule ] (link group ACL). It is required that CIR be less than or equal to PIR and CBS less than or equal to EBS. It is recommended to configure CBS and EBS to values 100 to 150 times the CIR.
  • Page 193 (committed information rate) of the traffic that matches ACL1 is set to 10 kbps and that for ACL2 to 10 kbps, and their traffic policing indexes are the same, then the average rate of the traffic that matches ACL1 and ACL2 shall be limited to 10 kbps.
  • Page 194 You can also assign a system index for it when delivering an ACL rule with this command, but the index value may change while the system is running.
  • Page 195 "DSCP+Conform-Level -> Service parameters" mapping table; for TCP and UDP packets, the value of EXP is the lower 3 bits of dscp-value. When the Switch 8800 Family switch is used as ingress P, the value of EXP is the lower 3 bits of dscp-value.
  • Page 196 You can also assign a system index for it when delivering an ACL rule with this command, but the index value may change while the system is running.
  • Page 197 The switch allocates drop precedence for it when receiving a packet (also called coloring the packet). The drop precedence values range from 0 to 2, with 2 for red, 1 for yellow and 0 for green. In congestion, red packets will be first dropped, and green packets last.
  • Page 198 Configuring WRED parameters The switch provides four sets of default WRED parameters, respectively numbered as 0 to 3. Each set includes 80 parameters, 10 parameters for each of the eight queues. The ten parameters are green-min-threshold, yellow-min-threshold, red-min-threshold, green-max-threshold, yellow-max-threshold, red-max-threshold, green-max-prob, yellow-max-prob, red-max-prob and exponent.
  • Page 199 You can also assign a system index for it when delivering an ACL rule with this command, but the index value may change while the system is running.
  • Page 200 You can implement port mirroring by setting mirroring groups at the port. Up to 20 mirroring groups can be configured at a port, with each group including one monitoring port and multiple monitored ports. The Switch 8800 Family series supports cross-card mirroring, that is, the monitoring and monitored ports can be on different cards.
  • Page 201 You can also assign a system index for it when delivering an ACL rule with this command, but the index value may change while the system is running.
  • Page 202: Qos Configuration Example

    See the corresponding Command Manual for a description of the display information and parameters. QoS Configuration Example: Traffic Shaping Configuration Example. Network requirements: Set traffic shaping for outbound queue 2 at port GE7/1/8, with a maximum rate of 650 Kbps and a burst size of 12 KB.
  • Page 203 Configuration procedure # Enter Ethernet port view. [SW8800] interface GigabitEthernet 7/1/8 [3Com-GigabitEthernet7/1/8] # Set traffic shaping for the outbound queue 2 at the port: maximum rate 650 Kbps, burst size 12 KB. [3Com-GigabitEthernet7/1/8] traffic-shape queue 2 650 12 Port Mirroring...
  • Page 204 Traffic Priority Configuration Example. Network requirements: Re-allocate service parameters according to the mapping table for DSCP 63 for the packets from PC1 (IP 1.0.0.1) during the time range 8:00 to 18:00 every day. Network diagram: Figure 49 Network diagram for priority configuration...
  • Page 205 63 Traffic Redirection Configuration Example. Network requirements: Forward the packets sent from PC1 (IP 1.0.0.1) during the time range from 8:00 to 18:00 every day to the address 2.0.0.1. Network diagram: Figure 50 Network diagram for traffic redirection configuration...
  • Page 206 Use WRR algorithm for the queues 0 to 5 at the port GE7/1/1. Set the queues 0, 1 and 2 into WRR queue 1, with weight respectively as 20, 20 and 30; set the queues 3, 4 and 5 into WRR queue 2, with weight respectively as 20, 20 and 40.
  • Page 207 [SW8800] qos cos-local-precedence-map 7 6 5 4 3 2 1 0 # Use WRR algorithm for the queues 0 to 5. Set the queues 0, 1 and 2 into WRR queue 1, with weight respectively as 20, 20 and 30; set the queues 3, 4 and 5 into WRR queue 2, with weight respectively as 20, 20 and 40.
  • Page 208 Configuration Example. Network requirements: Suppose the IP address of PC1 is 1.0.0.1 and that of PC2 is 2.0.0.1. The switch is up-linked through port GE7/1/8. Count the packets sent from the switch to PC1 during the time range from 8:00 to 18:00 every day.
  • Page 209: Logon

    There are two levels of security controls. ■ The first level is implemented by applying ACLs to filter the users that are to connect to the switch. Only authorized users are capable of accessing the switch.
  • Page 210 Apply Layer 2 ACLs to Telnet or SSH users: acl acl-number2 inbound. The acl-number2 parameter indicates the number of the Layer 2 ACL, in the range of 4,000 to 4,999. By default, the system does not restrict incoming/outgoing requests.
  • Page 211 ■ When you use Layer 2 ACLs to implement ACL control over Telnet or SSH users, only incoming requests are restricted. ■ If a user fails to log in due to ACL restriction, the system logs the user failure, including the IP address, login method, user interface index value and failure reason.
  • Page 212: Configuring Acl For Snmp Users

    [3Com-user-interface-vty0-4] acl 4000 inbound Basic ACL Control Configuration Example. Network requirements: Only the Telnet users with IP addresses 10.110.100.52 and 10.110.100.46 can access the switch. Network diagram: Figure 55 Network diagram for source IP control over Telnet users...
  • Page 213 ■ ...ACLs in the snmp-agent community, snmp-agent group and snmp-agent usm-use commands. ■ You can only apply number-based basic ACLs to implement ACL control over SNMP users. For the detailed description of these commands, refer to the Command Manual.
  • Page 214 ACL Control over SNMP Users Configuration Example. Network requirements: Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the switch. Network diagram: Figure 56 Network diagram for ACL control over SNMP users. Configuration procedure # Define a basic ACL and the rules.
  • Page 215: VLAN-ACL Configuration

    VLAN-ACL is VLAN-based ACL. You can configure QACL for a VLAN to control accesses made to all ports in the VLAN. VLAN-ACL enables you to manage a network in an easier way. After you configure QACL for a VLAN, the system synchronizes the configuration to all member ports in the VLAN automatically.
  • Page 216 The applied ACL rule field must be specified by the default flow template. ■ If no port in a VLAN has ACL rules applied, the system checks all ports in the VLAN when applying an ACL rule in VLAN view and prohibits the ACL rule from being applied if a port in the VLAN has a customized flow template applied.
  • Page 217 2 If both a VLAN and one of its ports have QACL rules applied, only those applied to the port work. In this case, the VLAN-ACL takes effect only after the QACL rules and the self-defined flow template on the port are deleted.
  • Page 218 [3Com-acl-basic-2000] rule 0 permit source any time-range 3Com [3Com-acl-basic-2000] quit 3 Configure packet redirection in VLAN 2. # Set the next hop IP addresses of all the packets forwarded on ports in VLAN 2 to 3.0.0.1. [SW8800] vlan 2 [3Com-vlan2] traffic-redirect inbound ip-group 2000 rule 0 next-hop 3.0.0.1...
  • Page 220 Chapter 24: VLAN-ACL Configuration...
  • Page 221: Overview

    As the name implies, "Port Based Network Access Control" means authenticating and controlling all devices accessing the ports of a LAN access control device. If the user’s device connected to the port passes the authentication, the user can access the resources in the LAN.
  • Page 222 There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the other is the Controlled Port. The Uncontrolled Port is always in a bi-directional connected state. The user can access and share the network resources at any time through these ports.
  • Page 223: 802.1X Configuration

    ■ “Enabling/Disabling Quiet-Period Timer” Among the above tasks, the first one, "enabling 802.1x", is compulsory; otherwise 802.1x will not take effect. The other tasks are optional and can be performed as required. Enabling/Disabling 802.1x: The following command can be used to enable/disable 802.1x on the specified...
  • Page 224 [ interface interface-list ] By default, 802.1x authentication is not enabled globally or on any port. You cannot enable 802.1x on a port before you enable it globally, and you must disable 802.1x on each port before you disable 802.1x globally.
  • Page 225 These commands take effect on the ports specified by the interface-list parameter when executed in system view. The interface-list parameter cannot be input when the command is executed in Ethernet port view, where it takes effect only on the current interface. After globally enabling proxy user detection and control in system view, the configuration takes effect on a port only if you also enable this feature on that specific port.
  • Page 226 ] By default, 802.1x allows up to 1024 supplicants on each port for 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as the Switch 8800 Family series), and a Switch 8800 Family series routing switch can accommodate a total of 2048 supplicants.
  • Page 227 ■ ...authentication. ■ A switch can have only one Guest VLAN. ■ Users who are not authenticated, fail to be authenticated, or are offline are all members of the Guest VLAN. ■ Guest VLANs can only be configured on Access ports.
  • Page 228 Authenticator will resend the above packet. supp-timeout-value: Specifies the duration of the authentication timeout timer of a Supplicant. The value ranges from 10 to 120 seconds and defaults to 30. tx-period: Has two major effects, which are described in detail in the following section.
  • Page 229: Displaying And Debugging 802.1X

    802.1x request packets. tx-period-value: Specifies the duration of the transmission timeout timer. The value ranges from 10 to 120 seconds and defaults to 30. It is recommended to configure different handshake period values and handshake...
  • Page 230: Packet Attack Prevention Configuration

    802.1x Configuration Example: Network requirements. As shown in Figure 59, the workstation of a user is connected to the port Ethernet 3/1/1 of the Switch. The switch administrator will enable 802.1x on all the ports to authenticate the supplicants so as to control their access to the Internet. The access control mode is configured as MAC-address based. All the supplicants belong to the default domain 3Com163.net, which can contain...
  • Page 231 RADIUS server. Configure the system to retransmit packets to the RADIUS server if no response is received in 5 seconds, and to retransmit a packet no more than 5 times in all. Configure the system to transmit a real-time accounting packet to the RADIUS server every 15 minutes.
  • Page 232 # Enable 802.1x on the specified port Ethernet 3/1/1. [SW8800] dot1x interface Ethernet 3/1/1 # Set the access control mode. (This command can be omitted, as MAC-based is the default.) [SW8800] dot1x port-method macbased interface Ethernet 3/1/1 # Create the RADIUS scheme radius1 and enter its configuration mode.
  • Page 233 [3Com-isp-3Com163.net] radius-scheme radius1 # Set a limit of 30 users for the domain 3Com163.net. [3Com-isp-3Com163.net] access-limit enable 30 # Enable the idle-cut function for the user and set the idle-cut parameters in the domain 3Com163.net. [3Com-isp-3Com163.net] idle-cut enable 20 2000 # Add a local supplicant and set its parameters.
  • Page 234 Chapter 25: 802.1x Configuration...
  • Page 235: Aaa And Radius/Hwtacacs Protocol Overview

    The RADIUS system is an important auxiliary part of the Network Access Server (NAS). After the RADIUS system is started, if a user wants the right to access another network or to consume network resources through a connection to the NAS (dial-in...
  • Page 236 request to the RADIUS server. The RADIUS server has a user database recording all the user authentication and network service access information. When receiving a user’s request from the NAS, the RADIUS server performs AAA by querying and updating the user database and returns the configuration information and accounting data to the NAS.
  • Page 237 The TACACS server sends back an accounting response, indicating that it has received the start-accounting request. ■ The user logs off; the TACACS client sends a stop-accounting request to the TACACS server. ■ The TACACS server sends a stop-accounting response to the client, which...
  • Page 238 Implementing AAA/RADIUS on a Switch: By now, we understand that in the above-mentioned AAA/RADIUS framework, 3Com Series Switches, serving as the user access device (NAS), are the client end of RADIUS. In other words, the client end of AAA/RADIUS is implemented on 3Com Series Switches.
  • Page 239: Aaa Configuration

    You can configure them as required. Creating/Deleting an ISP Domain: What is an Internet Service Provider (ISP) domain? To make it simple, an ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, taking gw20010608@3Com163.net as an example, the...
  • Page 240 For 3Com Series Switches, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.
  • Page 241 RADIUS scheme for an ISP domain with the same effect, and the system adopts the last configuration. By default, the Local scheme is adopted, an ISP domain is in Active state once it is created, no limit is set on the number of supplicants, accounting-optional is disabled, idle-cut is disabled, and no IP address pool is defined.
  • Page 242 Creating/Deleting a Local User: A local user is a group of users set on the NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local user has been added on the NAS.
  • Page 243 }* By default, users are not authorized for any service, and all their priorities are 0. When you bind a port to a user, this setting takes effect only when the slot number, the subslot number and the port number exist.
  • Page 244 Currently, the VLAN IDs delivered by RADIUS servers can be of integer or string type. ■ For a VLAN ID of integer type, a switch adds the port to the corresponding VLAN according to the VLAN ID delivered by the RADIUS server.
  • Page 245: Configuring Radius Protocol

    Configuring RADIUS Protocol. By default, the integer mode is used. That is, the switch supports RADIUS servers delivering VLAN IDs in integer form. Configuring the name of a delivered VLAN: Perform the following configuration in VLAN view. Table 206 Configure the name of a delivered VLAN...
  • Page 246 So you can configure up to 4 groups of IP addresses and UDP port numbers. However, you must set at least one group of IP address and UDP port number for each pair of primary/secondary servers to ensure normal AAA operation.
  • Page 247 4 groups of exactly the same data, so that every server serves as both a primary and a secondary AAA server.
  • Page 248 "3Com". Configuring VPN of RADIUS Server: The default address of the RADIUS server is an address on the public network. If the RADIUS server is built in a private network, you must specify the VPN to which the RADIUS server belongs when configuring the RADIUS server.
  • Page 249 By default, the maximum number of retries for sending RADIUS request packets is 3. Setting RADIUS Server Response Timeout Timer: If the NAS fails to receive a response from the RADIUS server within a certain period after it sends a RADIUS request packet (authentication/authorization request or accounting request), it should retransmit the RADIUS request packet to ensure the RADIUS service for the user.
  • Page 250 Restore the default value of the response timeout timer of RADIUS server: undo timer response-timeout. The default value of the response timeout timer of a RADIUS server is 3 seconds. Setting Quiet Time of... When the communication between the switch and the RADIUS Server is...
  • Page 251 The value shall be a multiple of 3. The value in minutes is related to the performance of the NAS and the RADIUS server: the smaller the value, the higher the performance required of the NAS and the RADIUS server.
  • Page 252 How to calculate the value of retry-times? Suppose that the RADIUS server connection will time out in T and the real-time accounting interval of the NAS is t; then the integer part of T divided by t is the value of count. Therefore, in practice, T should be a number exactly divisible by t.
  • Page 253 When the secondary one fails to communicate, the NAS turns to the primary one again. The following commands can be used to set the primary server to active manually, so that the NAS can communicate with it right after troubleshooting.
  • Page 254 } } | { packet { giga-byte | kilo-byte | mega-byte | one-packet } } (unit of data transmitted to the RADIUS server). Restore the unit to the default setting: undo data-flow-format. By default, the data unit is byte and the data packet unit is one packet.
  • Page 255 Configuration done in RADIUS scheme view has a higher priority than configuration done in system view. By default, no source address is specified; that is, the address of the interface from which a packet is sent is regarded as the source address of the packet.
  • Page 256: Configuring Hwtacacs Protocol

    1 The UDP port number used for authentication/authorization is 1645 and that for accounting is 1646. 2 The password configured by the local-server command must be the same as the RADIUS authentication/authorization packet key configured by the key authentication command in RADIUS scheme view.
  • Page 257 Delete a HWTACACS scheme hwtacacs-scheme-name. By default, no HWTACACS scheme exists. If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view. In HWTACACS view, you can configure the HWTACACS scheme in detail. The system supports up to 16 HWTACACS schemes. You can only delete schemes that are not being used.
  • Page 258 If only authentication and accounting servers are configured and no authorization server is configured, both authentication and accounting can be performed normally for FTP, Telnet, and SSH users, but the priority of these users is 0 (that is, the lowest privilege level) by default. The primary and secondary authorization servers cannot use the same IP address.
  • Page 259 VLAN that contains the port to which the server connects for packet sending is used as the source address. Setting a Key for Securing the Communication: When using a TACACS server as an AAA server, you can set a key to improve the security of the communication between the switch and the TACACS server.
  • Page 260 In that case, the switch can send users’ requests to the server only after it has waited at least the time configured with this command for the communication to be resumed.
  • Page 261: Displaying And Debugging Aaa And Radius Protocol

    the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table lists the numbers of users and the recommended intervals.
  • Page 262: Aaa And Radius/Hwtacacs Protocol Configuration Examples

    Enable/disable the anti-attack function of packets: anti-attack { arp | dot1x | ip } { disable | enable }. By default, the anti-attack function of IP packets is enabled, while the anti-attack functions of ARP packets and dot1x packets are disabled.
  • Page 263 FTP users. The following description is based on Telnet users. Network Requirements: In the environment illustrated in the following figure, it is required that, through proper configuration, the RADIUS server authenticates the Telnet users to be registered.
  • Page 264 Configuring Authentication at Local RADIUS Server: ...authentication described in section “Configuring Authentication at Remote RADIUS Server”. But you should modify the server IP address in Figure 63 of section “Configuring Authentication at Remote RADIUS Server” to 127.0.0.1, the authentication password to 3Com, and the UDP port number of the authentication server to 1645.
  • Page 265: Troubleshooting Aaa And Radius/Hwtacacs

    RADIUS/HWTACACS server of the ISP. So it is very likely to be invalid. Symptom: User authentication/authorization always fails. Solution: ■ The username may not be in the userid@isp-name format, or the NAS has not been configured with a default ISP domain. Please use a username in the proper format and configure the default ISP domain on the NAS.
  • Page 266 ■ The accounting service and the authentication/authorization service are provided on different servers, but the NAS requires the services to be provided on one server (by specifying the same IP address). So please make sure the server settings are consistent with the actual conditions.
  • Page 267: Portal

    Portal server unconditionally. Users can access the Internet only after they are successfully authenticated. Portal Structure: The basic network diagram of Portal is shown in Figure 65. It is composed of four elements: authentication client, access device, Portal server, and authentication/accounting server.
  • Page 268 The Portal authentication procedure on 3Com series switches is: ■ When the switch receives the login user’s HTTP packets for the first time, it first judges whether this user is a Portal user. For Portal users, the switch allows the user to access only the contents of the specified website servers (the Portal server and the authentication-free addresses).
  • Page 269 Free IP addresses are IP addresses that the user can access without restriction. Free IP addresses can be the IP addresses of DNS servers or the IP addresses that the ISP provides for access to free websites. All users can access these free IP addresses without restriction.
  • Page 270: Basic Portal Configuration

    Basic Portal Configuration. Configuration Prerequisites: ■ A valid IP address has been configured for this portal-enabled VLAN interface. ■ 802.1x is not enabled on the switch. ■ The Portal server has been installed and configured. Refer to CAMS Portal...
  • Page 271 ■ When a Portal server is first configured, you must configure the IP address for ... ■ If a Portal server has been enabled on a VLAN interface, you must disable this Portal server on the VLAN interface before modifying its parameters.
  • Page 272 192.168.1.100/16 Configuration procedure: Only the configurations on the switches are listed below. Configurations on the Portal servers and RADIUS authentication/accounting servers are not described here. 1 Configure the RADIUS scheme # Create a RADIUS scheme named portal [SW8800] radius scheme portal...
  • Page 273 Basic Portal Configuration 3 Configure Portal authentication # Configure the portal server. Its name is newp, IP address is 192.168.1.200, key is 3Com, port is 50100, and URL is http://192.168.1.200:81/portal/index_page.jsp [SW8800] portal server newp ip 192.168.1.200 key 3Com port 50100 url http://192.168.1.200/portal/index_default.jsp...
  • Page 274 ■ be configured as DHCP Relay instead of DHCP Server. Additionally, the master IP address (public address) and the slave IP address (private IP address) must be configured on the Portal-enabled VLAN interface. # Set the Portal to run in the ReDHCP authentication method.
  • Page 275 Example” for the configurations on RADIUS schemes, ISP domains and Portal servers. # Configure the authentication network segment [SW8800] portal auth-network 162.31.0.0 255.255.0.0 vlan 100 # Set the Portal to run in the Layer 3 Portal authentication method [SW8800] portal method layer3 # Configure VLAN 100 [SW8800] vlan 100...
  • Page 276: Portal Authentication-Free User And Free Ip Address Configuration

    IP address of the interface belong to the same network segment. The Direct authentication method requires that the IP address of an authentication-free user and that of the VLAN interface belong to the same network segment.
  • Page 277 Portal Authentication-free User and Free IP Address Configuration ■ Server2 can access the Internet without passing authentication. Network diagram: Figure 68 Network diagram for authentication-free user and free IP address configuration (Vlan-interface 2; Portal; 192.168.1.160/16; 192.168.1.200/16)...
  • Page 278: Portal Rate Limit Function Configuration

    ■ The upload interface for Portal rate limit is specified. Example: Network diagram: Refer to Figure 66. Configuration procedure # Specify Ethernet2/1/10 as the upload interface for Portal rate limit. [3Com-Ethernet2/1/10] portal upload-interface. Portal User Deletion: Table 247 Portal user deletion procedure. Procedure...
  • Page 279: Ip Routing Protocol Overview

    The last router in the path is responsible for delivering the packet to the destination host. In Figure 69, R stands for a router. A packet sent from Host A to Host C goes through two routers, that is, it is transmitted over two hops. Therefore, when a node (router) is connected to another node through a network, they are in the same route segment and are deemed adjacent in the Internet.
  • Page 280 If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way as the message routing in a conventional network.
  • Page 281 ■ Indirect route: The router is not directly connected to the network where the destination resides. In order to limit the size of the routing table, an option is available to set a default route. All the packets that fail to find a suitable entry are forwarded through this default route.
  • Page 282: Routing Management Policy

    After you configure static equivalent routes, a packet can reach the same destination through multiple different paths whose precedence levels are equal. When there is no route that can reach the same destination with a higher...
  • Page 283 Normally, the router sends data via the main route. When the line fails, the main route hides itself and the router chooses, from the remaining routes, the backup route whose precedence is higher than the others’...
  • Page 284 Chapter 28: IP Routing Protocol Overview...
  • Page 285: Static Route

    All the following routes are static routes: ■ Reachable route: A normal route is of this type. That is, the IP packet is sent to the next hop via the route marked by the destination. It is a common type of static route.
  • Page 286: Configuring Static Route

    ■ IP address and mask: The IP address and mask are in dotted decimal format. As the "1"s in the 32-bit mask are required to be consecutive, the dotted decimal mask can also be replaced by the mask length (the number of consecutive "1"s in the mask).
  • Page 287: Displaying And Debugging Static Route

    Delete a default route: ... 0.0.0.0 { 0.0.0.0 | 0 } [ interface-type interface-number | gateway-address ] [ preference value ]. The meanings of the parameters in the command are the same as those of the static route. Deleting All the Static Routes: You can use the undo ip route-static command to delete one static route.
  • Page 288: Typical Static Route Configuration Example

    Typical Static Route Configuration Example: Network requirements. As shown in Figure 71, the masks of all the IP addresses are 255.255.255.0. It is required that all the hosts or Switch 8800 Family series routing switches can be interconnected in pairs by static route configuration.
  • Page 289: Troubleshooting Static Route Faults

    Troubleshooting Static Route Faults. Symptom: The switch is configured with the static routing protocol and both the physical status and the link layer protocol status of the interface are Up, but IP packets cannot be forwarded normally. Solution: ■ Use the display ip routing-table protocol static command to view whether...
  • Page 290 Chapter 29: Static Route Configuration...
  • Page 291: Introduction To Rip

    0, and that to a network which can be reached through another router is 1, and so on. To restrict the convergence time, RIP prescribes that the cost value is an integer ranging from 0 to 15. A hop count equal to or exceeding 16 is defined as infinite, that is, the destination network or host is unreachable.
  • Page 292: Configuring Rip

    RIP Enabling and Running: The following section describes the procedure: ■ If RIP is enabled on a router for the first time, the router broadcasts or multicasts a request packet to the adjacent routers. Upon receiving the request packet, RIP on each adjacent router responds with a packet conveying its local routing table.
  • Page 293 For an interface that is not on the specified network segment, RIP neither receives nor sends routes on it, nor forwards its interface route, as if this interface did not exist at all. network-address is the address of the enabled or disabled network, and it can also be configured as the IP network address of the respective interface.
  • Page 294 By default, RIP does not send any packets to unicast addresses. Note that a peer is also restricted by rip work, rip output, rip input and network when transmitting packets. Configuring Split...
  • Page 295 The metricout configuration takes effect only on the RIP routes learnt by the router and the RIP routes generated by the router itself. That is, it has no effect on the routes imported into RIP from other routing protocols. Configuring RIP to...
  • Page 296 ■ The filter-policy import command filters the RIP routes received from its neighbors; the routes that fail to pass the filter are neither added to the routing table nor advertised to the neighbors. ■ The filter-policy export command filters all the advertised routes, including...
  • Page 297 Configuring RIP. RIP-1 only sends routes with the natural mask, that is, it always sends routes in route summary form. RIP-2 supports subnet masks and classless interdomain routing. To advertise all the subnet routes, the route summary function of RIP-2 can be disabled.
  • Page 298 Interface Packet: Therefore, when an interface version is set to RIP-1, the zero field check should be performed on the packet. If the value in the zero field is not zero, processing is refused. As there is no zero field in a RIP-2 packet, this configuration is invalid for RIP-2.
  • Page 299 Configuring RIP. Specifying the Operating State of the Interface: In interface view, you can specify the operating state of RIP on the interface, for example, whether RIP operates on the interface, namely, whether RIP update packets are sent and received on the interface. In addition, whether an interface sends or receives RIP update packets can be specified separately.
  • Page 300: Displaying And Debugging Rip

    Typical RIP Configuration Example: Network requirements. As shown in Figure 72, Switch 8800 Family series routing switch C connects to the subnet 117.102.0.0 through its Ethernet port. The Ethernet ports of Switch 8800 Family series routing switches A and B are connected to the networks 155.10.1.0 and 196.38.165.0 respectively.
  • Page 301: Troubleshooting Rip Faults

    196.38.165.1/24 196.38.165.0/24 Network address: 117.102.0.0/16 Configuration procedure: The following configuration only shows the operations related to RIP. Before performing the following configuration, make sure the Ethernet link layer works normally. 1 Configure Switch A # Configure RIP [Switch A] rip [Switch A-rip] network 110.11.2.0...
  • Page 302 Solution: RIP does not operate on the corresponding interface (for example, the undo rip work command has been executed), or this interface is not enabled through the network command. The peer routing device is configured to be in multicast...
  • Page 303: Ospf Overview

    ■ Area partition: It allows the network of an AS to be divided into different areas for the convenience of management, so that the routing information transmitted between the areas is further abstracted, hence reducing network bandwidth consumption.
  • Page 304 OSPF uses five types of packets: ■ Hello Packet: It is the commonest packet, which is periodically sent by a router to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors. ■ Database Description (DD) Packet:...
  • Page 305 Router ID to OSPF. To run OSPF, a router must have a router ID. If no ID is configured, the system automatically picks an IP address from the IP addresses of the current interfaces as the Router ID. The following introduces how a router ID is chosen. If loopback interface addresses exist, the system chooses the Loopback address with the greatest IP address value as the router ID.
  • Page 306 To shorten the process, the BDR was introduced in OSPF. In fact, the BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is also exchanged between them.
  • Page 307: Ospf Gr Overview

    ■ information, consequently helping users to diagnose failures. OSPF GR Overview: Open Shortest Path First (OSPF) is an interior gateway protocol developed by the IETF based on the link state algorithm. OSPF version 2 (RFC 2328) is now commonly used. Graceful Restart (GR) is designed to keep the OSPF routing data normal when an abnormal switchover occurs on the switch, so that critical services are not interrupted.
  • Page 308 Out-of-band LSDB resynchronization (OOB), which is used to synchronize the LSDB. The L_bit set in a HELLO packet negotiates LLS capabilities and notifies the peer of its own LLS data. The LR_bit set in the EO_TLV of the LLS data is used to negotiate OOB capabilities.
  • Page 309 Packet Format of OSPF. Format of Grace LSA: This LSA is an Opaque-LSA generated by the Restarter. For this LSA, the LS-type is 9, the Opaque type is 3 and the Opaque ID is 0. Figure 74 Format of Grace LSA...
  • Page 310 Figure 78 Format of EO_TLV. The meaning of each field in EO_TLV: the Type field refers to the type of TLV, and the type of EO_TLV is 1; the Length field refers to the length of TLV, and the length of EO_TLV is 4;...
  • Page 311: Configuring Ospf

    Configuring OSPF. The AuthLen field refers to the length of CA_TLV, and the length of CA_TLV is 20; the Sequence number and AuthData fields are determined by the OSPF check information. LLS data can be included only in HELLO packets and DD packets. Only one LLS data block can be included in a packet.
  • Page 312 When you do that manually, you must guarantee that the IDs of any two routers in the AS are unique. A common practice is to set the router ID to the IP address of an interface on the router.
  • Page 313 [ process-id ] By default, OSPF is disabled. When enabling OSPF, pay attention to the following points: ■ The default OSPF process ID is 1. If no process ID is specified in the command, the default one is adopted.
  • Page 314 RIP). Since these routes are more reliable, the calculated cost of the external routes is the same as the cost of routes within the AS, and such route costs are comparable with the route costs of OSPF itself. That is, cost to reach an external route of type 1 = cost to reach the corresponding ASBR from the local router + cost to reach the destination address of the route from the ASBR.
  • Page 315 By default, OSPF will not import the routing information of other protocols. For an imported route, type is 2, cost is 1, and tag is 1 by default. The routes that can be imported include Direct, Static, rip, is-is, and bgp. In addition, the routes of other OSPF processes can also be imported.
  • Page 316 Restore the default type of the external routes imported by OSPF: undo default type. By default, the type of an imported route is type-2, the cost is 1 and the tag is 1. Configuring the default interval and number for OSPF to import external...
  • Page 317 Because OSPF does not calculate the LSAs it generated itself during SPF calculation, there is no default route in the OSPF routes on this router. To ensure correct routing information, you should configure the import of the default route only on the router connected to the external network.
  • Page 318 ■ If the filter-policy export command does not specify which type of route is to be filtered, it takes effect on all routes imported by the local device using the import-route command. Configuring filtering of received Type-3 LSAs: Use the following command to configure route filtering between OSPF areas.
  • Page 319 Thus, the ABR only needs to send an aggregated LSA, and the LSAs in the range of the aggregate segment specified by the command are not transmitted separately.
  • Page 320 If the local router works as an area border router (ABR) and a router in the NSSA, this command summarizes Type-5 LSAs translated from Type-7 LSAs. If the router is not a router in the NSSA, summarization is disabled.
  • Page 321 40 seconds, and that for the neighboring routers of p2mp interfaces is 120 seconds. Note that both the hello and dead timers restore to their default values after the user modifies the network type. Setting an interval for LSA retransmission between neighboring routers: If a router transmits a Link State Advertisement (LSA) to a peer, it requires an acknowledgement packet from the peer.
  • Page 322 DR, choose the one with the higher priority. If the priorities are the same, choose the one with the greater router ID. If the priority of a router is 0, it will not be elected as DR or BDR.
  • Page 323 LSDBs during LSDB synchronization. ... Interface Transmits DD Packets: You can manually specify an interface to fill in the MTU field in a DD packet when it transmits the packet. The MTU should be set to the real MTU of the interface.
  • Page 324 By default, all interfaces are allowed to transmit and receive OSPF packets. After an OSPF interface is set to silent status, the interface can still advertise its direct route. However, the OSPF hello packets of the interface are blocked, and no neighbor relationship can be established on the interface.
  • Page 325 According to RFC 2328, after the area partition of OSPF, not all the areas are equal. Virtual Link: Among them, one area is different from all the others. Its Area-id is 0.0.0.0 and it is usually called the backbone area. The OSPF routes between non-backbone areas are updated with the help of the backbone area.
  • Page 326 ■ The backbone area cannot be configured as the stub area, and the virtual link cannot pass through the stub area. ■ If you want to configure an area as a stub area, then all the routers in this area should be configured with this attribute.
  • Page 327 LSAs reach the NSSA ABR, the NSSA ABR transforms them into type-5 LSAs, which are propagated to Area 0 and Area 2. On the other hand, RIP routes of the AS running RIP are transformed into type-5 LSAs that are propagated in the OSPF AS.
  • Page 328 The keyword default-cost is used on the ABR attached to the NSSA. Using this command, you can configure the default route cost on the ABR to NSSA. By default, the NSSA is not configured, and the cost of the default route to the NSSA is 1.
  • Page 329 The OSPF Trap function enables the switch to send multiple types of SNMP Trap packets in case of OSPF process exceptions. In addition, you can specify an OSPF process ID so that this function works only on that process. If no process ID is specified, this function works on all OSPF processes.
  • Page 330: Displaying And Debugging Ospf

    Display OSPF statistics: display ospf [ process-id ] cumulative. Display LSDB information of ...: display ospf [ process-id ] [ area-id ] lsdb [ brief | [ asbr | ase | network | nssa | router | summary [ verbose ] ] [...
  • Page 331: Typical Ospf Configuration Example

    Configure Switch A and Switch C as DR and BDR respectively. The priority of Switch A is 100, which is the highest on the network, so it is elected as the DR. Switch C has the second highest priority, that is, 2, so it is elected as the BDR. The priority of Switch B is 0, which means that it cannot be elected as the DR.
  • Page 332 Chapter 31: OSPF Configuration. Network diagram: Figure 83 Network diagram for configuring DR election based on OSPF priority (router IDs 1.1.1.1 Switch A, 2.2.2.2 Switch B, 3.3.3.3 Switch C, 4.4.4.4 Switch D; shared segment 196.1.1.0/24 with addresses 196.1.1.1 to 196.1.1.4). Configuration procedure # Configure Switch A [Switch A] interface Vlan-interface 1 [Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0...
  • Page 333 Virtual Link: Network requirements. In Figure 84, Area 2 and Area 0 are not directly connected. Area 1 is required to be taken as a transit area connecting Area 2 and Area 0. Configure a virtual link between Switch B and Switch C in Area 1.
  • Page 334 [Switch C-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.255. OSPF GR Configuration Example: Network requirements ■ For the GR-enabled switch, the GR method must be configured in the view of the corresponding process. Additionally, the Neighbor State Machine (NSM) must be in the FULL state.
  • Page 335 Typical OSPF Configuration Example Network diagram Figure 85 Network diagram Configuration procedure # Configure the switch Switch 8800 FamilyA <Switch 8800 FamilyA> system-view [Switch 8800 FamilyA] vlan 192 [Switch 8800 FamilyA-vlan192] port GigabitEthernet 3/1/1 [Switch 8800 FamilyA-vlan192] interface vlan 192 [Switch 8800 FamilyA-Vlan-interface192] ip address 192.168.1.1 24...
  • Page 336: Troubleshooting Ospf Faults

    ■ If the network type is broadcast, there must be at least one interface with a priority greater than zero. ■ If an area is set as the stub area, the area must also be set as the stub area on all the routers connected to it.
  • Page 337 ■ The backbone area (Area 0) cannot be configured as the stub area, and a virtual link cannot pass through the stub area. That is, if a virtual link has been set up between RTB and RTC, neither Area 1 nor Area 0 can be configured as a stub area.
  • Page 339: Introduction To Integrated Is-Is

    ■ Link State DataBase (LSDB). All the link states in the network form the LSDB. In an IS, at least one LSDB is available. The IS uses the SPF algorithm and the LSDB to generate its own routes. ■ Link State Protocol Data Unit (LSPDU). In IS-IS, each IS will generate an LSP...
  • Page 340 Routing Domain 1 and Routing Domain 2. Routing Domain 1 includes two areas, Area 1 and Area 2, and Routing Domain 2 only has Area 3. In Routing Domain 1, the three ISs connected by bold lines compose the area backbone. They are all...
  • Page 341: Routing Protocol

    Introduction to Integrated IS-IS. Figure 87 IS-IS topology (figure residue: Area 1, Area 2 and Area 3; Routing Domain 1, Routing Domain 2, Routing Domain Boundary; legend: IS-IS Area, End system, Intermediate system, Subnetwork, Path, Interdomain Routing, Level 1 IS-IS Routing, Level 2 IS-IS Routing)...
  • Page 342 If the IP address 168.10.1.1 of the interface LoopBack0 serves as the router ID for the router, you can use the following method to obtain the System ID: turn each part of the IP address 168.10.1.1 into three digits, adding 0 to the front of any part that has fewer than three digits.
  • Page 343: Configuring Integrated Is-Is

    (SEL=0). You can regard it as a special NSAP. In general, you configure one NET for a router. If you are going to redivide an area (combine multiple areas or divide an area into multiple areas), you can configure multiple NETs to ensure correct routes during the reconfiguration.
  • Page 344 Entering the IS-IS View. After creating an IS-IS routing process, you should also activate this routing process on an interface that may correlate with another router. After that, the IS-IS protocol can be started and run. Perform the following configuration in system view.
  • Page 345 The format of the network-entity-title argument is X...X.XXXXXXXXXXXX.XX, in which the first "X...X" is the area address, the twelve Xs in the middle are the System ID of the router, and the last XX should be 00. Enabling IS-IS on the Interfaces: After enabling IS-IS, you need to specify on which interfaces IS-IS will run.
  • Page 346 Restore the default priorities for DIS election on the interface: undo isis dis-priority [ level-1 | level-2 ]. By default, the interface priority is 64. If level-1 or level-2 is not specified, the command defaults to setting the Level-1 priority. Setting Router Type...
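    As an added illustration of the System ID derivation and of the X...X.XXXXXXXXXXXX.XX NET format described above (example code written for this page, not 3Com's; the helper names are assumed, and the area-address shape accepted by the parser is assumed from the manual's own examples such as 86.0001):

```python
import re
from ipaddress import IPv4Address

# Derive a System ID from a router ID the way the manual describes: each
# octet of the dotted-decimal address is zero-padded to three digits, the
# twelve digits are concatenated and then regrouped as XXXX.XXXX.XXXX.
def system_id_from_ip(router_id: str) -> str:
    octets = str(IPv4Address(router_id)).split(".")
    digits = "".join(f"{int(octet):03d}" for octet in octets)  # 12 digits
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

# Build a NET from an area address and a System ID; the manual says the
# trailing NSAP selector must be 00.
def build_net(area: str, system_id: str) -> str:
    return f"{area}.{system_id}.00"

# Parse the X...X.XXXXXXXXXXXX.XX format. Assumption: the area part is a
# two-hex-digit AFI followed by zero or more four-hex-digit groups (as in
# 86.0001); the System ID is three four-hex-digit groups and the selector
# is two hex digits.
_NET_RE = re.compile(
    r"^(?P<area>[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{4})*)"
    r"\.(?P<system_id>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\.(?P<sel>[0-9a-fA-F]{2})$"
)

def parse_net(net: str):
    """Return {area, system_id, sel} for a valid NET, or None when the
    string does not follow the format or the selector is not 00."""
    match = _NET_RE.match(net)
    if match is None or match.group("sel") != "00":
        return None
    return match.groupdict()

# When a router is given several NETs (for instance while an area is being
# split or merged), they must all carry the same System ID; only the area
# part may differ. This check catches a mismatch before it is committed.
def nets_share_system_id(nets):
    parsed = [parse_net(n) for n in nets]
    if any(p is None for p in parsed):
        return False
    return len({p["system_id"] for p in parsed}) == 1

if __name__ == "__main__":
    sid = system_id_from_ip("168.10.1.1")           # 1680.1000.1001
    print(build_net("86.0001", sid))                # 86.0001.1680.1000.1001.00
    print(parse_net("86.0001.0000.0000.0007.00"))   # Switch C's NET in the example
```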
  • Page 347 } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name ]* If the level is not specified in the command for importing routes from other protocols, it defaults to importing the routes into level-2. protocol specifies the source routing protocol to be imported, which can be direct, static, rip, bgp, ospf, etc.
  • Page 348 By default, a Level-2 router does not advertise its routing information to a Level-1 area. Setting IS-IS Route Summary: Users can summarize routes with the same next hop into one route in the routing table. Perform the following configurations in IS-IS view.
  • Page 349 Configuring Integrated IS-IS. The default route generated by this command will only be imported to routers at the same level. Setting the Preference of IS-IS Protocol: On a router on which several routing protocols are running concurrently, there is an issue of sharing and selecting the routing information among all the routing protocols.
  • Page 350 (adopt the default values). So the system will set the broadcast intervals of all packets to that of the level-1 Hello packet. The other case is that if Hello packets are not separated into level-1 and level-2 on p2p links, the attribute of the packets need not be set either.
  • Page 351 By default, the LSP packet is transmitted via the interface every 33 milliseconds. Setting the LSP packet retransmission interval: Over a p2p link, if the local end does not receive a response within a period of time after it sends an LSP packet, it considers that the originally transmitted LSP packet has been lost or dropped.
  • Page 352 The authentication password set on the interface is mainly used in the Hello packet so as to confirm the validity and correctness of its peers. The authentication passwords at the same level of all the interfaces of a network should be identical. Perform the following configuration in interface view.
  • Page 353 You must configure this command when the switch needs to authenticate the devices of other vendors using MD5 algorithm in IS-IS. Perform the following configuration in IS-IS view. Table 332 Set the IS-IS to use the MD5 algorithm compatible with that of the other vendors Operation...
  • Page 354 Setting Overload Flag: Sometimes a router in the IS-IS domain may encounter problems in operation, and thus errors may occur in the whole routing area. To avoid this problem, you can set the overload flag bit for this router.
  • Page 355 By default, the LSP is refreshed every 900 seconds (15 minutes). Setting Lifetime of LSP: When a router generates the LSP of the system, it fills in the maximum lifetime of this LSP. When other routers receive this LSP, its lifetime is reduced continuously as time goes by.
  • Page 356 Restore the default configuration: undo spf-slice-size. By default, SPF calculation is not divided into slices but runs to the end at once, which can also be achieved by setting the seconds argument to 0. After slice calculation is set, the routes that are not processed in the current slice will be calculated in one second.
  • Page 357 ■ The restart interval specifies the interval for restarting routers. The restart interval is set as the holdtime in the IS-IS Hello PDU. In this way, the neighbors of a router will not break their adjacency with it when it is restarted.
  • Page 358: Displaying And Debugging Integrated Is-Is

    IS-IS route maintenance conditions. Table 345 Display and debug IS-IS. Operation / Command: Display IS-IS LSDB: display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ [ LSPID | local ] | verbose ]* ]* Display IS-IS SPF calculation...
  • Page 359: Typical Integrated Is-Is Configuration Example

    Typical Integrated IS-IS Configuration Example. Network requirements: As shown in Figure 89, Switches A, B, C and D belong to the same autonomous system. The IS-IS routing protocol runs on these four switches to implement route interconnection. In the network design, switches A, B, C and D belong to the same area.
  • Page 360 # Configure Switch C [Switch C] isis [Switch C-isis] network-entity 86.0001.0000.0000.0007.00 [Switch C] interface vlan-interface 101 [Switch C-Vlan-interface101] ip address 200.10.0.2 255.255.255.0 [Switch C-Vlan-interface101] isis enable [Switch C] interface vlan-interface 100 [Switch C-Vlan-interface100] ip address 200.20.0.1 255.255.255.0 [Switch C-Vlan-interface100] isis enable...
  • Page 361: Bgp/Mbgp Overview

    ■ BGP-4 can be extended easily to support new developments of the network. ■ CIDR handles IP addresses in an entirely new way, that is, it does not distinguish networks of Class A, Class B and Class C. For example, an invalid Class C network address 192.213.0.0 (255.255.0.0) can be expressed as...
  • Page 362 CHAPTER 33: BGP CONFIGURATION. BGP is called IBGP when it runs within an AS and EBGP when it runs among different ASs. BGP Message Types: BGP is driven by messages, which include the following types: ■ Type 1, OPEN: The first message sent after the creation of a connection to...
  • Page 363 MBGP extension attributes In the packets BGP-4 uses, three pieces of information related to IPv4 are carried in the update packet. They are network layer reachability information (NLRI), Next_Hop (The next hop address) in path attribute and Aggregator in path attribute (This attribute includes the BGP speaker address which forms the summary route).
  • Page 364: Configuring Bgp

    Relationship between peer configuration and peer group configuration In Switch 8800 Family series, a BGP peer must belong to a peer group. If you want to configure a BGP peer, you need first to create a peer group and then add a peer into the group.
  • Page 365 Perform the following configurations in BGP view. Creating a peer group A BGP peer must belong to a peer group. Before configuring a BGP peer, a peer group to which the peer belongs must be created first. Table 347 Create a peer group...
  • Page 366 Adding a member to a peer group A BGP peer must belong to a peer group. If you want to configure a BGP peer, you need first to create a peer group and then add a peer into the group.
  • Page 367 Configuring BGP When exchanging routing information between BGP speakers, the peer group must be enabled first and then the peer should be added to the enabled peer group. Configuring the Graceful-restart ability of a peer or peer group Table 351 Enable/disable the Graceful-restart ability of a peer or peer group...
  • Page 368 By default, only connections with EBGP peer groups on directly connected networks are permitted. ttl refers to time-to-live, in the range of 1 to 255, with a default value of 64. Configuring an IBGP peer group to be a client of a route reflector: Perform the following configuration in BGP view.
  • Page 369 Moreover, neighbors do not advertise the learned IBGP routes. Configuring to send a default route to a peer group: If you only need to advertise a default route between a pair of BGP peers instead of transmitting the default route within the whole network, you can use the peer default-route-advertise command.
  • Page 370 By default, the allowed number of local AS repetitions is set to 1. Specifying the source interface of a route update packet: Generally, the system specifies the source interface of a route update packet. When the interface fails to work, in order to keep the TCP connection valid, the...
  • Page 371 Configuring BGP MD5 authentication password: BGP uses TCP as its transport layer. For higher security, you can configure an MD5 authentication password when setting up a TCP connection. In other words, BGP MD5 authentication only sets a password for the TCP connection; it does not authenticate BGP packets themselves.
  • Page 372 IP ACL for a peer (group) acl-number export Configuring route filtering policy based on AS path list for a peer (group) Table 367 Configure route filtering policy based on AS path list for a peer (group) Operation Command Configure the ingress route filtering policy...
  • Page 373 By default, BGP does not import the default routes of other protocols when BGP is importing the routes of other protocols. Configuring BGP Route The BGP supports two forms of route aggregation:...
  • Page 374 Configuring BGP Route Filtering. Configuring BGP to filter the received route information: The routes received by BGP can be filtered, so that only those routes that meet certain conditions are accepted by BGP. Perform the following configuration in BGP view.
  • Page 375 When flapping occurs, update packets are propagated on the network repeatedly, which occupies much bandwidth and much of the router's processing time. Measures must be taken to avoid it. The technology for controlling unstable routes is called route dampening.
  • Page 376 The reasonable maximum interval of sending Keepalive is one third of the holdtime value. The interval of sending Keepalive cannot be less than 1 second. As a result, if the holdtime is not 0 seconds, the minimum holdtime value is 3 seconds.
  • Page 377 EBGP peers in the same AS. Using the compare-different-as-med command, you can compare the MED metrics of routes from peers in different ASs. Comparing the MED Routing Metrics from ...: It is used to select the best route. The route with the smaller MED value will be selected.
  • Page 378 Router A and Router B. You only need to connect Router C to Router A and Router B respectively. If a BGP router is neither a reflector nor a client, we call it a non-client. You still need to connect non-clients to reflectors and to other non-clients.
  • Page 379 The AS path method cannot detect loops inside the AS. When configuring route reflectors, you can use the following two methods to avoid loops inside the AS: one is to use the cluster ID; the other is to use the Originator_ID of a route reflector.
  • Page 380 The configured sub-AS number is valid only inside the confederation. In addition, the number cannot be the same as the AS number of a peer in the peer group for which you have not configured an AS number. Configuring AS confederation attribute compatible with nonstandard...
  • Page 381 As shown in Figure 91, Router D and Router E are IBGP peers of Router C. When Router A and Router B simultaneously advertise two routes to the same destination to Router C, if load balancing is enabled on Router C (such as balance 2),...
  • Page 382 Clearing BGP Connection: After the user changes the BGP policy or protocol configuration, they must cut off the current connection to enable the new configuration. Perform the following configuration in user view. Table 390 Clear BGP connection...
  • Page 383: Displaying And Debugging Bgp

    Displaying and Debugging BGP: After the above configuration, execute the display command in any view to display the running state of the BGP configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the configuration.
  • Page 384: Typical Bgp Configuration Examples

    Typical BGP Configuration Examples. Configuring BGP AS Confederation Attribute. Network requirements: Divide AS 100 into three sub-ASs: 1001, 1002, and 1003, and configure EBGP, confederation EBGP, and IBGP. Network diagram: Figure 92 Network diagram for AS confederation configuration (figure residue: AS100, Switch B...)
  • Page 385 Switch B receives an update packet passing EBGP and transmits it to Switch C. Switch C is a reflector with two clients: Switch B and Switch D. When Switch C receives a route update from Switch B, it will transmit such information to Switch D.
  • Page 386: Configure Vlan

    CHAPTER 33: BGP CONFIGURATION. Network diagram: Figure 93 Network diagram for BGP route reflector configuration (figure residue: Route reflector Switch C; VLAN 3 193.1.1.1/24; VLAN 4 194.1.1.1/24; Network 1.0.0.0; AS200; VLAN 100; IBGP; IBGP; VLAN 4; EBGP; 1.1.1.1/8; VLAN 3; 194.1.1.2/24; 193.1.1.2/24)...
  • Page 387 All switches are configured with BGP, and the IGP in AS 200 is OSPF. Switch A is in AS 100, and Switch B, Switch C and Switch D are in AS 200. Switch A, Switch B, and Switch C run EBGP. Switch B, Switch C and Switch D run IBGP.
  • Page 388 [Switch A-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255 [Switch A-acl-basic-2000] rule deny source any Define two route policies, one called Apply_med_50 and the other called Apply_med_100. The first sets the MED attribute of the route matching network 1.0.0.0 to 50, while the second sets it to 100.
  • Page 389 After the above configuration, because the MED attribute of route 1.0.0.0 received from Switch C is less than that from Switch B, Switch D will prefer the route 1.0.0.0 from Switch C. If the MED attribute of Switch A is not configured, the local preference on Switch...
  • Page 390: Troubleshooting Bgp

    [Switch C] bgp 200 [Switch C-bgp] peer 193.1.1.1 route-policy localpref import By then, because the local preference attribute value (200) of the route 1.0.0.0 learned by Switch C is higher than that of Switch B (Switch B is not configured with the local preference attribute, which is 100 by default), Switch D will also prefer the route 1.0.0.0 from Switch C.
  • Page 391 Routes covering a large network segment cannot be imported. For example, route 10.1.1.0/24 can be imported, while 10.0.0.0/8 may cause an error. If OSPF is used, after a large network segment is imported into the local routing table by means of the network command, the router will automatically make changes according to the network segment actually used by the interface.
  • Page 393: Ip Routing Policy

    IP-prefix: The function of the IP-prefix list is similar to that of an ACL, but it is more flexible and easier for users to understand. When the IP-prefix list is applied to routing information filtering, its matching objects are the destination address information...
  • Page 394: Configuring Ip Routing Policy

    AS-path: The AS-path list is only used in BGP. The routing information packet of BGP includes an autonomous system path field (during the exchange of BGP routing information, the autonomous system paths that the routing information has passed through are recorded in this field).
  • Page 395 If a route satisfies all the if-match clauses of the node, it will be denied by the node and will not take the test of the next node. If not, however, the route will take the test of the next node.
  • Page 396 The if-match clauses for a node in the route-policy have the relationship of "AND" for matching. That is, the route must satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed.
  • Page 397 Defining apply clauses for a route-policy The apply clauses specify actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clauses. Thereby, some attributes of the route can be modified. Perform the following configuration in route policy view.
  • Page 398 You can define an item of permit 0.0.0.0/0 greater-equal 0 less-equal 32 after the multiple list items in the deny mode so as to let all the other routes pass.
  • Page 399 A route can have one or more community attributes. Speakers handling a route with multiple community attributes can act according to one, several or all of the attributes. A router can choose to modify the community attribute before transmitting routes to other peers.
  • Page 400 Configuring to filter the advertised routes You may define a route advertisement policy to filter advertised routing information. This can be done by referencing an ACL or IP prefix-list to filter routing information that does not meet the conditions, or by specifying a protocol to filter routing information of that protocol only.
  • Page 401: Displaying And Debugging The Routing Policy

    Import three static routes by enabling the OSPF protocol on Switch A. Route filtering rules can be configured on Switch B to make the three received static routes partially visible and partially shielded. This means that routes in the network segments 20.0.0.0 and 40.0.0.0 are visible while those in the network...
  • Page 402: Troubleshooting Routing Policy

    [Switch A] ip route-static 20.0.0.1 255.0.0.0 12.0.0.2 [Switch A] ip route-static 30.0.0.1 255.0.0.0 12.0.0.2 [Switch A] ip route-static 40.0.0.1 255.0.0.0 12.0.0.2 # Enable the OSPF protocol and specify the number of the area to which the interface belongs. [Switch A] router id 1.1.1.1...
  • Page 403 You can define an item of permit 0.0.0.0/0 less-equal 32 after the multiple list items in the deny mode so as to let all the other routes pass the filtering (If less-equal 32 is not specified, only the default route will be matched).
  • Page 405: Route Capacity Configuration

    (especially OSPF routes and BGP routes). Generally, the routing information is stored in the memory of the switch and the total size of the switch memory will not change. When the size of the routing table increases to some degree, it may affect the operation of the system.
  • Page 407: Recursive Routing Configuration

    L2 path searching. A recursive route can be a static route or a BGP route. Recursive routing makes route entries flexible and independent of a specific interface.
  • Page 409: Ip Multicast Overview

    An Ethernet switch functions as a router when it runs an IP multicast protocol. A router referred to in the following represents a generalized router or a layer 3 Ethernet switch running an IP multicast protocol. IP Multicast Overview...
  • Page 410 Suppose Users B, D, and E need the information; they need to be organized into a receiver group to ensure that the information can reach them smoothly. The routers on the network duplicate and forward the information according to the...
  • Page 411: Implementation Of Ip Multicast

    It should be noted that a multicast source does not necessarily belong to a multicast group. It sends data to multicast groups but is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously.
  • Page 412 All members in the group can receive the packets. This group is a multicast group. Membership here is dynamic, and a host can join or leave the group at any time. A multicast group can be permanent or temporary. Some multicast group addresses are allocated by IANA, and the multicast group is called permanent multicast group.
  • Page 413 As the Internet Assigned Numbers Authority (IANA) provisions, the high 24 bits of a multicast MAC address are 0x01005e and the low 23 bits of the MAC address are the low 23 bits of the multicast IP address. The 25th bit from the high end is 0, a fixed value.
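    The mapping just described leaves 5 bits of the group address out of the MAC, so 32 IP groups share each multicast MAC. As an added example for this page (not 3Com code; function names are assumed, and the output uses the xxxx-xxxx-xxxx MAC notation the static multicast MAC example in this manual uses), the following computes the MAC for a group and lists every group that collapses onto one MAC:

```python
from ipaddress import IPv4Address

MAC_PREFIX = 0x01005E  # high 24 bits of every IPv4 multicast MAC, fixed by IANA

def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC in xxxx-xxxx-xxxx form."""
    ip = IPv4Address(group)
    if not ip.is_multicast:  # anything outside 224.0.0.0/4 has no such mapping
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF        # low 23 bits of the group address
    mac = (MAC_PREFIX << 24) | low23  # bit 23 of the MAC stays 0
    text = f"{mac:012x}"
    return "-".join(text[i:i + 4] for i in range(0, 12, 4))

def _mac_to_int(mac: str) -> int:
    # Accept 0100-5e01-018d, 01:00:5e:01:01:8d or 01005e01018d.
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac}")
    return int(digits, 16)

def groups_sharing_mac(mac: str):
    """All 32 IPv4 groups that map onto one multicast MAC.

    The top 4 bits of a multicast address are always 1110 and the mapping
    discards the next 5 bits, so 2**5 = 32 group addresses share one MAC.
    A switch filtering on the MAC alone therefore admits all 32 of them.
    """
    value = _mac_to_int(mac)
    if value >> 24 != MAC_PREFIX or value & 0x800000:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = value & 0x7FFFFF
    groups = []
    for hidden in range(32):  # the 5 bits the MAC does not carry
        addr = (0xE << 28) | (hidden << 23) | low23
        groups.append(str(IPv4Address(addr)))
    return groups

if __name__ == "__main__":
    print(multicast_mac("224.1.1.141"))  # 0100-5e01-018d
    for g in groups_sharing_mac("0100-5e01-018d"):
        print(g)  # 224.1.1.141, 224.129.1.141, 225.1.1.141, ... 239.129.1.141
```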
  • Page 414: Rpf Mechanism For Ip Multicast Packets

    If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source...
  • Page 415 RPF Mechanism for IP Multicast Packets. ...address is the RP address of the shared tree. A multicast packet arriving at the router will be forwarded according to the multicast forwarding entry if it passes the RPF check; otherwise, it will be discarded.
  • Page 417: Static Multicast Mac Address Configuration

    MAC group. interface-number } ] } &<1-10> vlan vlan-id CAUTION: ■ Do not enable PIM on the virtual interface of the VLAN to be configured. ■ The multicast MAC address to be configured must not be a multicast MAC...
  • Page 418: Displaying And Maintaining Static Multicast Mac Address Configuration

    Ethernet 2/1/4 Configuration procedure # Enter system view <SW8800> system-view # Add a static multicast MAC address group, and add multiple ports into the static multicast address group [SW8800] mac-address multicast 0100-5e01-018d interface Ethernet 2/1/1 to Ethernet 2/1/3 vlan 2...
  • Page 419: Igmp Snooping Overview

    IGMP messages. If the switch hears IGMP host report message from an IGMP host, it will add the host to the corresponding multicast table. If the switch hears IGMP leave message from an IGMP host, it will remove the host from the corresponding multicast table.
  • Page 420 ■ MAC multicast group: The multicast group is identified with a MAC multicast address and maintained by the Ethernet switch. ■ Router port aging time: Time set on the router port aging timer. If the switch has not received any IGMP general query message when the timer times out, it no longer considers the port a router port.
  • Page 421 VLAN of the port into the MAC multicast forwarding table, and meanwhile creates an IP multicast group and adds the port that received the report message to it.
  • Page 422: Igmp Snooping Configuration

    IP multicast group, the Ethernet switch transmits the group-specific query message to the port that received the message, in order to check whether the host still has other members of this group, and meanwhile starts a maximum response timer. If the switch has not received any report message from the multicast group by the time the timer expires, the port will be removed from the corresponding MAC multicast group.
  • Page 423 ■ Ports in secondary VLANs cannot be used as source addresses of multicast. Configuring Router Port Aging Time: This task is to manually configure the router port aging time. If the switch has not received any general query message from the router before the router port ages out, it will remove the port from all MAC multicast groups.
  • Page 424 VLAN. Cancel the filtering rule of multicast groups in the specified VLAN: undo igmp-snooping group-policy. By default, no filtering rule is set for a VLAN. In this case, a host can join any multicast group.
  • Page 425 ■ If no acl-number exists, you can also configure the filtering rule of multicast groups in VLAN view. That is, this rule is not restricted by the ACL itself, and is valid for all members in the specified VLAN. Enabling/Disabling IGMP...
  • Page 426: Multicast Static Routing Port Configuration

    You can also configure a port in a VLAN to be a static routing port in the corresponding Ethernet port view. Table 419 Configure a port in a VLAN to be a static routing port in Ethernet port view Operation...
  • Page 427: Displaying And Maintaining Igmp Snooping

    Displaying and Maintaining IGMP Snooping. ■ You will fail to configure a port to be a static routing port if the VLAN identified by the vlan-id argument does not exist or the port does not belong to the VLAN. ■ You can configure multiple ports in a VLAN to be static routing ports by...
  • Page 428: Troubleshooting Igmp Snooping

    # Display the status of the VLAN10 interface, to check if PIM or IGMP is enabled on this interface. [SW8800] display current-configuration interface Vlan-interface 10 # You can enable IGMP Snooping in VLAN view only if PIM or IGMP is not running on VLAN10. [SW8800] vlan10...
  • Page 429 ■ Carry out the display igmp-snooping group command in any view to check whether the multicast group is the expected one. ■ If the multicast group created by IGMP Snooping is not correct, turn to professional maintenance personnel for help.
  • Page 431: Multicast Vlan Configuration

    Overview: With the current multicast-on-demand model, when users in different VLANs request the service, the multicast flow is duplicated in each VLAN and thus a great deal of bandwidth is wasted. To solve this problem, we provide the multicast VLAN feature.
  • Page 432: Multicast Vlan Configuration Example

    MULTICAST VLAN CONFIGURATION. Multicast VLAN Configuration Example. Network requirements: Configure a multicast VLAN so that users in VLAN 2 and VLAN 3 receive multicast flows through multicast VLAN 10. Table 422 Device number and description: Device / Description / Requirement: The IP address of the VLAN 2 interface is 168.10.1.1.
  • Page 433 [Switch B-Ethernet 1/1/10] port trunk vlan 10 [Switch B-Ethernet 1/1/10] quit # Define Ethernet 1/1/1 as a hybrid port. Add the port to VLAN 2 and VLAN 10. Make the port carry no VLAN tag when it transmits packets of VLAN 2 and VLAN 10.
  • Page 434 # Define Ethernet 1/1/2 as a hybrid port. Add the port to VLAN 3 and VLAN 10. Make the port carry no VLAN tag when it transmits packets of VLAN 3 and VLAN 10. Set the default VLAN ID of the port to VLAN 3.
  • Page 435: Common Multicast Configuration

    CAUTION: Multicast routing must be enabled before other multicast configurations can take effect. Configuring Multicast Routing Table Size Limit: Because too many multicast routing table entries may exhaust the router memory, you need to limit the size of the multicast routing table.
  • Page 436 { null NULL-interface-number | interface-type interface-number } } * } Clearing Route Entries from the Kernel Multicast Routing Table: You can clear route entries from the kernel multicast routing table, as well as MFC forwarding entries, via the following command. Perform the following configuration in user view.
  • Page 437: Managed Multicast Configuration

    Overview: The managed multicast feature controls users' authority to join multicast groups. This feature is based on ports: users must first pass the 802.1x authentication set for their ports. Then they are allowed to join the multicast groups specifically configured for them, but are prohibited from joining any multicast group they are not authorized to join.
  • Page 438 Configuration Example. Network requirements: As shown in Figure 107, HostA and HostB join the multicast group. Layer 3 multicast is enabled on LSA, LSB, LSC and LSD. Managed multicast is enabled on LSA and LSC. Because managed multicast combines multicast with 802.1x, 802.1x must be enabled on LSA and LSC.
  • Page 439: Configuring Broadcast/Multicast Suppression

    Configuring Broadcast/Multicast Suppression # Create a local-user in system view. Then set the password and service type for the user. [SW8800] local-user liu [3Com-luser-liu] password simple aaa [3Com-luser-liu] service-type lan-access # In user view, configure the allowed multicast group for the user to join.
  • Page 440: Displaying And Debugging Common Multicast Configuration

    Operation / Command: Display the multicast routing table: display multicast routing-table [ group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface { vlan-interface vlan-interface-number | register } ]* display multicast forwarding-table [ group-address [ mask {...
  • Page 441: Igmp Configuration

    All hosts participating in multicast must implement IGMP. Hosts participating in IP multicast can join and leave a multicast group at any time. The number of members of a multicast group can be any integer and the location of them can be anywhere.
  • Page 442: Introduction To Igmp Proxy

    In Version 2, when a host intends to leave, it sends a leave group message if it was the host that responded to the latest membership query message.
  • Page 443 Switch B is configured as follows: ■ Multicast is enabled. ■ PIM and IGMP are configured on the interfaces of VLAN 100 and VLAN 200. ■ The interface of VLAN 100 is configured as the IGMP proxy interface of the...
  • Page 444: Igmp Configuration

    ■ Switch A processes the message after receiving the IGMP message sent by Switch B through the interface of VLAN 100, just as if the message had been sent by a host directly connected to the interface of VLAN 100. The procedures to process IGMP normal group or specific group querying...
  • Page 445 By default, IGMP is disabled on the interface. CAUTION: ■ If VLAN VPN is enabled on a port, the IGMP Snooping feature cannot be enabled on the VLAN for the port, and the IGMP feature cannot be enabled on the corresponding interface either.
  • Page 446 By default, IGMP Version 2 is used. CAUTION: The system does not support automatic switching between different IGMP versions. Therefore, all routers on a subnet must be configured to run the same IGMP version. Configuring the Interval...
  • Page 447 (querier for short) sends query messages on the interface regularly. If a non-querier router fails to receive messages from the querier within a period of time, it deems that the querier has failed and takes over the job of the original querier.
  • Page 448 By default, the maximum query response time is 10 seconds. Configuring the limit of IGMP groups on an interface: If there is no limit to the number of IGMP groups added on a router interface or a router, the router memory may be exhausted, which may cause router failure.
  • Page 449 For an Ethernet switch, you can configure a port in a switch interface to join a multicast group. Perform the following configuration in the corresponding view.
  • Page 450 Cancel the filtering rule of multicast groups in undo igmp-snooping group-policy the specified VLAN By default, no filtering rule is set for a VLAN. In this case, a host can be joined to any multicast group. CAUTION: If an inexistent acl-number is bound to the VLAN, or if the bound acl-number is ■...
  • Page 451 ■ When you configure IGMP fast leave on aggregation ports, the configuration takes effect only on primary aggregation ports. ■ If you have added an IGMP V1 host of the same multicast group to the port, or configured a static host of the same multicast group by using the igmp...
  • Page 452 [SwitchB-Vlan-interface 100] igmp enable [SwitchB-Vlan-interface 100] pim dm [SwitchB-Vlan-interface 100] quit # Configure the interface of VLAN 100 to be the IGMP proxy interface of the interface of VLAN 200. [SwitchB] interface vlan-interface 200 [SwitchB-Vlan-interface 200] igmp proxy Vlan-interface 100...
  • Page 453: Displaying And Debugging Igmp

    # Enable IGMP and PIM-DM for the interface of VLAN 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface 100] igmp enable [SwitchA-Vlan-interface 100] pim dm # Configure Vlan-interface 100 so that it will not use the IP address 33.33.33.2 as a PIM neighbor [SwitchA-Vlan-interface 100] pim neighbor-policy 2001 [SwitchA-Vlan-interface 100] quit [SwitchA] acl number 2001 [SwitchA-acl-basic-2001] rule deny source 33.33.33.2 0...
  • Page 454 Chapter 42: IGMP Configuration...
  • Page 455: Pim-Dm C

    (S, G) entry and then flood the data to all downstream PIM-DM nodes. If the RPF check fails, that is, the multicast packets arrive on the wrong interface, the packets are discarded. After this process, an (S, G) entry is created in the PIM-DM multicast domain.
  • Page 456: Pim-Dm Configuration

    RIP and OSPF. Assert mechanism: As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S. In this case, when they receive a multicast packet sent from multicast source S, they will both forward the packet to the LAN.
  • Page 457 (PIM-DM) protocol or protocol independent multicast-sparse mode (PIM-SM) protocol is enabled in interface view. ■ When you configure the time interval for a port to send Hello packets, the pim neighbor hold-time value automatically turns into 3.5 times the time interval value.
  • Page 458 Maximum Number of PIM Neighbor on an Interface: ...avoid exhausting the memory of the router or router faults. The maximum number of PIM neighbors of a router is defined by the system, and is not open for modification. Perform the following configuration in the interface view.
  • Page 459: Displaying And Debugging Pim-Dm

    Display the PIM multicast routing table: | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | source-address [ mask { mask-length | mask } ] } * } |...
  • Page 460: Pim-Dm Configuration Example

    { alert | all | mbr | mrt | timer | warning | { debugging recv | send } { all | assert | graft | graft-ack | join | prune } } undo debugging pim dm { alert | all | mbr | mrt | timer |...
  • Page 461 [SW8800] interface vlan-interface 12 [3Com-vlan-interface12] ip address 2.2.2.2 255.255.0.0 [3Com-vlan-interface12] pim dm [3Com-vlan-interface12] quit [SW8800] interface vlan-interface 20 [3Com-vlan-interface20] ip address 3.3.3.2 255.255.0.0 [3Com-vlan-interface20] igmp enable [3Com-vlan-interface20] pim dm You should enable PIM-DM on all equal-cost routes if there are any.
  • Page 462 Chapter 43: PIM-DM Configuration...
  • Page 463: Pim-Sm C

    Different from the flood & prune principle of the dense mode, PIM-SM assumes that no host needs to receive multicast packets unless there is an explicit request for them.
  • Page 464 Chapter 44: PIM-SM Configuration ...sent to leaf routers along the path built and then reach the hosts. In this way, an RP-rooted tree (RPT) is built as shown in Figure 8-1. Figure 112 RPT schematic diagram: Multicast Source S...
  • Page 465: Pim-Sm Configuration

    ■ Clearing multicast route entries from PIM routing table ■ Clearing PIM neighbor CAUTION: At least one router in an entire PIM-SM domain should be configured with C-RPs and C-BSRs. Enabling Multicast: Refer to “Enabling Multicast Routing”.
  • Page 466 Candidate-RPs: In PIM-SM, the shared tree built by multicast routing data is rooted at the RP. There is a mapping from a multicast group to an RP. A multicast group can be mapped to only one RP. Different multicast groups can be mapped to the same RP or to different RPs.
  • Page 467 Remove the candidate-RP configured: undo c-rp { interface-type interface-number | all }. When configuring an RP, if the range of the served multicast groups is not specified, the RP serves all multicast groups. Otherwise, it serves only the multicast groups in the specified range.
  • Page 468 Cancel the configured filter of messages: undo register-policy. If an entry of a source group is denied by the ACL, or the ACL defines no action for it, or there is no ACL defined, the RP sends RegisterStop messages to the DR to prevent the register process of the multicast data stream.
  • Page 469: Displaying And Debugging Pim-Sm

    Enable the PIM-SM debugging: { all | mbr { alert | fresh } | verbose | mrt | msdp | timer { assert | bsr | crpadv | jp | jpdelay | mrt | probe | spt } | warning | { recv | send } { assert | bootstrap | crpadv | jp...
  • Page 470 Configuration procedure: Configure LSA. # Enable PIM-SM. <SW8800>system-view System View: return to User View with Ctrl+Z. [SW8800] multicast routing-enable [SW8800] vlan 10 [3Com-vlan10] port ethernet 2/1/2 to ethernet 2/1/3 [3Com-vlan10] quit [SW8800] interface vlan-interface 10 [3Com-vlan-interface10] igmp enable...
  • Page 471 # Configure PIM domain border. [SW8800] interface vlan-interface 12 [3Com-vlan-interface12] pim bsr-boundary After VLAN-interface 12 is configured as the domain border, the LSD is excluded from the local PIM domain and can no longer receive the BSR information transmitted from LSB.
  • Page 472 [3Com-vlan-interface11] pim sm [3Com-vlan-interface11] quit [SW8800] vlan 12 [3Com-vlan12] port ethernet 2/1/6 to ethernet 2/1/7 [3Com-vlan12] quit [SW8800] interface vlan-interface 12 [3Com-vlan-interface12] igmp enable [3Com-vlan-interface12] pim sm [3Com-vlan-interface12] quit You should enable PIM-SM on all equal-cost routes if there are any.
  • Page 473: Msdp C

    PIM-SM as their intra-domain multicast routing protocol. An RP configured with an MSDP peer notifies all of its MSDP peers of the active multicast sources in its domain via SA (Source Active) messages. In this way, multicast source information in one PIM-SM domain is transmitted to another PIM-SM domain.
  • Page 474 Besides, the RP in domain 1 encapsulates the first received multicast data into this SA message. If there is any group member in the domain of an MSDP peer (in the figure, it is PIM-SM domain 3), the RP in this domain sends the multicast data encapsulated in the SA message to group members along the RPT and the join message to multicast source.
  • Page 475 If the SA message is from an MSDP peer that is the RP of the multicast source, as from Switch A to Switch B, it is received and forwarded to other peers. If the SA message is from an MSDP peer that has only one peer, as from Switch B to Switch A, it is received.
  • Page 476: Msdp Configuration

    If the SA message is sent from an MSDP peer in a different domain which is the next autonomous domain along the optimal path to the RP in the domain of the source, as from Switch D to Switch F, it is received and forwarded to other peers.
  • Page 477 The command to add a description is optional. If the local router is also in a BGP peer relationship with an MSDP peer, the MSDP peer and the BGP peer should use the same IP address. Not every pair of routers between which an MSDP peer relationship has been established must run BGP or MBGP, as long as there is a BGP or MBGP route between them.
  • Page 478 Configuring Originating RP: During the creation of an SA message, an MSDP peer can be configured to use the IP address of a specified interface as the RP address in its SA message. Please perform the following configurations in MSDP view.
  • Page 479 Restore the default configuration undo peer peer-address request-sa-enable The SA request message sent by a local RP will get the immediate response about all active sources. By default, the router does not send SA request message to its MSDP peer when receiving the join message of a group.
  • Page 480 Information Forwarded source information besides that of creating source information. The outbound filter or time to live (TTL) threshold of SA messages can be used to control the SA message forwarding. By default, all SA messages are forwarded to other MSDP peers.
  • Page 481 Group message flooding shall be prevented. In a Mesh group, the SA messages from outside the group are forwarded to other members in the group, but the SA messages from peers inside the group neither undergo Peer-RPF check nor are forwarded within the group. In this case, the overflow of SA messages is avoided and Peer-RPF is simplified, as BGP or MBGP is not required between MSDP peers.
  • Page 482: Displaying And Debugging Msdp

    Tracing the Transmission Path of SA Messages on the Network The msdp-tracert command can be used in any view to trace the network path of multicast data from multicast source to destination receiver and locate faults.
  • Page 483: Msdp Configuration Examples

    Locating information loss and reducing configuration faults can be achieved by tracing the network path of the specified (S, G, RP) entries. After the transmission path of SA messages is determined, the overflow of SA messages can be avoided by correct configuration.
  • Page 484 To configure Anycast RP in the PIM-SM domain, establish MSDP peer relationship between Switch A and Switch B; use the address of loopback0 on Switch A and Switch B to send SA messages outside; set Loopback10 interface on Switch A and Switch B as BSR/RP and configure the Anycast RP address.
  • Page 485 # Configure the IP address of interface loopback0. [SwitchB] interface loopback0 [SwitchB-LoopBack0] ip address 10.10.1.1 255.255.255.255 [SwitchB-LoopBack0] quit # Configure the IP address of interface loopback10 and enable IGMP and PIM-SM. [SwitchB] interface loopback10 [SwitchB-LoopBack10] ip address 10.1.1.1 255.255.255.255 [SwitchB-LoopBack10] igmp enable...
  • Page 486 45: MSDP C HAPTER ONFIGURATION [SwitchB-LoopBack10] pim sm [SwitchB-LoopBack10] quit # Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. [SwitchB] interface Vlan-interface10 [SwitchB-Vlan-interface10] ip address 10.10.2.1 255.255.255.0 [SwitchB-Vlan-interface10] igmp enable [SwitchB-Vlan-interface10] pim sm [SwitchB-Vlan-interface10] undo shutdown [SwitchB-Vlan-interface10] quit # Configure the IP address of Vlan-interface20 and enable IGMP and PIM-SM.
  • Page 487 # Configure the IP address of interface loopback0. [SwitchA] interface loopback0 [SwitchA-LoopBack0] ip address 10.21.1.1 255.255.255.255 [SwitchA-LoopBack0] quit # Configure the IP address of interface loopback10 and enable IGMP and PIM-SM. [SwitchA] interface loopback10 [SwitchA-LoopBack10] ip address 10.1.1.1 255.255.255.255 [SwitchA-LoopBack10] igmp enable...
  • Page 488 Network requirement: In the following network, enable MSDP and configure an Anycast RP in PIM-SM domain 1; establish MSDP peer relationships among RPs across PIM-SM domains; and use MBGP between domains. For the related commands, refer to 9.4 “MBGP Multicast Extension Configuration Example”.
  • Page 489 # Configure the IP address of interface loopback10 and enable PIM-SM. [SwitchA] interface loopback10 [SwitchA-LoopBack10] ip address 10.1.1.1 255.255.255.255 [SwitchA-LoopBack10] pim sm [SwitchA-LoopBack10] quit # Configure the IP address of Vlan-interface30 and enable IGMP and PIM-SM. [SwitchA] interface Vlan-interface30 [SwitchA-Vlan-interface30] ip address 10.25.2.3 255.255.255.0 [SwitchA-Vlan-interface30] igmp enable [SwitchA-Vlan-interface30] pim sm...
  • Page 490 System View: return to User View with Ctrl+Z. [SwitchE] vlan 10 [SwitchE-vlan10] port ethernet1/1/2 [SwitchE-vlan10] quit [SwitchE] vlan 20 [SwitchE-vlan20] port ethernet1/1/3 [SwitchE-vlan20] quit # Enable multicast. [SwitchE] multicast routing-enable # Configure the IP address of interface loopback0 and enable PIM-SM.
  • Page 491 # Configure the IP address of interface loopback10 and enable PIM-SM. [SwitchE] interface loopback10 [SwitchE-LoopBack10] ip address 10.1.1.1 255.255.255.255 [SwitchE-LoopBack10] pim sm [SwitchE-LoopBack10] quit # Configure the IP address of Vlan-interface10 and enable IGMP and PIM-SM. [SwitchE] interface Vlan-interface10 [SwitchE-Vlan-interface10] ip address 10.26.2.3 255.255.255.0 [SwitchE-Vlan-interface10] igmp enable [SwitchE-Vlan-interface10] pim sm...
  • Page 492 [SwitchE-msdp] originating-rp loopback0 [SwitchE-msdp] quit [SwitchE] ip route-static 10.29.1.1 255.255.255.0 Vlan-interface20 # Configure C-RP and BSR. [SwitchE] pim [SwitchE-pim] c-rp loopback 10 [SwitchE-pim] c-bsr loopback 0 30 The configuration on the switches other than SwitchA and SwitchE is omitted here.
  • Page 493: Mbgp Multicast Extension Overview

    To construct inter-domain multicast routing trees, you need to know the unicast routing information as well as the information of multicast-supporting parts of the network, namely, the multicast network topology.
  • Page 494: Mbgp Multicast Extension Configuration

    ■ Send the next hop information about the new protocol with the same coding mode as that of NLRI. ■ Enable the router to report part or all of the SNPAs (Sub-network Points of Attachment) saved in the local system.
  • Page 495 ■ Only configuration tasks in IPv4 multicast sub-address family view are detailed below. Other tasks configured in BGP or system view are only briefed. For the detailed configuration, refer to the BGP Configuration and IP Routing policy sections of the Routing Protocol part.
  • Page 496 MBGP peer groups are used to simplify configuration. When configuring MBGP peers (groups), you can create and configure a peer group in BGP view and then add the peers into the group, since all peers in a group share the group's configuration.
  • Page 497 By default, there is no route reflector in an AS. It is generally unnecessary to configure this command for a peer group. This command is reserved for occasional compatibility with the network equipment of other vendors.
  • Page 498 Remove outgoing policy configuration: ...acl-number export. By default, a peer (group) does not perform route filtering based on the IP ACL. Configuring AS-path-list-based route filtering policy for a peer (group): Please perform the following configurations in IPV4 multicast sub-address family...
  • Page 499 Remove outgoing policy configuration: { group-name | peer-address } as-path-acl acl-number export. By default, a peer (group) does not perform route filtering based on the AS path list. Configuring prefix-list-based route filtering policy for a peer (group): Please perform the following configurations in IPV4 multicast sub-address family view.
  • Page 500 Route reflectors solve this problem. The core idea is to specify a router as the focus of the internal sessions. Multiple MBGP multicast routers can be peers of one central point, namely the route reflector, which in turn creates peer relationships with other reflectors.
  • Page 501: Displaying And Debugging Mbgp Configuration

    All switches are configured with MBGP. The IGP in AS200 uses OSPF. Switch A is in AS100 and serves as the MBGP neighbor of Switch B and Switch C in AS200. Switch B and Switch C run IBGP with Switch D in AS200. Switch D is also in AS200.
  • Page 502 Chapter 46: MBGP Multicast Extension Configuration. Network diagram: Figure 119 Network diagram for MBGP path selection configuration. Configuration procedure: Configure Switch A: <SwitchA> system-view System View: return to User View with Ctrl+Z. [SwitchA] vlan 20 [SwitchA-vlan20] port ethernet1/1/2 [SwitchA-vlan20] quit [SwitchA] interface vlan-interface 20 [SwitchA-Vlan-interface20] ip address 192.1.1.1 255.255.255.0...
  • Page 503 [SwitchA] route-policy set_med_100 permit node 10 [SwitchA-route-policy] if-match acl 2000 [SwitchA-route-policy] apply cost 100 ■ Apply the routing policy set_med_50 to the exported route updates of Switch C (193.1.1.2). Apply the routing policy set_med_100 to the exported route updates of Switch B (192.1.1.2).
  • Page 504 [SwitchC] acl number 2000 [SwitchC-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255 [SwitchC-acl-basic-2000] quit ■ Define the routing policy named "localpref". Set the local preference for the routes matching ACL 2000 to 200, and otherwise, to 100. [SwitchC] route-policy localpref permit node 10...
  • Page 505 [SwitchD-bgp] undo synchronization [SwitchD-bgp] group d1 internal [SwitchD-bgp] peer 194.1.1.2 group d1 [SwitchD-bgp] peer 195.1.1.2 group d1 [SwitchD-bgp] ipv4-family multicast [SwitchD-bgp-af-mul] peer d1 enable To make the configuration effective, you need to use the reset bgp all command on all MBGP neighbors.
  • Page 506 Chapter 46: MBGP Multicast Extension Configuration...
  • Page 507: Mpls A

    The 3Com Switch 8800 Family Series Routing Switches (hereinafter referred to as Switch 8800 Family series) running MPLS can serve as routers. Routers mentioned in this manual can be either a router in the usual sense or a layer 3 Ethernet switch running MPLS.
  • Page 508 (LIB). In simple words, label mapping is to assign a label to a FEC. The second type is also called incoming label mapping (ILM), that is, to map each input label to a series of next hop label forwarding entries (NHLFE). The packets are forwarded along the paths based on the mapping results.
  • Page 509 In ordered control mode, an LSR can send label mapping messages upstream only when it receives a specific label mapping message for the next hop of a FEC or the LSR serves as the LSP (Label Switching Path) egress node.
  • Page 510: Mpls Architecture

    Suppose there are two LSRs: Ru and Rd. For a specific FEC, if LSR Ru has received the label binding from LSR Rd and Rd is not the next hop of Ru, then Ru keeping this binding is liberal label retention mode, and Ru discarding this binding is conservative label retention mode.
  • Page 511 Packets in the same FEC pass through the same path (that is, LSP) in MPLS area. LSR assigns a short label of fixed length for the incoming FEC packet, and then forwards it through the corresponding interface.
  • Page 512 LSR, the label map message is sent back to its upstream LSR only if it has received the label map message from its downstream LSR. And when the independent label control mode...
  • Page 513 If the depth of the label stack for a packet is m, it indicates that the label at the bottom of that stack is level 1 label, and the label at the top of the stack is level m label. A packet with no label can be regarded as a packet with empty label stack,...
  • Page 514 The basic structure of MPLS-based VPN is shown in Figure 125. CE is the customer edge device, and it may either be a router or a switch, or perhaps a host. PE is a service provider edge router, which is located on the backbone network. PE is...
  • Page 515: Mpls Basic Capability Configuration

    Defining MPLS LSR ID Before configuring any other MPLS command, it is necessary to first configure the LSR ID. This ID is usually in IP address format and must be unique in the domain. Perform the following configuration in the system view.
  • Page 516 By default, LSR ID is not defined. Enabling MPLS and Entering MPLS View: In system view, you can first enable MPLS globally and enter MPLS view using the mpls command. Then you can directly enter MPLS view after using the mpls command in system view.
  • Page 517: Ldp Configuration

    By default, the labels of all destination addresses are advertised to all LDP peers. Configuring Static LSP You can manually set an LSR to be a node along an LSP, and place a limit on the traffic over the LSP. Depending on the position in an MPLS domain, an LSR along an LSP can be the ingress node, an intermediate node (also called transit node), or the egress node.
  • Page 518 It begins to set up LSPs if in topology-driven mode. Disabling the LDP function on an interface breaks all LDP sessions on the VLAN interface, and all LSPs based on those sessions are deleted. So you must use this command with caution.
  • Page 519 remoteip: the IP address of the remote peer. It should be the LSR ID of the peer. Configuring session hold-time parameters: The LDP entity on the interface sends Hello packets periodically to discover LDP peers, and established sessions must also be maintained by periodic messages (if there is no other LDP message, a Keepalive message must be sent).
  • Page 520 ID is contained in this record. If not, the router adds its ID to the record; if yes, it indicates that a loop exists and the process of establishing the LSP is terminated.
  • Page 521: Displaying And Debugging Mpls Basic Capability

    Debugging MPLS After accomplishing the configuration tasks mentioned previously, you can execute the display command in any view to view the running state of a single or all the static LSPs and thus to evaluate the effect of the configurations.
  • Page 522 Displaying MPLS-enabled interfaces After accomplishing the configuration tasks mentioned previously, you can execute the display command in any view to view the information related to the MPLS-enabled interfaces and thus to evaluate the effect of the configurations. Table 516 Display information of the MPLS-enabled interfaces...
  • Page 523: Typical Mpls Configuration Example

    After accomplishing the configuration tasks described earlier, you can execute the display command in any view to view the running state of LDP and thus to evaluate the effect of the configurations. Table 520 Display LDP...
  • Page 524 48: MPLS B HAPTER ASIC APABILITY ONFIGURATION The four switches all support MPLS, and LSP can be established between any two switches with the routing protocol OSPF.LDP establishes LSP by using routing information of OSPF. Network diagram Figure 126 Network diagram...
  • Page 525 Typical MPLS Configuration Example [SW8800] mpls lsr-id 172.17.1.1 [SW8800] mpls [3Com-mpls] quit [SW8800] mpls ldp # Configure IP address and enable MPLS and LDP for VLAN interface 201. [SW8800] vlan 201 [3Com-vlan201] port gigabitethernet 2/1/1 [3Com-vlan201] quit [SW8800] interface vlan-interface 201 [3Com-Vlan-interface201] ip address 168.1.1.2 255.255.0.0...
  • Page 526: Troubleshooting Mpls Configuration

    Solution: Check loop detection configuration at both ends to see if one end is configured while the other end is not (this will result in session negotiation failure). Cause 2: Local machine cannot get the route to peer LSR ID, so TCP connection cannot be set up and session cannot be established.
  • Page 527 Solution: The default address for session transfer is the MPLS LSR ID. The local machine should advertise the LSR ID route (often the Loopback address) and learn the peer LSR ID route.
  • Page 528 Chapter 48: MPLS Basic Capability Configuration...
  • Page 529: Bgp/Mpls Vpn C

    Overview: Traditional VPN, for which layer 2 tunneling protocols (L2TP, L2F, PPTP, and so on) or layer 3 tunnel technology (IPSec, GRE, and so on) is adopted, is a great success and is therefore widely used. However, along with the increase in the size of VPNs, the deficiency of traditional VPN in such aspects as scalability and manageability becomes more and more obvious.
  • Page 530 Nested BGP/MPLS VPN model In a basic BGP/MPLS VPN model, the PEs are in the network of the service provider and are managed by the service provider. When a VPN user wants to subdivide the VPN into multiple VPNs, the traditional solution is to configure these VPNs directly on the PEs of the service provider.
  • Page 531 Basic concepts in BGP/MPLS VPN 1 VPN-instance VPN-instance is an important concept in VPN routing in MPLS. In an MPLS VPN implementation, each site corresponds to a specific VPN-instance on the PE (the association is implemented by binding the VPN-instance to the VLAN interface). If subscribers on one site belong to multiple VPNs, then the corresponding VPN-instance includes information about all these VPNs.
  • Page 532 A VPN is just a private network, so the same IP address can be used to indicate different sites. But the IP address is assumed to be unique when MP-BGP advertises CE routes between PE routers, so routing errors may occur because the address has different meanings in the two systems.
  • Page 533 By using the VPN Target attribute to filter routing information received at the PE router, routes for other VPNs will not appear in the VPN’s routing table, so CE-transmitted data is forwarded only within the VPN.
  • Page 534 Exterior-layer label, known as LSP initialization label, distributed by MPLS LDP, is at the top of the label stack and indicates an LSP from the ingress PE to egress PE. By the switching of exterior-layer label, VPN packets can be forwarded along the LSP to the peer PE.
  • Page 535 UPE and SPE are relative concepts. In a multi-layer PE architecture, an upper layer PE is an SPE for its lower layer PE, and a lower layer PE is a UPE for its upper layer PE. The MBGP running between SPE and UPE can be either MP-IBGP or MP-EBGP,...
  • Page 536 Introduction to OSPF Multi-instance: As one of the most popular IGP routing protocols, OSPF is used as an internal routing protocol in many VPNs. Using OSPF on PE-CE links is convenient because CE routers then only need to support OSPF, without needing other protocols, and network administrators only have to know the OSPF protocol.
  • Page 537: Bgp/Mpls Vpn Configuration

    Introduction to Multi-Role Host: The VPN attribute of packets from a CE to its PE depends on the VPN bound to the ingress interface. This in fact means that all the CEs whose traffic the PE forwards through the same ingress interface belong to the same VPN; but in actual network environments, a CE may need to access multiple VPNs through one physical interface.
  • Page 538 | gateway-address ] [ preference preference-value ] (static route). By default, the preference value for a static route is 60. You can also specify a preference for a static route. Configuring RIP: If you select RIP mode for CE-PE route switching, you should then configure RIP on...
  • Page 539 Configuring OSPF If you select OSPF mode for CE-PE route switching, you should then configure OSPF on CE. For configuring OSPF, see the routing protocol part in 3Com Switch 8800 Family Series Routing Switches Operation Manual Volume II. You must configure OSPF multi-instance to isolate services of different VPNs on CE router, which is now called Multi-VPN-Instance CE.
  • Page 540 By default, no VPN-instance is defined. 1 Configure RD for the vpn-instance After PE router is configured with RD, when a VPN route learned from CE is imported into BGP, BGP attaches the RD in front of the IPv4 address. Then the...
  • Page 541 Remove the maximum number limitation undo routing-table limit Integer is in the range of 1 to 65536 and alarm-integer is in the range of 1 to 100. Changing the maximum route limit for VPN-instance will not affect the existing routing table. To make the new configuration take effect immediately, you should rebuild the corresponding routing protocol or perform shutdown/undo shutdown operation on the corresponding interface.
  • Page 542 Ethernet ports By default, the vlan-id range of MPLS/VPN VLANs is from 0 to 1023, and the default value of vlan-id is 0. The value range of vlan-id is from 1 to 3071. CAUTION: ■ This command can only be executed on Trunk ports, and MPLS/VPN-enabled...
  • Page 543 These route exchanging modes are available between PE and CE: static route, RIP, OSPF, EBGP. 1 Configure static route on PE You can configure a static route pointing to CE on PE for it to learn VPN routing information from CE. Perform the following configuration in the system view.
  • Page 544 Chapter 49: BGP/MPLS VPN Configuration. By default, the preference value for a static route is 60. You can also specify another preference for the static route you are configuring. 2 Configure RIP multi-instance: If you select RIP mode for CE-PE route switching, you should then specify the running environment for the RIP instance on PE.
  • Page 545 Tag value; by default, the first two bytes are fixed, that is, 0xD000, and the last two bytes are the AS number of the local BGP. For example, if the AS number of the local BGP is 100, then its default tag value is 3489661028 in decimal notation.
  • Page 546 Delete a Sham-link undo sham-link source-addr destination-addr By default, the cost value is 1, dead value is 40 seconds, hello value is 10 seconds, retransmit value is 5 seconds and trans-delay value is 1 second. 4 Configure EBGP on PE If you select EBGP between PE and CE, you should configure a neighbor for each VPN in VPN instance address family sub-view, and import IGP route of CE.
  • Page 547 PE must import the VPN routing information of the directly connected CE into its MBGP routing table. For example, if a static route is used between PE and CE, PE must import a static route in VPN-instance address family sub-view of MBGP (import-route static). If RIP is run between PE and CE, PE must import a RIP route in VPN-instance view of MBGP (import-route rip).
  • Page 548 32 bits. Step 3: Permit BGP session over any operable TCP interface. In general, BGP uses the best local address for the TCP connection. To keep the TCP connection available even when the interface involved fails, you can perform the following configuration to permit a BGP session over any interface through which a TCP connection with the peer can be set up.
  • Page 549 Step 3: Configure the local address as the next hop in route advertisement (optional). Since nothing is configured by default, you must explicitly add this configuration command when configuring MBGP between PEs. Perform the following configuration in VPNv4 sub-address family view.
  • Page 550: Displaying And Debugging Bgp/Mpls Vpn

    Chapter 49: BGP/MPLS VPN Configuration. This command adds a default route that uses the local address as the next hop on the PE SPE (system processing engine). Perform the following configuration in VPNv4 sub-address family view. Table 551 Advertise default route to the peer (group)
  • Page 551 Disable the debugging mp-update | open | packet | update | route-refresh } [ receive | send | verbose ] } { all | event | normal | update } Displaying MPLS L3VPN-LSP information Table 557 Display MPLS L3VPN-LSP information...
  • Page 552: Typical Bgp/Mpls Vpn Configuration Example

    ■ Subscribers in different VPNs cannot access each other. The VPN-target attribute for VPNA is 111:1 and that for VPNB is 222:2. ■ The PEs and P are 3Com switches supporting MPLS, and CEs are common layer 3 switches. The configuration in this case is focused on: Configure EBGP to exchange VPN routing information between CEs and PEs.
  • Page 553 [CE1-bgp] peer 168.1.1.2 group 168 as-number 100 [CE1-bgp] import-route direct [CE1-bgp] import-route static The configuration on the other three CE switches (CE2 to CE4) is similar to that on CE1; the details are omitted here. 2 Configure PE1 # Configure vpn-instance for VPNA on PE1, as well as other associated attributes to control advertisement of VPN routing information.
  • Page 554 [PE1-Vlan-interface201] ip address 172.1.1.1 255.255.0.0 [PE1-Vlan-interface201] mpls [PE1-Vlan-interface201] mpls ldp enable [PE1-Vlan-interface201] quit # Enable OSPF on the interface connecting PE1 and P and on the Loopback interface, import direct-connect routes. Achieve inter-PE communication. [PE1] ospf [PE1-ospf-1] area 0 [PE1-ospf-1-area-0.0.0.0] network 172.1.0.0 0.0.255.255 [PE1-ospf-1-area-0.0.0.0] network 202.100.1.1 0.0.0.0...
  • Page 555 [P-ospf-1] import-route direct 4 Configure PE3 The configuration on PE3 is similar to that on PE1; pay particular attention to the VPN routing attribute settings on PE3, which show how to control advertisement of the same VPN routing information (with the same VPN-target) over the MPLS network.
  • Page 556 [PE3] interface Vlan-interface 201 [PE3-Vlan-interface201] ip address 172.3.1.1 255.255.0.0 [PE3-Vlan-interface201] mpls [PE3-Vlan-interface201] mpls ldp enable [PE3-Vlan-interface201] quit # Enable OSPF on the interface connecting PE3 and P and the Loopback interface, import direct-connect routes. [PE3] ospf [PE3-ospf-1] area 0 [PE3-ospf-1-area-0.0.0.0] network 172.3.0.0 0.0.255.255 [PE3-ospf-1-area-0.0.0.0] network 202.100.1.3 0.0.0.0...
  • Page 557 [PE3-bgp-af-vpn] peer 202.100.1.1 group 202 [PE3-bgp-af-vpn] quit 5 Configure PE2 and PE4 The configuration of PE2 and PE4 is similar to that of PE1 and PE3. The details are omitted here. Extranet Configuration Example Network requirements Company A and Company B are located at City A and City B respectively.
  • Page 558 CEs. For these details refer to the former example. 1 Configure PE-A: # Configure VPN-instance 1 for VPN1 on PE-A, so that it can send and receive VPN routing information of VPN-target 111:1. [PE-A] ip vpn-instance vpn-instance 1...
  • Page 559 [PE-A-bgp-af-vpn] peer 20.1.1.1 group 20 [PE-A-bgp-af-vpn] quit 2 Configure PE-C. # Create a VPN-instance 2 on PE-C, so that it can send and receive VPN routing information of VPN-target 111:1 and 222:2. [PE-C] ip vpn-instance vpn-instance 2 [PE-C-vpn-2] route-distinguisher 100:2...
  • Page 560 [PE-C-bgp-af-vpn] peer 30 enable [PE-C-bgp-af-vpn] peer 30.1.1.1 group 30 [PE-C-bgp-af-vpn] quit 3 Configure PE-B: # Create VPN-instance 3 for VPN2 on PE-B, so that it can send and receive VPN routing information of VPN-target 222:2. [PE-B] ip vpn-instance vpn-instance 3 [PE-B-vpn-3] route-distinguisher 100:3...
  • Page 561 In Hub&Spoke networking, the VPN-target of the VPN-instance (VPN-instance3) used to advertise routes on PE1 cannot be the same as any VPN-target of the VPN-instance (VPN-instance2) used to import routes on PE1. In Hub&Spoke networking, the route-distinguisher rd2 (100:3) of VPN-instance...
  • Page 562 [PE1-vpn-vpn-instance3] route-distinguisher 100:3 [PE1-vpn-vpn-instance3] vpn-target 100:2 export-extcommunity [PE1-vpn-vpn-instance3] quit # Set up EBGP adjacency between PE1 and CE1, import intra-CE1 VPN routes learned into MBGP VPN-instance address family, with one routing loop permitted. [PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpn-instance2...
  • Page 563 [PE1-bgp] quit # Bind the VLAN interfaces connecting PE1 and CE1 to different VPN-instances: bind the interface of the VLAN to which the Ethernet port Gigabitethernet 2/1/1 belongs to VPN-instance2, and bind the interface of the VLAN to which the Ethernet port Gigabitethernet 2/1/2 belongs to VPN-instance3.
  • Page 564 [PE2-bgp-af-vpn-instance] group 172 external [PE2-bgp-af-vpn-instance] peer 172.15.1.1 group 172 as-number 65003 [PE2-bgp-af-vpn-instance] quit [PE2-bgp] quit # Bind the interface of the VLAN to which the port connecting PE2 and CE2 belongs to VPN-instance. [PE2] vlan 201 [PE2-vlan201] port gigabitethernet 2/1/1...
  • Page 565 CE3 and CE4 are single-homed; each of them is only connected to one PE. CE1 and CE3 are in one VPN, and CE2 and CE4 are in another VPN. The two VPNs cannot intercommunicate with each other.
  • Page 566 Configuration procedure The configuration of the CE router is omitted in this case; refer to Section “Integrated BGP/MPLS VPN Configuration Example”. 1 Configure PE1 # Configure two VPN-instances 1.1 and 1.2 respectively for CE1 and CE2 on PE1, set different VPN-targets for them.
  • Page 567 [PE1-bgp-af-vpn-instance] group 17211 external [PE1-bgp-af-vpn-instance] peer 172.11.11.2 group 17211 as-number 65001 [PE1-bgp-af-vpn-instance] quit [PE1-bgp] quit # Set up EBGP adjacency between PE1 and CE2 in VPN-instance 1.2, import intra-CE2 VPN routes learned into VPN-instance 1.2. [PE1-bgp] ipv4-family vpn-instance vpn-instance1.2 [PE1-bgp-af-vpn-instance] import-route direct...
  • Page 568 The configuration of PE2 is similar to that of PE1, so only VPN-instance configuration is detailed here. # Create two VPN-instances 2.1 and 2.2 respectively for CE1 and CE2 on PE2, configure different VPN-targets for them. [PE2] ip vpn-instance vpn-instance2.1 [PE2-vpn-vpn-instance2.1] route-distinguisher 1.1.1.1:1...
  • Page 569 Only the VPN-instance configuration of PE3 is detailed here, other configurations are similar to that of the PE1 and PE2, and are omitted here. # Create two VPN-instances 3.1 and 3.2 respectively for CE3 and CE4 on PE3, configure different VPN-targets for them.
  • Page 570 City A accesses the MPLS/VPN network of the service provider in City A, and gets AS100 as the AS number; the site in City B accesses the MPLS/VPN network of the service provider in City B, and gets AS200 as the AS number. The VPN goes through two ASs.
  • Page 571 # Configure VPN-instance. [PE1] ip vpn-instance vpna [PE1-vpn-vpna] route-distinguisher 100:1 [PE1-vpn-vpna] vpn-target 100:1 both [PE1] ip vpn-instance vpnb [PE1-vpn-vpnb] route-distinguisher 100:2 [PE1-vpn-vpnb] vpn-target 100:2 both # Configure VLAN interface connecting PE1 and P1. [PE1] vlan 205 [PE1-vlan205] port gigabitethernet 2/2/1 [PE1-vlan205] quit...
  • Page 572 [PE1] interface Vlan-interface 205 [PE1-Vlan-interface205] mpls [PE1-Vlan-interface205] mpls ldp enable [PE1-Vlan-interface205] ip address 10.1.1.2 255.255.255.0 # Bind the VLAN interface with the VPN-instance. [PE1] interface Vlan-interface 201 [PE1-Vlan-interface201] ip binding vpn-instance vpna [PE1-Vlan-interface201] ip address 172.11.11.1 255.255.255.0 [PE1-Vlan-interface201] quit...
  • Page 573 [PE2-vpn-vpna] route-distinguisher 200:1 [PE2-vpn-vpna] vpn-target 100:1 both [PE2] ip vpn-instance vpnb [PE2-vpn-vpnb] route-distinguisher 200:2 [PE2-vpn-vpnb] vpn-target 100:2 both # Configure the VLAN interface connecting PE2 and P2. [PE1] vlan 205 [PE1-vlan205] port gigabitethernet 2/2/1 [PE1-vlan205] quit [PE1] interface Vlan-interface 205...
  • Page 574 [P1-bgp-af-vpn] undo policy vpn-target Cross-Domain BGP/MPLS VPN Configuration Example - Option C Network requirements CE1 and CE2 belong to the same VPN. CE1 accesses the MPLS network through PE1 in AS100; and CE2 accesses the MPLS network through PE2 in AS200.
  • Page 575 The example adopts Option C to implement a cross-domain BGP/MPLS VPN, that is, the VPN routing is managed by Multi-hop MP-EBGP, which advertises labeled VPN-IPv4 routes between PEs. Network diagram Figure 139 Network diagram for Multihop EBGP cross-domain VPN...
  • Page 576 [ASBR-PE2-ospf-1-area-0.0.0.0] network 202.200.1.1 0.0.0.0 [ASBR-PE2-ospf-1-area-0.0.0.0] quit [ASBR-PE2-ospf-1] quit 2 Configure basic MPLS capability on the MPLS backbone network to enable the network to forward VPN traffic. MPLS must be enabled between the ASBR-PEs. # Configure basic MPLS capability on PE1 and enable LDP on the interface...
  • Page 577 [PE2-mpls] lsp-trigger all [PE2-mpls] quit [PE2] mpls ldp [PE2-mpls-ldp] quit [PE2] interface vlan 310 [PE2-Vlan-interface310] mpls [PE2-Vlan-interface310] mpls ldp [PE2-Vlan-interface310] quit 3 Create a VPN instance on each PE, and bind the instance to the interface connected to the corresponding CE.
  • Page 578 [CE1] vlan 410 [CE1-vlan410] interface vlan 410 [CE1-Vlan-interface410] ip address 168.1.1.2 255.255.0.0 [CE1-Vlan-interface410] quit # Create a VPN instance on PE1 and bind it to the interface connected to CE1 [PE1] ip vpn-instance vpna [PE1-vpn-vpna] route-distinguisher 100:2 [PE1-vpn-vpna] vpn-target 100:1 both...
  • Page 579 [CE1-bgp] peer 168.1.1.1 group 20 as-number 100 [CE1-bgp] quit # Configure PE1: set up EBGP peer relation with CE1, IBGP peer relation with ASBR-PE1, and Multihop MP-EBGP peer relation with PE2. [PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpna [PE1-bgp-af-vpn-instance] group 10 external [PE1-bgp-af-vpn-instance] peer 168.1.1.2 group 10 as-number 65001...
  • Page 580 [CE2-bgp] group 10 external [CE2-bgp] peer 168.2.2.1 group 10 as-number 200 [CE2-bgp] quit # Configure PE2: set up EBGP peer relation with CE2, IBGP peer relation with ASBR-PE2, and Multihop MP-EBGP peer relation with PE1. [PE2] bgp 200 [PE2-bgp] ipv4-family vpn-instance vpna [PE2-bgp-af-vpn-instance] group 10 external [PE2-bgp-af-vpn-instance] peer 168.2.2.2 group 10 as-number 65002...
  • Page 581 SPE acts as a PE on the network at the province level, and is connected with a downstream MPLS VPN at the city level. UPE acts as a PE on the network at the city level and provides access service for the VPN clients, which are normally low-end routers.
  • Page 582 [SPE] ip vpn-instance vpn1 [SPE-vpn-vpn1] route-distinguisher 100:1 [SPE-vpn-vpn1] vpn-target 100:1 both # Configure interfaces (as far as a PE router is concerned, its Loopback 0 interface must be assigned a host address with a 32-bit mask). [SPE] vlan 201 [SPE-vlan201] port gigabitethernet 2/1/1...
  • Page 583 OSPF Multi-instance Sham-link Configuration Example Network requirements As shown in the following picture, a company connects to a WAN through the OSPF multi-instance function of a 3Com router. OSPF is bound to VPN1. The MPLS VPN backbone runs between PEs and OSPF runs between PE and CE. Configure a Sham-link between PE1 and PE2 to ensure the traffic between CE1 and CE2 does not pass through the Backdoor link that directly connects CE1 and CE2.
  • Page 584 Network diagram Figure 141 Network diagram for OSPF multi-instance (LoopBack0 addresses 1.1.1.1, 3.3.3.3 and 10.10.10.10; VLAN202 link 168.1.13.1/24 to 168.1.13.2/24; VLAN201)...
  • Page 585 [PE1-bgp] group fc internal [PE1-bgp] peer 50.1.1.2 group fc [PE1-bgp] peer 50.1.1.2 connect-interface LoopBack1 [PE1-bgp] peer 50.1.1.3 group fc # Configure BGP and import OSPF routing and direct-connect route. [PE1-bgp] ipv4-family vpn-instance vpn1 [PE1-bgp-af-vpn-instance] import-route ospf 100 [PE1-bgp-af-vpn-instance] import-route ospf-ase 100...
  • Page 586 [PE1] ospf 1000 [PE1-ospf-1000] area 0 [3Com-ospf-1000-area-0.0.0.0] network 168.12.1.0 0.0.0.255 [3Com-ospf-1000-area-0.0.0.0] network 50.1.1.1 0.0.0.0 2 Configure PE2 # Enable MPLS and LDP. [PE2] mpls lsr-id 50.1.1.2 [PE2] mpls [PE2-mpls] quit [PE2] mpls ldp # Configure VPN-instance VPN1. [PE2] ip vpn-instance vpn1...
  • Page 587 [PE2-bgp] group fc internal [PE2-bgp] peer 50.1.1.1 group fc [PE2-bgp] peer 50.1.1.1 connect-interface LoopBack1 [PE2-bgp] peer 50.1.1.3 group fc # Configure VPN-instance and import OSPF and direct-connect route. [PE2-bgp] ipv4-family vpn-instance vpn1 [PE2-bgp-af-vpn-instance] import-route direct [PE2-bgp-af-vpn-instance] import-route ospf-nssa 100 [PE2-bgp-af-vpn-instance] import-route ospf-ase 100...
  • Page 588 And this VPN is divided into three sub-VPNs: VPN1, VPN2 and VPN3. Some of the nodes of these sub-VPNs directly access a PE in the network, and some access a PE through the parent VPN. That is, the adopted network structure is asymmetrical.
  • Page 589 Configuration procedure This procedure omits part of the configuration for the CE router. 1 Configure IGP on the service provider’s backbone network. # Configure prov_pe1. <SW8800> system-view [SW8800] sysname prov_pe1 [prov_pe1] interface LoopBack0 [prov_pe1-LoopBack0] ip address 5.5.5.5 255.255.255.255...
  • Page 590 [prov_pe2-bgp] peer 5.5.5.5 connect-interface LoopBack0 [prov_pe2-bgp] ipv4-family vpnv4 [prov_pe2-bgp-af-vpn] peer ibgp enable [prov_pe2-bgp-af-vpn] peer ibgp next-hop-local [prov_pe2-bgp-af-vpn] peer 5.5.5.5 group ibgp [prov_pe2-bgp-af-vpn] quit [prov_pe2-bgp] quit 2 Create a VPN instance on provider PEs to access customer PEs and directly connected user CEs.
  • Page 591 [prov_pe1-Vlan-interface310] ip address 1.1.1.2 255.0.0.0 [prov_pe1- Vlan-interface310] mpls [prov_pe1- Vlan-interface310] quit [prov_pe1] interface vlan 210 [prov_pe1-Vlan-interface210] ip binding vpn-instance vpn1 [prov_pe1- Vlan-interface210] ip address 18.1.1.1 255.0.0.0 [prov_pe1- Vlan-interface210] quit # Configure prov_pe2. [prov_pe2] ip vpn-instance customer_vpn [prov_pe2-vpn-instance] route-distinguisher 3:3 [prov_pe2-vpn-instance] vpn-target 3:3...
  • Page 592 [cust_pe2-Vlan-interface410] mpls [cust_pe2-Vlan-interface410] quit 3 Configure EBGP between provider PE and customer PE. # Configure prov_pe1 to access the corresponding Customer PE. [prov_pe1] route-policy comm permit node 10 [prov_pe1-route-policy-comm-10] if-match vpn-target 1:1 [prov_pe1-route-policy-comm-10] quit...
  • Page 593 [cust_pe2-bgp] ipv4-family vpnv4 [cust_pe2-bgp-af-vpn] peer ebgp enable [cust_pe2-bgp-af-vpn] peer 2.1.1.2 group ebgp 4 On each Customer PE, configure the sub-VPN that accesses the network through the Customer PE. # Configure cust_pe1. [cust_pe1] ip vpn-instance vpn1...
  • Page 594 [CE-vpn-vpn2] vpn-target 200:1 import-extcommunity # Configure VLAN201. [CE] vlan 201 [CE-vlan201] port gigabitethernet 2/1/1 [CE-vlan201] quit [CE] interface Vlan-interface 201 [CE-Vlan-interface201] ip binding vpn-instance vpn1 [CE-Vlan-interface201] ip address 10.1.1.2 255.255.255.0 # Configure VLAN202. [CE] vlan 202 [CE-vlan202] port gigabitethernet 2/1/2 [CE-vlan202] quit...
  • Page 595 Configuration Example CE1 and CE3 belong to VPN1, and CE2 belongs to VPN2. The host PC2 with the IP address of 172.16.0.1 accesses the network through CE2. As a multi-role host, it can access both VPN1 and VPN2. Network diagram Figure 144 Network diagram for multi-role host application 172.18.0.1/16...
  • Page 596 [PE1-vlan110] interface vlan-interface 110 [PE1-Vlan-interface110] mpls [PE1-Vlan-interface110] mpls ldp [PE1-Vlan-interface110] quit # Create VPN instances for VPN1 and VPN2 on PE1, bind the address of the interface of VLAN310 to VPN1 and VPN2. [PE1] ip vpn-instance vpn1 [PE1-vpn-vpn1] route-distinguisher 100:1...
  • Page 597 [PE2-vlan110] interface vlan-interface 110 [PE2-Vlan-interface110] mpls [PE2-Vlan-interface110] mpls ldp [PE2-Vlan-interface110] quit # Create a VPN instance for VPN1 on PE2, and bind the address of the interface of VLAN210 to VPN1. [PE2] ip vpn-instance vpn1 [PE2-vpn-vpn1] route-distinguisher 300:1 [PE2-vpn-vpn1] vpn-target 100:1 both...
  • Page 598 PE1, configure PE1 not to advertise any route information to CE2 to avoid route loops. The following depicts one way to achieve this; route loops can also be avoided in other ways. Directly configure a static route to PC2 on PE1 if no routing protocol is employed between PE1 and CE2.
  • Page 599: Troubleshooting Bgp/Mpls Vpn Configuration

    PE and CE. Symptom 2 PE at the local end can learn private network route of the PE at peer end, but two PEs cannot intercommunicate with each other. Solution: Check whether the loopback interface configured on the PE has the address...
  • Page 600 VPNv4 sub-address family view. Check whether the BGP information is correct on the PE at the peer end; check whether the local Loopback interface is specified as the interface for establishing adjacency with the peer end;...
  • Page 601: Card Intermixing For Mpls Support

    belong to the same VLAN. The port on the MPLS card can also be used for the access to the service private network side of the MPLS VPN. In this case, you do not need to configure card intermixing, and you must use the port of the MPLS card for the connection with...
  • Page 602: Restrictions In Intermixing Networking

    Restrictions in Intermixing Networking Rules of Intermixing Configuration A non-MPLS card can be used for access to the private network side, and an MPLS card must be used for access to the public network side; You cannot perform other configurations on the destination port in intermixed...
  • Page 603: Intermixing Configuration Task

    MPLS forwarding, but you can specify the start VLAN ID of the 100M Ethernet Trunk port. Assuming the start VLAN ID is VLAN ID, the range of VLAN IDs of the VLANs that pass a certain 100M Ethernet port is from VLAN ID to VLAN ID + 1023.
  • Page 604 Configuration” and the "VPN Operation" section in 3Com Switch 8800 Family Series Routing Switches Operation Manual for detailed configuration information. Configuring flow template and ACL The packets to be redirected are identified through the flow template and ACL rules configurations.
  • Page 605 Intermixing Configuration Task You can define the flow template by means of the IP + VLAN + DMAC method to make sure that different kinds of packets are processed in different ways: If ARP packets do not match IP rules in redirection, they will be processed on...
  • Page 606 CE1 and CE3 constitute VPN A, and CE2 and CE4 constitute VPN B. In PE1, a port of an interface card is shared, and in PE2, a Layer 2 switch is shared to connect with the host directly. The PE devices (PE1 and PE2) are Switch 8800 Family series switches, and the...
  • Page 607 [PE1-vpn-vpna] route-distinguisher 100:1 [PE1-vpn-vpna] vpn-target 100:1 both [PE1-vpn-vpna] quit # Configure ACL and redirection, and configure a basic IP ACL to permit all the IP packets in CE devices to be redirected. [PE1] flow-template user-defined slot 3 dmac 0000-0000-0000 sip 0.0.0.0...
  • Page 608 CAUTION: If the VRRP protocol is enabled on the VLAN port to which the source port of MPLS VPN redirection belongs, you must configure another ACL rule to redirect the packets whose destination address is the virtual MAC address of VRRP, so that ICMP packets whose destination address is the virtual MAC address of VRRP can be processed normally.
  • Page 609 [PE2-vlan-interface200] ip address 196.168.2.1 255.255.255.0 [PE2-vlan-interface200] mpls [PE2-vlan-interface200] mpls ldp enable [PE2-vlan-interface200] quit # Enable OSPF on the interface connecting PE2 with the P router and on the Loopback interface. [PE2] ospf 1 router-id 2.2.2.2 [PE2-ospf-1] area 0 [PE2-ospf-1-area-0.0.0.0] network 196.168.1.0 0.0.0.255 [PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0...
  • Page 610 # Configure VPN-instance. The configuration of VPN B is similar to that of VPN A, so only the configuration of VPN A follows. [PE2] ip vpn-instance vpna [PE2-vpn-vpna] route-distinguisher 100:1 [PE2-vpn-vpna] vpn-target 100:1 both...
  • Page 611: Restrictions In Networking Of Various Mpls Cards

    You do not need to customize the flow template needed for VLL redirection and you can use the default flow template. In addition, the flow template only needs to match Layer 2 ACL of 4000 series and only the VLAN ID needs to be specified in ACL rules.
  • Page 612 In card intermixing networking, non-MPLS cards can only be used for access at the private network side, and an MPLS card must be used for access at the public network side. An MPLS card affects the forwarding performance of a switch.
  • Page 613: Mpls Vll

    Introduction to MPLS L2VPN MPLS L2VPN provides MPLS network-based Layer 2 VPN services. For users, an MPLS L2VPN is a Layer 2 switched network, through which Layer 2 connections can be established between network nodes. Figure 146 MPLS L2VPN VPN A...
  • Page 614 Label Stack The fields in an MPLS L2VPN packet are described as follows: Tunnel label (the outer label) is an MPLS label or a GRE label. It is used to transmit a packet from one PE to another. VC label (the inner label) is a lower layer label used to identify the links between PEs and CEs.
  • Page 615 Martini draft defines the way to implement MPLS L2VPN by establishing point-to-point links. Here, LDP (Label Distribution Protocol) is used as the signaling protocol to exchange VC labels. This kind of MPLS L2VPNs is known as Martini MPLS L2VPNs. Kompella draft defines how to establish MPLS L2VPNs in MPLS networks through end-to-end (CE-to-CE) connections.
  • Page 616: Ccc Mpls L2Vpn Configuration

    Table 563 Features and implementation ways of the three types of MPLS L2VPNs (columns: VPN type, Implementation, Feature). Implementation: Similar to Layer 3 BGP/MPLS VPN defined in RFC2547. Feature: Users can assign extra labels to VPNs for future use. This eases the configuration work loads of VPN deployment and...
  • Page 617 A static LSP used by a remote CCC connection cannot be used for other purposes (such as carrying IP packets and BGP/MPLS VPN packets). When you configure a static LSP for a CCC connection, the next hop must be the IP address from which the ARP packets are learnt. CCC MPLS L2VPN...
  • Page 618 (Network diagram: CE A, PE A, P devices, PE B, CE C)...
  • Page 619 # Configure the local connection. [PE_A] ccc local-conn interface vlan-interface 211 out-interface vlan-interface 213 # Configure a static LSP, with the out-label of 100 and the egress interface being the interface of VLAN 214. [PE_A] mpls [3Com-mpls] static-lsp ingress PEA-PEB l2vpn nexthop 5.5.5.2 out-...
  • Page 620 For Layer 2 connections with the MPLS L2VPN being VLAN encapsulation, the VLAN IDs of the interfaces of the two CEs can either be the same or different. However, if a trunk is configured between the CEs and the PEs on both sides, the...
  • Page 621: Martini Mpls L2Vpn Configuration

    Martini MPLS L2VPN Configuration Example Network requirements The CEs shown in Figure 150 are in the same VLAN as the corresponding PEs. A remote connection is required between CE-A and CE-B. Network diagram Figure 150 Network diagram for Martini MPLS L2VPN...
  • Page 622 [PE-A] interface Vlan-interface 21 [PE-A-Vlan-interface21] ip address 168.1.1.1 255.255.0.0 [PE-A-Vlan-interface21] mpls [PE-A-Vlan-interface21] mpls ldp enable # Configure an IP address for the Loopback interface, which is used as the Router [PE-A] interface loopback 0 [PE-A-LoopBack0] ip address 192.1.1.1 255.255.255.255 # Enable OSPF.
  • Page 623 [PE-B] vlan 212 [PE-B-vlan212] port gigabitethernet 2/1/2 [PE-B-vlan212] interface vlan-interface 212 [PE-B-Vlan-interface212] quit # Configure an IP address for the Loopback interface, which is used as the LSR ID. [PE-B] interface loopback 0 [PE-B-LoopBack0] ip address 192.1.1.2 255.255.255.255 # Enable OSPF.
  • Page 624 [PE-P] mpls [PE-P-mpls] quit [PE-P] mpls ldp [PE-P] mpls l2vpn # Configure an IP address for the Loopback interface, which is used as the LSR ID. [PE-P] interface loopback 0 [PE-P-LoopBack0] ip address 192.1.1.3 255.255.255.255 [PE-P-LoopBack0] quit # Configure the VLAN interface.
  • Page 625: Kompella Mpls L2Vpn Configuration

    VLAN is Trunk type. It is not recommended to use Hybrid type as the port link type in a private network VLAN. The user access modes of the instance in all the peer PEs...
  • Page 626 For example, you can change a CE range from 10 to 20, rather than from 10 to 5. The only way to change a CE range to a smaller number is to remove the CE and create a new one.
  • Page 627 Kompella MPLS L2VPN Configuration VLAN is Trunk type. It is not recommended to use Hybrid type as the port link type in a private network VLAN. The user access modes of the instance in all peer PEs must be consistent.
  • Page 628 # Enable MPLS globally. [PE-B] mpls lsr-id 3.3.3.3 [PE-B] mpls [PE-B-mpls] quit [PE-B] mpls ldp # Configure an IP address for the Loopback interface. [PE-B] interface loopback 0 [PE-B-LoopBack0] ip address 3.3.3.3 32 # Enable MPLS L2VPN globally. [PE-B] mpls l2vpn # Configure VLAN 212.
  • Page 629: Displaying And Debugging Mpls L2Vpn

    The configuration of the P device is the same as the standard MPLS configuration. Refer to the P router configuration of BGP/MPLS VPN in the Basic MPLS Operation Manual. Note that the VLANs on PEA and PEB which are connected to the CEs must be consistent. Displaying and...
  • Page 630: Troubleshooting Mpls L2Vpn

    Because you cannot perform Layer 2 VPN configuration on a VLAN interface if MPLS/BGP VPN, multicasting, or VLL is enabled on it. Check to see if the VLAN is a Super-Vlan or a Sub-Vlan. You can perform the...
  • Page 631 Symptom 4: Fail to ping the peer end of a CCC MPLS L2VPN connection. The sending and receiving channels are up, and so is the link connection.
  • Page 633: Vpls Overview

    MPLS-based virtual private network (VPN) services over IP networks. MPLS VPN services fall into two types: L3 MPLS VPN and L2 MPLS VPN. The latter includes VPLS (virtual private LAN service) and VLL (virtual leased line). VLL only applies to point-to-point networking, while VPLS can apply to multipoint-to-multipoint VPN networking.
  • Page 634: Basic Vpls Network Architectures

    Figure 152 VPLS network with PW logical multipoint-to-multipoint connection As shown in Figure 152, VPLS can provide point-to-multipoint connection service like a L3VPN. It can learn MAC addresses and exchange packets between multiple sites. In addition, it keeps the forwarding tables of the individual VPNs independent of each other and allows MAC address overlap between VPNs.
  • Page 635: Vpls Operational Principle

    Components As shown in the following figure, the whole VPLS network is just like a huge switch. For each VPN, it sets up PWs between the sites of the VPN on MPLS tunnels and transparently transmits user’s layer 2 packets from one site to another through these PWs.
  • Page 636 Attachment circuit An attachment circuit (AC) is a virtual connection link between CE and PE. User’s layer 2 and layer 3 data are transmitted to the peer site through AC without any modification. Pseudowire A pseudowire (PW) is a bidirectional virtual connection between two VSIs in a VPN.
  • Page 637: Concepts Related To Vpls

    VPN service access, it implements packet mapping and forwarding from private networks to public network tunnels, and vice versa. It has two types: UPE and NPE. It is a user-facing PE device, a kind of convergence device for users to access the VPN.
  • Page 638: Vpls Basic Configuration

    It is a core PE device, located at the edge of the VPLS core network. It provides VPLS transparent transmission service in the core network. Through a virtual switching instance (VSI) you can map the actually connected links to virtual links.
  • Page 639 By default, no remote peer exists. Configuring an address for the remote peer You can specify any LDP-enabled interface address of a remote peer device or the loopback address of a label switch router (LSR) that has advertised its routing information as the address of the remote peer.
  • Page 640 VPLS peer PE, you must specify an IP address and peer type for the peer PE. By default, the peer type is NPE. When you specify UPE as the peer type, it indicates the peer is a user convergence node UPE in hierarchical VPLS architecture.
  • Page 641 enable VLAN VPN on the port; If IGMP Snooping is enabled in the VLAN to which the port belongs or if IGMP is enabled on the VLAN interface to which the port belongs, it is not allowed to enable VLAN VPN on the port, and vice versa;...
  • Page 642 If GARP VLAN registration protocol (GVRP), spanning tree protocol (STP) or 802.1x protocol is enabled on a port, VLAN VPN cannot be enabled on this port. If IGMP Snooping is enabled in the VLAN to which the port belongs or if IGMP...
  • Page 643 { config | auto } ] view rule [ rule-id ] { permit | deny } [ mpls l2label-range [ range-id ] ] [ cos cos-value | c-tag-cos c-cos-value | exp exp-value | ingress { { Define a sub-rule in...
  • Page 644 If disabled, failure of the VPLS module in slot 0 would result in loss of traffic for VSIs 0 thru 3 and failure of the VPLS module in slot 1 would result in loss of traffic for VSIs 4 thru 7.
  • Page 645 Configuring packet MTU Use the mtu command to specify the maximum transmission unit (MTU) value for user access packets of this VPLS instance, which is in the range of 128 to 8,192. This MTU value is also the MTU value for PW.
  • Page 646: Displaying And Debugging Vpls

    Example networking. Figure 155 shows a simple back-to-back network diagram. Two sites of VPN1 connect to port E6/1/48 of the two PEs (PE1 and PE2) respectively. Both PEs are configured with the private VLAN 100 and public VLAN 10 connected through G4/1/1 to implement basic VPLS service.
  • Page 647 Configuration procedure The VPLS service processor card is on slot 5 on PE1 and PE2, and the common interface card is on slot 4. 1 Configure PE1 # Configure the Router ID used to advertise OSPF routing information. Generally, the interface address of both MPLS LSR-ID and Loopback0 can be configured with the same IP address.
  • Page 648 [PE1-GigabitEthernet4/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 10 join-vlan Note that, if a common interface module is on slot 4 and all the eight label ranges corresponding to the rule are not assigned, you must configure the following...
  • Page 649 # Configure a 32-bit Loopback address, which is used to create LSP. [PE2] interface loopback0 [PE2 -LoopBack0] ip address 1.2.3.4 32 # Configure a public VLAN, add a port to it, configure the IP address for the interface. Then, enable MPLS and MPLS LDP on the interface. [PE2] vlan 10...
  • Page 650: Troubleshooting Vpls

    [PE2-GigabitEthernet4/1/1] traffic-redirect inbound link-group 4000 rule 0 slot 5 10 join-vlan Note that, if a common interface module is on slot 4 and all the eight label ranges corresponding to the rule are not assigned, you must configure the following...
  • Page 651 The interface of the private VLAN is not bound with the corresponding VPLS instance, or is DOWN: make sure the interface is UP, or the PW to the UPE is UP. The parameters for the peer or the MTU value of the VPLS instance is...
  • Page 653: Introduction To Vrrp

    Layer 3 Switch, implementing communication between the host and the external network. If Switch is down, all the hosts on this segment taking Switch as the next-hop on the default route will be disconnected from the external network.
  • Page 654: Configuring Vrrp

    This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the virtual router). The switches within the virtual router have their own IP addresses (such as 10.100.10.2 for the Master switch and 10.100.10.3 for the Backup switch).
  • Page 655 IP address is used by the virtual router. If the user configures the IP address of a host to be the same as the virtual IP address of the virtual router, then all messages in this segment will be forwarded to that host.
  • Page 656 The virtual-address can be an unused address in the network segment where the virtual router resides, or the IP address of an interface in the virtual router. If the IP address is of the switch in the virtual router, it can also be configured as virtual-address.
  • Page 657 The priority ranges from 0 to 255. The greater the number, the higher the priority. However, the configurable value can only be from 1 to 254. Priority 0 is reserved for special use and 255 is reserved by the system for the IP address owner.
  • Page 658 If they are the same, the packet will be taken as a true and legal one. Otherwise it will be regarded as an illegal packet to be discarded. In this case, an authentication key not exceeding 8 characters should be configured.
  • Page 659: Displaying And Debugging Vrrp

    By implementing the following command you can track an interface. If the tracked interface is Down, the priority of the switch that includes the interface will be reduced automatically by the value specified by value-reduced, resulting in comparatively higher priorities for the other switches within the virtual router, one of which will become the Master switch; this is how the interface is tracked.
  • Page 660: Vrrp Configuration Example

    Networking requirements: Host A uses the VRRP virtual router, which combines switch A and switch B, as its default gateway to access host B on the Internet. VRRP virtual router information includes: virtual router ID 1, virtual IP address 202.38.160.111, switch A as the Master and switch B as the Backup allowed...
  • Page 661: Networking Diagram

    VRRP Configuration Example. Networking diagram: Figure 158 Network diagram for VRRP configuration (Host B at 10.2.3.1 on the Internet; VLAN-interface3: 10.100.10.2; Switch_A and Switch_B with VLAN-interface2: 202.38.160.1 and 202.38.160.2; virtual IP address: 202.38.160.111; Host A at 202.38.160.3). Configuration procedure: Configure switch A. # Configure VLAN 2.
  • Page 662 VRRP Tracking Interface Example. Networking requirements: Even when switch A is still functioning, it may be desirable for switch B to function as the gateway when the Internet interface connected to switch A does not function properly. This can be implemented by configuring a tracking interface.
  • Page 663 Under normal conditions, switch A functions as the gateway, but when interface vlan-interface 3 of switch A is down, its priority is reduced by 30, lower than that of switch B, so that switch B preempts as Master and provides gateway services instead.
  • Page 664: Troubleshooting Vrrp

    Fault 1: Frequent prompts of configuration errors on the console. This indicates that an incorrect VRRP packet has been received. It may be because of an inconsistent configuration on another switch within the virtual router, or an attempt by some device to send out illegal VRRP packets. The first possible fault can be solved by modifying the configuration.
  • Page 665 IP address, timer duration and authentication type must be guaranteed. Fault 3: Frequent switchover of VRRP state. This problem occurs when the virtual router timer duration is set too short, so it can be solved by prolonging this duration or configuring the preemption delay.
  • Page 666 Chapter 53: VRRP Configuration...
  • Page 667: Introduction To Ha

    HA (high availability) aims to achieve high availability of the system and to recover the system as soon as possible in the event of fabric failures, so as to shorten the MTBF (Mean Time Between Failure) of the system.
  • Page 668 Manually by using a command if the user expects the slave module to operate in place of the master module. After the switchover, the slave module controls the system and the original master module is forced to reset.
  • Page 669: Displaying And Debugging Ha Configuration

    himself, he can do it manually to back up the configuration file saved in the master module. Perform the following configuration in user view. Table 605 Synchronize the configuration file manually (Operation / Command): Synchronize the configuration file manually...
  • Page 670: Ha Configuration Example

    HA Configuration Example. Network requirements: Take the master module out and make the slave module take over the work of the master to ensure normal operation. Configuration procedure: # Synchronize the configuration file manually. <SW8800>slave update configuration # Display the switchover state.
  • Page 671: Introduction To Arp

    Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A needs to transmit messages to Host B.
  • Page 672: Configuring Arp

    The ARP mapping table can be maintained dynamically or manually. Usually, the manually configured mapping from the IP addresses to the MAC addresses is known as static ARP. The user can display, add or delete the entries in the ARP mapping table through relevant manual maintenance commands.
  • Page 673 According to the multi-port keyword in this command, the switch decides that the port to be added is for a multicast ARP entry. Only one port can be added every time the command is executed. If the multicast ARP entry does not exist, a new multicast ARP entry is generated.
  • Page 674 ■ You cannot configure multicast ARP for aggregation ports. Otherwise, the system will prompt an error message. ■ You cannot add a port in a multicast ARP entry to an aggregation group; if you want to do this, you must first delete the port from any multicast ARP entry it belongs to.
  • Page 675: Displaying And Debugging Arp

    ARP address carried in a received gratuitous ARP packet in its ARP address table if no ARP address in the cache of the network device matches the IP address carried by the gratuitous ARP packet. If the cache contains an ARP entry...
  • Page 676 Table 614 Display and debug ARP (Operation / Command): Display ARP mapping table: display arp [ ip-address | [ dynamic | static ] [ | { begin | include | exclude } text ] ]. Display the current setting of the...
  • Page 677: Arp Table

    Introduction to ARP Table Size Configuration: You can manually configure the maximum numbers of ARP entries (that is, the sizes of ARP tables) on a Switch 8800 Family routing switch to meet your actual needs. The following table lists the specifications and numbers of ARP entries on various models.
  • Page 678: Configuring Arp Table Size Dynamically

    ■ As a short static ARP entry is counted among the normal ARP entries like a normal long static ARP entry, if a card is configured to support up to 8K aggregation ARP entries, the card does not support the configuration of either kind.
  • Page 679: Configuration Example

    Configuration Example. Network requirements: A host is connected to a Switch 8800 Family series routing switch and appropriate modules are installed. Network diagram: Figure 159 Diagram for ARP table size configuration console...
  • Page 680 Chapter 56: ARP Table Configuration...
  • Page 681: Some Concepts About Dhcp

    As is often the case, the number of hosts in a network exceeds that of the available IP addresses, and position changes of hosts (when users carry their laptops from here to there, or move to a wireless network) require reassigned new IP addresses.
  • Page 682 ■ clients for a predetermined period of time and reclaims them at the expiration of the period. In this case, a DHCP client must reapply for an IP address regularly. This is the common case for normal users. 2 IP address assignment order.
  • Page 683 An IP address assigned dynamically is valid for a specified lease time and will be reclaimed by the DHCP server when the time expires. So the DHCP client must update the lease to prolong the lease time if it is to use the IP address for a longer time.
  • Page 684: Configuring General Dhcp

    DHCP provides a framework for configuring a host on a TCP/IP network. DHCP is derived from BOOTP and possesses more functions, such as automatic allocation of reusable network addresses and additional configuration options. DHCP can act as a BOOTP relay agent, so a DHCP user and a BOOTP user can interact with each other.
  • Page 685 DHCP server and IP addresses in global address pools are assigned. Enabling/Disabling Fake DHCP Server Detection: If an unauthorized DHCP server exists in a network, it also answers when users in the network request IP addresses, and then interacts with the DHCP clients. As a result, the users cannot obtain correct IP addresses to access the network.
  • Page 686: Configuring Dhcp Server

    IP address and other parameters (such as the lease time of the IP address) to the DHCP client. At present, you can configure up to 128 global DHCP address pools for a DHCP server.
  • Page 687 IP addresses can be assigned in two modes: static binding and dynamic assignment. You can statically bind an IP address in an address pool to the MAC address of a client, or configure an address range to allow the DHCP server to dynamically allocate the addresses in the range to DHCP clients.
  • Page 688 Remove a statically bound IP address entry: ip-address | mac-address mac-address }. IP addresses in the address pool of a VLAN interface are not statically bound by default. CAUTION: A binding in a VLAN interface address pool cannot be overwritten directly.
  • Page 689 Relay address must be the same. Otherwise, the binding will fail, or the address assigned to the client will not be in the same network segment as the Relay address.
  • Page 690 The default lease time for both global address pools and VLAN interface address pools is one day. Configuring DHCP Client Domain Names: You can configure a domain name used by DHCP clients for each address pool on a DHCP server.
  • Page 691 Therefore, when a DHCP server assigns an IP address to a DHCP client, it must also send a DNS server address to the client. At present, you can configure up to eight DNS server addresses for one DHCP address pool.
  • Page 692 } { interface vlan-interface vlan-id [ to vlan-interface vlan-id ] | all } (for multiple VLAN interfaces). By default, no NetBIOS server address is configured for global and VLAN interface address pools. If you execute the dhcp server nbns-list command multiple times, the newly configured IP addresses overwrite the existing ones.
  • Page 693 [ to vlan-interface vlan-id ] | all } (for multiple VLAN interface DHCP address pools). By default, the DHCP clients of global and VLAN interface address pools are all of h-node type. Configuring Custom DHCP Options: As DHCP evolves, new options emerge continuously. To utilize these options, you can manually add them to the property list of a DHCP server.
  • Page 694 Chapter 57: DHCP Configuration. Table 642 Configure a custom DHCP option for a global DHCP address pool (Operation / Command): Configure a custom DHCP option for a global DHCP address pool: option code { ascii ascii-string | hex hex-string | ip-address ip-address [ ip-address...
  • Page 695 Revert to the default maximum duration: undo dhcp server ping timeout. By default, the DHCP server sends up to 2 ping packets to test an IP address and waits for a response for up to 500 milliseconds before it sends another ping packet.
  • Page 696 As shown in Figure 161, two DHCP clients at the same network segment (10.110.0.0) are connected to the following switch through a port in VLAN2. The switch, acting as a DHCP server, is supposed to assign IP addresses to the two DHCP clients without the help of any DHCP Relay.
  • Page 697 [3Com-Vlan-interface2]ip address 10.110.1.1 255.255.0.0 # Specify to assign IP addresses in the interface address pool to DHCP clients. [3Com-Vlan-interface2]dhcp select interface # Specify to assign IP addresses in global address pool to DHCP clients (it is also the default configuration). [3Com-Vlan-interface2]dhcp select global Or execute the following command to revert to the default.
  • Page 698: Configuring Dhcp Relay

    As is often the case, the number of hosts in a network exceeds that of the available IP addresses, and position changes of hosts (when users carry their laptops from here to there, or move to a wireless network) require reassigned new IP addresses.
  • Page 699 Note that when configuring a new DHCP server for a VLAN that already has a DHCP server configured for it, the newly configured one does not overwrite the existing ones. Both the new and the old ones are valid. You can configure up to 20 DHCP server addresses for a VLAN interface.
  • Page 700 When receiving the packet, the DHCP server allocates an IP address in the same segment as the IP address added by the DHCP relay. ■ If there is a local DHCP Server, when the DHCP Client applies for IP addresses, it...
  • Page 701 # Assign an IP address to Vlan-interface 2. [3Com-Vlan-interface2]ip address 10.110.1.1 255.255.0.0 # Specify to forward DHCP packets to a remote DHCP server. [3Com-Vlan-interface2]dhcp select relay # Configure the IP address of the DHCP server to which VLAN 2 sends DHCP packets.
  • Page 702: Dhcp Option 82 Configuration

    DHCP relay devices, it indicates that the forwarded packets will carry the VLAN ID and Layer 2 port number of the port of the switch that the DHCP client is connected to. Generally, sub-option 1 and sub-option 2 are used together to identify a DHCP client.
  • Page 703 Option 82 Structure: There is a field named options in the DHCP packets. It can be empty or contain at least one feature-specific option, such as Option 82, which may comprise multiple sub-options. Figure 164 illustrates the structure of Option 82.
  • Page 704 2 can be added while sub-option 5 cannot be added currently. In the normal mode, sub-option 1 is the layer 2 port number and VLAN ID of the received packet, and sub-option 2 is the MAC address of the device that receives the packet.
  • Page 705 The process for a DHCP client to acquire an IP address from a DHCP server through a DHCP relay is the same as that for a DHCP client to acquire an IP address directly from the DHCP server in the same network segment. Both the processes have four phases: discovery, offer, selection and acknowledgement.
  • Page 706 DHCP relay a response packet which carries the DHCP configuration information and Option 82 information. 6 After receiving the response packet sent by the DHCP server, the DHCP relay strips the Option 82 information from the packet. Then, it forwards the packet that carries the DHCP configuration information to the DHCP client.
  • Page 707 DHCP Configuration Example: Two DHCP clients are on 10.110.0.0, and they acquire IP addresses from the DHCP server through a DHCP relay device. The DHCP relay function is enabled on a VLAN interface of the switch serving as the DHCP relay. Option 82 support is enabled on...
  • Page 708 <SW8800> system-view [SW8800] dhcp enable # Enter the view of the interface on which the DHCP relay function will be enabled. Configure an IP address and a subnet mask for the interface so that it belongs to the same network segment with the DHCP client [SW8800] interface vlan-interface 100 [3Com-vlan-interface 100] ip address 10.110.1.1 255.255.0.0...
  • Page 709: Introduction To Dns

    IP address of the domain name in its own database and sends it back to the switch. If the domain name server judges that the domain name does not belong to the local domain, it forwards the request to the upper-level domain name resolution server until the resolution is finished.
  • Page 710: Configuring Static Domain Name Resolution

    ".", like "www.3Com", the system searches with it directly. The system adds each suffix to search one by one only after the search fails. If the input domain name contains a "." in the final position, like "3Com.com.", it indicates that the domain name suffix needs not to be added.
  • Page 711: Displaying And Debugging Domain Name Resolution

    Configure the IP Address of Domain Name Server: You are required to configure the domain name server if you need to use the dynamic domain name resolution function. In this way, you can send the inquiry request packets to the appropriate server.
  • Page 712: Troubleshooting Domain Name Resolution Configuration

    ■ Check whether the IP address of the domain name server is correctly configured. ■ Check whether there is a correct route between the domain name server and the switch. ■ Check whether there is a network connection failure, such as a network cable...
  • Page 713: Netstream

    Netstream cache. After a certain amount of time, the stream information is sent to the NDC in the format of version 5, version 8, or version 9 UDP packets. ■ The aged stream information is generally sent in the form of version 5 UDP...
  • Page 714: Netstream Configuration

    ■ classified and aggregated to generate aggregation information according to certain rules, and then sent in the format of version 8 UDP packets. ■ The MPLS stream statistics information is sent in the format of version 9 UDP packets. Netstream...
  • Page 715 Netstream template is 30 minutes. For version 5 packets, the active aging time, inactive aging time, version template refresh rate, and version template aging time are the same as those of version 9 packets. The switch currently supports eleven aggregation modes:...
  • Page 716: Netstream Configuration Examples

    ■ The configuration in aggregation view affects version 8 UDP packets only. CAUTION: When the aging time is configured, the active aging time is in minutes and the inactive aging time is in seconds. Netstream Configuration Example. Network requirements...
  • Page 717 # Configure the export destination address and destination port number of the Netstream statistics packets. [Switch_A] ip Netstream export host 12.110.2.2 9991 Notes: ■ The Network Data Collector may require SNMP read access to the Switch 8800. ■ The Network Data Collector may require that the Switch 8800 have its time...
  • Page 718 Chapter 59: Netstream Configuration...
  • Page 719: Ndp C

    You can also clear the current NDP information and collect NDP neighbor information again. Upon receipt of NDP packets, a switch with NDP disabled directly forwards the packets to all ports in the same VLAN, while a switch with NDP enabled does not forward any NDP packet. Introduction to NDP...
  • Page 720 Enable NDP in the system: port-list | all ]. When you try to enable NDP on all ports, NDP is enabled only on the common Ethernet ports and Gigabit Ethernet ports of the interface modules that support NDP. Configuring NDP on a...
  • Page 721: Ndp Configuration Example

    ■ Use the display command in any view to display the operating state of NDP and verify the configuration result. ■ You can use the reset command in user view to clear the statistics related to NDP. Table 668 Display and debug NDP...
  • Page 722 Chapter 60: NDP Configuration. ■ The information of the neighbor switches Switch B and Switch C that are connected to Switch A should be visible to Switch A through NDP configuration. Network diagram: Figure 170 Network diagram for NDP configuration...
  • Page 723: Poe Overview

    The power supply of the Switch 8800 Family series is administered by the SRP card; each PoE card on the switch can be viewed as a power sourcing equipment (PSE), which administers the power supplying of all the ports on it independently.
  • Page 724: Poe Configuration

    400 W, only a power of 381 W can be guaranteed to respond quickly for a stable power supply. ■ Currently, you can set a PoE power ranging from 37 W to 806 W on the PoE...
  • Page 725 ■ Before setting the maximum power supplied by a card, make sure the remaining power of the switch is no less than the full power of the card, and the power you can set for a card ranges from 37 W to 806 W.
  • Page 726: Comprehensive Configuration Example

    ■ if you insert a PoE-incapable card into the slot. ■ When a card is almost fully loaded and a new PD is added, the switch will respond to the PD according to the PoE priority set on the port.
  • Page 727 Figure 171 PoE remote power supplying. Configuration procedure: # Set the maximum power to 400 W on the card in slot 3. By default, the power of each card is full, so the power on the card in slot 5 need not be configured.
  • Page 728 Chapter 61: PoE Configuration...
  • Page 729: Poe Psu Supervision

    ■ Query PSU information such as voltage and power. AC Input Alarm Thresholds Configuration: You can set the AC input alarm thresholds for the PoE PSUs to enable the Switch 8800 Family series to monitor the AC input voltages of the PSUs in real time through the PoE supervision module.
  • Page 730: Dc Output Alarm Thresholds Configuration

    [SW8800] display poe-power ac-input state DC Output Alarm Thresholds Configuration: You can set the DC output alarm thresholds for the PoE PSUs to enable the Switch 8800 Family series to monitor the DC output voltages of the PSUs in real time through the PoE supervision module.
  • Page 731: Displaying Poe Supervision Information

    Displaying PoE Supervision Information: After completing the above configurations, you can execute the display command in any view to query the PoE state of the switch. Then you can view the display output to check the effect of these configurations.
  • Page 732 # Set the undervoltage alarm threshold of AC input for PoE PSUs to 181.0 V. [SW8800] poe-power input-thresh lower 181.0 # Set the overvoltage alarm threshold of DC output for the PoE PSUs to 57.0 V. [SW8800] poe-power output-thresh upper 57.0 # Set the undervoltage alarm threshold of DC output for the PoE PSUs to 45.0 V.
  • Page 733: Udp Helper

    With the UDP Helper function enabled, the device decides whether to forward a received UDP broadcast packet according to the UDP port number of the packet. If the packet needs to be forwarded, the device modifies the destination IP address in the IP header and then sends the packet to the specified destination server.
  • Page 734 ■ By default, the destination server to which the UDP packets are forwarded is not configured. Table 675 shows the list of default UDP ports. Table 675 List of default UDP ports (Protocol / UDP port number): Trivial file transfer protocol (TFTP)
  • Page 735: Displaying Udp Helper

    Otherwise, the system prompts an error. 2 The dns | netbios-ds | netbios-ns | tacacs | tftp | time keyword refers to the six default UDP ports. You can specify a default UDP port in one of the following two ways: Specifying the port number.
  • Page 736 Chapter 63: UDP Helper Configuration...
  • Page 737: Snmp C

    SNMP adopts the hierarchical naming scheme to identify the managed objects. It is like a tree. A tree node represents a managed object, as shown in the figure below. Thus the object can be identified with the unique path starting from the...
  • Page 738: Configuring Snmp

    The MIB (Management Information Base) is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers {1.2.1.1}.
  • Page 739 Through this information, the device maintenance staff can obtain the manufacturer information of the device so as to contact the manufacturer in case the device is in trouble. You can use the following command to set the contact information.
  • Page 740 SNMP Agent to Send Trap: Station to report some critical and urgent events (such as restart). You can use the following commands to enable or disable the managed device sending trap messages. Perform the following configuration in the corresponding views.
  • Page 741 By default, the lifetime of a Trap message is 120 seconds. Setting the Engine ID of a Local Device: You can use the following commands to set the engine ID of a local device. Perform the following configuration in system view.
  • Page 742 SNMP V3, this operation adds a user to an SNMP group. Creating/Updating View Information or Deleting a View: You can specify the view to control the access to the MIB by the SNMP manager. You can use either the predefined views or self-defined views. You can use the following commands to create a view, update the information of views, or delete a view.
  • Page 743: Displaying And Debugging Snmp

    The agent can receive/send SNMP packets of sizes ranging from 484 to 17940 bytes. By default, the size of an SNMP packet is 2000 bytes. Disabling SNMP Agent: To disable SNMP Agent, perform the following configuration in system view.
  • Page 744 [SW8800] snmp-agent group v3 managev3group write internet [SW8800] snmp-agent usm v3 managev3user managev3group # Set the VLAN interface 2 as the interface for network management. Add port GigabitEthernet 2/1/3 to the VLAN 2. This port will be used for network management.
  • Page 745 SNMP Configuration Example The switch supports 3Com’s network management products. Users can query and configure the switch through the network management system. For details, see the manuals for the network management products.
  • Page 746 Chapter 64: SNMP Configuration...
  • Page 747: Rmon C

    Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used network management standards so far.
  • Page 748 Entry to/from the Alarm Table: RMON alarm management can monitor specified alarm variables such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm event will be generated. The events are then handled according to the definition, which is decided in event management.
  • Page 749 Entry to/from the alarm table. Extended RMON Alarm Table: The extended alarm entry performs a mathematical operation on the sampled value of the alarm variable, and then the result is compared with the configured threshold to implement the alarm function.
  • Page 750: Displaying And Debugging Rmon

    Delete an entry from the statistics table: undo rmon statistics entry-number. The statistics entry calculates the accumulated information starting from the time defined by an event. You can use the display rmon history command to view the information of the statistics entry. Displaying and...
  • Page 751: Rmon Configuration Example

    [ event-number ] RMON Configuration Example. Network requirements: Set an entry in the RMON Ethernet statistics table for the Ethernet port performance, which is convenient for network administrators to query. Network diagram: Figure 175 Network diagram for RMON configuration...
  • Page 752 : 10(sec) Rising threshold : 70(linked with event 1) Falling threshold : 50(linked with event 1) When startup enables : risingOrFallingAlarm This entry will exist : forever. Latest value The "0" in black means the memory of slot 0 is queried.
  • Page 753: Brief Introduction To Ntp

    ■ Guarantee the normal operation of the inter-system Remote Procedure Call (RPC). ■ Record for an application when a user logs in to a system, a file is modified, or some other operation is performed. Basic Operating Principle...
  • Page 754 ■ Switch B serves as an NTP time server. That is, Switch A synchronizes the local clock with the clock of B. ■ It takes one second to transmit a data packet from either A or B to the opposite end.
  • Page 755: Ntp Configuration

    ■ The delay for a round trip of an NTP packet traveling between Switch A and B: Delay= (T ) - (T ■ Offset of Switch A clock relative to Switch B clock: offset= ( (T ) + (T ) ) /2.
  • Page 756 Cancel NTP peer mode: undo ntp-service unicast-peer ip-address. The NTP version number number ranges from 1 to 3 and defaults to 3; it does not support authentication and will not be the first choice for time server. Configuring NTP Broadcast Server Mode: Designate an interface on the local Switch to transmit NTP broadcast packets.
  • Page 757 The local Switch listens to the broadcast from the server. When it receives the first broadcast packets, it starts a brief client/server mode to exchange messages with the remote server in order to estimate the network delay.
  • Page 758 Configuring NTP ID Authentication: Enable NTP authentication, set the MD5 authentication key, and specify the reliable key. A client will synchronize with a server only if the server can provide a reliable key. Perform the following configuration in system view.
  • Page 759 The IP address defaults to 127.127.1.0, and the stratum defaults to 8. Setting Authority to Access a Local Switch: Set authority to access the NTP services on a local Switch. This is a basic and brief security measure, compared to authentication. An access request will be matched against peer, server, server only, and query only in ascending order of restriction.
  • Page 760: Displaying And Debugging Ntp

    Allow local NTP time service request and control query. However, the local clock will not be synchronized by a remote server. peer: Allow local NTP time service request and control query. And the local clock will also be synchronized by a remote server.
  • Page 761: Ntp Configuration Example

    Network requirements: On 3Com1, set the local clock as the NTP master clock at stratum 2. On 3Com2, configure 3Com1 as the time server in server mode and set the local equipment in client mode. (Note: 3Com1 supports configuring the local clock as the master...
  • Page 762 Peer dispersion: 10.94 ms Reference time: 19:21:32.287 UTC Oct 24 2004(C5267F3C.49A61E0C) By this time, 3Com2 has been synchronized by 3Com1 and is at stratum 3, higher than 3Com1 by 1. Display the sessions of 3Com2 and you will see 3Com2 has been connected with 3Com1.
  • Page 763 Peer dispersion: 10.94 ms Reference time: 19:21:32.287 UTC Oct 24 2004(C5267F3C.49A61E0C) By this time, 3Com4 has been synchronized by 3Com5 and it is at stratum 2, or higher than 3Com5 by 1. Display the sessions of 3Com4 and you will see 3Com4 has been connected with...
  • Page 764 Network requirements: On 3Com3, set the local clock as the NTP master clock at stratum 2 and configure it to broadcast packets from Vlan-interface2. Configure 3Com4 and 3Com1 to listen to the broadcast on their Vlan-interface2 respectively. (Note: 3Com3 supports to...
  • Page 765: Network Requirements

    10.00 ms reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112) By this time, 3Com4 has been synchronized by 3Com3 and it is at stratum 3, higher than 3Com3 by 1. Display the status of 3Com4 sessions and you will see 3Com4 has been connected to 3Com3.
  • Page 766 Configure Authentication-Enabled NTP Server Mode. Network requirements: 3Com1 sets the local clock as the NTP master clock at stratum 2. 3Com2 sets 3Com1 as its time server in Server mode and itself in Client mode, and enables authentication. (Note: 3Com1 supports configuring the local clock as the master...
  • Page 767 Configuration procedure: Configure Switch 3Com1. # Enter system view. <3Com1> system-view # Set the local clock as the master NTP clock at stratum 2. [3Com1] ntp-service refclock-master 2 Configure Switch 3Com2. # Enter system view. <3Com2> system-view # Set 3Com1 as time server.
  • Page 768 Chapter 66: NTP Configuration. # Set the key. [3Com1] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Configure the key as reliable. [3Com1] ntp-service reliable authentication-keyid 42...
  • Page 769: Ssh Terminal

    IP address spoofing and clear text password interception attacks. The switch can act as either SSH server or SSH client. When used as an SSH server, the switch supports multiple connections with SSH clients; when used as an SSH client, the switch supports SSH connections with the SSH server-enabled switch, UNIX hosts, and so on.
  • Page 770 ■ otherwise, the server tears down the TCP connection. 2 Key algorithm negotiation: ■ The server generates an RSA key pair randomly, and sends the public key in the key pair to the client. ■ The client uses the public key from the server and a random number generated...
  • Page 771 RSA public key from the client, and sends the encrypted information back to the client; ■ Both the server and the client use the random number and the session ID with the length of 16 characters as parameters to calculate the authentication data;...
  • Page 772 By default, the system supports all protocols. CAUTION: ■ If the supported protocol configured in the user interface is SSH, make sure to configure the authentication mode for logging into the user interface to authentication-mode scheme (using AAA authentication mode).
  • Page 773 After this command is entered, the system prompts you to input the number of bits of the key pair. Pay attention to the following: ■ The host key and the server key must have a difference of at least 128 bits in...
  • Page 774 Configuring the updating cycle of the server key: Use this configuration task to set the updating cycle of the server key, so as to secure the SSH connection on a best-effort basis. Perform the following configuration in system view...
  • Page 775 By default, the authentication timeout is 60 seconds. Configuring the number of authentication retries Use this configuration task to set the number of authentication retries an SSH user can request for a connection, thereby preventing illegal behaviors such as malicious guessing.
  • Page 776 ■ If the public key string contains any illegal character, the configured key is invalid; ■ If the configured key is valid, it will be saved to the public keys in the system. Perform the following configuration in public key edit view.
  • Page 777 The first-time authentication means that when the SSH client accesses the server for the first time in the case that there is no local copy of the server’s public key, the user can choose to proceed to access the server and save a local copy of the server’s public key;...
  • Page 778 Debugging SSH: On completion of the above configurations, you can use the display command in any view to view the operation of the configured SSH and further verify the result of the configurations. You can also debug SSH by performing the debugging command in user view.
  • Page 779 The following shows the configuration methods for both password authentication and RSA public key authentication. ■ Password authentication. # Create the local user client001, and set the authentication mode of the user interface to AAA. [SW8800] user-interface vty 0 4 [3Com-ui-vty0-4] authentication-mode scheme # Specify the login protocol for user client001 as SSH.
  • Page 780 # Allocate an existing public key sw8800002 to user client002. [SW8800] ssh user client002 assign rsa-key sw8800002 Start the SSH client software on the terminal holding the RSA private key, and perform the corresponding configurations to establish the SSH connection. SSH Client Configuration...
  • Page 781: Sftp Service

    At the same time, since the switch can be used as a client, users can log in to remote devices to transfer files securely.
  • Page 782 ■ The default SFTP directory flash: is configured for a user whose service type is set to SFTP or all. In this case, the priority of the directory is higher than the default priority. ■ Currently, for remote authentication, the default authentication mode must be...
  • Page 783 [ command ] Optional Starting the SFTP client Use this configuration task to start the SFTP client program, establish a connection with the remote SFTP server, and enter the SFTP client view. Perform the following configuration in system view.
  • Page 784 SFTP file operations As shown in Table 738, available SFTP file operations include: change the name of a file, download a file, upload a file, display the list of files, and delete a file. Perform the following configuration in SFTP user view.
  • Page 785 SFTP Configuration Example Network requirements As shown in Figure 184: ■ Switch A is used as the SFTP server, and its IP address is 10.111.27.91; ■ Switch B is used as the SFTP client; ■ An SFTP user is configured with the username "8040" and password "3com".
  • Page 786 # Set the authentication mode to password. [SW8800] ssh user 8040 authentication-type password 2 Configure Switch A # Configure the server with a public key whose name is the IP address of the server. [SW8800] rsa peer-public-key 10.111.27.91 [3Com-rsa-public-key] public-key-code begin RSA key code view: return to last view with "public-key-code end".
  • Page 787 Downloading file successfully ended # Upload local file pu to the server, change the file name to puk, and check if the operations are successful. sftp-client> put pu puk Uploading file successfully ended sftp-client>...
  • Page 788 Chapter 67: SSH Terminal Service drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pu -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk sftp-client> # Exit SFTP. sftp-client> quit [SW8800]...
  • Page 789: File

    URL of the program starts with "slot[No.]#[flash: | cf:]/", where [No.] is the slave module number, and [flash: | cf:] is the name of the equipment, which can be a flash card or CF card. For example, if the slave module is on slot 1, the URL of 8500.app program on the slave module is...
  • Page 790 CAUTION: When you use the delete command without the unreserved option to delete a file, the file is in fact saved in the recycle bin and still occupies some of the storage space. So, frequent use of this command may result in insufficient storage space on the switch.
  • Page 791 CF card before dismounting it. The system saves logs in the CF card. The log file is saved in the root directory with the name logfileX.txt, where X is an integer ranging from 1 to 5.
  • Page 792 Chapter 68: File System Management...
  • Page 793: Device Management

    In addition, there is a command available for rebooting the system when some function failure occurs. Device Management Configuration: The main device management tasks are to check the status of the modules, the CPU, and the memory usage of the switch.
  • Page 794 ] If the switch fails to boot up through the specified bootstrap program, it retries to boot up by using a program in the flash memory or the CF card. If it fails again, the switch fails to start.
  • Page 795 "slot[No.]#[flash: | cf:]/", where [No.] is the slave module number, and [flash: | cf:] is the name of the equipment, which can be a flash card or CF card. For example, if the slave module is on slot 1, the URL of 8500.app program on the slave module is "slot1#flash:/8500.app".
  • Page 796: Displaying And Debugging Device Management

    (Switch 8807) the right commands. The switch serves as an FTP client and the remote PC as an FTP server. The configuration on the FTP server is as follows: an FTP user is configured with the name switch, the password hello and the read & write authority over the Switch root directory on the PC.
  • Page 797 2 Configure the switch # The switch has been configured with a Telnet user named user, a level-3 user with the password hello, requiring username and password authentication. # Use the telnet command to log into the switch.
  • Page 798 [3Com-luser-switch] service-type ftp ftp-directory flash: [3Com-luser-switch] password simple hello 2 Run the FTP client program on the PC to set up an FTP connection with the switch. Then upload the switch program switch.app to the flash root directory on the switch and download the configuration file vrpcfg.txt from the switch.
  • Page 799 1 After uploading, perform the upgrade on the switch. <SW8800> # You can use the boot boot-loader command to specify the new file as the application program for the next boot and reboot the switch to upgrade the application program.
  • Page 800 Chapter 69: Device Management...
  • Page 801: Ftp Configuration

    FTP, a TCP/IP protocol on the application layer, is used for transmitting files between a remote server and a local host. The switch provides the following FTP services: ■ FTP server: You can run an FTP client program to log in to the server and access the files on it.
  • Page 802 Disable the FTP server undo ftp server The FTP server supports multiple users accessing it at the same time. A remote FTP client sends a request to the FTP server. Then, the FTP server carries out the corresponding operation and returns the result to the client.
  • Page 803 If you input the URL of the FTP site you want to connect directly, the login may fail because of the bugs in the file manager or in the IE browser.
  • Page 804 FTP server: Configure an FTP user named as switch, with password hello and with read & write authority over the Switch root directory on the PC. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 2.2.2.2. The switch and PC are reachable.
  • Page 805 FTP server: Configure an FTP user named as switch, with password hello and with read & write authority over the flash root directory on the PC. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 2.2.2.2. The switch...
  • Page 806: Tftp Configuration

    Configuration procedure 1 Configure the switch # Log into the switch through the console port locally or Telnet remotely, and start FTP function and set username, password and file directory. [SW8800] ftp server enable [SW8800] local-user switch [3Com-luser-switch] service-type ftp ftp-directory flash: [3Com-luser-switch] password simple hello 2 Run FTP client on the PC and establish FTP connection.
  • Page 807 Start TFTP server and set authorized TFTP directory. Downloading Files by Means of TFTP: To download a file, the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it. You can use the following commands to download files by means of TFTP.
  • Page 808 The switch serves as TFTP client and the remote PC as TFTP server. Authorized TFTP directory is set on the TFTP server. The IP address of a VLAN interface on the switch is 1.1.1.1, and that of the PC is 1.1.1.2.
  • Page 809 [SW8800] interface vlan 1 [3Com-vlan-interface1] ip address 1.1.1.1 255.255.255.0 [3Com-vlan-interface1] quit # Enter system view and download the switch.app from the TFTP server to the Flash Memory of the switch. <SW8800> tftp 1.1.1.2 get switch.app switch.app # Upload the vrpcfg.cfg to the TFTP server.
  • Page 810 Chapter 70: FTP&TFTP Configuration...
  • Page 811: Information Center

    2 Priority The priority is computed according to the following formula: facility*8+severity-1. The default value for the facility is 23. The range of severity is 1~8, and severity will be introduced in a separate section. Priority is only effective when information is sent to the log host. There is no character...
  • Page 812 "Mmm" is the month field, such as: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. "dd" is the day field; if the day is less than 10, one blank should be added, such as " 7". "hh:mm:ss" is the time field, "hh" is from 00 to 23, "mm" and "ss" are from 00 to 59.
  • Page 813 Physical sublayer & physical layer module Point to point protocol module PSSINIT PSSINIT module RADIUS module Routing management module RMON Remote monitor module RSA (Rivest, Shamir and Adleman) encryption module RTPRO Routing protocol module SHELL User interface module SNMP Simple network management protocol module SOCKET...
  • Page 814 Notice: There is a slash between severity and digest. 7 Digest The digest is an abbreviation that represents the abstract of the contents. Notice: There is a colon between digest and content. The digest can be up to 32 characters long. Information Center The switch supports 7 output directions of information.
  • Page 815 ■ Supports outputting logs in 7 directions, i.e., Console, monitor (Telnet terminal), logbuffer, loghost, trapbuffer, and SNMP log file. ■ The log is divided into 8 levels according to significance and can be filtered based on the levels.
  • Page 816 Default value description Refer to configuration Loghost cases for related log host configuration 2 Sending the configuration information to the console terminal Table 766 Send the configuration information to the console terminal. Configuration Device Configuration Default value description Other configurations are...
  • Page 817 Information Center Function Table 767 Send the configuration information to the monitor terminal Configuration Device Configuration Default value description Other configurations are Enable information By default, information valid only if the center center is enabled information center is enabled Set the information...
  • Page 818 Chapter 71: Information Center Table 769 Send the configuration information to the trap buffer Configuration Device Configuration Default value description Other configurations are Enable information By default, information valid only if the center center is enabled information center is...
  • Page 819 Note that the IP address of the log host must be correct. Be sure to enter the correct IP address when using the info-center loghost command to configure the loghost IP address. If you enter a loopback address, the system displays an invalid address prompt.
  • Page 820 4 Configuring the loghost The configuration on the loghost must be the same with that on the switch. For related configuration, see the configuration examples in the later part. Sending the...
  • Page 821 When defining the information sent to the console terminal, channel-number or channel-name must be set to the channel that corresponds to Console direction. Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging.
  • Page 822 To view the output information at the console terminal, you must first enable the corresponding log, debugging and trap information functions at the switch. For example, if you have set the log information as the information sent to the console terminal, now you need to use the terminal logging command to enable the terminal display function of log information on the switch, then you can view the information at the console terminal.
  • Page 823 When there are more than one Telnet users or monitor users at the same time, some configuration parameters should be shared among the users, such as...
  • Page 824 When a user modifies these settings, it will be reflected on other clients. If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring information source, meantime using the debugging command to turn on the debugging switch of those modules.
  • Page 825 [ channel | size information to log buffer By default, the switch outputs information to the log buffer in the CPU. The size of the log buffer is 512, that is, the log buffer can hold up to 512 messages.
  • Page 826 When defining the information sent to log buffer, channel-number or channel-name must be set to the channel that corresponds to logbuffer direction. Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging.
  • Page 827 ] By default, the switch outputs information to the trap buffer in the CPU. The size of the trap buffer is 256, that is, the trap buffer can hold up to 256 messages. 3 Configuring information source on the switch By this configuration, you can define which modules generate the information sent to the trap buffer, as well as the information type, information level, and so on.
  • Page 828 Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging. When there is no specific configuration record for a module in the channel, use the default one.
  • Page 829 SNMP NM 3 Configuring information source on the switch By this configuration, you can define which modules generate the information sent to the SNMP NM, as well as the information type, information level, and so on. Perform the following configuration in system view:...
  • Page 830 } 4 Configuring SNMP and the network management workstation on the switch You have to configure SNMP on the switch and the remote workstation to ensure that the information is correctly sent to the SNMP NM. Then you can get correct information from the network management workstation.
  • Page 831 # Enable information center [SW8800] info-center enable # Set the host with the IP address of 202.38.1.10 as the loghost; set the severity level threshold value as informational, set the output language to English; set that the modules which are allowed to output information are ARP and IP.
  • Page 832 # Enable information center [SW8800] info-center enable # Set the host with the IP address of 202.38.1.10 as the loghost; set the severity level threshold value as informational, set the output language to English; allow all modules to output information.
  • Page 833 Note the following points when editing /etc/syslog.conf: ■ A comment must occupy a whole line and start with the character #. ■ There must be a tab rather than a space as the separator in selector/action pairs. ■ No redundant space after the file name.
  • Page 834 1 Configuration on the switch # Enable information center. [SW8800] info-center enable # Configure console terminal log output; allow modules ARP and IP to output information; the severity level is restricted within the range of emergencies to informational. [SW8800] info-center console channel console...
  • Page 835: System Maintenance And

    HH:MM:SS YYYY/MM/DD Setting the Time Zone You can configure the name of the local time zone and the time difference between the local time and the Universal Time Coordinated (UTC) time. Perform the following configuration in user view.
  • Page 836: Displaying The Status And Information Of The System

    Displaying the Status and Information of the System: statistics information. For the display commands related to each protocol and different ports, refer to the relevant chapters. The following display commands are used for displaying the system status and the statistics information. Perform the following configuration in any view.
  • Page 837 When the debugging is over, disable all the debugging. Displaying Diagnostic Information: When the switch does not run well, you can collect all sorts of information about the switch to locate the source of fault. Each module has its corresponding display command which displays the operating information of the related module for fault locating and analyzing.
  • Page 838: Testing Tools For Network Connection

    Table 804 Execute the ping command Operation Command Support IP ping: ping [ ip ] [ -a ip-address | -c count | -d | -f | -h ttl | -i { interface-type interface-number } | -n | -p pattern | -q | -r | -s packetsize | -t timeout...
  • Page 839 The tracert is used for testing the gateways passed by the packets from the source host to the destination one. It is mainly used for checking if the network is connected and analyzing where the fault occurs in the network.
  • Page 840 Chapter 72: System Maintenance and Debugging...
  • Page 841: Protocol

    If a protocol is not enabled, this function can drop the packet whose destination IP is the virtual interface IP of the switch, so that it reduces the unnecessary communications between the modules and the CPU operation of the fabric, and enhances the anti-interference ability of the switch to the packet.
  • Page 842 Table 809 Set the status of HTTP protocol port Operation Command Shutdown the port of HTTP protocol ip http shutdown Open the port of HTTP protocol undo ip http shutdown By default, the port 80 of HTTP protocol is enabled.
  • Page 843: Packet

    The monitored objects include ports, VLANs, ports+VLANs, and cards. In addition to these four types of objects, a traffic class (TC) or a drop precedence (DP) can also be monitored. When monitoring a card, the counters can monitor all TCs and all DPs.
  • Page 844 Chapter 74: Packet Statistics Configuration...
  • Page 845: Ethernet

    800 such VLANs) and set the interval for external loopback detection on ports to check whether a loop exists on each port. If a loop is found on a port, the switch will give out a trap alarm and determine whether or not to perform Shutdown on this loop according to your configuration.
  • Page 846 Chapter 75: Ethernet Loopback Detection...
  • Page 847: Qin

    In public networks, packets of this type are transmitted by their outer VLAN tags (that is, the VLAN tags of public networks). And those of private networks, which are nested in the VLAN tags of public networks, remain intact.
  • Page 848 QinQ Packets: Tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of TPID to be 0x8100. The structure of the Tag field of an Ethernet frame defined by IEEE 802.1Q is as follows: Figure 198 The structure of the Tag field of an Ethernet frame...
  • Page 849: Vlan Vpn Configuration

    ■ VLAN VPN cannot be enabled if the port has any of the protocols GVRP, STP, or 802.1x enabled. ■ VLAN VPN cannot be enabled on a port if the VLAN which the port belongs to has IGMP Snooping enabled or its VLAN interface has IGMP enabled. Similarly, if a port is VLAN VPN-enabled, you cannot enable IGMP Snooping in the VLAN to which the port belongs or enable IGMP on the VLAN interface of the VLAN.
  • Page 850: Traffic Classification-Based Nested Vlan Configuration

    Nested VLAN Configuration Configuration prerequisites: ■ ACLs and corresponding rules to be applied already exist. ■ The VLANs to be specified by the nested-vlanid argument already exist. Configuration procedure Table 815 Configure traffic classification-based nested VLAN Configuration step Command Description...
  • Page 851 600, Switch 8814 does not process the packet. Assume that 3C17533 24-port 1000 Base-X modules are installed in the slot 2 of Switch A and Switch C. And a card with any type of GE port is installed in slot 3 of Switch B.
  • Page 852 [Switch_A] flow-template user-defined slot 4 s-tag-vlan [Switch_A-GigabitEthernet4/1/2] flow-template user-defined [Switch_A-GigabitEthernet4/1/2] quit # Configure QinQ so that when the packets of VLAN 100 to 512 leave the uplink port GigabitEthernet 4/1/1, they need to be tagged with the exterior tag of VLAN 100.
  • Page 853: Adjusting Tpid Values For Qinq Packets

    TPID Value Configuration Example Network requirements ■ Switch A and Switch C are Switch 8800 Family series switches. Switch B is a switch produced by another vendor. It uses a TPID value of 0x9100. ■ Two networks are connected to the GigabitEthernet2/1/1 ports of Switch A...
  • Page 854 [SwitchA]interface GigabitEthernet2/1/2 [SwitchA-GigabitEthernet2/1/2]port link-type trunk [SwitchA-GigabitEthernet2/1/2]port trunk permit vlan 10 [SwitchA-GigabitEthernet2/1/2]vlan-vpn uplink enable # Configure the GigabitEthernet2/1/1 port to be a VLAN VPN port and add it to VLAN 10 (an access port). [SwitchA]interface GigabitEthernet2/1/1 [SwitchA-GigabitEthernet2/1/1]port access vlan 10 [SwitchA-GigabitEthernet2/1/1]vlan-vpn enable...
  • Page 855: Vlan-Vpn Tunnel Configuration

    ■ Because GigabitEthernet2/1/2 port is a VLAN-VPN uplink port with a TPID of 0x9100, Switch A changes the TPID value in the outer VLAN Tag of the packet to 0x9100, and forwards the packet to the public network. ■ The packet reaches GigabitEthernet3/1/2 port of Switch B. Switch B sends the...
  • Page 856 VLAN-VPN Tunnel Configuration Example Network requirements ■ Switch 8800 Family series switches, namely Switch C and D in the network diagram, serve as devices used to access the operator’s network. ■ Switch 8800 series switches, namely Switch A and B in the network diagram,...
  • Page 857 Configuration procedure 1 Configure switch A. # Enable RSTP. [Switch_A] stp enable # Set the port to a trunk port and allow the packets of VLAN 10 to pass the port. [Switch_A] vlan 10 [Switch_A-Ethernet0/1] port link-type trunk [Switch_A-Ethernet0/1] port trunk permit vlan 10 2 Configure switch B.
  • Page 858 [Switch_C] interface Ethernet4/1/2 [Switch_C-Ethernet4/1/2] stp disable [Switch_C-Ethernet4/1/2] vlan-vpn enable [Switch_C-Ethernet4/1/2] quit # Set Ethernet4/1/3 to a trunk port and add this port to all the VLANs. [Switch_C] interface Ethernet4/1/3 [Switch_C-Ethernet4/1/3] port link-type trunk [Switch_C-Ethernet4/1/3] port trunk permit vlan all 4 Configure switch D.
  • Page 859 [Switch_D] interface Ethernet3/1/2 [Switch_D-Ethernet3/1/2] stp disable [Switch_D-Ethernet3/1/2] vlan-vpn enable [Switch_D-Ethernet3/1/2] quit # Set Ethernet3/1/3 to a trunk port and add this port to all the VLANs. [Switch_D] interface Ethernet3/1/3 [Switch_D-Ethernet3/1/3] port link-type trunk [Switch_D-Ethernet3/1/3] port trunk permit vlan all CAUTION: STP must be enabled on VLAN-VPN tunnel-enabled devices;...
  • Page 860 Chapter 76: QinQ Configuration...
  • Page 861: Introduction To Nqa

    NQA not only can perform the above functions, but also can probe whether the DLSW, DHCP, FTP, HTTP, and SNMP servers are up or down, and test the response time of various services. Besides, NQA also implements MIB operations through which you can perform various tests conveniently.
  • Page 862 Chapter 77: NQA Configuration Introduction to NQA Table 818 Introduction to the configuration tasks of the ICMP test in NQA Configuration Tasks Operation Command Remarks Enter system view system-view Required; Enable the client function of nqa-agent enable By default, NQA client is the NQA disabled.
  • Page 863 NQA Configuration Table 818 Introduction to the configuration tasks of the ICMP test in NQA Operation Command Remarks Optional; Set the name of the VPN vpn-instance name By default, no name of the instance VPN instance is set Optional; By default, no source IP Set the source IP address of address is configured.
  • Page 864 ■ ...same time, this TTL value does not take effect. ■ It is not allowed to configure both the source IP and the destination IP to 0 or F. All other values are allowed. The source address can only be a Layer 3 interface configured with an IP address.
  • Page 865: Displaying And Maintaining Nqa

    Operation sequence errors:0 Drop operation number:0 Other operation errors:0 Displaying and Maintaining NQA: Use the display command to display the operation status after the above configurations. Verify the configuration effect through the displayed information. Table 819 Display and maintain NQA...
  • Page 866 Chapter 77: NQA Configuration...
  • Page 867: Password

    The user can successfully log in to the switch and proceed with operations only if he or she passes the authentication. If the password authentication fails, the user will not be able to log in to the switch.
  • Page 868 For example, a user of level 3 is allowed to log in to the system. After logging in, if the user wants to change his or her user level, the user needs to use the command super and pass the super password authentication.
  • Page 869 If a user fails to provide the correct password after the allowed number login-times, the system adds the user to the blacklist. To view the names and the IP addresses of such users, carry out display password-control blacklist in any view.
  • Page 870 There can be the following three cases: 1 If the password has not expired but is within the alert time range, the system will remind the user of the remaining days before the password will expire, and ask the user whether he or she wants to change the password.
  • Page 871 The configuration command for password aging time can be used either in the system view or in the user view. In the system view, this command is used to configure global parameters; in the user view, this command is used to configure the parameters for the user.
  • Page 872 ■ The system will add the user to the blacklist and lock the user for a period of time by putting the user name + IP address and the lock time into the blacklist.
  • Page 873 Configuring the maximum number of history password records When a password used to log in to the system expires, the system will ask the user to enter a new password and will automatically save the password. You can configure the maximum number of history records allowable for each user. The purpose is to prevent users from using a single password or repeated passwords, thus enhancing the security.
  • Page 874 ■ When a user logs in successfully, the system will log the user name, IP address, and VTY number. ■ When a user is prohibited by the ACL rule, the system will log the user’s IP address. ■ When a user fails in authentication, the system will log the user name, IP...
  • Page 875 <SW8800> reset password-control history-record Are you sure to delete all history record?[Y/N] If you type "Y", the system will delete the history records of all users and give the following prompt: Updating the password file, please wait... All historical passwords have been cleared.
  • Page 876 Chapter 78: Password Control Configuration...
  • Page 877: Acronyms

    Accounting Management ANSI American National Standard Institute Access Preamble Address Resolution Protocol Access Server ASBR Autonomous System Border Router American Standard Code for Information ASCII Interchange Alert Standard Forum Abstract Syntax Notation Access Unit Administrative Unit Group Auxiliary (port) Bit-rate Allocation Signal...
  • Page 878 Call Forwarding services Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter-Domain Routing CIST Common and Internal Spanning Tree Configuration Librarian CLNP Connectionless Network Protocol Conference Calling Class of Service Central Processing Unit Cyclic Redundancy Check C-RP...
  • Page 879 International Organization for Standardization Interim inter-switch Signaling Protocol Immediate Service Termination (IST) Layer 2 Forwarding L2TP Layer 2 Tunneling Protocol Layer 2 VPN Switch ACL LACP Link Aggregation Control Protocol LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol...
  • Page 880 LSAck Low Speed Data Low Speed Data LSDB Link State Database Label Switch Path LSPDU Link State Protocol Data Unit LSPM Label Switch Path Management Label Switch Router Link State Update Media Access Control Metropolitan Area Network Mobile Application Part...
  • Page 881 PSTN Public Switched Telephone Network Permanent Virtual Channel Pseudowire QACL QoS/ACL Quality of Service RADIUS Remote Authentication Dial in User Service Router Distinguisher Request For Change Routing Information Protocol Remote Manager RMON Remote Monitoring Response Path Raman Pump Amplifier Unit For C-band...
  • Page 882 Simple Network Management Protocol Section Overhead SONET Synchronous Optical NETwork Service Provider 4×STM-1 Electrical Process Board Special Tone Board Scheduled Start Date or Start-to-Start Secure Shell Secure Socket(s) Layer Spread Spectrum Modulation Segment Type STM-1 SDH Transport Module -1 Shielded Twisted Pair...
  • Page 883 VDSL Very High Speed DSL; Very High Rate DSL Virtual File System VLAN Virtual LAN Virtual Leased Lines Virtual Operate System VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch Virtual Private Network Comware Versatile Routing Platform...

This manual is also suitable for: 8810, 8814