3Com 5500-EI PWR Install Manual

1 CLI Configuration  1-1
    Introduction to the CLI  1-1
    Command Hierarchy  1-1
        Command Level and User Privilege Level  1-1
        Modifying the Command Level  1-2
        Switching User Level  1-3
    CLI Views  1-7
    CLI Features  1-11
        Online Help  1-11
        Terminal Display  1-13
        Command History  1-13
        Error Prompts  1-13
        Command Edit  1-14
Summary of Contents for 3Com 5500-EI PWR

  • Page 1: Table Of Contents
  • Page 2: Cli Configuration

    The 3Com Switch 5500-EI provides an easy-to-use CLI and a set of configuration commands that let the user configure and manage the switch. The CLI on the 3Com Switch 5500-EI provides the following features, which give it good manageability and operability.
  • Page 3: Modifying The Command Level

    Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults; they cannot be saved in the configuration file. Such commands include debugging and terminal. System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level.
  • Page 4: Switching User Level

    Configure the level of a command in a specific view: command-privilege level level view view command (required).
    You are recommended to use the default command level or to modify the command level under the guidance of professional staff; otherwise, the change of command level may bring inconvenience to your maintenance and operation, or even potential security problems.
  • Page 5 can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others. The high-to-low user level switching is unlimited.
  • Page 6 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
  • Page 7
    Enter system view: system-view.
    Enter ISP domain view: domain domain-name.
    Set the HWTACACS authentication scheme for user level switching: authentication super hwtacacs-scheme hwtacacs-scheme-name (required; by default, the HWTACACS authentication scheme for user level switching is not set).
  • Page 8: Cli Views

    # Set the password used by the current user to switch to level 3.
    [Sysname] super password level 3 simple 123
    A VTY 0 user switches its level to level 3 after logging in.
    # A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3.
    <Sysname>...
  • Page 9
    Table 1-1 lists the CLI views provided by the 3Com Switch 5500-EI, the operations that can be performed in the different CLI views, and the commands used to enter specific CLI views.
    Table 1-1 CLI views (columns: View / Available operation / Prompt example / Enter method...)
  • Page 10
    (Table 1-1, continued: View / Available operation / Prompt example / Enter method / Quit method)
    User interface view: configure user interface parameters; prompt [Sysname-ui-aux0]; enter by executing the user-interface command in system view.
    FTP client view: configure FTP client parameters; prompt [ftp]; enter by executing the ftp command in user view.
    SFTP client view: configure SFTP ...; prompt sftp-client>; enter by executing the sftp ...
  • Page 11
    (Table 1-1, continued: View / Available operation / Prompt example / Enter method / Quit method)
    OSPF view: configure OSPF protocol parameters; prompt [Sysname-ospf-1]; enter by executing the ospf command in system view.
    OSPF area view: configure OSPF area parameters; prompt [Sysname-ospf-1-...]; enter by executing the area command in OSPF view; quit by executing the quit command to return to OSPF view...
  • Page 12: Cli Features

    (Table 1-1, continued: View / Available operation / Prompt example / Enter method / Quit method)
    MSDP view: configure MSDP parameters; prompt [Sysname-msdp]; enter by executing the msdp command in system view.
    PoE profile view: configure PoE profile parameters; prompt [Sysname-poe-profile-a123]; enter by executing the poe-profile command in system view.
    Smart link ... view: configure smart link ...; prompt [Sysname-smlk-gr...
  • Page 13
    boot        Set boot option
                Change current directory
    clock       Specify the system clock
    cluster     Run cluster command
    copy        Copy from one file to another
    debugging   Enable system debugging functions
    delete      Delete a file
                List files on a file system
    display     Display current system information
    <Other information is omitted>...
  • Page 14: Terminal Display

    Terminal Display
    The CLI provides the screen splitting feature, which suspends display output when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 1-2).
    Table 1-2 Display-related operations (Operation / Function)
    Stop the display output and execution of the command: press <Ctrl+C>...
  • Page 15: Command Edit

    Table 1-3 Common error messages (Error message / Remarks)
    Unrecognized command: the command does not exist; the keyword does not exist; the parameter type is wrong; or the parameter value is out of range.
    Incomplete command: the command entered is incomplete.
    Too many parameters: the parameters entered are too many.
  • Page 16: Table Of Contents

    Table of Contents
    1 Logging In to an Ethernet Switch  1-1
        Logging In to an Ethernet Switch  1-1
        Introduction to the User Interface  1-1
            Supported User Interfaces  1-1
            User Interface Index  1-2
            Common User Interface Configuration  1-2
    2 Logging In Through the Console Port  2-1
        Introduction  2-1
        Logging In Through the Console Port  2-1
        Console Port Login Configuration  2-3...
  • Page 17
            Modem Connection Establishment  4-2
    5 Logging In Through the Web-based Network Management System  5-1
        Introduction  5-1
        Establishing an HTTP Connection  5-1
        Configuring the Login Banner  5-2
            Configuration Procedure  5-2
            Configuration Example  5-3
        Enabling/Disabling the WEB Server  5-3
    6 Logging In Through NMS  6-1
        Introduction  6-1
        Connection Establishment Using NMS  6-1
    7 Configuring Source IP Address for Telnet Service Packets  7-1...
  • Page 18: Logging In To An Ethernet Switch

    Supported User Interfaces The auxiliary (AUX) port and the console port of a 3Com low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 19: User Interface Index

    User Interface Index Two kinds of user interface index exist: absolute user interface index and relative user interface index. The absolute user interface indexes are as follows: The absolute AUX user interfaces are numbered 0 through 7. VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 8, the second is 9, and so on.
  • Page 20
    Enter user interface view: user-interface [ type ] first-number [ last-number ].
    Display the information about the current user interface/all user interfaces: display users [ all ] (optional; available in any view).
    Display the physical attributes and configuration ...: display user-interface [ type ... (optional; available in any view).
  • Page 21: Logging In Through The Console Port

    Logging In Through the Console Port
    Go to these sections for information you are interested in:
    Introduction
    Logging In Through the Console Port
    Console Port Login Configuration
    Console Port Login Configuration with Authentication Mode Being None
    Console Port Login Configuration with Authentication Mode Being Password
    Console Port Login Configuration with Authentication Mode Being Scheme
    Introduction
    Logging in through the console port is the most common way to log in to a switch.
  • Page 22
    If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X, or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
  • Page 23: Console Port Login Configuration

    Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
  • Page 24: Console Port Login Configurations For Different Authentication Modes

    (Configuration / Remarks)
    Set the maximum number of lines the screen can contain (optional; by default, the screen can contain up to 24 lines).
    Set history command buffer size (optional; by default, the history command buffer can contain up to 10 commands).
    Set the timeout time of a user interface (optional)...
  • Page 25: Console Port Login Configuration With Authentication Mode Being None

    (Authentication mode / Console port login configuration / Remarks)
    Specify to perform local authentication or remote RADIUS authentication: the AAA configuration specifies whether to perform local authentication or RADIUS authentication (optional; local authentication is performed by default; refer to the AAA part for more).
  • Page 26: Configuration Example

    Set the check mode: parity { even | none | odd } (optional; by default, the check mode of a console port is none, that is, no check is performed).
    Set the stop bits: stopbits { 1 | 1.5 | 2 } (optional; the number of stop bits of a console port is 1).
  • Page 27 Commands of level 2 are available to the users logging in to the AUX user interface. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of the AUX user interface is 6 minutes.
  • Page 28: Console Port Login Configuration With Authentication Mode Being Password

    Console Port Login Configuration with Authentication Mode Being Password
    Configuration Procedure
    Follow these steps to configure console port login with the authentication mode being password:
    Enter system view: system-view.
    Enter AUX user interface: user-interface aux 0...
  • Page 29: Configuration Example

    Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional; the default timeout time of a user interface is 10 minutes; with the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed...
  • Page 30: Console Port Login Configuration With Authentication Mode Being Scheme

    # Specify that users logging in through the console port are authenticated using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the console port to 19,200 bps.
  • Page 31
    Set the authentication password for the local user: password { simple | cipher } password (required).
    Specify the service type for AUX users: service-type terminal [ level level ] (required).
    Quit to system view: quit...
  • Page 32: Configuration Example

    Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional; the default timeout time of a user interface is 10 minutes; with the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
  • Page 33
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal, and specify that commands of level 2 are available to users logging in to the AUX user interface.
  • Page 34: Logging In Through Telnet

    Logging In Through Telnet
    Go to these sections for information you are interested in:
    Introduction
    Telnet Configuration with Authentication Mode Being None
    Telnet Configuration with Authentication Mode Being Password
    Introduction
    The Switch 5500-EI supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch.
  • Page 35: Telnet Configurations For Different Authentication Modes

    (Configuration / Description)
    Make terminal services available (optional; by default, terminal services are available in all user interfaces).
    VTY terminal configuration:
        Set the maximum number of lines the screen can contain (optional; by default, the screen can contain up to 24 lines).
        Set history command buffer ... (optional)...
  • Page 36: Telnet Configuration With Authentication Mode Being None

    To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
  • Page 37: Configuration Example

    Set the history command buffer size: history-command max-size value (optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default).
    ... (optional; the default timeout time of a user interface is 10 minutes).
  • Page 38: Telnet Configuration With Authentication Mode Being Password

    [Sysname-ui-vty0] authentication-mode none
    # Specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure the user interface to support the Telnet protocol.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-vty0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
  • Page 39: Configuration Example

    Set the maximum number of lines the screen can contain: screen-length screen-length (optional; by default, the screen can contain up to 24 lines; you can use the screen-length 0 command to disable the function to display information in pages).
  • Page 40: Telnet Configuration With Authentication Mode Being Scheme

    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure VTY 0 to authenticate users using the password.
    [Sysname-ui-vty0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-vty0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to VTY 0.
  • Page 41
    Create a local user and enter local user view: local-user user-name (no local user exists by default).
    Set the authentication password for the local user: password { simple | cipher } password (required).
    Specify the service type for VTY users: service-type telnet [ level level ] (required)...
  • Page 42 Note that if you configure to authenticate the users in the scheme mode, the command level available to the users logging in to the switch depends on the user privilege level level command and the service-type { ftp | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 3-4.
  • Page 43: Configuration Example

    (Scenario: Authentication mode / User type / Command; resulting Command level)
    The user privilege level level command is executed, and the service-type command does not specify the available command level: Level 0.
    The user privilege level level command is executed, and the service-type command specifies the ...: determined by the service-type command...
  • Page 44: Telnetting To A Switch

    # Set the authentication password of the local user to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Telnet, and specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-luser-guest] service-type telnet level 2
    [Sysname-luser-guest] quit
    # Enter VTY 0 user interface view.
  • Page 45
    <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com Ethernet switch can accommodate up to five Telnet connections at the same time.
  • Page 46: Telnetting To Another Switch From The Current Switch

    Telnetting to another Switch from the Current Switch
    You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure that the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
  • Page 47: Logging In Using A Modem

    Logging In Using a Modem
    Go to these sections for information you are interested in:
    Introduction
    Configuration on the Switch Side
    Modem Connection Establishment
    Introduction
    If a remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can log in to the console port of that switch using a modem over the PSTN, and configure and maintain the switch remotely.
  • Page 48: Switch Configuration

    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 49
    Figure 4-1 Establish the connection by using modems (diagram: PC, modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285)
    Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 50
    Figure 4-3 Set the telephone number
    Figure 4-4 Call the modem
    If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? at any time for help.
  • Page 51: Introduction

    Logging In Through the Web-based Network Management System
    Go to these sections for information you are interested in:
    Introduction
    Establishing an HTTP Connection
    Configuring the Login Banner
    Enabling/Disabling the WEB Server
    Introduction
    The Switch 5500-EI has a Web server built in. It enables you to log in to an Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 52: Configuring The Login Banner

    [Sysname-luser-admin] service-type telnet level 3
    [Sysname-luser-admin] password simple admin
    Establish an HTTP connection between your PC and the switch, as shown in Figure 5-1.
    Figure 5-1 Establish an HTTP connection between your PC and the switch
    Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 53: Configuration Example

    Configuration Example
    Network requirements
    A user logs in to the switch through Web. The banner page is desired when a user logs in to the switch.
    Network diagram
    Figure 5-3 Network diagram for login banner configuration
    Configuration Procedure
    # Enter system view.
    <Sysname>...
  • Page 54
    Enter system view: system-view.
    Enable the Web server: undo ip http shutdown (required; by default, the Web server is enabled).
    Disable the Web server: ip http shutdown (required).
    To improve security and prevent attacks on unused sockets, TCP port 80 (the port for the HTTP service) is enabled or disabled according to the corresponding configuration.
  • Page 55: Logging In Through Nms

    Logging In Through NMS
    Go to these sections for information you are interested in:
    Introduction
    Connection Establishment Using NMS
    Introduction
    You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
  • Page 56: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets
    Go to these sections for information you are interested in:
    Overview
    Configuring Source IP Address for Telnet Service Packets
    Displaying Source IP Address Configuration
    Overview
    You can configure the source IP address for Telnet service packets for a Switch 5500-EI operating as a Telnet client.
  • Page 57: Displaying Source Ip Address Configuration

    ... a Telnet client: telnet { source-ip ip-address | source-interface interface-type interface-number }
    Remarks: The IP address specified must be that of a Layer 3 interface of the local device; otherwise, the system prompts configuration failure. The source interface specified must exist; otherwise, the system prompts configuration failure. Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets.
  • Page 58: User Control

    User Control
    Go to these sections for information you are interested in:
    Introduction
    Controlling Telnet Users
    Controlling Network Management Users by Source IP Addresses
    Controlling Web Users by Source IP Address
    Refer to the ACL part for information about ACL.
    Introduction
    You can control users logging in through Telnet, SNMP and WEB by defining Access Control Lists (ACLs), as listed in...
  • Page 59: Controlling Telnet Users

    Controlling Telnet Users
    Prerequisites
    The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying).
    Controlling Telnet Users by Source IP Addresses
    Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999.
  • Page 60: Controlling Telnet Users By Source Mac Addresses

    Enter user interface view: user-interface [ type ] first-number [ last-number ].
    Apply the ACL to control Telnet users by ...: acl acl-number { inbound | ... (required; the inbound keyword specifies to filter the users trying to Telnet to the current switch).
  • Page 61: Controlling Network Management Users By Source Ip Addresses

    Network diagram
    Figure 8-1 Network diagram for controlling Telnet users using ACLs (diagram: Host A 10.110.100.46 and Host B 10.110.100.52 connected to the switch across an IP network)
    Configuration procedure
    # Define a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL.
  • Page 62: Configuration Example

    Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { auto | config } ] (as for the acl number command, the config keyword is specified by default).
    Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ] (required).
    Quit to system view...
  • Page 63: Controlling Web Users By Source Ip Address

    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL so that only SNMP users sourced from the IP address 10.110.100.52 are permitted to access the switch.
    [Sysname] snmp-agent community read aaa acl 2000
    [Sysname] snmp-agent group v2c groupa acl 2000
    [Sysname] snmp-agent usm-user v2c usera groupa acl 2000
    Controlling Web Users by Source IP Address...
  • Page 64: Configuration Example

    Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name } (required; available in user view).
    Configuration Example
    Network requirements
    Only the Web users sourced from the IP address 10.110.100.52 are permitted to access the switch.
    Network diagram
    Figure 8-3 Network diagram for controlling Web users using ACLs (10.110.100.46...
  • Page 65
    Table of Contents
    1 Configuration File Management  1-1
        Introduction to Configuration File  1-1
        Configuration Task List  1-2
            Saving the Current Configuration  1-2
            Erasing the Startup Configuration File  1-4
            Specifying a Configuration File for Next Startup  1-4
            Displaying Switch Configuration  1-5...
  • Page 66: Configuration File Management

    Configuration File Management
    When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File; Configuration Task List
    Introduction to Configuration File
    A configuration file records and stores the configuration a user has performed on a switch. It also lets users review the switch configuration easily.
  • Page 67: Configuration Task List

    When saving the current configuration, you can specify the file as a main, backup, or normal configuration file. When removing a configuration file from a switch, you can specify whether to remove the main or the backup configuration file. If a file has both the main and backup attributes, you can instead specify to erase only its main or backup attribute.
  • Page 68 Modes in saving the configuration
    Fast saving mode. This is the mode used when you run the save command without the safely keyword. It saves the file more quickly, but the original configuration file can be lost if the switch reboots or the power fails during the process.
  • Page 69: Erasing The Startup Configuration File

    Use the fast saving mode when power is stable, and the safe mode when power is unstable or when maintaining the switch remotely. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
  • Page 70: Displaying Switch Configuration

    You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
  • Page 71 Table of Contents
    1 VLAN Overview 1-1
    VLAN Overview 1-1
    Introduction to VLAN 1-1
    Advantages of VLANs 1-2
    VLAN Principles 1-2
    VLAN Interface 1-4
    VLAN Classification 1-4
    Port-Based VLAN 1-4
    Link Types of Ethernet Ports 1-4
    Assigning an Ethernet Port to Specified VLANs 1-5
    Configuring the Default VLAN ID for a Port 1-5
    Protocol-Based VLAN 1-6
    Introduction to Protocol-Based VLAN 1-6...
  • Page 72: Vlan Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN Protocol-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 73: Advantages Of Vlans

    Figure 1-1 A VLAN implementation
    Advantages of VLANs
    Compared with traditional Ethernet, VLANs offer the following advantages. Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. Network security is improved: because each VLAN forms a broadcast domain, hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used.
  • Page 74 tag is encapsulated after the destination MAC address and source MAC address to carry the VLAN information.
    Figure 1-3 Format of VLAN tag
    As shown in Figure 1-3, a VLAN tag contains four fields: the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
  • Page 75: Vlan Interface

    MAC address forwarding table. Packets received in any VLAN on a port are forwarded according to this table. Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
  • Page 76: Assigning An Ethernet Port To Specified Vlans

    configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity. A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
  • Page 77: Protocol-Based Vlan

    Table 1-2 Packet processing of a trunk port
    Processing of an incoming packet:
    For an untagged packet: If the port has already been added to its default VLAN...
    For a tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass...
    Processing of an outgoing packet: If the VLAN ID is just the default VLAN ID, strip off the...
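Added example, not code from the manual: a small Python model of the ingress and egress decisions described for trunk ports in Table 1-2 and for hybrid ports in the text before it (a hybrid port can send several VLANs untagged; a trunk port sends only its default VLAN untagged). The sample ports are constructed, and the handling of tagged frames arriving on an access port is an assumption marked in the code.

```python
"""Ingress/egress decisions of access, trunk and hybrid ports, following
Table 1-2 and the trunk/hybrid description on the page.

Added example, not code from the manual. Sample ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    link_type: str                                   # "access", "trunk" or "hybrid"
    pvid: int = 1                                    # default VLAN of the port
    permit: Set[int] = field(default_factory=set)    # trunk: VLANs allowed to pass
    untagged: Set[int] = field(default_factory=set)  # hybrid: VLANs sent without a tag
    tagged: Set[int] = field(default_factory=set)    # hybrid: VLANs sent with a tag

    def allowed(self) -> Set[int]:
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.permit)
        return self.untagged | self.tagged

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is assigned to, or None if it is dropped.
        vid=None means the frame arrived untagged."""
        if vid is None:
            # untagged: tag it with the default VLAN, but only if the port is in that VLAN
            return self.pvid if self.pvid in self.allowed() else None
        if self.link_type == "access":
            return self.pvid if vid == self.pvid else None   # assumption: only PVID-tagged accepted
        return vid if vid in self.allowed() else None

    def egress(self, vid: int) -> Optional[str]:
        """How a frame of VLAN vid leaves the port: "untagged", "tagged", or None (not sent)."""
        if vid not in self.allowed():
            return None
        if self.link_type == "hybrid":
            return "untagged" if vid in self.untagged else "tagged"
        # access and trunk: only the default VLAN leaves without a tag
        return "untagged" if vid == self.pvid else "tagged"


def forward(ingress_port: Port, vid: Optional[int], egress_port: Port) -> Optional[str]:
    """Carry a frame across the switch: None if it is dropped at either side."""
    assigned = ingress_port.ingress(vid)
    return None if assigned is None else egress_port.egress(assigned)


# constructed topology: access port in VLAN 100, trunk carrying 1/100/200, a hybrid port
ACCESS = Port("access", pvid=100)
TRUNK = Port("trunk", pvid=1, permit={1, 100, 200})
HYBRID = Port("hybrid", pvid=100, untagged={100, 200}, tagged={300})

if __name__ == "__main__":
    print("access -> trunk, untagged in:", forward(ACCESS, None, TRUNK))
    print("trunk, untagged in -> hybrid:", forward(TRUNK, None, HYBRID))
    print("hybrid VLAN 200 -> trunk:", forward(HYBRID, 200, TRUNK))
    print("trunk, tagged VLAN 300 in:", TRUNK.ingress(300))
```

Note how an untagged frame entering the trunk lands in VLAN 1 (the trunk's default VLAN) and is then dropped by the hybrid port, which does not carry VLAN 1: the default VLAN of a trunk decides where untagged traffic from the neighbour ends up, which is why it should be chosen deliberately rather than left at VLAN 1.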
  • Page 78 Ethernet II and 802.2/802.3 encapsulation Mainly, there are two encapsulation types of Ethernet packets: Ethernet II and 802.2/802.3, defined by RFC 894 and RFC 1042 respectively. The two encapsulation formats are described in the following figures. Ethernet II packet: Figure 1-4 Ethernet II encapsulation format 802.2/802.3 packet: Figure 1-5 802.2/802.3 encapsulation format In the two figures, DA and SA refer to the destination MAC address and source MAC address of the...
  • Page 79 802.2 Logical Link Control (LLC) encapsulation: the length field, the destination service access point (DSAP) field, the source service access point (SSAP) field and the control field are encapsulated after the destination and source address fields. The value of the control field is always
    Figure 1-7 802.2 LLC encapsulation format
    The DSAP field and the SSAP field in the 802.2 LLC encapsulation are used to identify the upper layer protocol.
  • Page 80: Procedure For The Switch To Judge Packet Protocol

    Procedure for the Switch to Judge Packet Protocol
    Figure 1-9 Procedure for the switch to judge packet protocol
    Encapsulation Formats
    Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are the type values of these protocols.
    Table 1-4 Encapsulation formats
    Protocol / Ethernet II / 802.3 raw...
  • Page 81: Implementation Of Protocol-Based Vlan

    Implementation of Protocol-Based VLAN The Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template. The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
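Added example, not code from the manual: a Python frame classifier that does what the last few pages describe in prose. It strips an 802.1Q tag and reads TPID, priority, CFI and VLAN ID (the tag format page), tells Ethernet II (RFC 894) from 802.3 raw, 802.2 LLC and 802.2 SNAP (RFC 1042) by looking at the length/type field and the DSAP/SSAP bytes (the encapsulation and "judge packet protocol" pages), and then matches protocol templates to assign an untagged frame to a VLAN. The frames, template table and VLAN numbers are constructed for the illustration, and the rule that a tagged frame keeps its own VLAN rather than being classified is an assumption marked in the code.

```python
"""Frame classification for protocol-based VLAN assignment: strip the 802.1Q
tag (TPID, priority, CFI, VLAN ID), tell Ethernet II from 802.3 raw, 802.2
LLC and 802.2 SNAP, then match protocol templates to choose a VLAN.

Added example, not code from the manual. Templates and frames are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_MIN = 0x0600   # length/type values at or above this are EtherTypes (IEEE 802.3)

# Template key: (encapsulation, protocol value).  The value is the EtherType for
# Ethernet II and SNAP, (DSAP, SSAP) for LLC, and None for raw 802.3.
Template = Tuple[str, object]


def parse_tag(tci: int) -> Tuple[int, int, int]:
    """Split the 16-bit Tag Control Information into (priority, CFI, VLAN ID)."""
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return dst/src, any 802.1Q fields, the encapsulation and the protocol value."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    info: Dict[str, object] = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                               "vlan": None, "priority": None, "cfi": None}
    off = 12
    length_type = struct.unpack_from("!H", frame, off)[0]
    if length_type == TPID_8021Q:                 # the tag sits right after the source MAC
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        info["priority"], info["cfi"], info["vlan"] = parse_tag(tci)
        off += 4
        length_type = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if length_type >= ETHERTYPE_MIN:              # Ethernet II (RFC 894): the field is a type
        info.update(encapsulation="ethernet_ii", protocol=length_type)
        return info
    dsap, ssap = frame[off], frame[off + 1]       # 802.3: the field is a length, look at LLC bytes
    if dsap == 0xFF and ssap == 0xFF:
        info.update(encapsulation="802.3_raw", protocol=None)
    elif dsap == 0xAA and ssap == 0xAA:           # SNAP (RFC 1042): ctrl(1) + OUI(3) + type(2)
        info.update(encapsulation="snap", protocol=struct.unpack_from("!H", frame, off + 6)[0])
    else:
        info.update(encapsulation="llc", protocol=(dsap, ssap))
    return info


def assign_vlan(frame: bytes, templates: Dict[Template, int], port_default_vlan: int) -> int:
    """Protocol templates are applied to untagged frames; a tagged frame keeps its own
    VLAN ID (assumption, the usual 802.1Q switch behaviour)."""
    info = parse_frame(frame)
    if info["vlan"] is not None:
        return int(info["vlan"])
    return templates.get((info["encapsulation"], info["protocol"]), port_default_vlan)


# --- constructed sample frames -------------------------------------------------
DST, SRC = bytes.fromhex("0011223344ff"), bytes.fromhex("000c29aabbcc")


def ethernet_ii(etype: int, body: bytes, vlan: Optional[int] = None, prio: int = 0) -> bytes:
    tag = struct.pack("!HH", TPID_8021Q, (prio << 13) | vlan) if vlan is not None else b""
    return DST + SRC + tag + struct.pack("!H", etype) + body


def ieee8023(llc_and_body: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", len(llc_and_body)) + llc_and_body


FRAME_IP = ethernet_ii(0x0800, b"\x45" + b"\x00" * 45)
FRAME_ARP = ethernet_ii(0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24)
FRAME_TAGGED_IP = ethernet_ii(0x0800, b"\x45" + b"\x00" * 45, vlan=100, prio=5)
# AppleTalk Phase 2 over SNAP: AA AA 03 + Apple OUI 08-00-07 + type 809B
FRAME_APPLETALK = ieee8023(bytes.fromhex("aaaa03080007809b") + b"\x00" * 40)
FRAME_IPX_RAW = ieee8023(b"\xff\xff" + b"\x00" * 30)

# VLAN 100 carries IP (standard template) plus ARP via a user-defined Ethernet II
# template; VLAN 200 carries AppleTalk, recognised here in its SNAP form.
TEMPLATES: Dict[Template, int] = {
    ("ethernet_ii", 0x0800): 100,
    ("ethernet_ii", 0x0806): 100,
    ("snap", 0x809B): 200,
}


def classify_all(port_default_vlan: int = 1) -> List[Tuple[str, str, int]]:
    out = []
    for name, f in [("ip", FRAME_IP), ("arp", FRAME_ARP), ("tagged_ip", FRAME_TAGGED_IP),
                    ("appletalk", FRAME_APPLETALK), ("ipx_raw", FRAME_IPX_RAW)]:
        info = parse_frame(f)
        out.append((name, str(info["encapsulation"]), assign_vlan(f, TEMPLATES, port_default_vlan)))
    return out


if __name__ == "__main__":
    for row in classify_all():
        print(*row)
```

The raw IPX frame falls through to the port's default VLAN because no template claims it, which is the failure mode the ARP note on a later page warns about: a protocol the templates forget is not dropped, it silently lands in the default VLAN.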
  • Page 82: Vlan Configuration

    VLAN Configuration
    When configuring VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN; Configuring a Protocol-Based VLAN
    VLAN Configuration
    VLAN Configuration Task List
    Complete the following tasks to configure VLAN:
    Task / Remarks
    Basic VLAN Configuration: Required
    Basic VLAN Interface Configuration...
  • Page 83: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN: it does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also supports dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 84: Displaying Vlan Configuration

    The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
    Displaying VLAN Configuration
    To do... / Use the command... / Remarks
    Display the VLAN interface information: display interface Vlan-interface [ vlan-id ]. Available in any view.
  • Page 85: Assigning An Ethernet Port To A Vlan

    Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. You can assign an access port to a VLAN in either Ethernet port view or VLAN view. You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
  • Page 86: Configuring The Default Vlan For A Port

    Configuring the Default VLAN for a Port Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port. Follow these steps to configure the default VLAN for a port: To do…...
  • Page 87 Network diagram
    Figure 2-1 Network diagram for VLAN configuration (labels: Server2, Server1, SwitchA, GE1/0/12, GE1/0/13, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/1, SwitchB)
    Configuration procedure
    Configure Switch A.
    # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
    <SwitchA>...
  • Page 88: Configuring A Protocol-Based Vlan

    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100
    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200
    # Configure GigabitEthernet 1/0/10 of Switch B.
    [SwitchB] interface GigabitEthernet 1/0/10
    [SwitchB-GigabitEthernet1/0/10] port link-type trunk
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100
    [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 200
    Configuring a Protocol-Based VLAN
    Protocol-Based VLAN Configuration Task List
    Complete these tasks to configure protocol-based VLAN:
    Task...
  • Page 89: Associating A Port With A Protocol-Based Vlan

    Because the IP protocol depends closely on ARP, you are recommended to configure the ARP protocol type together with the IP protocol type and to associate both protocol types with the same port. Otherwise ARP packets and IP packets may be assigned to different VLANs, which causes IP address resolution to fail.
  • Page 90: Displaying Protocol-Based Vlan Configuration

    Displaying Protocol-Based VLAN Configuration
    To do... / Use the command... / Remarks
    Display the information about the protocol-based VLAN: display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ]
    Display the protocol information and protocol indexes configured on the specified VLAN: display protocol-vlan vlan { vlan-id [ to vlan-id ] | all }...
  • Page 91 [Sysname-vlan100] quit
    [Sysname] vlan 200
    [Sysname-vlan200] port GigabitEthernet 1/0/12
    # Configure protocol templates for VLAN 200 and VLAN 100, matching the AppleTalk protocol and the IP protocol respectively.
    [Sysname-vlan200] protocol-vlan at
    [Sysname-vlan200] quit
    [Sysname] vlan 100
    [Sysname-vlan100] protocol-vlan ip
    # To ensure the normal operation of the IP network, you need to configure a user-defined protocol template for VLAN 100 to match the ARP protocol (assume Ethernet II encapsulation is adopted here).
  • Page 92 AppleTalk workstations can be automatically assigned to VLAN 100 and VLAN 200 respectively for transmission by matching the corresponding protocol templates, so as to realize the normal communication between workstations and servers.
  • Page 93 Table of Contents
    1 IP Addressing Configuration 1-1
    IP Addressing Overview 1-1
    IP Address Classes 1-1
    Special Case IP Addresses 1-2
    Subnetting and Masking 1-2
    Configuring IP Addresses 1-3
    Displaying IP Addressing Configuration 1-4
    IP Address Configuration Examples 1-4
    IP Address Configuration Example I 1-4
    IP Address Configuration Example II 1-5
    2 IP Performance Optimization Configuration 2-1
    IP Performance Overview 2-1...
  • Page 94: Ip Addressing Configuration

    IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration IP Address Configuration Examples IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary.
  • Page 95: Special Case Ip Addresses

    Table 1-1 IP address classes and ranges
    Class / Address range / Description
    Address 0.0.0.0 means “this host on this network”. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
  • Page 96: Configuring Ip Addresses

    While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host.
  • Page 97: Displaying Ip Addressing Configuration

    You can assign at most five IP addresses to an interface, one of which is the primary IP address and the others secondary IP addresses. A newly specified primary IP address overwrites the previous one, if any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
  • Page 98: Ip Address Configuration Example Ii

    IP Address Configuration Example II
    Network requirements: As shown in Figure 1-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To let the hosts on the two segments communicate with the external network through the switch, and with each other, do the following: Assign two IP addresses to VLAN-interface 1 on the switch.
  • Page 99 --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms
    The output shows that the switch can communicate with the hosts on the subnet 172.16.1.0/24.
    # Ping a host on the subnet 172.16.2.0/24 from the switch to check the connectivity.
    <Switch>...
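Added example, not code from the manual: Python helpers for the IP addressing pages above. They derive the address class from the leading bits (including the binary example on the overview page), split an address into the network/subnet/host levels that subnetted routing uses, and model the interface rules stated earlier (at most five addresses, a new primary overwriting the old one, primary and secondaries on different segments) against Example II. The concrete interface addresses 172.16.1.1/24 and 172.16.2.1/24 are assumed; the page gives only the two segments. The requirement to configure the primary address before a secondary one is also an assumption.

```python
"""IP address classes, the network/subnet/host split, and the interface
address rules from the IP addressing pages.

Added example, not code from the manual. Interface addresses are assumed.
"""
import ipaddress
from typing import Dict, List, Optional

NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}
PAGE_BINARY = "01010000100000001000000010000000"   # the binary example on the overview page


def from_binary(bits: str) -> str:
    return str(ipaddress.IPv4Address(int(bits, 2)))


def address_class(addr: str) -> str:
    """Class from the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, else E."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def split_address(addr: str, prefix: int) -> Dict[str, object]:
    """Three-level view used by subnetted routing: network (natural mask), subnet, host."""
    cls = address_class(addr)
    if cls not in NATURAL_PREFIX:
        raise ValueError(f"class {cls} addresses are not subnetted")
    nat = NATURAL_PREFIX[cls]
    if prefix < nat:
        raise ValueError("mask shorter than the natural mask")
    a = int(ipaddress.IPv4Address(addr))
    nat_mask = (0xFFFFFFFF << (32 - nat)) & 0xFFFFFFFF
    sub_mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return {
        "class": cls,
        "network": str(ipaddress.IPv4Address(a & nat_mask)),
        "subnet": str(ipaddress.IPv4Address(a & sub_mask)),
        "subnet_bits": prefix - nat,
        "host_bits": 32 - prefix,
    }


class Interface:
    MAX_ADDRESSES = 5      # one primary plus up to four secondaries

    def __init__(self, name: str) -> None:
        self.name = name
        self.primary: Optional[ipaddress.IPv4Interface] = None
        self.secondaries: List[ipaddress.IPv4Interface] = []

    def assign(self, addr: str, prefix: int, sub: bool = False) -> None:
        """Model of 'ip address addr prefix [ sub ]'; raises ValueError when a rule is broken."""
        new = ipaddress.IPv4Interface(f"{addr}/{prefix}")
        if sub and self.primary is None:
            raise ValueError("configure the primary address before a secondary one")  # assumption
        # a new primary replaces the old one, so it is only checked against the secondaries
        existing = self.secondaries + ([self.primary] if sub else [])
        for other in existing:
            if other.network.overlaps(new.network):
                raise ValueError(f"{new} and {other} are on the same segment")
        if sub:
            if 1 + len(self.secondaries) >= self.MAX_ADDRESSES:
                raise ValueError("at most five IP addresses per interface")
            self.secondaries.append(new)
        else:
            self.primary = new


def page_example() -> Interface:
    """VLAN-interface 1 of Example II; the host parts of the addresses are assumed."""
    vlan1 = Interface("Vlan-interface1")
    vlan1.assign("172.16.1.1", 24)              # primary, segment 172.16.1.0/24
    vlan1.assign("172.16.2.1", 24, sub=True)    # secondary, segment 172.16.2.0/24
    return vlan1


def same_segment_rejected() -> bool:
    """A second address on 172.16.1.0/24 must be refused."""
    try:
        page_example().assign("172.16.1.200", 24, sub=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(from_binary(PAGE_BINARY), address_class(from_binary(PAGE_BINARY)))
    print(split_address("172.16.1.1", 24))
    v = page_example()
    print(v.primary, v.secondaries, same_segment_rejected())
```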
  • Page 100: Ip Performance Optimization Configuration

    IP Performance Optimization Configuration When configuring IP performance, go to these sections for information you are interested in: IP Performance Overview Configuring IP Performance Displaying and Maintaining IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network performance.
  • Page 101: Enabling Reception Of Directed Broadcasts To A Directly Connected Network

    finwait timer: When a TCP connection enters the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is received, the connection moves to the TIME_WAIT state. If non-FIN packets are received, the system restarts the timer from the last non-FIN packet received.
  • Page 102: Displaying And Maintaining Ip Performance Configuration

    A device that receives a large number of malicious packets that make it send ICMP error packets suffers reduced performance. Because ICMP redirection increases the size of a host’s routing table, the host’s performance is reduced if its routing table becomes very large. If a host sends malicious ICMP destination unreachable packets, end users may be affected.
  • Page 103 To do… / Use the command… / Remarks
    Clear IP traffic statistics: reset ip statistics
    Clear TCP traffic statistics: reset tcp statistics
    Clear UDP traffic statistics: reset udp statistics
    All available in user view...
  • Page 104 Table of Contents
    1 Voice VLAN Configuration 1-1
    Voice VLAN Overview 1-1
    How an IP Phone Works 1-1
    How Switch 5500-EI Series Switches Identify Voice Traffic 1-3
    Setting the Voice Traffic Transmission Precedence 1-3
    Configuring Voice VLAN Assignment Mode of a Port 1-4
    Support for Voice VLAN on Various Ports 1-5
    Security Mode of Voice VLAN 1-6
    Voice VLAN Configuration 1-7...
  • Page 105: Voice Vlan Configuration

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are allocated specially for voice traffic. After creating a voice VLAN and assigning ports that connect voice devices to the voice VLAN, you can have voice traffic transmitted in the dedicated voice VLAN and configure quality of service (QoS) parameters for the voice traffic to improve its transmission priority and ensure voice quality.
  • Page 106 The following describes how an IP phone acquires an IP address.
    Figure 1-1 Network diagram for IP phones
    As shown in Figure 1-1, the IP phone works in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
  • Page 107: How Switch 5500-Ei Series Switches Identify Voice Traffic

    Pingtel phones
    00e0-7500-0000 Polycom phones
    00e0-bb00-0000 3Com phones
    Setting the Voice Traffic Transmission Precedence
    In order to improve the transmission quality of voice traffic, the switch by default re-marks the precedence of the traffic in the voice VLAN as follows:...
  • Page 108: Configuring Voice Vlan Assignment Mode Of A Port

    Set the DSCP precedence to 46. You can adjust the QoS scheme for voice traffic according to the precedence of the voice traffic marked by the switch. Alternatively, you can modify the precedence of voice traffic as needed at the command line interface to apply an existing QoS scheme to voice traffic.
  • Page 109: Support For Voice Vlan On Various Ports

    Support for Voice VLAN on Various Ports Voice VLAN packets can be forwarded by access ports, trunk ports, and hybrid ports. You can enable a trunk or hybrid port belonging to other VLANs to forward voice and service packets simultaneously by enabling the voice VLAN.
  • Page 110: Security Mode Of Voice Vlan

    IP phones acquiring IP address and voice VLAN through manual configuration can forward only tagged traffic, so the matching relationship is relatively simple, as shown in Table 1-3: Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration Voice VLAN Port type...
  • Page 111: Voice Vlan Configuration

    Table 1-4 How a packet is handled when the voice VLAN is operating in different modes
    Voice VLAN mode / Packet type / Processing method
    Untagged packet: If the source MAC address of the packet matches the OUI list, the packet is transmitted in the voice VLAN.
    Packet carrying the voice...
  • Page 112 To do… / Use the command… / Remarks
    Set the voice VLAN aging timer: voice vlan aging minutes. Optional; the default aging timer is 1440 minutes.
    Enable the voice VLAN function globally: voice vlan vlan-id enable. Required.
    Enter Ethernet port view: interface interface-type interface-number. Required.
    Required...
  • Page 113: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode
    Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Set an OUI address that can be identified: voice vlan mac-address ... Optional. Without this address,...
  • Page 114: Displaying And Maintaining Voice Vlan

    VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between a 3Com device and another vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 115: Voice Vlan Configuration Example

    Voice VLAN Configuration Example
    Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode)
    Network requirements: As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A, whose MAC address is 0022-1100-0002, and to GigabitEthernet 1/0/1 on an upstream device named Device A.
  • Page 116 Pingtel phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3Com phone
    # Display the current states of voice VLANs.
    <DeviceA> display voice vlan state
    Voice Vlan status: ENABLE
    Voice Vlan ID: 2
    Voice Vlan security mode: Security
    Voice Vlan aging time: 1440 minutes...
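Added example, not code from the manual: a Python model of the OUI matching and of Table 1-4 applied to the automatic-mode example above (IP phone A 0011-1100-0001 with PC A 0022-1100-0002 behind it, voice VLAN 2, security mode). The OUI list holds the two complete entries shown on the page (00e0-7500-0000 Polycom, 00e0-bb00-0000 3Com) plus an entry for the example phone that is assumed to have been added with the voice vlan mac-address command. Where Table 1-4 is truncated on the page, the normal-mode handling, the drop of non-voice traffic in security mode and the fall-back of other untagged frames to the port's default VLAN (assumed to be VLAN 1) are assumptions marked in the code.

```python
"""Voice VLAN handling: match a source MAC against the OUI list (address plus
mask) and decide how a frame is treated with the voice VLAN in automatic
assignment mode, in normal versus security mode.

Added example, not code from the manual. Assumptions are marked.
"""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Accept 'xxxx-xxxx-xxxx' (as on the page) or 'xx:xx:xx:xx:xx:xx' notation."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    oui: str
    mask: str
    description: str

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(mac) & m == mac_to_int(self.oui) & m


OUI_LIST: List[OuiEntry] = [
    OuiEntry("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),       # from the page
    OuiEntry("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),          # from the page
    OuiEntry("0011-1100-0000", "ffff-ff00-0000", "IP phone A"),          # assumed, added for the example
]


def oui_lookup(mac: str, oui_list: List[OuiEntry] = OUI_LIST) -> Optional[str]:
    """Description of the first OUI entry the address matches, or None."""
    for entry in oui_list:
        if entry.matches(mac):
            return entry.description
    return None


def handle_frame(src_mac: str, tag_vid: Optional[int], voice_vlan: int, pvid: int,
                 security_mode: bool = True) -> str:
    """Where an incoming frame goes on a port whose voice VLAN works in automatic
    assignment mode.  tag_vid=None means the frame arrived untagged."""
    is_voice = oui_lookup(src_mac) is not None
    if tag_vid is None:
        # Table 1-4: an untagged frame whose source MAC matches the OUI list is
        # transmitted in the voice VLAN.  Other untagged frames stay in the port's
        # default VLAN (assumption).
        return f"forward in VLAN {voice_vlan}" if is_voice else f"forward in VLAN {pvid}"
    if tag_vid == voice_vlan:
        if security_mode and not is_voice:
            # Security mode: only OUI-matching traffic may use the voice VLAN; the rest
            # is dropped (assumption for the truncated part of Table 1-4).
            return "drop"
        return f"forward in VLAN {voice_vlan}"   # normal mode, or genuine voice traffic
    return f"forward in VLAN {tag_vid}"


def page_example() -> dict:
    phone, pc = "0011-1100-0001", "0022-1100-0002"
    return {
        "phone_untagged": handle_frame(phone, None, 2, 1),
        "phone_tagged": handle_frame(phone, 2, 2, 1),
        "pc_untagged": handle_frame(pc, None, 2, 1),
        "pc_in_voice_vlan_security": handle_frame(pc, 2, 2, 1, security_mode=True),
        "pc_in_voice_vlan_normal": handle_frame(pc, 2, 2, 1, security_mode=False),
    }


if __name__ == "__main__":
    for mac in ("0011-1100-0001", "00e0-bb12-3456", "0022-1100-0002"):
        print(mac, oui_lookup(mac))
    for case, result in page_example().items():
        print(case, result)
```

The last two cases are the reason security mode exists: in normal mode a PC that tags its own frames with the voice VLAN ID is carried in the voice VLAN and inherits its precedence re-marking; in security mode it is dropped. The OUI check itself is only a source MAC comparison, so it is a traffic-classification aid, not an authentication of the phone.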
  • Page 117: Voice Vlan Configuration Example (Manual Voice Vlan Assignment Mode)

    Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
  • Page 118 Pingtel phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3Com phone
    # Display the status of the current voice VLAN.
    <DeviceA> display voice vlan status
    Voice Vlan status: ENABLE
    Voice Vlan ID: 2
    Voice Vlan security mode: Security
    Voice Vlan aging time: 1440 minutes...
  • Page 119 Table of Contents
    1 GVRP Configuration 1-1
    Introduction to GVRP 1-1
    GARP 1-1
    GVRP 1-4
    Protocol Specifications 1-4
    GVRP Configuration 1-4
    GVRP Configuration Tasks 1-4
    Enabling GVRP 1-4
    Configuring GVRP Timers 1-5
    Configuring GVRP Port Registration Mode 1-6
    Displaying and Maintaining GVRP 1-7
    GVRP Configuration Example 1-7
    GVRP Configuration Example 1-7...
  • Page 120: Gvrp Configuration

    GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 121 GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 122 Figure 1-1 Format of GARP packets
    The following table describes the fields of a GARP packet.
    Table 1-1 Description of GARP packet fields
    Field / Description / Value
    Protocol ID: Protocol ID
    Message: Each message consists of two parts: Attribute Type and...
  • Page 123: Gvrp

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 124: Configuring Gvrp Timers

    To do ... / Use the command ... / Remarks
    Enter system view: system-view
    Enable GVRP globally: gvrp. Required; by default, GVRP is disabled globally.
    Enter Ethernet port view: interface interface-type interface-number
    Enable GVRP on the port: gvrp. Required; by default, GVRP is disabled on the port.
  • Page 125: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers
    Timer / Lower threshold / Upper threshold
    Hold: lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
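Added example, not code from the manual: a Python checker for the GARP timer relations of Table 1-2 and a helper that finds an order in which a set of timers can be changed one at a time without ever breaking a relation. Only the Hold row survives on the page; the Join, Leave and LeaveAll rows (Join at least twice Hold and at most half of Leave, Leave at least twice Join and below LeaveAll, LeaveAll at most 32765 centiseconds) and the default values (10, 20, 60, 1000 centiseconds) follow the Comware-family documentation and should be treated as assumptions. Values are in centiseconds, as in the table.

```python
"""Check GARP timer values against the relations of Table 1-2 and find a safe
order in which to change them one timer at a time.

Added example, not code from the manual.  Rows other than Hold, and the
defaults, are assumptions taken from the Comware-family convention.
"""
from typing import Dict, List, Tuple

TIMERS = ("hold", "join", "leave", "leaveall")
DEFAULTS: Dict[str, int] = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}  # assumed
LEAVEALL_MAX = 32765


def violations(t: Dict[str, int]) -> List[str]:
    """Every relation the timer set t breaks; an empty list means the set is valid."""
    v = []
    if t["hold"] < 10:
        v.append("hold below 10 centiseconds")
    if 2 * t["hold"] > t["join"]:            # Hold upper bound: at most half of Join
        v.append("join below twice hold")
    if 2 * t["join"] > t["leave"]:           # Join upper bound: at most half of Leave (assumed)
        v.append("leave below twice join")
    if t["leave"] >= t["leaveall"]:          # Leave must stay below LeaveAll (assumed)
        v.append("leave not below leaveall")
    if t["leaveall"] > LEAVEALL_MAX:         # LeaveAll upper bound (assumed)
        v.append("leaveall above 32765")
    return v


def change_order(current: Dict[str, int], target: Dict[str, int]) -> List[Tuple[str, int]]:
    """Greedy: at each step set any timer whose target value keeps the whole set valid.
    Returns the (timer, value) steps; raises ValueError if no such order exists."""
    if violations(target):
        raise ValueError("target timers invalid: " + "; ".join(violations(target)))
    state, steps = dict(current), []
    pending = [name for name in TIMERS if current[name] != target[name]]
    while pending:
        for name in pending:
            trial = dict(state, **{name: target[name]})
            if not violations(trial):
                state, steps = trial, steps + [(name, target[name])]
                pending.remove(name)
                break
        else:
            raise ValueError("no single-timer change keeps the timers valid: " + ", ".join(pending))
    return steps


def doubled() -> Dict[str, int]:
    """A constructed target: every timer doubled."""
    return {name: 2 * value for name, value in DEFAULTS.items()}


if __name__ == "__main__":
    print("defaults valid:", violations(DEFAULTS) == [])
    print("raise:", change_order(DEFAULTS, doubled()))
    print("lower:", change_order(doubled(), DEFAULTS))
```

The two runs show the practical rule: when raising the timers, the larger ones have to be set first (Leave before Join before Hold), and when lowering them the smaller ones go first, because each individual command is checked against the other timers' current values.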
  • Page 126: Displaying And Maintaining Gvrp

    Displaying and Maintaining GVRP
    To do … / Use the command … / Remarks
    Display GARP statistics: display garp statistics [ interface interface-list ]
    Display the settings of the GARP timers: display garp timer [ interface interface-list ]
    Display GVRP statistics: display gvrp statistics [ interface interface-list ]
    All available in any view...
  • Page 127 [SwitchA-Ethernet1/0/1] port link-type trunk
    [SwitchA-Ethernet1/0/1] port trunk permit vlan all
    # Enable GVRP on Ethernet1/0/1.
    [SwitchA-Ethernet1/0/1] gvrp
    [SwitchA-Ethernet1/0/1] quit
    # Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
    [SwitchA] interface Ethernet 1/0/2
    [SwitchA-Ethernet1/0/2] port link-type trunk
    [SwitchA-Ethernet1/0/2] port trunk permit vlan all
    # Enable GVRP on Ethernet1/0/2.
  • Page 128 The following dynamic VLANs exist: 5, 7, 8,
    # Display the VLAN information dynamically registered on Switch B.
    [SwitchB] display vlan dynamic
    Total 3 dynamic VLAN exist(s).
    The following dynamic VLANs exist: 5, 7, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    Total 1 dynamic VLAN exist(s).
  • Page 129 5, 8,
    # Display the VLAN information dynamically registered on Switch E.
    [SwitchE] display vlan dynamic
    No dynamic vlans exist!
  • Page 130 Table of Contents
    1 Port Basic Configuration 1-1
    Ethernet Port Configuration 1-1
    Initially Configuring a Port 1-1
    Configuring Port Auto-Negotiation Speed 1-2
    Limiting Traffic on individual Ports 1-2
    Configuring Flow Control on a Port 1-3
    Duplicating the Configuration of a Port to Other Ports 1-4
    Configuring Loopback Detection for an Ethernet Port 1-4
    Enabling Loopback Test 1-6
    Enabling the System to Test Connected Cable 1-7...
  • Page 131: Port Basic Configuration

    Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration Ethernet Port Configuration Initially Configuring a Port Follow these steps to initially configure a port: To do...
  • Page 132: Configuring Port Auto-Negotiation Speed

    Configuring Port Auto-Negotiation Speed You can configure an auto-negotiation speed for a port by using the speed auto command. Take a 10/100/1000 Mbps port as an example. If you expect that 10 Mbps is the only available auto-negotiation speed of the port, you just need to configure speed auto 10.
  • Page 133: Configuring Flow Control On A Port

    To do... / Use the command... / Remarks
    Limit broadcast traffic received on each port: broadcast-suppression { ratio | pps max-pps } (Optional. By default, the switch does not suppress broadcast traffic.)
    Enter Ethernet port view: interface interface-type interface-number
    Limit broadcast traffic received on the current port: broadcast-suppression { ratio...
  • Page 134: Duplicating The Configuration Of A Port To Other Ports

    To do… / Use the command… / Remarks
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Configure flow control to operate in TxRx mode: flow-control (Required. Use either command. By default, flow control is disabled on a port.)
    Configure flow control to operate in Rx mode: flow-control
  • Page 135 After you enable loopback detection on Ethernet ports, the switch can monitor whether an external loopback occurs on them. If a loopback port is found, the switch deals with it according to your configuration. If a loop is found on an access port, the system sets the port to the block state (ports in this state cannot forward data packets), sends log messages to the terminal, and removes the corresponding MAC forwarding entry.
  • Page 136: Enabling Loopback Test

    To do… / Use the command… / Remarks
    Enable loopback detection on a specified port: loopback-detection enable
    Enable the loopback port auto-shutdown function: loopback-detection shutdown enable (Optional. By default, the loopback port auto-shutdown function is enabled on ports if the device boots with the default configuration file (config.def);...)
  • Page 137: Enabling The System To Test Connected Cable

    external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cable; for a 1000M port, the self-loop headers are made from eight cores of the 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 138: Enabling Giant-Frame Statistics Function

    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Set the interval to perform statistical analysis on port traffic: flow-interval interval (Optional. By default, this interval is 300 seconds.)
    Enabling Giant-Frame Statistics Function
    The giant-frame statistics function is used to ensure normal data transmission and to facilitate statistics and analysis of unusual traffic on the network.
  • Page 139: Configuring Storm Control On A Port

    Configuration examples
    # In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on Ethernet 1/0/1. The Up/Down log information for Ethernet 1/0/1 is generated and displayed on the terminal.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
  • Page 140: Setting The Port State Change Delay

    To do... / Use the command... / Remarks
    Enable log/trap information to be output when a type of traffic received on the port exceeds the upper threshold or falls below the lower threshold: storm-constrain enable { log | trap } (Optional. Enabled by default.)
    Return to system view: quit...
  • Page 141: Displaying And Maintaining Basic Port Configuration

    To do … / Use the command … / Remarks
    Set the port state change delay: link-delay delay-time (Required. Defaults to 0, which indicates that no delay is introduced.)
    The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP.
  • Page 142: Ethernet Port Configuration Example

    Ethernet Port Configuration Example Network requirements Switch A and Switch B are connected to each other through two trunk ports (Ethernet 1/0/1 on each switch). Configure the default VLAN ID of both Ethernet 1/0/1 ports to 100. Allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through both Ethernet 1/0/1 ports. Network diagram Figure 1-2 Network diagram for Ethernet port configuration Configuration procedure...
  • Page 143 Table of Contents 1 Link Aggregation Configuration ··············································································································1-1 Overview ·················································································································································1-1 Introduction to Link Aggregation······································································································1-1 Introduction to LACP ·······················································································································1-1 Consistency Considerations for the Ports in Aggregation·······························································1-1 Link Aggregation Classification···············································································································1-2 Manual Aggregation Group ·············································································································1-2 Static LACP Aggregation Group······································································································1-3 Dynamic LACP Aggregation Group·································································································1-4 Aggregation Group Categories ···············································································································1-5 Link Aggregation Configuration···············································································································1-6 Configuring a Manual Aggregation Group·······················································································1-6...
  • Page 144: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 145: Link Aggregation Classification

    Table 1-1 Consistency considerations for ports in an aggregation
    Category / Considerations
    State of port-level STP (enabled or disabled)
    Attribute of the link (point-to-point or otherwise) connected to the port
    Port path cost
    STP priority
    STP packet format
    Loop protection
    Root protection
    Port type (whether the port is an edge port)
    Rate limiting
    Priority marking...
  • Page 146: Static Lacp Aggregation Group

    LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group. Port status in manual aggregation group A port in a manual aggregation group can be in one of two states: selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
  • Page 147: Dynamic Lacp Aggregation Group

    Ports connected to a peer device other than the one the master port is connected to, and ports connected to the same peer device as the master port but to a peer port outside the aggregation group that contains the master port's peer port, are unselected ports. The system also sets ports whose basic port configuration differs from that of the master port to the unselected state.
  • Page 148: Aggregation Group Categories

    For an aggregation group: When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state;...
  • Page 149: Link Aggregation Configuration

    A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports. When more than eight load-sharing aggregation groups are configured on a single switch, fabric ports cannot be enabled on this switch.
  • Page 150: Configuring A Static Lacp Aggregation Group

    For a manual aggregation group, a port can only be manually added to or removed from the manual aggregation group. Follow these steps to configure a manual aggregation group:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Create a manual aggregation group: link-aggregation group agg-id mode... (Required)
  • Page 151: Configuring A Dynamic Lacp Aggregation Group

    To do… / Use the command… / Remarks
    Create a static aggregation group: link-aggregation group agg-id mode static (Required)
    Enter Ethernet port view: interface interface-type interface-number
    Add the port to the aggregation group: port link-aggregation group agg-id (Required)
    For a static LACP aggregation group or a manual aggregation group, you are recommended not to cross cables between the two devices at the two ends of the aggregation group.
  • Page 152: Configuring A Description For An Aggregation Group

    To do… / Use the command… / Remarks
    Configure the port priority: lacp port-priority port-priority (Optional. By default, the port priority is 32,768.)
    Changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member ports in the dynamic aggregation group.
    Configuring a Description for an Aggregation Group
    To do…...
  • Page 153: Link Aggregation Configuration Example

    Link Aggregation Configuration Example Ethernet Port Aggregation Configuration Example Network requirements Switch A connects to Switch B with three ports, Ethernet 1/0/1 to Ethernet 1/0/3. The load between the two switches must be shared among the three ports. Adopt three different aggregation modes to implement link aggregation on the three ports between Switch A and Switch B.
  • Page 154

    <Sysname> system-view
    [Sysname] link-aggregation group 1 mode static
    # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] port link-aggregation group 1
    [Sysname-Ethernet1/0/1] quit
    [Sysname] interface Ethernet 1/0/2
    [Sysname-Ethernet1/0/2] port link-aggregation group 1
    [Sysname-Ethernet1/0/2] quit
    [Sysname] interface Ethernet1/0/3
    [Sysname-Ethernet1/0/3] port link-aggregation group 1
    Adopting dynamic LACP aggregation mode...
  • Page 155 Table of Contents 1 Port Isolation Configuration ·····················································································································1-1 Port Isolation Overview ···························································································································1-1 Port Isolation Configuration·····················································································································1-1 Displaying and Maintaining Port Isolation Configuration ········································································1-2 Port Isolation Configuration Example······································································································1-2...
  • Page 156: Port Isolation Configuration

    Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview Port Isolation Configuration Displaying and Maintaining Port Isolation Configuration Port Isolation Configuration Example Port Isolation Overview The port isolation feature is used to secure and add privacy to the data traffic and prevent malicious attackers from obtaining the user information.
  • Page 157: Port Isolation Configuration Example

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 158

    Network diagram
    Figure 1-1 Network diagram for port isolation configuration
    Configuration procedure
    # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface ethernet1/0/2
    [Sysname-Ethernet1/0/2] port isolate
    [Sysname-Ethernet1/0/2] quit
    [Sysname] interface ethernet1/0/3
    [Sysname-Ethernet1/0/3] port isolate
    [Sysname-Ethernet1/0/3] quit...
  • Page 159 Table of Contents 1 Port Security Configuration······················································································································1-1 Port Security Overview····························································································································1-1 Introduction······································································································································1-1 Port Security Features·····················································································································1-1 Port Security Modes ························································································································1-1 Port Security Configuration Task List······································································································1-4 Enabling Port Security ·····················································································································1-5 Setting the Maximum Number of MAC Addresses Allowed on a Port ············································1-5 Setting the Port Security Mode········································································································1-6 Configuring Port Security Features ·································································································1-7 Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode ······························1-8 Ignoring the Authorization Information from the RADIUS Server··················································1-10...
  • Page 160: Port Security Configuration

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Port Security Overview Port Security Configuration Task List Displaying and Maintaining Port Security Configuration Port Security Configuration Examples Port Security Overview Introduction Port security is a security mechanism for network access control. It is an expansion to the current 802.1x and MAC address authentication.
  • Page 161

    Table 1-1 Description of port security modes
    Security mode / Description / Feature
    noRestriction: In this mode, access to the port is not restricted. Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.
    In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses.
  • Page 162

    Security mode / Description / Feature
    userlogin: In this mode, port-based 802.1x authentication is performed for access users. Feature: In this mode, neither NTK nor intrusion protection will be triggered.
    MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds.
  • Page 163: Port Security Configuration Task List

    Security mode / Description / Feature
    macAddressElseUserLoginSecure: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. Feature: In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
  • Page 164: Enabling Port Security

    Task / Remarks
    Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode: Optional
    Ignoring the Authorization Information from the RADIUS Server: Optional
    Configuring Security MAC Addresses: Optional
    Enabling Port Security
    Configuration Prerequisites
    Before enabling port security, you need to disable 802.1x and MAC authentication globally.
    Enabling Port Security
    Follow these steps to enable port security:
    To do...
  • Page 165: Setting The Port Security Mode

    Control the maximum number of users who are allowed to access the network through the port. Control the number of security MAC addresses that can be added with port security. This configuration is different from that of the maximum number of MAC addresses that can be learned by a port in MAC address management.
  • Page 166: Configuring Port Security Features

    Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
  • Page 167: Configuring Guest Vlan For A Port In Macaddressoruserloginsecure Mode

    To do... / Use the command... / Remarks
    Set the timer during which the port remains disabled: port-security timer disableport timer (Optional. 20 seconds by default.)
    The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
  • Page 168 The users of the port can initiate 802.1x authentication. If a user passes authentication, the port leaves the guest VLAN and is added to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication requests. MAC address authentication is also allowed.
  • Page 169: Ignoring The Authorization Information From The Radius Server

    Ignoring the Authorization Information from the RADIUS Server After an 802.1x user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server. Follow these steps to configure a port to ignore the authorization information from the RADIUS server: To do...
  • Page 170

    To do... / Use the command... / Remarks
    Enter system view: system-view
    Add a security MAC address entry (either is required; by default, no security MAC address entry is ...):
      In system view: mac-address security mac-address interface interface-type interface-number vlan vlan-id
      In Ethernet port view: interface interface-type interface-number, then mac-address security mac-address vlan...
  • Page 171: Displaying And Maintaining Port Security Configuration

    Displaying and Maintaining Port Security Configuration
    To do... / Use the command... / Remarks
    Display information about port security configuration: display port-security [ interface interface-list ] (Available in any view)
    Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] (Available in any view)
    Port Security Configuration Examples...
  • Page 172: Guest Vlan Configuration Example

    [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
    # Configure the port to be silent for 30 seconds after intrusion protection is triggered.
    [Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
    [Switch-Ethernet1/0/1] quit
    [Switch] port-security timer disableport 30
    Guest VLAN Configuration Example
    Network requirements
    As shown in Figure 1-2, Ethernet 1/0/2 connects to a PC and a printer, which are not used at the same time.
  • Page 173

    # Configure RADIUS scheme 2000.
    <Switch> system-view
    [Switch] radius scheme 2000
    [Switch-radius-2000] primary authentication 10.11.1.1 1812
    [Switch-radius-2000] primary accounting 10.11.1.1 1813
    [Switch-radius-2000] key authentication abc
    [Switch-radius-2000] key accounting abc
    [Switch-radius-2000] user-name-format without-domain
    [Switch-radius-2000] quit
    # Configure the ISP domain and apply the scheme 2000 to the domain.
    [Switch] domain system
    [Switch-isp-system] scheme radius-scheme 2000
    [Switch-isp-system] quit...
  • Page 174 Table of Contents 1 Port-MAC-IP Binding Configuration ········································································································1-1 Port-MAC-IP Binding Overview···············································································································1-1 Introduction······································································································································1-1 Configuring Port-MAC-IP Binding····································································································1-1 Displaying and Maintaining Port-MAC-IP Binding Configuration ····························································1-2 Port-MAC-IP Binding Configuration Example ·························································································1-2 Port-MAC-IP Binding Configuration Example ·················································································1-2...
  • Page 175: Port-Mac-Ip Binding Configuration

    Port-MAC-IP Binding Configuration When configuring port-MAC-IP binding, go to these sections for information you are interested in: Port-MAC-IP Binding Overview Displaying and Maintaining Port-MAC-IP Binding Configuration Port-MAC-IP Binding Configuration Example Port-MAC-IP Binding Overview Introduction Binding is a simple security mechanism. Through the binding configuration on the switch, you can filter the packets forwarded on the ports.
  • Page 176: Displaying And Maintaining Port-Mac-Ip Binding Configuration

    To do... / Use the command... / Remarks
    Create a port-MAC-IP binding (either is required; by default, no binding entry is configured):
      In system view: am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ]
      In Ethernet port view: interface interface-type interface-number, then am user-bind { ip-addr ip-address | mac-addr mac-address [ ip-addr ip-address ] }...
  • Page 177

    Network diagram
    Figure 1-1 Network diagram for port-MAC-IP binding configuration (diagram labels: Switch A, Eth1/0/1, Switch B, Host A, Host B, 10.12.1.1/24, MAC address: 0001-0002-0003)
    Configuration procedure
    Configure Switch A as follows:
    # Enter system view.
    <SwitchA> system-view
    # Enter Ethernet 1/0/1 port view.
    [SwitchA] interface Ethernet 1/0/1
    # Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.
  • Page 178 Table of Contents 1 DLDP Configuration ··································································································································1-1 Overview ·················································································································································1-1 DLDP Fundamentals·······························································································································1-2 DLDP packets··································································································································1-2 DLDP Status····································································································································1-4 DLDP Timers ···································································································································1-4 DLDP Operating Mode ····················································································································1-5 DLDP Implementation ·····················································································································1-6 DLDP Neighbor State ······················································································································1-8 Link Auto-recovery Mechanism ·······································································································1-8 DLDP Configuration ································································································································1-9 Performing Basic DLDP Configuration ····························································································1-9 Resetting DLDP State ···················································································································1-10 Displaying and Maintaining DLDP·································································································1-10 DLDP Configuration Example ···············································································································1-11...
  • Page 179: Dldp Configuration

    DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: Overview DLDP Fundamentals DLDP Configuration DLDP Configuration Example Overview Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B and the other for sending from B to A, the link is a bidirectional link (two-way link).
  • Page 180: Dldp Fundamentals

    Figure 1-2 Fiber broken or not connected (diagram labels: Device A, GE1/0/49, GE1/0/50; Device B, GE1/0/49, GE1/0/50)
    Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually according to the configurations, to avoid network problems.
  • Page 181

    DLDP packet type / Function
    RSY advertisement packets (referred to as RSY packets hereafter): Advertisement packet with the RSY flag set to 1. RSY-Advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
  • Page 182: Dldp Status

    DLDP Status
    A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
    Table 1-2 DLDP status
    Status / Description
    Initial: Initial status before DLDP is enabled.
    Inactive: DLDP is enabled but the corresponding link is down.
    Active: DLDP is enabled, and the link is up or a neighbor entry is cleared.
    All neighbors communicate normally in both directions, or DLDP...
  • Page 183: Dldp Operating Mode

    Timer / Description
    Entry aging timer: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when...
  • Page 184: Dldp Implementation

    Table 1-4 DLDP operating mode and neighbor entry aging
    DLDP operating mode / Detecting a neighbor after the corresponding neighbor entry ages / Removing the neighbor entry immediately after the Entry timer expires / Triggering the Enhanced timer after an Entry timer expires
    Normal mode: Yes (When the enhanced timer...
  • Page 185

    Table 1-5 DLDP state and DLDP packet type
    DLDP state / Type of the DLDP packets sent
    Active: Advertisement packets, with the RSY flag set or not set.
    Advertisement: Advertisement packets
    Probe: Probe packets
    A DLDP packet received is processed as follows: In authentication mode, the DLDP packet is authenticated and is then dropped if it fails the authentication.
  • Page 186: Dldp Neighbor State

    Table 1-7 Processing procedure when no echo packet is received from the neighbor
    No echo packet received from the neighbor / Processing procedure
    In normal mode, no echo packet is received when the echo waiting timer expires: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
  • Page 187: Dldp Configuration

    DLDP Configuration
    Performing Basic DLDP Configuration
    Follow these steps to perform basic DLDP configuration:
    To do … / Use the command … / Remarks
    Enter system view: system-view
    Enable DLDP (Required): on all optical ports of the switch, dldp enable; or enter Ethernet port view (interface interface-type ...) and enable...
  • Page 188: Resetting Dldp State

    When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
  • Page 189: Dldp Configuration Example

    DLDP Configuration Example Network requirements As shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
  • Page 190

    # Set the DLDP handling mode for unidirectional links to auto.
    [SwitchA] dldp unidirectional-shutdown auto
    # Display the DLDP state.
    [SwitchA] display dldp 1
    When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
  • Page 191 Table of Contents 1 MAC Address Table Management············································································································1-1 Overview ·················································································································································1-1 Introduction to the MAC Address Table ··························································································1-1 Introduction to MAC Address Learning ···························································································1-1 Managing MAC Address Table ·······································································································1-3 MAC Address Table Management··········································································································1-4 MAC Address Table Management Configuration Task List ····························································1-4 Configuring a MAC Address Entry ··································································································1-5 Setting the MAC Address Aging Timer····························································································1-6 Setting the Maximum Number of MAC Addresses a Port Can Learn ·············································1-6...
  • Page 192: Mac Address Table Management

    MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview MAC Address Table Management Displaying MAC Address Table Information Configuration Example This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
  • Page 193 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthernet 1/0/1.
  • Page 194: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the MAC address table.
  • Page 195: Mac Address Table Management

    The MAC address aging timer only takes effect on dynamic MAC address entries. With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
  • Page 196: Configuring A Mac Address Entry

    Task / Remarks: Enabling Destination MAC Address Triggered Update: Optional. Configuring a MAC Address Entry: You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). Adding a MAC address entry in system view: You can add a MAC address entry in either system view or Ethernet port view.
  • Page 197: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 198: Enabling Destination Mac Address Triggered Update

    By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of the MAC address entries the MAC address table can dynamically maintain. When the number of the MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses.
  • Page 199: Configuration Examples

    To do… / Use the command… / Remarks: Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time. Display the configured start port MAC address: display port-mac. Configuration Examples. Adding a Static MAC Address Entry Manually. Network requirements: The server connects to the switch through GigabitEthernet 1/0/2.
  • Page 200 Table of Contents: 1 Auto Detect Configuration (1-1); Introduction to the Auto Detect Function (1-1); Auto Detect Configuration (1-1); Auto Detect Basic Configuration (1-2); Auto Detect Implementation in Static Routing (1-2); Auto Detect Implementation in VRRP (1-3); Auto Detect Implementation in VLAN Interface Backup (1-4); Auto Detect Configuration Examples (1-6); Configuration Example for Auto Detect Implementation with Static Routing (1-6); Configuration Example for Auto Detect Implementation with VRRP (1-6)...
  • Page 201: Auto Detect Configuration

    Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
  • Page 202: Auto Detect Basic Configuration

    Task / Remarks: Auto Detect Implementation in VRRP: Optional. Auto Detect Implementation in VLAN Interface Backup: Optional. Auto Detect Basic Configuration. Follow these steps to configure the auto detect function (To do… / Use the command… / Remarks): Enter system view: system-view (—). Create a detected group and ...: detect-group group-number (Required)...
  • Page 203: Auto Detect Implementation In Vrrp

    The disadvantage of using static routes is that they cannot adapt to network topology changes. If a fault or a topology change occurs to the network, the routes may be unreachable and the network may break. To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route.
  • Page 204: Auto Detect Implementation In Vlan Interface Backup

    Figure 1-1 The uplink of the master switch fails (figure residue: Switch A and Switch B share the Internet uplink with master/backup roles for VLAN 10, gateway 10.1.1.1/24, and VLAN 20, gateway 20.1.1.1/24; the uplink port of Switch A fails). Using VRRP together with the Auto Detect function, you can change the priority of a switch according to the uplink status.
  • Page 205 and thus cannot transmit traffic normally, VLAN-interface 2 takes over to transmit traffic. In this way, the traffic can be transmitted smoothly without interruption. Figure 1-2 Schematic diagram for VLAN interface backup. Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
  • Page 206: Auto Detect Configuration Examples

    Auto Detect Configuration Examples Configuration Example for Auto Detect Implementation with Static Routing Network requirements Create detected group 8 on Switch A; detect the reachability of the IP address 10.1.1.4, with 192.168.1.2 as the next hop, and the detecting number set to 1. On switch A, configure a static route to Switch C.
  • Page 207 Packets sourced from Host A and destined for Host B are forwarded by Switch A under normal conditions. When the connection between Switch A and Switch C fails, Switch B becomes the master in VRRP group 1 automatically and the link from Switch B to Host B, the backup link, is enabled. Network diagram: Figure 1-4 Network diagram for implementing the auto detect function in VRRP. Configuration procedure...
  • Page 208: Configuration Example For Auto Detect Implementation With Vlan Interface Backup

    Configuration Example for Auto Detect Implementation with VLAN Interface Backup Network requirements Make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Switch C are reachable. Create detected group 10 on Switch A to detect the connectivity between Switch B and Switch C. Configure VLAN-interface 1 to be the active interface, which is enabled when the detected group 10 is reachable.
  • Page 209 Table of Contents: 1 MSTP Configuration (1-1); Overview (1-1); Spanning Tree Protocol Overview (1-1); Rapid Spanning Tree Protocol Overview (1-10); Multiple Spanning Tree Protocol Overview (1-10); MSTP Implementation on Switches (1-14); Protocols and Standards (1-15); MSTP Configuration Task List (1-15); Configuring Root Bridge (1-17); Configuring an MST Region (1-17); Specifying the Current Switch as a Root Bridge/Secondary Root Bridge (1-18); Configuring the Bridge Priority of the Current Switch (1-20)...
  • Page 210 Introduction (1-39); Configuring Digest Snooping (1-40); Configuring Rapid Transition (1-41); Introduction (1-41); Configuring Rapid Transition (1-43); Configuring VLAN-VPN Tunnel (1-44); Introduction (1-44); Configuring VLAN-VPN tunnel (1-44); MSTP Maintenance Configuration (1-45); Introduction (1-45); Enabling Log/Trap Output for Ports of MSTP Instance (1-45); Configuration Example (1-45); Enabling Trap Messages Conforming to 802.1d Standard (1-46); Displaying and Maintaining MSTP (1-46); MSTP Configuration Example (1-47); VLAN-VPN Tunnel Configuration Example (1-49)...
  • Page 211: Overview

    MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition Configuring VLAN-VPN Tunnel MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example...
  • Page 212 In the narrow sense, STP refers to IEEE 802.1d STP; in the broad sense, STP refers to the IEEE 802.1d STP and various enhanced spanning tree protocols derived from that protocol. Protocol Packets of STP STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets.
  • Page 213 A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 5500-EI is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
  • Page 214 Port. Port ID A port ID used on a 3Com switch 5500-EI consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 5500-EI is 128. You can use commands to configure port priorities.
  • Page 215 Upon initialization of a device, each device generates a BPDU with itself as the root bridge, in which the root path cost is 0, designated bridge ID is the device ID, and the designated port is the local port. Selection of the optimum configuration BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.
  • Page 216 Step Description Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the rest ports. The root bridge ID is replaced with that of the configuration BPDU of the root port.
  • Page 217 The following table shows the initial state of each device.
    Table 1-4 Initial state of each device
    Device     Port name   BPDU of port
    Device A   AP1         {0, 0, 0, AP1}
               AP2         {0, 0, 0, AP2}
    Device B   BP1         {1, 0, 1, BP1}
               BP2         {1, 0, 1, BP2}
    Device C   CP1         {2, 0, 2, CP1}
               CP2         {2, 0, 2, CP2}...
  • Page 218 (Table columns: Device / Comparison process / BPDU of port after comparison.) Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 219 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
  • Page 220: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 221 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
  • Page 222 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 223 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 224: Mstp Implementation On Switches

    STP and RSTP and use them for their respective spanning tree calculation. The 3Com switches 5500-EI support MSTP. After MSTP is enabled on a switch 5500-EI, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol,...
  • Page 225: Protocols And Standards

    In addition to the basic MSTP functions, the 3Com Switch 5500-EI also provides the following functions for users to manage their switches: root bridge hold; root bridge backup; root guard; BPDU guard; loop guard; TC-BPDU attack guard; BPDU packet drop. Protocols and Standards: MSTP is documented in IEEE 802.1D: spanning tree protocol...
  • Page 226 Task / Remarks: Configuring the Timeout Time Factor: Optional. Configuring the Maximum Transmitting Rate on the Current Port: Optional; the default value is recommended. Configuring the Current Port as an Edge Port: Optional. Setting the Link Type of a Port to P2P: Optional. Required: To prevent network topology jitter...
  • Page 227: Configuring Root Bridge

    Configuring Root Bridge. Configuring an MST Region. Configuration procedure: Follow these steps to configure an MST region (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter MST region view: stp region-configuration (—). Configure the name of the MST region: region-name name (Required; the default MST region name of a region...)
  • Page 228: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 5500-EI support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
  • Page 229 Specify the current switch as the secondary root bridge of a spanning tree. Follow these steps to specify the current switch as the secondary root bridge of a spanning tree (To do... / Use the command... / Remarks): Enter system view: system-view (—). Specify the current switch as ...: stp [ instance instance-id ] root ...
  • Page 230: Configuring The Bridge Priority Of The Current Switch

    Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
  • Page 231: Configuring The Mstp Operation Mode

    To do... / Use the command... / Remarks: Configure how a port recognizes and sends MSTP packets: stp interface interface-list compliance { auto | dot1s | legacy } (Required). By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of packets to be sent according to the...
  • Page 232: Configuring The Maximum Hop Count Of An Mst Region

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Configure the MSTP operation mode: stp mode { stp | rstp | mstp } (Required; an MSTP-enabled switch operates in the MSTP mode by default).
    Configuration example
    # Specify the MSTP operation mode as STP-compatible.
    <Sysname>...
  • Page 233: Configuring The Network Diameter Of The Switched Network

    Configuring the Network Diameter of the Switched Network In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches;...
  • Page 234 To do... / Use the command... / Remarks: Configure the max age parameter: stp timer max-age centiseconds (Required; the max age parameter defaults to 2,000 centiseconds, namely 20 seconds). All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
  • Page 235: Configuring The Timeout Time Factor

    Configuring the Timeout Time Factor. When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from the root bridge to its neighboring devices at the interval specified by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch as faulty if it does not receive any BPDU from the upstream switch within a period of three times the hello time, and then initiates the spanning tree recalculation process.
  • Page 236: Configuring The Current Port As An Edge Port

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Configure the maximum transmitting rate: stp transmit-limit packetnum (Required; the maximum transmitting rate of all Ethernet ports on a switch defaults to 10). As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources.
  • Page 237: Setting The Link Type Of A Port To P2P

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Configure the port as an edge port: stp edged-port enable (Required; by default, all the Ethernet ports of a switch are non-edge ports). On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.
  • Page 238: Enabling Mstp

    Setting the Link Type of a Port to P2P in Ethernet port view Follow these steps to specify whether the link connected to a port is point-to-point link in Ethernet port view: To do... Use the command... Remarks Enter system view —...
  • Page 239: Configuring Leaf Nodes

    To do... / Use the command... / Remarks: Disable MSTP on specified ports: stp interface interface-list disable (Optional; by default, MSTP is enabled on all ports). To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
  • Page 240: Configuring The Timeout Time Factor

    Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port. Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port.
  • Page 241 (Path cost table; cells not present in the excerpt are marked "…".)
    Rate         Operation mode (half-/full-duplex)   Latency   802.1D-1998 standard   IEEE 802.1t
    1,000 Mbps   Full-duplex                          …         …                      20,000
                 Aggregated link 2 ports              …         …                      10,000
                 Aggregated link 3 ports              …         …                      6,666
                 Aggregated link 4 ports              …         …                      5,000
    10 Gbps      Full-duplex                          …         …                      2,000
                 Aggregated link 2 ports              …         …                      1,000
                 Aggregated link 3 ports              …         …                      …
                 Aggregated link 4 ports              …         …                      …
    Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
  • Page 242: Configuring Port Priority

    Perform this configuration in system view:
    <Sysname> system-view
    [Sysname] stp interface Ethernet 1/0/1 instance 1 cost 2000
    Perform this configuration in Ethernet port view:
    <Sysname> system-view
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp instance 1 cost 2000
    Configuration example (B)
    # Configure the path cost of Ethernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
  • Page 243: Setting The Link Type Of A Port To P2P

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Configure port priority for the port: stp [ instance instance-id ] port priority priority (Required; the default port priority is 128). Changing the port priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port.
  • Page 244: Configuration Procedure

    Configuration Procedure You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view: To do... Use the command... Remarks Enter system view —...
  • Page 245: Configuring Root Guard

    <Sysname> system-view
    [Sysname] stp bpdu-protection
    As Gigabit ports of a 3Com switch 5500-EI cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
  • Page 246 forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period. It is recommended to enable root guard on the designated ports of a root bridge. Loop guard, root guard, and edge port settings are mutually exclusive.
  • Page 247: Configuring Loop Guard

    Configuring Loop Guard. A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port;...
  • Page 248: Configuring Bpdu Dropping

    period, the switch may be busy removing MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth, and increase switch CPU utilization. With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time.
  • Page 249: Configuring Digest Snooping

    MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com switch 5500-EI is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
  • Page 250: Configuring Digest Snooping

    The digest snooping function is not applicable to edge ports. Configuring Digest Snooping Configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs.
  • Page 251: Configuring Rapid Transition

    When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
  • Page 252 3Com switch 5500-EI running MSTP, the upstream designated port fails to change its state rapidly. The rapid transition feature is developed to resolve this problem. When a 3Com switch 5500-EI running MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the switch 5500-EI operating as the downstream switch.
  • Page 253: Configuring Rapid Transition

    Configuration prerequisites As shown in Figure 1-8, a 3Com switch 5500-EI is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
  • Page 254: Configuring Vlan-Vpn Tunnel

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, through which spanning trees can be generated across these customer networks and are independent of those of the service provider network.
  • Page 255: Mstp Maintenance Configuration

    To do... / Use the command... / Remarks: Enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel (Required; the VLAN-VPN tunnel function is disabled by default). Enter Ethernet port view: interface interface-type interface-number (make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...)
  • Page 256: Enabling Trap Messages Conforming To 802.1D Standard

    <Sysname> system-view
    [Sysname] stp instance 1 portlog
    # Enable log/trap output for the ports of all instances.
    <Sysname> system-view
    [Sysname] stp portlog all
    Enabling Trap Messages Conforming to 802.1d Standard. A switch sends trap messages conforming to the 802.1d standard to the network management device in the following two cases: The switch becomes the root bridge of an instance.
  • Page 257: Mstp Configuration Example

    MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
  • Page 258
    # Specify Switch A as the root bridge of MSTI 1.
    [Sysname] stp instance 1 root primary
    Configure Switch B
    # Enter MST region view.
    <Sysname> system-view
    [Sysname] stp region-configuration
    # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
    [Sysname-mst-region] region-name example
    [Sysname-mst-region] instance 1 vlan 10
    [Sysname-mst-region] instance 3 vlan 30...
  • Page 259: Vlan-Vpn Tunnel Configuration Example

    Network requirements Switch C and Switch D are the access devices for the service provider network. The 3Com switches 5500-EI operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram.
  • Page 260
    [Sysname] vlan-vpn tunnel
    # Add GigabitEthernet 1/0/1 to VLAN 10.
    [Sysname] vlan 10
    [Sysname-Vlan10] port GigabitEthernet 1/0/1
    [Sysname-Vlan10] quit
    # Enable the VLAN VPN function on GigabitEthernet 1/0/1.
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] port access vlan 10
    [Sysname-GigabitEthernet1/0/1] vlan-vpn enable
    [Sysname-GigabitEthernet1/0/1] quit
    # Configure GigabitEthernet 1/0/2 as a trunk port.
  • Page 261 Table of Contents: 1 IP Routing Protocol Overview (1-1); Introduction to IP Route and Routing Table (1-1); IP Route (1-1); Routing Table (1-1); Routing Protocol Overview (1-3); Static Routing and Dynamic Routing (1-3); Classification of Dynamic Routing Protocols (1-3); Routing Protocols and Routing Priority (1-4); Load Sharing and Route Backup (1-4); Routing Information Sharing (1-5); Displaying and Maintaining a Routing Table (1-5)...
  • Page 262 4 OSPF Configuration ··································································································································4-1 OSPF Overview ······································································································································4-1 Introduction to OSPF ·······················································································································4-1 OSPF Route Calculation ·················································································································4-2 Basic OSPF Concepts·····················································································································4-2 OSPF Area Partition and Route Summarization ·············································································4-4 OSPF Network Type······················································································································4-10 DR/BDR·········································································································································4-10 OSPF Features······························································································································4-12 OSPF Configuration Task List ··············································································································4-12 Basic OSPF Configuration ····················································································································4-13 Configuration Prerequisites ···········································································································4-13 Basic OSPF Configuration ············································································································4-13 OSPF Area Attribute Configuration·······································································································4-15...
  • Page 263 5 IP Route Policy Configuration··················································································································5-1 IP Route Policy Overview ·······················································································································5-1 Introduction to IP Route Policy ········································································································5-1 Filters ···············································································································································5-1 IP Route Policy Configuration Task List··································································································5-2 Route Policy Configuration ·····················································································································5-3 Configuration Prerequisites ·············································································································5-3 Defining a Route Policy ···················································································································5-4 Defining if-match Clauses and apply Clauses·················································································5-4 IP-Prefix Configuration ····························································································································5-5 Configuration Prerequisites ·············································································································5-6 Configuring an ip-prefix list··············································································································5-6...
  • Page 264: IP Routing Protocol Overview

    IP Routing Protocol Overview
    Go to these sections for information you are interested in:
    Introduction to IP Route and Routing Table
    Routing Protocol Overview
    Displaying and Maintaining a Routing Table
    Introduction to IP Route and Routing Table
    IP Route
    Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router.
  • Page 265
    Interface: Indicates through which interface IP packets should be forwarded to the destination.
    Nexthop: Indicates the next router that IP packets will pass through to reach the destination.
    Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes.
  • Page 266: Routing Protocol Overview

    Routing Protocol Overview
    Static Routing and Dynamic Routing
    Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must perform the routing configuration again whenever the network topology changes.
  • Page 267: Routing Protocols and Routing Priority

    Routing Protocols and Routing Priority
    Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol can uniquely determine the current optimal route to the destination. For the purpose of route selection, each routing protocol (including static routes) is assigned a priority.
  • Page 268: Routing Information Sharing

    Under normal circumstances, packets are forwarded through the primary route. When the primary route goes down, the route with the highest priority among the backup routes is selected to forward packets. When the primary route recovers, the route selection process is performed again and the primary route is selected again to forward packets.
  • Page 269: Static Route Configuration

    Static Route Configuration
    When configuring a static route, go to these sections for information you are interested in:
    Introduction to Static Route
    Static Route Configuration
    Displaying and Maintaining Static Routes
    Static Route Configuration Example
    Troubleshooting a Static Route
    The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 270: Default Route

    Blackhole route: route with blackhole attribute. If a static route destined for a destination has the blackhole attribute, the outgoing interface of this route is the Null 0 interface regardless of the next hop address, and all the IP packets addressed to this destination will be dropped without notifying the source hosts.
  • Page 271: Displaying And Maintaining Static Routes

    Use the ip route-static command to configure a default route by setting the destination IP address and the mask to 0.0.0.0. Avoid configuring the next hop address of a static route to the address of an interface on the local switch.
  • Page 272
    Figure 2-1 Network diagram for static route configuration (Host A, Host B, Host C, Switch A, Switch B and Switch C; interface addresses shown in the figure)
    Configuration procedure
    When only one interface of the device is interconnected with another network segment, you can implement network communication by configuring either a static route or a default route.
  • Page 273: Troubleshooting A Static Route

    # Configure static routes on Switch C.
    <SwitchC> system-view
    [SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
    [SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
    Perform the following configurations on the host.
    # Set the default gateway address of Host A to 1.1.5.1. Detailed configuration procedure is omitted.
    # Set the default gateway address of Host B to 1.1.4.1.
  • Page 274: RIP Configuration

    RIP Configuration
    When configuring RIP, go to these sections for information you are interested in:
    RIP Overview
    RIP Configuration Task List
    RIP Configuration Example
    Troubleshooting RIP Configuration
    The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 275: RIP Startup and Operation

    Next hop: IP address of an interface on the adjacent router that IP packets should pass through to reach the destination.
    Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
    Metric: Cost from the local router to the destination.
    Route time: Time elapsed since the routing entry was last updated.
  • Page 276: RIP Configuration Task List

    RIP Configuration Task List
    Complete the following tasks to configure RIP (Task: Remarks):
    Configuring Basic RIP Functions:
    Enabling RIP on the interfaces attached to a specified network segment: Required
    Setting the RIP operating status on an interface: Optional
    Specifying the RIP version on an interface: Optional
    Setting the additional routing metrics of an interface: Optional...
  • Page 277
    To do: Enable RIP on the specified interface
    Use the command: network network-address
    Remarks: Required. Disabled by default.
    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
  • Page 278: RIP Route Control

    RIP Route Control
    In actual implementation, it may be needed to control RIP routing information more accurately to accommodate complex network environments. By performing the configuration described in the following sections, you can:
    Control route selection by adjusting additional routing metrics on interfaces running RIP.
    Reduce the size of the routing table by setting route summarization and disabling the receiving of host routes.
  • Page 279
    The rip metricout command takes effect only on the RIP routes learnt by the router and the RIP routes generated by the router itself; the command has no effect on any route imported into RIP from other routing protocols.
    Configuring RIP route summarization
    RIP route summarization means that when the router advertises RIP updates, different subnet routes in the same natural network segment can be aggregated into one route with a natural mask for transmission to another network segment.
  • Page 280
    Follow these steps to configure RIP to filter incoming/outgoing routes (To do: Use the command; Remarks):
    Enter system view: system-view
    Enter RIP view: rip
    Configure RIP to filter incoming routes: filter-policy { acl-number | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import (Required. By default, RIP does not filter any incoming route.)...
  • Page 281: RIP Network Adjustment and Optimization

    (To do: Use the command; Remarks)
    Enter system view: system-view
    Enter RIP view: rip
    Enable load sharing among RIP interfaces: traffic-share-across-interf (Required. Disabled by default.)
    Configuring RIP to redistribute routes from another protocol
    Follow these steps to configure RIP to import routes from another protocol:
    To do...
  • Page 282
    (To do: Use the command; Remarks)
    Enter system view: system-view
    Enter RIP view: rip
    Set the RIP timers: timers { update update-timer | timeout timeout-timer } * (Required. By default, the Update timer is 30 seconds and the Timeout timer 180 seconds.)
    When configuring the values of RIP timers, you should take network performance into consideration and perform consistent configuration on all routers running RIP to avoid unnecessary network traffic and network route oscillation.
  • Page 283
    Some fields in a RIP-1 packet must be 0; they are known as must-be-zero fields. For RIP-1, the must-be-zero field is checked for incoming packets, and RIP-1 packets with a nonzero value in this field will not be processed.
    Setting RIP-2 packet authentication mode
    RIP-2 supports two authentication modes: simple authentication and message digest 5 (MD5) authentication.
  • Page 284: Displaying and Maintaining RIP Configuration

    Displaying and Maintaining RIP Configuration
    (To do: Use the command; Remarks)
    Display the current RIP running status and configuration information: display rip (Available in any view)
    Display RIP interface information: display rip interface (Available in any view)
    Display RIP routing information: display rip routing (Available in any view)
    Reset the system configuration related to RIP: reset... (Available in RIP view)
  • Page 285: Troubleshooting RIP Configuration

    Configuration procedure
    Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly.
    Configure Switch A:
    # Configure RIP.
    <SwitchA> system-view
    [SwitchA] rip
    [SwitchA-rip] network 110.11.2.0
    [SwitchA-rip] network 155.10.1.0...
  • Page 287: OSPF Configuration

    OSPF Configuration
    When configuring OSPF, go to these sections for information you are interested in:
    OSPF Overview
    OSPF Configuration Task List
    Displaying and Maintaining OSPF Configuration
    OSPF Configuration Examples
    Troubleshooting OSPF Configuration
    The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 288: OSPF Route Calculation

    OSPF Route Calculation
    Taking no account of area partition, the routing calculation process of the OSPF protocol is as follows:
    Each OSPF-supported router maintains a link state database (LSDB), which describes the topology of the whole AS.
    According to the network topology around itself, each router generates a link state advertisement (LSA).
  • Page 289
    Hello packet: Hello packets are the most commonly used OSPF packets; they are periodically sent by a router to its neighbors. A Hello packet contains the values of some timers, the DR, the BDR and known neighbors.
    DD packet: When two routers synchronize their databases, they use database description (DD) packets to describe their own LSDBs, including the summary of each LSA.
  • Page 290: OSPF Area Partition and Route Summarization

    Type-7 LSAs can only be advertised in an NSSA area. When Type-7 LSAs reach an ABR, the ABR can convert part of the routing information carried in the Type-7 LSAs into Type-5 LSAs and advertise the Type-5 LSAs. Type-7 LSAs are not directly advertised to other areas (including the backbone area).
  • Page 291
    Figure 4-1 OSPF area partition
    On the border of an area is a router which belongs to different areas. After area partition, area border routers perform route summarization to reduce the number of LSAs advertised to other areas and minimize the effect of topology changes.
    Classification of routers
    The OSPF router falls into four types according to its position in the AS:
    Internal router...
  • Page 292
    Figure 4-2 OSPF router types (ASBR, backbone router and internal router across Area 0 to Area 4)
    Type-7 LSAs translator
    A Type-7 LSAs translator takes effect on an ABR. The state of the Type-7 LSAs translator determines whether the ABR needs to translate Type-7 LSAs into Type-5 LSAs.
  • Page 293
    In the following figure, Area 2 has no direct physical link to the backbone area 0. Configuring a virtual link between ABRs can connect Area 2 to the backbone area.
    Figure 4-3 Virtual link application 1
    Another application of virtual links is to provide redundant links. If the backbone area cannot maintain internal connectivity due to a physical link failure, configuring a virtual link can guarantee logical connectivity in the backbone area, as shown below.
  • Page 294
    A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area. Virtual links cannot transit (totally) stub areas.
    NSSA area
    Similar to a stub area, an NSSA area imports no AS external LSA (Type-5 LSA) but can import Type-7 LSAs that are generated by the ASBR and distributed throughout the NSSA area.
  • Page 295
    Figure 4-6 Route summarization
    OSPF has two types of route summarization:
    ABR route summarization
    To distribute routing information to other areas, an ABR generates Type-3 LSAs on a per network segment basis for an attached non-backbone area. If contiguous network segments are available in the area, you can summarize them with a single network segment.
  • Page 296: OSPF Network Type

    OSPF Network Type
    Four OSPF network types
    OSPF divides networks into four types by link layer protocols:
    Broadcast: If Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast. In a broadcast network, protocol packets are sent in multicast (224.0.0.5 and 224.0.0.6) by default.
    Non-broadcast multi-access (NBMA): If Frame Relay, ATM, or X.25 is adopted, OSPF defaults the network type to NBMA.
  • Page 297 solve this problem, DR is defined in OSPF so that all routers send information to the DR only and the DR broadcasts the network link states in the network. If the DR fails, a new DR must be elected and synchronized with the other routers on the network. The process takes quite a long time;...
  • Page 298: OSPF Features

    DR is based on the router interfaces in a certain segment. A router may be a DR on an interface and a BDR or DR Other on another interface. The priority of a router affects the DR and BDR election. However, it has no effect on the election after the DR and BDR election ends.
  • Page 299: Basic OSPF Configuration

    (Task: Remarks)
    Configuring OSPF Route Priority: Optional
    Configuring the Maximum Number of OSPF ECMP Routes: Optional
    Configuring OSPF to Redistribute External Routes: Optional
    Configuring OSPF Timers: Optional
    Configuring the LSA transmission delay: Optional
    Configuring the SPF Calculation Interval: Optional
    Disabling OSPF Packet Transmission on an Interface: Optional
    OSPF Network Adjustment and...
  • Page 300
    packet exchange between an OSPF process and other routers. Therefore, packets can be exchanged between routers with different OSPF process IDs.
    Configuring an area and the network segments in the area
    You need to plan areas in an AS before performing the corresponding configurations on each router.
  • Page 301: OSPF Area Attribute Configuration

    OSPF Area Attribute Configuration
    Area partition in OSPF reduces the number of LSAs in the network and enhances OSPF scalability. To further reduce routing table size and the number of LSAs in some non-backbone areas on the edge of the AS, you can configure these areas as stub areas. A stub area cannot redistribute any external route.
  • Page 302: OSPF Network Type Configuration

    (To do: Use the command; Remarks)
    Create and configure a virtual link: vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | ... (Optional. For a virtual link to take effect, you need to use this command at both ends of the virtual link and ensure consistent configurations of the...)
  • Page 303: Configuring an NBMA/P2MP Neighbor

    (To do: Use the command; Remarks)
    Enter interface view: interface interface-type interface-number
    Configure the network type of the OSPF interface: ospf network-type { broadcast | nbma | p2mp [ unicast ] | p2p } (Required. By default, the network type of an interface depends on the physical interface.)
  • Page 304: Configuring the DR Priority on an OSPF Interface

    Configuring the DR Priority on an OSPF Interface
    You can control the DR/BDR election on a broadcast or NBMA network by configuring the DR priorities of interfaces.
    Follow these steps to configure the DR priority on an OSPF interface:
    To do... Use the command...
  • Page 305: Configuring OSPF to Filter Received Routes

    Configuring ASBR route summarization for imported routes.
    Follow these steps to configure ABR route summarization (To do: Use the command; Remarks):
    Enter system view: system-view
    Enter OSPF view: ospf [ process-id [ router-id router-id ] ]
    Enter area view: area area-id...
  • Page 306: Configuring the OSPF Cost on an Interface

    Configuring the OSPF Cost on an Interface
    Follow these steps to configure the OSPF cost on an interface (To do: Use the command; Remarks):
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Configure the OSPF cost on the interface: ospf cost value (Required. By default, a VLAN interface on the...)
  • Page 307: Configuring OSPF to Redistribute External Routes

    Configuring OSPF to Redistribute External Routes
    Follow these steps to configure OSPF to redistribute external routes (To do: Use the command; Remarks):
    Enter system view: system-view
    Enter OSPF view: ospf [ process-id [ router-id router-id ] ]
    Configure OSPF to redistribute external routes: import-route protocol [ process-id ] (Required. By default, OSPF does not...)
  • Page 308: Configuration Prerequisites

    By adjusting the SPF calculation interval, you can mitigate the resource consumption caused by frequent network changes. In a network with high security requirements, you can enable OSPF authentication to enhance OSPF network security. In addition, OSPF supports network management. You can bind the OSPF MIB to an OSPF process and configure the Trap message transmission and logging functions.
  • Page 309: Configuring the LSA Transmission Delay

    Default Hello and Dead timer values will be restored once the network type is changed. Do not set an LSA retransmission interval that is too short. Otherwise, unnecessary retransmission will occur. LSA retransmission interval must be greater than the round trip time of a packet between two routers.
  • Page 310: Disabling OSPF Packet Transmission on an Interface

    (To do: Use the command; Remarks)
    Configure the SPF calculation interval: spf-schedule-interval interval (Required. 5 seconds by default.)
    Disabling OSPF Packet Transmission on an Interface
    To prevent OSPF routing information from being acquired by the routers on a certain network, use the silent-interface command to disable OSPF packet transmission on the corresponding interface.
  • Page 311: Configuring the MTU Field in DD Packets

    (To do: Use the command; Remarks)
    Return to OSPF view: quit
    Return to system view: quit
    Enter interface view: interface interface-type interface-number
    Configure the authentication mode of the OSPF interface: ospf authentication-mode { simple password | md5 key-id key } (Optional. By default, OSPF packets are not authenticated on an...)
  • Page 312: Configuring OSPF Network Management

    (To do: Use the command; Remarks)
    Enter OSPF view: ospf [ process-id [ router-id router-id ] ]
    Enable the OSPF logging of neighbor state changes: log-peer-change (Required. Disabled by default.)
    Configuring OSPF Network Management
    Follow these steps to configure OSPF network management (NM):
    To do...
  • Page 313: OSPF Configuration Examples

    (To do: Use the command; Remarks)
    Display OSPF routing table: display ospf [ process-id ] routing
    Display OSPF virtual links: display ospf [ process-id ] vlink
    Display OSPF request list: display ospf [ process-id ] request-queue
    Display OSPF retransmission list: display ospf [ process-id ] retrans-queue
    Display the information about ...: display ospf [ process-id ] abr-asbr...
  • Page 314
    Switch D Vlan-int1 196.1.1.4/24 4.4.4.4
    Configuration procedure
    # Configure Switch A.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] ospf dr-priority 100
    [SwitchA-Vlan-interface1] quit
    [SwitchA] router id 1.1.1.1
    [SwitchA] ospf
    [SwitchA-ospf-1] area 0
    [SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
    # Configure Switch B.
  • Page 315: Configuring OSPF Virtual Link

    On Switch A, run the display ospf peer command to display its OSPF peers. Note that Switch A has three peers. The state of each peer is full, which means that adjacency is established between Switch A and each peer. Switch A and Switch C must establish adjacencies with all the switches on the network so that they can serve as the DR and BDR respectively on the network.
  • Page 316
    Network diagram
    Figure 4-9 Network diagram for OSPF virtual link configuration
    (Device: Interface, IP address, Router ID)
    Switch A: Vlan-int1 196.1.1.1/24, router ID 1.1.1.1
    Switch B: Vlan-int1 196.1.1.2/24 and Vlan-int2 197.1.1.2/24, router ID 2.2.2.2
    Switch C: Vlan-int1 152.1.1.1/24 and Vlan-int2 197.1.1.1/24, router ID 3.3.3.3
    Configuration procedure
    # Configure Switch A.
    <SwitchA>...
  • Page 317: Troubleshooting OSPF Configuration

    [SwitchB] ospf
    [SwitchB-ospf-1] area 0
    [SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.0] quit
    [SwitchB-ospf-1] area 1
    [SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
    # Configure Switch C.
    <SwitchC> system-view
    [SwitchC] interface Vlan-interface 1
    [SwitchC-Vlan-interface1] ip address 152.1.1.1 255.255.255.0
    [SwitchC-Vlan-interface1] quit
    [SwitchC] interface Vlan-interface 2
    [SwitchC-Vlan-interface2] ip address 197.1.1.1 255.255.255.0
    [SwitchC-Vlan-interface2] quit
    [SwitchC] router id 3.3.3.3...
  • Page 318: Unable to Learn a Complete Network Topology

    Use the display ip interface brief command to verify that the link layer works normally.
    Use the ping command to check network layer connectivity.
    Use the display ospf interface command to view the OSPF interface configuration.
    If the network type of an interface is NBMA, use the display current-configuration configuration ospf command to verify that a neighbor is specified for the router.
  • Page 319: IP Route Policy Configuration

    IP Route Policy Configuration
    When configuring an IP route policy, go to these sections for information you are interested in:
    IP Route Policy Overview
    IP Route Policy Configuration Task List
    Displaying IP Route Policy
    IP Route Policy Configuration Example
    Troubleshooting IP Route Policy
    The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 320: IP Route Policy Configuration Task List

    You can specify a range of IP addresses or subnets when defining an ACL so as to match the destination network addresses or next-hop addresses in routing information. You can reference an ACL into a route policy to filter routing information. For ACL configuration, refer to the part discussing ACL.
  • Page 321: Route Policy Configuration

    Route Policy Configuration
    A route policy is used to match given routing information or some attributes of routing information and change the attributes of the routing information if the conditions are met. The above-mentioned filtering lists can serve as the match conditions.
    A route policy can comprise multiple nodes and each node comprises:
    if-match clause: Defines matching rules;...
  • Page 322: Defining A Route Policy

    Defining a Route Policy
    Follow these steps to define a route policy (To do: Use the command; Remarks):
    Enter system view: system-view
    Define a route policy and enter the route policy view: route-policy route-policy-name { permit | deny } node node-number (Required. Not defined by default.)
    The permit argument specifies the matching mode for a defined node in the route policy to be in permit mode.
  • Page 323: IP-Prefix Configuration

    (To do: Use the command; Remarks)
    Define a rule to match the next-hop interface of routing information: if-match interface interface-type interface-number (Optional. By default, no matching is performed on the next-hop interface of routing information.)
    Define a rule to match the next-hop address of ...: if-match ip next-hop { acl ... (Optional. By default, no matching is performed on...)
  • Page 324: Configuration Prerequisites

    Configuration Prerequisites
    Before configuring a filter list, prepare the following data:
    IP-prefix name
    Range of addresses to be matched
    Configuring an ip-prefix list
    An IP-prefix list is identified by its IP-prefix list name. Each IP-prefix list can comprise multiple entries. Each entry can independently specify a match range in the form of a network prefix and is identified by an index-number.
  • Page 325: IP Route Policy Configuration Example

    IP Route Policy Configuration Example
    Configuring to Filter Received Routing Information
    Network requirements
    Switch A communicates with Switch B. OSPF protocol is enabled on both switches. The router ID of Switch A is 1.1.1.1 and that of Switch B is 2.2.2.2. Configure three static routes and enable OSPF on Switch A.
  • Page 326
    [SwitchA] ospf
    [SwitchA-ospf-1] area 0
    [SwitchA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
    [SwitchA-ospf-1-area-0.0.0.0] quit
    [SwitchA-ospf-1] quit
    # Configure an ACL.
    [SwitchA] acl number 2000
    [SwitchA-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255
    [SwitchA-acl-basic-2000] rule permit source any
    [SwitchA-acl-basic-2000] quit
    # Configure a route policy.
    [SwitchA] route-policy ospf permit node 10
    [SwitchA-route-policy] if-match acl 2000
    [SwitchA-route-policy] quit
    # Apply the route policy when the static routes are imported.
  • Page 327: Controlling RIP Packet Cost to Implement Dynamic Route Backup

    20.0.0.0/8 Type2 10.0.0.1 1.1.1.1
    40.0.0.0/8 Type2 10.0.0.1 1.1.1.1
    Total Nets: 3
    Intra Area: 1 Inter Area: 0 ASE: 2 NSSA: 0
    Controlling RIP Packet Cost to Implement Dynamic Route Backup
    Network requirements
    The required speed of convergence in the small network of a company is not high. The network provides two services.
  • Page 328
    Host 192.168.0.9/24
    Configuration considerations
    According to the network requirements, select RIP. For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
  • Page 329
    [SwitchC-route-policy] if-match interface Vlan-interface2
    [SwitchC-route-policy] if-match ip-prefix 1
    [SwitchC-route-policy] apply cost 5
    [SwitchC-route-policy] quit
    # Create node 20 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 2 and prefix list 2.
    [SwitchC] route-policy in permit node 20
    [SwitchC-route-policy] if-match interface Vlan-interface2
    [SwitchC-route-policy] if-match ip-prefix 2...
  • Page 330: Troubleshooting IP Route Policy

    2.0.0.0/8 DIRECT 2.2.2.2 Vlan-interface2
    2.2.2.2/32 DIRECT 127.0.0.1 InLoopBack0
    3.0.0.0/8 6.6.6.5 Vlan-interface6
    6.0.0.0/8 DIRECT 6.6.6.6 Vlan-interface6
    6.6.6.6/32 DIRECT 127.0.0.1 InLoopBack0
    127.0.0.0/8 DIRECT 127.0.0.1 InLoopBack0
    127.0.0.1/32 DIRECT 127.0.0.1 InLoopBack0
    192.168.0.0/24 DIRECT 192.168.0.39 Vlan-interface1
    192.168.0.39/32 DIRECT 127.0.0.1 InLoopBack0
    Display the data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
  • Page 331
    Analysis
    The route policy cannot filter routing information correctly in the following two cases:
    All nodes in the route policy are in the deny mode.
    All entries in the IP-prefix list are in the deny mode.
    Solution
    Use the display ip ip-prefix command to display the configuration of the IP-prefix list.
    Use the display route-policy command to display the configuration of the route policy.
  • Page 332: Route Capacity Configuration

    Route Capacity Configuration
    When configuring route capacity, go to these sections for information you are interested in:
    Route Capacity Configuration Overview
    Route Capacity Limitation Configuration
    Displaying and Maintaining Route Capacity Limitation Configuration
    The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 333: Route Capacity Limitation

    Route Capacity Limitation
    Huge routing tables are usually caused by OSPF route entries. Therefore, the route capacity limitation of a switch applies only to OSPF routes, not to static routes and RIP routes. The route capacity limitation is implemented by controlling the size of the free memory of the switch. When the free memory of the switch is equal to or lower than the lower limit, OSPF connections will be disconnected and OSPF routes will be removed from the routing table.
  • Page 334: Displaying And Maintaining Route Capacity Limitation Configuration

    Enable automatic protocol recovery: memory auto-establish enable (Optional; enabled by default)
    Follow these steps to disable automatic protocol recovery:
    Enter system view: system-view
    Disable automatic protocol recovery: memory auto-establish disable (Optional)...
  • Page 335 Table of Contents 1 Multicast Overview ······································································································································· 1 Multicast Overview ····································································································································· 1 Information Transmission in the Unicast Mode ·················································································· 1 Information Transmission in the Broadcast Mode·············································································· 2 Information Transmission in the Multicast Mode················································································ 3 Roles in Multicast ······························································································································· 3 Common Notations in Multicast·········································································································· 4 Advantages and Applications of Multicast··························································································...
  • Page 336 Displaying and Maintaining IGMP············································································································ 12 4 PIM Configuration········································································································································· 1 PIM Overview············································································································································· 1 Introduction to PIM-DM······················································································································· 2 How PIM-DM Works ··························································································································· 2 Introduction to PIM-SM······················································································································· 4 How PIM-SM Works ··························································································································· 5 Configuring PIM-DM································································································································· 10 Enabling PIM-DM ····························································································································· 10 Configuring PIM-SM································································································································· 10 Enabling PIM-SM······························································································································...
  • Page 337 Displaying and Maintaining MSDP··········································································································· 14 MSDP Configuration Example ················································································································· 15 Anycast RP Configuration ················································································································ 15 Troubleshooting MSDP Configuration ····································································································· 18 MSDP Peer Always in the Down State····························································································· 18 No SA Entry in the SA Cache of the Router·····················································································18 6 IGMP Snooping Configuration ···················································································································· 1 IGMP Snooping Overview··························································································································...
  • Page 338: Multicast Overview

    Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
  • Page 339: Information Transmission In The Broadcast Mode

    Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
  • Page 340: Information Transmission In The Multicast Mode

    Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring the information is uncertain, neither unicast nor broadcast is efficient. Multicast solves this problem.
  • Page 341: Common Notations In Multicast

    All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 342: Advantages And Applications Of Multicast

    Advantages and Applications of Multicast Advantages of multicast Advantages of multicast include: Enhanced efficiency: Multicast decreases network traffic and reduces server load and CPU load. Optimal performance: Multicast reduces redundant traffic. Distributive application: Multicast makes multiple-point application possible. Application of multicast The multicast technology effectively addresses the issue of point-to-multipoint data transmission.
  • Page 343: Multicast Architecture

    The radical difference between the SSM model and the ASM model is that in the SSM model, receivers already know the locations of the multicast sources by some means. In addition, the SSM model uses a multicast address range that is different from that of the ASM model, and dedicated multicast forwarding paths are established between receivers and the specified multicast sources.
  • Page 344 group address), rather than one address. All the receivers join a group. Once they join the group, the data sent to this group address starts to be transported to the receivers. All the members in this group can receive the data packets. This group is a multicast group. A multicast group has the following characteristics: The membership of a group is dynamic.
  • Page 345 Class D address range / Description
    224.0.0.11 Mobile agents
    224.0.0.12 DHCP server/relay agent
    224.0.0.13 All Protocol Independent Multicast (PIM) routers
    224.0.0.14 Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15 All core-based tree (CBT) routers
    224.0.0.16 The specified subnetwork bandwidth management (SBM)
    224.0.0.17 All SBMs
    224.0.0.18 Virtual Router Redundancy Protocol (VRRP)
    224.0.0.19 to 224.0.0.255...
  • Page 346: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 347: Multicast Packet Forwarding Mechanism

    Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs.
  • Page 348: Implementation Of The Rpf Mechanism

    In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface.
  • Page 349 considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-1. Multicast packets travel along the SPT from the multicast source to the receivers.
  • Page 350: Common Multicast Configuration

    Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Enabling Multicast Packet Buffering...
  • Page 351: Enabling Multicast Routing

    Configure the maximum number of packets that can be buffered per multicast forwarding entry: multicast storing-packet packet-number (Optional; the system default is 100)
    The multicast packet buffering feature should be enabled before multicast routing is enabled.
    Enabling Multicast Routing
    Follow these steps to enable multicast routing: To do...
  • Page 352: Configuring Suppression On The Multicast Source Port

    Configure the maximum number of multicast route entries: multicast route-limit limit (Optional; by default, the maximum number of multicast route entries is 256)
    Configuring Suppression on the Multicast Source Port
    Some users may deploy unauthorized multicast servers on the network. By taking network resources, this affects the use of network bandwidth and the transmission of multicast data of authorized users.
  • Page 353: Configuring A Multicast Mac Address Entry

    Clear multicast forwarding entries and, with statistics specified, the corresponding statistics information: reset multicast forwarding-table [ statistics ] { all | { group-address [ mask { mask | mask-length } ] | source-address [ mask { mask | mask-length } ] | incoming-interface interface-type ... Use the reset...
  • Page 354: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 355 Consistent with the multicast routing table, the multicast forwarding table is the table that guides multicast forwarding. Follow these commands to display common multicast configuration:
    Display the statistics information about the multicast source port: display multicast-source-deny [ interface interface-type [ interface-number ] ] (Available in any view)...
  • Page 356: Igmp Configuration

    IGMP Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. When configuring IGMP, go to these sections for information you are interested in: IGMP Overview Configuring IGMP Displaying and Maintaining IGMP...
  • Page 357 Figure 3-1 Joining multicast groups (IP network; Router A, Router B, Ethernet; Host A in G2, Host B and Host C in G1; Query and Report messages) Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure 3-1.
  • Page 358: Enhancements Provided By Igmpv2

    Enhancements Provided by IGMPv2 Compared with IGMPv1, IGMPv2 provides the querier election mechanism and Leave Group mechanism. Querier election mechanism In IGMPv1, the DR elected by the Layer 3 multicast routing protocol (such as PIM) serves as the querier among multiple routers on the same subnet. In IGMPv2, an independent querier election mechanism is introduced.
  • Page 359 If it does not expect multicast data from specific sources like S1, S2, …, it sends a report with the Filter-Mode denoted as “Exclude Sources (S1, S2, …)”. As shown in Figure 1-7, the network comprises two multicast sources, Source 1 (S1) and Source 2 (S2), both of which can send multicast data to multicast group G.
  • Page 360: Igmp Proxy

    TO_EX: The filtering mode has changed from Include to Exclude. ALLOW: The Source Address fields in this Group Record contain a list of the additional sources that the system wishes to hear from, for packets sent to the specified multicast address. If the change was to an Include source list, these are the addresses that were added to the list;...
  • Page 361: Configuring Igmp

    Enable multicast routing, and then enable PIM and IGMP on VLAN-interface 1 and VLAN-interface 2. Run the igmp proxy command on VLAN-interface 1 to configure it as the proxy interface for VLAN-interface 2. Configure Switch A as follows: Enable multicast routing, enable IGMP and PIM on VLAN-interface 1. Configure the pim neighbor-policy command to filter PIM neighbors in the network segment 33.33.33.0/24.
  • Page 362: Configuring Igmp Version

    Before performing the following configurations described in this chapter, you must enable multicast routing and enable IGMP on the specific interfaces. Configuring IGMP Version Follow these steps to configure IGMP version: To do... Use the command... Remarks Enter system view system-view —...
  • Page 363 If the IGMP querier receives IGMP report messages from other hosts within the period of robust-value x lastmember-queryinterval, it will maintain the membership of the group. If the IGMP querier does not receive IGMP report messages from other hosts after the period of robust-value x lastmember-queryinterval, it considers that the group has no members on the local subnet and removes the forwarding table entry for the group.
  • Page 364: Configuring The Maximum Allowed Number Of Multicast Groups

    Configure the maximum response time of IGMP general queries: igmp max-response-time seconds (Optional; 10 seconds by default)
    Configuring the Maximum Allowed Number of Multicast Groups
    By configuring the maximum number of IGMP multicast groups allowed to be joined on an interface of the switch, you can control the number of programs on demand available for users attached to the interface, and thus control the bandwidth usage on the interface.
  • Page 365: Configuring Simulated Joining

    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Configure a multicast group filter, in VLAN interface view: igmp group-policy acl-number [ 1 | 2 | port interface-list ] (Optional; no multicast group filter is configured by default)
    In LoopBack...
  • Page 366: Configuring Igmp Proxy

    Configuring simulated joining in interface view
    Follow these steps to configure simulated joining in interface view:
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Configure one or more ports, in VLAN interface view: igmp host-join group-address port ... (Required)...
  • Page 367: Removing Joined Igmp Groups From An Interface

    You must enable the PIM protocol on the interface before configuring the igmp proxy command. Otherwise, the IGMP Proxy feature does not take effect. One interface cannot serve as the proxy interface for two or more interfaces. Generally, an interface serving as an IGMP querier cannot act as an IGMP proxy interface. If it is necessary to configure an IGMP querier interface as an IGMP proxy interface, you must configure the port that belongs to the proxy interface and connects to the upstream multicast device as a static router port.
  • Page 368: Pim Overview

    PIM Configuration When configuring PIM, go to these sections for information you are interested in: PIM Overview Configuring PIM-DM Configuring PIM-SM Configuring Common PIM Parameters Displaying and Maintaining PIM PIM Configuration Examples Troubleshooting PIM In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 369: Introduction To Pim-Dm

    Introduction to PIM-DM PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely distributed multicast members. The basic implementation of PIM-DM is as follows: PIM-DM assumes that at least one multicast group member exists on each subnet of a network, and therefore multicast data is flooded to all nodes on the network.
  • Page 370 corresponding interface from the outgoing interface list in the (S, G) entry and stop forwarding subsequent packets addressed to that multicast group down to this node. An (S, G) entry contains the multicast source address S, multicast group address G, outgoing interface list, and incoming interface.
  • Page 371: Introduction To Pim-Sm

    The node that needs to receive multicast data sends a graft message hop by hop toward the source, as a request to join the SPT again. Upon receiving this graft message, the upstream node puts the interface on which the graft was received into the forwarding state and responds with a graft-ack message to the graft sender.
  • Page 372: How Pim-Sm Works

    PIM-SM is a type of sparse mode multicast protocol. It uses the “pull mode” for multicast forwarding, and is suitable for large- and medium-sized networks with sparsely and widely distributed multicast group members. The basic implementation of PIM-SM is as follows: PIM-SM assumes that no hosts need to receive multicast data.
  • Page 373 A DR must be elected in a multi-access network, whether this network connects to multicast sources or to receivers. The DR at the receiver side sends join messages to the RP; the DR at the multicast source side sends register messages to the RP. A DR is elected on a multi-access subnet by means of comparison of the priorities and IP addresses carried in hello messages.
  • Page 374 Switch 5500-EI series Ethernet switches do not support DR priority. DR election is based on IP addresses. In a PIM-DM domain, a DR serves as an IGMPv1 querier. RP discovery The RP is the core of a PIM-SM domain. For a small-sized, simple network, one RP is enough for forwarding information throughout the network, and the position of the RP can be statically specified on each router in the PIM-SM domain.
  • Page 375 Figure 4-5 Building an RPT in PIM-SM RPT building As shown in Figure 4-5, the process of building an RPT is as follows: When a receiver joins a multicast group G, it uses an IGMP message to inform the directly connected DR.
  • Page 376 Figure 4-6 Multicast registration As shown in Figure 4-6, the multicast source registers with the RP as follows: When the multicast source S sends the first multicast packet to a multicast group G, the DR directly connected with the multicast source, upon receiving the multicast packet, encapsulates the packet in a PIM register message, and sends the message to the corresponding RP by unicast.
  • Page 377: Configuring Pim-Dm

    Assert PIM-SM uses exactly the same assert mechanism as PIM-DM does. Refer to Assert. Configuring PIM-DM Enabling PIM-DM With PIM-DM enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors. When deploying a PIM-DM domain, you are recommended to enable PIM-DM on all interfaces of non-border routers.
  • Page 378: Configuring An Rp

    Enter interface view: interface interface-type interface-number
    Enable PIM-SM: pim sm (Required; disabled by default)
    Configuring an RP
    An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job.
  • Page 379: Configuring A Bsr

    Configure candidate RPs: c-rp interface-type interface-number [ group-policy acl-number | priority priority ]* (Optional; by default, candidate RPs are not set for the switch and the value of priority is 0)
    Limit the range of valid C-RPs: crp-policy acl-number (Optional; by default, the range of valid C-RPs is...
  • Page 380 the right of advertising RP information in the network. After being configured as a C-BSR, a router automatically floods the network with bootstrap messages. As a bootstrap message has a TTL value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages.
  • Page 381: Filtering The Registration Packets From Dr To Rp

    After this feature is configured, Bootstrap messages cannot pass the border. However, the other PIM messages can pass the domain border. The network can be effectively divided into domains that use different BSRs. Filtering the Registration Packets from DR to RP Within a PIM-SM domain, the source-side DR sends register messages to the RP, and these register messages have different multicast source or group addresses.
  • Page 382: Configuring Common Pim Parameters

    Typically, you need to configure the above-mentioned parameters on the receiver-side DR and the RP only. Since both the DR and RP are elected, however, you should carry out these configurations on the routers that may win DR election and on the C-RPs that may win RP election. Configuring Common PIM Parameters Complete the following tasks to configure common PIM parameters: Task...
  • Page 383: Configuring The Hello Interval

    If you have configured a basic ACL, the switch filters all the received multicast packets based on the multicast source address, and discards packets that fail source address match. If you have configured an advanced ACL, the switch filters all the received multicast packets based on the multicast source address and group address, and discards packets that fail source and group address match.
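The basic-versus-advanced ACL behaviour described above, as an added example that is not code from the manual and does not model the command that attaches the ACL (it is not shown in this excerpt): with a basic ACL each received multicast packet is matched on its source address only, with an advanced ACL on source and group address, and a packet that no rule permits is discarded. Comware-style wildcard masks are assumed (a 1 bit in the wildcard means "don't care"). The ACL numbers, rules and traffic are constructed, reusing addresses from the manual's PIM examples; the same filter is what keeps the unauthorized multicast servers mentioned on page 352 from injecting traffic.

```python
"""Multicast source filtering with a basic vs an advanced ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    action: str                         # "permit" or "deny"
    source: str                         # "addr wildcard" or "any"
    destination: Optional[str] = None   # group match, used by advanced ACLs only


@dataclass
class Acl:
    number: int
    rules: List[AclRule]

    @property
    def kind(self) -> str:
        if 2000 <= self.number <= 2999:
            return "basic"
        if 3000 <= self.number <= 3999:
            return "advanced"
        raise ValueError(f"ACL {self.number} is neither a basic nor an advanced ACL")


def wildcard_match(spec: str, address: str) -> bool:
    """Wildcard-mask semantics: bits set to 1 in the wildcard are ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def source_policy_permits(acl: Acl, source: str, group: str) -> bool:
    """First matching rule decides; a packet matching no rule is discarded."""
    for rule in acl.rules:
        if not wildcard_match(rule.source, source):
            continue
        if acl.kind == "advanced" and rule.destination is not None:
            if not wildcard_match(rule.destination, group):
                continue
        return rule.action == "permit"
    return False


def audit(acl: Acl, packets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (source, group) pairs the filter would discard."""
    return [(s, g) for s, g in packets if not source_policy_permits(acl, s, g)]


# Constructed ACLs: authorised servers live in 10.110.5.0/24 and may send only
# to groups in 225.1.1.0/24; one host in that subnet is explicitly blocked.
BASIC_ACL = Acl(2000, [AclRule("permit", "10.110.5.0 0.0.0.255")])
ADVANCED_ACL = Acl(3000, [
    AclRule("deny", "10.110.5.66 0.0.0.0", "any"),
    AclRule("permit", "10.110.5.0 0.0.0.255", "225.1.1.0 0.0.0.255"),
])

# Constructed traffic: an authorised server, the same server on a foreign
# group, an unauthorised server, and the blocked host.
SAMPLE_TRAFFIC = [
    ("10.110.5.100", "225.1.1.1"),
    ("10.110.5.100", "239.9.9.9"),
    ("10.110.2.7", "225.1.1.1"),
    ("10.110.5.66", "225.1.1.1"),
]
```

`audit(BASIC_ACL, SAMPLE_TRAFFIC)` discards only the packet from 10.110.2.7, because a basic ACL never looks at the group; `audit(ADVANCED_ACL, SAMPLE_TRAFFIC)` also discards the foreign-group packet and the blocked host, which is the reason to prefer an advanced ACL when the goal is to pin authorised sources to authorised groups rather than just to authorised subnets.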
  • Page 384: Configuring Multicast Source Lifetime

    Configure a limit on the number of PIM neighbors on the interface: pim neighbor-limit limit (Optional; by default, the upper limit on the number of PIM neighbors on an interface is 128)
    Configure a filtering rule to filter PIM neighbors: pim neighbor-policy ... (Optional; by default, no filtering rule is...
  • Page 385: Clearing The Related Pim Entries

    The PIM prune delay function is applicable only to PIM-SM networks, but not to PIM-DM networks. Upon receiving a prune message from a downstream device, the upstream node removes the interface connecting the downstream node from the outgoing interface list of the (S, G) entry. If the downstream node finds shortly after it has sent a prune message that a member for the multicast group is present on the local subnet, it immediately sends a prune override message to the upstream to let the upstream node cancel the prune action.
  • Page 386: Displaying And Maintaining Pim

    Displaying and Maintaining PIM Configuration
    Display the PIM multicast routing table: display pim routing-table [ { { *g [ group-address [ mask { mask-length | mask } ] ] | **rp [ rp-address [ mask { mask-length | mask } ] ] } | { group-address [ mask { mask-length | mask } ] | ... (Available in any view)
  • Page 387 Network diagram
    Figure 4-7 Network diagram for PIM-DM configuration
    Device / Interface / IP address
    Switch A: Vlan-int100 10.110.1.1/24; Vlan-int103 192.168.1.1/24
    Switch B: Vlan-int200 10.110.2.1/24; Vlan-int101 192.168.2.1/24
    Switch C: Vlan-int200 10.110.2.2/24; Vlan-int102...
    Switch D: Vlan-int300 10.110.5.1/24; Vlan-int103 192.168.1.2/24; Vlan-int101 192.168.2.2/24; Vlan-int102 192.168.3.2/24
  • Page 388: Verifying The Configuration

    [SwitchA-Vlan-interface103] quit
    The configuration on Switch B and Switch C is similar to the configuration on Switch A.
    # Enable IP multicast routing on Switch D, and enable PIM-DM on each interface.
    <SwitchD> system-view
    [SwitchD] multicast routing-enable
    [SwitchD] interface vlan-interface 300
    [SwitchD-Vlan-interface300] pim dm
    [SwitchD-Vlan-interface300] quit
    [SwitchD] interface vlan-interface 103...
  • Page 389: Pim-Sm Configuration Example

    PIM-DM Routing Table
    Total 1 (S,G) entry
    (10.110.5.100, 225.1.1.1)
    Protocol 0x40: PIMDM, Flag 0xC: SPT NEG_CACHE
    Uptime: 00:00:23, Timeout in 187 sec
    Upstream interface: Vlan-interface300, RPF neighbor: NULL
    Downstream interface list:
    Vlan-interface101, Protocol 0x200: SPT, timeout in 147 sec
    Vlan-interface103, Protocol 0x200: SPT, timeout in 145 sec
    Matched 1 (S,G) entry
    PIM-SM Configuration Example...
  • Page 390 Network diagram
    Figure 4-8 Network diagram for PIM-SM domain configuration
    Device / Interface / IP address
    Switch A: Vlanint100 10.110.1.1/24; Vlanint101 192.168.1.1/24; Vlanint102 192.168.9.1/24
    Switch B: Vlanint200 10.110.2.1/24; Vlanint103...
    Switch D: Vlanint300 10.110.5.1/24; Vlanint101 192.168.1.2/24; Vlanint105 192.168.4.2/24
    Switch E: Vlanint104 192.168.3.2/24
  • Page 391: Display Bsr Information

    [SwitchA-Vlan-interface100] quit
    [SwitchA] interface vlan-interface 101
    [SwitchA-Vlan-interface101] pim sm
    [SwitchA-Vlan-interface101] quit
    [SwitchA] interface vlan-interface 102
    [SwitchA-Vlan-interface102] pim sm
    [SwitchA-Vlan-interface102] quit
    The configuration on Switch B and Switch C is similar to that on Switch A. The configuration on Switch D and Switch E is also similar to that on Switch A, except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches.
  • Page 392: Display Pim Routing-Table

    Uptime: 00:49:44 Expires: 00:01:46
    # Display PIM routing table information on Switch A.
    <SwitchA> display pim routing-table
    PIM-SM Routing Table
    Total 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry
    (*, 225.1.1.1), RP 192.168.9.2
    Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF
    Uptime: 00:23:21, never timeout
    Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2
    Downstream interface list:...
  • Page 393: Troubleshooting Pim

    (10.110.5.100, 225.1.1.1)
    Protocol 0x20: PIMSM, Flag 0x4: SPT
    Uptime: 00:03:03, Timeout in 27 sec
    Upstream interface: Vlan-interface105, RPF neighbor: 192.168.4.2
    Downstream interface list:
    Vlan-interface102, Protocol 0x200: SPT, timeout in 147 sec
    Vlan-interface103, Protocol 0x200: SPT, timeout in 145 sec
    Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry
    Troubleshooting PIM
    Symptom: The router cannot set up multicast routing tables correctly.
  • Page 394: Msdp Configuration

    MSDP Configuration When configuring MSDP, go to these sections for information you are interested in: MSDP Overview Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers Configuring SA Message Transmission Displaying and Maintaining MSDP MSDP Configuration Example Troubleshooting MSDP Configuration In this manual, the term “router”...
  • Page 395: How Msdp Works

    MSDP achieves this objective. By establishing MSDP peer relationships among RPs of different PIM-SM domains, source active (SA) messages can be forwarded among domains and the multicast source information can be shared. MSDP is applicable only if the intra-domain multicast protocol is PIM-SM. MSDP is meaningful only for the any-source multicast (ASM) model.
  • Page 396 Intermediate MSDP peer: an MSDP peer with multicast remote MSDP peers, like RP 2. An intermediate MSDP peer forwards SA messages received from one remote MSDP peer to other remote MSDP peers, functioning as a relay of multicast source information. MSDP peers created on common PIM-SM routers (other than RPs) Router A and Router B are MSDP peers on common multicast routers.
  • Page 397 When the multicast source in PIM-SM 1 sends the first multicast packet to multicast group G, DR 1 encapsulates the multicast data within a register message and sends the register message to RP 1. Then, RP 1 gets aware of the information related to the multicast source. As the source-side RP, RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer.
  • Page 398 If only one MSDP peer exists in a PIM-SM domain, this PIM-SM domain is also called a stub domain. For example, AS 4 in Figure 5-3 is a stub domain. The MSDP peer in a stub domain can have multiple remote MSDP peers at the same time.
  • Page 399 Because the SA message is from a static RPF peer (RP 6), RP 7 accepts the SA message and forwards it to its other peer (RP 8). When RP 8 receives the SA message from RP 7: an EBGP route exists between two MSDP peers in different ASs. Because the SA message is from an MSDP peer (RP 7) in a different AS, and that MSDP peer is the next hop on the EBGP route to the source-side RP, RP 8 accepts the message and forwards it to its other peer (RP 9).
  • Page 400: Protocols And Standards

    Receivers send join messages to the nearest RP to join in the RPT rooted as this RP. In this example, Receiver joins the RPT rooted at RP 2. RPs share the registered multicast information by means of SA messages. In this example, RP 1 creates an SA message and sends it to RP 2, with the multicast data from Source encapsulated in the SA message.
  • Page 401: Configuration Prerequisites

    In the case that all the peers use the rp-policy keyword: Multiple static RPF peers function at the same time. RPs in SA messages are filtered based on the configured prefix list, and only the SA messages whose RP addresses pass the filtering are received. If multiple static RPF peers using the same rp-policy keyword are configured, when any of the peers receives an SA message, it will forward the SA message to other peers.
  • Page 402: Configuration Prerequisites

    Configuration Prerequisites Before configuring an MSDP peer connection, you need to configure: A unicast routing protocol Basic functions of IP multicast PIM-SM basic functions MSDP basic functions Complete the following tasks to configure an MSDP peer connection: Task Remarks Configuring Description Information for MSDP Peers Optional Configuring an MSDP Mesh Group Optional...
  • Page 403: Configuring Msdp Peer Connection Control

    Before you configure an MSDP mesh group, make sure that the routers are fully connected with one another. The same group name must be configured on all the peers before they can join a mesh group. If you add the same MSDP peer to multiple mesh groups, only the latest configuration takes effect. Configuring MSDP Peer Connection Control The connection between MSDP peers can be flexibly controlled.
  • Page 404: Configuration Prerequisites

    To reduce the delay in obtaining the multicast source information, you can cache SA messages on the router. The number of SA messages cached must not exceed the system limit. The more messages are cached, the more router memory is occupied. Configuration Prerequisites Before you configure SA message transmission, perform the following tasks: Configuring a unicast routing protocol.
  • Page 405: Configuring Sa Message Cache

    Configuring SA Message Cache With the SA message caching mechanism enabled on the router, the group that a new member subsequently joins can obtain all active sources directly from the SA cache and join the corresponding SPT source tree, instead of waiting for the next SA message. You can configure the number of SA entries cached in each MSDP peer on the router by executing the following command, but the number must be within the system limit.
  • Page 406: Configuring A Rule For Filtering The Multicast Sources Of Sa Messages

    Configure a rule for filtering SA request messages received by an MSDP peer: peer peer-address sa-request-policy [ acl acl-number ] (optional; by default, a router receives all SA request messages from the MSDP peer). Configuring a Rule for Filtering the Multicast Sources of SA Messages: An RP filters each registered source to control the information of active sources advertised in the SA message.
  • Page 407: Displaying And Maintaining Msdp

    Configure a filter for imported and exported SA messages: peer peer-address sa-policy { import | export } [ acl acl-number ] (optional; by default, no filtering is imposed on SA messages to be received or forwarded, namely all SA messages from MSDP peers are received or...
  • Page 408: Msdp Configuration Example

    You can locate message loss and configuration errors by tracing the network path of the specified (S, G, RP) entries. Once the transmission path of SA messages is determined, correct configuration can prevent the flooding of SA messages. MSDP Configuration Example Anycast RP Configuration Network requirements The PIM-SM domain has multiple multicast sources and receivers.
  • Page 409 Configuration procedure. Configure the interface IP addresses and unicast routing protocol for each switch: configure the IP address and subnet mask for each interface as per Figure 5-5 (detailed configuration steps are omitted here). Configure OSPF for interconnection between the switches. Ensure network-layer interoperation among the switches, and ensure the dynamic update of routing information between the switches through a unicast routing protocol.
  • Page 410 [SwitchB-msdp] peer 2.2.2.2 connect-interface loopback 0
    [SwitchB-msdp] quit
    # Configure an MSDP peer on Loopback 0 of Switch D.
    [SwitchD] msdp
    [SwitchD-msdp] originating-rp loopback 0
    [SwitchD-msdp] peer 1.1.1.1 connect-interface loopback 0
    [SwitchD-msdp] quit
    Verify the configuration: you can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches.
  • Page 411: Troubleshooting Msdp Configuration

    PIM-SM Routing Table
    Total 0 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
    Matched 0 (S,G) entry, 0 (*,G) entry, 0 (*,*,RP) entry
    Troubleshooting MSDP Configuration. MSDP Peer Always in the Down State. Symptom: An MSDP peer is configured, but it is always in the down state. Analysis: An MSDP peer relationship between the locally configured connect-interface interface address and the configured peer address is based on a TCP connection.
  • Page 412: Igmp Snooping Configuration

    IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 413: Basic Concepts In Igmp Snooping

    [Figure 6-1 Before and after IGMP Snooping is enabled on a Layer 2 device; panels: multicast packet transmission without IGMP Snooping, and multicast packet transmission when IGMP Snooping runs; elements: multicast router, Source, Layer 2 switch, Host A, Host C]
  • Page 414: Work Mechanism Of Igmp Snooping

    member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table. Table 6-1 Port aging timers in IGMP Snooping and related messages and actions (columns: Timer, Description, Message before...
  • Page 415 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
  • Page 416: Configuring Igmp Snooping

    Configuring IGMP Snooping. Complete the following tasks to configure IGMP Snooping: Enabling IGMP Snooping (required); Configuring the Version of IGMP Snooping (optional); Configuring Timers (optional); Configuring Fast Leave Processing (optional); Configuring a Multicast Group Filter (optional); Configuring the Maximum Number of Multicast Groups on a Port (optional); Configuring IGMP Snooping Querier (optional)...
  • Page 417: Configuring The Version Of Igmp Snooping

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 418: Configuring Timers

    Configuring Timers. This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer. Follow these steps to configure timers: Enter system view: system-view...
  • Page 419: Configuring A Multicast Group Filter

    Enable fast leave processing for specific VLANs: igmp-snooping fast-leave [ vlan vlan-list ] (required; by default, the fast leave processing feature is disabled). The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3.
  • Page 420: Configuring The Maximum Number Of Multicast Groups On A Port

    Enter Ethernet port view: interface interface-type interface-number. Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ] (optional; no group filter is configured by default, namely hosts can join any multicast group). A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port.
  • Page 421: Configuring Igmp Snooping Querier

    To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
  • Page 422: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Enable IGMP Snooping querier: igmp-snooping querier (required; by default, IGMP Snooping querier is disabled). Configuring IGMP query interval. Follow these steps to configure the IGMP query interval: Enter system view: system-view...
  • Page 423: Configuring Static Member Port For A Multicast Group

    If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable unknown multicast flooding suppression. Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time. If both are enabled, only multicast source port suppression takes effect. In this case, multicast data received on the blocked port will be dropped.
  • Page 424: Configuring A Static Router Port

    Configuring a Static Router Port In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
  • Page 425: Configuring A Port As A Simulated Group Member

    This feature is recommended in MFF networks only. For details about MFF, refer to ARP Operation. Configuring a Port as a Simulated Group Member Simulated joining in IGMP Snooping is implemented in the same way as in IGMP except that IGMP Snooping establishes and maintains IGMP Snooping entries.
  • Page 426: Configuring A Vlan Tag For Query Messages

    Configuring a VLAN Tag for Query Messages. By configuring the VLAN tag carried in IGMP general and group-specific queries forwarded and sent by IGMP Snooping switches, you can enable multicast packet forwarding between different VLANs in a Layer 2 multicast network environment. Follow these steps to configure the VLAN tag for query messages: To do...
  • Page 427 Enter Ethernet port view for the Layer 2 switch to be configured: interface interface-type interface-number. Define the port as a trunk or hybrid port: port link-type { trunk | hybrid } (required). port hybrid vlan vlan-id-list { tagged | untagged } (required). The multicast VLAN defined on...
  • Page 428: Displaying And Maintaining Igmp Snooping

    One port can belong to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. If a router port is in a multicast VLAN, the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN.
  • Page 429 Network diagram. [Figure 6-3 Network diagram for IGMP Snooping configuration: Source, Router A (IGMP querier), Switch A, and receivers Host A, Host B and Host C; ports Eth1/0/1 to Eth1/0/4, VLAN 100, addresses 1.1.1.1/24, 1.1.1.2/24 and 10.1.1.1/24] Configuration procedure. Configure the IP address of each interface: configure an IP address and subnet mask for each interface as per Figure 6-3.
  • Page 430 <SwitchA> display igmp-snooping group vlan100
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Static Router port(s):
    Dynamic Router port(s): Ethernet1/0/1
    IP group(s):the following ip group(s) match to one mac group.
    IP group address: 224.1.1.1
    Static host port(s):
    Dynamic host port(s): Ethernet1/0/3...
  • Page 431 Device, device description and networking description: Host A (User 1) is connected to Ethernet 1/0/1 on Switch B. Host B (User 2) is connected to Ethernet 1/0/2 on Switch B. In this configuration example, you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports.
  • Page 432: Troubleshooting Igmp Snooping

    [SwitchA-Ethernet1/0/10] port hybrid vlan 10 tagged
    [SwitchA-Ethernet1/0/10] quit
    # Configure the interface IP address of VLAN 10 as 168.10.2.1, and enable PIM-DM and IGMP.
    [SwitchA] interface Vlan-interface 10
    [SwitchA-Vlan-interface10] ip address 168.10.2.1 255.255.255.0
    [SwitchA-Vlan-interface10] igmp enable
    [SwitchA-Vlan-interface10] pim dm
    Configure Switch B:
    # Enable the IGMP Snooping feature on Switch B.
  • Page 433 IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time.
  • Page 434 Table of Contents 1 802.1x Configuration ·································································································································1-1 Introduction to 802.1x······························································································································1-1 Architecture of 802.1x Authentication······························································································1-1 The Mechanism of an 802.1x Authentication System ·····································································1-3 Encapsulation of EAPoL Messages ································································································1-3 802.1x Authentication Procedure ····································································································1-5 Timers Used in 802.1x·····················································································································1-9 Additional 802.1x Features on Switch 5500-EI ·············································································1-10 Introduction to 802.1x Configuration ·····································································································1-13 Basic 802.1x Configuration ···················································································································1-13 Configuration Prerequisites ···········································································································1-13...
  • Page 435 Layer 3 Error Control ·······················································································································4-1 Configuring System Guard······················································································································4-1 Configuring System Guard Against IP Attacks················································································4-1 Configuring System Guard Against TCN Attacks············································································4-2 Enabling Layer 3 Error Control········································································································4-3 Displaying and Maintaining System Guard Configuration ······································································4-3...
  • Page 436: 802.1X Configuration

    802.1x Configuration. When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x; Introduction to 802.1x Configuration; Basic 802.1x Configuration; Advanced 802.1x Configuration; Displaying and Maintaining 802.1x Configuration; Configuration Example. Introduction to 802.1x: The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 437 Figure 1-1 Architecture of 802.1x authentication The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device.
  • Page 438: The Mechanism Of An 802.1X Authentication System

    The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.
  • Page 439 Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
  • Page 440: 802.1X Authentication Procedure

    The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields. The Data field carries the EAP packet, whose format varies with the Code field. A Success or Failure packet does not contain the Data field, so its Length field is 4. Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
  • Page 441 EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).
  • Page 442 [Figure 1-8 802.1x authentication procedure (in EAP relay mode): EAPOL between the supplicant system and the authenticator system, EAPOR between the authenticator system and the RADIUS server. Exchange: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity, carried in RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge), delivered as EAP-Request/MD5 challenge; EAP-Response/MD5 challenge, carried in RADIUS Access-Request...]
  • Page 443 feeds back the result (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch.
  • Page 444: Timers Used In 802.1X

    [Figure 1-9 802.1x authentication procedure (in EAP terminating mode): EAPOL between the supplicant system and the authenticator system PAE, RADIUS between the authenticator system and the RADIUS server. Exchange: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port...]
  • Page 445: Additional 802.1X Features On Switch 5500-Ei

    Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
  • Page 446 Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. The CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies.
  • Page 447 Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated. But they need to be authenticated when accessing external resources. Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function. Refer to AAA Operation for detailed information about the dynamic VLAN delivery function.
  • Page 448: Introduction To 802.1X Configuration

    Note: 802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session after it begins to perform accounting. Therefore, to enable 802.1x re-authentication, do not configure the accounting none command in the domain.
  • Page 449: Configuring Basic 802.1X Functions

    Configuring Basic 802.1x Functions. Follow these steps to configure basic 802.1x functions: Enter system view: system-view. Enable 802.1x globally: dot1x (required; by default, 802.1x is disabled globally). Enable 802.1x on ports (required): in system view, dot1x interface interface-list; or interface interface-type...
  • Page 450: Timer And Maximum User Number Configuration

    Caution: 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa. The settings of 802.1x and aggregation group member are mutually exclusive.
  • Page 451: Advanced 802.1X Configuration

    Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } (optional). The default settings of the 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: ... seconds; server-timeout-value: ... seconds; supp-timeout-value: ... seconds; tx-period-value: 30 seconds; ver-period-value:...
  • Page 452: Configuring Client Version Checking

    Enable proxy checking for a port or specified ports (required; by default, 802.1x proxy checking is disabled on a port): in system view, dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]; in port view, interface interface-type interface-number, then dot1x supp-proxy-check { logoff | trap }, then quit. Note:...
  • Page 453: Enabling Dhcp-Triggered Authentication

    Enabling DHCP-triggered Authentication. After you perform the following configuration, 802.1x allows access users to run DHCP, and users are authenticated when they apply for dynamic IP addresses through DHCP. Follow these steps to enable DHCP-triggered authentication: Enter system view: system-view...
  • Page 454: Configuring The 802.1X Re-Authentication Timer

    Enter system view: system-view. Enable 802.1x re-authentication on port(s) (required; by default, 802.1x re-authentication is disabled on a port): in system view, dot1x re-authenticate [ interface interface-list ]; in port view, dot1x re-authenticate. Note: To enable 802.1x re-authentication on a port, you must first enable 802.1x globally and on the port.
  • Page 455: Displaying And Maintaining 802.1X Configuration

    Displaying and Maintaining 802.1x Configuration. Display the configuration, session, and statistics information about 802.1x: display dot1x [ sessions | statistics ] [ interface interface-list ] (available in any view). Clear 802.1x-related statistics information: reset dot1x statistics [ interface interface-list ] (available in user view)...
  • Page 456 Network diagram: Figure 1-12 Network diagram for AAA configuration with 802.1x and RADIUS enabled. Configuration procedure. Note: The following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for information about these commands. Configuration on the client and the RADIUS servers is omitted.
  • Page 457 [Sysname-radius-radius1] key accounting money
    # Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
    [Sysname-radius-radius1] timer 5
    [Sysname-radius-radius1] retry 5
    # Set the timer for the switch to send real-time accounting packets to the RADIUS servers.
    [Sysname-radius-radius1] timer realtime-accounting 15
    # Configure to send the user name to the RADIUS server with the domain name truncated.
  • Page 458: Quick Ead Deployment Configuration

    Quick EAD Deployment Configuration When configuring quick EAD deployment, go to these sections for information you are interested in: Introduction to Quick EAD Deployment Configuring Quick EAD Deployment Displaying and Maintaining Quick EAD Deployment Quick EAD Deployment Configuration Example Troubleshooting Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an Endpoint Admission Defense (EAD) solution can improve the overall...
  • Page 459: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment. Configuration Prerequisites: Enable 802.1x on the switch. Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure. Configuring a free IP range: A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 460: Displaying And Maintaining Quick Ead Deployment

    large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
  • Page 461: Troubleshooting

    Configuration procedure. Note: Before enabling quick EAD deployment, make sure that the Web server is configured properly, and that the default gateway of the PC is configured as the IP address of the Layer 3 virtual interface of the VLAN to which the port directly connected to the PC belongs. # Configure the URL for HTTP redirection.
  • Page 462: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 463: Habp Client Configuration

    Configure the current switch to be an HABP server: habp server vlan vlan-id (required). By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
  • Page 464: System Guard Configuration

    System Guard Configuration. When configuring System Guard, go to these sections for information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration. System Guard Overview. Guard Against IP Attacks: System-guard inspects the IP packets delivered to the CPU over 10-second intervals, looking for suspicious source IP addresses.
  • Page 465: Configuring System Guard Against Tcn Attacks

    Set the maximum number of infected hosts that can be concurrently monitored: system-guard ip detect-maxnum number (optional; 30 by default). Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and...: system-guard ip detect-threshold (optional; by default, ip-record-threshold...
  • Page 466: Enabling Layer 3 Error Control

    Enabling Layer 3 Error Control. Follow these steps to enable Layer 3 error control: Enter system view: system-view. Enable Layer 3 error control: system-guard l3err enable (required; enabled by default). Displaying and Maintaining System Guard Configuration: To do...
  • Page 467 Table of Contents 1 AAA Overview ············································································································································1-1 Introduction to AAA ·································································································································1-1 Authentication··································································································································1-1 Authorization····································································································································1-1 Accounting·······································································································································1-1 Introduction to ISP Domain ·············································································································1-2 Introduction to AAA Services ··················································································································1-2 Introduction to RADIUS ···················································································································1-2 Introduction to HWTACACS ············································································································1-6 2 AAA Configuration ····································································································································2-1 AAA Configuration Task List ···················································································································2-1 Creating an ISP Domain and Configuring Its Attributes ··································································2-2 Configuring an AAA Scheme for an ISP Domain ············································································2-3 Configuring Dynamic VLAN Assignment·························································································2-6...
  • Page 468 Local Authentication of FTP/Telnet Users·····················································································2-28 HWTACACS Authentication and Authorization of Telnet Users ···················································2-29 Troubleshooting AAA ····························································································································2-30 Troubleshooting RADIUS Configuration························································································2-30 Troubleshooting HWTACACS Configuration ················································································2-31 3 EAD Configuration·····································································································································3-1 Introduction to EAD ·································································································································3-1 Typical Network Application of EAD ·······································································································3-1 EAD Configuration ··································································································································3-1 EAD Configuration Example ···················································································································3-2...
  • Page 469: Aaa Overview

    Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, a 3Com switch) acts as the client to communicate with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
  • Page 470: Introduction To Isp Domain

    None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
  • Page 471 Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 472 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
  • Page 473 Accounting-Request (direction: client->server): The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
  • Page 474: Introduction To Hwtacacs

    Standard RADIUS attributes (continued, two table columns): Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route; Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port.
    The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 475 Table 1-3 Differences between HWTACACS and RADIUS
    HWTACACS: Adopts TCP, providing more reliable network transmission. RADIUS: Adopts UDP.
    HWTACACS: Encrypts the entire message except the HWTACACS header. RADIUS: Encrypts only the password field in the authentication message.
    HWTACACS: Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. RADIUS: Combines authentication and authorization.
  • Page 476 Figure 1-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 477 After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 478: Aaa Configuration

    AAA Configuration AAA Configuration Task List You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks...
  • Page 479: Creating An Isp Domain And Configuring Its Attributes

    Domain configuration
    Creating an ISP Domain and Configuring Its Attributes: Required
    Configuring an AAA Scheme for an ISP Domain (Configuring separate AAA schemes): Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
  • Page 480: Configuring An Aaa Scheme For An Isp Domain

    Set the accounting-optional switch: accounting-optional (Optional. By default, the accounting optional switch is off.)
    Set the messenger function: messenger time { enable limit interval | disable } (Optional. By default, the messenger function is disabled.)
    Set the self-service server location: self-service-url { disable | ... (Optional. By default, the self-service function...)
  • Page 481
    Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (Required)
    Configure an AAA scheme for the ISP domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme ... (Required. By default, an ISP domain uses the...)
  • Page 482
    Enter system view: system-view
    Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (Required)
    Configure an authentication scheme for the ISP domain: authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme ... (Optional. By default, no separate...)
  • Page 483: Configuring Dynamic Vlan Assignment

    accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting. If you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system uses the secondary local scheme for authentication, it also does so for authorization and accounting;...
  • Page 484: Configuring The Attributes Of A Local User

    In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
  • Page 485
    Enter system view: system-view
    Set the password display mode of all local users: local-user password-display-mode { cipher-force | auto } (Optional. By default, the password display mode of all access users is auto, indicating that the passwords of access users are displayed in the modes set by the password command.)
  • Page 486: Cutting Down User Connections Forcibly

    RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
  • Page 487
    Configuring the RADIUS client:
    Creating a RADIUS Scheme: Required
    Configuring RADIUS Authentication/Authorization Servers: Required
    Configuring RADIUS Accounting Servers: Required
    Configuring Shared Keys for RADIUS Messages: Optional
    Configuring the Maximum Number of RADIUS Request Transmission Attempts: Optional
    Configuring the Type of RADIUS Servers to be Supported: Optional
    Configuring the Status of RADIUS Servers...
  • Page 488: Creating A Radius Scheme

    creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each type of server, you can configure two servers in a RADIUS scheme: a primary server and a secondary server.
  • Page 489: Configuring Radius Accounting Servers

    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
    Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ... (Required. By default, the IP address and UDP port number of the...)
  • Page 490: Configuring Shared Keys For Radius Messages

    Enable stop-accounting request buffering: stop-accounting-buffer enable (Optional. By default, stop-accounting request buffering is enabled.)
    Set the maximum number of transmission attempts of a buffered stop-accounting request: retry stop-accounting retry-times (Optional. By default, the system tries at most 500 times to transmit a buffered stop-accounting request.)
  • Page 491: Configuring The Maximum Number Of Radius Request Transmission Attempts

    Set a shared key for RADIUS authentication/authorization messages: key authentication string (Required. By default, no shared key is created.)
    Set a shared key for RADIUS accounting messages: key accounting string (Required. By default, no shared key is created.)
    The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
  • Page 492: Configuring The Status Of Radius Servers

    If you change the RADIUS server type, the units of data flows sent to RADIUS servers will be restored to the defaults. When the third party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme; when the CAMS server is used, you can select extended as the server-type in a RADIUS scheme.
  • Page 493
    Enter system view: system-view
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
    Set the format of the usernames to be sent to ...: user-name-format ... (Optional. By default, the usernames sent...)
  • Page 494: Configuring The Local Radius Server

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
  • Page 495: Configuring Timers For Radius Servers

    adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 496: Enabling Sending Trap Message When A Radius Server Goes Down

    Set the response timeout time of RADIUS servers: timer response-timeout seconds (Optional. By default, the response timeout time of RADIUS servers is three seconds.)
    Set the time that the switch waits before it tries to re-communicate with the primary ...: timer quiet minutes (Optional. By default, the switch waits five minutes before it restores the...)
  • Page 497 user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem. After this function is enabled, every time the switch restarts: The switch generates an Accounting-On message, which mainly contains the following information: NAS-ID, NAS-IP-address (source IP address), and session ID.
  • Page 498: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List
    Complete the following tasks to configure HWTACACS:
    Configuring the TACACS client:
    Creating a HWTACACS Scheme: Required
    Configuring TACACS Authentication Servers: Required
    Configuring TACACS Authorization Servers: Required
    Configuring TACACS Accounting Servers: Optional
    Configuring Shared Keys for RADIUS Messages: Optional
    Configuring the Attributes of Data to be Sent to TACACS ...: Optional...
  • Page 499: Configuring Tacacs Authorization Servers

    Set the IP address and port number of the primary TACACS authentication server: primary authentication ip-address [ port ] (Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.)
    Set the IP address and port number of the secondary ...: secondary authentication ... (Optional. By default, the IP address of...)
  • Page 500: Configuring Tacacs Accounting Servers

    Configuring TACACS Accounting Servers
    Follow these steps to configure TACACS accounting servers:
    Enter system view: system-view
    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
    Set the IP address and port ... (Required. By default, the IP address of...)
  • Page 501: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
    Set a shared key for HWTACACS authentication, authorization or accounting messages: key { accounting | authorization | authentication } string (Required. By default, no such key is set.)
    Configuring the Attributes of Data to be Sent to TACACS Servers...
  • Page 502: Displaying And Maintaining Aaa Configuration

    Enter system view: system-view
    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
    Set the response timeout time of TACACS servers: timer response-timeout seconds (Optional. By default, the response timeout time is five seconds.)
  • Page 503: Displaying And Maintaining Radius Protocol Configuration

    Displaying and Maintaining RADIUS Protocol Configuration
    Display RADIUS message statistics about the local RADIUS server: display local-server statistics
    Display configuration information about one specific or all RADIUS schemes: display radius scheme [ radius-scheme-name ]
    Display RADIUS message ...: display radius statistics...
    (Available in any view)
  • Page 504 Network requirements In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server. A RADIUS authentication server with IP address 10.110.91.164 is connected to the switch. On the switch, set the shared key it uses to exchange messages with the authentication RADIUS server to aabbcc.
  • Page 505: Local Authentication Of Ftp/Telnet Users

    [Sysname-radius-cams] server-type Extended
    [Sysname-radius-cams] user-name-format with-domain
    [Sysname-radius-cams] quit
    # Associate the ISP domain with the RADIUS scheme.
    [Sysname] domain cams
    [Sysname-isp-cams] scheme radius-scheme cams
    A Telnet user logging into the switch by a name in the format of userid@cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain.
  • Page 506: Hwtacacs Authentication And Authorization Of Telnet Users

    # Configure an authentication scheme for the default "system" domain.
    [Sysname] domain system
    [Sysname-isp-system] scheme local
    A Telnet user logging into the switch with the name telnet@system belongs to the "system" domain and will be authenticated according to the configuration of the "system" domain.
    Method 2: using local RADIUS server
    This method is similar to the remote authentication method described in Remote RADIUS...
  • Page 507: Troubleshooting Aaa

    [Sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49
    [Sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49
    [Sysname-hwtacacs-hwtac] key authentication aabbcc
    [Sysname-hwtacacs-hwtac] key authorization aabbcc
    [Sysname-hwtacacs-hwtac] user-name-format without-domain
    [Sysname-hwtacacs-hwtac] quit
    # Associate the ISP domain hwtacacs with the HWTACACS scheme hwtac.
    [Sysname] domain hwtacacs
    [Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac
    Troubleshooting AAA
    Troubleshooting RADIUS Configuration
    The RADIUS protocol operates at the application layer in the TCP/IP protocol suite.
  • Page 508: Troubleshooting Hwtacacs Configuration

    Troubleshooting HWTACACS Configuration See the previous section if you encounter an HWTACACS fault. 2-31...
  • Page 509: Introduction To Ead

    EAD Configuration
    Introduction to EAD
    Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 510: Ead Configuration Example

    Configuring the IP address of the security policy server.
    Associating the ISP domain with the RADIUS scheme.
    EAD is commonly used in a RADIUS authentication environment. This section mainly describes the configuration of the security policy server IP address. For other related configuration, refer to Overview.
  • Page 511 Network diagram: Figure 3-2 EAD configuration (the user is attached at Eth1/0/1; the switch reaches the Internet, the authentication servers at 10.110.91.164/16, and the security policy servers and virus patch servers at 10.110.91.166/16 and 10.110.91.168/16).
    Configuration procedure
    # Configure 802.1x on the switch. Refer to "Configuring 802.1x" in 802.1x and System Guard Configuration.
    # Configure a domain.
    <Sysname>...
  • Page 512 Table of Contents
    1 MAC Address Authentication Configuration (1-1)
    MAC Address Authentication Overview (1-1)
    Performing MAC Address Authentication on a RADIUS Server (1-1)
    Performing MAC Address Authentication Locally (1-1)
    Related Concepts (1-2)
    MAC Address Authentication Timers (1-2)
    Quiet MAC Address (1-2)
    Configuring Basic MAC Address Authentication Functions (1-2)
    MAC Address Authentication Enhanced Function Configuration (1-3)
    MAC Address Authentication Enhanced Function Configuration Task List (1-3)
    Configuring a Guest VLAN (1-4)...
  • Page 513: Mac Address Authentication Configuration

    MAC Address Authentication Configuration
    When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview, Related Concepts, Configuring Basic MAC Address Authentication Functions, MAC Address Authentication Enhanced Function Configuration, Displaying and Maintaining MAC Address Authentication Configuration, MAC Address Authentication Configuration Examples.
    MAC Address Authentication Overview
    MAC address authentication provides a way for authenticating users based on ports and MAC...
  • Page 514: Related Concepts

    format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. In fixed mode, all users' MAC addresses are automatically mapped to the configured local passwords and usernames. The service type of a local user needs to be configured as lan-access.
    Related Concepts
    MAC Address Authentication Timers
    The following timers function in the process of MAC address authentication:...
  • Page 515: Mac Address Authentication Enhanced Function Configuration

    quit
    Set the user name in MAC address mode for MAC address authentication: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] (Optional. By default, the MAC address of a user is used as the user...)
  • Page 516: Configuring A Guest Vlan

    Configuring a Guest VLAN: Optional
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port: Optional
    Configuring a Guest VLAN
    Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for a...
  • Page 517 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
  • Page 518: Configuring The Maximum Number Of Mac Address Authentication Users Allowed To Access A Port

    If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 519: Displaying And Maintaining Mac Address Authentication Configuration

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 520
    # Set the user name in MAC address mode for MAC address authentication, requiring hyphenated lowercase MAC addresses as the usernames and passwords.
    [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
    # Add a local user. Specify the user name and password.
    [Sysname] local-user 00-0d-88-f6-44-c1
    [Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
    # Set the service type to lan-access.
  • Page 521 Table of Contents
    1 Web Authentication Configuration (1-1)
    Introduction to Web Authentication (1-1)
    Web Authentication Configuration (1-1)
    Configuration Prerequisites (1-1)
    Configuring Web Authentication (1-1)
    Displaying and Maintaining Web Authentication (1-3)
    Web Authentication Configuration Example (1-3)...
  • Page 522: Web Authentication Configuration

    Web Authentication Configuration When configuring Web authentication, go to these sections for information you are interested in: Introduction to Web Authentication Web Authentication Configuration Displaying and Maintaining Web Authentication Web Authentication Configuration Example Introduction to Web Authentication Web authentication is a port-based authentication method that is used to control the network access rights of users.
  • Page 523
    Customize the Web authentication pages: web-authentication customize { corp-name corporation-text | email email-string | phone-num phonenum-string | platform-name platform-text | file web-file } (Optional. By default, there is no customized information on Web authentication pages.)
    Set the IP address and port ...: web-authentication ... (Required)...
  • Page 524: Displaying And Maintaining Web Authentication

    Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and XRN. You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect.
  • Page 525 Network diagram: Figure 1-1 Web authentication for user
    Configuration procedure
    # Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.)
    # Set the IP address and port number of the Web authentication server.
    <Sysname>...
  • Page 526
    # Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
    [Sysname] domain aabbcc.net
    # Configure domain aabbcc.net as the default user domain.
    [Sysname] domain default enable aabbcc.net
    # Reference scheme radius1 in domain aabbcc.net.
    [Sysname-isp-aabbcc.net] scheme radius-scheme radius1
    # Enable Web authentication globally.
  • Page 527 Table of Contents
    1 VRRP Configuration (1-1)
    VRRP Overview (1-1)
    Introduction to VRRP Group (1-2)
    Virtual Router Overview (1-3)
    VRRP Timer (1-5)
    VRRP Tracking (1-5)
    Operation Procedure of VRRP (1-6)
    Periodical sending of ARP packets in a VRRP Group (1-6)
    VRRP Configuration (1-7)
    Configuring Basic VRRP Functions (1-7)
    Configuring Advanced VRRP Functions (1-7)
    Displaying and Maintaining VRRP (1-9)
    VRRP Configuration Examples (1-10)...
  • Page 528: Vrrp Configuration

    VRRP Configuration
    When configuring VRRP, go to these sections for information you are interested in: VRRP Overview, VRRP Configuration, Displaying and Maintaining VRRP, VRRP Configuration Examples, Troubleshooting VRRP.
    VRRP Overview
    As shown in Figure 1-1, the following situation may occur in a stable network: all the hosts in a network set the same gateway as their next hop, whose IP address is also known as the next hop address of the default route (for example, the next hop address of the default route is 10.100.10.1 in...
  • Page 529: Introduction To Vrrp Group

    Introduction to VRRP Group
    VRRP allows you to combine a group of LAN switches (including a master and several backups) into a VRRP group. The VRRP group functions as a virtual router, forwarding packets as a gateway.
    Figure 1-2 VRRP network diagram...
  • Page 530: Virtual Router Overview

    Preemptive mode and preemption delay of a switch in a VRRP group You can configure a 5500-EI Ethernet switch to operate in preemptive mode. In non-preemptive mode, as long as a switch in a VRRP group becomes the master, it stays as the master as long as it operates normally, even if a backup is assigned a higher priority later.
  • Page 531 The virtual router IP address and the IP addresses used by the member switches in the VRRP group must belong to the same network segment. If not, the VRRP group will be in the initial state (the state before you configure the VRRP on the switches of the group). In this case, VRRP does not take effect.
  • Page 532: Vrrp Timer

    You need to configure the mapping between the IP addresses of the VRRP group and the MAC address before enabling VRRP feature on a 5500-EI Ethernet switch. If VRRP is already enabled, the system does not support this configuration. The number of virtual router IP addresses that can be mapped with the virtual router MAC address is determined by the chips of the switches in the VRRP group.
  • Page 533: Operation Procedure Of Vrrp

    Interface tracking function of the VRRP group When the VLAN interface of the master goes down, if you want the specified backup to become the master, you can use the interface tracking function. With this function enabled for the VRRP group: If the tracked VLAN interface of the master goes down, the priority of the switch decreases automatically by a specified value.
  • Page 534: Vrrp Configuration

    VRRP Configuration
    Configuring Basic VRRP Functions
    Follow these steps to configure the basic VRRP functions:
    Enter system view: system-view
    Configure response of the virtual router to ping operations: vrrp ping-enable (Optional. By default, the virtual IP address cannot be pinged.)
  • Page 535
    Configuring VRRP Tracking: Optional
    Configuring the preemptive mode and preemption delay for a switch
    Enter system view: system-view
    Enter VLAN interface view: interface Vlan-interface vlan-id
    Configure a virtual router IP address: vrrp vrid virtual-router-id ... (Required)...
  • Page 536: Vlan-Interface

    Configuring VRRP Tracking
    Follow these steps to configure VRRP tracking:
    Enter system view: system-view
    Enter VLAN interface view: interface Vlan-interface vlan-id
    Configure a virtual router IP address: vrrp vrid virtual-router-id virtual-ip virtual-address (Required)
    Enable the interface tracking ...: vrrp vrid virtual-router-id track ... (Optional)...
  • Page 537: Vrrp Configuration Examples

    VRRP Configuration Examples
    Single-VRRP Group Configuration
    Network requirements
    Host A uses the VRRP virtual router comprising switch A and switch B as its default gateway to visit host B on the Internet. The information about the VRRP group is as follows:
    VRRP group ID: 1
    Virtual router IP address: 202.38.160.111/24
    Master: Switch A...
  • Page 538: Configure Vlan

    <LSW-A> system-view
    [LSW-A] vlan 3
    [LSW-A-vlan3] port Ethernet1/0/10
    [LSW-A-vlan3] quit
    [LSW-A] interface Vlan-interface 3
    [LSW-A-Vlan-interface3] ip address 10.100.10.2 255.255.255.0
    [LSW-A-Vlan-interface3] quit
    # Configure VLAN 2.
    [LSW-A] vlan 2
    [LSW-A-vlan2] port Ethernet 1/0/6
    [LSW-A-vlan2] quit
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
    [LSW-A-Vlan-interface2] quit
    # Enable a VRRP group to respond to ping operations destined for its virtual router IP address.
  • Page 539: Vrrp Tracking Interface Configuration

    [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
    [LSW-B-Vlan-interface2] quit
    # Enable a VRRP group to respond to ping operations destined for its virtual router IP address.
    [LSW-B] vrrp ping-enable
    # Create a VRRP group.
    [LSW-B] interface vlan 2
    [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
    # Configure the preemptive mode for the VRRP group.
  • Page 540 Configuration procedure
    Configure Switch A.
    # Configure VLAN 3.
    <LSW-A> system-view
    [LSW-A] vlan 3
    [LSW-A-vlan3] port Ethernet1/0/10
    [LSW-A-vlan3] quit
    [LSW-A] interface Vlan-interface 3
    [LSW-A-Vlan-interface3] ip address 10.100.10.2 255.255.255.0
    [LSW-A-Vlan-interface3] quit
    # Configure VLAN 2.
    [LSW-A] vlan 2
    [LSW-A-vlan2] port Ethernet 1/0/6
    [LSW-A-vlan2] quit
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0...
  • Page 541: Multiple-Vrrp Group Configuration

    [LSW-B-vlan2] quit
    [LSW-B] interface Vlan-interface 2
    [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
    [LSW-B-Vlan-interface2] quit
    # Allow the virtual router IP address to be pinged.
    [LSW-B] vrrp ping-enable
    # Create a VRRP group.
    [LSW-B] interface Vlan-interface 2
    [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
    # Configure the authentication key for the VRRP group.
  • Page 542

    Network diagram
    Figure 1-5 Network diagram for multiple-VRRP group configuration (figure: Host B 10.2.3.1/24 on the Internet; Switch A Vlan-int3 10.100.10.2/24 and Switch B Vlan-int3 10.100.10.3/24; Switch A Vlan-int2 202.38.160.1/24 and Switch B Vlan-int2 202.38.160.2/24; VRRP group 1 and VRRP group 2 with virtual IP addresses 202.38.160.112/24 and 202.38.160.111/24; 202.38.160.3/24 and 202.38.160.4/24; Host A...)
  • Page 543: Port Tracking Configuration Examples

    Configure Switch B.
    # Configure VLAN 3.
    <LSW-B> system-view
    [LSW-B] vlan 3
    [LSW-B-vlan3] port Ethernet1/0/10
    [LSW-B-vlan3] quit
    [LSW-B] interface Vlan-interface 3
    [LSW-B-Vlan-interface3] ip address 10.100.10.3 255.255.255.0
    [LSW-B-Vlan-interface3] quit
    # Configure VLAN 2.
    [LSW-B] vlan 2
    [LSW-B-vlan2] port Ethernet 1/0/6
    [LSW-B-vlan2] quit
    [LSW-B] interface Vlan-interface 2
    [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
    # Create VRRP group 1.
  • Page 544

    Network diagram
    Figure 1-6 Network diagram for VRRP port tracking configuration (figure: Network; Vlan-int3 10.100.10.2/24; Master and Backup, each with virtual IP address 202.38.160.111/24; actual IP addresses on Vlan-int2 202.38.160.1/24 and 202.38.160.2/24; Layer 2 Switch)
    Configuration procedure
    Configure the master switch.
  • Page 545: Troubleshooting Vrrp

    [Sysname] interface Ethernet1/0/1
    [Sysname-Ethernet1/0/1] vrrp Vlan-interface 2 vrid 1 track reduced 50
    Troubleshooting VRRP
    You can locate VRRP problems through the configuration and debugging information. Here are some possible symptoms you might meet and the corresponding troubleshooting methods.
    Symptom 1: Frequent prompts of configuration errors on the console
    This indicates that incorrect VRRP packets are received.
  • Page 546

    Table of Contents
    1 ARP Configuration ····· 1-1
    Introduction to ARP ····· 1-1
    ARP Function ····· 1-1
    ARP Message Format ····· 1-1
    ARP Table ····· 1-3
    ARP Process ····· 1-3
    Introduction to Gratuitous ARP ····· 1-4
    Configuring ARP ····· 1-5
    Configuring Gratuitous ARP ····· 1-5
    Displaying and Debugging ARP ····· 1-6
    ARP Configuration Examples ····· 1-6
    2 ARP Attack Defense Configuration ····· 2-1
    ARP Attack Defense Configuration ····· 2-1
    Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn ····· 2-1...
  • Page 547

    Resilient ARP Configuration Example ····· 4-2...
  • Page 548: Arp Configuration

    ARP Configuration
    When configuring ARP, go to these sections for information you are interested in:
    Introduction to ARP
    Configuring ARP
    Configuring Gratuitous ARP
    Displaying and Debugging ARP
    ARP Configuration Examples
    Support for ARP attack defense is added. For details, refer to ARP Attack Defense Configuration.
  • Page 549

    Figure 1-1 ARP message format (figure: fields Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender...)
  • Page 550: Arp Table

    Value / Description (table continued): Chaos; IEEE802.X; ARC network
    ARP Table
    In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 551: Introduction To Gratuitous Arp

    mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
  • Page 552: Configuring Arp

    Configuring ARP
    Follow these steps to configure ARP basic functions:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Add a static ARP entry: arp static ip-address mac-address [ vlan-id interface-type interface-number ] (Optional. By default, the ARP mapping table is empty, and entries are created dynamically by ARP.)
  • Page 553: Displaying And Debugging Arp

    The sending of gratuitous ARP packets is enabled as long as an S5500-EI switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VLAN interface is changed.
  • Page 554

    [Sysname-Vlan-interface1] quit
    [Sysname] arp timer aging 10
    [Sysname] arp static 192.168.1.1 000f-e201-0000 1 Ethernet 1/0/10...
  • Page 555: Arp Attack Defense Configuration

    ARP Attack Defense Configuration
    ARP Attack Defense Configuration
    Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
    Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn
    To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on...
  • Page 556

    Figure 2-1 Network diagram for ARP man-in-the-middle attack
    ARP attack detection
    To guard against the man-in-the-middle attacks launched by hackers or attackers, S5500-EI series Ethernet switches support the ARP attack detection function. After you enable ARP attack detection for a VLAN, when the device receives an ARP request or response packet on an ARP untrusted port, it delivers the ARP packet to the CPU to check the validity of the packet.
  • Page 557: Introduction To Arp Packet Rate Limit

    For details about DHCP Snooping and IP static binding, refer to DHCP Operation. For details about 802.1x authentication, refer to 802.1x and System Guard Operation.
    ARP restricted forwarding
    With the ARP restricted forwarding function enabled, ARP request packets are forwarded through trusted ports only;...
  • Page 558: Configuring Arp Attack Defense

    Figure 2-2 Gateway spoofing attack To prevent gateway spoofing attacks, an S5500-EI series Ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter ARP packets based on the gateway’s address. To filter APR attack packets arriving on a downstream port, you can bind the gateway’s IP address to the downstream port (directly connected to hosts) of the switch.
  • Page 559: Configuring The Maximum Number Of Dynamic Arp Entries That A Vlan Interface Can Learn

    Task / Remarks:
    Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn (Optional. The switch serves as a gateway.)
    Configuring ARP Source MAC Address Consistency Check (Optional. The switch serves as a gateway or an access device.)
    ARP Packet Filtering Based on Gateway’s Address (Optional. The switch serves as an access device.)
  • Page 560: Configuring Arp Attack Detection

    To do… / Use the command… / Remarks:
    Enter Ethernet port view: interface interface-type interface-number (—)
    Configure ARP packet filtering based on the gateway’s IP address: arp filter source ip-address (Required. Not configured by default.)
    Follow these steps to configure ARP packet filtering based on gateway’s IP and MAC address:
    To do…...
  • Page 561: Configuring The Arp Packet Rate Limit Function

    To do… / Use the command… / Remarks:
    Specify the current port as a trusted port: dhcp-snooping trust (Optional. After DHCP snooping is enabled, you need to configure the upstream port connected to the DHCP server as a trusted port.)
    Configure the port as an ARP … (Optional. By default, a port is an ARP untrusted port.)
  • Page 562: Arp Attack Defense Configuration Example

    To do… / Use the command… / Remarks:
    Enable the ARP packet rate limit function: arp rate-limit enable (Required. By default, the ARP packet rate limit function is disabled on a port.)
    Configure the maximum ARP packet rate allowed on the port: arp rate-limit rate (Optional. By default, the maximum ARP packet rate allowed on a port is...)
  • Page 563

    Network diagram
    Figure 2-3 ARP attack detection and packet rate limit configuration
    Configuration procedure
    # Enable DHCP snooping on Switch A.
    <SwitchA> system-view
    [SwitchA] dhcp-snooping
    # Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
    [SwitchA] interface Ethernet 1/0/1
    [SwitchA-Ethernet1/0/1] dhcp-snooping trust
    [SwitchA-Ethernet1/0/1] arp detection trust...
  • Page 564: Arp Attack Defense Configuration Example Ii

    ARP Attack Defense Configuration Example II
    Network Requirements
    Host A and Host B are connected to Gateway through an access switch (Switch). The IP and MAC addresses of Gateway are 192.168.100.1/24 and 000D-88F8-528C. To prevent gateway spoofing attacks from Host A and Host B, configure ARP packet filtering based on the gateway’s IP and MAC addresses on Switch.
  • Page 565: Arp Attack Defense Configuration Example Iii

    ARP Attack Defense Configuration Example III
    Network Requirements
    Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding:
    Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header.
  • Page 566

    Enable ARP attack detection based on bindings of authenticated 802.1x clients on the switch to prevent ARP attacks.
    Network Diagram
    Figure 2-6 Network diagram for 802.1x based ARP attack defense
    Configuration Procedures
    # Enter system view.
    <Switch> system-view
    # Enable 802.1x authentication globally.
    [Switch] dot1x
    # Enable ARP attack detection for VLAN 1.
  • Page 567: Proxy Arp Configuration

    Proxy ARP Configuration
    When configuring proxy ARP, go to these sections for information you are interested in:
    Proxy ARP Overview
    Configuring Proxy ARP
    Proxy ARP Configuration Examples
    Proxy ARP Overview
    Introduction to Proxy ARP
    If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host to be on the same network according to the destination IP address and mask), the device in between must be able to respond to the request with the MAC address of the receiving interface to allow Layer 3 communication between the two hosts.
  • Page 568: Local Proxy Arp

    Host A and Host D are on different subnetworks. When Host A (192.168.0.22/16) needs to send packets to Host D (192.168.1.30/16), because the masks of the two hosts are both 16 bits, Host A regards Host D as being on its directly connected subnetwork, and thus Host A broadcasts an ARP request for the MAC address of Host D.
  • Page 569: Proxy Arp Configuration Examples

    To do… / Use the command… / Remarks:
    Enter VLAN interface view: interface vlan-interface vlan-id (—)
    Enable common proxy ARP: arp proxy enable (Required. Disabled by default.)
    Enable local proxy ARP: local-proxy-arp enable (Required. Disabled by default.)
    Display common and local proxy ARP configuration: display arp proxy [ interface vlan-interface ... (Available in any view)...
  • Page 570: Local Proxy Arp Configuration In Port Isolation Application

    [Switch-Vlan-interface3] quit
    # Configure the IP address of VLAN-interface 4 to be 192.168.1.27/24.
    [Switch] interface Vlan-interface 4
    [Switch-Vlan-interface4] ip address 192.168.1.27 24
    [Switch-Vlan-interface4] quit
    # Enter VLAN-interface 3 view, and enable common proxy ARP on it.
    [Switch] interface Vlan-interface 3
    [Switch-Vlan-interface3] arp proxy enable
    [Switch-Vlan-interface3] quit
    # Enter VLAN-interface 4 view, and enable common proxy ARP on it.
  • Page 571

    [SwitchB-Ethernet1/0/3] quit
    Configure Switch A
    # Configure local proxy ARP on VLAN-interface 1, enabling Host A and Host B to communicate at Layer
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 1
    [SwitchA-Vlan-interface1] local-proxy-arp enable
    [SwitchA-Vlan-interface1] quit...
  • Page 572: Resilient Arp Configuration

    Resilient ARP Configuration
    When configuring resilient ARP, go to these sections for information you are interested in:
    Introduction to Resilient ARP
    Configuring Resilient ARP
    Resilient ARP Configuration Example
    Introduction to Resilient ARP
    In an expandable resilient networking (XRN) network application, you normally need to connect redundant links between the fabric and other devices to support the resilient network.
  • Page 573: Resilient Arp Configuration Example

    To do… / Use the command… / Remarks:
    Configure the VLAN interface through which Resilient packets are sent: resilient-arp interface vlan-interface vlan-id (Optional. By default, Resilient ARP packets are sent through the interface of VLAN 1 (VLAN-interface 1).)
    Display information about the Resilient ARP state: display resilient-arp [ unit ... (Available in any view)...
  • Page 574

    Table of Contents
    1 DHCP Overview ····· 1-1
    Introduction to DHCP ····· 1-1
    DHCP IP Address Assignment ····· 1-2
    IP Address Assignment Policy ····· 1-2
    Obtaining IP Addresses Dynamically ····· 1-2
    Updating IP Address Lease ····· 1-3
    DHCP Packet Format ····· 1-3
    Protocol Specification ····· 1-4
    2 DHCP Server Configuration ····· 2-1
    Introduction to DHCP Server ····· 2-1
    Usage of DHCP Server ····· 2-1
    DHCP Address Pool ····· 2-1
    DHCP IP Address Preferences ····· 2-3...
  • Page 575

    Configuring IP Address Detecting ····· 2-24
    Configuring DHCP Accounting Functions ····· 2-25
    Introduction to DHCP Accounting ····· 2-25
    DHCP Accounting Fundamentals ····· 2-25
    DHCP Accounting Configuration ····· 2-26
    Enabling the DHCP Server to Process Option 82 ····· 2-26
    Displaying and Maintaining the DHCP Server ····· 2-27
    DHCP Server Configuration Examples ····· 2-27
    DHCP Server Configuration Example ····· 2-27
    DHCP Server with Option 184 Support Configuration Example ····· 2-29
    DHCP Accounting Configuration Example ····· 2-30...
  • Page 576

    Introduction to BOOTP Client ····· 6-1
    Configuring a DHCP/BOOTP Client ····· 6-2
    DHCP Client Configuration Example ····· 6-3
    BOOTP Client Configuration Example ····· 6-3
    Displaying DHCP/BOOTP Client Configuration ····· 6-3...
  • Page 577: Dhcp Overview

    DHCP Overview
    When configuring DHCP, go to these sections for information you are interested in:
    Introduction to DHCP
    DHCP IP Address Assignment
    DHCP Packet Format
    Protocol Specification
    IP filtering based on authenticated 802.1x clients is added. For details, refer to Configuring IP Filtering.
  • Page 578: Dhcp Ip Address Assignment

    DHCP IP Address Assignment
    IP Address Assignment Policy
    Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:
    Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients.
  • Page 579: Updating Ip Address Lease

    After the client receives the DHCP-ACK message, it will probe whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
  • Page 580: Protocol Specification

    htype, hlen: Hardware address type and length of the DHCP client.
    hops: Number of DHCP relay agents that a DHCP packet has passed through. For each DHCP relay agent that the DHCP request packet passes through, the field value increases by 1.
    xid: Random number that the client selects when it initiates a request. The number is used to identify an address-requesting process.
  • Page 581: Dhcp Server Configuration

    DHCP Server Configuration
    When configuring the DHCP server, go to these sections for information you are interested in:
    Introduction to DHCP Server
    DHCP Server Configuration Task List
    Enabling DHCP
    Configuring the Global Address Pool Based DHCP Server
    Configuring the Interface Address Pool Based DHCP Server
    Configuring DHCP Server Security Functions
    Configuring DHCP Accounting Functions
    Enabling the DHCP Server to Process Option 82...
  • Page 582 Types of address pool The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
  • Page 583: Dhcp Ip Address Preferences

    If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
  • Page 584: Dhcp Server Configuration Task List

    When you merge two or more XRN systems into one XRN system, a new master unit is elected, and the new XRN system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new XRN system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
  • Page 585: Configuring The Global Address Pool Based Dhcp Server

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After DHCP is enabled with the dhcp enable command, if the DHCP server and DHCP relay agent functions are not configured, UDP ports 67 and 68 are kept disabled;...
  • Page 586: Creating A Dhcp Global Address Pool

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Configure the specified interface(s) or all the interfaces to operate in global address …, for the current interface: interface interface-type interface-number, dhcp select global, quit (Optional. By default, the interface operates in global address …)
    Configure multiple …: dhcp select global { interface...
  • Page 587

    Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID.
    Follow these steps to configure the static IP address allocation mode:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)...
  • Page 588

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 589: Configuring A Domain Name Suffix For The Dhcp Client

    In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
  • Page 590: Configuring Wins Servers For The Dhcp Client

    Configuring WINS Servers for the DHCP Client
    For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers, so you need to perform WINS-related configuration for most Windows-based hosts. To implement host name-to-IP address translation for DHCP clients, you should enable the DHCP server to assign WINS server addresses when assigning IP addresses to DHCP clients.
  • Page 591: Configuring Gateways For The Dhcp Client

    Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
  • Page 592

    Meanings of the sub-options for Option 184
    Table 2-1 Meanings of the sub-options for Option 184 (columns: Sub-option, Feature, Function, Note)
    NCP-IP: The IP address of the NCP server carried by sub-option 1 of Option 184 is intended for... / When used in Option 184, this sub-option... / The NCP-IP sub-option...
  • Page 593 Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients. Supposing that the DHCP clients are on the same segment as the DHCP server, the mechanism of Option 184 on the DHCP server is as follows: A DHCP client sends to the DHCP server a request packet carrying Option 55, which indicates the client requests the configuration parameters of Option 184.
  • Page 594: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Configuring the TFTP Server and Bootfile Name for the DHCP Client This task is to specify the IP address and name of a TFTP server and the bootfile name in the DHCP global address pool. The DHCP clients use these parameters to contact the TFTP server, requesting the configuration file used for system initialization, which is called auto-configuration.
  • Page 595: Configuring The Interface Address Pool Based Dhcp Server

    To do… / Use the command… / Remarks:
    Configure a self-defined DHCP option: option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } (Required. Not configured by default.)
    Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process.
  • Page 596: Enabling The Interface Address Pool Mode On Interface

    Task / Remarks:
    Enabling the Interface Address Pool Mode on Interface(s) (Required)
    Configuring an Address Allocation Mode for an Interface Address Pool: Configuring the static IP address allocation mode; Configuring the dynamic IP address allocation mode (One of the two options is required. And these two options can be configured at the same time.)
  • Page 597: Configuring An Address Allocation Mode For An Interface Address Pool

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 598 The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same network segment. There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.
  • Page 599: Configuring A Domain Name Suffix For The Dhcp Client

    The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.
  • Page 600: Configuring Wins Servers For The Dhcp Client

    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Configure DNS server addresses for DHCP clients, for the current interface: interface interface-type interface-number, dhcp server dns-list ip-address&<1-8>, quit (Required. By default, no DNS server address is configured.)
    Configure multiple …: dhcp server dns-list ip-address&<1-8> …
  • Page 601: Configuring Bims Server Information For The Dhcp Client

    Follow these steps to configure WINS servers for the DHCP client:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Configure WINS server addresses for …, for the current interface: interface interface-type interface-number, dhcp server nbns-list ip-address&<1-8>, quit (Required. By default, no WINS server …)
    Configure...
  • Page 602: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Follow these steps to configure Option 184 parameters for the client with voice service:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enter interface view: interface interface-type interface-number (—)
    Specify the primary network calling …: dhcp server voice-config ncp-ip ip-address (Required. Not specified by …)...
  • Page 603: Configuring A Self-Defined Dhcp Option

    Follow these steps to configure the TFTP server and bootfile name for the DHCP client:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enter interface view: interface interface-type interface-number (—)
    Specify the IP address and name of …, Specify the TFTP server …: dhcp server tftp-server ip-address...
  • Page 604: Configuring Dhcp Server Security Functions

    Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process.
    Configuring DHCP Server Security Functions
    DHCP security configuration is needed to ensure the security of DHCP service.
    Prerequisites
    Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).
  • Page 605: Configuring Dhcp Accounting Functions

    will assign the IP address to the requesting client (the DHCP client probes the IP address by sending gratuitous ARP packets).
    Follow these steps to configure IP address detecting:
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Specify the number of ping …: dhcp server ping packets... (Optional)
  • Page 606: Dhcp Accounting Configuration

    DHCP Accounting Configuration
    Prerequisites
    Before configuring DHCP accounting, make sure that:
    The DHCP server is configured and operates properly.
    Address pools and lease time are configured.
    DHCP clients are configured and DHCP service is enabled.
    The network operates properly.
    Configuring DHCP Accounting
    Follow these steps to configure DHCP accounting:
    To do…...
  • Page 607: Displaying And Maintaining The Dhcp Server

    Displaying and Maintaining the DHCP Server
    To do… / Use the command… / Remarks:
    Display the statistics on IP address conflicts: display dhcp server conflict { all | ip ip-address }
    Display lease expiration information: display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }...
  • Page 608 The IP addresses of VLAN-interface 1 and VLAN-interface 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25 respectively. In the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2, gateway 10.1.1.126, and WINS server 10.1.1.4.
  • Page 609: Dhcp Server With Option 184 Support Configuration Example

    DHCP Server with Option 184 Support Configuration Example Network requirements A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. A switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool.
  • Page 610: Dhcp Accounting Configuration Example

    DHCP client 3COM VCX Configuration procedure Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of Option 184. (Configuration process omitted) Configure the DHCP server. # Enter system view.
  • Page 611 Ethernet 1/0/1 belongs to VLAN 2; Ethernet 1/0/2 belongs to VLAN 3. The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0.
  • Page 612: Troubleshooting A Dhcp Server

    [Sysname-radius-123] primary accounting 10.1.2.2 [Sysname] domain 123 [Sysname-isp-123] scheme radius-scheme 123 [Sysname-isp-123] quit # Create an address pool on the DHCP server. [Sysname] dhcp server ip-pool test [Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0 # Enable DHCP accounting. [Sysname-dhcp-pool-test] accounting domain 123 Troubleshooting a DHCP Server Symptom The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of...
  • Page 613: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Example Troubleshooting DHCP Relay Agent Configuration Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 614: Option 82 Support On Dhcp Relay Agent

    Figure 3-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 615: Configuring The Dhcp Relay Agent

    Figure 3-2 Padding contents for sub-option 1 of Option 82 Figure 3-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 616: Dhcp Relay Agent Configuration Task List

    If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Enabling DHCP...
  • Page 617: Configuring Dhcp Relay Agent Security Functions

    To improve security and avoid malicious attacks on unused sockets, S5500-EI Ethernet switches provide the following functions: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled.
  • Page 618 (To do… / Use the command… / Remarks):
    Create a static IP-to-MAC binding (Optional): dhcp-security static ip-address mac-address — Not created by default.
    Enter interface view: interface interface-type interface-number — —
    Enable the address checking function (Required): address-check enable — Disabled by default. The address-check enable command is independent of other commands of the DHCP relay agent.
  • Page 619: Configuring The Dhcp Relay Agent To Support Option

    Currently, the DHCP relay agent handshake function on an S5500-EI series switch can only interoperate with a Windows 2000 DHCP server. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
  • Page 620: Displaying And Maintaining Dhcp Relay Agent Configuration

    (To do… / Use the command… / Remarks):
    Enable Option 82 support on the DHCP relay agent (Required): dhcp relay information enable — Disabled by default.
    Configure the strategy for the DHCP relay agent to process request packets containing Option 82 (Optional): dhcp relay information strategy { drop | keep | replace } — By default, the replace strategy...
  • Page 621: Troubleshooting Dhcp Relay Agent Configuration

    Network diagram: [Figure 3-4 Network diagram for DHCP relay agent: DHCP clients, Switch A (DHCP relay) and Switch B (DHCP server), with VLAN interfaces 10.10.1.1/24, 10.1.1.2/24 and 10.1.1.1/24] Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA>...
  • Page 622 Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is configured between the DHCP relay agent and the DHCP server. Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
  • Page 623: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview Configuring DHCP Snooping Displaying and Maintaining DHCP Snooping Configuration DHCP Snooping Configuration Examples DHCP Snooping Overview Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 624: Introduction To Dhcp-Snooping Option 82

    Figure 4-1 Typical network diagram for DHCP snooping application DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: DHCP-REQUEST packet DHCP-ACK packet Introduction to DHCP-Snooping Option 82 Introduction to Option 82...
  • Page 625 Figure 4-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S5500-EI Series Ethernet Switches support Option 82 in the standard format.
  • Page 626: Introduction To Ip Filtering

    When receiving a DHCP client’s request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 4-2. Table 4-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will …...
  • Page 627: Configuring Dhcp Snooping

    client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, thus it cannot access external networks. To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between IP address, MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.
  • Page 628: Configuring Dhcp Snooping To Support Option 82

    If an S5500-EI Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
  • Page 629 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82 (To do… / Use the command… / Remarks):
    Enter system view: system-view — —
    Configure a global handling policy for requests that contain Option 82 (Optional): dhcp-snooping information strategy { drop | keep |...
  • Page 630 (To do… / Use the command… / Remarks):
    Enter Ethernet port view: interface interface-type interface-number — —
    Configure the circuit ID sub-option in Option 82 (Optional): dhcp-snooping information [ vlan vlan-id ] circuit-id string string — By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients...
  • Page 631: Configuring Ip Filtering

    If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. If you have configured a remote ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former remote ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs.
  • Page 632: Displaying And Maintaining Dhcp Snooping Configuration

    For details about 802.1x authentication, refer to 802.1x and System Guard Operation. It is not recommended to configure IP filtering on the ports of an aggregation group. Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering based on the DHCP-snooping table.
  • Page 633: Dhcp Snooping Configuration Examples

    DHCP Snooping Configuration Examples DHCP-Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 4-6, Ethernet 1/0/5 of the switch is connected to the DHCP server, and Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 are respectively connected to Client A, Client B, and Client C. Enable DHCP snooping on the switch.
  • Page 634: Ip Filtering Configuration Example

    [Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd IP Filtering Configuration Example Network requirements As shown in Figure 4-7, Ethernet 1/0/1 of the S5500-EI switch is connected to the DHCP server and Ethernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A are 1.1.1.1 and 0001-0001-0001 respectively.
  • Page 635 [Switch-Ethernet1/0/2] quit [Switch] interface ethernet 1/0/3 [Switch-Ethernet1/0/3] ip check source ip-address mac-address [Switch-Ethernet1/0/3] quit [Switch] interface ethernet 1/0/4 [Switch-Ethernet1/0/4] ip check source ip-address mac-address [Switch-Ethernet1/0/4] quit # Create static binding entries on Ethernet 1/0/2 of the switch. [Switch] interface ethernet 1/0/2 [Switch-Ethernet1/0/2] source static...
  • Page 636: Dhcp Packet Rate Limit Configuration

    DHCP Packet Rate Limit Configuration When configuring the DHCP packet rate limit function, go to these sections for information you are interested in: Introduction to DHCP Packet Rate Limit Configuring DHCP Packet Rate Limit Rate Limit Configuration Example Introduction to DHCP Packet Rate Limit To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets will be processed by the switch CPU for validity checking.
  • Page 637: Configuring Port State Auto Recovery

    (To do… / Use the command… / Remarks):
    Enter port view: interface interface-type interface-number — —
    Enable the DHCP packet rate limit function (Required): dhcp rate-limit enable — By default, DHCP packet rate limit is disabled.
    Configure the maximum DHCP packet rate allowed on the port (Optional): dhcp rate-limit rate — By default, the maximum rate is 15...
  • Page 638 Configure DHCP packet rate limit on Ethernet 1/0/11 and set the maximum DHCP packet rate allowed on the port to 100 pps. Set the port state auto-recovery interval to 30 seconds on the switch. Networking diagram Figure 5-1 Network diagram for DHCP packet rate limit configuration Configuration procedure # Enable DHCP snooping on the switch.
  • Page 639: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: Introduction to DHCP Client Introduction to BOOTP Client Configuring a DHCP/BOOTP Client Displaying DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management.
  • Page 640: Configuring A Dhcp/Bootp Client

    Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client (To do… / Use the command… / Remarks):
    Enter system view: system-view — —
    Enter VLAN interface view: interface vlan-interface vlan-id — —
    Configure the VLAN interface to obtain an IP address through BOOTP or DHCP (Required): ip address { bootp-alloc | dhcp-alloc } — By default, no IP address is...
  • Page 641: Dhcp Client Configuration Example

    DHCP Client Configuration Example Network requirements Using DHCP, VLAN-interface 1 of Switch B is connected to the LAN to obtain an IP address from the DHCP server. Network diagram Figure 2-1. Configuration procedure The following describes only the configuration on Switch B serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
  • Page 642 Table of Contents
    1 ACL Configuration 1-1
    ACL Overview 1-1
    ACL Matching Order 1-1
    Ways to Apply an ACL on a Switch 1-2
    Types of ACLs Supported by Switch 5500-EI Series 1-3
    ACL Configuration Task List 1-3
    Configuring Time Range...
  • Page 643: Acl Configuration

    ACL Configuration When configuring ACL, go to these sections for information you are interested in: ACL Overview ACL Configuration Task List Displaying and Maintaining ACL Configuration Examples for Upper-layer Software Referencing ACLs Examples for Applying ACLs to Hardware ACL Overview As the network scale and network traffic are increasingly growing, security control and bandwidth assignment play a more and more important role in network management.
  • Page 644: Ways To Apply An Acl On A Switch

    config: where rules in an ACL are matched in the order defined by the user. auto: where rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule (Layer 2 ACLs and user-defined ACLs do not support this feature).
  • Page 645: Types Of Acls Supported By Switch 5500-Ei Series

    Filtering the packets to be forwarded Being referenced by upper-level software ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways: config, where rules in an ACL are matched in the order defined by the user.
  • Page 646: Configuring Time Range

    (Task / Remarks):
    Configuring Advanced ACL — Required
    Configuring Layer 2 ACL — Required
    Configuring User-defined ACL — Required
    Applying ACL Rules on Ports — Required
    Applying ACL Rules to Ports in a VLAN — Required
    Configuring Time Range Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL.
  • Page 647: Configuring Basic Acl

    If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the absolute time sections.
  • Page 648 Configuration procedure Follow these steps to define a basic ACL rule (To do... / Use the command... / Remarks):
    Enter system view: system-view — —
    Create an ACL and enter basic ACL view (Required): acl number acl-number [ match-order { auto | config } ] — config by default
    (Required) rule [ rule-id ] { deny |...
  • Page 649: Configuring Advanced Acl

    Configuring Advanced ACL An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code. An advanced ACL can be numbered from 3000 to 3999. Note that ACL 3998 and ACL 3999 cannot be configured because they are reserved for cluster management.
  • Page 650: Configuring Layer 2 Acl

    number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical to the content of any existing rule;...
  • Page 651: Configuring User-Defined Acl

    (To do... / Use the command... / Remarks):
    Create a Layer 2 ACL and enter Layer 2 ACL view (Required): acl number acl-number
    Define an ACL rule (Required): rule [ rule-id ] { permit | deny } rule-string — For information about rule-string, refer to ACL Commands.
  • Page 652 A user-defined ACL can be numbered from 5000 to 5999. Configuration prerequisites To configure a time range-based user-defined ACL rule, you need to define the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range. Configuration procedure Follow these steps to define a user-defined ACL rule: To do...
  • Page 653: Use The Command

    number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical to the content of any existing rule; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists.
  • Page 654: Applying Acl Rules To Ports In A Vlan

    [Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000 Applying ACL Rules to Ports in a VLAN By applying ACL rules to ports in a VLAN, you can add filtering of packets on all the ports in the VLAN. Note: The ACL rules are only applied to ports that are in the VLAN at the time the packet-filter vlan command is executed.
  • Page 655: Examples For Upper-Layer Software Referencing Acls

    (To do... / Use the command... / Remarks):
    Display information about packet filtering: display packet-filter { interface interface-type interface-number | unitid unit-id }
    Display information about ACL resources: display drv qacl_resource
    Examples for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switch.
  • Page 656: Examples For Applying Acls To Hardware

    Network diagram: [Figure 1-2 Network diagram for controlling Web login users by source IP: Internet, Switch, host 10.110.100.46] Configuration procedure # Define ACL 2001. <Sysname> system-view [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 Examples for Applying ACLs to Hardware Basic ACL Configuration Example...
  • Page 657: Advanced Acl Configuration Example

    Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test [Sysname-acl-basic-2000] quit # Apply ACL 2000 on Ethernet 1/0/1.
  • Page 658: Layer 2 Acl Configuration Example

    # Apply ACL 3000 on Ethernet 1/0/1. [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] packet-filter inbound ip-group 3000 Layer 2 ACL Configuration Example Network requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1's MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012 from 8:00 to 18:00 every day.
  • Page 659: User-Defined Acl Configuration Example

    User-defined ACL Configuration Example Network requirements As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1).
  • Page 660: Example For Applying An Acl To A Vlan

    Example for Applying an ACL to a VLAN Network requirements PC 1, PC 2 and PC 3 belong to VLAN 10 and connect to the switch through Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 respectively. The IP address of the database server is 192.168.1.2.
  • Page 661 Table of Contents
    1 QoS Configuration 1-1
    Overview 1-1
    Introduction to QoS 1-1
    Traditional Packet Forwarding Service 1-1
    New Applications and New Requirements 1-1
    Major Traffic Control Techniques 1-2
    QoS Supported By Switch 5500-EI Series 1-3
    Introduction to QoS Functions...
  • Page 662
    2 QoS Profile Configuration 2-1
    Overview 2-1
    Introduction to QoS Profile 2-1
    QoS Profile Application Mode 2-1
    QoS Profile Configuration Task List 2-2
    Configuring a QoS Profile 2-2
    Applying a QoS Profile 2-3
    Displaying and Maintaining QoS Profile Configuration 2-4
    Configuration Example...
  • Page 663: Qos Configuration

    QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Supported By Switch 5500-EI Series QoS Configuration Displaying and Maintaining QoS QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 664: Major Traffic Control Techniques

    Besides the traditional applications such as WWW, E-mail, and FTP, new services are being developed on the Internet, such as tele-education, telemedicine, video telephone, videoconferencing and Video-on-Demand (VoD). Enterprise users expect to connect their regional branches together using VPN techniques for daily business, for instance accessing databases or managing remote equipment through Telnet.
  • Page 665: Qos Supported By Switch 5500-Ei Series

    Congestion management handles resource competition during network congestion. Generally, it adds packets to queues first, and then forwards the packets by using a scheduling algorithm. Congestion management is usually applied in the outbound direction of a port. Congestion avoidance monitors the use of network resources and actively drops packets when congestion reaches a certain degree.
  • Page 666: Traffic Classification

    (QoS Feature / Description / Refer to …):
    Congestion avoidance — WRED — For information about congestion avoidance and WRED, refer to Congestion Avoidance.
    Congestion management — The Switch 5500-EI series support SP, WFQ, and WRR queue scheduling algorithms and support the following five queue scheduling modes: — For information about SP, WFQ, and WRR, refer to...
  • Page 667: Priority Trust Mode

    Priority Trust Mode Introduction to precedence types 1) IP precedence, ToS precedence, and DSCP precedence Figure 1-2 DS field and ToS byte The ToS field in an IP header contains eight bits numbered 0 through 7, among which the first three bits indicate IP precedence in the range 0 to 7. Bit 3 to bit 6 indicate ToS precedence in the range of 0 to 15.
  • Page 668 service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses; Best Effort (BE) class: This class is a special class without any assurance in the CS class.
  • Page 669 2) 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
  • Page 670 Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to one of the eight hardware output queues. Packets with the highest local precedence are processed preferentially. As local precedence is used only for internal queuing, a packet does not carry it after leaving the queue.
  • Page 671: Priority Marking

    802.1p priority; Local precedence. Protocol Priority Protocol packets generated by a switch carry their own priority. You can set a new IP precedence or DSCP precedence for the specific type of protocol packets to implement QoS. Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification.
  • Page 672 Figure 1-5 Evaluate the traffic with the token bucket Put tokens in the bucket at the set rate Packets to be sent through this port Continue to send Packet classification Token bucket Drop Evaluating the traffic with the token bucket When token bucket is used for traffic evaluation, the number of the tokens in the token bucket determines the amount of the packets that can be forwarded.
  • Page 673: Line Rate

    Drop. Drop the packet whose evaluation result is “nonconforming”. Modify the DSCP precedence and forward. Modify the DSCP precedence of the packets whose evaluation result is “nonconforming” and then forward them. Line Rate Line rate refers to limiting the total rate of inbound or outbound packets on a port. Line rate can be implemented through token buckets.
  • Page 674 Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0.
  • Page 675 Figure 1-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as: Different queues are scheduled fairly, so the delay of each flow is balanced globally.
  • Page 676: Congestion Avoidance

    Figure 1-8 Diagram for WRR queuing WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical Switch 5500-EI there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
  • Page 677: Flow-Based Traffic Accounting

    peak will then occur in a certain future time. Consequently, the network traffic jitters all the time. WRED You can use weighted random early detection (WRED) to avoid global TCP session synchronization. In WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows.
  • Page 678: Traffic Mirroring

    Traffic mirroring Traffic mirroring identifies traffic using ACLs and duplicates the matched packets to the destination mirroring port or CPU depending on your configuration. For information about port mirroring, refer to the Mirroring module of this manual. QoS Configuration Complete the following tasks to configure QoS: Task Remarks Configuring Priority Trust Mode...
  • Page 679: Configuring The Mapping Between 802.1P Priority And Local Precedence

    (To do… / Use the command… / Remarks):
    Enter Ethernet port view: interface interface-type interface-number — —
    Configure to trust port priority and configure the port priority (Optional): priority priority-level — By default, the switch trusts port priority and the priority of a port is 0.
    Follow these steps to configure to trust packet priority: To do…...
  • Page 680: Setting The Priority Of Protocol Packets

    Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence (To do… / Use the command… / Remarks):
    Enter system view: system-view — —
    Configure the mapping between 802.1p priority and local precedence (Required): qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
    Configuration example...
  • Page 681: Marking Packet Priority

    On a Switch 5500-EI, you can set the priority for protocol packets of Telnet, OSPF, SNMP, and ICMP. Configuration example Set the IP precedence of ICMP packets to 3. Display the configuration. Configuration procedure: <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3)
  • Page 682: Configuring Traffic Policing

    Table (To do / Use the command / Remarks):
      Enter Ethernet port view: interface interface-type interface-number
      Mark the priorities for packets matching specific ACL rules: traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos ... (Required. Refer to the command manual for information ...)
  • Page 683 Configuration prerequisites The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules. The rate limit for traffic policing, and the actions for the packets exceeding the rate limit have been determined.
  • Page 684: Configuring Line Rate

    Configuring Line Rate Refer to section Line Rate for information about line rate. Configuration prerequisites The port on which line rate configuration is to be performed has been determined. The target rate and the direction of rate limiting (inbound or outbound) have been determined.
  • Page 685 Configuration procedure. Follow these steps to configure traffic redirecting (To do / Use the command / Remarks):
      Enter system view: system-view
      Enter Ethernet port view: interface interface-type interface-number
      Configure traffic redirecting: traffic-redirect { inbound | outbound } acl-rule { cpu | { interface interface-type ... (Required. By default, traffic redirecting...)
  • Page 686: Configuring Vlan Mapping

    Configuring VLAN Mapping Refer to section VLAN Mapping for information about VLAN mapping. Configuration prerequisites The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules. The ports on which the configuration is to be performed have been determined. The VLAN ID to be set for the packets has been determined.
  • Page 687 Table (To do / Use the command / Remarks):
      Enter system view: system-view
      Enter Ethernet port view: interface interface-type interface-number
      Configure queue scheduling: queue-scheduler { wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr ... (Required. By default, the queue scheduling algorithm adopted on all the ports is WRR.)
  • Page 688: Configuring Wred

    Configuration example: adopt WRR for queue scheduling, setting the weights of the output queues to 2, 2, 3, 3, 4, 4, 5, and 5 (in the order queue 0 through queue 7), then verify the configuration. Configuration procedure: <Sysname> system-view [Sysname] queue-scheduler wrr 2 2 3 3 4 4 5 5 [Sysname] display queue-scheduler Queue scheduling mode: weighted round robin weight of queue 0: 2...
  • Page 689: Configuring Traffic Accounting

    Configuration procedure: <Sysname> system-view [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] wred 2 64 20 Configuring Traffic Accounting Refer to section Flow-based Traffic Accounting for information about traffic accounting. Configuration prerequisites The ACL rules for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 690: Enabling The Burst Function

    Enabling the Burst Function Refer to section Burst for information about the burst function. Configuration prerequisites You have determined that the burst function is required. Configuration procedure Follow these steps to enable the burst function: To do… Use the command… Remarks —...
  • Page 691 Table (To do / Use the command / Remarks):
      Configure the current port as a source mirroring port: mirrored-to { inbound | outbound } acl-rule { monitor-interface | cpu } (Required. Omit the following steps if you redirect traffic to the CPU; proceed to the following steps if you redirect traffic to a port.)
  • Page 692: Displaying And Maintaining Qos

    Displaying and Maintaining QoS (To do / Use the command / Remarks):
      Display the mapping between 802.1p priority and local precedence: display qos cos-local-precedence-map
      Display the priority marking configuration: display qos-interface { interface-type interface-number | unit-id } traffic-priority
      Display the protocol packet priority configuration: display protocol-priority
      display qos-interface...
  • Page 693: Configuration Example Of Priority Marking And Queue Scheduling

    Set the maximum rate of outbound packets sourced from the marketing department to 64 kbps. Drop the packets exceeding the rate limit. Set the maximum rate of outbound IP packets sent by PC 1 in the R&D department to 640 kbps. Drop the packets exceeding the rate limit. Network diagram Figure 1-9 Network diagram for traffic policing and rate limiting configuration Configuration procedure...
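The rate limits above (64 kbps for the marketing department, 640 kbps for PC 1, excess dropped) are decided per packet by the policer. The following is an added example, not code from the 3Com manual: it models that decision with the standard token-bucket (CAR) algorithm so the effect of the rate and of the burst size can be measured on constructed traffic. The page's Traffic Policing overview is not reproduced in this excerpt, so the token-bucket model and the burst sizes used here are assumptions.

```python
"""Token-bucket policer for a per-flow rate limit (added example)."""
from typing import Iterable, List, Tuple

Arrival = Tuple[int, int]   # (arrival time in ms, packet size in bytes)


class TokenBucket:
    """Bucket of `burst_bytes` capacity, refilled at `rate_bps`.
    Integer arithmetic in bytes and milliseconds keeps the result exact."""

    def __init__(self, rate_bps: int, burst_bytes: int) -> None:
        self.rate_bps = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes          # the bucket starts full
        self.last_ms = 0

    def conforms(self, now_ms: int, size: int) -> bool:
        elapsed = now_ms - self.last_ms
        if elapsed < 0:
            raise ValueError("arrivals must be in time order")
        # bytes earned since the previous packet: bits / 8, capped at the burst
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps // 8000)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False                       # exceeds the limit: the policer drops it


def police(arrivals: Iterable[Arrival], rate_bps: int, burst_bytes: int) -> List[bool]:
    """True for each packet that conforms, False for each one that is dropped."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [bucket.conforms(t, size) for t, size in arrivals]


def conforming_kbps(arrivals: List[Arrival], verdicts: List[bool]) -> float:
    """Average rate of the packets that got through, over the arrival window."""
    span_ms = (arrivals[-1][0] - arrivals[0][0]) or 1
    passed = sum(size for (_, size), ok in zip(arrivals, verdicts) if ok)
    return passed * 8 / span_ms            # bits per millisecond == kbps


if __name__ == "__main__":
    # Constructed load: 1000 B every 100 ms (80 kbps) against the page's 64 kbps limit.
    offered = [(i * 100, 1000) for i in range(100)]
    verdicts = police(offered, 64_000, 2_000)
    print(f"{sum(verdicts)} of {len(offered)} packets conform, "
          f"{conforming_kbps(offered, verdicts):.1f} kbps delivered")
```

Two things the numbers show that the configuration lines do not: the delivered rate converges on the configured 64 kbps only over a window, with the burst size setting how far a short burst can overshoot, and a packet larger than the bucket never conforms at all, so the burst must be at least one maximum-size frame or the flow is silently starved.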
  • Page 694 clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch. Server 1 (the database server), Server 2 (the mail server), and Server 3 (the file server) are connected to Ethernet 1/0/2 of the switch. Configure priority marking and queue scheduling on the switch to mark traffic flows accessing Server 1, Server 2, and Server 3 with different priorities respectively and assign the three traffic flows to different queues for scheduling.
  • Page 695: Vlan Mapping Configuration Example

    [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule local-precedence 3 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule local-precedence 2 [Sysname-Ethernet1/0/2] quit 3) Configure queue scheduling # Apply SP queue scheduling algorithm. [Sysname] queue-scheduler strict-priority VLAN Mapping Configuration Example Network requirements Two customer networks are connected to the public network through Switch A and Switch B.
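The two scheduling modes shown on these pages, WRR with the weights 2 2 3 3 4 4 5 5 (Page 688) and strict priority (the queue-scheduler strict-priority line above), behave very differently when every queue is backlogged. The following is an added example, not code from the 3Com manual: a per-packet simulation of both modes over eight output queues with constructed backlogs, so the bandwidth share each weight buys, and the starvation of low queues under SP, can be measured. The per-packet round-robin model is an assumption; the page does not describe the hardware scheduler at this level.

```python
"""WRR vs. strict-priority queue scheduling (added example)."""
from collections import deque
from typing import Deque, Dict, List, Sequence

WRR_WEIGHTS = (2, 2, 3, 3, 4, 4, 5, 5)   # queue 0 .. queue 7, from the page


def build_queues(backlog: Sequence[int]) -> List[Deque[str]]:
    """Eight output queues, each holding `backlog[i]` labelled packets."""
    if len(backlog) != 8:
        raise ValueError("the switch has eight output queues per port")
    return [deque(f"q{i}-p{n}" for n in range(count)) for i, count in enumerate(backlog)]


def wrr_round(queues: List[Deque[str]], weights: Sequence[int] = WRR_WEIGHTS) -> List[str]:
    """One WRR round: queue i may send up to weights[i] packets.
    An empty queue forfeits its slots, so the scheduler is work-conserving."""
    sent: List[str] = []
    for q, w in zip(queues, weights):
        for _ in range(w):
            if not q:
                break
            sent.append(q.popleft())
    return sent


def sp_send(queues: List[Deque[str]], budget: int) -> List[str]:
    """Strict priority: always serve the highest-numbered non-empty queue.
    `budget` is how many packets the link can send in the interval."""
    sent: List[str] = []
    for _ in range(budget):
        for q in reversed(queues):          # queue 7 first
            if q:
                sent.append(q.popleft())
                break
        else:
            break                           # every queue is empty
    return sent


def served_per_queue(sent: Sequence[str]) -> Dict[int, int]:
    """Count sent packets by originating queue (labels are 'q<i>-p<n>')."""
    counts = {i: 0 for i in range(8)}
    for pkt in sent:
        counts[int(pkt.split("-")[0][1:])] += 1
    return counts


def wrr_share(queues: List[Deque[str]], rounds: int) -> Dict[int, float]:
    """Fraction of the link each queue received over `rounds` WRR rounds."""
    total: List[str] = []
    for _ in range(rounds):
        total.extend(wrr_round(queues))
    counts = served_per_queue(total)
    return {i: counts[i] / len(total) for i in range(8)} if total else {}


if __name__ == "__main__":
    # Constructed load: all eight queues backlogged with 100 packets each.
    print("WRR, one round :", served_per_queue(wrr_round(build_queues([100] * 8))))
    print("SP, 28 packets :", served_per_queue(sp_send(build_queues([100] * 8), 28)))
```

With the page's weights a saturated queue 7 gets 5/28 of the link and queue 0 gets 2/28, but every queue still drains; under strict priority the same 28-packet interval goes entirely to queue 7, and queue 0 sends nothing until all higher queues are empty. That is why a flow marked into the top queue (for example by the traffic-priority rules above) can deny service to everything below it when SP is selected.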
  • Page 696 Network diagram: Figure 1-11 Network diagram for VLAN mapping configuration (Switch A ports Eth1/0/10 through Eth1/0/12 and Switch B ports Eth1/0/15 through Eth1/0/17; customer VLANs VLAN 100 and VLAN 200 at both sites, public network VLAN 500/600). Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
  • Page 697 [SwitchA] interface Ethernet 1/0/12 [SwitchA-Ethernet1/0/12] port link-type trunk [SwitchA-Ethernet1/0/12] port trunk pvid vlan 200 [SwitchA-Ethernet1/0/12] port trunk permit vlan 200 600 [SwitchA-Ethernet1/0/12] quit # Configure Ethernet 1/0/10 of Switch A as a trunk port, and assign it to VLAN 100, VLAN 200, VLAN 500, and VLAN 600.
  • Page 698: Configuring Traffic Mirroring And Redirecting Traffic To A Port

    [SwitchA-Ethernet1/0/10] traffic-remark-vlanid inbound link-group 4003 remark-vlan 200 [SwitchA-Ethernet1/0/10] quit Define the same VLAN mapping rules on Switch B. The detailed configuration procedure is similar to that of Switch A and thus is omitted here. Configuring Traffic Mirroring and Redirecting Traffic to a Port Network Requirements A company uses a switch to interconnect all the departments.
  • Page 699 # Create a time range trname covering the period from 8:00 to 18:00 during working days. <Switch> system-view [Switch] time-range trname 8:00 to 18:00 working-day 2) Configure a policy for the traffic of the marketing department # Create basic ACL 2000 to permit the traffic of the hosts in the marketing department during the specified time range.
  • Page 700: Qos Profile Configuration

    QoS Profile Configuration. When configuring a QoS profile, go to these sections for information you are interested in: Overview; QoS Profile Configuration Task List; Displaying and Maintaining QoS Profile Configuration; Configuration Example. Overview. Introduction to QoS Profile: a QoS profile is a set of QoS configurations; it provides an easy way to perform and manage QoS configuration.
  • Page 701: Qos Profile Configuration Task List

    A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information). Manual application mode You can use the apply command to manually apply a QoS profile to a port. QoS Profile Configuration Task List Complete the following tasks to configure QoS profile: Operation...
  • Page 702: Applying A Qos Profile

    Table (To do / Use the command / Remarks):
      Configure packet filtering: packet-filter { inbound | outbound } acl-rule (Optional. Refer to the ACL module of this manual for information about packet filtering.)
      Configure priority marking: traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence ... (Optional...)
  • Page 703: Displaying And Maintaining Qos Profile Configuration

    Table (To do / Use the command / Remarks):
      Configure the mode to apply a QoS profile as port-based: qos-profile port-based (Optional. By default, the mode to apply a QoS profile is user-based.)
      Specify the mode to apply a QoS profile: ... (If the 802.1x authentication mode is MAC address-based, the mode to apply a profile...)
  • Page 704: Configuration Example

    Configuration Example. QoS Profile Configuration Example. Network requirements: all departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. The user name is someone and the authentication password is hello; the user is connected to Ethernet 1/0/1 of the switch and belongs to the test.net domain.
  • Page 705 # Set the shared keys the switch uses to exchange packets with the authentication RADIUS servers and the accounting RADIUS servers. (The value money is a placeholder: the shared key is what hides user passwords and authenticates server replies, so use a long random value rather than a dictionary word.) [Sysname-radius-radius1] key authentication money [Sysname-radius-radius1] key accounting money # Configure the switch to strip the domain name from the user name before sending the user name to the RADIUS server.
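What the key authentication / key accounting value actually protects is easy to see by building the packets. The following is an added example, not code from the 3Com manual or the switch: it implements the RFC 2865 User-Password hiding and Response Authenticator with the page's key (money) and credentials (someone / hello), then shows that a captured request/response pair lets an attacker test key guesses offline, which is why a dictionary word is a poor choice. Every packet is constructed in code; nothing is sent.

```python
"""RADIUS shared-key mechanics, RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Sequence, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    return bytes((attr_type, 2 + len(value))) + value


def parse_attributes(attrs: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password and strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2), Authenticator (16), Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return _md5(header + request_auth + attrs + secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its authenticator matches our key."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def guess_secret(request: bytes, response: bytes,
                 candidates: Sequence[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on a captured exchange: every candidate key is
    checked against the Response Authenticator without touching the server."""
    request_auth = request[4:20]
    for cand in candidates:
        if verify_response(response, request_auth, cand):
            return cand
    return None


def exchange(secret: bytes, user: bytes, password: bytes,
             ident: int = 7) -> Tuple[bytes, bytes]:
    """Constructed client/server exchange; returns (Access-Request, Access-Accept)."""
    request_auth = os.urandom(16)                       # Request Authenticator
    attrs = attribute(ATTR_USER_NAME, user) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    # Server side: recover the password with the same key, then answer with an
    # Access-Accept whose authenticator is bound to this request and the key.
    received = parse_attributes(request[20:])
    if reveal_password(received[ATTR_USER_PASSWORD], secret, request_auth) != password:
        raise ValueError("server would reject this request")
    accept_auth = response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, secret)
    return request, build_packet(ACCESS_ACCEPT, ident, accept_auth, b"")


if __name__ == "__main__":
    req, acc = exchange(b"money", b"someone", b"hello")    # the page's values
    print("accept verified:", verify_response(acc, req[4:20], b"money"))
    print("key recovered offline:", guess_secret(req, acc, [b"secret", b"hello", b"money"]))
```

The password hiding is MD5-keyed XOR, not encryption in any modern sense, and the Response Authenticator is the only thing telling the switch that an Access-Accept came from its server. Both stand or fall with the entropy of the shared key, so the same key should never be reused across devices and should be rotated like any other credential.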
  • Page 706 Table of Contents (Mirroring module):
      1 Mirroring Configuration 1-1
        Mirroring Overview 1-1
          Local Port Mirroring 1-2
          Remote Port Mirroring 1-2
          Traffic Mirroring 1-3
        Mirroring Configuration 1-4
          Configuring Local Port Mirroring 1-4
          Configuring Remote Port Mirroring 1-5
        Displaying and Maintaining Port Mirroring 1-8
        Mirroring Configuration Examples...
  • Page 707: Mirroring Configuration

    Mirroring Configuration. When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview; Mirroring Configuration; Displaying and Maintaining Port Mirroring; Mirroring Configuration Examples. Mirroring Overview: mirroring duplicates the packets of a port to another port that is connected to a data monitoring device, for network monitoring and diagnosis.
  • Page 708: Local Port Mirroring

    Local Port Mirroring In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device. Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device.
  • Page 709 Table 1-1 describes how the ports on the various switches are involved in the mirroring operation. Table 1-1 Ports involved in the mirroring operation (Switch / Ports involved / Function):
      Source port: the port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
  • Page 710: Configuring Local Port Mirroring

    Mirroring Configuration Complete the following tasks to configure mirroring: Task Remarks Configuring Local Port Mirroring Optional Configuring Remote Port Mirroring Optional On a Switch 5500-EI, only one destination port for local port mirroring and only one reflector port can be configured, and the two types of ports cannot both exist. Configuring Local Port Mirroring Configuration prerequisites The source port is determined and the direction in which the packets are to be mirrored...
  • Page 711: Configuring Remote Port Mirroring

    Table (To do / Use the command / Remarks), continued: ...group: mirroring-group group-id monitor-port
    When configuring local port mirroring, note that:
      You need to configure both the source and destination ports for local port mirroring to take effect.
      The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group;...
  • Page 712 Table (To do / Use the command / Remarks):
      Configure the current port as a trunk port: port link-type trunk (Required. By default, the port type is Access.)
      Configure the trunk port to permit packets from the remote-probe VLAN: port trunk permit vlan remote-probe-vlan-id (Required)
      Return to system view: quit
      ...
  • Page 713 Table (To do / Use the command / Remarks):
      Enter system view: system-view
      Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN.)
      Configure the current VLAN as the remote-probe VLAN: remote-probe vlan enable (Required)
      Return to system view: quit
      ...
  • Page 714: Displaying And Maintaining Port Mirroring

    Table (To do / Use the command / Remarks):
      Configure the trunk port to permit packets from the remote-probe VLAN: port trunk permit vlan remote-probe-vlan-id (Required)
      Return to system view: quit
      Create a remote destination mirroring group: mirroring-group group-id remote-destination (Required)
      Configure the destination port for the remote destination mirroring group: mirroring-group group-id ... (Required)...
  • Page 715 The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device. Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C. Configure Ethernet 1/0/1 and Ethernet 1/0/2 as mirroring source ports.
  • Page 716: Remote Port Mirroring Configuration Example

    Remote Port Mirroring Configuration Example. Network requirements: the departments of a company are connected to each other through Switch 5500-EI switches; Switch A, Switch B, and Switch C are all Switch 5500-EI series devices. Department 1 is connected to Ethernet 1/0/1 of Switch A. Department 2 is connected to Ethernet 1/0/2 of Switch A.
  • Page 717 # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
  • Page 718 [Sysname-Ethernet1/0/2] port trunk permit vlan 10 3) Configure the destination switch (Switch C) # Create remote destination mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-destination # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
  • Page 719 Table of Contents (Web Cache Redirection module):
      1 Web Cache Redirection Configuration 1-1
        Web Cache Redirection Overview 1-1
        Web Cache Redirection Configuration 1-2
          Configuration Prerequisites 1-2
          Configuration Procedure 1-2
        Displaying Web Cache Redirection Configuration 1-3
        Web Cache Redirection Configuration Example 1-3
          Configuration Example...
  • Page 720: Web Cache Redirection Configuration

    Web Cache Redirection Configuration When configuring Web cache redirection, go to these sections for information you are interested in: Web Cache Redirection Overview Web Cache Redirection Configuration Displaying Web Cache Redirection Configuration Web Cache Redirection Configuration Example Web Cache Redirection Overview Usually, users access Web pages through Hypertext Transfer Protocol (HTTP).
  • Page 721: Web Cache Redirection Configuration

    that is frequently accessed by the users in the LAN. It belongs to VLAN 30. The switch connects to the router through VLAN 40. Normally, HTTP traffic of PC 1 and PC 2 are forwarded through VLAN 40 to the router, which then sends the traffic to the Internet. By enabling Web cache redirection function on the switch, HTTP traffic of PC 1 and PC 2 is redirected to Web Cache Server through VLAN 30.
  • Page 722: Displaying Web Cache Redirection Configuration

    Follow these steps to configure Web cache redirection in Ethernet port view (To do / Use the command / Remarks):
      Enter system view: system-view
      Enter Ethernet port view: interface interface-type interface-number
      Configure Web cache server parameters: webcache address ip-address mac mac-address vlan vlan-id (Required. Not configured by default.)
  • Page 723 The market department belongs to VLAN 10 and is connected to port Ethernet 1/0/1 of the switch. The IP address of VLAN 10 interface is 192.168.1.1/24. The R&D department belongs to VLAN 20 and is connected to port Ethernet 1/0/2 of the switch.
  • Page 724 Configuration procedure # Create VLAN 10 for the market department, and assign an IP address 192.168.1.1 to the VLAN-interface 10. <Sysname> system-view [Sysname] vlan 10 [Sysname-vlan10] port Ethernet 1/0/1 [Sysname-vlan10] quit [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ip address 192.168.1.1 24 [Sysname-Vlan-interface10] quit # Create VLAN 20 for the R&D department, and assign an IP address 192.168.2.1 to the VLAN-interface 20.
  • Page 725 # Configure port Ethernet 1/0/4 (through which the switch connects to the Web Cache Server) as a trunk port, and configure the port to allow the packets of VLAN 40 and VLAN 50 to pass through. [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] port link-type trunk [Sysname-Ethernet1/0/4] port trunk permit vlan 40 50 [Sysname-Ethernet1/0/4] quit...
  • Page 726 Table of Contents (PoE module):
      1 PoE Configuration 1-1
        PoE Overview 1-1
          Introduction to PoE 1-1
          PoE Features Supported by Switch 5500-EI 1-1
        PoE Configuration 1-2
          PoE Configuration Task List 1-2
          Enabling the PoE Feature on a Port 1-3
          Setting the Maximum Output Power on a Port 1-3
          Setting PoE Management Mode and PoE Priority of a Port 1-3
          Setting the PoE Mode on a Port 1-4
          Configuring the PD Compatibility Detection Function 1-5...
  • Page 727: Poe Configuration

    PoE Configuration. When configuring PoE, go to these sections for information you are interested in: PoE Overview; PoE Configuration; PoE Configuration Example. PoE Overview. Introduction to PoE: Power over Ethernet (PoE)-enabled devices supply power to remote powered devices (PDs) over the twisted pairs of their electrical Ethernet ports, carrying power and data on the same cable simultaneously.
  • Page 728: Enabling The Poe Feature On A Port

    Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet). Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD. When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W.
  • Page 729 Task list (Task / Remarks):
      Upgrading the PSE Processing Software Online: Optional
      Upgrading the PSE Processing Software of Fabric Switches Online: Optional
      Displaying PoE Configuration: Optional
    Enabling the PoE Feature on a Port. Follow these steps to enable the PoE feature on a port: To do…...
  • Page 730: Setting The Poe Mode On A Port

    The Switch 5500-EI supports two PoE management modes, auto and manual; auto is the default. auto: when the switch approaches its full power-supply load, it supplies power first to the PDs connected to ports with critical priority, and then to the PDs connected to ports with high priority. Note that 24 ports at the 15,400 mW per-port maximum would draw 369.6 W, more than the 300 W available with AC input, so the port priorities decide which PDs keep power once the budget is exhausted.
  • Page 731: Configuring The Pd Compatibility Detection Function

    Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
  • Page 732: Upgrading The Pse Processing Software Online

    When the internal temperature of the switch drops from X (X > 65°C, or X > 149°F) to Y (60°C ≤ Y < 65°C, or 140°F ≤ Y < 149°F), the switch keeps the PoE function disabled on all ports. When the internal temperature rises from X (X < 60°C, or X < 140°F) to Y (60°C < Y ≤ 65°C, or 140°F < Y ≤ 149°F), the switch keeps the PoE function enabled on all ports. In other words, the range from 60°C to 65°C is a hysteresis band in which the previous PoE state is retained, so the state does not flap while the temperature hovers near the threshold.
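The two cases above are easier to read as a state machine. The following is an added example, not code from the 3Com manual: it encodes the behaviour the page describes, including the boundary values at exactly 60°C and 65°C, and replays constructed temperature traces against it. The trigger points (disable above 65°C, re-enable below 60°C) are inferred from the two cases the page states and should be treated as an assumption.

```python
"""PoE thermal-protection hysteresis (added example)."""
from typing import Iterable, List

DISABLE_ABOVE_C = 65.0   # PoE switched off on all ports above this
ENABLE_BELOW_C = 60.0    # PoE switched back on below this


class PoeThermalGuard:
    """Tracks whether PoE is enabled given a stream of temperature readings."""

    def __init__(self, enabled: bool = True) -> None:
        self.enabled = enabled

    def update(self, temp_c: float) -> bool:
        if temp_c > DISABLE_ABOVE_C:
            self.enabled = False
        elif temp_c < ENABLE_BELOW_C:
            self.enabled = True
        # 60°C <= temp_c <= 65°C: hysteresis band, previous state is kept
        return self.enabled


def run_trace(temps_c: Iterable[float], start_enabled: bool = True) -> List[bool]:
    """PoE state after each reading of a constructed temperature trace."""
    guard = PoeThermalGuard(start_enabled)
    return [guard.update(t) for t in temps_c]


def fahrenheit_to_celsius(temp_f: float) -> float:
    return (temp_f - 32.0) * 5.0 / 9.0


if __name__ == "__main__":
    # Heats past 65°C, cools into the band, then drops below 60°C.
    print(run_trace([50, 66, 62, 60, 59]))
```

The last reading in the trace matters: 60°C coming down does not re-enable PoE, but 59°C does, while 65°C going up does not disable it and 66°C does.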
  • Page 733: Poe Configuration Example

    Follow these steps to upgrade the PSE processing software online (To do / Use the command / Remarks):
      Upgrade the PSE processing software of the fabric switch online: update fabric { file-url | device-name file-url } (Optional)
    Displaying PoE Configuration (To do / Use the command…)...
  • Page 734 Network diagram Figure 1-1 Network diagram for PoE Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
  • Page 735: Poe Profile Configuration

    PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: Introduction to PoE Profile PoE Profile Configuration Displaying PoE Profile Configuration PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, Switch 5500-EI provides the PoE profile features.
  • Page 736 Table (To do / Use the command / Remarks):
      Enable the PoE feature on a port: poe enable (Required. Disabled by default.)
      Configure the PoE mode for Ethernet ports: poe mode { signal | spare } (Optional. signal by default.)
      Configure the PoE priority for Ethernet ports: ... (Optional. Configure the relevant features in ...)
  • Page 737: Displaying Poe Profile Configuration

    Displaying PoE Profile Configuration (To do / Use the command / Remarks):
      Display detailed information about the PoE profiles created on the switch: display poe-profile { all-profile | interface interface-type interface-number | name profile-name } (Available in any view)
    PoE Profile Configuration Example. PoE Profile Application Example. Network requirements: Switch A is a Switch 5500-EI supporting PoE.
  • Page 738 Network diagram: Figure 2-1 PoE profile application (Switch A connects to the network; IP phones are attached to Eth1/0/1~Eth1/0/5 and Eth1/0/6~Eth1/0/10). Configuration procedure # Create Profile 1, and enter PoE profile view. <SwitchA> system-view [SwitchA] poe-profile Profile1 # In Profile 1, add the PoE policy configuration applicable to ports Ethernet 1/0/1 through Ethernet 1/0/5 for users of group A.
  • Page 739 [SwitchA-poe-profile-Profile2] poe mode signal [SwitchA-poe-profile-Profile2] poe priority high [SwitchA-poe-profile-Profile2] poe max-power 15400 [SwitchA-poe-profile-Profile2] quit # Display detailed configuration information for Profile2. [SwitchA] display poe-profile name Profile2 Poe-profile: Profile2, 2 action poe enable poe priority high # Apply the configured Profile 1 to Ethernet 1/0/1 through Ethernet 1/0/5 ports. [SwitchA] apply poe-profile Profile1 interface Ethernet1/0/1 to Ethernet1/0/5 # Apply the configured Profile 2 to Ethernet 1/0/6 through Ethernet 1/0/10 ports.
  • Page 740 Table of Contents (XRN Fabric module):
      1 XRN Fabric Configuration 1-1
        Introduction to XRN 1-1
          Establishment of an XRN Fabric 1-1
          How XRN Works 1-5
        XRN Fabric Configuration 1-6
          XRN Fabric Configuration Task List 1-6
          Specifying the Fabric Port of a Switch 1-6
          Specifying the VLAN Used to Form an XRN Fabric 1-7
          Setting a Unit ID for a Switch 1-8
          Assigning a Unit Name to a Switch 1-9
          Assigning an XRN Fabric Name to a Switch 1-9...
  • Page 741: Xrn Fabric Configuration

    XRN Fabric Configuration When configuring XRN fabric, go to these sections for information you are interested in: Introduction to XRN XRN Fabric Configuration Displaying and Maintaining XRN Fabric XRN Fabric Configuration Example Introduction to XRN Intelligent Resilient Framework (XRN), a feature particular to Switch 5500-EI series switches, is a new technology for building the core of a network.
  • Page 742 Figure 1-2 Port connection mode for Switch 5500-EI series ring topology XRN fabric (front-panel illustration; the port numbering and LED legend of the image are not reproduced here)...
  • Page 743 As the basis of the XRN function, the Fabric Topology Management (FTM) program manages and maintains the entire topology of a fabric. With fabric ports configured, the FTM program releases information of the device through the fabric ports. The device information includes Unit ID, CPU MAC, device type ID, fabric port information, and all fabric configuration information.
  • Page 744 Troubleshooting table (Status / Analysis / Solution):
      Status: two fabric ports of the same device (that is, the right port and the left port) are connected. Solution: pull out one end of the cable and connect it to a fabric port of another switch.
      Status: the left and right fabric ports of the devices are ... Analysis: indicates ... Solution: connect the left and right ports...
  • Page 745: How Xrn Works

    Then the system automatically synchronizes the configuration to the device with the smallest unit ID and changes the fabric name. Once these operations are complete, the device can be added to the fabric and works normally. You need to enable the XRN automatic fabric function on all the devices in the fabric, including the candidate switch, so that the candidate switch can download software, discover neighbors, and thus be added to the fabric normally.
  • Page 746: Xrn Fabric Configuration

    In this way, the forwarding table entries of each device in the fabric can be consistent. Even if the master fails, other devices can use the forwarding table synchronized from the master to perform layer 3 forwarding, thus ensuring the accuracy of forwarding path. After re-electing the master, the fabric will restart routing update.
  • Page 747: Specifying The Vlan Used To Form An Xrn Fabric

    Table (To do / Use the command / Remarks):
      Enter system view: system-view
      Enter Ethernet interface view: interface interface-type interface-number
      Specify the current port as the fabric port of a switch: port link-type xrn-fabric (Required. No port is specified as the fabric port by default.)
  • Page 748: Setting A Unit Id For A Switch

    Table (To do / Use the command / Remarks):
      Specify the VLAN used to form an XRN fabric: ftm fabric-vlan vlan-id (Required. By default, the VLAN used to form the XRN fabric is VLAN 4093.)
    You cannot specify an existing VLAN to form an XRN fabric; otherwise, your configuration fails. Setting a Unit ID for a Switch: on switches that support automatic numbering, FTM by default numbers the switches that constitute an XRN fabric automatically, so that each switch has a unique unit ID in the fabric.
  • Page 749: Assigning A Unit Name To A Switch

    Unit IDs in an XRN fabric are not always arranged in order of 1 to 8. Unit IDs of an XRN fabric can be inconsecutive. After you change the unit ID of switches, the following operations are performed. If the modified unit ID does not exist in the XRN fabric, the system sets its priority to 5 and saves it in the unit Flash memory.
  • Page 750: Setting The Xrn Fabric Authentication Mode

    Follow these steps to assign a fabric name to a switch (To do / Use the command / Remarks):
      Enter system view: system-view
      Assign a fabric name to the switch: sysname sysname (Optional. By default, the XRN fabric name is 5500-EI.)
    Setting the XRN Fabric Authentication Mode: only switches with the same XRN fabric authentication mode can form an XRN fabric.
  • Page 751: Displaying And Maintaining Xrn Fabric

    You need to enable the XRN automatic fabric function on all the devices in the fabric, including the newly added device, so that the newly added device can download software, discover neighbors, and thus be added to the fabric normally. After you configure the XRN automatic fabric function on Slave, execute the save command to save the configuration as soon as possible.
  • Page 752 Network Diagram Figure 1-4 Network diagram for forming an XRN fabric Configuration Procedure Configure Switch A. # Configure fabric ports. <Sysname> system-view [Sysname] fabric-port GigabitEthernet1/0/25 enable [Sysname] fabric-port GigabitEthernet1/0/26 enable # Configure the unit name as Unit 1. [Sysname] set unit 1 name Unit1 # Configure the fabric name as hello.
  • Page 753 Table of Contents: 1 Cluster (1-1); Cluster Overview (1-1); Introduction to HGMP (1-1); Roles in a Cluster (1-2); How a Cluster Works (1-3); Cluster Configuration Task List (1-9); Configuring the Management Device (1-9); Configuring Member Devices (1-13); Managing a Cluster through the Management Device (1-15); Configuring the Enhanced Cluster Features (1-16); Displaying and Maintaining Cluster Configuration (1-18); Cluster Configuration Examples (1-19)...
  • Page 754: Cluster

    Cluster When configuring a cluster, go to these sections for information you are interested in: Cluster Overview, Cluster Configuration Task List, Displaying and Maintaining Cluster Configuration, Cluster Configuration Examples. Cluster Overview: Introduction to HGMP. A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way.
  • Page 755: Roles In A Cluster

    Figure 1-1 A cluster implementation HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster; and then you can configure and manage all the member devices through the management device without the need to log onto them one by one.
  • Page 756: How A Cluster Works

    Role: Member device. Configuration: Normally, a member device is not assigned an external IP address. Function: Members of a cluster. A member device discovers the information about its neighbors, processes the commands forwarded by the management device, and reports logs. The member devices of a cluster are under the management of the management device.
  • Page 757 Neighbor Discovery Protocol (NDP) Neighbor Topology Discovery Protocol (NTDP) Cluster A cluster configures and manages the devices in it through the above three protocols. Cluster management involves topology information collection and the establishment/maintenance of a cluster. Topology information collection and cluster establishment/maintenance are independent from each other.
  • Page 758 The management device collects the topology information periodically. You can also launch an operation of topology information collection by executing related commands. The process of topology information collection is as follows. The management device sends NTDP topology collection requests periodically through its NTDP-enabled ports.
  • Page 759 On the management device, you need to enable the cluster function and configure cluster parameters. On the member/candidate devices, however, you only need to enable the cluster function so that they can be managed by the management device. Cluster maintenance Adding a candidate device to a cluster To create a cluster, you need to determine the device to operate as the management device first.
  • Page 760 device to Active; otherwise, it changes the state of the member device (in Connect state) to Disconnect, in which case the management device considers the member device disconnected. Likewise, if this member device, which is in Connect state, receives a handshake packet or management packet from the management device within the information holdtime, it changes its state to Active;...
  • Page 761 Tracing a device in a cluster: In practice, you sometimes need to do the following in a cluster: know whether there is a loop in the cluster; locate which port on which switch initiates a network attack; determine the port and switch that a MAC address corresponds to; locate which switch in the cluster has a fault; check whether a link in the cluster and the devices on the link comply with the original plan. In these situations, you can use the tracemac command to trace a device in the cluster by specifying a...
  • Page 762: Cluster Configuration Task List

    Cluster Configuration Task List Before configuring a cluster, you need to determine the roles and functions the switches play. You also need to configure the related functions, preparing for the communication between devices within the cluster. Complete the following tasks to configure cluster: Task Remarks Configuring the Management Device...
  • Page 763 Enabling NDP globally and on specific ports. Follow these steps to enable NDP globally and on specific ports: Enter system view: system-view. Enable NDP globally: ndp enable (Required). By default, NDP is enabled globally. In system view: ndp enable interface port-list...
  • Page 764 Enter system view: system-view. Configure the range to collect topology information: ntdp hop hop-value (Optional). By default, the system collects topology information from the devices within three hops. Configure the device forward delay of topology collection: ntdp timer hop-delay time (Optional). By default, the device forward...
  • Page 765 Build a cluster: build name (Required); name is the cluster name. Configure a multicast MAC address for the cluster: cluster-mac H-H-H (Required). By default, the cluster multicast MAC address is 0180-C200-000A. Set the interval for the management device to send ...: cluster-mac syn-interval (Optional). By default, the interval to send...
  • Page 766: Configuring Member Devices

    Configure a shared FTP server for the cluster: ftp-server ip-address (Optional). By default, the management device acts as the shared FTP server. Configure a shared TFTP server for the cluster: tftp-server ip-address (Optional). By default, no shared TFTP server is configured.
  • Page 767 To reduce the risk of attacks by malicious users against an open socket and to enhance switch security, the Switch 5500-EI series Ethernet switches provide the following functions, so that the cluster socket is open only when it is needed: UDP port 40000 (used for the cluster) is opened only when the cluster function is enabled, and UDP port 40000 is closed at the same time the cluster function is disabled.
  • Page 768: Managing A Cluster Through The Management Device

    Enter Ethernet port view: interface interface-type interface-number. Enable NTDP on the port: ntdp enable (Required). Enabling the cluster function: Follow these steps to enable the cluster function: Enter system view: system-view...
  • Page 769: Configuring The Enhanced Cluster Features

    Return to system view: quit. Return to user view: quit. Switch between the management device and a member device: cluster switch-to { member-number | mac-address H-H-H | administrator } (Optional). You can use this command to switch to the view of a member device and switch back.
  • Page 770 Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management function Required Configuring cluster device blacklist Required Configuring cluster topology management function Configuration prerequisites Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed.
  • Page 771: Displaying And Maintaining Cluster Configuration

    Configuring cluster device blacklist: Follow these steps to configure the cluster device blacklist on a management device: Enter system view: system-view. Enter cluster view: cluster. Add the MAC address of a specified device to the cluster blacklist: black-list add-mac (Optional). By default, the cluster blacklist...
  • Page 772: Cluster Configuration Examples

    When you display the cluster topology information, the devices attached to the switch that is listed in the blacklist are not displayed. Cluster Configuration Examples: Basic Cluster Configuration Example. Network requirements: Three switches compose a cluster, where a Switch 5500-EI series switch serves as the management device and the rest are member devices.
  • Page 773 # Enable NDP globally and on Ethernet 1/0/1. <Sysname> system-view [Sysname] ndp enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] ndp enable [Sysname-Ethernet1/0/1] quit # Enable NTDP globally and on Ethernet 1/0/1. [Sysname] ntdp enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] ntdp enable [Sysname-Ethernet1/0/1] quit # Enable the cluster function.
  • Page 774 [Sysname-Ethernet1/0/2] ntdp enable [Sysname-Ethernet1/0/2] quit [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] ntdp enable [Sysname-Ethernet1/0/3] quit # Set the topology collection range to 2 hops. [Sysname] ntdp hop 2 # Set the delay for a member device to forward topology collection requests to 150 ms. [Sysname] ntdp timer hop-delay 150 # Set the delay for a member device port to forward topology collection requests to 15 ms.
  • Page 775: Network Management Interface Configuration Example

    # Connect the member device to the remote shared FTP server of the cluster. <aaa_1.Sysname> ftp cluster # Download the file named aaa.txt from the shared TFTP server of the cluster to the member device. <aaa_1.Sysname> tftp cluster get aaa.txt # Upload the file named bbb.txt from the member device to the shared TFTP server of the cluster.
  • Page 776 Network diagram Figure 1-5 Network diagram for network management interface configuration Configuration procedure # Enter system view and configure VLAN 3 as the management VLAN. <Sysname> system-view [Sysname] management-vlan 3 # Add Ethernet 1/0/1 to VLAN 3. [Sysname] vlan 3 [Sysname-vlan3] port Ethernet 1/0/1 [Sysname-vlan3] quit # Set the IP address of VLAN-interface 3 to 192.168.5.30.
  • Page 777: Enhanced Cluster Feature Configuration Example

    [aaa_0.Sysname-cluster] # Configure VLAN-interface 2 as the network management interface. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] nm-interface Vlan-interface 2 Enhanced Cluster Feature Configuration Example Network requirements The cluster operates properly. Add the device with the MAC address 0001-2034-a0e5 to the cluster blacklist, that is, prevent the device from being managed and maintained by the cluster.
  • Page 778 Table of Contents: 1 SNMP Configuration (1-1); SNMP Overview (1-1); SNMP Operation Mechanism (1-1); SNMP Versions (1-1); Supported MIBs (1-2); Configuring Basic SNMP Functions (1-2); Configuring Trap-Related Functions (1-5); Configuring Basic Trap Functions (1-5); Configuring Extended Trap Function (1-5); Enabling Logging for Network Management (1-6); Displaying SNMP (1-6); SNMP Configuration Example (1-7); SNMP Configuration Example (1-7); 2 RMON Configuration (2-1)...
  • Page 779: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
  • Page 780: Configuring Basic Snmp Functions

    Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permissions can only query the switch information, while those with read-write permission can configure the switch as well. Set the basic ACL specified by the community name. Supported MIBs An SNMP packet carries management variables with it.
  • Page 781 Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | ... By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
  • Page 782 Set system information and specify to enable SNMPv3 on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
  • Page 783: Configuring Trap-Related Functions

    Configuring Trap-Related Functions: Configuring Basic Trap Functions. Traps refer to messages sent by managed devices to the NMS without request. They are used to report urgent and important events (for example, the rebooting of managed devices). Note that basic SNMP configuration is performed before you configure the basic trap function. Follow these steps to configure the basic trap function: To do…...
  • Page 784: Enabling Logging For Network Management

    Follow these steps to configure the extended trap function: Enter system view: system-view. Configure the extended trap function: snmp-agent trap ifmib link extended (Optional). By default, the linkUp/linkDown trap adopts the standard format defined in IF-MIB. For details, refer to RFC 1213.
  • Page 785: Snmp Configuration Example

    Display trap list information: display snmp-agent trap-list. Display the currently configured community name: display snmp-agent community [ read | write ]. Display the currently configured MIB view: display snmp-agent mib-view [ exclude | include | viewname view-name ]. SNMP Configuration Example: SNMP Configuration Example. Network requirements...
  • Page 786 Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com’s NMS products. You can query and configure an Ethernet switch through the NMS.
  • Page 787: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON, RMON Configuration, Displaying RMON, RMON Configuration Example. Introduction to RMON: Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF). It is an important enhancement to the MIB II standards.
  • Page 788: Commonly Used Rmon Groups

    error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 789 Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
  • Page 790: Displaying Rmon

    The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 791 [Sysname-Ethernet1/0/1] quit # Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm. [Sysname] rmon event 1 log [Sysname] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers of all the oversize and undersize packets received by Ethernet 1/0/1 that are in correct data format and sample it in every 10 seconds.
  • Page 792 Table of Contents: 1 UDP Helper Configuration (1-1); Introduction to UDP Helper (1-1); Configuring UDP Helper (1-2); Displaying and Maintaining UDP Helper (1-3); UDP Helper Configuration Example (1-3); Cross-Network Computer Search Through UDP Helper (1-3)...
  • Page 793: Udp Helper Configuration

    UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 794: Configuring Udp Helper

    Table 1-1 List of default UDP ports Protocol UDP port number DNS (Domain Name System) NetBIOS-DS (NetBIOS Datagram Service) NetBIOS-NS (NetBIOS Name Service) TACACS (Terminal Access Controller Access Control System) TFTP (Trivial File Transfer Protocol) Time Service Configuring UDP Helper Follow these steps to configure UDP Helper: To do…...
  • Page 795: Displaying And Maintaining Udp Helper

    On an S5500-EI Series Ethernet Switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, UDP Helper is available only when the ip forward-broadcast command is configured in system view. For details about the ip forward-broadcast command, refer to the IP Address and Performance part of this manual.
  • Page 796 Network diagram Figure 1-1 Network diagram for UDP Helper configuration Configuration procedure # Enable Switch A to receive directed broadcasts to a directly connected network. <SwitchA> system-view [SwitchA] ip forward-broadcast # Enable UDP Helper on Switch A. [SwitchA] udp-helper enable # Configure the switch to forward broadcasts containing the destination UDP port number 137.
  • Page 797 Table of Contents: 1 NTP Configuration (1-1); Introduction to NTP (1-1); Applications of NTP (1-1); Implementation Principle of NTP (1-2); NTP Implementation Modes (1-3); NTP Configuration Task List (1-6); Configuring NTP Implementation Modes (1-6); Configuring NTP Server/Client Mode (1-7); Configuring the NTP Symmetric Peer Mode (1-7); Configuring NTP Broadcast Mode (1-8); Configuring NTP Multicast Mode (1-9); Configuring Access Control Right (1-10)...
  • Page 798: Ntp Configuration

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes Configuring Access Control Right Configuring NTP Authentication Configuring Optional NTP Parameters Displaying NTP Configuration Configuration Examples Introduction to NTP Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
  • Page 799: Implementation Principle Of Ntp

    Defining the accuracy of clocks by stratum, to synchronize the clocks of all devices in a network quickly; supporting access control (see section Configuring Access Control Right) and MD5 encrypted authentication (see section Configuring NTP Authentication); sending protocol packets in unicast, multicast, or broadcast mode. The clock stratum determines the accuracy, which ranges from 1 to 16.
  • Page 800: Ntp Implementation Modes

    Figure 1-1 Implementation principle of NTP (the figure shows NTP messages exchanged between Device A and Device B over an IP network, carrying the timestamps 10:00:00 am, 11:00:01 am and 11:00:02 am, with the final message received at 10:00:03 am)...
  • Page 801 Server/client mode: Figure 1-2 Server/client mode. Symmetric peer mode: Figure 1-3 Symmetric peer mode (the active peer sends a clock synchronization request packet to the passive peer over the network and receives a response packet; the passive peer works in passive peer mode automatically; in peer mode, both sides can be synchronized to each other). In the symmetric peer mode, the local S5500-EI Ethernet switch serves as the symmetric-active peer...
  • Page 802 Multicast mode Figure 1-5 Multicast mode Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S5500-EI series Ethernet switches. Table 1-1 NTP implementation modes on 3Com S5500-EI series Ethernet switches NTP implementation mode Configuration on S5500-EI series switches Configure the local S5500-EI Ethernet switch to work in the NTP client mode.
  • Page 803: Ntp Configuration Task List

    When a 3Com S5500-EI Ethernet switch works in server mode or symmetric passive mode, you need not perform the related configurations on this switch; perform them on the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S5500-EI Ethernet switch has been synchronized.
  • Page 804: Configuring Ntp Server/Client Mode

    Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time. Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
  • Page 805: Configuring Ntp Broadcast Mode

    Specify a symmetric-passive peer for the switch: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* (Required). By default, a switch is not configured to work in the symmetric mode.
  • Page 806: Configuring Ntp Multicast Mode

    Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the switch to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid key-id | version number ]* (Required). Not configured by default. Configuring a switch to work in the NTP broadcast client mode: Follow these steps to configure a switch to work in the NTP broadcast client mode: To do…...
  • Page 807: Configuring Access Control Right

    Configuring a switch to work in the multicast client mode: Follow these steps to configure a switch to work in the NTP multicast client mode: Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface...
  • Page 808: Configuring Ntp Authentication

    The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
  • Page 809 Configuration Procedure: Configuring NTP authentication on the client. Follow these steps to configure NTP authentication on the client: Enter system view: system-view. Enable the NTP authentication function: ntp-service authentication enable (Required). Disabled by default. Configure the NTP ...: ntp-service ... (Required)...
  • Page 810: Configuring Optional Ntp Parameters

    Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (Required). By default, no trusted authentication key is configured. Enter VLAN interface view: interface Vlan-interface vlan-id. In NTP broadcast server mode and NTP multicast ... mode, configure on the NTP broadcast ...: ntp-service broadcast-server...
  • Page 811: Displaying Ntp Configuration

    If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 812 Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]. Display the brief information about the NTP servers along the path from the local device to the reference clock source: display ntp-service trace. Configuration Examples: Configuring NTP Server/Client Mode...
  • Page 813: Configuring Ntp Symmetric Peer Mode

    [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
  • Page 814 Configuration procedure Configure Device C. # Set Device A as the NTP server. <DeviceC> system-view [DeviceC] ntp-service unicast-server 3.0.1.31 Configure Device B (after the Device C is synchronized to Device A). # Enter system view. <DeviceB> system-view # Set Device C as the peer of Device B. [DeviceB] ntp-service unicast-peer 3.0.1.33 Device C and Device B are symmetric peers after the above configuration.
  • Page 815: Configuring Ntp Broadcast Mode

    Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
  • Page 816: Configuring Ntp Multicast Mode

    View the NTP status of Device D after the clock synchronization. [DeviceD] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 198.7425 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms...
  • Page 817 Network diagram Figure 1-9 Network diagram for NTP multicast mode configuration Configuration procedure Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as a multicast server to send multicast messages through VLAN-interface 2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service multicast-server Configure Device A (perform the same configuration on Device D).
  • Page 818: Configuring Ntp Server/Client Mode With Authentication

    Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C. # View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
  • Page 819 To synchronize Device B, you need to perform the following configurations on Device A. # Enable the NTP authentication function. <DeviceA> system-view [DeviceA] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key 42 as a trusted key.
  • Page 820 Table of Contents: 1 SSH Configuration (1-1); SSH Overview (1-1); Introduction to SSH (1-1); Algorithm and Key (1-1); SSH Operating Process (1-2); SSH Server and Client (1-4); Configuring the SSH Server (1-6); Configuring the User Interfaces for SSH Clients (1-7); Configuring the SSH Management Functions (1-7); Configuring the SSH Server to Be Compatible with SSH1 Clients (1-8); Configuring Key Pairs (1-8); Creating an SSH User and Specifying an Authentication Type (1-10)...
  • Page 821: SSH Configuration

    SSH Configuration
    When configuring SSH, go to these sections for the information you are interested in:
    SSH Overview
    SSH Server and Client
    Displaying and Maintaining SSH Configuration
    Comparison of SSH Commands with the Same Functions
    SSH Configuration Examples
    SSH Overview
    Introduction to SSH
    Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing for secure access to the Command Line Interface (CLI) of a switch for configuration and management.
  • Page 822: SSH Operating Process

    There are two types of key algorithms:
    Symmetric key algorithm: The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
    Asymmetric key algorithm: The asymmetric key algorithm is also called the public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 823 Data exchange: The client and the server start to communicate with each other. Currently, the switch that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the switch that serves as an SSH client supports only SSH2. Unless otherwise noted, SSH refers to SSH2 throughout this document.
  • Page 824: SSH Server and Client

    Authentication negotiation
    The negotiation steps are as follows:
    The client sends an authentication request to the server. The authentication request contains the username, authentication type, and authentication-related information. For example, if the authentication type is password, the content is the password.
    The server starts to authenticate the user.
  • Page 825 The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions. The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
  • Page 826: Configuring the SSH Server

    Configuring the SSH Server
    The session establishment between an SSH client and the SSH server involves five stages. Similarly, SSH server configuration involves five aspects, as shown in the following table. Complete the following tasks to configure the SSH server:
    Task | Remarks
    Configuring the User Interfaces for...
  • Page 827: Configuring the User Interfaces for SSH Clients

    Configuring the User Interfaces for SSH Clients An SSH client will access the device through a terminal “VTY” user interface. Therefore, you need to configure the device user interface to accept SSH clients and allow SSH login. Note that the configuration takes effect at the next login.
  • Page 828: Configuring the SSH Server to Be Compatible with SSH1 Clients

    To do... | Use the command... | Remarks
    Set the SSH authentication timeout time | ssh server timeout seconds | Optional. By default, the SSH authentication timeout time is 60 seconds.
    Set the number of SSH authentication retry attempts | ssh server authentication-retries times | Optional. By default, the number of SSH authentication retry attempts is 3.
  • Page 829 As different clients may support different public key algorithms, the key pairs negotiated between the server and clients may be different. Therefore, you need to generate both RSA and DSA key pairs on the server to ensure that clients can log in to the server successfully. You can specify an algorithm for publickey authentication as needed.
  • Page 830: Creating an SSH User and Specifying an Authentication Type

    Destroy the DSA key pair | public-key local destroy dsa
    Creating an SSH User and Specifying an Authentication Type
    This task is to create an SSH user and specify an authentication type. A new user must be assigned an authentication type before the user can log in. An SSH user is represented as a set of user attributes on the SSH server.
  • Page 831: Specifying a Service Type for an SSH User on the Server

    Create an SSH user, and specify an authentication type for it | ssh user username authentication-type { all | password | password-publickey | publickey } | ...are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.
  • Page 832: Configuring the Public Key of a Client on the Server

    Specify a service type for an SSH user | ssh user username service-type { stelnet | sftp | all } | Required. By default, an SSH user can use the service type of stelnet.
    If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user.
  • Page 833: Assigning a Public Key to an SSH User

    Return to public key view from public key edit view | public-key-code end | —
    Exit public key view and return to system view | peer-public-key end | —
    Follow these steps to import the public key from a public key file:
    To do... | Use the command...
  • Page 834: Configuring the SSH Client

    Follow these steps to export the RSA host public key:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Export the RSA host public key to a specified file | public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] | Required
    Follow these steps to export the DSA host public key:
    To do...
  • Page 835: Configuring an SSH Client that Runs SSH Client Software

    Task: Configuring an SSH Client. Subtasks: Configuring an SSH Client that Runs SSH Client Software; Configuring an SSH Client Assumed by an SSH2-Capable Switch. Remarks: The authentication mode is publickey; Whether first-authentication is supported; —
    Configuring an SSH Client that Runs SSH Client Software
    A variety of SSH client software is available, such as PuTTY and OpenSSH.
  • Page 836 The following takes the client software of PuTTY Version 0.58 as an example to illustrate how to configure the SSH client: Generating a client key To generate a client key, run PuTTYGen.exe, and select from the Parameters area the type of key you want to generate, either SSH-2 RSA or SSH-2 DSA, then click Generate.
  • Page 837 Figure 1-4 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key...
  • Page 838 Figure 1-5 Generate the client keys (3) Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the private key (“private”...
  • Page 839 Figure 1-7 Generate the client keys (5) Specifying the IP address of the Server Launch PuTTY.exe. The following window appears...
  • Page 840 Figure 1-8 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
  • Page 841 Figure 1-9 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation in ssh2. Opening an SSH connection with password authentication From the window shown in Figure...
  • Page 842: Configuring an SSH Client Assumed by an SSH2-Capable Switch

    From the category on the left of the window, select Connection/SSH/Auth. The following window appears. Figure 1-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username.
  • Page 843 Configuring the SSH client for publickey authentication When the authentication mode is publickey, you need to configure the RSA or DSA public key of the client on the server: To generate a key pair on the client, refer to Configuring Key Pairs.
  • Page 844 With first-time authentication enabled, an SSH client that is not configured with the SSH server's host public key saves the host public key sent by the server without authenticating the server. Attackers may exploit this vulnerability to initiate man-in-the-middle attacks by acting as an SSH server. Therefore, it is recommended to disable first-time authentication unless you are sure that the SSH server is reliable.
  • Page 845: Displaying and Maintaining SSH Configuration

    ssh2 { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | ... | Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client. HMAC: Hash-based message authentication code...
  • Page 846: Comparison of SSH Commands with the Same Functions

    Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info
    Display the current source IP address or the IP address of the source interface specified for the SSH client | display ssh2 source-ip
    Comparison of SSH Commands with the Same Functions
    After the SSH protocol supports the DSA asymmetric key algorithm, some SSH configuration commands are changed.
  • Page 847: SSH Configuration Examples

    After RSA key pairs are generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
  • Page 848 Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 849 Figure 1-12 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-13 appears.
  • Page 850: When Switch Acts as Server for Password and RADIUS Authentication

    Figure 1-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 851 Network diagram Figure 1-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 852 Figure 1-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
  • Page 853 [Switch-Vlan-interface2] quit
    Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 854 Figure 1-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
  • Page 855: When Switch Acts as Server for Password and HWTACACS Authentication

    Figure 1-18 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.
  • Page 856 Network diagram Figure 1-19 Switch acts as server for password and HWTACACS authentication Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign it an IP address. This address will be used as the IP address of the SSH server for SSH connections.
  • Page 857 [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Apply the scheme to the ISP domain.
    [Switch] domain bbb
    [Switch-isp-bbb] scheme hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    # Configure an SSH user, specifying the switch to perform password authentication for the user.
    [Switch] ssh user client001 authentication-type password
    Configure the SSH client
    # Configure an IP address (192.168.1.1 in this case) for the SSH client.
  • Page 858: When Switch Acts as Server for Publickey Authentication

    Figure 1-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the HWTACACS server.
  • Page 859 Configuration procedure Under the publickey authentication mode, either the RSA or DSA public key can be generated for the server to authenticate the client. The RSA public key is taken as an example here. Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
  • Page 860 Before performing the following steps, you must generate an RSA key pair (using the client software) on the client, save the key pair in a file named public, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the SSH client configuration part.
    # Import the client's public key named Switch001 from file public.
  • Page 861 Figure 1-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case)...
  • Page 862 Figure 1-25 Generate a client key pair (3) Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case).
  • Page 863 Figure 1-27 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the server. From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-28 appears.
  • Page 864 Figure 1-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears...
  • Page 865: When Switch Acts as Client for Password Authentication

    Figure 1-29 SSH client configuration interface (3) Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username.
  • Page 866 Configuration procedure
    Configure Switch B
    # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
  • Page 867: When Switch Acts as Client for Publickey Authentication

    The Server is not authenticated. Do you continue to access it?(Y/N):y
    Do you want to save the server's public key?(Y/N):n
    Enter password:
    **************************************************************************
    Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
    **************************************************************************
    <SwitchB>...
  • Page 868 # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
    <SwitchB> system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
    # Generate RSA and DSA key pairs.
  • Page 869: When Switch Acts as Client and First-Time Authentication Is Not Supported

    The Server is not authenticated. Do you continue to access it?(Y/N):y
    Do you want to save the server's public key?(Y/N):n
    **************************************************************************
    Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  • Page 870 Network diagram Figure 1-32 Switch acts as client and first-time authentication is not supported Configuration procedure Configure Switch B # Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
  • Page 871 Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following “Configure Switch A”.
  • Page 872 Username: client001
    Trying 10.165.87.136 ...
    Press CTRL+K to abort
    Connected to 10.165.87.136 ...
    **************************************************************************
    Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
    Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
    **************************************************************************
    <SwitchB>...
  • Page 873 Table of Contents: 1 File System Management Configuration 1-1; File System Configuration 1-1; Introduction to File System 1-1; File System Configuration Task List 1-1; Directory Operations 1-2; File Operations 1-2; Flash Memory Operations 1-3; Prompt Mode Configuration 1-4; File System Configuration Examples 1-4; File Attribute Configuration 1-5; Introduction to File Attributes 1-5; Booting with the Startup File 1-6...
  • Page 874: File System Management Configuration

    Prompt Mode Configuration | Optional
    The 3Com 5500-EI series Ethernet switches support Expandable Resilient Networking (XRN), and allow you to access a file on a switch in one of the following ways: To access a file on the specified unit, you need to specify the file in universal resource locator (URL) format, starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
  • Page 875: Directory Operations

    Directory Operations
    The file system provides directory-related functions, such as:
    Creating/deleting a directory
    Displaying the current work directory, or contents in a specified directory
    Follow these steps to perform directory-related operations:
    To do… | Use the command… | Remarks
    Create a directory | mkdir directory | Optional. Available in user view
    Optional...
  • Page 876: Flash Memory Operations

    To do… | Use the command… | Remarks
    Rename a file | rename fileurl-source fileurl-dest | Optional. Available in user view
    Copy a file | copy fileurl-source fileurl-dest | Optional. Available in user view
    Move a file | move fileurl-source fileurl-dest | Optional. Available in user view
    Display the content of a file | more file-url | Optional. Available in user view...
  • Page 877: Prompt Mode Configuration

    The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable. Prompt Mode Configuration You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause data loss, for example, deleting or overwriting a file.
  • Page 878: File Attribute Configuration

    Directory of unit1>flash:/
    1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin
    -rwh Apr 01 2000 23:55:49 snmpboots
    -rwh Apr 02 2000 00:47:30 hostkey
    -rwh Apr 02 2000 00:47:38 serverkey
    -rw- 1220 Apr 02 2000 00:06:57 song.cfg
    -rw- 26103 Jan 01 1970 00:04:34 testv1r1.bin
    -rwh Apr 01 2000 23:55:53...
  • Page 879: Booting With The Startup File

    For the Web file and configuration file, 3Com may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a certain order. The device selects Web files in the following steps: If the default Web file exists, the device will boot with the default Web file;...
  • Page 880: Configuring File Attributes

    Configuring File Attributes You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes: To do…...
  • Page 881: Configuration File Backup And Restoration

    Configuration File Backup and Restoration
    Introduction to Configuration File Backup and Restoration
    Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up and restore the configuration files in the whole fabric as well as in a specific unit.
  • Page 882 Table of Contents: 1 FTP and SFTP Configuration 1-1; Introduction to FTP and SFTP 1-1; Introduction to FTP 1-1; Introduction to SFTP 1-2; FTP Configuration 1-2; FTP Configuration: A Switch Operating as an FTP Server 1-2; FTP Configuration: A Switch Operating as an FTP Client 1-6; Configuration Example: A Switch Operating as an FTP Server 1-9; FTP Banner Display Configuration Example 1-11; FTP Configuration: A Switch Operating as an FTP Client 1-12...
  • Page 883: Introduction to FTP and SFTP

    Binary mode for program file transfer
    ASCII mode for text file transfer
    A 3Com switch 5500-EI can act as an FTP client or the FTP server in FTP-employed data transmission:
    Table 1-1 Roles that a 3Com switch 5500-EI acts as in FTP...
  • Page 884: Introduction to SFTP

    With a 3Com switch 5500-EI serving as an FTP client, the seven-segment digital LED on the front panel of the switch rotates clockwise when the FTP client (the 3Com switch 5500-EI) is downloading files from an FTP server, and stops rotating when the file downloading is finished, as...
  • Page 885 Disabled by default. Only one user can access a 3Com switch 5500-EI at a given time when the latter operates as an FTP server. Operating as an FTP server, a 3Com switch 5500-EI cannot receive a file whose size exceeds its storage space.
  • Page 886 Follow these steps to configure connection idle time:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the connection idle time for the FTP server | ftp timeout minutes | Optional. 30 minutes by default
    Specifying the source interface and source IP address for an FTP server
    You can specify the source interface and source IP address for an FTP server to enhance server security.
  • Page 887 Required server With a 3Com switch 5500-EI acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the 3Com switch 5500-EI will disconnect the user after the data transmission is completed.
  • Page 888: FTP Configuration: A Switch Operating as an FTP Client

    Figure 1-3 Process of displaying a shell banner
    Follow these steps to configure the banner display for an FTP server:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure a login banner | header login text | Required. Use either command or both. By default, no banner is...
    Configure a shell banner | header shell text | ...
  • Page 889 To do… | Use the command… | Remarks
    Enter FTP client view | ftp [ cluster | remote-server [ port-number ] ] | —
    Specify to transfer files in ASCII characters | ascii | Use either command. By default, files are transferred in ASCII characters.
    Specify to transfer files in...
  • Page 890 To do… | Use the command… | Remarks
    Download a remote file from the FTP server | get remotefile [ localfile ]
    Upload a local file to the remote FTP server | put localfile [ remotefile ]
    Rename a file on the remote server | rename remote-source remote-dest
    Log in with the specified user...
  • Page 891: Configuration Example: A Switch Operating as an FTP Server

    The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for each connection.
  • Page 892 [Sysname] local-user switch
    [Sysname-luser-switch] password simple hello
    [Sysname-luser-switch] service-type ftp
    Configure the PC (FTP client)
    Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
  • Page 893: FTP Banner Display Configuration Example

    Boot ROM menu. A 3Com switch is not shipped with FTP client application software. You need to purchase and install it yourself.
    Configure Switch A (FTP server)
    # After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) to be the startup file used when the switch starts the next time, and restart the switch.
  • Page 894: FTP Configuration: A Switch Operating as an FTP Client

    Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
  • Page 895 Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) Configure the switch (FTP client) # Log in to the switch.
  • Page 896: SFTP Configuration: A Switch Operating as an SFTP Server

    <Sysname> boot boot-loader switch.bin
    <Sysname> reboot
    For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
    SFTP Configuration
    Complete the following tasks to configure SFTP:
    Task | Remarks
    Enabling an SFTP server...
  • Page 897: SFTP Configuration: A Switch Operating as an SFTP Client

    For configurations on client software, see the corresponding configuration manual. Currently a 3Com switch 5500-EI operating as an SFTP server supports the connection of only one SFTP user. When multiple users attempt to log in to the SFTP server or multiple connections are enabled on a client, only the first user can log in to the SFTP server.
  • Page 898 To do… | Use the command… | Remarks
    Enter SFTP client view | sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | ... | Required. Support for the 3des keyword depends on the number of...
  • Page 899: SFTP Configuration Example

    If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is used;...
  • Page 900 [Sysname] public-key local create dsa
    # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
    [Sysname] interface vlan-interface 1
    [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
    [Sysname-Vlan-interface1] quit
    # Specify the SSH authentication mode as AAA.
  • Page 901 sftp-client>
    # Display the current directory of the server. Delete the file z and verify the result.
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    drwxrwxrwx...
  • Page 902 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
    drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
    Received status: End of file
    Received status: Success
    # Download the file pubkey2 from the server and rename it as public.
  • Page 903: Tftp Configuration

    A 3Com Switch 5500-EI can act as a TFTP client only. When a 3Com Switch 5500-EI serving as a TFTP client downloads files from the TFTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise, and it stops rotating when...
  • Page 904: Tftp Configuration: A Switch Operating As A Tftp Client

    TFTP Configuration Complete the following tasks to configure TFTP: Task Remarks Basic configurations on a TFTP — client TFTP Configuration: A Switch Specifying the source interface Operating as a TFTP Client or source IP address for an Optional FTP client For details, see the TFTP server configuration —...
  • Page 905: Tftp Configuration Example

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Specify the source IP address used for the current connection: tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] } (Optional; not specified by default)...
  • Page 906 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.) <Sysname>...
  • Page 907 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
  • Page 908 Table of Contents: 1 Information Center (1-1); Information Center Overview (1-1); Introduction to Information Center (1-1); System Information Format (1-4); Information Center Configuration (1-7); Information Center Configuration Task List (1-7); Configuring Synchronous Information Output (1-7); Configuring to Display the Time Stamp with the UTC Time Zone (1-8); Setting to Output System Information to the Console (1-8); Setting to Output System Information to a Monitor Terminal (1-10); Setting to Output System Information to a Log Host (1-11)...
  • Page 909: Information Center

    Information Center When configuring information center, go to these sections for information you are interested in: Information Center Overview Information Center Configuration Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 910 Information filtering by severity works this way: information whose severity value is greater than the configured threshold is not output. If the threshold is set to 1, only information of severity emergencies is output; if the threshold is set to 8, information of all severities is output.
  • Page 911 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and description are shown in Table 1-3. Table 1-3 Source module name list Module name Description 8021X 802.1X module Access control list module ADBM Address base module...
  • Page 912: System Information Format

    Module name Description SYSMIB System MIB module HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module Virtual type terminal module XModem module default Default settings for all the modules To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output destinations.
  • Page 913 If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 914 %Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login Sysname Sysname is the system name of the local switch and defaults to “3Com”. You can use the sysname command to modify the system name (refer to the System Maintenance and Debugging part of this manual for details). Note that there is a space between the sysname and module fields.
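    The following is an added example, not code from this manual or from 3Com: a parser for the console-format system information shown above, run over the LOGIN line printed on this page plus constructed lines, with the severity threshold rule described under Page 910 (output only when the severity value is less than or equal to the threshold) and an optional module filter. The ARP and IP sample lines and their digests (ARPINFO, IPERROR) are constructed for the example; the source-IP extraction assumes the VTY(address) form that appears in the LOGIN line.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Severity keywords of the info-center and their numeric values: 1 is the
# most severe (emergencies), 8 the least (debugging). A message is output
# only when its severity value is <= the configured threshold.
SEVERITY = {
    "emergencies": 1, "alerts": 2, "critical": 3, "errors": 4,
    "warnings": 5, "notifications": 6, "informational": 7, "debugging": 8,
}

# %<timestamp> [<timezone>] <sysname> <module>/<severity>/<digest>:<content>
# The bracketed timezone is present only when UTC time zone display is configured.
LOG_RE = re.compile(
    r"^%(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}:\d{3}\s+\d{4})"
    r"(?:\s+\[(?P<timezone>[^\]]+)\])?"
    r"\s+(?P<sysname>\S+)"
    r"\s+(?P<module>[A-Z0-9]+)/(?P<severity>[1-8])/(?P<digest>[A-Z0-9_]+):"
    r"(?P<content>.*)$"
)

# Source address of a VTY login as it appears in the LOGIN content field.
VTY_SRC_RE = re.compile(r"VTY\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class LogRecord:
    timestamp: str
    timezone: Optional[str]
    sysname: str
    module: str
    severity: int
    digest: str
    content: str


def parse_record(line: str) -> Optional[LogRecord]:
    """Parse one console-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return LogRecord(
        m["timestamp"], m["timezone"], m["sysname"], m["module"],
        int(m["severity"]), m["digest"], m["content"].strip(),
    )


def passes_filter(rec: LogRecord, threshold: str,
                  modules: Optional[Iterable[str]] = None) -> bool:
    """Info-center rule: drop when severity value > threshold, or when a
    module list is given and the record's module is not in it."""
    if modules is not None and rec.module not in set(modules):
        return False
    return rec.severity <= SEVERITY[threshold]


def filter_lines(lines: Iterable[str], threshold: str,
                 modules: Optional[Iterable[str]] = None) -> List[LogRecord]:
    """Parse and filter; lines that do not parse are skipped, not guessed at."""
    out: List[LogRecord] = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None and passes_filter(rec, threshold, modules):
            out.append(rec)
    return out


def login_sources(records: Iterable[LogRecord]) -> List[Tuple[str, str]]:
    """Collect (sysname, source IP) for SHELL LOGIN events that carry VTY(address)."""
    found: List[Tuple[str, str]] = []
    for rec in records:
        if rec.module == "SHELL" and rec.digest == "LOGIN":
            m = VTY_SRC_RE.search(rec.content)
            if m:
                found.append((rec.sysname, m.group(1)))
    return found


# Constructed sample input: the first line is the one printed in the manual,
# the rest are made up for this example (real module names, invented digests).
SAMPLE_LINES = [
    "%Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login",
    "%Dec 8 10:13:02:010 2006 [GMT+08:00:00] Sysname ARP/7/ARPINFO:- 1 - constructed informational ARP message",
    "%Dec 8 10:13:40:500 2006 Sysname IP/4/IPERROR:- 1 - constructed error-level IP message",
    "this line is not in the info-center format",
]

if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES, "errors"):
        print(rec.module, rec.severity, rec.digest, rec.content)
    print(login_sources(filter_lines(SAMPLE_LINES, "debugging")))
```

    With threshold "errors" only the IP/4 line survives, which mirrors the "log level errors" setting used in the log host example later in this chapter; with "informational" and modules ARP and IP, the SHELL login is excluded by module rather than by severity.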
  • Page 915: Information Center Configuration

    Source This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. Context This field provides the content of the system information. Information Center Configuration Information Center Configuration Task List Complete the following tasks to configure information center:...
  • Page 916: Configuring To Display The Time Stamp With The Utc Time Zone

    If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt (except the Y/N string) will be echoed after the output, but your input will be displayed in a new line.
  • Page 917 To do… / Use the command… / Remarks: Enable system information output to the console: info-center console channel { channel-number | channel-name } (Optional; by default, the switch uses information channel 0 to output log/debugging/trap information to the console). Configure the output...: info-center source { modu-name | default } channel (Optional)...
  • Page 918: Setting To Output System Information To A Monitor Terminal

    Follow these steps to enable the system information display on the console: To do… / Use the command… / Remarks: Enable the debugging/log/trap information terminal display function: terminal monitor (Optional; enabled by default). Enable the debugging information terminal display function: terminal debugging (Optional; disabled by default).
  • Page 919: Setting To Output System Information To A Log Host

    When there are multiple Telnet users or dumb terminal users, they share some configuration parameters, including the module filter, language and severity level threshold. In this case, a change to any such parameter made by one user is also reflected on all other user terminals. To view debugging information of specific modules, you need to set the information type as debug when setting the system information output rules, and enable debugging for the corresponding modules through the debugging command.
  • Page 920: Setting To Output System Information To The Trap Buffer

    To do… / Use the command… / Remarks: Enable information output for a specified switch in a fabric: info-center switch-on { unit unit-id | master | all } [ debugging | logging | ... (Optional; by default, debugging information output is enabled, and log and trap information output are disabled, for the master switch in a fabric.)
  • Page 921: Setting To Output System Information To The Log Buffer

    To do… / Use the command… / Remarks: Enable system information output to the trap buffer: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* (Optional; by default, the switch uses information channel 3 to output trap information to the trap buffer, which can hold up to 256 items by default.)
  • Page 922: Displaying And Maintaining Information Center

    To do… / Use the command… / Remarks: Enable information output to the SNMP NMS: info-center snmp channel { channel-number | channel-name } (Optional; by default, the switch outputs trap information to SNMP through channel 5). Configure the output...: info-center source { modu-name | default } channel { channel-number |... (Optional)
  • Page 923: Information Center Configuration Examples

    Information Center Configuration Examples Log Output to a UNIX Log Host Network requirements The switch sends the following log information to the Unix log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-1 Network diagram for log output to a Unix log host Network...
  • Page 924: Log Output To A Linux Log Host

    When you edit the file “/etc/syslog.conf”, note that: A comment must start on a new line and begin with a “#” sign. In each pair, a tab must be used as the separator instead of a space. No space is allowed at the end of a file name. The device name (facility) and received log information severity level specified in the file “/etc/syslog.conf”...
  • Page 925 <Switch> system-view [Switch] info-center enable # Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host. [Switch] info-center loghost 202.38.1.10 facility local7 [Switch] info-center source default channel loghost log level errors debug state off trap state off Configure the log host:...
  • Page 926: Log Output To The Console

    Log Output to the Console Network requirements The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-3 Network diagram for log output to the console Configuration procedure # Enable the information center.
  • Page 927 Network diagram Figure 1-4 Network diagram Configuration procedure # Name the local time zone z8 and configure it to be eight hours ahead of UTC time. <Switch> clock timezone z8 add 08:00:00 # Set the time stamp format of the log information to be output to the log host to date. <Switch>...
  • Page 928 Table of Contents: 1 Boot ROM and Host Software Loading (1-1); Introduction to Loading Approaches (1-1); Local Boot ROM and Software Loading (1-2); BOOT Menu (1-2); Loading by XModem through Console Port (1-3); Loading by TFTP through Ethernet Port (1-8); Loading by FTP through Ethernet Port (1-10); Remote Boot ROM and Software Loading (1-11); Remote Loading Using FTP (1-11); Remote Loading Using TFTP (1-16)...
  • Page 929: Introduction To Loading Approaches

    Boot ROM and Host Software Loading The configuration of auto power down on Ethernet interfaces is added. For the detailed configuration, refer to Enabling Auto Power Down on an Ethernet Port. Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading.
  • Page 930: Local Boot Rom And Software Loading

    BOOT Menu Starting..****************************************************************** Switch 5500-EI 52-Port BOOTROM, Version 3.03 ****************************************************************** Copyright (c) 2004-2008 3Com Corporation and its licensors. Creation date : Aug 22 2008, 14:05:45 CPU Clock Speed : 200MHz BUS Clock Speed : 33MHz Memory Size...
  • Page 931: Loading By Xmodem Through Console Port

    To enter the BOOT menu, you should press <Ctrl+B> within five seconds (full startup mode) or one second (fast startup mode) after the information “Press Ctrl-B to enter BOOT Menu...” displays. Otherwise, the system starts to extract the program; and if you want to enter the BOOT Menu at this time, you will have to restart the switch.
  • Page 932 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 2: Press 3 in the above menu to download the Boot ROM using XModem. The system displays the following setting menu for download baudrate: Please select your download baudrate: 1.* 9600 2.
  • Page 933 Figure 1-1 Properties dialog box Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3.
  • Page 934 Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program. Step 6: Press <Enter> to start downloading the program. The system displays the following information: Now please start transfer file with XMODEM protocol. If you want to exit, Press <Ctrl+X>.
  • Page 935 Figure 1-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Step 4 and 5). Then, press any key as prompted.
  • Page 936: Loading By Tftp Through Ethernet Port

    The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading. You can also use the xmodem get command to load host software through the Console port (of AUX type).
  • Page 937 TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu. At the prompt "Enter your choice(0-9):" in the BOOT Menu, press <6> or <Ctrl+U>, and then press <Enter>...
  • Page 938: Loading By Ftp Through Ethernet Port

    When loading the Boot ROM and host software using TFTP through the BOOT menu, it is recommended that you use a PC directly connected to the device as the TFTP server, to improve upgrade reliability. Note that TFTP and FTP carry the image, and FTP the user name and password, in cleartext, so a directly connected PC also limits where that traffic can be observed. Loading by FTP through Ethernet Port Introduction to FTP FTP is an application-layer protocol in the TCP/IP protocol suite.
  • Page 939: Remote Boot Rom And Software Loading

    Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required: Load File name :switch.btm Switch IP address :10.1.1.2 Server IP address :10.1.1.1 FTP User Name :Switch FTP User Password :abc Step 5: Press <Enter>.
  • Page 940 As shown in Figure 1-8, a PC is used as both the configuration device and the FTP server. You can telnet to the switch, and then execute the FTP commands to download the Boot ROM program switch.btm from the remote FTP server (whose IP address is 10.1.1.1) to the switch. Figure 1-8 Remote loading using FTP Client Step 1: Download the program to the switch using FTP commands.
  • Page 941 Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch. After the above operations, the Boot ROM and host software loading is completed.
  • Page 942 [Sysname-luser-test] password simple pass [Sysname-luser-test] service-type ftp Step 4: Enable FTP client software on the PC. Refer to Figure 1-10 for the command line interface in the Windows operating system. Figure 1-10 Command line interface Step 5: Use the cd command on the interface to enter the directory where the Boot ROM upgrade file is stored.
  • Page 943 Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13. Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname>...
  • Page 944: Remote Loading Using Tftp

    Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for the next startup of the switch.
  • Page 945: Basic System Configuration And Debugging

    — from user view. Set the system name of the switch: sysname sysname (Optional; by default, the name is 3Com). Return from the current view to the lower-level view: quit (Optional; if the current view is user view, you quit the current user interface).
  • Page 946: Displaying The System Status

    Displaying the System Status To do… / Use the command… / Remarks: Display the current date and time of the system: display clock. Display the version of the system: display version. Display information about the users logged on to the switch: display users [ all ]. (All available in any view.) Debugging the System...
  • Page 947: Displaying Debugging Status

    You can use the following commands to enable the two switches (the protocol debugging switch and the screen output switch). Follow these steps to enable debugging and terminal display for a specific module: To do… / Use the command… / Remarks: Enable system debugging for a specific module: debugging module-name [ debugging-option ] (Required; disabled for all modules by default).
  • Page 948: Network Connectivity Test

    Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: ping tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. To do…...
  • Page 949: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Introduction to Device Management Device Management Configuration Displaying the Device Management Configuration Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management includes the following: Reboot the Ethernet switch Configure real-time monitoring of the running status of the system Specify the APP to be used at the next reboot...
  • Page 950: Scheduling A Reboot On The Switch

    Before rebooting, the system checks whether there is any configuration change. If there is, it prompts whether or not to proceed. This prevents the system from losing the configuration when it is shut down without the configuration being saved. Use the following command to reboot the Ethernet switch: To do…...
  • Page 951: Specifying The App To Be Used At Reboot

    Enabling this function consumes some CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
  • Page 952: Upgrading The Host Software In The Fabric

    Currently, in the S5500-EI series Ethernet switches, the auto power down configuration does not take effect on 1000BASE-X SFP Ports Upgrading the Host Software in the Fabric You can execute the following command on any device in a Fabric to use specified host software to upgrade all devices in a Fabric, thus realizing the software version consistency in this Fabric.
  • Page 953: Displaying The Device Management Configuration

    To do… / Use the command… / Remarks: Display the main parameters of the pluggable transceiver(s): display transceiver interface [ interface-type interface-number ] (Available for all pluggable transceivers). Display part of the electrical label information of the anti-spoofing pluggable transceiver(s): display transceiver manuinfo interface [ interface-type... (Available for anti-spoofing transceiver(s))
  • Page 954: Remote Switch App Upgrade Configuration Example

    To do… / Use the command… / Remarks: Display system diagnostic information, or save it to a file with the extension .diag in the Flash memory: display diagnostic-information. Display enabled debugging on a specified switch or on all switches in the fabric: display debugging { fabric | unit unit-id } [ interface interface-type interface-number ] [ module-name ]...
  • Page 955 Refer to the Login Operation part of this manual for configuration commands and steps about telnet user. Execute the telnet command on the PC to log into the switch. The following prompt appears: <Sysname> If the Flash memory of the switch is not sufficient, delete the original applications before downloading the new ones.
  • Page 956 Unit 1: The current boot app is: switch.app The main boot app is: switch.app The backup boot app is: # Reboot the switch to upgrade the Boot ROM and host software of the switch. <Sysname> reboot Start to check configuration with next startup configuration file, please wait..
  • Page 957 Table of Contents: 1 VLAN-VPN Configuration (1-1); VLAN-VPN Overview (1-1); Introduction to VLAN-VPN (1-1); Implementation of VLAN-VPN (1-2); Configuring the TPID for VLAN-VPN Packets (1-2); Inner-to-Outer Tag Priority Replicating and Mapping (1-3); Transparent IGMP Message Transmission on a VLAN-VPN Port (1-3); VLAN-VPN Configuration (1-3); VLAN-VPN Configuration Task List (1-3); Enabling the VLAN-VPN Feature for a Port (1-4); Configuring the TPID Value for VLAN-VPN Packets on a Port (1-4); Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature (1-5)...
  • Page 958: Vlan-Vpn Configuration

    VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: VLAN-VPN Overview VLAN-VPN Configuration Displaying and Maintaining VLAN-VPN Configuration VLAN-VPN Configuration Example VLAN-VPN Overview Introduction to VLAN-VPN Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network.
  • Page 959: Implementation Of Vlan-Vpn

    Figure 1-2 Structure of packets with double-layer VLAN tags Destination MAC address Source MAC address Outer VLAN Tag Inner VLAN Tag Data Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: It provides Layer 2 VPN tunnels that are simpler. VLAN-VPN can be implemented through manual configuration.
  • Page 960: Inner-To-Outer Tag Priority Replicating And Mapping

    VLAN-VPN frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag, so a device that does not recognise the configured TPID value treats the frame as untagged with an unknown protocol type.
  • Page 961: Enabling The Vlan-Vpn Feature For A Port

    Task Remarks Enabling the VLAN-VPN Feature for a Port Required Configuring the TPID Value for VLAN-VPN Packets on a Port Optional Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature Optional Enabling Transparent IGMP Message Transmission on a VLAN-VPN Port Optional Caution: As XRN fabric is mutually exclusive with VLAN-VPN, make sure that XRN fabric is disabled on the...
  • Page 962: Configuring The Inner-To-Outer Tag Priority Replicating And Mapping Feature

    Note: Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 5500-EI switch. For the Switch 5500-EI series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
  • Page 963: Displaying And Maintaining Vlan-Vpn Configuration

    To do… / Use the command… / Description: Enable transparent IGMP message transmission on the VLAN-VPN port: igmp transparent enable (Required; by default, transparent IGMP message transmission is disabled on a VLAN-VPN port). Caution: If your switch is required to process the IGMP messages received on a VLAN-VPN port (for example, because IGMP or IGMP snooping is enabled on the port), you must disable transparent IGMP message transmission on the port so that the switch can process the IGMP messages normally.
  • Page 964 Network diagram Figure 1-4 Network diagram for VLAN-VPN configuration Configuration procedure Configure Switch A. # Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag. <SwitchA>...
  • Page 965 [SwitchB] interface Ethernet 1/0/21 [SwitchB-Ethernet1/0/21] vlan-vpn enable [SwitchB-Ethernet1/0/21] quit # Set the TPID value of Ethernet1/0/22 to 0x9200 (for intercommunication with the devices in the public network) and set the port as a trunk port permitting packets of VLAN 1040. [SwitchB] interface Ethernet 1/0/22 [SwitchB-Ethernet1/0/22] vlan-vpn tpid 9200 [SwitchB-Ethernet1/0/22] quit [SwitchB] interface Ethernet 1/0/22 [SwitchB-Ethernet1/0/22] port link-type trunk...
  • Page 966: Selective Qinq Configuration

    Selective QinQ Configuration When configuring selective QinQ, go to these sections for information you are interested in: Selective QinQ Overview Selective QinQ Configuration Selective QinQ Configuration Example Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags.
  • Page 967: Mac Address Replicating

    telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner VLAN tags.
  • Page 968: Selective Qinq Configuration

    Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, through which the outbound port to the service provider network can be determined through the MAC address table of the default VLAN and user packets destined for the service provider can be unicast.
  • Page 969: Selective Qinq Configuration Example

    Note: Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do...
  • Page 970 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
  • Page 971 [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged [SwitchA-Ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] port link-type hybrid [SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
  • Page 972 [SwitchB] interface Ethernet 1/0/11 [SwitchB-Ethernet1/0/11] port link-type hybrid [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged # Configure Ethernet1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN . Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000. [SwitchB] interface Ethernet 1/0/12 [SwitchB-Ethernet1/0/12] port link-type hybrid [SwitchB-Ethernet1/0/12] port hybrid pvid...
  • Page 973: Bpdu Tunnel Configuration

    BPDU Tunnel Configuration When configuring BPDU tunnel, go to these sections for information you are interested in: BPDU Tunnel Overview BPDU Tunnel Configuration Displaying and Maintaining BPDU Tunnel Configuration BPDU Tunnel Configuration Example BPDU Tunnel Overview Introduction to the BPDU Tunnel Feature Normally, Layer 2 protocols are needed in a LAN for network topology maintenance and management.
  • Page 974 Figure 3-1 BPDU Tunnel network hierarchy When a BPDU packet coming from a customer network reaches an edge device in the service provider network, the edge device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a private multicast MAC address, which can be defined using a command.
  • Page 975: Bpdu Tunnel Configuration

    Caution: To prevent the devices in the service provider network from processing the tunnel packets as other protocol packets, the MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the service provider network. BPDU Tunnel Configuration You can establish BPDU tunnels between Switch 5500-EI series Ethernet switches for the packets of the following protocols:...
  • Page 976: Displaying And Maintaining Bpdu Tunnel Configuration

    Note: The BPDU Tunnel is unavailable to all the ports of a device if the device has the fabric feature enabled on one of its ports. If BPDU tunnel transparent transmission is enabled for packets of a protocol, the protocol cannot be enabled on the port.
  • Page 977 Network diagram: Figure 3-4 Network diagram for BPDU Tunnel configuration. Configuration procedure: Configure Provider 1. # Disable STP on Ethernet1/0/1. <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp disable # Enable the BPDU tunnel feature for STP BPDUs on Ethernet1/0/1. [Sysname-Ethernet1/0/1] bpdu-tunnel stp # Enable the VLAN-VPN feature on Ethernet1/0/1 and use VLAN 100 to transmit user data packets through BPDU tunnels.
  • Page 978 # Configure the destination MAC address for the packets transmitted in the tunnel. [Sysname-Ethernet1/0/4] quit [Sysname] bpdu-tunnel tunnel-dmac 010f-e233-8b22 # Configure Ethernet1/0/3 as a trunk port that permits packets of all VLANs. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] port link-type trunk [Sysname-Ethernet1/0/3] port trunk permit vlan all...
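The edge-device MAC rewrite described in the BPDU Tunnel Overview, as an added example that is not part of the 3Com manual: a Python model of the ingress and egress edge switches, and of what a provider core switch running STP does with the frame with and without the rewrite. It assumes the IEEE 802.1D STP destination address 01-80-c2-00-00-00, takes the tunnel DMAC 010f-e233-8b22 from the configuration example above, and adds a reserved-block check of its own; the Frame and EdgeSwitch classes, the check_tunnel_dmac helper and the sample BPDU bytes are constructed for illustration.

```python
"""Added example (not code from the 3Com manual): a model of what the
BPDU tunnel edge device does to an STP BPDU, plus the checks a practitioner
would apply to a candidate tunnel-dmac before configuring it.

Assumptions: STP/RSTP BPDUs carry the IEEE 802.1D destination MAC
01-80-c2-00-00-00; the tunnel destination MAC 010f-e233-8b22 is the one
used in the manual's configuration example; only STP is tunneled here,
so the egress edge restores the STP address unconditionally.
"""
from dataclasses import dataclass

STP_DMAC = bytes.fromhex("0180c2000000")              # 802.1D bridge group address
BRIDGE_RESERVED_PREFIX = bytes.fromhex("0180c20000")  # 01-80-c2-00-00-xx block


@dataclass
class Frame:
    dst: bytes
    src: bytes
    payload: bytes


def parse_mac(text: str) -> bytes:
    """Accept Comware 'xxxx-xxxx-xxxx' or colon-separated notation."""
    hexstr = text.replace("-", "").replace(":", "")
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC address: {text}")
    return bytes.fromhex(hexstr)


def format_mac(mac: bytes) -> str:
    h = mac.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def check_tunnel_dmac(mac: bytes) -> tuple[bool, str]:
    """Pre-deployment checks for a 'bpdu-tunnel tunnel-dmac' value.

    The manual's caution requires a multicast address; the reserved-block
    check is this example's own, since a 01-80-c2-00-00-xx address would be
    consumed by the provider's own bridges instead of being flooded.
    """
    if not mac[0] & 0x01:                      # I/G bit clear -> unicast
        return False, f"{format_mac(mac)} is unicast; tunnel DMAC must be multicast"
    if mac.startswith(BRIDGE_RESERVED_PREFIX):
        return False, f"{format_mac(mac)} is in the reserved bridge address block"
    return True, "ok"


class EdgeSwitch:
    """Provider edge with 'bpdu-tunnel stp' on its customer-facing port."""

    def __init__(self, tunnel_dmac_text: str):
        self.tunnel_dmac = parse_mac(tunnel_dmac_text)
        ok, reason = check_tunnel_dmac(self.tunnel_dmac)
        if not ok:
            raise ValueError(reason)

    def customer_to_provider(self, frame: Frame) -> Frame:
        """Ingress from the customer: replace the STP DMAC with the tunnel DMAC."""
        if frame.dst == STP_DMAC:
            return Frame(self.tunnel_dmac, frame.src, frame.payload)
        return frame

    def provider_to_customer(self, frame: Frame) -> Frame:
        """Egress to the customer: restore the STP DMAC (single-protocol assumption)."""
        if frame.dst == self.tunnel_dmac:
            return Frame(STP_DMAC, frame.src, frame.payload)
        return frame


def core_switch_action(frame: Frame) -> str:
    """What a provider core switch running STP, with no tunnel feature, does."""
    if frame.dst == STP_DMAC:
        return "consumed by local STP"          # customer topology leaks into the core
    if frame.dst[0] & 0x01:
        return "flooded in VLAN"                # unknown multicast is forwarded transparently
    return "forwarded by MAC table"


# Constructed sample: LLC header (DSAP/SSAP 0x42, UI) followed by a zeroed
# configuration BPDU body; the bytes are placeholders, not a capture.
SAMPLE_BPDU = Frame(STP_DMAC, bytes.fromhex("000fe2000001"),
                    bytes.fromhex("424203") + bytes(35))


def tunnel_roundtrip(tunnel_dmac_text: str, bpdu: Frame):
    """Returns (DMAC inside the provider, core action, DMAC handed to the customer)."""
    ingress = EdgeSwitch(tunnel_dmac_text)
    egress = EdgeSwitch(tunnel_dmac_text)
    inside = ingress.customer_to_provider(bpdu)
    action = core_switch_action(inside)
    delivered = egress.provider_to_customer(inside)
    return format_mac(inside.dst), action, format_mac(delivered.dst)


if __name__ == "__main__":
    print(core_switch_action(SAMPLE_BPDU))                  # without the tunnel
    print(tunnel_roundtrip("010f-e233-8b22", SAMPLE_BPDU))  # with the tunnel
```

Feeding check_tunnel_dmac a unicast address or one from the 01-80-c2-00-00-xx block shows the two ways of violating the Caution: the first would be switched like a station address rather than flooded, and the second would be consumed by the provider's own bridges, which is exactly the "processing the tunnel packets as other protocol packets" the manual warns against.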
  • Page 979 Table of Contents: 1 remote-ping Configuration 1-1; remote-ping Overview 1-1; Introduction to remote-ping 1-1; Test Types Supported by remote-ping 1-2; remote-ping Test Parameters 1-2; remote-ping Configuration 1-4; remote-ping Server Configuration 1-4; remote-ping Client Configuration 1-5; Displaying remote-ping Configuration 1-22; remote-ping Configuration Examples 1-22; ICMP Test 1-22; DHCP Test 1-24; FTP Test 1-25...
  • Page 980: remote-ping Configuration

    remote-ping Configuration. When configuring remote-ping, go to these sections for the information you need: remote-ping Overview; remote-ping Configuration; remote-ping Configuration Examples. remote-ping Overview. Introduction to remote-ping. remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
  • Page 981: Test Types Supported by remote-ping

    Test Types Supported by remote-ping. Among the test types supported by remote-ping, only the ICMP test can be performed when XRN fabric is enabled; all other test types cannot be performed when XRN fabric is enabled. Table 1-1 Test types supported by remote-ping (columns: Supported test types, Description): ICMP test...
  • Page 982 Test parameter / Description. Test type (test-type): You can use remote-ping to test a variety of protocols, see Table 1-1 for details. To perform a type of test, you must first create a test group of this type. One test group can be of only one remote-ping test type. If you modify the test type of a test group using the test-type command, the parameter settings, test results, and history records of the original test type will all be cleared.
  • Page 983: remote-ping Configuration

    Test parameter / Description. File name for FTP operation (filename): Name of a file to be transferred between the remote-ping client and the FTP server. Size of a file to be uploaded in an FTP test (filesize): Size of a file to be uploaded in an FTP test. Jitter test is used to collect statistics about delay jitter in UDP packet transmission...
  • Page 984: remote-ping Client Configuration

    Note that: The remote-ping server function is needed only for jitter, TCP, and UDP tests. You can configure multiple TCP/UDP listening services on one remote-ping server, with each listening service corresponding to a specific destination IP address and port number. remote-ping Client Configuration. remote-ping client configuration. After the remote-ping client is enabled, you can create multiple test groups for different tests, without the...
  • Page 985 To do… / Use the command… / Remarks. Configure the number of probes per test: count times (Optional; by default, each test makes one probe). Configure the packet size: datasize size (Optional; by default, the packet size is 56 bytes). Configure a stuffing character: datafill string (Optional; by default, the numbers between 0 and 255 are stuffed...
  • Page 986 To do… / Use the command… / Remarks. Configure the probe timeout time: timeout time (Optional; by default, a probe times out in three seconds). Configure the type of service (ToS): tos value (Optional; by default, the service type is zero). Start the test: test-enable (Required). Required...
  • Page 987 To do… / Use the command… / Remarks. Enable history record: history-record enable (Optional; by default, history record is not enabled). Configure the retaining time of history record: history keep-time keep-time (Optional; by default, the retaining time of history record is 120 minutes). Configure statistics interval and the... (Optional)
  • Page 988 To do… / Use the command… / Remarks. Configure the source IP address: source-ip ip-address (Required; by default, no source IP address is configured). Configure the source port: source-port port-number (Optional; by default, no source port is configured). Configure the test type: test-type ftp (Required; by default, the test type is ICMP).
  • Page 989 To do… / Use the command… / Remarks. Configure the type of service: tos value (Optional; by default, the service type is zero). Configure the type of FTP operation: ftp-operation { get | put } (Optional; by default, the type of FTP operation is get, that is, the FTP operation will get a file from the FTP server).
  • Page 990 To do… / Use the command… / Remarks. Configure the source port: source-port port-number (Optional; by default, no source port is configured). Configure the test type: test-type http (Required; by default, the test type is ICMP). Configure the number of probes per test: count times (Optional; by default, each test makes one probe).
  • Page 991 To do… / Use the command… / Remarks. Configure the probe timeout time: timeout time (Optional; by default, a probe times out in three seconds). Configure the type of service: tos value (Optional; by default, the service type is zero). Configure the type of HTTP operation: http-operation { get | post } (Optional; by default, the type of HTTP operation is get, that is, the...
  • Page 992 To do… / Use the command… / Remarks. Configure the source port: source-port port-number (Optional; by default, no source port is configured). Configure the test type: test-type jitter [ codec codec-value ] (Required; by default, the test type is ICMP). Configure the number of probes per test: count times (Optional; by default, each test makes...
  • Page 993 To do… / Use the command… / Remarks. Configure the TTL: ttl number (Optional; by default, TTL is 20. The sendpacket passroute command voids the ttl command). Configure the automatic test interval: frequency interval (Optional; by default, the automatic test interval is zero seconds, indicating no automatic test will be made).
  • Page 994 To do… / Use the command… / Remarks. Configure the source port: source-port port-number (Optional; by default, no source port is configured). Configure the test type: test-type snmpquery (Required; by default, the test type is ICMP). Configure the number of probes per test: count times (Optional; by default, each test makes one probe).
  • Page 995 To do… / Use the command… / Remarks. Configure the probe timeout time: timeout time (Optional; by default, a probe times out in three seconds). Configure the type of service: tos value (Optional; by default, the service type is zero). Start the test: test-enable (Required). Required...
  • Page 996 To do… / Use the command… / Remarks. Configure the number of probes per test: count times (Optional; by default, one probe is made per test). Configure a test description: description string (Optional; by default, no description information is configured). Configure the automatic test interval: frequency interval (Optional; by default, the automatic test interval is...
  • Page 997 Configuring UDP test on remote-ping client. Follow these steps to configure UDP test on remote-ping client: To do… / Use the command… / Remarks. Enter system view: system-view (Required). Enable the remote-ping client function: remote-ping-agent enable (Required; by default, the remote-ping client function is disabled).
  • Page 998 To do… / Use the command… / Remarks. Configure a test description: description string (Optional; by default, no description information is configured). Enable history record: history-record enable (Optional; by default, history record is not enabled). Configure the retaining time of history record: history keep-time keep-time (Optional; by default, the retaining time of history record...
  • Page 999 To do… / Use the command… / Remarks. Enable the remote-ping client function: remote-ping-agent enable (Required; by default, the remote-ping client function is disabled). Create a remote-ping test group and enter its view: remote-ping administrator-name operation- (Required; by default, no test group is configured).
  • Page 1000 To do… / Use the command… / Remarks. Configure the automatic test interval: frequency interval (Optional; by default, the automatic test interval is zero seconds, indicating no automatic test will be made). Configure the probe timeout time: timeout time (Optional; by default, a probe times out in three seconds).

This manual is also suitable for:

5500-ei series