3Com 4500G Family Configuration Manual

24/48 port
3Com Switch 4500G Family

Configuration Guide

Switch 4500G 24-Port
Switch 4500G 48-Port
Switch 4500G PWR 24-Port
Switch 4500G PWR 48-Port
Product Version:
V05.02.00
Manual Version:
6W101-20100310
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064

Summary of Contents for 3Com 4500G Family

  • Page 1: Configuration Guide

    3Com Switch 4500G Family Configuration Guide Switch 4500G 24-Port Switch 4500G 48-Port Switch 4500G PWR 24-Port Switch 4500G PWR 48-Port Product Version: V05.02.00 Manual Version: 6W101-20100310 www.3com.com 3Com Corporation 350 Campus Drive, Marlborough, MA, USA 01752 3064...
  • Page 2 Copyright © 2009-2010, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: About This Manual

    About This Manual Organization 3Com Switch 4500G Family Configuration Guide is organized as follows: Volume Features 00-Product Product Overview Acronyms Overview Ethernet Link Ethernet Port Port Isolation MSTP Aggregation 01-Access Volume LLDP VLAN GVRP QinQ BPDU Tunneling Mirroring IP Addressing...
  • Page 4 Conventions The manual uses the following conventions: Command conventions Convention Description Boldface The keywords of a command line are in Boldface. italic Command arguments are in italic. Items (keywords or arguments) in square brackets [ ] are optional. Alternative items are grouped in braces and separated by vertical bars. { x | y | ...
  • Page 5 3Com Switch 4500G Family Getting This guide provides all the information you need to install Started Guide and use the 3Com Switch 4500G Family. Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL:...
  • Page 6: Table Of Contents

    Table of Contents 1 Correspondence between Documentation and Software······································································1-1 2 Product Features ·······································································································································2-1 Introduction to Product ····························································································································2-1 Feature Lists ···········································································································································2-1 3 Features······················································································································································3-1 Access Volume ·······································································································································3-1 IP Services Volume·································································································································3-3 IP Routing Volume ··································································································································3-4 Multicast Volume·····································································································································3-5 QoS Volume············································································································································3-5 Security Volume ······································································································································3-6 High Availability Volume··························································································································3-7 System Volume ·······································································································································3-8...
  • Page 7: Correspondence Between Documentation And Software

    Correspondence between Documentation and Software 3Com Switch 4500G Family Configuration Guide-V05.02.00 and 3Com Switch 4500G Family Command Reference Guide-V05.02.00 are for the software versions V05.02.00 and V05.02.00P19 of the 3Com Switch 4500G. The supported features differ between these software versions. For details, refer to Table 1-1.
  • Page 8 Software Version | Added and Modified Features Compared With The Earlier Version | Manual Version. Modified features: 06-Security Volume/12-ARP Attack Protection, arp detection mode command. Deleted features: —. V05.02.00: — — —...
  • Page 9: Product Features

    Product Features Introduction to Product 3Com Switches 4500G are Gigabit Ethernet switching products which have abundant service features. They are designed as distribution and access devices for intranets and metropolitan area networks (MANs). They can also be used for connecting server groups in data centers. Feature Lists 3Com Switches 4500G support abundant features and the related documents are divided into the volumes as listed in...
  • Page 10 Volume Features Basic System Device File System Login Configuration Management Management MAC Address HTTP SNMP RMON Table System 08-System Information Maintaining and Hotfix Volume Center Debugging Cluster Stack Management Management Automatic Configuration...
  • Page 11: Features

    Features The following sections provide an overview of the main features of each module supported by the 3Com Switch 4500G. Access Volume Table 3-1 Features in Access volume Features Description This document describes: Combo Port Configuration Basic Ethernet Interface Configuration Configuring Flow Control on an Ethernet Interface Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface...
  • Page 12 Features Description LLDP enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: LLDP Introduction to LLDP Performing Basic LLDP Configuration Configuring CDP Compatibility Configuring LLDP Trapping...
  • Page 13: Ip Services Volume

    IP Services Volume Table 3-2 Features in the IP Services volume Features Description An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: IP Address Introduction to IP addresses IP address configuration Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
  • Page 14: Ip Routing Volume

    Features Description A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted. This document Dual Stack describes: Dual stack overview...
  • Page 15: Multicast Volume

    Multicast Volume Table 3-4 Features in Multicast volume Features Description This document describes the main concepts in multicast: Introduction to Multicast Multicast Overview Multicast Models Multicast Architecture Multicast Packets Forwarding Mechanism Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 16: Security Volume

    Security Volume Table 3-6 Features in the Security volume Features Description Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS AAA configuration RADIUS configuration HWTACACS configuration...
  • Page 17: High Availability Volume

    Features Description Secure Sockets Layer (SSL) is a security protocol that provides a secure connection service for TCP-based application layer protocols; this document describes SSL-related configuration. Public Key Configuration This document describes Public Key Configuration. An ACL is used for identifying traffic based on a series of preset matching criteria.
  • Page 18: System Volume

    Features Description In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction Enabling DLDP Setting DLDP Mode DLDP Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication...
  • Page 19 Features Description Basic system configuration involves the configuration of device name, system clock, welcome message, user privilege levels and so on. This document describes: Basic System Configuration Configuration display Basic configurations CLI features Through the device management function, you can view the current condition of your device and configure running parameters.
  • Page 20 Features Description For the majority of protocols and features supported, the system provides corresponding debugging information to help users diagnose errors. This System Maintenance document describes: and Debugging Maintenance and debugging overview Maintenance and debugging configuration As the system information hub, Information Center classifies and manages all types of system information.
  • Page 21 Features Description Network Time Protocol (NTP) is the TCP/IP protocol that advertises the accurate time throughout the network. This document describes: NTP overview Configuring the Operation Modes of NTP Configuring Optional Parameters of NTP Configuring Access-Control Rights Configuring NTP Authentication A cluster is a group of network devices. Cluster management implements management of large numbers of distributed network devices.
  • Page 22 Appendix A Acronyms # A B C D E F G H I K L M N O P Q R S T U V W X Z Acronyms Full spelling Return 10GE Ten-GigabitEthernet Return Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current ACKnowledgement...
  • Page 23 Acronyms Full spelling Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent Burst Tolerance Return Call Appearance Certificate Authority Committed Access Rate Committed Burst Size Class Based Queuing Constant Bit Rate Core-Based Tree International Telephone and Telegraph Consultative...
  • Page 24 Acronyms Full spelling Connectivity Verification Return Deeper Application Recognition Data Circuit-terminal Equipment Database Description Digital Data Network DHCP Dynamic Host Configuration Protocol Designated IS DLCI Data Link Connection Identifier DLDP Device Link Detection Protocol Domain Name System Downstream on Demand Denial of Service Designated Router DSCP...
  • Page 25 Acronyms Full spelling Forward Defect Indication Forwarding Equivalence Class Fast Failure Detection Forwarding Group Forwarding information base FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast ReRoute FRTT Fairness Round Trip Time Functional Test File Transfer Protocol Return GARP Generic Attribute Registration Protocol...
  • Page 26 Acronyms Full spelling International Business Machines ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol for IPv6 IDentification/IDentity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 27 Acronyms Full spelling LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol Label Edge Router LFIB Label Forwarding Information Base Label Information Base Link Layer Control LLDP Link Layer Discovery Protocol Loss of continuity Call Logging Line Rate...
  • Page 28 Acronyms Full spelling MLD-Snooping Multicast Listener Discovery Snooping Meet-Me Conference MODEM MOdulator-DEModulator Multilink PPP MP-BGP Multiprotocol extensions for BGP-4 Middle-level PE MP-group Multilink Point to Point Protocol group MPLS Multiprotocol Label Switching MPLSFW Multi-protocol Label Switch Forward Multicast Port Management Mobile Switching Center MSDP Multicast Source Discovery Protocol...
  • Page 29 Acronyms Full spelling NPDU Network Protocol Data Unit Network Provider Edge Network Quality Analyzer NSAP Network Service Access Point NetStream Collector N-SEL NSAP Selector NSSA Not-So-Stubby Area NTDP Neighbor Topology Discovery Protocol Network Time Protocol Return Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3...
  • Page 30 Acronyms Full spelling Point Of Presence Packet Over SDH Point-to-Point Protocol PPTP Point to Point Tunneling Protocol PPVPN Provider-provisioned Virtual Private Network Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP Permanent Virtual Channel Pseudo wires Return QACL...
  • Page 31 Acronyms Full spelling Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol Return Source Active Subnetwork Bandwidth Management...
  • Page 32 Acronyms Full spelling Shortest Path Tree Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c SDH Transport Module -16c STM-4c SDH Transport Module -4c Spanning Tree Protocol Signalling Virtual Connection Switch-MDT Switch-Multicast Distribution Tree Return...
  • Page 33 Acronyms Full spelling Virtual Channel Identifier Virtual Ethernet Virtual File System VLAN Virtual Local Area Network Virtual Leased Lines Video On Demand VoIP Voice over IP Virtual Operate System VPDN Virtual Private Dial-up Network VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch Virtual Private Network...
  • Page 34: Manual Version

    Access Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The Access Volume is organized as follows: Features Description This document describes: Combo Port Configuration Basic Ethernet Interface Configuration Configuring an Auto-negotiation Transmission Rate Configuring Flow Control on an Ethernet Interface Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface Configuring Loopback Testing on an Ethernet Interface...
  • Page 35 Features Description MSTP is used to eliminate loops in a LAN. It is compatible with STP and RSTP. This document describes: MSTP Introduction to MSTP Configuring MSTP LLDP enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links.
  • Page 36 Features Description Port mirroring copies packets passing through a port to another port connected with a monitoring device for packet analysis to help implement network monitoring and troubleshooting. Traffic mirroring is implemented by a QoS policy, which defines certain match criteria to match the packets to be mirrored and defines the action of mirroring such packets to the specified destination.
  • Page 37 Table of Contents 1 Ethernet Port Configuration ·····················································································································1-1 Ethernet Port Configuration ····················································································································1-1 Combo Port Configuration ···············································································································1-1 Basic Ethernet Port Configuration ···································································································1-1 Configuring an Auto-negotiation Transmission Rate·······································································1-2 Configuring Flow Control on an Ethernet Port ················································································1-3 Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Port················1-4 Configuring Loopback Testing on an Ethernet Port ········································································1-4 Configuring a Port Group·················································································································1-5 Configuring Storm Suppression ······································································································1-5...
  • Page 38: Ethernet Port Configuration

    Ethernet Port Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding port. For a Combo port, the electrical port and the corresponding optical port are TX-SFP multiplexed.
  • Page 39: Configuring An Auto-Negotiation Transmission Rate

    Similarly, if you configure the transmission rate for an Ethernet port by using the speed command with the auto keyword specified, the transmission rate is determined through auto-negotiation too. For a Gigabit Ethernet port, you can specify the transmission rate by its auto-negotiation capacity. For details, refer to Configuring an Auto-negotiation Transmission Rate.
  • Page 40: Configuring Flow Control On An Ethernet Port

    Figure 1-1 An application diagram of auto-negotiation transmission rate As shown in Figure 1-1, the network card transmission rate of the server group (Server 1, Server 2, and Server 3) is 1000 Mbps, and the transmission rate of GigabitEthernet 1/0/4, which provides access to the external network for the server group, is 1000 Mbps too.
  • Page 41: Configuring The Suppression Time Of Physical-Link-State Change On An Ethernet Port

    Follow these steps to enable flow control on an Ethernet port: To do… | Use the command… | Remarks: Enter system view | system-view | —. Enter Ethernet port view | interface interface-type interface-number | —. Enable flow control | flow-control | Required; disabled by default. Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Port An Ethernet port operates in one of two physical link states: up or down.
  • Page 42: Configuring A Port Group

    To do… | Use the command… | Remarks: Enable loopback testing | loopback { external | internal } | Optional; disabled by default. As for the internal loopback test and external loopback test, if a port is down (port state shown as DOWN), only the former is available on it; if the port is shut down (port state shown as ADM or Administratively DOWN), both are unavailable.
  • Page 43: Setting The Interval For Collecting Ethernet Port Statistics

    The storm suppression ratio settings configured for an Ethernet port may become invalid if you enable the storm constrain function for the port. For information about the storm constrain function, see Configuring the Storm Constrain Function on an Ethernet Port. Follow these steps to set storm suppression ratios for one or multiple Ethernet ports: To do…...
  • Page 44: Enabling Forwarding Of Jumbo Frames

    To do… | Use the command… | Remarks: Set the interval for collecting statistics on the Ethernet port | flow-interval interval | Optional; by default, the interval for collecting port statistics is 300 seconds. Enabling Forwarding of Jumbo Frames Due to the tremendous amount of traffic occurring on an Ethernet port, it is likely that some frames greater than the standard Ethernet frame size are received.
  • Page 45: Configuring The Mdi Mode For An Ethernet Port

    To do… | Use the command… | Remarks: Enter system view | system-view | —. Enable global loopback detection | loopback-detection enable | Required; disabled by default. Configure the interval for port loopback detection | loopback-detection interval-time time | Optional; 30 seconds by default. Enter Ethernet port view | interface interface-type... | —
  • Page 46: Testing The Cable On An Ethernet Port

    3 and pin 6 are used for transmitting signals. To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the MDI mode depending on the cable types. Normally, the auto mode is recommended. The other two modes are useful only when the device cannot determine the cable type.
  • Page 47 and takes corresponding actions (that is, blocking or shutting down the port and sending trap messages and logs) when the traffic detected exceeds the threshold. Alternatively, you can configure the storm suppression function to control a specific type of traffic. As the function and the storm constrain function are mutually exclusive, do not enable them at the same time on an Ethernet port.
  • Page 48: Displaying And Maintaining An Ethernet Port

    To do… | Use the command… | Remarks: Specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper... | storm-constrain enable log | Optional; by default, the system sends log when the traffic detected exceeds the upper threshold or drops down below the lower...
  • Page 49 To do… | Use the command… | Remarks: Display the information about a manual port group or all the port groups | display port-group manual [ all | name port-group-name ] | Available in any view. Display the information about the loopback function | display loopback-detection | Available in any view. Display the information about... | display storm-constrain
  • Page 50 Table of Contents 1 Ethernet Link Aggregation Configuration·······························································································1-1 Overview ·················································································································································1-1 Basic Concepts································································································································1-2 Aggregating Links in Static Mode····································································································1-5 Aggregating Links in Dynamic Mode·······························································································1-7 Load Sharing Criteria for Link Aggregation Groups ········································································1-8 Ethernet Link Aggregation Configuration Task List ················································································1-9 Configuring an Aggregation Group ·········································································································1-9 Configuration Guidelines ·················································································································1-9 Configuring a Static Aggregation Group························································································1-10 Configuring a Dynamic Aggregation Group···················································································1-10...
  • Page 51: Ethernet Link Aggregation Configuration

    Ethernet Link Aggregation Configuration When configuring Ethernet link aggregation, go to these sections for information you are interested in: Overview Ethernet Link Aggregation Configuration Task List Configuring an Aggregation Group Configuring an Aggregate Interface Configuring Load Sharing for Link Aggregation Groups Displaying and Maintaining Ethernet Link Aggregation Ethernet Link Aggregation Configuration Examples The extended LACP function is added in V05.02.00P19 on the 3Com Switch 4500G.
  • Page 52: Basic Concepts

    Basic Concepts Aggregation group, member port, aggregate interface Link aggregation is implemented through link aggregation groups. An aggregation group is a group of Ethernet interfaces aggregated together. For each aggregation group, a logical interface, called an aggregate interface, is created. To an upper layer entity that uses the link aggregation service, a link aggregation group looks like a single logical link, and data traffic is transmitted through the aggregate interface.
  • Page 53 Table 1-1 Class-two configurations Item Considerations Port isolation Whether the port has joined an isolation group QinQ enable state (enable/disable), TPID for VLAN tags, outer VLAN QinQ tags to be added, inner-to-outer VLAN priority mappings, inner-to-outer VLAN tag mappings, inner VLAN ID substitution mappings Permitted VLAN IDs, default VLAN, link type (trunk, hybrid, or access), IP VLAN subnet-based VLAN configuration, protocol-based VLAN configuration,...
  • Page 54 Table 1-2 Basic and extended LACP functions Category Description Implemented through the basic LACPDU fields including the system LACP priority, system MAC address, port LACP priority, port number, and operational key. Each member port in a LACP-enabled aggregation group exchanges the Basic LACP functions above information with its peer.
  • Page 55: Aggregating Links In Static Mode

    Currently, the 3Com Switch 4500G family supports returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs. Link aggregation modes There are two link aggregation modes: dynamic and static.
  • Page 56 Selecting a reference port The system selects a reference port from the member ports that are in the up state and have the same class-two configurations as the aggregate interface. The candidate ports are sorted by duplex and speed in this order: full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed.
  • Page 57: Aggregating Links In Dynamic Mode

    Because any port attribute or class-two configuration change on a member port may change the aggregation state of that port and of other member ports, and thus affect services, make such changes with caution. A port that joins the static aggregation group after the selected port limit has been reached will not be placed in the selected state even if it normally should be.
  • Page 58: Load Sharing Criteria For Link Aggregation Groups

    Figure 1-3 Set the state of a member port in a dynamic aggregation group Set the aggregation state of a member port Is there any hardware restriction? Is the port up? Port attribute/class-two configurations same as the reference port? Port attribute/class-two configurations same as the peer port of the reference port? More candidate ports than...
  • Page 59: Ethernet Link Aggregation Configuration Task List

    MAC addresses carried in packets IP addresses carried in packets Port numbers carried in packets Ethernet Link Aggregation Configuration Task List Complete the following tasks to configure Ethernet link aggregation: Task | Remarks: Configuring an Aggregation Group: Configuring a Static Aggregation Group, Configuring a Dynamic Aggregation Group | Select either task...
  • Page 60: Configuring A Static Aggregation Group

    Configuring a Static Aggregation Group To guarantee a successful static aggregation, ensure that the ports at both ends of each link are in the same aggregation state. Follow these steps to configure a static aggregation group: To do... Use the command... Remarks Enter system view system-view...
  • Page 61: Configuring An Aggregate Interface

    To do... | Use the command... | Remarks: Create a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view | interface bridge-aggregation interface-number | Required. When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
  • Page 62: Enabling Link State Trapping For An Aggregate Interface

    Enabling Link State Trapping for an Aggregate Interface With the link state trapping function enabled, an aggregate interface generates linkUp trap messages when its link goes up and linkDown trap messages when its link goes down. For more information, refer to SNMP Configuration in the System Volume.
  • Page 63 You can configure global or group-specific load sharing criteria. A link aggregation group preferentially uses the group-specific load sharing criteria. If no group-specific load sharing criteria are available, it uses the global load sharing criteria. Configuring the global link-aggregation load sharing criteria Follow these steps to configure the global link-aggregation load sharing criteria: To do...
  • Page 64: Displaying And Maintaining Ethernet Link Aggregation

    Currently, when you configure the load sharing criterion or criteria for a link aggregation group, the switch supports the following criteria: Use a source IP address alone. Use a destination IP address alone. Use a source MAC address alone. Use a destination MAC address alone. Combine a source IP address and a destination IP address.
  • Page 65: Static Aggregation Configuration Example

    Static Aggregation Configuration Example Network requirements As shown in Figure 1-4: Device A and Device B are connected through their respective Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3. Configure a Layer 2 static link aggregation group on Device A and Device B respectively, enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end.
  • Page 66 [DeviceA-gigabitethernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-gigabitethernet1/0/2] port link-aggregation group 1 [DeviceA-gigabitethernet1/0/2] quit [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-gigabitethernet1/0/3] port link-aggregation group 1 [DeviceA-gigabitethernet1/0/3] quit # Configure Layer 2 aggregate interface 1 as a trunk port and assign it to VLANs 10 and 20. This configuration automatically propagates to all the member ports in link aggregation group 1.
  • Page 67: Dynamic Aggregation Configuration Example

    [DeviceA] display link-aggregation load-sharing mode Link-Aggregation Load-Sharing Mode: destination-mac address, source-mac address The output shows that all link aggregation groups created on the device perform load sharing based on source and destination MAC addresses. Dynamic Aggregation Configuration Example Network requirements As shown in Figure 1-5: Device A and Device B are connected through their respective Layer 2 Ethernet interfaces...
  • Page 68 [DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic [DeviceA-Bridge-Aggregation1] quit # Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-gigabitethernet1/0/1] port link-aggregation group 1 [DeviceA-gigabitethernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-gigabitethernet1/0/2] port link-aggregation group 1 [DeviceA-gigabitethernet1/0/2] quit [DeviceA] interface gigabitethernet 1/0/3 [DeviceA-gigabitethernet1/0/3] port link-aggregation group 1 [DeviceA-gigabitethernet1/0/3] quit...
  • Page 69: Aggregation Load Sharing Configuration Example

    ------------------------------------------------------------------------------- BAGG1 0x8000, 000f-e2ff-0002 Shar The output shows that link aggregation group 1 is a load sharing Layer 2 dynamic aggregation group and it contains three selected ports. # Display the global link-aggregation load sharing criteria on Device A. [DeviceA] display link-aggregation load-sharing mode Link-Aggregation Load-Sharing Mode: destination-mac address, source-mac address The output shows that all link aggregation groups created on the device perform load sharing based on...
  • Page 70 # Create VLAN 20, and assign port GigabitEthernet1/0/6 to VLAN 20. [DeviceA] vlan 20 [DeviceA-vlan20] port gigabitEthernet 1/0/6 [DeviceA-vlan20] quit # Create Layer 2 aggregate interface 1, and configure the load sharing criterion for the link aggregation group as the source MAC addresses of packets. [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac [DeviceA-Bridge-Aggregation1] quit...
  • Page 71 This configuration automatically propagates to all the member ports in link aggregation group 2. [DeviceA] interface bridge-aggregation 2 [DeviceA-Bridge-Aggregation2] port link-type trunk [DeviceA-Bridge-Aggregation2] port trunk permit vlan 10 20 Please wait... Done. Configuring GigabitEthernet1/0/3... Done. Configuring GigabitEthernet1/0/4... Done. [DeviceA-Bridge-Aggregation2] quit Configure Device B Configure Device B as you configure Device A.
  • Page 72 Table of Contents: 1 Port Isolation Configuration (1-1); Introduction to Port Isolation (1-1); Configuring the Isolation Group (1-1); Assigning a Port to the Isolation Group (1-1); Displaying and Maintaining Isolation Groups (1-2); Port Isolation Configuration Example (1-2)...
  • Page 73: Port Isolation Configuration

    VLAN, allowing for great flexibility and security. Currently, the 3Com Switch 4500G family supports only one isolation group, which is created automatically by the system as isolation group 1. You can neither remove this isolation group nor create other isolation groups on these devices.
  • Page 74: Displaying And Maintaining Isolation Groups

    Displaying and Maintaining Isolation Groups. To do… / Use the command… / Remarks: Display the isolation group information: display port-isolate group (available in any view). Port Isolation Configuration Example. Network requirements: Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device.
  • Page 75 Uplink port support: NO Group ID: 1 Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3...
  • Page 76 Table of Contents: 1 MSTP Configuration (1-1); Overview (1-1); Introduction to STP (1-1); Why STP (1-1); Protocol Packets of STP (1-2); Basic Concepts in STP (1-2); How STP works (1-3); Introduction to RSTP (1-9); Introduction to MSTP (1-10); Why MSTP (1-10); Basic Concepts in MSTP (1-11); How MSTP Works (1-14); Implementation of MSTP on Devices (1-15); Protocols and Standards (1-15)...
  • Page 77: MSTP Configuration

    MSTP Configuration BPDU dropping is added in V05.02.00P19 on the 3Com Switch 4500G. For details, please refer to Enabling BPDU Dropping. When configuring MSTP, go to these sections for information you are interested in: Overview Introduction to STP Introduction to RSTP Introduction to MSTP MSTP Configuration Task List Configuring MSTP...
  • Page 78: Protocol Packets of STP

    Protocol Packets of STP STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the network devices to complete spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used for calculating a spanning tree and maintaining the spanning tree topology.
  • Page 79: How STP Works

    Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
  • Page 80 For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: Root bridge ID (represented by device priority) Root path cost (related to the rate of the link connecting the port) Designated bridge ID (represented by device priority) Designated port ID (represented by port name) Calculation process of the STP algorithm Initial state...
  • Page 81 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device Table 1-3 describes the process of selecting the root port and designated ports.
  • Page 82 Figure 1-2 Network diagram for the STP algorithm (Device A with priority 0, Device B with priority 1, Device C with priority 2). Initial state of each device: Table 1-4 shows the initial state of each device. Table 1-4 Initial state of each device (columns: Device, Port name, BPDU of port)...
  • Page 83 BPDU of port Device Comparison process after comparison Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 84 BPDU of port Device Comparison process after comparison After comparison: Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU Blocked port CP2: of CP2 is elected as the optimum BPDU, and CP2 is elected...
  • Page 85: Introduction to RSTP

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
  • Page 86: Introduction to MSTP

    Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 87: Basic Concepts in MSTP

    Basic Concepts in MSTP. Figure 1-4 Basic concepts in MSTP (regions A0, B0 and D0 exchanging BPDUs; in region A0, VLAN 1 is mapped to instance 1, VLAN 2 to instance 2 and other VLANs to the CIST; in region B0, VLAN 1 is mapped to instance 1 with B as regional root bridge, and VLAN 2 to instance 2)...
  • Page 88 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
  • Page 89 During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
  • Page 90: How MSTP Works

    Port states In MSTP, port states fall into the following three: Forwarding: the port learns MAC addresses and forwards user traffic; Learning: the port learns MAC addresses but does not forward user traffic; Discarding: the port neither learns MAC addresses nor forwards user traffic. When in different MSTIs, a port can be in different states.
  • Page 91: Implementation of MSTP on Devices

    Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on Devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
  • Page 92 Task / Remarks: Enabling the MSTP Feature (Required); Configuring an MST Region (Required); Configuring the Work Mode of an MSTP Device (Optional); Configuring the Timeout Factor (Optional); Configuring the Maximum Port Rate (Optional); Configuring Ports as Edge Ports (Optional); Configuring the leaf nodes: Configuring Path Costs of Ports (Optional); Configuring Port Priority...
  • Page 93: Configuring MSTP

    Configuring MSTP. Configuring an MST Region: Make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region. To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter MST region view: ...
  • Page 94: Configuring The Root Bridge Or A Secondary Root Bridge

    Configuring the Root Bridge or a Secondary Root Bridge MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system.
  • Page 95: Configuring the Work Mode of an MSTP Device

    After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of a Device.
  • Page 96: Configuring the Maximum Hops of an MST Region

    After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the spanning tree. Configuring the Maximum Hops of an MST Region By setting the maximum hops of an MST region, you can restrict the region size.
  • Page 97: Configuring Timers of MSTP

    Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is considered as a device. The network diameter must be configured on the root bridge.
  • Page 98: Configuring The Timeout Factor

    To do... / Use the command... / Remarks: Configure the max age timer: stp timer max-age time (Optional; 2,000 centiseconds (20 seconds) by default). The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced;...
  • Page 99: Configuring The Maximum Port Rate

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Configure the timeout factor of the device: stp timer-factor factor (Required; 3 by default). Configuring the Maximum Port Rate: The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello time.
  • Page 100: Configuring Path Costs Of Ports

    To do... / Use the command... / Remarks: Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name (Required; use either command). Configure the current ports as edge ports: stp edged-port enable (Required; all ports are non-edge ports by default).
  • Page 101 Table 1-7 Link speed vs. path cost (columns: link speed, duplex state, 802.1d-1998, 802.1t, private standard). Duplex state —: 802.1d-1998 65535, 802.1t 200,000,000, private standard 200,000. 10 Mbps, single port: 802.1t 2,000,000, private standard 2,000; aggregate link, 2 ports: 1,000,000 and 1,800; aggregate link, 3 ports: 666,666 and 1,600; aggregate link, 4 ports: 500,000 and 1,400. Single port...
  • Page 102: Configuring Port Priority

    If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
  • Page 103: Configuring The Link Type Of Ports

    When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends on the index number of the port. Changing the priority of a port triggers a new spanning tree calculation process.
  • Page 104: Enabling The Output Of Port State Transition Information

    dot1s: 802.1s-compliant standard format, and legacy: Compatible format By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format.
  • Page 105: Enabling the MSTP Feature

    To do... / Use the command... / Remarks: Enable output of port state transition information: stp port-log { all | instance instance-id } (Required; this function is enabled by default). Enabling the MSTP Feature: You must enable MSTP for the device before any other MSTP-related configurations can take effect. Make this configuration on the root bridge and on the leaf nodes separately.
  • Page 106: Configuring Digest Snooping

    By then, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode. You can perform mCheck on a port through the following two approaches, which lead to the same result. Performing mCheck globally Follow these steps to perform global mCheck: To do...
  • Page 107 Before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run MSTP. Configuring the Digest Snooping feature You can enable Digest Snooping only on a device that is connected to a third-party device that uses its private key to calculate the configuration digest.
  • Page 108: Configuring No Agreement Check

    Digest Snooping configuration example Network requirements Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region. Enable Digest Snooping on Device A and Device B so that the three devices can communicate with one another.
  • Page 109 Figure 1-7 shows the rapid state transition mechanism on MSTP designated ports. Figure 1-7 Rapid state transition of an MSTP designated port. Figure 1-8 shows rapid state transition of an RSTP designated port. Figure 1-8 Rapid state transition of an RSTP designated port (downstream device and upstream device; proposal for rapid transition...)
  • Page 110: Configuring Protection Functions

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name (Required; use either command). Enable No Agreement Check...
  • Page 111 ports and start a new spanning tree calculation process. This will cause a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur. MSTP provides the BPDU guard function to protect the system against such attacks.
  • Page 112 To do... / Use the command... / Remarks: Enter port group view: port-group manual port-group-name (Required). Enable the root guard function for the port(s): stp root-protection (Required; disabled by default). Among loop guard, root guard and edge port settings, only one function (whichever is configured the earliest) can take effect on a port at the same time.
  • Page 113 Enabling TC-BPDU guard When receiving topology change (TC) BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with forwarding address entry flushing.
  • Page 114: Displaying and Maintaining MSTP

    To do... / Use the command... / Remarks: Enable BPDU dropping for the port(s): bpdu-drop any (Required; disabled by default). Displaying and Maintaining MSTP. To do... / Use the command... / Remarks: View information about abnormally blocked ports: display stp abnormal-port (available in any view). View information about ports blocked...: display stp down-port (available in any view)...
  • Page 115 Figure 1-10 Network diagram for MSTP configuration Configuration procedure VLAN and VLAN member port configuration Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and create VLAN 20, VLAN 30, and VLAN 40 on Device D; configure the ports on these devices as trunk ports and assign them to related VLANs.
  • Page 116 <DeviceB> system-view [DeviceB] stp region-configuration [DeviceB-mst-region] region-name example [DeviceB-mst-region] instance 1 vlan 10 [DeviceB-mst-region] instance 3 vlan 30 [DeviceB-mst-region] instance 4 vlan 40 [DeviceB-mst-region] revision-level 0 # Activate MST region configuration. [DeviceB-mst-region] active region-configuration [DeviceB-mst-region] quit # Specify the current device as the root bridge of MSTI 3. [DeviceB] stp instance 3 root primary # Enable MSTP globally.
  • Page 117 # Activate MST region configuration. [DeviceD-mst-region] active region-configuration [DeviceD-mst-region] quit # Enable MSTP globally. [DeviceD] stp enable Verifying the configurations You can use the display stp brief command to display brief spanning tree information on each device after the network is stable. # Display brief spanning tree information on Device A.
  • Page 118 GigabitEthernet1/0/2 ALTE DISCARDING NONE GigabitEthernet1/0/3 ROOT FORWARDING NONE Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 1-11. Figure 1-11 MSTIs corresponding to different VLANs 1-42...
  • Page 119 Table of Contents: 1 LLDP Configuration (1-1); Overview (1-1); Background (1-1); Basic Concepts (1-2); How LLDP Works (1-5); Protocols and Standards (1-6); LLDP Configuration Task List (1-6); Performing Basic LLDP Configuration (1-7); Enabling LLDP (1-7); Setting LLDP Operating Mode (1-7); Setting the LLDP Re-Initialization Delay (1-8); Enabling LLDP Polling (1-8); Configuring the TLVs to Be Advertised (1-8); Configuring the Management Address and Its Encoding Format (1-9)...
  • Page 120: LLDP Configuration

    LLDP Configuration Displaying the LLDP information about the neighboring devices in the form of a list is added in V05.02.00P19 on the 3Com Switch 4500G. For details, please refer to the keyword list in the command display lldp neighbor-information. When configuring LLDP, go to these sections for information you are interested in: Overview LLDP Configuration Task List Performing Basic LLDP Configuration...
  • Page 121: Basic Concepts

    Basic Concepts LLDP frames LLDP sends device information in LLDP data units (LLDPDUs). LLDPDUs are encapsulated in Ethernet II or SNAP frames. Ethernet II-encapsulated LLDP frame format Figure 1-1 Ethernet II-encapsulated LLDP frame format The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame...
  • Page 122 The fields in the frame are described in Table 1-2: Table 1-2 Description of the fields in a SNAP-encapsulated LLDP frame (columns: Field, Description). Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address. The MAC address of the sending port.
  • Page 123 Type / Description / Remarks: Port ID: ID of the sending port. If MED TLVs are included in the LLDPDU, the port ID TLV carries the MAC address of the sending port, or the bridge MAC in case the port does not have a MAC address. If no MED TLVs are included, the port ID TLV carries the port name.
  • Page 124: How LLDP Works

    Type / Description: Maximum Frame Size: Indicates the supported maximum frame size. It is now the MTU of the port. LLDP-MED TLVs: LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’...
  • Page 125: Protocols And Standards

    TxRx mode. A port in this mode sends and receives LLDP frames. Tx mode. A port in this mode only sends LLDP frames. Rx mode. A port in this mode only receives LLDP frames. Disable mode. A port in this mode does not send or receive LLDP frames. Each time the LLDP operating mode of a port changes, its LLDP protocol state machine re-initializes.
  • Page 126: Performing Basic LLDP Configuration

    Task / Remarks: Setting Other LLDP Parameters (Optional); Setting an Encapsulation Format for LLDPDUs (Optional); Configuring CDP Compatibility (Optional); Configuring LLDP Trapping (Optional). LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing Basic LLDP Configuration. Enabling LLDP: To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports.
  • Page 127: Setting the LLDP Re-Initialization Delay

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name (Required; use either command). Set the LLDP operating mode: lldp admin-status { disable | rx | tx | txrx } (Optional; TxRx by default).
  • Page 128: Configuring The Management Address And Its Encoding Format

    To do… / Use the command… / Remarks: Enter Ethernet interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name (Required; use either command). Optional (by default, all ...): lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id |...
  • Page 129: Setting Other LLDP Parameters

    Setting Other LLDP Parameters The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDP frames to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.
  • Page 130: Configuring CDP Compatibility

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number; Enter port group view: port-group manual port-group-name (Required; use either command). Set the encapsulation format for ... (Required; Ethernet II encapsulation format applies by default).
  • Page 131: Configuring CDP Compatibility

    Configuring CDP Compatibility. CDP-compatible LLDP operates in one of the following two modes: TxRx, where CDP packets can be transmitted and received; Disable, where CDP packets can neither be transmitted nor received. To make CDP-compatible LLDP take effect on certain ports, first enable CDP-compatible LLDP globally and configure CDP-compatible LLDP to operate in TxRx mode.
  • Page 132: Displaying and Maintaining LLDP

    To do… / Use the command… / Remarks: Enable LLDP trap sending: lldp notification remote-change enable (Required; disabled by default). Quit to system view: quit (—). Set the interval to send LLDP traps: lldp timer notification-interval interval (Optional; 5 seconds by default). Displaying and Maintaining LLDP. To do…...
  • Page 133: Configuration Procedure

    Configuration procedure Configure Switch A. # Enable LLDP globally. <SwitchA> system-view [SwitchA] lldp enable # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx. [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx...
  • Page 134 Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV Port 2 [GigabitEthernet1/0/2]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors...
  • Page 135: CDP-Compatible LLDP Configuration Example

    Port 2 [GigabitEthernet1/0/2]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV As the sample output shows, GigabitEthernet 1/0/2 of Switch A does not connect any neighboring devices.
  • Page 136 # Enable LLDP globally and enable LLDP to be compatible with CDP globally. [SwitchA] lldp enable [SwitchA] lldp compliance cdp # Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to operate in TxRx mode, and configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 137 Table of Contents: 1 VLAN Configuration (1-1); Introduction to VLAN (1-1); VLAN Overview (1-1); VLAN Fundamentals (1-2); Types of VLAN (1-3); Configuring Basic VLAN Settings (1-3); Configuring Basic Settings of a VLAN Interface (1-4); Port-Based VLAN Configuration (1-5); Introduction to Port-Based VLAN (1-5); Assigning an Access Port to a VLAN (1-7); Assigning a Trunk Port to a VLAN (1-8); Assigning a Hybrid Port to a VLAN (1-9)...
  • Page 138: Vlan Configuration

    VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN Configuring Basic VLAN Settings Configuring Basic Settings of a VLAN Interface Port-Based VLAN Configuration MAC-Based VLAN Configuration Protocol-Based VLAN Configuration Displaying and Maintaining VLAN VLAN Configuration Example Introduction to VLAN VLAN Overview...
  • Page 139: Vlan Fundamentals

    Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required. Flexible virtual workgroup creation.
  • Page 140: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 141: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs, if you have used the isolate-user-vlan command to create mappings between them, you cannot remove them until you remove the mappings between them first.
  • Page 142: Port-Based Vlan Configuration

    Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
  • Page 143 Figure 1-4 Network diagram for port link type configuration Default VLAN By default, VLAN 1 is the default VLAN for all ports. You can configure the default VLAN for a port as required. Use the following guidelines when configuring the default VLAN on a port: Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.
  • Page 144: Assigning An Access Port To A Vlan

    Port type / Actions (in the inbound direction): untagged frame / Actions (in the inbound direction): tagged frame / Actions (in the outbound direction):
    Access / Tag the frame with the default VLAN tag / Receive the frame if its VLAN ID is the same as the default VLAN ID. Drop the frame if its... / Remove the default VLAN tag and...
  • Page 145: Assigning A Trunk Port To A Vlan

    To do… / Use the command… / Remarks:
    Enter system view / system-view / —
    Enter Ethernet interface view / interface interface-type interface-number / Required. Use either command. In Ethernet interface view, the subsequent configurations apply to the current port.
    Enter Layer-2 aggregate interface view / interface bridge-aggregation interface-number / Required. Use either command.
    Enter port...
  • Page 146: Assigning A Hybrid Port To A Vlan

    Follow these steps to assign a trunk port to one or multiple VLANs:
    To do… / Use the command… / Remarks:
    Enter system view / system-view / —
    Enter Ethernet interface view / interface interface-type interface-number / Required. Use either command. In Ethernet interface view, the subsequent configurations...
    Enter Layer-2...
  • Page 147 Follow these steps to assign a hybrid port to one or multiple VLANs:
    To do… / Use the command… / Remarks:
    Enter system view / system-view / —
    Enter Ethernet interface view / interface interface-type interface-number / Required. Use either command. In Ethernet interface view, the subsequent...
    Enter Layer-2 aggregate interface view / interface bridge-aggregation...
  • Page 148: Mac-Based Vlan Configuration

    MAC-Based VLAN Configuration Introduction to MAC-Based VLAN MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices. MAC-based VLAN implementation With MAC-based VLAN configured, the device processes received packets as follows: When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the source MAC address of the frame for a match.
  • Page 149: Protocol-Based Vlan Configuration

    MAC-based VLANs are available only on hybrid ports. Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation. With MSTP enabled, if the MST instance for the corresponding VLAN is blocked, the packet with the unknown source MAC address will fail to be sent to the CPU.
  • Page 150: Configuring A Protocol-Based Vlan

    Protocol-based VLANs are only applicable on hybrid ports. In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP. A protocol-based VLAN is defined by a protocol template comprised of encapsulation format and protocol type.
  • Page 151 To do… / Use the command… / Remarks (continued from the previous page):
    Enter port group view / port-group manual port-group-name / ...current port. In port group view, the subsequent configurations apply to all ports in the port group. In Layer-2 aggregate interface view, subsequent configurations apply to the Layer-2 aggregate interface and all its member ports.
  • Page 152: Ip Subnet-Based Vlan Configuration

    IP Subnet-Based VLAN Configuration Introduction In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.
  • Page 153: Displaying And Maintaining Vlan

    After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports. If it fails to do that on an aggregation member port, it simply skips the port and moves to the next port.
  • Page 154 GigabitEthernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through. Figure 1-5 Network diagram for port-based VLAN configuration Configuration procedure Configure Device A # Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100. <DeviceA>...
  • Page 155 Unknown-speed mode, unknown-duplex mode Link speed type is autonegotiation, link duplex type is autonegotiation Flow-control is not enabled The Maximum Frame Length is 9216 Broadcast MAX-ratio: 100% Unicast MAX-ratio: 100% Multicast MAX-ratio: 100% Allow jumbo frame to pass PVID: 100 Mdi type: auto Link delay is 0(sec) Port link-type: trunk...
  • Page 156: Isolate-User-Vlan Configuration

    Isolate-User-VLAN Configuration When configuring an isolate-user VLAN, go to these sections for information you are interested in: Overview Configuring Isolate-User-VLAN Displaying and Maintaining Isolate-User-VLAN Isolate-User-VLAN Configuration Example Overview An isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
  • Page 157 Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN; Assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN; Associate the isolate-user-VLAN with the specified secondary VLANs.
  • Page 158: Displaying And Maintaining Isolate-User-Vlan

    Displaying and Maintaining Isolate-User-VLAN
    To do... / Use the command... / Remarks:
    Display the mapping between an isolate-user-VLAN and its secondary VLAN(s) / display isolate-user-vlan [ isolate-user-vlan-id ] / Available in any view
    Isolate-User-VLAN Configuration Example
    Network requirements
    Connect Device A to downstream devices Device B and Device C.
    Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet 1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3.
  • Page 159 [DeviceB] vlan 2 [DeviceB-vlan2] port gigabitethernet 1/0/2 [DeviceB-vlan2] quit # Associate the isolate-user-VLAN with the secondary VLANs. [DeviceB] isolate-user-vlan 5 secondary 2 to 3 Configure Device C # Configure the isolate-user-VLAN. <DeviceC> system-view [DeviceC] vlan 6 [DeviceC-vlan6] isolate-user-vlan enable [DeviceC-vlan6] port gigabitethernet 1/0/5 [DeviceC-vlan6] quit # Configure the secondary VLANs.
  • Page 160 gigabitethernet 1/0/2 gigabitethernet 1/0/5 VLAN ID: 3 VLAN Type: static Isolate-user-VLAN type : secondary Route Interface: not configured Description: VLAN 0003 Name: VLAN 0003 Tagged Ports: none Untagged Ports: gigabitethernet 1/0/1 gigabitethernet 1/0/5...
  • Page 161: Voice Vlan Configuration

    Voice VLAN Configuration When configuring a voice VLAN, go to these sections for information you are interested in: Overview Configuring a Voice VLAN Displaying and Maintaining Voice VLAN Voice VLAN Configuration Overview As voice communication technologies grow more mature, voice devices are more and more widely deployed, especially on broadband networks, where voice traffic and data traffic often co-exist.
  • Page 162: Voice Vlan Assignment Modes

    Number / OUI address / Vendor: ... / 00e0-bb00-0000 / 3Com phone
    In general, an OUI address is the first 24 bits of a MAC address (in binary format): a globally unique identifier assigned to a vendor by IEEE. The OUI addresses mentioned in this document, however, differ from OUIs in this usual sense.
  • Page 163 Figure 3-2 Only IP phones access the network Both modes forward tagged packets according to their tags. The following tables list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from IP phones when different voice VLAN assignment modes are configured.
  • Page 164: Security Mode And Normal Mode Of Voice Vlans

    Table 3-3 Required configurations on ports of different link types in order for the ports to support tagged voice traffic
    Port link type / Voice VLAN assignment mode / Support for untagged voice traffic / Configuration requirements:
    Access / Automatic / —
    Access / Manual / Configure the default VLAN of the port as the voice VLAN.
  • Page 165: Configuring A Voice Vlan

    Table 3-4 How a voice VLAN-enabled port processes packets in security/normal mode
    Voice VLAN working mode / Packet type / Packet processing mode:
    ... / Untagged packets / If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; ...
    ... / Packets carrying the voice VLAN...
  • Page 166: Setting A Port To Operate In Manual Voice Vlan Assignment Mode

    To do... / Use the command... / Remarks:
    Add a recognizable OUI address / voice vlan mac-address oui mask oui-mask [ description text ] / Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 3-1 for the default OUI addresses of different vendors.
  • Page 167: Displaying And Maintaining Voice Vlan

    To do... / Use the command... / Remarks:
    Assign the port in manual voice VLAN assignment ... to a / Access port: Refer to Assigning an Access Port to a VLAN. Trunk port: Refer to Assigning a Trunk Port... / Use one of the three approaches. After you assign an access port...
  • Page 168 Device A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice packets for IP phone B. Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to work in automatic voice VLAN assignment mode. In addition, if one of them has not received any voice packet in 30 minutes, the port is removed from the corresponding voice VLAN automatically.
  • Page 169: Manual Voice Vlan Assignment Mode Configuration Example

    [DeviceA-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2. [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] voice vlan mode auto [DeviceA-GigabitEthernet1/0/2] port link-type hybrid [DeviceA-GigabitEthernet1/0/2] voice vlan 3 enable [DeviceA-GigabitEthernet1/0/2] quit Verification # Display the OUI addresses, OUI address masks, and description strings supported currently. <DeviceA>...
  • Page 170 Figure 3-4 Network diagram for manual voice VLAN assignment mode configuration Configuration procedure # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.) <DeviceA> system-view [DeviceA] voice vlan security enable # Add a recognizable OUI address 0011-2200-0000.
  • Page 171 0060-b900-0000 ffff-ff00-0000 Philips/NEC phone 00e0-7500-0000 ffff-ff00-0000 Polycom phone 00e0-bb00-0000 ffff-ff00-0000 3com phone # Display the current voice VLAN state. <DeviceA> display voice vlan state Maximum of Voice VLANs: 8 Current Voice VLANs: 1 Voice VLAN security mode: Security Voice VLAN aging time: 1440 minutes Voice VLAN enabled port and its mode: PORT VLAN...
  • Page 172 Table of Contents
    1 GVRP Configuration 1-1
      Introduction to GVRP 1-1
        GARP 1-1
        GVRP 1-3
        Protocols and Standards 1-4
      GVRP Configuration Task List 1-4
      Configuring GVRP Functions 1-4
      Configuring GARP Timers 1-5
      Displaying and Maintaining GVRP 1-6
      GVRP Configuration Examples 1-7
        GVRP Configuration Example I 1-7
        GVRP Configuration Example II 1-8
        GVRP Configuration Example III 1-9 ...
  • Page 173: Gvrp Configuration

    GVRP Configuration The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Task List Configuring GVRP Functions...
  • Page 174 Hold timer –– When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth. Join timer ––...
  • Page 175: Gvrp

    GARP message format Figure 1-1 GARP message format Figure 1-1 illustrates the GARP message format. Table 1-1 describes the GARP message fields. Table 1-1 Description on the GARP message fields Field Description Value Protocol ID Protocol identifier for GARP One or multiple messages, each containing Message ––...
  • Page 176: Protocols And Standards

    about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices.
  • Page 177: Configuring Garp Timers

    To do… / Use the command… / Remarks:
    Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view:
      Enter Ethernet interface view or Layer 2 aggregate interface view / interface interface-type interface-number / Required. Perform either of the commands.
      Enter port-group view / port-group manual port-group-name / ...
  • Page 178: Displaying And Maintaining Gvrp

    To do… / Use the command… / Remarks:
    Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view:
      Enter Ethernet or Layer 2 aggregate interface view / interface interface-type interface-number / Required. Perform either of the commands. Depending on the view you accessed, the subsequent configuration takes effect on a...
      Enter port-group view / port-group manual...
  • Page 179: Gvrp Configuration Examples

    To do… / Use the command… / Remarks:
    Display the current GVRP state / display gvrp state interface interface-type interface-number vlan vlan-id / Available in any view
    Display statistics about GVRP / display gvrp statistics [ interface interface-list ] / Available in any view
    Display the global GVRP state / display gvrp status / Available in any view
    Display the information about...
  • Page 180: Gvrp Configuration Example Ii

    [DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on trunk port GigabitEthernet 1/0/1. [DeviceB-GigabitEthernet1/0/1] gvrp [DeviceB-GigabitEthernet1/0/1] quit # Create VLAN 3 (a static VLAN).
  • Page 181: Gvrp Configuration Example Iii

    [DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally. <DeviceB> system-view [DeviceB] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1.
  • Page 182 [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to forbidden on the port. [DeviceA-GigabitEthernet1/0/1] gvrp [DeviceA-GigabitEthernet1/0/1] gvrp registration forbidden [DeviceA-GigabitEthernet1/0/1] quit # Create VLAN 2 (a static VLAN). [DeviceA] vlan 2 Configure Device B # Enable GVRP globally.
  • Page 183 Table of Contents
    1 QinQ Configuration 1-1
      Introduction to QinQ 1-1
        Background and Benefits 1-1
        How QinQ Works 1-2
        QinQ Frame Structure 1-2
        Implementations of QinQ 1-3
        Modifying the TPID in a VLAN Tag 1-3
        Protocols and Standards 1-4
      QinQ Configuration Task List 1-5
      Configuring Basic QinQ 1-5
        Enabling Basic QinQ 1-5
      Configuring Selective QinQ 1-5 ...
  • Page 184: Qinq Configuration

    QinQ Configuration When configuring QinQ, go to these sections for information you are interested in: Introduction to QinQ QinQ Configuration Task List Configuring Basic QinQ Configuring Selective QinQ Configuring the TPID Value in VLAN Tags QinQ Configuration Examples Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that a customer uses on the private network;...
  • Page 185: How Qinq Works

    How QinQ Works The devices in the public network forward a frame only according to its outer VLAN tag and learn its source MAC address into the MAC address table of the outer VLAN. The inner VLAN tag of the frame is transmitted as the payload.
  • Page 186: Implementations Of Qinq

    Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN tag is 4 bytes. Therefore, it is recommended that you increase the MTU of each interface on the service provider network.
  • Page 187: Protocols And Standards

    Figure 1-3 VLAN tag structure of an Ethernet frame The device determines whether a received frame carries an SVLAN tag or a CVLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame.
  • Page 188: Qinq Configuration Task List

    QinQ Configuration Task List Table 1-2 QinQ configuration task list Configuration task Remarks Configuring Basic QinQ Optional Configuring Selective QinQ Configuring an Outer VLAN Tagging Policy Optional Configuring the TPID Value in VLAN Tags Optional QinQ requires configurations only on the service provider network, not on the customer network. QinQ configurations made in Ethernet interface view take effect on the current interface only;...
  • Page 189: Configuring The Tpid Value In Vlan Tags

    Follow these steps to configure an outer VLAN tagging policy:
    To do... / Use the command... / Remarks:
    Enter system view / system-view / —
    Enter Ethernet or Layer-2 aggregate interface view or port group view:
      Enter interface view / interface interface-type interface-number / Required. Use either command
      Enter port group view / port-group manual...
  • Page 190 Make configuration to achieve the following: Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the service provider network. Frames of VLAN 250 through VLAN 350 can be exchanged between Customer B1 and Customer B2 through VLAN 50 of the service provider network.
  • Page 191 [ProviderA-GigabitEthernet1/0/2] port hybrid vlan 50 untagged # Enable basic QinQ on GigabitEthernet 1/0/2. [ProviderA-GigabitEthernet1/0/2] qinq enable [ProviderA-GigabitEthernet1/0/2] quit Configure GigabitEthernet 1/0/3 # Configure GigabitEthernet 1/0/3 as a trunk port to permit frames of VLAN 10 and 50 to pass through. [ProviderA] interface gigabitethernet 1/0/3 [ProviderA-GigabitEthernet1/0/3] port link-type trunk [ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 10 50...
  • Page 192: Comprehensive Selective Qinq Configuration Example

    Comprehensive Selective QinQ Configuration Example Network requirements Provider A and Provider B are edge devices on the service provider network and are interconnected through trunk ports. They belong to SVLAN 1000 and SVLAN 2000 separately. Customer A, Customer B and Customer C are edge devices on the customer network. Third-party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B.
  • Page 193 # Tag CVLAN 10 frames with SVLAN 1000. [ProviderA-GigabitEthernet1/0/1] qinq vid 1000 [ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10 [ProviderA-GigabitEthernet1/0/1-vid-1000] quit # Tag CVLAN 20 frames with SVLAN 2000. [ProviderA-GigabitEthernet1/0/1] qinq vid 2000 [ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20 [ProviderA-GigabitEthernet1/0/1-vid-2000] quit [ProviderA-GigabitEthernet1/0/1] quit Configure GigabitEthernet 1/0/2 # Configure GigabitEthernet 1/0/2 as a hybrid port to permit frames of VLAN 1000 to pass through, and configure GigabitEthernet 1/0/2 to send packets of VLAN 1000 with tag removed.
  • Page 194 [ProviderB-GigabitEthernet1/0/2] qinq vid 2000 [ProviderB-GigabitEthernet1/0/2-vid-2000] raw-vlan-id inbound 20 # Set the TPID value in the outer tag to 0x8200. [ProviderA-GigabitEthernet1/0/3] quit [ProviderA] qinq ethernet-type 8200 Configuration on third-party devices Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/1 of Provider B to allow tagged frames of VLAN 1000 and VLAN 2000 to pass through.
  • Page 195 Table of Contents
    1 BPDU Tunneling Configuration 1-1
      Introduction to BPDU Tunneling 1-1
        Background 1-1
        BPDU Tunneling Implementation 1-2
      Configuring BPDU Tunneling 1-4
        Configuration Prerequisites 1-4
        Enabling BPDU Tunneling 1-4
        Configuring Destination Multicast MAC Address for BPDUs 1-5
      BPDU Tunneling Configuration Examples 1-5
        BPDU Tunneling for STP Configuration Example 1-5
        BPDU Tunneling for PVST Configuration Example 1-6 ...
  • Page 196: Bpdu Tunneling Configuration

    BPDU Tunneling Configuration BPDU tunneling supports the transparent transmission of these types of Layer 2 protocol packets in V05.02.00P19: CDP, DLDP, EOAM, GVRP, HGMP, LACP, LLDP, PAGP, PVST, UDLD and VTP. When configuring BPDU tunneling, go to these sections for information you are interested in: Introduction to BPDU Tunneling Configuring BPDU Tunneling BPDU Tunneling Configuration Examples...
  • Page 197: Bpdu Tunneling Implementation

    After receiving a Layer 2 protocol packet from User A network 1, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network. The encapsulated Layer 2 protocol packet (called a bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to User A network 2.
  • Page 198 To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits: BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network.
  • Page 199: Configuring Bpdu Tunneling

    Configuring BPDU Tunneling Configuration Prerequisites Before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first. Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN. Configure ports connecting network devices in the service provider network as trunk ports allowing packets of any VLAN to pass through.
  • Page 200: Configuring Destination Multicast Mac Address For Bpdus

    To do… / Use the command… / Remarks:
    Enter system view / system-view / —
    Enter Layer 2 aggregate interface view / interface bridge-aggregation interface-number / —
    Enable BPDU tunneling for a protocol on the Layer 2 aggregate interface / bpdu-tunnel dot1q { cdp | gvrp | hgmp | pvst | stp | vtp } / Required. By default, BPDU tunneling for a protocol is disabled.
  • Page 201: Bpdu Tunneling For Pvst Configuration Example

    Figure 1-3 Network diagram for configuring BPDU tunneling for STP Configuration procedure Configuration on PE 1 # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0. <PE1> system-view [PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0 # Create VLAN 2 and assign GigabitEthernet1/0/1 to VLAN 2. [PE1] vlan 2 [PE1-vlan2] quit [PE1] interface gigabitethernet 1/0/1...
  • Page 202 All ports that connect service provider devices and customer devices and those that interconnect service provider devices are trunk ports and allow packets of any VLAN to pass through. PVST is enabled for VLANs 1 through 4094 on User A’s network. It is required that, after the configuration, CE 1 and CE 2 implement consistent PVST calculation across the service provider network, that...
  • Page 203 Table of Contents
    1 Port Mirroring Configuration 1-1
      Introduction to Port Mirroring 1-1
        Classification of Port Mirroring 1-1
        Implementing Port Mirroring 1-1
      Configuring Local Port Mirroring 1-3
      Configuring Remote Port Mirroring 1-4
        Configuration Prerequisites 1-4
        Configuring a Remote Source Mirroring Group (on the Source Device) 1-4
        Configuring a Remote Destination Mirroring Group (on the Destination Device) 1-6
      Displaying and Maintaining Port Mirroring 1-7
      Port Mirroring Configuration Examples 1-7 ...
  • Page 204: Port Mirroring Configuration

    Port Mirroring Configuration When configuring port mirroring, go to these sections for information you are interested in: Introduction to Port Mirroring; Configuring Local Port Mirroring; Configuring Remote Port Mirroring; Displaying and Maintaining Port Mirroring; Port Mirroring Configuration Examples. Introduction to Port Mirroring: Port mirroring copies the packets passing through a port (called the mirroring port) to another port (called the monitor port) that connects to a monitoring device for packet analysis.
  • Page 205 Figure 1-1 Local port mirroring implementation (figure: packets passing through the mirroring port are copied by the device to the monitor port, which connects to the data monitoring device). Remote port mirroring: Remote port mirroring can mirror all packets but protocol packets. Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group, as shown in Figure 1-2.
  • Page 206: Configuring Local Port Mirroring

    Destination device The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group.
  • Page 207: Configuring Remote Port Mirroring

    A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port. A mirroring or monitor port to be configured cannot belong to an existing port mirroring group.
  • Page 208 To do… / Use the command… / Remarks: Configure mirroring ports, in system view: mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound } (Required. In system view, you can assign a list of mirroring ports to the mirroring group, so a mirroring group can have multiple mirroring ports); in interface view: interface interface-type interface-number, then [ mirroring-group groupid ] mirroring-port...
  • Page 209: Configuring A Remote Destination Mirroring Group (On The Destination Device)

    To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. It is recommended that you use a remote probe VLAN exclusively for mirroring. A port can belong to only one mirroring group.
  • Page 210: Displaying And Maintaining Port Mirroring

    When configuring the monitor port, use the following guidelines: The port can belong to only the current mirroring group. Disable these functions on the port: STP, MSTP, and RSTP. It is recommended that you use a monitor port only for port mirroring. This ensures that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
  • Page 211: Remote Port Mirroring Configuration Example

    Figure 1-3 Network diagram for local port mirroring configuration (figure: Switch A (R&D department) and Switch B (Marketing department) connect to GE1/0/1 and GE1/0/2 of Switch C; the data monitoring device connects to GE1/0/3 of Switch C). Configuration procedure: Configure Switch C. # Create a local port mirroring group. <SwitchC> system-view [SwitchC] mirroring-group 1 local # Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports.
  • Page 212 As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source device, Switch B as the intermediate device, and Switch C as the destination device.
  • Page 213 [SwitchA-GigabitEthernet1/0/3] port link-type trunk [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 2 Configure Switch B (the intermediate device). # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2. <SwitchB> system-view [SwitchB] interface GigabitEthernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] port link-type trunk [SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 2 [SwitchB-GigabitEthernet1/0/1] quit...
  • Page 214: Traffic Mirroring Configuration

    Traffic Mirroring Configuration When configuring traffic mirroring, go to these sections for information you are interested in: Traffic Mirroring Overview; Configuring Traffic Mirroring; Displaying and Maintaining Traffic Mirroring; Traffic Mirroring Configuration Examples. Traffic Mirroring Overview: Traffic mirroring is the action of copying specified packets to a specified destination for packet analysis and monitoring.
  • Page 215: Mirroring Traffic To The Cpu

    To do… / Use the command… / Remarks: Create a behavior and enter behavior view: traffic behavior behavior-name (Required. By default, no traffic behavior exists). Specify the destination interface for traffic mirroring: mirror-to interface interface-type interface-number (Required. By default, traffic mirroring is not configured in a traffic behavior).
  • Page 216: Applying A Qos Policy

    To do… / Use the command… / Remarks: Exit policy view: quit. Apply the QoS policy: see Applying a QoS Policy (Required). Applying a QoS Policy: For details about applying a QoS policy, see QoS Configuration in the QoS Volume. Apply a QoS policy to an interface: By applying a QoS policy to an interface, you can regulate the traffic sent or received on the interface.
  • Page 217: Displaying And Maintaining Traffic Mirroring

    For details about the qos vlan-policy command, see QoS Commands in the QoS Volume. Applying the QoS policy globally You can apply a QoS policy globally to the inbound or outbound direction of all ports. Follow these steps to apply the QoS policy globally: To do…...
  • Page 218: Configuration Procedure

    Figure 2-1 Network diagram for configuring traffic mirroring to a port Configuration Procedure Configure Switch: # Enter system view. <Sysname> system-view # Configure basic IPv4 ACL 2000 to match packets with the source IP address 192.168.0.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 192.168.0.1 0 [Sysname-acl-basic-2000] quit # Create class 1 and configure the class to use ACL 2000 for traffic classification.
  • Page 219 IP Services Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The IP Services Volume is organized as follows: Features Description An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: IP Address Introduction to IP addresses IP address configuration...
  • Page 220 Features Description UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes: UDP Helper UDP Helper overview UDP Helper configuration Internet protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet protocol version 4 (IPv4).
  • Page 221 Table of Contents: 1 IP Addressing Configuration 1-1; IP Addressing Overview 1-1; IP Address Classes 1-1; Special IP Addresses 1-2; Subnetting and Masking 1-2; Configuring IP Addresses 1-3; Assigning an IP Address to an Interface 1-3; IP Addressing Configuration Example 1-4; Displaying and Maintaining IP Addressing 1-5...
  • Page 222: Ip Addressing Configuration

    IP Addressing Configuration When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying and Maintaining IP Addressing IP Addressing Overview This section covers these topics: IP Address Classes Special IP Addresses IP Address Classes...
  • Page 223: Special Ip Addresses

    Table 1-1 IP address classes and ranges (columns: Class | Address range | Remarks). Class A: 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication; this address is never a valid destination address. Addresses starting with 127 are reserved for loopback tests; packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 224: Configuring Ip Addresses

    In the absence of subnetting, some special addresses, such as addresses with a net ID of all zeros and addresses with a host ID of all ones, are not assignable to hosts. The same is true with subnetting. When designing your network, note that subnetting is a tradeoff between the number of subnets and the number of hosts each subnet can accommodate.
  • Page 225: Ip Addressing Configuration Example

    The primary IP address you assign to an interface overwrites the existing primary address, if any. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
  • Page 226: Displaying And Maintaining Ip Addressing

    <Switch> ping 172.16.1.2 PING 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted...
  • Page 227 Table of Contents: 1 ARP Configuration 1-1; ARP Overview 1-1; ARP Function 1-1; ARP Message Format 1-2; ARP Address Resolution Process 1-2; ARP Table 1-3; Configuring ARP 1-4; Configuring a Static ARP Entry 1-4; Configuring the Maximum Number of ARP Entries for an Interface 1-4; Setting the Aging Time for Dynamic ARP Entries 1-5; Enabling the ARP Entry Check 1-5; Configuring ARP Quick Notify 1-5...
  • Page 228: Arp Configuration

    This document is organized as follows: ARP Configuration; Proxy ARP Configuration. ARP Configuration: When configuring ARP, go to these sections for information you are interested in: ARP Overview; Configuring ARP; Configuring Gratuitous ARP; Displaying and Maintaining ARP. Support for configuring ARP Quick Notify is newly added in V05.02.00P19 of 3Com 4500G series Ethernet switches. For details, refer to Configuring ARP Quick Notify.
  • Page 229: Arp Message Format

    ARP Message Format Figure 1-1 ARP message format The following explains the fields in Figure 1-1. Hardware type: This field specifies the hardware address type. The value “1” represents Ethernet. Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800”...
  • Page 230: Arp Table

    After receiving the ARP reply, Host A adds the MAC address of Host B to its ARP table. Meanwhile, Host A encapsulates the IP packet and sends it out. Figure 1-2 ARP address resolution process. If Host A is not on the same subnet as Host B, Host A first sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway.
  • Page 231: Configuring Arp

    in the non-permanent static ARP entry, the device adds the interface receiving the ARP reply to the non-permanent static ARP entry. Then the entry can be used for forwarding IP packets. Usually ARP dynamically resolves IP addresses to MAC addresses, without manual intervention. To allow communication with a device using a fixed IP-to-MAC mapping, configure a short static ARP entry for it.
  • Page 232: Setting The Aging Time For Dynamic Arp Entries

    To do… / Use the command… / Remarks: Set the maximum number of dynamic ARP entries that an interface can learn: arp max-learning-num number (Optional. 2048 by default). Setting the Aging Time for Dynamic ARP Entries: To keep pace with network changes, the ARP table is refreshed. Each dynamic ARP entry in the ARP table has a limited lifetime rather than remaining valid indefinitely.
  • Page 233: Arp Configuration Example

    Figure 1-3 ARP quick notify application scenario With ARP quick notify enabled, the device updates the corresponding ARP entry immediately after the change of the mapping between a MAC address and an outbound interface to ensure nonstop data forwarding. Follow these steps to enable ARP quick notify: To do…...
  • Page 234: Configuring Gratuitous Arp

    [Sysname-GigabitEthernet1/0/1] port access vlan 10 [Sysname-GigabitEthernet1/0/1] quit [Sysname] interface vlan-interface 10 [Sysname-vlan-interface10] arp max-learning-num 1000 [Sysname-vlan-interface10] quit [Sysname] arp static 192.168.1.1 000f-e201-0000 10 gigabitethernet 1/0/1 Configuring Gratuitous ARP Introduction to Gratuitous ARP A gratuitous ARP packet is a special ARP packet, in which the sender IP address and the target IP address are both the IP address of the sender, the sender MAC address is the MAC address of the sender, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
  • Page 235 To do… / Use the command… / Remarks: Clear ARP entries from the ARP table: reset arp { all | dynamic | static | interface interface-type interface-number } (Available in user view). For distributed devices: Clearing ARP entries from the ARP table may cause communication failures.
  • Page 236: Proxy Arp Configuration

    Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: Proxy ARP Overview; Enabling Proxy ARP; Displaying and Maintaining Proxy ARP. Proxy ARP Overview: A host may send an ARP request for the MAC address of another host that actually resides on another network (although the sending host believes the requested host is on the same network), or of a host that is isolated from the sending host at Layer 2. In either case, the device in between must be able to respond to the request with the MAC address of its receiving interface, so that the two hosts can communicate at Layer 3.
  • Page 237: Local Proxy Arp

    You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch acts as a proxy for Host B. A main advantage of proxy ARP is that it is added on a single router without disturbing the routing tables of other routers in the network.
  • Page 238: Displaying And Maintaining Proxy Arp

    To do… / Use the command… / Remarks: Enable local proxy ARP: local-proxy-arp enable (Required. Disabled by default). Displaying and Maintaining Proxy ARP: Display whether proxy ARP is enabled: display proxy-arp [ interface vlan-interface vlan-id ] (Available in any view). Display whether local proxy...
  • Page 239: Local Proxy Arp Configuration Example In Case Of Port Isolation

    [Switch-Vlan-interface1] quit [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 [Switch-Vlan-interface2] proxy-arp enable [Switch-Vlan-interface2] quit Local Proxy ARP Configuration Example in Case of Port Isolation Network requirements Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, respectively.
  • Page 240: Local Proxy Arp Configuration Example In Isolate-User-Vlan

    # Configure an IP address of VLAN-interface 2. <SwitchA> system-view [SwitchA] vlan 2 [SwitchA-vlan2] port gigabitethernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
  • Page 241 [SwitchB-vlan2] port gigabitethernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] vlan 3 [SwitchB-vlan3] port gigabitethernet 1/0/3 [SwitchB-vlan3] quit [SwitchB] vlan 5 [SwitchB-vlan5] port gigabitethernet 1/0/1 [SwitchB-vlan5] isolate-user-vlan enable [SwitchB-vlan5] quit [SwitchB] isolate-user-vlan 5 secondary 2 3 Configure Switch A # Create VLAN 5 and add GigabitEthernet 1/0/1 to it. <SwitchA>...
  • Page 242 Table of Contents: 1 DHCP Overview 1-1; Introduction to DHCP 1-1; DHCP Address Allocation 1-2; Allocation Mechanisms 1-2; Dynamic IP Address Allocation Process 1-2; IP Address Lease Extension 1-3; DHCP Message Format 1-3; DHCP Options 1-4; DHCP Options Overview 1-4; Introduction to DHCP Options 1-4; Self-Defined Options 1-5; Protocols and Standards 1-8; 2 DHCP Relay Agent Configuration 2-1...
  • Page 243 Prerequisites 4-5; Configuring DHCP Snooping to Support Option 82 4-5; Displaying and Maintaining DHCP Snooping 4-7; DHCP Snooping Configuration Examples 4-7; DHCP Snooping Configuration Example 4-7; DHCP Snooping Option 82 Support Configuration Example 4-8; 5 BOOTP Client Configuration 5-1; Introduction to BOOTP Client 5-1; BOOTP Application 5-1; Obtaining an IP Address Dynamically 5-2; Protocols and Standards 5-2...
  • Page 244: Dhcp Overview

    This document is organized as follows: DHCP Overview DHCP Relay Agent Configuration DHCP Client Configuration DHCP Snooping Configuration BOOTP Client Configuration DHCP Overview Support for enabling the DHCP relay agent to periodically refresh dynamic client entries is newly added in V05.02.00P19 of 3Com 4500G series Ethernet switches. For details, refer to Configuring dynamic binding update interval.
  • Page 245: Dhcp Address Allocation

    A DHCP client can get an IP address and other configuration parameters from a DHCP server on another subnet via a DHCP relay agent. For information about the DHCP relay agent, refer to Introduction to DHCP Relay Agent. DHCP Address Allocation Allocation Mechanisms DHCP supports three mechanisms for IP address allocation.
  • Page 246: Ip Address Lease Extension

    After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
  • Page 247: Dhcp Options

    secs: Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. Currently this field is reserved and set to 0. flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast;...
  • Page 248: Self-Defined Options

    Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table.
  • Page 249 Figure 1-6 Format of the value field of the ACS parameter sub-option The value field of the service provider identifier sub-option contains the service provider identifier. Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE server type can only be 0.
  • Page 250 Figure 1-8 Sub-option 1 in normal padding format Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0. Figure 1-9 Sub-option 2 in normal padding format Verbose padding format The padding contents for sub-options in the verbose padding format are as follows:...
  • Page 251: Protocols And Standards

    Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable.
  • Page 252: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent DHCP Relay Agent Configuration Task List Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Examples Troubleshooting DHCP Relay Agent Configuration The DHCP relay agent configuration is supported only on VLAN interfaces.
  • Page 253: Dhcp Relay Agent Support For Option 82

    Figure 2-1 DHCP relay agent application (figure: DHCP clients on one side of an IP network reach the DHCP server on the other side through a DHCP relay agent). No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process).
  • Page 254: Dhcp Relay Agent Configuration Task List

    If a client's requesting message has Option 82, the DHCP relay agent acts according to the handling strategy and padding format (columns: Handling strategy | Padding format | The DHCP relay agent will…): Drop | Random | Drop the message. Keep | Random | Forward the message without changing Option 82. Replace | normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 255: Enabling The Dhcp Relay Agent On An Interface

    Follow these steps to enable DHCP (To do… / Use the command… / Remarks): Enter system view: system-view. Enable DHCP: dhcp enable (Required. Disabled by default). Enabling the DHCP Relay Agent on an Interface: With this task completed, upon receiving a DHCP request from the enabled interface, the relay agent will forward the request to a DHCP server for address allocation.
  • Page 256: Configuring The Dhcp Relay Agent Security Functions

    To do… / Use the command… / Remarks: Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (Required. By default, no interface is correlated with any DHCP server group). You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addresses for each DHCP server group.
  • Page 257 Before enabling IP address check on an interface, you need to enable the DHCP service, and enable the DHCP relay agent on the interface; otherwise, the IP address check configuration is ineffective. The dhcp relay address-check enable command only checks IP and MAC addresses of clients. When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent;...
  • Page 258: Configuring The Dhcp Relay Agent To Send A Dhcp-Release Request

    Follow these steps to enable unauthorized DHCP server detection (To do… / Use the command… / Remarks): Enter system view: system-view. Enable unauthorized DHCP server detection: dhcp relay server-detect (Required. Disabled by default). With unauthorized DHCP server detection enabled, the device records each detected DHCP server once.
  • Page 259 Configuring the DHCP relay agent to support Option 82. Follow these steps to configure the DHCP relay agent to support Option 82 (To do… / Use the command… / Remarks): Enter system view: system-view. Enter interface view: interface interface-type interface-number. Enable the relay agent to ... (Required): dhcp relay information...
  • Page 260: Displaying And Maintaining Dhcp Relay Agent Configuration

    Displaying and Maintaining DHCP Relay Agent Configuration (To do… / Use the command… / Remarks): Display information about DHCP server groups correlated to a specified interface or all interfaces: display dhcp relay { all | interface interface-type interface-number }. Display Option 82 configuration information on the DHCP relay agent: display dhcp relay information { all | interface interface-type...
  • Page 261: Dhcp Relay Agent Option 82 Support Configuration Example

    Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp select relay # Correlate VLAN-interface 1 to DHCP server group 1.
  • Page 262: Troubleshooting Dhcp Relay Agent Configuration

    # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations. [SwitchA-Vlan-interface1] dhcp relay information enable [SwitchA-Vlan-interface1] dhcp relay information strategy replace [SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001 [SwitchA-Vlan-interface1] dhcp relay information remote-id string device001 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally.
  • Page 263: Dhcp Client Configuration

    DHCP Client Configuration When configuring the DHCP client, go to these sections for information you are interested in: Introduction to DHCP Client Enabling the DHCP Client on an Interface Displaying and Maintaining the DHCP Client DHCP Client Configuration Example The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 264: Displaying And Maintaining The Dhcp Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
  • Page 265 <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address dhcp-alloc...
  • Page 266: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview; Configuring DHCP Snooping Basic Functions; Configuring DHCP Snooping to Support Option 82; Displaying and Maintaining DHCP Snooping; DHCP Snooping Configuration Examples. A DHCP snooping enabled device does not work if it sits between the DHCP relay agent and the DHCP server; it works when it sits between the DHCP client and the relay agent, or between the DHCP client and the server.
  • Page 267: Application Environment Of Trusted Ports

    Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries.
  • Page 268: DHCP Snooping Support for Option 82

    Figure 4-2 Configure trusted ports in a cascaded network. Table 4-1 describes the roles of the ports shown in Figure 4-2.
    Table 4-1 Roles of ports
    Device | Untrusted port | Trusted port disabled from recording binding entries | Trusted port enabled to record binding entries
    Switch A | GE1/0/1 | GE1/0/3 | ...
  • Page 269: Configuring DHCP Snooping Basic Functions

    If a client’s requesting message has… | Handling strategy | Padding format | The DHCP snooping device will…
    Option 82 | Drop | Random | Drop the message.
    Option 82 | Keep | Random | Forward the message without changing Option 82.
    Option 82 | Replace | normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 270: Configuring DHCP Snooping to Support Option 82

    You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 271 To do… | Use the command… | Remarks
    Configure the padding format for Option 82 | dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } | Optional. normal by default.
    (next row) | ... | Optional. By default, the code type depends on the padding format of Option 82.
  • Page 272: Displaying and Maintaining DHCP Snooping

    Displaying and Maintaining DHCP Snooping
    To do… | Use the command… | Remarks
    Display DHCP snooping entries | display dhcp-snooping [ ip ip-address ] | Available in any view
    Display Option 82 configuration information on the DHCP snooping device | display dhcp-snooping information { all | interface interface-type interface-number } | Available in any view
    Display DHCP packet statistics on the...
  • Page 273: DHCP Snooping Option 82 Support Configuration Example

    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit DHCP Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace. On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
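    The following is an added example, not code from the manual or from 3Com: a small Python model of the behaviour described on pages 267 through 273, i.e. the trusted-port rule (server replies are accepted and binding entries recorded only on trusted ports) together with the three Option 82 handling strategies for client requests (drop, keep, replace) and user-defined circuit ID / remote ID padding. Class and method names, the simplified Option 82 representation (a dict of two sub-option strings rather than the real TLV encoding), the default padding content and the device MAC are all assumptions made for the example; the port names, strategy and padding values company001 / device001 come from the page.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# DHCP message types (RFC 2132 option 53 values) used by this model.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False
    # Hypothetical user-defined padding content for the two Option 82 sub-options.
    circuit_id: Optional[str] = None
    remote_id: Optional[str] = None


@dataclass
class DhcpMessage:
    msg_type: int
    client_mac: str
    yiaddr: Optional[str] = None          # address the server assigns (OFFER/ACK)
    option82: Optional[dict] = None       # {"circuit_id": str, "remote_id": str}


@dataclass
class SnoopingSwitch:
    sysname: str
    device_mac: str
    strategy: str = "replace"             # drop | keep | replace
    padding_format: str = "normal"        # normal | verbose
    ports: dict = field(default_factory=dict)
    bindings: list = field(default_factory=list)       # recorded snooping entries
    _client_port: dict = field(default_factory=dict)   # client MAC -> port name

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def local_option82(self, port: Port) -> dict:
        """Option 82 this device pads on a client-facing port (assumed, simplified
        encoding): user-defined content wins; otherwise 'normal' uses VLAN/port and
        the device MAC, and 'verbose' additionally carries the sysname."""
        circuit = port.circuit_id or f"vlan{port.vlan}:{port.name}"
        if port.remote_id:
            remote = port.remote_id
        elif self.padding_format == "verbose":
            remote = f"{self.sysname}/{self.device_mac}"
        else:
            remote = self.device_mac
        return {"circuit_id": circuit, "remote_id": remote}

    def handle(self, port_name: str, msg: DhcpMessage) -> Tuple[str, Optional[DhcpMessage]]:
        """Return (action, message_to_forward); action is 'drop' or 'forward'."""
        port = self.ports[port_name]
        if msg.msg_type in SERVER_MESSAGES:
            # Server replies are only accepted from trusted ports; a reply arriving
            # on an untrusted port is treated as coming from an unauthorized server.
            if not port.trusted:
                return "drop", None
            if msg.msg_type == ACK and msg.yiaddr:
                client_port = self._client_port.get(msg.client_mac)
                if client_port is not None:
                    # Snooping entry: client MAC, assigned IP, client port, VLAN.
                    self.bindings.append({"mac": msg.client_mac, "ip": msg.yiaddr,
                                          "port": client_port,
                                          "vlan": self.ports[client_port].vlan})
            return "forward", msg

        # Client message: remember which port the client sits behind.
        self._client_port[msg.client_mac] = port_name
        if msg.option82 is None or self.strategy == "replace":
            padded = DhcpMessage(msg.msg_type, msg.client_mac, msg.yiaddr,
                                 self.local_option82(port))
            return "forward", padded
        if self.strategy == "drop":
            return "drop", None
        if self.strategy == "keep":
            return "forward", msg
        raise ValueError(f"unknown handling strategy {self.strategy!r}")


def demo() -> SnoopingSwitch:
    """Constructed scenario mirroring the Switch B example on the page."""
    sw = SnoopingSwitch(sysname="SwitchB", device_mac="000f-e200-0001")  # MAC is constructed
    sw.add_port(Port("GigabitEthernet1/0/1", vlan=1, trusted=True))      # towards the DHCP server
    sw.add_port(Port("GigabitEthernet1/0/2", vlan=1,
                     circuit_id="company001", remote_id="device001"))    # client port
    return sw


if __name__ == "__main__":
    sw = demo()
    mac = "0001-0001-0001"   # constructed client MAC
    print(sw.handle("GigabitEthernet1/0/2", DhcpMessage(REQUEST, mac)))
    print(sw.handle("GigabitEthernet1/0/1", DhcpMessage(ACK, mac, "10.1.1.2")))
    print(sw.bindings)
```

    A request without Option 82 from the client port is forwarded with the user-defined circuit ID and remote ID inserted; with the replace strategy a request that already carries Option 82 gets it overwritten; an OFFER or ACK arriving on the untrusted client port is dropped, which is the rogue-server protection that trusted ports provide; and an ACK seen on the trusted port produces the IP-to-MAC binding that ARP detection later consults.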
  • Page 274: BOOTP Client Configuration

    BOOTP Client Configuration While configuring a BOOTP client, go to these sections for information you are interested in: Introduction to BOOTP Client Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP Displaying and Maintaining BOOTP Client Configuration BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 275: Obtaining an IP Address Dynamically

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
  • Page 276: Displaying and Maintaining BOOTP Client Configuration

    Displaying and Maintaining BOOTP Client Configuration
    To do… | Use the command… | Remarks
    Display related information on a BOOTP client | display bootp client [ interface interface-type interface-number ] | Available in any view
    BOOTP Client Configuration Example Network requirement As shown in Figure 5-1, Switch B’s port belonging to VLAN 1 is connected to the LAN.
  • Page 277 Table of Contents
    1 DNS Configuration 1-1
    DNS Overview 1-1
    Static Domain Name Resolution 1-1
    Dynamic Domain Name Resolution 1-1
    DNS Proxy 1-3
    Configuring the DNS Client 1-4
    Configuring Static Domain Name Resolution 1-4
    Configuring Dynamic Domain Name Resolution 1-4
    Configuring the DNS Proxy 1-5
    Displaying and Maintaining DNS 1-5
    DNS Configuration Examples 1-5
    Static Domain Name Resolution Configuration Example 1-5
    Dynamic Domain Name Resolution Configuration Example 1-6...
  • Page 278: DNS Configuration

    DNS Configuration When configuring DNS, go to these sections for information you are interested in: DNS Overview Configuring the DNS Client Configuring the DNS Proxy Displaying and Maintaining DNS DNS Configuration Examples Troubleshooting DNS Configuration This document only covers IPv4 DNS configuration. For information about IPv6 DNS configuration, refer to IPv6 Basics Configuration in the IP Services Volume.
  • Page 279 The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. The DNS client returns the resolution result to the application after receiving a response from the DNS server.
  • Page 280: DNS Proxy

    If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a DNS request to the DNS proxy, which forwards the...
  • Page 281: Configuring the DNS Client

    Configuring the DNS Client
    Configuring Static Domain Name Resolution Follow these steps to configure static domain name resolution:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure a mapping between a host name and IP address in the static ... | ip host hostname ip-address | Required. Not configured by default.
  • Page 282: Configuring the DNS Proxy

    Configuring the DNS Proxy Follow these steps to configure the DNS proxy:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable DNS proxy | dns proxy enable | Required. Disabled by default.
    Displaying and Maintaining DNS
    To do… | Use the command… | Remarks
    Display the static domain name ... | display ip host...
  • Page 283: Dynamic Domain Name Resolution Configuration Example

    data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received...
  • Page 284 Figure 1-5, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 1-5 Create a zone # Create a mapping between the host name and IP address. Figure 1-6 Add a host Figure 1-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure...
  • Page 285 Figure 1-7 Add a mapping between domain name and IP address Configure the DNS client # Enable dynamic domain name resolution. <Sysname> system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com Configuration verification # Execute the ping host command on the Switch to verify that the communication between the Switch...
  • Page 286: DNS Proxy Configuration Example

    DNS Proxy Configuration Example Network requirements Specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 1-8 Network diagram for DNS proxy Configuration procedure Before performing the following configuration, assume that Switch A, the DNS server, and the host are...
  • Page 287: Troubleshooting DNS Configuration

    # Specify the DNS server 2.1.1.2. [SwitchB] dns server 2.1.1.2 Configuration verification # Execute the ping host.com command on Switch B to verify that the communication between the Switch and the host is normal and that the corresponding destination IP address is 3.1.1.1. [SwitchB] ping host.com Trying DNS resolve, press CTRL_C to break Trying DNS server (2.1.1.2)
  • Page 288 Table of Contents
    1 IP Performance Optimization Configuration 1-1
    IP Performance Overview 1-1
    Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 1-1
    Enabling Reception of Directed Broadcasts to a Directly Connected Network 1-1
    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1-2
    Configuration Example 1-2
    Configuring TCP Optional Parameters 1-3
    Configuring ICMP to Send Error Packets 1-4...
  • Page 289: IP Performance Optimization Configuration

    IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: IP Performance Overview Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Configuring TCP Optional Parameters Configuring ICMP to Send Error Packets Displaying and Maintaining IP Performance Optimization IP Performance Overview In some network environments, you can adjust the IP parameters to achieve best network performance.
  • Page 290: Enabling Forwarding of Directed Broadcasts to a Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Enable the interface to forward ... | ip forward-broadcast [ acl ... | Required. By default, the device is...
  • Page 291: Configuring TCP Optional Parameters

    [SwitchA-Vlan-interface3] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [SwitchA-Vlan-interface2] ip forward-broadcast Configure Switch B # Enable Switch B to receive directed broadcasts. <SwitchB> system-view [SwitchB] ip forward-broadcast # Configure a static route to the host. [SwitchB] ip route-static 1.1.1.1 24 2.2.2.2 # Configure an IP address for VLAN-interface 2.
  • Page 292: Configuring ICMP to Send Error Packets

    Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management.
  • Page 293 If the source uses “strict source routing” to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a “source routing failure” ICMP error packet. When forwarding a packet, if the MTU of the sending interface is smaller than the packet but the packet has been set “Don’t Fragment”, the device will send the source a “fragmentation needed and Don’t Fragment (DF)-set”...
  • Page 294: Displaying and Maintaining IP Performance Optimization

    Displaying and Maintaining IP Performance Optimization
    To do… | Use the command… | Remarks
    Display current TCP connection state | display tcp status | Available in any view
    Display TCP connection statistics | display tcp statistics | Available in any view
    Display UDP statistics | display udp statistics | Available in any view
    Display statistics of IP packets | display ip statistics | Available in any view
    Display statistics of ICMP flows | display icmp statistics | Available in any view...
  • Page 295 Table of Contents
    1 UDP Helper Configuration 1-1
    Introduction to UDP Helper 1-1
    Configuring UDP Helper 1-1
    Displaying and Maintaining UDP Helper 1-2
    UDP Helper Configuration Examples 1-2
    UDP Helper Configuration Example 1-2...
  • Page 296: UDP Helper Configuration

    UDP Helper Configuration When configuring UDP Helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Examples UDP Helper can be currently configured on VLAN interfaces only. Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 297: Displaying and Maintaining UDP Helper

    To do… | Use the command… | Remarks
    Enter interface view | interface interface-type interface-number | —
    Specify the destination server to which UDP packets are to be forwarded | udp-helper server ip-address | Required. No destination server is specified by default.
    The UDP Helper enabled device cannot forward DHCP broadcast packets. That is to say, the UDP port number cannot be set to 67 or 68.
  • Page 298 Figure 1-1 Network diagram for UDP Helper configuration Configuration procedure The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available. # Enable UDP Helper. <SwitchA> system-view [SwitchA] udp-helper enable # Enable the forwarding of broadcast packets with the UDP destination port 55. [SwitchA] udp-helper port 55 # Specify the destination server 10.2.1.1 on VLAN-interface 1.
  • Page 299 Table of Contents
    1 IPv6 Basics Configuration 1-1
    IPv6 Overview 1-1
    IPv6 Features 1-1
    Introduction to IPv6 Address 1-3
    Introduction to IPv6 Neighbor Discovery Protocol 1-5
    IPv6 PMTU Discovery 1-8
    Introduction to IPv6 DNS 1-9
    Protocols and Standards 1-9
    IPv6 Basics Configuration Task List 1-9
    Configuring Basic IPv6 Functions 1-10
    Enabling IPv6 1-10
    Configuring an IPv6 Unicast Address 1-10...
  • Page 300: IPv6 Basics Configuration

    IPv6 Basics Configuration When configuring IPv6 basics, go to these sections for information you are interested in: IPv6 Overview IPv6 Basics Configuration Task List Configuring Basic IPv6 Functions Configuring IPv6 NDP Configuring PMTU Discovery Configuring IPv6 TCP Properties Configuring ICMPv6 Packet Sending Configuring IPv6 DNS Client Displaying and Maintaining IPv6 Basics Configuration IPv6 Configuration Example...
  • Page 301 the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and destination IPv6 addresses are both 128 bits (16 bytes) long.
  • Page 302: Introduction to IPv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages and provides a series of other functions.
  • Page 303 Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of distance).
  • Page 304: Introduction to IPv6 Neighbor Discovery Protocol

    Multicast address IPv6 multicast addresses listed in Table 1-2 are reserved for special purposes.
    Table 1-2 Reserved IPv6 multicast addresses
    Address | Application
    FF01::1 | Node-local scope all nodes multicast address
    FF02::1 | Link-local scope all nodes multicast address
    FF01::2 | Node-local scope all routers multicast address
    FF02::2 | Link-local scope all routers multicast address
    FF05::2 | ...
  • Page 305 Duplicate address detection Router/prefix discovery and address autoconfiguration Redirection Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
    Table 1-3 Types and functions of ICMPv6 messages
    ICMPv6 message | Number | Function
    Neighbor solicitation (NS) message | ... | Used to acquire the link-layer address of a neighbor; used to verify whether the neighbor is reachable...
  • Page 306 After receiving the NS message, node B judges whether the destination address of the packet is its solicited-node multicast address. If yes, node B learns the link-layer address of node A, and then unicasts an NA message containing its link-layer address. Node A acquires the link-layer address of node B from the NA message.
  • Page 307: IPv6 PMTU Discovery

    The router returns an RA message containing information such as prefix information option. (The router also regularly sends an RA message.) The node automatically generates an IPv6 address and other information for its interface according to the address prefix and other configuration parameters in the RA message. In addition to an address prefix, the prefix information option also contains the preferred lifetime and valid lifetime of the address prefix.
  • Page 308: Introduction to IPv6 DNS

    The source host uses its MTU to send packets to the destination host. If the MTU supported by a forwarding interface is smaller than the packet size, the forwarding device will discard the packet and return an ICMPv6 error packet containing the interface MTU to the source host.
  • Page 309: Configuring Basic IPv6 Functions

    Task | Remarks
    Configuring ICMPv6 Packet Sending | Optional
    Configuring IPv6 DNS Client | Optional
    Configuring Basic IPv6 Functions Enabling IPv6 Before performing IPv6-related configurations, you need to enable IPv6. Otherwise, an interface cannot forward IPv6 packets even if it has an IPv6 address configured. Follow these steps to enable IPv6: To do...
  • Page 310: Configuring IPv6 NDP

    To do... | Use the command... | Remarks
    Configure an IPv6 link-local address for the interface: Automatically generate a link-local address | ipv6 address auto link-local | Optional. By default, after an IPv6 site-local address or aggregatable global unicast address is configured for an interface, a link-local address ...
    Configure an IPv6 link-local address for the interface: Manually assign a link-local address | ipv6 address...
  • Page 311: Configuring the Maximum Number of Neighbors Dynamically Learned

    Follow these steps to configure a static neighbor entry:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Configure a static neighbor entry | ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } | Required
    You can adopt either of the two methods above to configure a static neighbor entry. After a static neighbor entry is configured by using the first method, the device needs to resolve the corresponding Layer 2 port information of the VLAN interface.
  • Page 312 Table 1-4 Parameters in an RA message and their descriptions
    Parameters | Description
    Cur Hop Limit | When sending an IPv6 packet, a host uses the value to fill the Cur Hop Limit field in IPv6 headers. The value is also filled into the Cur Hop Limit field in response messages of a device.
  • Page 313 To do… | Use the command… | Remarks
    Disable the RA message suppression | undo ipv6 nd ra halt | Required. By default, RA messages are suppressed.
    Configure the maximum and minimum intervals for ... | ipv6 nd ra interval ... | Optional. By default, the maximum interval for sending RA messages is 600 seconds, and the minimum interval is 200 seconds.
  • Page 314: Configuring the Maximum Number of Attempts to Send an NS Message for DAD

    Configuring the Maximum Number of Attempts to Send an NS Message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns retrans-timer command), it continues to send an NS message.
  • Page 315: Configuring IPv6 TCP Properties

    Follow these steps to configure the aging time for dynamic PMTUs:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the aging time for dynamic PMTUs | ipv6 pathmtu age age-time | Optional. 10 minutes by default.
    Configuring IPv6 TCP Properties The IPv6 TCP properties you can configure include: synwait timer: When a SYN packet is sent, the synwait timer is triggered.
  • Page 316: Enable Sending of Multicast Echo Replies

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the capacity and update interval of the token bucket | ipv6 icmp-error { bucket bucket-size | ratelimit interval } * | Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. That is, at most 10 IPv6 ICMP error packets can be...
  • Page 317: Configuring IPv6 DNS Client

    Configuring IPv6 DNS Client Configuring Static IPv6 Domain Name Resolution Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve the host name into an IPv6 address.
  • Page 318: Displaying and Maintaining IPv6 Basics Configuration

    Displaying and Maintaining IPv6 Basics Configuration
    To do… | Use the command… | Remarks
    Display DNS suffix information | display dns domain [ dynamic ]
    Display IPv6 dynamic domain name cache information | display dns ipv6 dynamic-host
    Display IPv6 DNS server information | display dns ipv6 server [ dynamic ]
    Display the IPv6 FIB entries | display ipv6 fib [ ipv6-address ]
    Display the host name to IPv6...
  • Page 319: IPv6 Configuration Example

    The display dns domain command is the same as the one of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume. IPv6 Configuration Example Network requirements Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports into corresponding VLANs, configure IPv6 addresses for the VLAN interfaces and verify the connectivity between them.
  • Page 320 Configure Switch B # Enable IPv6. <SwitchB> system-view [SwitchB] ipv6 # Configure an aggregatable global unicast address for VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ipv6 address 3001::2/64 # Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1. [SwitchB-Vlan-interface2] ipv6 route-static 2001:: 64 3001::1 Configure Host Enable IPv6 for Host to automatically get an IPv6 address through IPv6 NDP.
  • Page 321 ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 verbose Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64 Joined group address(es):...
  • Page 322 ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. [SwitchB-Vlan-interface2] display ipv6 interface vlan-interface 2 verbose Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234 Global unicast address(es): 3001::2, subnet is 3001::/64...
  • Page 323 OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on Host, and ping Switch A and Host on Switch B to verify the connectivity between them. When you ping a link-local address, you should use the “–i” parameter to specify an interface for the link-local address.
  • Page 324: Troubleshooting IPv6 Basics Configuration

    Troubleshooting IPv6 Basics Configuration Symptom The peer IPv6 address cannot be pinged. Solution Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
  • Page 325 Table of Contents
    1 Dual Stack Configuration 1-1
    Dual Stack Overview 1-1
    Configuring Dual Stack 1-1...
  • Page 326: Dual Stack Overview

    Dual Stack Configuration When configuring dual stack, go to these sections for information you are interested in: Dual Stack Overview Configuring Dual Stack Dual Stack Overview Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack.
  • Page 327 To do… | Use the command… | Remarks
    Configure an IPv4 address for the interface | ip address ip-address { mask | mask-length } [ sub ] | Required. By default, no IP address is configured.
    Manually specify ... | ipv6 address { ipv6-address prefix-length ... | Use either command.
  • Page 328 Table of Contents
    1 sFlow Configuration 1-1
    sFlow Overview 1-1
    Introduction to sFlow 1-1
    Operation of sFlow 1-1
    Configuring sFlow 1-2
    Displaying and Maintaining sFlow 1-2
    sFlow Configuration Example 1-3
    Troubleshooting sFlow Configuration 1-4
    The Remote sFlow Collector Cannot Receive sFlow Packets 1-4...
  • Page 329: sFlow Configuration

    Supporting traffic monitoring on Gigabit and higher-speed networks. Providing scalability that allows one sFlow collector to monitor multiple sFlow agents. Implementing a low-cost sFlow agent. Currently, only the sFlow agent function is supported on the 3Com Switch 4500G family. Operation of sFlow sFlow operates as follows: With sFlow enabled, a physical port encapsulates sampled data into packets and sends them to the sFlow agent.
  • Page 330: Configuring sFlow

    ... 200000 by default. The sFlow agent and sFlow collector must not have the same IP address. Currently, you can specify at most two sFlow collectors on the 3Com Switch 4500G family. Displaying and Maintaining sFlow To do… Use the command…...
  • Page 331: sFlow Configuration Example

    sFlow Configuration Example Network requirements Host A and Server are connected to Switch through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Host B works as an sFlow collector with IP address 3.3.3.2 and port number 6343, and is connected to Switch through GigabitEthernet 1/0/3. GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1.
  • Page 332: Troubleshooting Sflow Configuration

    Collector IP:3.3.3.2 Port:6343 Interval(s): 30
    sFlow Port Information:
    Interface  Direction  Rate    Mode    Status
    Eth1/1     In/Out     100000  Random  Active
    Troubleshooting sFlow Configuration The Remote sFlow Collector Cannot Receive sFlow Packets Symptom The remote sFlow collector cannot receive sFlow packets. Analysis sFlow is not enabled globally because the sFlow agent and/or the sFlow collector is not specified.
  • Page 333 IP Routing Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The IP Routing Volume is organized as follows: Features Description This document describes: IP Routing Overview Introduction to IP routing and routing table Routing protocol overview A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 334 Table of Contents: 1 IP Routing Overview (1-1); Routing (1-1); Routing Table and FIB Table (1-1); Routing Protocol Overview (1-3); Static Routing and Dynamic Routing (1-3); Routing Protocols and Routing Priority (1-3); Displaying and Maintaining a Routing Table (1-4)...
  • Page 335: Ip Routing Overview

    IP Routing Overview Go to these sections for information you are interested in: Routing; Routing Protocol Overview; Displaying and Maintaining a Routing Table. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Routing Routing in the Internet is achieved through routers.
  • Page 336 A local routing table stores the routes found by all protocols and determines the optimal routes that the router will deliver to the FIB table to guide packet forwarding. The selection of an optimal route is based on the preferences of routing protocols and metrics of routes.
  • Page 337: Routing Protocol Overview

    Figure 1-1 A sample routing table (network diagram: Router A through Router G interconnected over the networks 11.0.0.0 to 17.0.0.0; interface address labels not reproduced here)...
  • Page 338: Displaying And Maintaining A Routing Table

    Routing approach Priority DIRECT STATIC UNKNOWN The smaller the priority value, the higher the priority. The priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured. Each static route can be configured with a different priority. IPv4 and IPv6 routes have their own respective routing tables.
  • Page 339 To do… Use the command… Remarks Display routing information display ipv6 routing-table acl acl6-number Available in any permitted by an IPv6 ACL [ verbose ] view Display routing information display ipv6 routing-table ipv6-prefix Available in any permitted by an IPv6 prefix list ipv6-prefix-name [ verbose ] view Display IPv6 routing...
  • Page 340 Table of Contents: 1 Static Routing Configuration (1-1); Introduction (1-1); Static Route (1-1); Default Route (1-1); Application Environment of Static Routing (1-2); Configuring a Static Route (1-2); Configuration Prerequisites (1-2); Configuration Procedure (1-3); Detecting Reachability of the Static Route’s Nexthop (1-3); Detecting Nexthop Reachability Through Track (1-3); Displaying and Maintaining Static Routes (1-4); Static Route Configuration Example (1-5); Basic Static Route Configuration Example (1-5)...
  • Page 341: Static Routing Configuration

    Static Routing Configuration When configuring a static route, go to these sections for information you are interested in: Introduction; Configuring a Static Route; Detecting Reachability of the Static Route’s Nexthop; Displaying and Maintaining Static Routes; Static Route Configuration Example. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Introduction Static Route A static route is manually configured.
  • Page 342: Application Environment Of Static Routing

    The network administrator can configure a default route with both destination and mask being 0.0.0.0. The router forwards any packet whose destination address fails to match any entry in the routing table to the next hop of the default static route. Some dynamic routing protocols, such as RIP.
  • Page 343: Configuration Procedure

    Configuration Procedure Follow these steps to configure a static route: To do… Use the command… Remarks Enter system view system-view — Required By default, ip route-static dest-address { mask | mask-length } preference for { next-hop-address | interface-type interface-number Configure a static static routes is 60, [ next-hop-address ] } [ preference route...
  • Page 344: Displaying And Maintaining Static Routes

    Network requirements To detect the reachability of a static route's nexthop through a Track entry, you need to create a Track first. For detailed Track configuration procedure, refer to Track Configuration in the High Availability Volume. Configuration procedure Follow these steps to detect the reachability of a static route's nexthop through Track: To do…...
  • Page 345: Static Route Configuration Example

    Static Route Configuration Example Basic Static Route Configuration Example Network requirements The IP addresses and masks of the switches and hosts are shown in the following figure. Static routes are required for interconnection between any two hosts. Figure 1-1 Network diagram for static route configuration Configuration procedure Configuring IP addresses for interfaces (omitted) Configuring static routes...
  • Page 346
    Destination/Mask   Proto   Cost  NextHop    Interface
    0.0.0.0/0          Static  60    1.1.4.2    Vlan500
    1.1.2.0/24         Direct  0     1.1.2.3    Vlan300
    1.1.2.3/32         Direct  0     127.0.0.1  InLoop0
    1.1.4.0/30         Direct  0     1.1.4.1    Vlan500
    1.1.4.1/32         Direct  0     127.0.0.1  InLoop0
    127.0.0.0/8        Direct  0     127.0.0.1  InLoop0
    127.0.0.1/32       Direct  0     127.0.0.1  InLoop0
    # Display the IP routing table of Switch B.
  • Page 347
    <1 ms  <1 ms  <1 ms  1.1.6.1
    <1 ms  <1 ms  <1 ms  1.1.4.1
     1 ms  <1 ms  <1 ms  1.1.2.2
    Trace complete.
  • Page 348 Table of Contents: 1 RIP Configuration (1-1); RIP Overview (1-1); Operation of RIP (1-1); Operation of RIP (1-2); RIP Version (1-2); RIP Message Format (1-3); Supported RIP Features (1-5); Protocols and Standards (1-5); Configuring RIP Basic Functions (1-5); Configuration Prerequisites (1-5); Configuration Procedure (1-5); Configuring RIP Route Control (1-7); Configuring an Additional Routing Metric (1-7); Configuring RIPv2 Route Summarization (1-8); Disabling Host Route Reception (1-9)...
  • Page 349: Rip Configuration

    RIP Configuration The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. When configuring RIP, go to these sections for information you are interested in: RIP Overview; Configuring RIP Basic Functions; Configuring RIP Route Control; Configuring RIP Network Optimization; Displaying and Maintaining RIP...
  • Page 350: Rip Version

    Egress interface: Packet outgoing interface. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. Route tag: Identifies a route, used in a routing policy to flexibly control routes. For information about routing policy, refer to Routing Policy Configuration in the IP Routing Volume.
  • Page 351: Rip Message Format

    RIPv1, a classful routing protocol, supports message advertisement via broadcast only. RIPv1 protocol messages do not carry mask information, which means it can only recognize routing information of natural networks such as Class A, B, C. That is why RIPv1 does not support discontiguous subnets. RIPv2 is a classless routing protocol.
  • Page 352 RIPv2 message format The format of a RIPv2 message is similar to that of RIPv1. Figure 1-2 shows it. Figure 1-2 RIPv2 Message Format The differences from RIPv1 are as follows. Version: Version of RIP. For RIPv2 the value is 0x02. Route Tag: Route Tag. IP Address: Destination IP address.
  • Page 353: Protocols And Standards

    RFC 1723 only defines plain text authentication. For information about MD5 authentication, refer to RFC 2453 “RIP Version 2”. With RIPv1, you can configure the authentication mode in interface view. However, the configuration will not take effect because RIPv1 does not support authentication. Supported RIP Features The current implementation supports the following RIP features.
  • Page 354 If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled. RIP runs only on the interfaces residing on the specified networks. Therefore, you need to specify the network after enabling RIP to validate RIP on a specific interface. You can enable RIP on all interfaces using the command network 0.0.0.0.
  • Page 355: Configuring Rip Route Control

    Follow these steps to configure a RIP version: To do… Use the command… Remarks Enter system view system-view –– Enter RIP view rip [ process-id ] –– Optional By default, if an interface has a RIP version specified, the version takes precedence over the global one.
  • Page 356: Configuring Ripv2 Route Summarization

    The outbound additional metric is added to the metric of a sent route, and the route’s metric in the routing table is not changed. The inbound additional metric is added to the metric of a received route before the route is added into the routing table, and the route’s metric is changed.
  • Page 357: Disabling Host Route Reception

    To do… Use the command… Remarks rip summary-address ip-address Advertise a summary route Required { mask | mask-length } You need to disable RIPv2 route automatic summarization before advertising a summary route on an interface. Disabling Host Route Reception Sometimes a router may receive from the same network many host routes, which are not helpful for routing and consume a large amount of network resources.
  • Page 358: Configuring Inbound/Outbound Route Filtering

    To do… Use the command… Remarks Optional Enable RIP to advertise a default-route { only | originate } default route [ cost cost ] Not enabled by default Return to system view quit –– interface interface-type Enter interface view –– interface-number Optional rip default-route { { only |...
  • Page 359: Configuring A Priority For Rip

    Configuring a Priority for RIP Multiple IGP protocols may run in a router. If you want RIP routes to have a higher priority than those learned by other routing protocols, you can assign RIP a smaller priority value to influence optimal route selection.
  • Page 360: Configuring Rip Timers

    Configuring RIP Timers Follow these steps to configure RIP timers: To do… Use the command… Remarks Enter system view system-view –– Enter RIP view rip [ process-id ] –– Optional timers { garbage-collect garbage-collect-value | suppress The default update timer, timeout Configure values for suppress-value | timeout timer, suppress timer, and...
  • Page 361: Enabling Zero Field Check On Incoming Ripv1 Messages

    To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter interface view — interface-number Required Enable poison reverse rip poison-reverse Disabled by default Enabling Zero Field Check on Incoming RIPv1 Messages Some fields in the RIPv1 message must be zero. These fields are called zero fields. You can enable zero field check on received RIPv1 messages.
  • Page 362: Configuring Ripv2 Message Authentication

    Configuring RIPv2 Message Authentication RIPv2 supports two authentication modes: plain text and MD5. In plain text authentication, the authentication information is sent with the RIP message, which however cannot meet high security needs. Follow these steps to configure RIPv2 message authentication: To do…...
  • Page 363: Configuring Rip-To-Mib Binding

    Configuring RIP-to-MIB Binding This task allows you to enable a specific RIP process to receive SNMP requests. Follow these steps to bind RIP to MIB: To do… Use the command… Remarks Enter system view system-view –– Optional Bind RIP to MIB rip mib-binding process-id By default, MIB is bound to RIP process 1.
  • Page 364: Rip Configuration Examples

    RIP Configuration Examples Configuring RIP Version Network requirements As shown in Figure 1-4, enable RIPv2 on all interfaces on Switch A and Switch B. Figure 1-4 Network diagram for RIP version configuration Configuration procedure Configure an IP address for each interface (only the IP address configuration for the VLAN interfaces is given in the following examples) # Configure Switch A.
  • Page 365: Configuring Rip Route Redistribution

    # Display the RIP routing table of Switch A.
    [SwitchA] display rip 1 route
    Route Flags: R - RIP, T - TRIP
                 P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
    --------------------------------------------------------------------------
    Peer 192.168.1.2 on Vlan-interface100
    Destination/Mask   Nexthop   Cost   Flags...
  • Page 366 Configure route redistribution on Switch B to make RIP 200 redistribute direct routes and routes from RIP 100. Thus, Switch C can learn routes destined for 10.2.1.0/24 and 11.1.1.0/24, while Switch A cannot learn routes destined for 12.3.1.0/24 and 16.4.1.0/24. Configure a filtering policy on Switch B to filter out the route 10.2.1.1/24 from RIP 100, making the route not advertised to Switch C.
  • Page 367
    [SwitchC] display ip routing-table
    Routing Tables: Public
    Destinations : 6        Routes : 6
    Destination/Mask   Proto   Cost  NextHop    Interface
    12.3.1.0/24        Direct  0     12.3.1.2   Vlan200
    12.3.1.2/32        Direct  0     127.0.0.1  InLoop0
    16.4.1.0/24        Direct  0     16.4.1.1   Vlan400
    16.4.1.1/32        Direct  0     127.0.0.1  InLoop0
    127.0.0.0/8        Direct  0     127.0.0.1  InLoop0
    127.0.0.1/32...
  • Page 368: Configuring An Additional Metric For A Rip Interface

    16.4.1.0/24        Direct  0     16.4.1.1   Vlan400
    16.4.1.1/32        Direct  0     127.0.0.1  InLoop0
    127.0.0.0/8        Direct  0     127.0.0.1  InLoop0
    127.0.0.1/32       Direct  0     127.0.0.1  InLoop0
    Configuring an Additional Metric for a RIP Interface Network requirements As shown in the following figure: RIP is enabled on all the interfaces of Switch A, Switch B, Switch C, Switch D, and Switch E. The switches are interconnected through RIPv2.
  • Page 369: Troubleshooting Rip

    [SwitchC-rip-1] network 1.0.0.0
    [SwitchC-rip-1] version 2
    [SwitchC-rip-1] undo summary
    # Configure Switch D.
    <SwitchD> system-view
    [SwitchD] rip 1
    [SwitchD-rip-1] network 1.0.0.0
    [SwitchD-rip-1] version 2
    [SwitchD-rip-1] undo summary
    # Configure Switch E.
    <SwitchE> system-view
    [SwitchE] rip 1
    [SwitchE-rip-1] network 1.0.0.0
    [SwitchE-rip-1] version 2
    [SwitchE-rip-1] undo summary
    # Display the IP routing table of Switch A.
  • Page 370: Route Oscillation Occurred

    No RIP updates are received when the links work well. Analysis: After enabling RIP, you must use the network command to enable corresponding interfaces. Make sure no interfaces are disabled from handling RIP messages. If the peer is configured to send multicast messages, the same should be configured on the local end. Solution: Use the display current-configuration command to check the RIP configuration. Use the display rip command to check whether some interface is disabled...
  • Page 371 Table of Contents: 1 IPv6 Static Routing Configuration (1-1); Introduction to IPv6 Static Routing (1-1); Features of IPv6 Static Routes (1-1); Default IPv6 Route (1-1); Configuring an IPv6 Static Route (1-1); Configuration prerequisites (1-1); Configuring an IPv6 Static Route (1-2); Displaying and Maintaining IPv6 Static Routes (1-2); IPv6 Static Routing Configuration Example (1-2)...
  • Page 372: Ipv6 Static Routing Configuration

    IPv6 Static Routing Configuration When configuring IPv6 Static Routing, go to these sections for information you are interested in: Introduction to IPv6 Static Routing Configuring an IPv6 Static Route Displaying and Maintaining IPv6 Static Routes IPv6 Static Routing Configuration Example The term “router”...
  • Page 373: Configuring An Ipv6 Static Route

    Enabling IPv6 packet forwarding Ensuring that the neighboring nodes are IPv6 reachable Configuring an IPv6 Static Route Follow these steps to configure an IPv6 static route: To do… Use the commands… Remarks Enter system view system-view — Required ipv6 route-static ipv6-address prefix-length [ interface-type The default Configure an IPv6 static route...
  • Page 374 Figure 1-1 Network diagram for static routes Configuration procedure Configure the IPv6 addresses of all VLAN interfaces (omitted). Configure IPv6 static routes.
    # Configure the default IPv6 static route on SwitchA.
    <SwitchA> system-view
    [SwitchA] ipv6 route-static :: 0 4::2
    # Configure two IPv6 static routes on SwitchB.
    <SwitchB>...
  • Page 375
    NextHop : 1::1                   Preference
    Interface : Vlan-interface100    Cost
    Destination : 1::1/128           Protocol : Direct
    NextHop : ::1                    Preference
    Interface : InLoop0              Cost
    Destination : FE80::/10          Protocol : Direct
    NextHop : ::                     Preference
    Interface : NULL0                Cost
    # Verify the connectivity with the ping command.
    [SwitchA] ping ipv6 3::1
    PING 3::1 : 56 data bytes, press CTRL_C to break...
  • Page 376 Table of Contents: 1 RIPng Configuration (1-1); Introduction to RIPng (1-1); RIPng Working Mechanism (1-1); RIPng Packet Format (1-2); RIPng Packet Processing Procedure (1-3); Protocols and Standards (1-3); Configuring RIPng Basic Functions (1-3); Configuration Prerequisites (1-3); Configuration Procedure (1-4); Configuring RIPng Route Control (1-4); Configuring an Additional Routing Metric (1-4); Configuring RIPng Route Summarization (1-5); Advertising a Default Route (1-5)...
  • Page 377: Ripng Configuration

    RIPng Configuration When configuring RIPng, go to these sections for information you are interested in: Introduction to RIPng; Configuring RIPng Basic Functions; Configuring RIPng Route Control; Tuning and Optimizing the RIPng Network; Displaying and Maintaining RIPng; RIPng Configuration Example. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Introduction to RIPng RIP next generation (RIPng) is an extension of RIP-2 for IPv4.
  • Page 378: Ripng Packet Format

    Each RIPng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information: Destination address: IPv6 address of a host or a network. Next hop address: IPv6 address of a neighbor along the path to the destination. Egress interface: Outbound interface that forwards IPv6 packets.
  • Page 379: Ripng Packet Processing Procedure

    Figure 1-3 IPv6 prefix RTE format (fields: IPv6 prefix (16 octets), Route tag, Prefix length, Metric) IPv6 prefix: Destination IPv6 address prefix. Route tag: Route tag. Prefix length: Length of the IPv6 address prefix. Metric: Cost of a route. RIPng Packet Processing Procedure Request packet When a RIPng router first starts or needs to update some entries in its routing table, it generally sends a multicast request packet to ask its neighbors for the needed routes.
  • Page 380: Configuration Procedure

    Configure an IP address for each interface, and make sure all nodes are reachable to one another. Configuration Procedure Follow these steps to configure the basic RIPng functions: To do… Use the command… Remarks Enter system view system-view –– Required Create a RIPng process and ripng [ process-id ] enter RIPng view...
  • Page 381: Configuring Ripng Route Summarization

    The inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route’s metric is changed. Follow these steps to configure an inbound/outbound additional routing metric: To do… Use the command…...
  • Page 382: Configuring A Ripng Route Filtering Policy

    Configuring a RIPng Route Filtering Policy You can reference a configured IPv6 ACL or prefix list to filter received/advertised routing information as needed. For filtering outbound routes, you can also specify a routing protocol from which to filter routing information redistributed. Follow these steps to configure a RIPng route filtering policy: To do…...
  • Page 383: Tuning And Optimizing The Ripng Network

    Tuning and Optimizing the RIPng Network This section describes how to tune and optimize the performance of the RIPng network as well as applications under special network environments. Before tuning and optimizing the RIPng network, complete the following tasks: Configure a network layer address for each interface Configure the basic RIPng functions This section covers the following topics: Configuring RIPng Timers...
  • Page 384: Configuring Zero Field Check On Ripng Packets

    same interface to prevent routing loops between neighbors. Follow these steps to configure split horizon: To do… Use the command… Remarks Enter system view system-view –– Enter interface view interface interface-type interface-number –– Optional Enable the split horizon ripng split-horizon function Enabled by default Generally, it is recommended that you enable split horizon to prevent routing loops.
  • Page 385: Displaying And Maintaining Ripng

    Displaying and Maintaining RIPng To do… Use the command… Remarks Display configuration display ripng [ process-id ] Available in any view information of a RIPng process Display routes in the RIPng display ripng process-id database Available in any view database Display the routing information display ripng process-id route Available in any view...
  • Page 386
    [SwitchB] interface vlan-interface 200
    [SwitchB-Vlan-interface200] ripng 1 enable
    [SwitchB-Vlan-interface200] quit
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ripng 1 enable
    [SwitchB-Vlan-interface100] quit
    # Configure Switch C.
    <SwitchC> system-view
    [SwitchC] ripng 1
    [SwitchC-ripng-1] quit
    [SwitchC] interface vlan-interface 200
    [SwitchC-Vlan-interface200] ripng 1 enable
    [SwitchC-Vlan-interface200] quit
    [SwitchC] interface vlan-interface 500
    [SwitchC-Vlan-interface500] ripng 1 enable
    [SwitchC-Vlan-interface500] quit...
  • Page 387
    via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
    Dest 5::/64,
    via FE80::200:2FF:FE64:8904, cost 2, tag 0, A, 31 Sec
    Dest 3::/64,
    via FE80::200:2FF:FE64:8904, cost 1, tag 0, A, 31 Sec
    Configure Switch B to filter incoming and outgoing routes.
    [SwitchB] acl ipv6 number 2000
    [SwitchB-acl6-basic-2000] rule deny source 3::/64
    [SwitchB-acl6-basic-2000] rule permit...
  • Page 388 Table of Contents: 1 Route Policy Configuration (1-1); Introduction to Route Policy (1-1); Route Policy Application (1-1); Route Policy Implementation (1-1); Filters (1-2); Route Policy Application (1-2); Route Policy Configuration Task List (1-2); Defining Filters (1-3); Prerequisites (1-3); Defining an IP-prefix List (1-3); Configuring a Route Policy (1-4); Prerequisites (1-4); Creating a Route Policy (1-5); Defining if-match Clauses (1-5)...
  • Page 389: Route Policy Configuration

    Route Policy Configuration A route policy is used on a router for route filtering and attribute modification when routes are received, advertised, or redistributed. When configuring a route policy, go to these sections for information you are interested in: Introduction to Route Policy; Route Policy Configuration Task List; Defining Filters; Configuring a Route Policy...
  • Page 390: Filters

    Filters There are six types of filters: ACL, IP prefix list, and route policy. ACL involves IPv4 ACL and IPv6 ACL. An ACL is configured to match the destinations or next hops of routing information. For ACL configuration, refer to ACL configuration in the Security Volume. IP prefix list IP prefix list involves IPv4 and IPv6 prefix list.
  • Page 391: Defining Filters

    Task Defining Filters Defining an IP-prefix List Creating a Route Policy Configuring a Route Policy Defining if-match Clauses Defining apply Clauses Defining Filters Prerequisites Before configuring this task, you need to decide on: IP-prefix list name Matching address range Defining an IP-prefix List Define an IPv4 prefix list Identified by name, an IPv4 prefix list can comprise multiple items.
  • Page 392: Configuring A Route Policy

    Define an IPv6 prefix list Identified by name, each IPv6 prefix list can comprise multiple items. Each item specifies a prefix range to match and is identified by an index number. An item with a smaller index number is matched first. If one item is matched, the IPv6 prefix list is passed, and the routing information will not go to the next item.
  • Page 393: Creating A Route Policy

    Before configuring a route policy, decide on: the name of the route policy and its node numbers; the match criteria; the attributes to be modified. Creating a Route Policy. Follow these steps to create a route policy (To do… / Use the command… / Remarks): Enter system view: system-view (—). Create a route policy, specify a node for it and enter route policy view: route-policy route-policy-name { permit | ... (Required)...
  • Page 394: Defining Apply Clauses

    (To do… / Use the command… / Remarks) Match IPv4 routing information whose next hop or source is specified in the ACL or IP prefix list: if-match ip { next-hop | route-source } { acl acl-number | ip-prefix ip-prefix-name } (Optional; not configured by default). Match IPv6 routing information ...: if-match ipv6 { address | ...
  • Page 395: Displaying And Maintaining The Route Policy

    (To do… / Use the command… / Remarks) Set the next hop for IPv4 routes: apply ip-address next-hop ip-address (Optional; not set by default. The setting does not apply to redistributed routing information). Set the next hop for IPv6 routes: apply ipv6 next-hop ipv6-address (Optional; not set by default. The setting does not apply to redistributed routing information).
  • Page 396 Figure 1-1 Network diagram for route policy application to route redistribution. Configuration procedure: Configure Switch A. # Configure IP addresses of the interfaces (omitted). # Configure RIP basic functions.
    <SwitchA> system-view
    [SwitchA] rip
    [SwitchA-rip-1] version 2
    [SwitchA-rip-1] undo summary
    [SwitchA-rip-1] network 192.168.1.0
    [SwitchA-rip-1] quit
    # Configure three static routes.
  • Page 397: Applying A Route Policy To Ipv6 Route Redistribution

    Display the RIP routing table of Switch B and verify the configuration.
    [SwitchB] display rip 1 route
    Route Flags: R - RIP, T - TRIP
    Permanent, Aging, Suppressed, Garbage-collect
    ----------------------------------------------------------------------
    Peer 192.168.1.3 on Vlan-interface100
    Destination/Mask    Nexthop        Cost    Flags
    20.0.0.0/8          192.168.1.3
    40.0.0.0/8          192.168.1.3
    The display shows that Switch B has only the routing information permitted by ACL 2000.
  • Page 398: Troubleshooting Route Policy Configuration

    [SwitchA] ipv6 route-static 20:: 32 11::2
    [SwitchA] ipv6 route-static 30:: 32 11::2
    [SwitchA] ipv6 route-static 40:: 32 11::2
    # Configure a route policy.
    [SwitchA] ip ipv6-prefix a index 10 permit 30:: 32
    [SwitchA] route-policy static2ripng deny node 0
    [SwitchA-route-policy] if-match ipv6 address prefix-list a
    [SwitchA-route-policy] quit
    [SwitchA] route-policy static2ripng permit node 10
    [SwitchA-route-policy] quit...
  • Page 399: Ipv6 Routing Information Filtering Failure

    Analysis: At least one item of the IP prefix list must be configured in permit mode, and at least one node of the route policy must be configured in permit mode. Solution: Use the display ip ip-prefix command to display IP prefix list information. Use the display route-policy command to display route policy information.
  • Page 400 IP Multicast Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The IP Multicast Volume is organized as follows: Features Description This document describes the main concepts in multicast: Introduction to Multicast Multicast Overview Multicast Models Multicast Architecture Multicast Packets Forwarding Mechanism Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 401 Table of Contents: 1 Multicast Overview (1-1); Introduction to Multicast (1-1); Comparison of Information Transmission Techniques (1-1); Features of Multicast (1-4); Common Notations in Multicast (1-5); Advantages and Applications of Multicast (1-5); Multicast Models (1-5); Multicast Architecture (1-6); Multicast Addresses (1-7); Multicast Protocols (1-11); Multicast Packet Forwarding Mechanism (1-13)...
  • Page 402: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 403 Figure 1-1 Unicast transmission (figure: Source sends separate packets for Host B, Host D and Host E across the IP network; Host A to Host E, with Host B, Host D and Host E as receivers). Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 404 Figure 1-2 Broadcast transmission Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 405: Features Of Multicast

    Figure 1-3 Multicast transmission The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 406: Common Notations In Multicast

    For a better understanding of the multicast concept, you can liken multicast transmission to the transmission of TV programs, as shown in Table 1-1. Table 1-1 An analogy between TV transmission and multicast transmission (TV transmission / Multicast transmission): A TV station transmits a TV program through a channel. / A multicast source sends multicast data to a ...
  • Page 407: Multicast Architecture

    ASM model In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that group. In this model, receivers are not aware of the position of multicast sources in advance.
  • Page 408: Multicast Addresses

    Multicast Addresses To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely multicast IP addresses, must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses. IP multicast addresses. IPv4 multicast addresses: The Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
  • Page 409 (Address / Description) 224.0.0.7: Shared Tree (ST) routers. 224.0.0.8: ST hosts. 224.0.0.9: Routing Information Protocol version 2 (RIPv2) routers. 224.0.0.11: Mobile agents. 224.0.0.12: Dynamic Host Configuration Protocol (DHCP) server/relay agent. 224.0.0.13: All Protocol Independent Multicast (PIM) routers. 224.0.0.14: Resource Reservation Protocol (RSVP) encapsulation. 224.0.0.15: All Core-Based Tree (CBT) routers. 224.0.0.16: ...
  • Page 410 Description: When set to 0, it indicates that this address is an IPv6 multicast address permanently assigned by IANA. When set to 1, it indicates that this address is a transient, or dynamically assigned, IPv6 multicast address. Scope: 4 bits, indicating the scope of the IPv6 internetwork for which the multicast traffic is intended. Possible values of this field are given in Table 1-5.
  • Page 411 Figure 1-6 IPv4-to-MAC address mapping The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 address are lost.
  • Page 412: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP/MLD, PIM/IPv6 PIM, MSDP, and MBGP/IPv6 MBGP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping/MLD Snooping, and multicast VLAN/IPv6 multicast VLAN.
  • Page 413 In the ASM model, multicast routes come in intra-domain routes and inter-domain routes. An intra-domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an AS so as to deliver multicast data to receivers. Among a variety of mature intra-domain multicast routing protocols, protocol independent multicast (PIM) is a popular one.
  • Page 414: Multicast Packet Forwarding Mechanism

    Multicast Packet Forwarding Mechanism In a multicast model, a multicast source sends information to the host group identified by the multicast group address in the destination address field of IP multicast packets. Therefore, to deliver multicast packets to receivers located in different parts of the network, multicast routers on the forwarding path usually need to forward multicast packets received on one incoming interface to multiple outgoing interfaces.
  • Page 415 Table of Contents: 1 IGMP Snooping Configuration (1-1); IGMP Snooping Overview (1-1); Principle of IGMP Snooping (1-1); Basic Concepts in IGMP Snooping (1-2); How IGMP Snooping Works (1-3); Protocols and Standards (1-5); IGMP Snooping Configuration Task List (1-5); Configuring Basic Functions of IGMP Snooping (1-6); Configuration Prerequisites (1-6); Enabling IGMP Snooping (1-6); Configuring the Version of IGMP Snooping (1-7)...
  • Page 416: Igmp Snooping Configuration

    IGMP Snooping Configuration When configuring IGMP Snooping, go to the following sections for information you are interested in: IGMP Snooping Overview IGMP Snooping Configuration Task List Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 417: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 1-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 418: How Igmp Snooping Works

    Aging timers for dynamic ports in IGMP Snooping and related messages and actions. Table 1-1 Aging timers for dynamic ports in IGMP Snooping and related messages and actions (Timer / Description / Message before expiry / Action after expiry): Dynamic router port aging timer: For each dynamic router port, the switch ... / IGMP general query of ... / The switch removes ...
  • Page 419 When receiving a membership report A host sends an IGMP report to the IGMP querier in the following circumstances: Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. When intended to join a multicast group, a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group.
  • Page 420: Protocols And Standards

    Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to that multicast group through the port that received the leave message. Upon receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following to the port on which it received the IGMP leave message: If any IGMP report in response to the group-specific query is received on the port (suppose it is a...
  • Page 421: Configuring Basic Functions Of Igmp Snooping

    Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
  • Page 422: Configuring The Version Of Igmp Snooping

    IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only. Configuring the Version of IGMP Snooping By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
  • Page 423: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
  • Page 424: Configuring Simulated Joining

    Follow these steps to configure static ports (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name (Required; use either approach). Configure the port(s) as static ...: igmp-snooping static-group group-address [ source-ip ... (Required)...
  • Page 425: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name (Required; use either approach). Configure simulated (*, G) or ...: igmp-snooping host-join group-address [ source-ip ... (Required)...
  • Page 426: Configuring Igmp Snooping Querier

    Configuring fast leave processing on a port or a group of ports. Follow these steps to configure fast leave processing on a port or a group of ports (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter Ethernet port/Layer 2 aggregate port view or port ...: interface interface-type interface-number (Required)...
  • Page 427: Configuring Igmp Queries And Responses

    It is meaningless to configure an IGMP Snooping querier in a multicast network running IGMP. Although an IGMP Snooping querier does not take part in IGMP querier elections, it may affect IGMP querier elections because it sends IGMP general queries with a low source IP address. Configuring IGMP Queries and Responses. You can tune the IGMP general query interval based on the actual condition of the network.
  • Page 428: Configuring Source Ip Address Of Igmp Queries

    (To do... / Use the command... / Remarks) Configure the maximum response time to IGMP general queries: igmp-snooping max-response-time interval (Optional; 10 seconds by default). Configure the IGMP last-member query interval: igmp-snooping last-member-query-interval interval (Optional; 1 second by default). In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
  • Page 429: Configuring A Multicast Group Filter

    Before configuring an IGMP Snooping policy, prepare the following data: ACL rule for multicast group filtering The maximum number of multicast groups that can pass the ports Configuring a Multicast Group Filter On an IGMP Snooping–enabled switch, the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different users.
  • Page 430: Configuring The Function Of Dropping Unknown Multicast Data

    Disabled by default. When 3Com Switch 4500G family switches are enabled to filter IPv4 multicast data based on the source ports, they are automatically enabled to filter IPv6 multicast data based on the source ports as well. Configuring the Function of Dropping Unknown Multicast Data. Unknown multicast data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table.
  • Page 431: Configuring Igmp Report Suppression

    (To do... / Use the command... / Remarks) Enable the function of dropping unknown multicast data: igmp-snooping drop-unknown (Required; disabled by default). Configuring IGMP Report Suppression. When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
  • Page 432: Configuring Multicast Group Replacement

    When the number of multicast groups a port has joined reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configured static or simulated joins on a port, however, when the number of multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries pertaining to that port from the IGMP Snooping forwarding table and applies the static or simulated...
  • Page 433: Displaying And Maintaining Igmp Snooping

    Configuring multicast group replacement on a port or a group of ports. Follow these steps to configure multicast group replacement on a port or a group of ports (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter Ethernet port/Layer 2 ...: interface interface-type interface-number (Required)...
  • Page 434: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples Configuring Group Policy and Simulated Joining Network requirements As shown in Figure 1-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A will act as the IGMP querier on the subnet.
  • Page 435
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping and the function of dropping unknown multicast traffic in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] igmp-snooping enable...
  • Page 436: Static Port Configuration

    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):total 2 port.
    GE1/0/3 GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined multicast...
  • Page 437: Network Diagram

    Network diagram Figure 1-4 Network diagram for static port configuration (figure: Source, Switch A, Switch B, Switch C, and Router A as IGMP querier; Host A, Host B and Host C as receivers; ports GE1/0/1, GE1/0/2 and GE1/0/5 with addresses 1.1.1.1/24, 1.1.1.2/24 and 10.1.1.1/24). Configuration procedure: Configure IP addresses. Configure an IP address and subnet mask for each interface as per Figure...
  • Page 438
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
    <SwitchB> system-view
    [SwitchB] igmp-snooping
    [SwitchB-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable IGMP Snooping in the VLAN.
  • Page 439
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total 1 port.
  • Page 440: Igmp Snooping Querier Configuration

    IGMP Snooping Querier Configuration Network requirements As shown in Figure 1-5, in a Layer 2–only network environment, two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, Host A and Host C are receivers of multicast group 224.1.1.1, while Host B and Host D are receivers of multicast group 225.1.1.1.
  • Page 441
    # Enable the IGMP Snooping querier function in VLAN 100.
    [SwitchA-vlan100] igmp-snooping querier
    # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
    [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
    [SwitchA-vlan100] igmp-snooping special-query source-ip 192.168.1.1
    [SwitchA-vlan100] quit
    Configure Switch B
    # Enable IGMP Snooping globally.
  • Page 442: Troubleshooting Igmp Snooping Configuration

    Troubleshooting IGMP Snooping Configuration. Switch Fails in Layer 2 Multicast Forwarding. Symptom: A switch fails to perform Layer 2 multicast forwarding. Analysis: IGMP Snooping is not enabled. Solution: Enter the display current-configuration command to view the running status of IGMP Snooping. If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally, and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
  • Page 443 Table of Contents: 1 Multicast VLAN Configuration (1-1); Introduction to Multicast VLAN (1-1); Multicast VLAN Configuration Task List (1-3); Configuring Sub-VLAN-Based Multicast VLAN (1-3); Configuration Prerequisites (1-3); Configuring Sub-VLAN-Based Multicast VLAN (1-3); Configuring Port-Based Multicast VLAN (1-4); Configuration Prerequisites (1-4); Configuring User Port Attributes (1-4); Configuring Multicast VLAN Ports (1-5); Displaying and Maintaining Multicast VLAN (1-6); Multicast VLAN Configuration Examples (1-6)...
  • Page 444: Multicast Vlan Configuration

    Multicast VLAN Configuration When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to Multicast VLAN Multicast VLAN Configuration Task List Configuring Sub-VLAN-Based Multicast VLAN Configuring Port-Based Multicast VLAN Displaying and Maintaining Multicast VLAN Multicast VLAN Configuration Examples Introduction to Multicast VLAN As shown in Figure...
  • Page 445 Figure 1-2 Sub-VLAN-based multicast VLAN (figure: Source, Router A as IGMP querier, Switch A; multicast packets arrive in VLAN 10, the multicast VLAN, and are delivered to receivers Host A, Host B and Host C in sub-VLANs VLAN 2, VLAN 3 and VLAN 4). After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs.
  • Page 446: Multicast Vlan Configuration Task List

    For information about IGMP Snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. Multicast VLAN Configuration Task List Complete the following tasks to configure multicast VLAN: Task Remarks Configuring Sub-VLAN-Based Multicast VLAN...
  • Page 447: Configuring Port-Based Multicast Vlan

    The VLAN to be configured as a multicast VLAN must exist. The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN. The total number of sub-VLANs of a multicast VLAN must not exceed 63. Configuring Port-Based Multicast VLAN When configuring port-based multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the multicast VLAN.
  • Page 448: Configuring Multicast Vlan Ports

    Follow these steps to configure user port attributes (To do... / Use the command... / Remarks): Enter system view: system-view (—). Enter port view or port group view: interface interface-type interface-number, or port-group { manual port-group-name | aggregation agg-id } (Required; use either command). Configure the user port link type as hybrid: port link-type hybrid (Required)...
  • Page 449: Displaying And Maintaining Multicast Vlan

    Configuring multicast VLAN ports in port view or port group view. Follow these steps to configure multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks): Enter system view: system-view (—). Configure the specified VLAN as a multicast VLAN and enter multicast VLAN view: multicast-vlan vlan-id (Required; not a multicast VLAN by...
  • Page 450 Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs. Network diagram: Figure 1-4 Network diagram for sub-VLAN-based multicast VLAN configuration (figure: Source, Router A as IGMP querier, ...)...
  • Page 451
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable
    [SwitchA-vlan10] quit...
  • Page 452
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Host port(s):total 1 port.
    GE1/0/3
    MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):total 1 port.
  • Page 453: Port-Based Multicast Vlan Configuration

    Port-Based Multicast VLAN Configuration Network requirements As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A. IGMPv2 Snooping is required on Switch A. Router A acts as the IGMP querier.
  • Page 454
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable IGMP Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] igmp-snooping enable...
  • Page 455
    Total 1 multicast-vlan(s)
    Multicast vlan 10
    subvlan list:
    no subvlan
    port list:
    GE1/0/2 GE1/0/3 GE1/0/4
    # View the IGMP Snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
  • Page 456 Table of Contents: 1 MLD Snooping Configuration (1-1); MLD Snooping Overview (1-1); Introduction to MLD Snooping (1-1); Basic Concepts in MLD Snooping (1-2); How MLD Snooping Works (1-3); Protocols and Standards (1-5); MLD Snooping Configuration Task List (1-5); Configuring Basic Functions of MLD Snooping (1-6); Configuration Prerequisites (1-6); Enabling MLD Snooping (1-6); Configuring the Version of MLD Snooping (1-7)...
  • Page 457: Mld Snooping Configuration

    MLD Snooping Configuration
    When configuring MLD Snooping, go to these sections for information you are interested in:
      MLD Snooping Overview
      MLD Snooping Configuration Task List
      Displaying and Maintaining MLD Snooping
      MLD Snooping Configuration Examples
      Troubleshooting MLD Snooping
    MLD Snooping Overview
    Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups.
  • Page 458: Basic Concepts In Mld Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth.
    Enhancing the security of multicast traffic.
    Facilitating the implementation of per-host accounting.
    Basic Concepts in MLD Snooping
    MLD Snooping related ports
    As shown in Figure 1-2, Router A connects to the multicast source, MLD Snooping runs on Switch A and Switch B, and Host A and Host C are receiver hosts (namely, IPv6 multicast group members).
  • Page 459: How Mld Snooping Works

    Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD Snooping-enabled switch, the ports that received MLD general queries with the source address other than 0::0 or IPv6 PIM hello messages are dynamic router ports.
  • Page 460
    General queries
    The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the port on which it received the query, and performs the following: If the port on which the switch received the MLD query is a dynamic router port in its router port list, the switch resets the aging timer for this dynamic router port.
  • Page 461: Protocols And Standards

    If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD done message to all router ports in the native VLAN.
  • Page 462: Configuring Basic Functions Of Mld Snooping

    Task | Remarks
    Configuring an MLD Snooping Policy:
      Configuring an IPv6 Multicast Group Filter | Optional
      Configuring IPv6 Multicast Source Port Filtering | Optional
      Configuring MLD Report Suppression | Optional
      Configuring Maximum Multicast Groups that Can Be Joined on a Port | Optional
      Configuring IPv6 Multicast Group Replacement | Optional
    Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
  • Page 463: Configuring Mld Snooping Port Functions

    To do... | Use the command... | Remarks
    Enter VLAN view | vlan vlan-id | —
    Enable MLD Snooping in the VLAN | mld-snooping enable | Required. Disabled by default.
    MLD Snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD Snooping in a specified VLAN, this function takes effect for ports in this VLAN only.
  • Page 464: Configuring Aging Timers For Dynamic Ports

    Configure the corresponding port groups
    Before configuring MLD Snooping port functions, prepare the following data:
      Aging time of dynamic router ports
      Aging timer of dynamic member ports
      IPv6 multicast group and IPv6 multicast source addresses
    Configuring Aging Timers for Dynamic Ports
    If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires.
  • Page 465: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure the port(s) as static... | mld-snooping static-group ipv6-group-address [ source-ip... | Required
  • Page 466: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure simulated joining | mld-snooping host-join ipv6-group-address [ source-ip... | Required
  • Page 467: Configuring Mld Snooping Querier

    Configuring fast leave processing on a port or a group of ports
    Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number... | Required
  • Page 468: Configuring Mld Queries And Responses

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable the MLD Snooping querier | mld-snooping querier | Required. Disabled by default.
    It is meaningless to configure an MLD Snooping querier in an IPv6 multicast network running MLD. Although an MLD Snooping querier does not take part in MLD querier elections, it may affect MLD querier elections because it sends MLD general queries with a low source IPv6 address.
  • Page 469: Configuring Source Ipv6 Addresses Of Mld Queries

    Configuring MLD queries and responses in a VLAN
    Follow these steps to configure MLD queries and responses in a VLAN:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure MLD query interval | mld-snooping query-interval interval | Optional. 125 seconds by default...
  • Page 470: Configuring An Mld Snooping Policy

    Configuring an MLD Snooping Policy
    Configuration Prerequisites
    Before configuring an MLD Snooping policy, complete the following tasks:
      Enable MLD Snooping in the VLAN
    Before configuring an MLD Snooping policy, prepare the following data:
      IPv6 ACL rule for IPv6 multicast group filtering
      The maximum number of IPv6 multicast groups that can pass the ports
    Configuring an IPv6 Multicast Group Filter
    On an MLD Snooping-enabled switch, the configuration of an IPv6 multicast group filter allows the...
  • Page 471: Configuring Ipv6 Multicast Source Port Filtering

    To do... | Use the command... | Remarks
    Configure an IPv6 multicast group filter | mld-snooping group-policy acl6-number [ vlan vlan-list ] | Required. By default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group.
  • Page 472: Configuring Mld Report Suppression

    Configuring MLD Report Suppression When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device, the Layer 3 device directly connected with it will receive duplicate MLD reports from these members.
  • Page 473: Configuring Ipv6 Multicast Group Replacement

    When the number of IPv6 multicast groups joined on a port reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the MLD Snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
  • Page 474: Displaying And Maintaining Mld Snooping

    Configuring IPv6 multicast group replacement on a port or a group of ports
    Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —...
  • Page 475: Mld Snooping Configuration Examples

    MLD Snooping Configuration Examples
    Configuring IPv6 Group Policy and Simulated Joining
    Network requirements
    As shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. MLDv1 is required on Router A, MLD Snooping version 1 is required on Switch A, and Router A will act as the MLD querier on the subnet.
  • Page 476
    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable MLD Snooping globally.
    <SwitchA> system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    [SwitchA-vlan100] mld-snooping enable...
  • Page 477: Static Port Configuration

    IP group address:FF1E::101
    (::, FF1E::101):
      Attribute: Host Port
      Host port(s):total 2 port.
        GE1/0/3 (D) ( 00:03:23 )
        GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
      MAC group address:3333-0000-0101
      Host port(s):total 2 port.
        GE1/0/3
        GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined IPv6 multicast group FF1E::101.
  • Page 478
    Network diagram
    [Figure 1-4 Network diagram for static port configuration: Source, Router A (MLD querier), Switch A, Switch B, Switch C, and receivers Host A through Host C; diagram not reproduced]
    Configuration procedure
    Enable IPv6 forwarding and configure IPv6 addresses
    Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure...
  • Page 479
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # Enable MLD Snooping globally.
    <SwitchB> system-view
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable MLD Snooping in the VLAN.
  • Page 480
    Vlan(id):100.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 2 port.
        GE1/0/1 (D) ( 00:01:30 )
        GE1/0/3
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:FF1E::101
        (::, FF1E::101):
          Attribute: Host Port
          Host port(s):total 1 port.
  • Page 481: Mld Snooping Querier Configuration

    MLD Snooping Querier Configuration
    Network requirements
    As shown in Figure 1-5, in a Layer-2-only network environment, two multicast sources, Source 1 and Source 2, send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively. Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
  • Page 482: Troubleshooting Mld Snooping

    [SwitchB] ipv6
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable the MLD Snooping feature in VLAN 100.
    [SwitchB-vlan100] mld-snooping enable
    [SwitchB-vlan100] quit
    Configurations of Switch C and Switch D are similar to the configuration of Switch B.
  • Page 483: Configured Ipv6 Multicast Group Policy Fails To Take Effect

    Configured IPv6 Multicast Group Policy Fails to Take Effect Symptom Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis The IPv6 ACL rule is incorrectly configured.
  • Page 484 Table of Contents
    1 IPv6 Multicast VLAN Configuration (1-1)
      Introduction to IPv6 Multicast VLAN (1-1)
      IPv6 Multicast VLAN Configuration Task List (1-3)
      Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN (1-3)
        Configuration Prerequisites (1-3)
        Configuring Sub-VLAN-Based IPv6 Multicast VLAN (1-3)
      Configuring Port-Based IPv6 Multicast VLAN (1-4)
        Configuration Prerequisites (1-4)
        Configuring User Port Attributes (1-4)
        Configuring IPv6 Multicast VLAN Ports (1-5)...
  • Page 485: Ipv6 Multicast Vlan Configuration

    IPv6 Multicast VLAN Configuration
    When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
      Introduction to IPv6 Multicast VLAN
      IPv6 Multicast VLAN Configuration Task List
      Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN
      Configuring Port-Based IPv6 Multicast VLAN
      Displaying and Maintaining IPv6 Multicast VLAN
      IPv6 Multicast VLAN Configuration Examples
    Introduction to IPv6 Multicast VLAN...
  • Page 486
    [Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN: Source, Router A (MLD querier), and Switch A with VLAN 10 as the IPv6 multicast VLAN and sub-VLANs VLAN 2, VLAN 3 and VLAN 4 leading to receivers Host A, Host B and Host C; diagram not reproduced]
    After the configuration, MLD snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub-VLANs.
  • Page 487: Ipv6 Multicast Vlan Configuration Task List

    For information about MLD Snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. IPv6 Multicast VLAN Configuration Task List Complete the following tasks to configure IPv6 multicast VLAN: Configuration task Remarks Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN...
  • Page 488: Configuring Port-Based Ipv6 Multicast Vlan

    To do… | Use the command… | Remarks
    Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN | subvlan vlan-list | Required. By default, an IPv6 multicast VLAN has no sub-VLANs.
    The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLANs of the IPv6 multicast VLAN must exist and must not be sub-VLANs of another IPv6 multicast VLAN.
  • Page 489: Configuring Ipv6 Multicast Vlan Ports

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure the user port link type as hybrid | port link-type hybrid | Required. Access by default.
    Specify the user VLAN that... | ... | Required...
  • Page 490: Displaying And Maintaining Ipv6 Multicast Vlan

    Configure IPv6 multicast VLAN ports in interface view or port group view
    Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view:
    To do… | Use this command… | Remarks
    Enter system view | system-view | —
    Configure the specified VLAN as an IPv6 multicast VLAN... | multicast-vlan ipv6 vlan-id | Required...
  • Page 491
    Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    [Figure 1-4 Network diagram for sub-VLAN-based IPv6 multicast VLAN configuration: Source, Router A (MLD querier)...; diagram not reproduced]
  • Page 492
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Configure VLAN 10 as an IPv6 multicast VLAN and configure VLAN 2 through VLAN 4 as its...
  • Page 493: Port-Based Multicast Vlan Configuration Example

    IP group(s):the following ip group(s) match to one mac group.
      IP group address:FF1E::101
      (::, FF1E::101):
        Host port(s):total 1 port.
          GE1/0/3
    MAC group(s):
      MAC group address:3333-0000-0101
      Host port(s):total 1 port.
        GE1/0/3
    Vlan(id):4.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 0 port.
  • Page 494 Switch A’s GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends IPv6 multicast data to IPv6 multicast group FF1E::101. Host A, Host B, and Host C are receivers of the IPv6 multicast group.
  • Page 495
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 2
    [SwitchA-vlan2] mld-snooping enable
    [SwitchA-vlan2] quit...
  • Page 496
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 1 port.
        GE1/0/1
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:FF1E::101
        (::, FF1E::101):
          Host port(s):total 3 port.
  • Page 497
    QoS Volume Organization
    Manual Version 6W101-20100310
    Product Version V05.02.00
    Organization
    The QoS Volume is organized as follows:
    Features | Description
    For network traffic, Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve QoS by guaranteeing bandwidth and reducing delay, jitter, and packet loss rate.
  • Page 498 Table of Contents
    1 QoS Overview (1-1)
      Introduction to QoS (1-1)
      Introduction to QoS Service Models (1-1)
        Best-Effort Service Model (1-1)
        IntServ Service Model (1-1)
        DiffServ Service Model (1-2)
      QoS Techniques Overview (1-2)
        Positions of the QoS Techniques in a Network (1-2)
    2 QoS Configuration Approaches (2-1)
      QoS Configuration Approach Overview (2-1)
        Non Policy-Based Configuration (2-1)...
  • Page 499
        Configuration Example (4-5)
      Displaying and Maintaining Traffic Policing, GTS, and Line Rate (4-5)
    5 Congestion Management Configuration (5-1)
      Congestion Management Overview (5-1)
        Causes, Impacts, and Countermeasures of Congestion (5-1)
        Congestion Management Policies (5-1)
      Congestion Management Configuration Approaches (5-4)
      Configuring Congestion Management (5-5)
        Configuring SP Queuing (5-5)
        Configuring WRR Queuing (5-5)
        Configuring WFQ Queuing (5-6)
        Configuring SP+WRR Queues (5-7)...
  • Page 500: Qos Overview

    QoS Overview
    This chapter covers the following topics:
      Introduction to QoS
      Introduction to QoS Service Models
      QoS Techniques Overview
    Introduction to QoS
    For network traffic, Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve QoS by guaranteeing bandwidth and reducing delay, jitter, and packet loss rate.
  • Page 501: Diffserv Service Model

    However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model puts great pressure on the storage and processing capabilities of devices. On the other hand, the IntServ model scales poorly, and is therefore hard to deploy in the Internet core.
  • Page 502 Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets.
  • Page 503: Qos Configuration Approaches

    QoS Configuration Approaches
    This chapter covers the following topics:
      QoS Configuration Approach Overview
      Configuring a QoS Policy
    QoS Configuration Approach Overview
    Two approaches are available for you to configure QoS: policy-based and non policy-based. Some QoS features can be configured in either approach while some can be configured only in one approach.
  • Page 504: Configuring A Qos Policy

    Configuring a QoS Policy Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure Defining a Class To define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class: To do…...
  • Page 505
    Form | Description
    acl ipv6 { access-list-number | name acl-name } | Matches an IPv6 ACL specified by its number or name. The access-list-number argument specifies an ACL by its number, which ranges from 2000 to 3999; the name acl-name keyword-argument combination specifies an ACL by its name.
  • Page 506: Defining A Traffic Behavior

    If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is or when the policy is applied. If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class, the actual logical relationship between these rules is or.
  • Page 507: Applying The Qos Policy

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create a policy and enter policy view | qos policy policy-name | Required
    Associate a class with a behavior in the policy | classifier tcl-name behavior behavior-name | Required
    If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the ACL are organized as a class and the behavior defined in the QoS policy applies to the class regardless of whether the match mode of the if-match clause is deny or permit.
  • Page 508
    Follow these steps to apply the QoS policy to an interface:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view or port group view | Enter interface view: interface interface-type interface-number; Enter port... | Use either command. Settings in interface view take effect on the current interface; settings in port group view take...
  • Page 509 If a user profile is active, the QoS policy, except ACLs referenced in the QoS policy, applied to it cannot be configured or removed. If the user profile is being used by online users, the referenced ACLs cannot be modified either. The QoS policies applied in user profile view support only the remark, car, and filter actions.
  • Page 510: Displaying And Maintaining Qos Policies

    Displaying and Maintaining QoS Policies
    To do… | Use the command… | Remarks
    Display information about a class and the corresponding user-defined actions associated by a policy | display qos policy [ policy-name [ classifier classifier-name ] ] | Available in any view
    Display information about the... | display qos policy interface [ interface-type... | Available in any view
  • Page 511: Priority Mapping Configuration

    Priority Mapping Configuration
    When configuring priority mapping, go to these sections for information you are interested in:
      Priority Mapping Overview
      Priority Mapping Configuration Tasks
      Configuring Priority Mapping
      Displaying and Maintaining Priority Mapping
      Priority Mapping Configuration Examples
    Priority Mapping Overview
    Introduction to Priority Mapping
    The priorities of a packet determine its transmission priority.
  • Page 512: Priority Trust Mode On A Port

    The default priority mapping tables (as shown in Appendix B Default Priority Mapping Tables) are available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority mapping table cannot meet your requirements, you can modify the priority mapping table as required. Priority Trust Mode on a Port The priority trust mode on a port decides which priority is used for priority mapping table lookup.
  • Page 513: Priority Mapping Configuration Tasks

    [Figure 3-1 Priority mapping procedure for an Ethernet packet: flowchart starting from receiving a packet on a port and branching on which priority is trusted on the port (port priority, 802.1p priority in packets, or DSCP); diagram not reproduced]
  • Page 514: Configuring Priority Mapping

    Task | Remarks
    Configuring a Priority Mapping Table | Optional
    Configuring the Priority Trust Mode on a Port | Optional
    Configuring the Port Priority of a Port | Optional
    Configuring Priority Mapping
    Configuring a Priority Mapping Table
    Follow these steps to configure an uncolored priority mapping table:
    To do…...
  • Page 515: Configuring The Port Priority Of A Port

    To do… | Use the command… | Remarks
    Trust the port priority | undo qos trust |
    Display the priority trust mode configuration on the port | display qos trust interface [ interface-type interface-number ] | Optional. Available in any view.
    Configuring the Port Priority of a Port
    You can change the port priority of a port used for priority mapping.
  • Page 516 For information about priority marking, refer to Priority Marking Configuration. Network requirements As shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows: The marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketing department to 3.
  • Page 517
    [Figure 3-2 Network diagram for priority mapping table and priority marking configuration; diagram not reproduced]
    Configuration procedure
    Configure trusting port priority
    # Set the port priority of GigabitEthernet 1/0/1 to 3.
    <Device> system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] qos priority 3
    [Device-GigabitEthernet1/0/1] quit
    # Set the port priority of GigabitEthernet 1/0/2 to 4.
  • Page 518 Configure priority marking # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated traffic treatment.
  • Page 519: Traffic Policing And Line Rate Configuration

    Traffic Policing and Line Rate Configuration
    When configuring traffic policing and line rate, go to these sections for information you are interested in:
      Traffic Policing and Line Rate Overview
      Configuring Traffic Policing
      Configuring the Line Rate
      Displaying and Maintaining Traffic Policing, GTS, and Line Rate
    Traffic Policing and Line Rate Overview
    Without limits on user traffic, a network can be overwhelmed very easily.
  • Page 520: Traffic Policing

    Complicated evaluation You can set two token buckets, the C bucket and the E bucket, to evaluate traffic in a more complicated environment and achieve more policing flexibility. For example, traffic policing uses four parameters: CIR: Rate at which tokens are put into the C bucket, that is, the average packet transmission or forwarding rate allowed by the C bucket.
  • Page 521: Line Rate

    Line Rate The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic control. With line rate configured on an interface, all packets to be sent through the interface are firstly handled by the token bucket at line rate. If there are enough tokens in the token bucket, packets can be forwarded;...
  • Page 522: Configuration Example

    To do… | Use the command… | Remarks
    Configure a traffic policing action | car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ] | Required
    Exit behavior view | quit | —...
  • Page 523: Configuring The Line Rate

    Configuring the Line Rate
    Configuration Procedure
    Follow these steps to configure the line rate:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view or port group view | Enter interface view: interface interface-type interface-number... | Use either command. Settings in interface view take effect on the current interface;...
  • Page 524: Congestion Management Configuration

    Congestion Management Configuration
    When configuring hardware congestion management, go to these sections for information you are interested in:
      Congestion Management Overview
      Congestion Management Configuration Approaches
      Configuring Congestion Management
      Displaying and Maintaining Congestion Management
    Congestion Management Overview
    Causes, Impacts, and Countermeasures of Congestion
    Network congestion is a major factor contributing to service quality degradation on a traditional network.
  • Page 525
    queuing algorithm addresses a particular network traffic problem, and which algorithm is used affects bandwidth resource assignment, delay, and jitter significantly. The Switch 4500G series supports the following four queue scheduling methods:
      Scheduling all queues with the strict priority (SP) algorithm.
      Scheduling all queues with the weighted round robin (WRR) algorithm.
  • Page 526 Figure 5-3 Schematic diagram for WRR queuing Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 5, 3, 1, 1, 5, 3, 1, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
  • Page 527: Congestion Management Configuration Approaches

    Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with FQ, WFQ takes weights into account when determining the queue scheduling order. Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic.
  • Page 528: Configuring Congestion Management

    Task: Configuring WFQ Queuing. Remarks: Optional.
    Task: Configuring SP+WRR Queues. Remarks: Optional.
    Configuring Congestion Management Configuring SP Queuing Configuration procedure Follow these steps to configure SP queuing:
    To do: Enter system view. Command: system-view. Remarks: —
    To do: Enter interface view. Command: interface interface-type... Remarks: Use either command...
  • Page 529: Configuring Wfq Queuing

    To do: Enter interface view. Command: interface interface-type interface-number. Remarks: Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
    To do: Enter port group view. Command: port-group manual...
  • Page 530: Configuring Sp+Wrr Queues

    To do: Enter port group view. Command: port-group manual port-group-name. Remarks: Settings in port group view take effect on all ports in the port group.
    To do: Enable WFQ queuing. Command: qos wfq. Remarks: Required. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight...
  • Page 531: Configuration Example

    To do: Enter interface view. Command: interface interface-type interface-number. Remarks: Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port group.
    To do: Enter port group view. Command: port-group manual port-group-name...
  • Page 532: Displaying And Maintaining Congestion Management

    Displaying and Maintaining Congestion Management
    To do: Display WRR queue configuration information. Command: display qos wrr interface [ interface-type interface-number ]. Remarks: Available in any view.
    To do: Display SP queue configuration information. Command: display qos sp interface [ interface-type interface-number ]. Remarks: Available in any view.
    To do: Display WFQ queue configuration information. Command: display qos wfq interface [ interface-type...
  • Page 533: Traffic Filtering Configuration

    Traffic Filtering Configuration When configuring traffic filtering, go to these sections for information you are interested in: Traffic Filtering Overview Configuring Traffic Filtering Traffic Filtering Configuration Example Traffic Filtering Overview You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
  • Page 534: Traffic Filtering Configuration Example

    To do: Associate the class with the traffic behavior in the QoS policy. Command: classifier tcl-name behavior behavior-name. Remarks: —
    To do: Exit policy view. Command: quit. Remarks: —
    To do: Apply the QoS policy to an interface. Command: refer to Applying the QoS policy to an interface. Remarks: —
    To do: Apply the QoS policy to online users. Command: refer to Applying the QoS policy to online users. Remarks: —...
  • Page 535 # Create a behavior named behavior_1, and configure the traffic filtering action for the behavior to drop packets. [DeviceA] traffic behavior behavior_1 [DeviceA-behavior-behavior_1] filter deny [DeviceA-behavior-behavior_1] quit # Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the policy.
  • Page 536: Priority Marking Configuration

    Priority Marking Configuration When configuring priority marking, go to these sections for information you are interested in: Priority Marking Overview Configuring Priority Marking Priority Marking Configuration Example Priority Marking Overview Priority marking can be used together with priority mapping. For details, refer to Priority Mapping Table and Priority Marking Configuration Example.
  • Page 537: Priority Marking Configuration Example

    To do: Set the IP precedence for packets. Command: remark ip-precedence ip-precedence-value. Remarks: Optional.
    To do: Set the local precedence for packets. Command: remark local-precedence local-precedence. Remarks: Optional.
    To do: Exit behavior view. Command: quit. Remarks: —
    To do: Create a policy and enter policy view. Command: qos policy policy-name. Remarks: —
    To do: Associate the class with... Command: classifier tcl-name behavior...
  • Page 538 Figure 7-1 Network diagram for priority marking configuration (nodes shown: Internet, Host A, Host B, Device with ports GE1/0/1 and GE1/0/2, Data server 192.168.0.1/24, Mail server 192.168.0.2/24, File server 192.168.0.3/24) Configuration procedure # Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
  • Page 539 [Device] traffic behavior behavior_dbserver [Device-behavior-behavior_dbserver] remark local-precedence 4 [Device-behavior-behavior_dbserver] quit # Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior. [Device] traffic behavior behavior_mserver [Device-behavior-behavior_mserver] remark local-precedence 3 [Device-behavior-behavior_mserver] quit # Create a behavior named behavior_fserver, and configure the action of setting the local precedence value to 2 for the behavior.
  • Page 540: Traffic Redirecting Configuration

    Traffic Redirecting Configuration When configuring traffic redirecting, go to these sections for information you are interested in: Traffic Redirecting Overview Configuring Traffic Redirecting Traffic Redirecting Overview Traffic Redirecting Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing.
  • Page 541 Generally, the action of redirecting traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior. You can use the display traffic behavior command to view the traffic redirecting configuration.
  • Page 542: Class-Based Accounting Configuration

    Class-Based Accounting Configuration When configuring class-based accounting, go to these sections for information you are interested in: Class-Based Accounting Overview Configuring Class-Based Accounting Displaying and Maintaining Traffic Accounting Class-Based Accounting Configuration Example Class-Based Accounting Overview Class-based accounting collects statistics on a per-traffic class basis. For example, you can define the action to collect statistics for traffic sourced from a certain IP address.
  • Page 543: Displaying And Maintaining Traffic Accounting

    Displaying and Maintaining Traffic Accounting After completing the configuration above, you can verify the configuration with the display qos policy interface or display qos vlan-policy command, depending on where the QoS policy is applied. Class-Based Accounting Configuration Example Network requirements As shown in...
  • Page 544 # Display traffic statistics to verify the configuration. [DeviceA] display qos policy interface gigabitethernet 1/0/1 Interface: GigabitEthernet1/0/1 Direction: Inbound Policy: policy Classifier: classifier_1 Operator: AND Rule(s) : If-match acl 2000 Behavior: behavior_1 Accounting Enable: 58 (Packets)
  • Page 545: Appendix

    Appendix This chapter covers the following appendixes: Appendix A Acronym Appendix B Default Priority Mapping Tables Appendix C Introduction to Packet Precedences Appendix A Acronym Table 10-1 Appendix A Acronym Acronym Full spelling Assured Forwarding Best Effort Committed Access Rate Committed Burst Size CBWFQ Class Based Weighted Fair Queuing...
  • Page 546: Appendix B Default Priority Mapping Tables

    Acronym Full spelling Provider Edge Per-hop Behavior Peak Information Rate Priority Queuing Quality of Service Random Early Detection RSVP Resource Reservation Protocol Real Time Protocol Service Level Agreement Traffic Engineering Type of Service Traffic Policing Traffic Shaping VoIP Voice over IP Virtual Private Network Weighted Fair Queuing WRED...
  • Page 547: Appendix C Introduction To Packet Precedences

    Input priority value dot1p-lp mapping dot1p-dp mapping Table 10-3 The default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables Input priority value dscp-dp mapping dscp-dot1p mapping DSCP Drop precedence (dp) 802.1p priority (dot1p) 0 to 7 8 to 15 16 to 23 24 to 31 32 to 39 40 to 47...
  • Page 548 Table 10-4 Description on IP precedence IP precedence (decimal) IP precedence (binary) Description Routine priority immediate flash flash-override critical internet network Table 10-5 Description on DSCP values DSCP value (decimal) DSCP value (binary) Description 101110 001010 af11 001100 af12 001110 af13 010010 af21...
  • Page 549: 802.1P Priority

    802.1p Priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2. Figure 10-2 An Ethernet frame with an 802.1Q tag header As shown in Figure 10-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two...
  • Page 550 Table of Contents
    1 User Profile Configuration 1-1
    User Profile Overview 1-1
    User Profile Configuration 1-1
    User Profile Configuration Task List 1-1
    Creating a User Profile 1-2
    Applying a QoS Policy to User Profile 1-2
    Enabling a User Profile 1-3
    Displaying and Maintaining User Profile 1-3...
  • Page 551: User Profile Configuration

    User Profile Configuration When configuring user profile, go to these sections for information you are interested in: User Profile Overview User Profile Configuration Displaying and Maintaining User Profile User Profile Overview User profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.
  • Page 552: Creating A User Profile

    Creating a User Profile Configuration Prerequisites Before creating a user profile, you need to configure authentication parameters. User profile supports 802.1X authentications. You need to perform the related configurations (for example, username, password, authentication scheme, domain and binding between a user profile and user) on the client, the device and authentication server.
  • Page 553: Enabling A User Profile

    When a user profile is active, you cannot configure or remove the QoS policy applied to it. The QoS policies applied in user profile view support only the remark, car, and filter actions. Do not apply an empty QoS policy in user profile view: although the system lets you do so, the user profile cannot be activated.
  • Page 554 Security Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The Security Volume is organized as follows: Features Description Authentication, Authorization and Accounting (AAA) provide a uniform framework used for configuring these three security functions to implement the network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS AAA configuration RADIUS configuration...
  • Page 555 Features: Port Security. Description: Port security is a MAC address-based security mechanism for network access control. It is an extension of the existing 802.1X authentication and MAC authentication. This document describes: Enabling Port Security, Setting the Maximum Number of Secure MAC Addresses, Setting the Port Security Mode, Configuring Port Security Features...
  • Page 556 Table of Contents
    1 AAA Configuration 1-1
    Introduction to AAA 1-1
    Introduction to RADIUS 1-2
    Client/Server Model 1-2
    Security and Authentication Mechanisms 1-3
    Basic Message Exchange Process of RADIUS 1-3
    RADIUS Packet Format 1-4
    Extended RADIUS Attributes 1-7
    Introduction to HWTACACS 1-8
    Differences Between HWTACACS and RADIUS 1-8
    Basic Message Exchange Process of HWTACACS 1-8
    Protocols and Standards 1-10
    AAA Configuration Task List 1-10...
  • Page 557 Specifying the HWTACACS Authentication Servers 1-32
    Specifying the HWTACACS Authorization Servers 1-32
    Specifying the HWTACACS Accounting Servers 1-33
    Setting the Shared Key for HWTACACS Packets 1-34
    Configuring Attributes Related to the Data Sent to HWTACACS Server 1-34
    Setting Timers Regarding HWTACACS Servers 1-35
    Displaying and Maintaining HWTACACS 1-36
    AAA Configuration Examples 1-36
    AAA for Telnet Users by a HWTACACS Server 1-36
    AAA for Telnet Users by Separate Servers 1-38...
  • Page 558: Aaa Configuration

    AAA Configuration The command line accounting method of the HWTACACS function was added in V05.02.00P19 of the 3Com Switch 4500G. For details, refer to Configuring AAA Accounting Methods for an ISP Domain. When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Introduction to HWTACACS...
  • Page 559: Introduction To Radius

    When a user tries to establish a connection to the NAS and to obtain the rights to access other networks or some network resources, the NAS authenticates the user or the corresponding connection. The NAS can transparently pass the user’s AAA information to the server (RADIUS server or HWTACACS server). The RADIUS/HWTACACS protocol defines how a NAS and a server exchange user information between them.
  • Page 560: Security And Authentication Mechanisms

    connection requests, authenticates users, and returns the processing results (for example, rejecting or accepting the user access request) to the clients. In general, the RADIUS server maintains three databases, namely, Users, Clients, and Dictionary, as shown in Figure 1-2: Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses.
  • Page 561: Radius Packet Format

    Figure 1-3 Basic message exchange process of RADIUS (between the host, the RADIUS client, and the RADIUS server): 1) Username and password; 2) Access-Request; 3) Access-Accept/Reject; 4) Accounting-Request (start); 5) Accounting-Response; 6) The host accesses the resources; 7) Accounting-Request (stop); 8) Accounting-Response; 9) Notification of access termination. The following is how RADIUS operates: The host initiates a connection request carrying the username and password to the RADIUS client.
  • Page 562 Figure 1-4 RADIUS packet format Descriptions of the fields are as follows: The Code field (1-byte long) is for indicating the type of the RADIUS packet. Table 1-1 gives the possible values and their meanings. Table 1-1 Main values of the Code field Code Packet type Description...
  • Page 563 The Authenticator field (16-byte long) is used to authenticate replies from the RADIUS server, and is also used in the password hiding algorithm. There are two kinds of authenticators: request authenticator and response authenticator. The Attribute field, with a variable length, carries the specific authentication, authorization, and accounting information for defining configuration details of the request or response.
  • Page 564: Extended Radius Attributes

    Attribute Attribute Idle-Timeout Password-Retry Termination-Action Prompt Called-Station-Id Connect-Info Calling-Station-Id Configuration-Token NAS-Identifier EAP-Message Proxy-State Message-Authenticator Login-LAT-Service Tunnel-Private-Group-id Login-LAT-Node Tunnel-Assignment-id Login-LAT-Group Tunnel-Preference Framed-AppleTalk-Link ARAP-Challenge-Response Framed-AppleTalk-Network Acct-Interim-Interval Framed-AppleTalk-Zone Acct-Tunnel-Packets-Lost Acct-Status-Type NAS-Port-Id Acct-Delay-Time Framed-Pool Acct-Input-Octets (unassigned) Acct-Output-Octets Tunnel-Client-Auth-id Acct-Session-Id Tunnel-Server-Auth-id The attribute types listed in Table 1-2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2568.
  • Page 565: Introduction To Hwtacacs

    Figure 1-5 Segment of a RADIUS packet containing an extended attribute Introduction to HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to RADIUS, it uses a client/server model for information exchange between NAS and HWTACACS server.
  • Page 566 Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (between the host, the HWTACACS client, and the HWTACACS server): 1) The user logs in; 2) Start-authentication packet; 3) Authentication response requesting the username; 4) Request for username; 5) The user inputs the username; 6) Authentication continuance packet with the username; 7) Authentication response requesting the login...
  • Page 567: Protocols And Standards

    11) The HWTACACS server sends back an authentication response indicating that the user has passed authentication. 12) The HWTACACS client sends the user authorization request packet to the HWTACACS server. 13) The HWTACACS server sends back the authorization response, indicating that the user is authorized now.
  • Page 568: Radius Configuration Task List

    For login users, it is necessary to configure the authentication mode for logging into the user interface as scheme. For detailed information, refer to Login Configuration of the System Volume. AAA Configuration Task List Task Remarks Creating an ISP Domain Required Configuring ISP Domain Attributes Optional...
  • Page 569 HWTACACS Configuration Task List Task Remarks Creating a HWTACACS scheme Required Specifying the HWTACACS Authentication Servers Required Specifying the HWTACACS Authorization Servers Optional Specifying the HWTACACS Accounting Servers Optional Setting the Shared Key for HWTACACS Packets Required Configuring Attributes Related to the Data Sent to HWTACACS Server Optional Setting Timers Regarding HWTACACS Servers Optional...
  • Page 570 For the NAS, each user belongs to an ISP domain. A NAS can accommodate up to 16 ISP domains, including the default ISP domain named system. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain. Follow these steps to create an ISP domain: To do…...
  • Page 571 A self-service RADIUS server, for example, iMC, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Configuring AAA Authentication Methods for an ISP Domain In AAA, authentication, authorization, and accounting are separate processes.
  • Page 572 To do: Specify the authentication method for LAN users. Command: authentication lan-access { local | none | radius-scheme radius-scheme-name [ local ] }. Remarks: Optional. The default authentication method is used by default.
    To do: Specify the authentication method... Command: authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | ... Remarks: Optional. The default authentication method...
  • Page 573 of these types is called an EXEC user). The default right for FTP users is to use the root directory of the device. Before configuring authorization methods, complete these three tasks: For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme;...
  • Page 574 The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme.
  • Page 575: Configuring Local User Attributes

    Follow these steps to configure AAA accounting methods for an ISP domain:
    To do: Enter system view. Command: system-view. Remarks: —
    To do: Create an ISP domain and enter ISP domain view. Command: domain isp-name. Remarks: Required.
    To do: Enable the accounting optional feature. Command: accounting optional. Remarks: Optional. Disabled by default...
  • Page 576: Configuring User Group Attributes

    A local user represents a set of user attributes configured on a device and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry for it in the local user database of the device as follows: create a local user and configure attributes in local user view.
  • Page 577 To do: Place the local user in the state of active or blocked. Command: state { active | block }. Remarks: Optional. When created, a local user is in the state of active by default, and the user can request network services.
  • Page 578: Tearing Down User Connections Forcibly

    user interface. For details regarding authentication method and commands accessible to user interface, refer to Login Configuration in the System Volume. Binding attributes are checked upon authentication of a local user. If the checking fails, the user fails the authentication. Therefore, be cautious when deciding which binding attributes should be configured for a local user.
  • Page 579: Configuring Radius

    To do: Display information about specified or all user connections. Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name user-name | vlan vlan-id ]. Remarks: Available in any view...
  • Page 580: Specifying The Radius Authentication/Authorization Servers

    A RADIUS scheme can be referenced by more than one ISP domain at the same time. Specifying the RADIUS Authentication/Authorization Servers Follow these steps to specify the RADIUS authentication/authorization servers: To do… Use the command… Remarks Enter system view system-view —...
  • Page 581: Setting The Shared Key For Radius Packets

    To do: Enable the device to buffer stop-accounting requests getting no responses. Command: stop-accounting-buffer enable. Remarks: Optional. Enabled by default.
    To do: Set the maximum number of stop-accounting request transmission attempts. Command: retry stop-accounting retry-times. Remarks: Optional. 500 by default.
    To do: Set the maximum number of... accounting request... Command: retry realtime-accounting... Remarks: Optional...
  • Page 582: Setting The Upper Limit Of Radius Request Retransmission Attempts

    The shared key configured on the device must be the same as that configured on the RADIUS server. Setting the Upper Limit of RADIUS Request Retransmission Attempts Because RADIUS uses UDP packets to carry data, the communication process is not reliable. If a NAS receives no response from the RADIUS server before the response timeout timer expires, it is required to retransmit the RADIUS request.
  • Page 583: Setting The Status Of Radius Servers

    If you change the type of RADIUS server, the data stream destined to the original RADIUS server will be restored to the default unit. When a third-party RADIUS server is used, you can configure the RADIUS server type as standard or extended. When an iMC server is used, you must configure the RADIUS server type as extended. Setting the Status of RADIUS Servers By setting the status of RADIUS servers to block or active, you can control which servers the device will communicate with for authentication, authorization, and accounting or turn to when the current...
  • Page 584: Configuring Attributes Related To Data To Be Sent To The Radius Server

    To do: Set the status of the secondary RADIUS accounting server. Command: state secondary accounting { active | block }.
    The server status set by the state command cannot be saved in the configuration file and will be restored to active every time the server restarts.
  • Page 585: Setting Timers Regarding Radius Servers

    Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the device must remove the domain name before sending a username including a domain name. You can configure the user-name-format without-domain command on the device for this purpose.
  • Page 586: Configuring Radius Accounting-On

    To do: Set the real-time accounting timer. Command: timer realtime-accounting minutes. Remarks: Optional. 12 minutes by default.
    The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75, and the upper limit of this product is determined by the upper limit of the timeout time of different access modules.
  • Page 587: Specifying A Security Policy Server

    The accounting-on feature needs to cooperate with the iMC network management system. Specifying a Security Policy Server The core of the EAD solution is integration and cooperation, and the security policy server system is the management and control center. As a collection of software, the security policy server system provides functions such as user management, security policy management, security status assessment, security cooperation control, and security event audit.
  • Page 588: Configuring Hwtacacs

    Displaying and Maintaining RADIUS
    To do: Display the configuration information of a specified RADIUS scheme or all RADIUS schemes. Command: display radius scheme [ radius-scheme-name ]. Remarks: Available in any view.
    To do: Display statistics about RADIUS packets. Command: display radius statistics. Remarks: Available in any view.
    Command: display stop-accounting-buffer...
  • Page 589: Specifying The Hwtacacs Authentication Servers

    Up to 16 HWTACACS schemes can be configured. A scheme can be deleted only when it is not referenced. Specifying the HWTACACS Authentication Servers Follow these steps to specify the HWTACACS authentication servers: To do… Use the command… Remarks Enter system view system-view —...
  • Page 590: Specifying The Hwtacacs Accounting Servers

    To do: Specify the secondary HWTACACS authorization server. Command: secondary authorization ip-address [ port-number ]. Remarks: No authorization server by default.
    It is recommended to specify only the primary HWTACACS authorization server if backup is not required. If both the primary and secondary authorization servers are specified, the secondary one is used when the primary one is not reachable.
  • Page 591: Setting The Shared Key For Hwtacacs Packets

    It is recommended to specify only the primary HWTACACS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
  • Page 592: Setting Timers Regarding Hwtacacs Servers

    To do: Specify the unit for data flows or packets to be sent to a HWTACACS server. Command: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | ... Remarks: Optional. The defaults are as follows: byte for data flows, and...
  • Page 593: Aaa Configuration Examples

    For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. Note that if the device does not receive any response to the information, it does not disconnect the online users forcibly. The real-time accounting interval must be a multiple of 3.
  • Page 594 Figure 1-7 Configure AAA for Telnet users by a HWTACACS server (nodes shown: Telnet user, Internet, Switch, Authentication/Accounting server 10.1.1.1/24) Configuration procedure # Configure the IP addresses of the interfaces (omitted). # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 595: Aaa For Telnet Users By Separate Servers

    AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1-8, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services to Telnet users. The user name and the password for Telnet users are both hello.
  • Page 596: Aaa For Ssh Users By A Radius Server

    [Switch-radius-rd] primary accounting 10.1.1.1 1813 [Switch-radius-rd] key accounting expert [Switch-radius-rd] server-type extended [Switch-radius-rd] user-name-format without-domain [Switch-radius-rd] quit # Create a local user named hello. [Switch] local-user hello [Switch-luser-hello] service-type telnet [Switch-luser-hello] password simple hello [Switch-luser-hello] quit # Configure the AAA methods for the ISP domain. [Switch] domain bbb [Switch-isp-bbb] authentication login local [Switch-isp-bbb] authorization login hwtacacs-scheme hwtac...
  • Page 597 This example assumes that the RADIUS server runs iMC PLAT 3.20-R2602 or iMC UAM 3.60-E6102. # Add an access device. Log into the iMC management platform, select the Service tab, and select Access Service > Access Device from the navigation tree to enter the Access Device page. Then, click Add to enter the Add Access Device window and perform the following configurations: Set both the shared keys for authentication and accounting packets to expert Specify the ports for authentication and accounting as 1812 and 1813 respectively...
  • Page 598 Figure 1-11 Add an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 599: Troubleshooting Aaa

    [Switch-radius-rad] user-name-format with-domain [Switch-radius-rad] quit # Configure the AAA methods for the domain. [Switch] domain bbb [Switch-isp-bbb] authentication login radius-scheme rad [Switch-isp-bbb] authorization login radius-scheme rad [Switch-isp-bbb] accounting login radius-scheme rad [Switch-isp-bbb] quit When using SSH to log in, a user enters a username in the form userid@bbb for authentication using domain bbb.
  • Page 600: Troubleshooting Hwtacacs

    The communication links between the NAS and the RADIUS server work well at both physical and link layers. The IP address of the RADIUS server is correctly configured on the NAS. UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured on the RADIUS server.
  • Page 601 Table of Contents: 1 802.1X Configuration (1-1); 802.1X Overview (1-1); Architecture of 802.1X (1-2); Authentication Modes of 802.1X (1-2); Basic Concepts of 802.1X (1-2); EAP over LANs (1-3); EAP over RADIUS (1-5); 802.1X Authentication Triggering (1-5); Authentication Process of 802.1X (1-6); 802.1X Timers (1-8); Extensions to 802.1X (1-9); Features Working Together with 802.1X (1-9); Configuring 802.1X (1-11)...
  • Page 602: 802.1X Configuration

    802.1X Configuration Online user handshake security function and 802.1X re-authentication function are added in V05.02.00P19 of 3Com Switch 4500G. For details, refer to Online User Handshake Function and Configuring 802.1X parameters for a port. When configuring 802.1X, go to these sections for information you are interested in: 802.1X Overview Configuring 802.1X Configuring an 802.1X Guest VLAN...
  • Page 603: Architecture Of 802.1X

    802.1X Authentication Triggering Authentication Process of 802.1X 802.1X Timers Features Working Together with 802.1X Architecture of 802.1X 802.1X operates in the typical client/server model and defines three entities: client, device, and server, as shown in Figure 1-1. Figure 1-1 Architecture of 802.1X Client: An entity to be authenticated by the device residing on the same LAN.
  • Page 604: Eap Over Lans

    The controlled port is open to allow data traffic to pass only when it is in the authorized state. The controlled port and uncontrolled port are two parts of the same port. Any frames arriving at the port are visible to both of them. Authorized state and unauthorized state The device uses the authentication server to authenticate a client trying to access the LAN and controls the status of the controlled port depending on the authentication result, putting the controlled port in the...
  • Page 605 Figure 1-3 EAPOL frame format PAE Ethernet type: Protocol type. It takes the value 0x888E. Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender. Type: Type of the EAPOL frame. Table 1-1 lists the types that the device currently supports. Table 1-1 Types of EAPOL frames Type Description...
  • Page 606: Eap Over Radius

    EAP over RADIUS Two attributes of RADIUS are intended for supporting EAP authentication: EAP-Message and Message-Authenticator. For information about RADIUS packet format, refer to AAA Configuration in the Security Volume. EAP-Message The EAP-Message attribute is used to encapsulate EAP packets. Figure 1-5 shows its encapsulation format.
  • Page 607: Authentication Process

    Authentication Process of 802.1X An 802.1X device communicates with a remotely located RADIUS server in two modes: EAP relay and EAP termination. The following description takes the EAP relay as an example to show the 802.1X authentication process. EAP relay EAP relay is an IEEE 802.1X standard mode.
  • Page 608 Upon receiving the EAP-Response/Identity packet, the device relays the packet in a RADIUS Access-Request packet to the authentication server. When receiving the RADIUS Access-Request packet, the RADIUS server compares the identity information against its user information table to obtain the corresponding password information. Then, it encrypts the password information using a randomly generated challenge, and sends the challenge information through a RADIUS Access-Challenge packet to the device.
  • Page 609: 802.1X Timers

    Figure 1-8 Message exchange in EAP termination mode (Client, Device, Server; EAPOL between client and device, EAPOR between device and server): EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 challenge; EAP-Response/MD5 challenge; RADIUS Access-Request (CHAP-Response/MD5 challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port authorized; Handshake timer; Handshake request [ EAP-Request/Identity ]...
  • Page 610: Extensions To 802.1X

    Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.
  • Page 611 The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
  • Page 612: Configuring 802.1X

    The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device. Using illegal client software for handshake message exchange may result in escape from some security inspection functions, such as proxy detection and dual network interface card (NIC) detection.
  • Page 613: Configuring 802.1X For A Port

    To do… Use the command… Remarks: Set the port access control method for specified or all ports: dot1x port-method { macbased | portbased } [ interface interface-list ]. Optional; macbased by default. Set the maximum number of users: dot1x max-user user-number [ interface interface-list ]. Optional; 256 by default for specified or...
  • Page 614 To do… Use the command… Remarks: Enter system view: system-view. — Enable 802.1X for one or more ports: in system view, dot1x interface interface-list; in Ethernet interface view, interface interface-type interface-number, then dot1x. Required; use either approach; disabled by default. Configuring 802.1X parameters for a port: Follow these steps to configure 802.1X parameters for a port: To do…...
  • Page 615: Configuring An 802.1X Guest Vlan

    The iNode client software and iMC server are recommended to ensure the normal operation of the online user handshake security function. Once enabled with the 802.1X multicast trigger function, a port sends multicast trigger messages to the client periodically to initiate authentication. For a user-side device sending untagged traffic, the voice VLAN function and 802.1X are mutually exclusive and cannot be configured together on the same port.
  • Page 616: Displaying And Maintaining 802.1X

    Displaying and Maintaining 802.1X To do… Use the command… Remarks: Display 802.1X session information, statistics, or configuration information of specified or all ports: display dot1x [ sessions | statistics ] [ interface interface-list ]. Available in any view. Clear 802.1X statistics: reset dot1x statistics [ interface interface-list ]. Available in user view...
  • Page 617 The following configuration procedure covers most AAA/RADIUS configuration commands for the device, while configuration on the 802.1X client and RADIUS server are omitted. For information about AAA/RADIUS configuration commands, refer to AAA Configuration in the Security Volume. # Configure the IP addresses for each interface. (Omitted) # Add local access user localuser, enable the idle cut function, and set the idle cut interval.
  • Page 618: Guest Vlan And Vlan Assignment Configuration Example

    [Device-isp-aabbcc.net] quit # Configure aabbcc.net as the default domain. [Device] domain default enable aabbcc.net # Enable 802.1X globally. [Device] dot1x # Enable 802.1X for port GigabitEthernet 1/0/1. [Device] interface GigabitEthernet 1/0/1 [Device-GigabitEthernet1/0/1] dot1x [Device-GigabitEthernet1/0/1] quit # Set the port access control method. (Optional. The default settings meet the requirement.) [Device] dot1x port-method macbased interface GigabitEthernet 1/0/1 Guest VLAN and VLAN Assignment Configuration Example Network requirements...
  • Page 619 Figure 1-11 Network diagram with the port in the guest VLAN Figure 1-12 Network diagram when the client passes authentication Configuration procedure The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration in the Security Volume. Configurations on the 802.1X client and RADIUS server are omitted.
  • Page 620: Acl Assignment Configuration Example

    [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit # Configure authentication domain system and specify to use RADIUS scheme 2000 for users of the domain. [Device] domain system [Device-isp-system] authentication default radius-scheme 2000 [Device-isp-system] authorization default radius-scheme 2000 [Device-isp-system] accounting default radius-scheme 2000 [Device-isp-system] quit # Enable 802.1X globally.
  • Page 621 Figure 1-13 Network diagram for ACL assignment Configuration procedure # Configure the IP addresses of the interfaces. (Omitted) # Configure the RADIUS scheme. <Device> system-view [Device] radius scheme 2000 [Device-radius-2000] primary authentication 10.1.1.1 1812 [Device-radius-2000] primary accounting 10.1.1.2 1813 [Device-radius-2000] key authentication abc [Device-radius-2000] key accounting abc [Device-radius-2000] user-name-format without-domain [Device-radius-2000] quit...
  • Page 622 C:\> 1-21...
  • Page 623: 802.1X-Based Ead Fast Deployment Configuration

    802.1X-based EAD Fast Deployment Configuration When configuring EAD fast deployment, go to these sections for information you are interested in: EAD Fast Deployment Overview Configuring EAD Fast Deployment Displaying and Maintaining EAD Fast Deployment EAD Fast Deployment Configuration Example Troubleshooting EAD Fast Deployment EAD Fast Deployment Overview Overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution.
  • Page 624: Configuring Ead Fast Deployment

    Configuring EAD Fast Deployment Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, the EAD fast deployment is disabled automatically. Configuration Prerequisites Enable 802.1X globally. Enable 802.1X on the specified port, and set the access control mode to auto. Configuration Procedure Configuring a freely accessible network segment A freely accessible network segment, also called a free IP, is a network segment that users can access...
  • Page 625: Displaying And Maintaining Ead Fast Deployment

    Configuring the IE redirect URL Follow these steps to configure the IE redirect URL: To do… Use the command… Remarks: Enter system view: system-view. — Configure the IE redirect URL: dot1x url url-string. Required; no redirect URL is configured by default. The redirect URL and the freely accessible network segment must belong to the same network segment.
  • Page 626 After successful 802.1X authentication, the host can access the outside network. Figure 2-1 Network diagram for EAD fast deployment (Host 192.168.1.10/24; Device, GE1/0/1 192.168.1.1/24; free IP segment 192.168.2.0/24 with WEB server 192.168.2.3/24; Internet). Configuration procedure: Configure the WEB server. Before using the EAD fast deployment function, you need to configure the WEB server to provide the download service of 802.1X client software.
  • Page 627: Troubleshooting Ead Fast Deployment

    Troubleshooting EAD Fast Deployment Users Cannot be Redirected Correctly Symptom When a user enters an external website address in the IE browser, the user is not redirected to the specified URL. Analysis The address is in the string format. In this case, the operating system of the host regards the string as a website name and tries to have it resolved.
  • Page 628 Table of Contents: 1 HABP Configuration (1-1); Introduction to HABP (1-1); Configuring HABP (1-2); Configuring the HABP Server (1-2); Configuring an HABP Client (1-2); Displaying and Maintaining HABP (1-3); HABP Configuration Example (1-3)...
  • Page 629: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP Configuring HABP Displaying and Maintaining HABP HABP Configuration Example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X or MAC authentication enabled access device to bypass 802.1X authentication and MAC authentication.
  • Page 630: Configuring Habp

    server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged between the clients can bypass the 802.1X authentication on ports of the server without affecting the normal operation of the whole network. All HABP packets must travel in a specified VLAN.
  • Page 631: Displaying And Maintaining Habp

    Follow these steps to configure an HABP client: To do… Use the command… Remarks: Enter system view: system-view. — Enable HABP: habp enable. Optional; enabled by default. Configure HABP to work in client mode: undo habp server. Optional; HABP works in client mode by default. Displaying and Maintaining HABP To do…...
  • Page 632 Figure 1-2 Network diagram for HABP configuration Configuration procedure Configure Switch A # Perform 802.1X related configurations on Switch A. For detailed configurations, refer to 802.1X Configuration in the Security Volume. # Enable HABP. <SwitchA> system-view [SwitchA] habp enable # Configure HABP to work in server mode, allowing HABP packets to be transmitted in the management VLAN.
  • Page 633 Table of Contents: 1 MAC Authentication Configuration (1-1); MAC Authentication Overview (1-1); RADIUS-Based MAC Authentication (1-1); Local MAC Authentication (1-2); Related Concepts (1-2); MAC Authentication Timers (1-2); Quiet MAC Address (1-2); VLAN Assigning (1-2); Guest VLAN of MAC Authentication (1-2); ACL Assigning (1-3); Configuring MAC Authentication (1-3); Configuration Prerequisites (1-3); Configuration Procedure (1-3); Configuring a Guest VLAN (1-4); Configuration Prerequisites (1-4)...
  • Page 634: Mac Authentication Configuration

    MAC Authentication Configuration Support for guest VLAN of MAC authentication is added in V05.02.00P19 of 3Com Switch 4500G. For details, refer to Guest VLAN of MAC Authentication and Configuring a Guest VLAN. When configuring MAC authentication, go to these sections for information you are interested in: MAC Authentication Overview Related Concepts Configuring MAC Authentication...
  • Page 635: Local Mac Authentication

    Local MAC Authentication In local MAC authentication, the device performs authentication of users locally and different items need to be manually configured for users on the device according to the specified type of username: If the type of username is MAC address, a local user must be configured for each user on the device, using the MAC address of the accessing user as both the username and password.
  • Page 636: Acl Assigning

    MAC authentication supports MAC-based guest VLAN (MGV). With MGV configured on a port, users failing the authentication on the port are authorized to access the resources in the guest VLAN. If a user in the guest VLAN initiates another authentication process but fails the authentication, the device will keep the user in the guest VLAN.
  • Page 637: Configuring A Guest Vlan

    To do… Use the command… Remarks: …MAC authentication: Optional; the default ISP domain is used by default. Set the offline detect timer: mac-authentication timer offline-detect offline-detect-value. Optional; 300 seconds by default. Set the quiet timer: mac-authentication timer quiet quiet-value. Optional; 60 seconds by default. Set the server timeout timer: mac-authentication timer...
  • Page 638: Displaying And Maintaining Mac Authentication

    Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both the 802.1X authentication MGV and the MAC authentication MGV on a port, only the 802.1X authentication MGV will take effect. For description on 802.1X authentication MGV, refer to 802.1X Configuration in the Security Volume.
  • Page 639 Configuration procedure Configure MAC authentication on the device # Add a local user, setting the username and password as 00-e0-fc-12-34-56, the MAC address of the user. <Device> system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] service-type lan-access [Device-luser-00-e0-fc-12-34-56] quit # Configure ISP domain aabbcc.net, and specify that the users in the domain use local authentication.
  • Page 640: Radius-Based Mac Authentication Configuration Example

    RADIUS-Based MAC Authentication Configuration Example Network requirements As illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the RADIUS server. MAC authentication is required on every port to control user access to the Internet. Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
  • Page 641: Acl Assignment Configuration Example

    # Enable MAC authentication for port GigabitEthernet 1/0/1. [Device] mac-authentication interface GigabitEthernet 1/0/1 # Specify the ISP domain for MAC authentication. [Device] mac-authentication domain 2000 # Set the MAC authentication timers. [Device] mac-authentication timer offline-detect 180 [Device] mac-authentication timer quiet 180 # Specify to use the username aaa and password 123456 for MAC authentication of all users.
  • Page 642 Figure 1-3 Network diagram for ACL assignment Configuration procedure Make sure that there is a route available between the RADIUS server and the switch. In this example, the switch uses the default username type (user MAC address) for MAC authentication. Therefore, you need to add the username and password of each user on the RADIUS server correctly.
  • Page 643 [Sysname] mac-authentication user-name-format mac-address # Enable MAC authentication for port GigabitEthernet 1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] mac-authentication After completing the above configurations, you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions. C:\>ping 10.0.0.1 Pinging 10.0.0.1 with 32 bytes of data: Request timed out.
  • Page 644 Table of Contents: 1 Port Security Configuration (1-1); Introduction to Port Security (1-1); Port Security Overview (1-1); Port Security Features (1-1); Port Security Modes (1-2); Support for Guest VLAN (1-5); Port Security Configuration Task List (1-5); Enabling Port Security (1-5); Configuration Prerequisites (1-5); Configuration Procedure (1-5); Setting the Maximum Number of Secure MAC Addresses (1-6); Setting the Port Security Mode (1-7); Configuration Prerequisites (1-7); Configuration Procedure (1-7)...
  • Page 645: Port Security Configuration

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Introduction to Port Security Port Security Configuration Task List Displaying and Maintaining Port Security Port Security Configuration Examples Troubleshooting Port Security Introduction to Port Security Port Security Overview Port security is a MAC address-based security mechanism for network access control.
  • Page 646: Port Security Modes

    Intrusion protection The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the MAC address for three minutes (unmodifiable).
  • Page 647 On the port, if you want to… Use the security mode… Feature that can be triggered. These security mode naming rules may help you remember the modes: userLogin specifies 802.1X authentication and port-based access control. macAddress specifies MAC address authentication. Else specifies that the authentication method before Else is applied first.
  • Page 648 wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication. Perform MAC authentication macAddressWithRadius: A port in this mode performs MAC authentication for users and services multiple users. Perform a combination of MAC authentication and 802.1X authentication macAddressOrUserLoginSecure This mode is the combination of macAddressWithRadius and userLoginSecure modes.
  • Page 649: Support For Guest Vlan

    userLogin specifies port-based 802.1X authentication. macAddress specifies MAC address authentication. Else specifies that the authentication method before Else is applied first. If the authentication fails, the protocol type of the authentication request determines whether to turn to the authentication method following the Else. In a security mode with Or, the protocol type of the authentication request determines which authentication method is to be used.
  • Page 650: Setting The Maximum Number Of Secure Mac Addresses

    To do… Use the command… Remarks: Enable port security: port-security enable. Required; disabled by default. Note that: Enabling port security resets the following configurations on a port to the bracketed defaults. Then, values of these configurations cannot be changed manually; the system will adjust them based on the port security mode automatically: 802.1X (disabled), port access control method (macbased), and port access control mode (auto); MAC authentication (disabled)
  • Page 651: Setting The Port Security Mode

    Setting the Port Security Mode Configuration Prerequisites Before setting the port security mode, ensure that: 802.1X is disabled, the port access control method is macbased, and the port access control mode is auto. MAC authentication is disabled. The port does not belong to any aggregation group. The above requirements must be all met.
  • Page 652: Configuring Port Security Features

    You cannot change the maximum number of secure MAC addresses allowed on a port that operates in autoLearn mode. OUI, defined by IEEE, is the first 24 bits of the MAC address and uniquely identifies a device vendor. You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI.
  • Page 653: Configuring Intrusion Protection

    Configuring Intrusion Protection The intrusion protection enables a device to perform either of the following security policies when it detects illegal frames: blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC addresses. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
  • Page 654: Configuring Secure Mac Addresses

    Configuring Secure MAC Addresses Secure MAC addresses are special MAC addresses. They never age out or get lost if saved before the device restarts. One secure MAC address can be added to only one port in the same VLAN. Thus, you can bind a MAC address to one port in the same VLAN.
  • Page 655: Displaying And Maintaining Port Security

    To do… Use the command… Remarks: …interface-number. Required. Ignore the authorization information from the RADIUS server: port-security authorization ignore. By default, a port uses the authorization information from the RADIUS server. Displaying and Maintaining Port Security To do… Use the command… Remarks: Display port security configuration information, operation information,...
  • Page 656 [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64 # Set the port security mode to autoLearn. [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-GigabitEthernet1/0/1] quit [Switch] port-security timer disableport 30 Verify the configuration After completing the above configurations, you can use the following command to view the port security configuration information:...
  • Page 657: Configuring The Userloginwithoui Mode

    MAC Addr: 0.2.0.0.0.21 VLAN ID: 1 IfAdminStatus: 1 In addition, you will see that the port security feature has disabled the port if you issue the following command: [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current state: Port Security Disabled IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558 Description: GigabitEthernet1/0/1 Interface ..
  • Page 658 Figure 1-2 Network diagram for configuring the userLoginWithOUI mode Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. Configurations on the host and RADIUS servers are omitted. Configure the RADIUS protocol # Configure a RADIUS scheme named radsun.
  • Page 659
    # Add five OUI values.
    [Switch] port-security oui 1234-0100-1111 index 1
    [Switch] port-security oui 1234-0200-1111 index 2
    [Switch] port-security oui 1234-0300-1111 index 3
    [Switch] port-security oui 1234-0400-1111 index 4
    [Switch] port-security oui 1234-0500-1111 index 5
    [Switch] interface gigabitethernet 1/0/1
    # Set the port security mode to userLoginWithOUI.
    [Switch-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
    Verify the configuration
    After completing the above configurations, you can use the following command to view the ...
  • Page 660
    Index is 5, OUI value is 123405
    GigabitEthernet1/0/1 is link-up
    Port mode is userLoginWithOUI
    NeedToKnow mode is disabled
    Intrusion Protection mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
    After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X users:
    <Switch> ...
  • Page 661: Configuring The Macaddresselseuserloginsecure Mode

    MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
    1234-0300-0011           Learned  GigabitEthernet1/0/1  AGING
    1 mac address(es) found
    Configuring the macAddressElseUserLoginSecure Mode
    Network requirements
    The client is connected to the switch through GigabitEthernet 1/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet. Restrict port GigabitEthernet 1/0/1 of the switch as follows:
    Allow more than one MAC authenticated user to log on.
  • Page 662: Configuration Information

    Verify the configuration
    After completing the above configurations, you can use the following command to view the port security configuration information:
    <Switch> display port-security interface gigabitethernet 1/0/1
    Equipment port-security is enabled
    Trap is disabled
    Disableport Timeout: 20s
    OUI value:
    GigabitEthernet1/0/1 is link-up
    Port mode is macAddressElseUserLoginSecure
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Protection mode is NoAction
    ...
  • Page 663: Troubleshooting Port Security

    The maximal retransmitting times ...
    EAD quick deploy configuration:
    EAD timeout:
    Total maximum 802.1X user resource number is 1024 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
    802.1X protocol is enabled
    Handshake is enabled
    Handshake secure is disabled
    Periodic reauthentication is disabled
    The port is an authenticator
    Authentication Mode is Auto
    ...
  • Page 664: Cannot Configure Secure Mac Addresses

    Cannot Configure Secure MAC Addresses
    Symptom
    Cannot configure secure MAC addresses:
    [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
    Error: Security MAC address configuration failed.
    Analysis
    No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
  • Page 665 Table of Contents
    1 IP Source Guard Configuration 1-1
      IP Source Guard Overview 1-1
      Configuring a Static Binding Entry 1-2
      Configuring Dynamic Binding Function 1-2
      Displaying and Maintaining IP Source Guard 1-3
      IP Source Guard Configuration Examples 1-3
        Static Binding Entry Configuration Example 1-3
        Dynamic Binding Function Configuration Example 1-4
      Troubleshooting IP Source Guard 1-6
        Failed to Configure Static Binding Entries and Dynamic Binding Function 1-6
    ...
  • Page 666: Ip Source Guard Configuration

    IP Source Guard Configuration When configuring IP Source Guard, go to these sections for information you are interested in: IP Source Guard Overview Configuring a Static Binding Entry Configuring Dynamic Binding Function Displaying and Maintaining IP Source Guard IP Source Guard Configuration Examples Troubleshooting IP Source Guard IP Source Guard Overview By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through...
  • Page 667: Configuring A Static Binding Entry

    Configuring a Static Binding Entry
    Follow these steps to configure a static binding entry:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter Ethernet port view. Use the command: interface interface-type interface-number. Remarks: —
    To do: Configure a static binding entry. Use the command: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address }. Remarks: Required. No static binding entry ...
  • Page 668: Displaying And Maintaining Ip Source Guard

    To implement dynamic binding in IP source guard, make sure that DHCP snooping or DHCP Relay is configured and works normally. For DHCP configuration information, refer to DHCP Configuration in the System Volume. The dynamic binding function can be configured on Ethernet ports and VLAN interfaces. A port takes only the latest dynamic binding entries configured on it.
  • Page 669: Dynamic Binding Function Configuration Example

    Configuration procedure Configure Switch A # Configure the IP addresses of various interfaces (omitted). # Configure port GigabitEthernet 1/0/2 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-05 and the source IP address of 192.168.0.3 to pass. <SwitchA>...
  • Page 670 On port GigabitEthernet 1/0/1 of Switch A, enable dynamic binding function to prevent attackers from using forged IP addresses to attack the server. For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume. Network diagram Figure 1-2 Network diagram for configuring dynamic binding function Configuration procedure Configure Switch A...
  • Page 671: Troubleshooting Ip Source Guard

    The client binding table for all untrusted ports.
    Type : D--Dynamic , S--Static
    Type IP Address      MAC Address    Lease        VLAN Interface
    ==== =============== ============== ============ ==== =================
         192.168.0.1     0001-0203-0406 86335             GigabitEthernet1/0/1
    As you can see, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with the dynamic binding function.
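    The following is an added model of the filtering this chapter describes, serving both the static binding example (page 669) and the dynamic binding example above; it is not code from the 3Com manual. It accepts the three forms of the user-bind command as static entries, parses dynamic entries from text in the layout of the binding table shown above, and decides per port whether a packet's source passes. The table rows, class names and test packets are constructed for illustration.

```python
"""IP source guard: binding table and per-port source filter.

Added example, not code from the 3Com manual. It models what this chapter
describes: a port with IP source guard forwards only packets whose source IP
and/or MAC match a binding on that port, where bindings are either static
(the three forms of user-bind: IP only, IP plus MAC, MAC only) or dynamic
(taken from DHCP snooping). The dynamic entries are parsed from text in the
layout of the binding table shown on this page; the rows, class names and
packets below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the switch's binding-table display.
BINDING_TABLE_SAMPLE = """\
Type IP Address      MAC Address    Lease        VLAN Interface
==== =============== ============== ============ ==== =================
D    192.168.0.1     0001-0203-0406 86335        1    GigabitEthernet1/0/1
D    192.168.0.5     0001-0203-0407 85000        1    GigabitEthernet1/0/1
"""

ROW_RE = re.compile(r"^(?P<type>[DS])\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-fA-F-]+)"
                    r"\s+(?P<lease>\d+)\s+(?P<vlan>\d+)\s+(?P<port>\S+)\s*$")


def norm_mac(mac: str) -> str:
    """Accept 00-01-02-03-04-05 or 0001-0203-0405 and return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str]       # None means any source IP
    mac: Optional[str]      # None means any source MAC
    dynamic: bool


class IpSourceGuard:
    def __init__(self):
        self.bindings = []      # all static and dynamic entries
        self.guarded = set()    # ports on which the filter is active

    def add_static(self, port, ip=None, mac=None):
        """user-bind { ip-address ip | ip-address ip mac-address mac | mac-address mac }"""
        if ip is None and mac is None:
            raise ValueError("a static binding needs an IP address, a MAC address, or both")
        self.bindings.append(Binding(port, ip, norm_mac(mac) if mac else None, False))
        self.guarded.add(port)

    def enable_dynamic(self, port):
        """Equivalent of turning on the dynamic binding function on a port."""
        self.guarded.add(port)

    def load_dynamic(self, table_text):
        """Replace dynamic entries with those parsed from a binding-table display."""
        self.bindings = [b for b in self.bindings if not b.dynamic]
        count = 0
        for line in table_text.splitlines():
            m = ROW_RE.match(line)
            if m and m.group("type") == "D":
                self.bindings.append(Binding(m.group("port"), m.group("ip"),
                                             norm_mac(m.group("mac")), True))
                count += 1
        return count

    def permits(self, port, src_ip, src_mac):
        """True if a packet from (src_ip, src_mac) may enter through port."""
        if port not in self.guarded:
            return True                     # no source guard on this port
        mac = norm_mac(src_mac)
        return any(b.port == port
                   and (b.ip is None or b.ip == src_ip)
                   and (b.mac is None or b.mac == mac)
                   for b in self.bindings)


def run_demo():
    g = IpSourceGuard()
    # Static binding from the page's example: only this IP/MAC pair may enter G1/0/2.
    g.add_static("GigabitEthernet1/0/2", ip="192.168.0.3", mac="00-01-02-03-04-05")
    # Dynamic binding on G1/0/1, fed by the DHCP snooping table.
    g.enable_dynamic("GigabitEthernet1/0/1")
    parsed = g.load_dynamic(BINDING_TABLE_SAMPLE)
    return {
        "parsed": parsed,
        "static_ok": g.permits("GigabitEthernet1/0/2", "192.168.0.3", "0001-0203-0405"),
        "static_wrong_ip": g.permits("GigabitEthernet1/0/2", "192.168.0.9", "0001-0203-0405"),
        "dynamic_ok": g.permits("GigabitEthernet1/0/1", "192.168.0.1", "0001-0203-0406"),
        "dynamic_forged_ip": g.permits("GigabitEthernet1/0/1", "192.168.0.5", "0001-0203-0406"),
        "no_lease": g.permits("GigabitEthernet1/0/1", "192.168.0.200", "0001-0203-0499"),
        "unguarded_port": g.permits("GigabitEthernet1/0/3", "192.168.0.200", "0001-0203-0499"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

    The "unguarded_port" case is the one to remember when auditing: a port with neither a static binding nor the dynamic binding function enabled filters nothing, whatever the DHCP snooping table says.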
  • Page 672 Table of Contents
    1 SSH2.0 Configuration 1-1
      SSH2.0 Overview 1-1
        Introduction to SSH2.0 1-1
        Operation of SSH 1-1
      Configuring the Device as an SSH Server 1-4
        SSH Server Configuration Task List 1-4
        Generating a DSA or RSA Key Pair 1-4
        Enabling SSH Server 1-5
        Configuring the User Interfaces for SSH Clients 1-5
        Configuring a Client Public Key 1-6
        Configuring an SSH User 1-7
        Setting the SSH Management Parameters 1-8
    ...
  • Page 673: Ssh2.0 Configuration

    SSH2.0 Configuration When configuring SSH2.0, go to these sections for information you are interested in: SSH2.0 Overview Configuring the Device as an SSH Server Configuring the Device as an SSH Client Displaying and Maintaining SSH SSH Server Configuration Examples SSH Client Configuration Examples SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to securely logging into a remote device.
  • Page 674 Stages Description After the server grants the request, the client and server start to Interaction communicate with each other. Version negotiation The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary...
  • Page 675 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
  • Page 676: Configuring The Device As An Ssh Server

    back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing failed or that it could not resolve the request.
    Interaction
    In this stage, the server and the client exchange data in the following way: the client encrypts and sends the command to be executed to the server.
  • Page 677: Enabling Ssh Server

    For details about the public-key local create command, refer to Public Key Commands in the Security Volume. To ensure that all SSH clients can log into the SSH server successfully, it is recommended that you generate both DSA and RSA key pairs on the SSH server: different SSH clients may use different public-key algorithms, though a single client usually uses only one.
  • Page 678: Configuring A Client Public Key

    To do: Set the login authentication mode to scheme. Use the command: authentication-mode scheme [ command-authorization ]. Remarks: Required. By default, the authentication mode is password.
    To do: Configure the user interface(s) to support SSH login. Use the command: protocol inbound { all | ssh }. Remarks: Optional. All protocols are supported by default.
    With the default of all, the same VTY user interfaces also accept Telnet, which carries the login credentials in clear text. On a switch that is managed over SSH, set protocol inbound ssh so that only SSH logins are accepted on those user interfaces.
  • Page 679: Configuring An Ssh User

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter public key view. Use the command: public-key peer keyname. Remarks: —
    To do: Enter public key code view. Use the command: public-key-code begin. Remarks: —
    To do: Configure a client public key. Use the command: enter the content of the public key. Remarks: Required. Spaces and carriage returns are allowed between characters.
  • Page 680: Setting The Ssh Management Parameters

    A user without an SSH account can still pass password authentication and log into the server through Stelnet or SFTP, as long as the user passes AAA authentication and the service type is SSH. In other words, every AAA account whose service type is SSH is an SSH login account whether or not an SSH user was created for it, so an audit of who can log in must cover the AAA accounts, not only the SSH user entries. An SSH server supports up to 1024 SSH users. The service type of an SSH user can be Stelnet (Secure Telnet) or SFTP (Secure FTP).
  • Page 681: Configuring The Device As An Ssh Client

    To do: Enable the SSH server to work with SSH1 clients. Use the command: ssh server compatible-ssh1x enable. Remarks: Optional. By default, the SSH server can work with SSH1 clients.
    To do: Set the RSA server key pair update interval. Use the command: ssh server rekey-interval hours. Remarks: Optional. 0 by default, that is, the RSA server key pair is not updated.
    Both defaults are the weaker choice. SSH1 is an obsolete protocol version with known weaknesses in its integrity protection, so turn the SSH1 compatibility off unless a legacy client genuinely needs it. A rekey interval of 0 means the RSA server key pair is used indefinitely, so set a non-zero interval.
  • Page 682: Configuring Whether First-Time Authentication Is Supported

    Configuring Whether First-time Authentication is Supported
    When the device connects to an SSH server as an SSH client, you can configure whether it supports first-time authentication. With first-time authentication, an SSH client that is not configured with the server's host public key can still access the server the first time, and can save the host public key on the client for later connections. On that first connection the client has no way to tell the real server from an attacker in the path, so the saved key is only as trustworthy as that path was. Where this matters, obtain the server's host public key out of band, configure it on the client, and disable first-time authentication.
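    The following is an added model of the client-side behaviour described above; it is not code from the 3Com manual. It shows the two settings side by side: with first-time authentication enabled, an unknown server may be accessed and its key optionally saved; with it disabled, an unknown server is refused until its key has been configured; and in both cases a server that later presents a different key is rejected as a mismatch. The class names and the key bytes are constructed for illustration and are not real SSH keys.

```python
"""Client-side host key checking with and without first-time authentication.

Added example, not code from the 3Com manual. It models the behaviour this
section describes for an SSH client: with first-time authentication enabled,
a server whose host public key the client does not hold may still be accessed,
and the key may be saved; with it disabled, such a server is refused until its
key is configured. Once a key is held, a different key from the same server is
treated as a mismatch. Class names and the key bytes are constructed for
illustration; they are not real SSH keys.
"""
import hashlib


def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint of the raw host public key, for display to the operator."""
    return hashlib.sha256(host_key).hexdigest()


class SshClientHostKeys:
    def __init__(self, first_time_auth=True):
        self.first_time_auth = first_time_auth
        self.known = {}         # (server, port) -> host public key bytes
        self.events = []

    def assign_public_key(self, server, host_key, port=22):
        """Configure the server's host key out of band (the secure way to pin it)."""
        self.known[(server, port)] = host_key

    def connect(self, server, offered_key, port=22, save=True):
        """Check the key the server offers; returns one of
        'trusted', 'saved', 'continued-unsaved', 'rejected', 'mismatch'."""
        held = self.known.get((server, port))
        if held is not None:
            if held == offered_key:
                return "trusted"
            self.events.append(f"{server}:{port} host key changed! held {fingerprint(held)[:16]}..., "
                               f"offered {fingerprint(offered_key)[:16]}...")
            return "mismatch"           # possible man-in-the-middle: do not proceed
        if not self.first_time_auth:
            self.events.append(f"{server}:{port} unknown host key and first-time authentication is off")
            return "rejected"
        # First-time authentication: the operator is shown the fingerprint and decides.
        self.events.append(f"{server}:{port} not authenticated; fingerprint {fingerprint(offered_key)}")
        if save:
            self.known[(server, port)] = offered_key
            return "saved"
        return "continued-unsaved"      # the next connection is just as unverified as this one


def run_demo():
    key_a = b"ssh-rsa constructed-host-key-A"
    key_b = b"ssh-rsa constructed-host-key-B"
    lenient = SshClientHostKeys(first_time_auth=True)
    results = [
        lenient.connect("10.165.87.136", key_a, save=False),   # continue but do not save
        lenient.connect("10.165.87.136", key_a),               # still unknown: save it this time
        lenient.connect("10.165.87.136", key_a),               # now verified against the saved key
        lenient.connect("10.165.87.136", key_b),               # different key: mismatch
    ]
    strict = SshClientHostKeys(first_time_auth=False)
    results.append(strict.connect("10.165.87.136", key_a))     # refused: no key configured
    strict.assign_public_key("10.165.87.136", key_a)
    results.append(strict.connect("10.165.87.136", key_a))     # trusted via the configured key
    return results, lenient.events, strict.events


if __name__ == "__main__":
    results, lenient_events, strict_events = run_demo()
    print(results)
    for line in lenient_events + strict_events:
        print(line)
```

    The "mismatch" outcome is the one that must stop the connection rather than prompt: once a key is held, a different key from the same address is exactly what a man-in-the-middle looks like.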
  • Page 683: Displaying And Maintaining Ssh

    To do: Establish a connection to an IPv6 SSH server, specifying the ... preferred HMAC algorithms and preferred key exchange algorithm. Use the command: ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | ... Remarks: For an IPv4 ...
    Of the algorithms offered here, prefer aes128 over des (a 56-bit key), sha1 over md5 and over the truncated -96 variants, and dh-group-exchange (or dh-group14 where a command offers it) over dh-group1, which is a 1024-bit group.
  • Page 684
    Figure 1-1 Switch acts as server for password authentication
    Configuration procedure
    Configure the SSH server
    # Generate RSA and DSA key pairs and enable the SSH server.
    <Switch> system-view
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure an IP address for VLAN interface 1.
  • Page 685: When Switch Acts As Server For Publickey Authentication

    Figure 1-2 SSH client configuration interface In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. When Switch Acts as Server for Publickey Authentication Network requirements As shown in...
  • Page 686 Configure the SSH client # Generate an RSA key pair. Run PuTTYGen.exe, select SSH-2 RSA and click Generate. Figure 1-4 Generate a key pair on the client 1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-5.
  • Page 687 Figure 1-5 Generate a key pair on the client 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 1-6 Generate a key pair on the client 3) Likewise, to save the private key, click Save private key.
  • Page 688 Figure 1-7 Save a key pair on the client 4) Then, you need to transmit the public key file to the server through FTP or TFTP. Configure the SSH server # Generate RSA and DSA key pairs and enable SSH server. <Switch>...
  • Page 689 Figure 1-8 SSH client configuration interface 1) Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
  • Page 690: Ssh Client Configuration Examples

    Figure 1-9 SSH client configuration interface 2) In the window shown in Figure 1-9, click Open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface.
  • Page 691
    # Create an IP address for VLAN interface 1, which the SSH client will use as the destination for the SSH connection.
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
    [SwitchB] user-interface vty 0 4
    [SwitchB-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    ...
  • Page 692: When Switch Acts As Client For Publickey Authentication

    ...0D757262C4584C44C211F18BD96E5F0
    [SwitchA-pkey-key-code]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274
    [SwitchA-pkey-key-code]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E
    [SwitchA-pkey-key-code]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C
    [SwitchA-pkey-key-code]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95
    [SwitchA-pkey-key-code]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5
    [SwitchA-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9
    [SwitchA-pkey-key-code]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917
    [SwitchA-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD
    [SwitchA-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290
    [SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D
    [SwitchA-pkey-key-code]485348
    [SwitchA-pkey-key-code] public-key-code end
    [SwitchA-pkey-public-key] peer-public-key end
    # Specify the host public key for the SSH server (10.165.87.136) as key1.
    [SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
    [SwitchA] quit
    # Establish an SSH connection to server 10.165.87.136.
  • Page 693 Configuration procedure During SSH server configuration, the client public key is required. Therefore, it is recommended that you use the client software to generate a DSA key pair on the client before configuring the SSH server. Configure the SSH client # Create VLAN interface 1 and assign an IP address to it. <SwitchA>...
  • Page 694
    Trying 10.165.87.136 ...
    Press CTRL+K to abort
    Connected to 10.165.87.136 ...
    The Server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    Afterwards, you will find that you have logged into Switch B successfully. Note that answering N to the second prompt leaves the client without the server's host key, so the next connection is just as unauthenticated as this one; answer Y, after checking the server's key out of band, if the client should recognize the server from then on.
  • Page 695: Sftp Service

    SFTP Service When configuring SFTP, go to these sections for information you are interested in: SFTP Overview Configuring an SFTP Server Configuring an SFTP Client SFTP Client Configuration Example SFTP Server Configuration Example SFTP Overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 696: Configuring The Sftp Connection Idle Timeout Period

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server.
    Configuring the SFTP Connection Idle Timeout Period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that an idle user cannot hold the connection indefinitely. Because the device serves only one SFTP client at a time, a session left open blocks every other client, so keep this timeout short.
  • Page 697: Working With The Sftp Directories

    To do: Establish a connection to the remote IPv4 SFTP server. Use the command: sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher ...
  • Page 698: Working With Sftp Files

    Working with SFTP Files
    SFTP file operations include:
    Changing the name of a file
    Downloading a file
    Uploading a file
    Displaying a list of the files
    Deleting a file
    Follow these steps to work with SFTP files:
    To do… Use the command… Remarks
    sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | ...
  • Page 699: Terminating The Connection To The Remote Sftp Server

    Terminating the Connection to the Remote SFTP Server
    Follow these steps to terminate the connection to the remote SFTP server:
    Use the command: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | ... Remarks: Required.
  • Page 700
    [SwitchA] quit
    Then, you need to transmit the public key file to the server through FTP or TFTP. Neither protocol protects the file in transit, and anyone able to alter it on the way could substitute a key they control, so check the key the server ends up with against the original before relying on it for authentication.
    Configure the SFTP server
    # Generate RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Enable the SFTP server.
  • Page 701
    Are you sure to delete it? [Y/N]:y
    This operation may take a long time. Please wait...
    File successfully Removed
    sftp-client> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx ...
  • Page 702: Sftp Server Configuration Example

    <SwitchA> SFTP Server Configuration Example Network requirements As shown in Figure 2-2, an SSH connection is established between the host and the switch. The host, an SFTP client, logs into the switch for file management and file transfer. An SSH user uses password authentication with the username being client002 and the password being aabbcc.
  • Page 703 There are many kinds of SSH client software. The following takes PSFTP from PuTTY version 0.58 as an example. PSFTP supports only password authentication. # Establish a connection with the remote SFTP server. Run psftp.exe to launch the client interface shown in Figure 2-3, and enter the following command:...
  • Page 704 Table of Contents
    1 PKI Configuration 1-1
      Introduction to PKI 1-1
        PKI Overview 1-1
        PKI Terms 1-1
        Architecture of PKI 1-2
        Applications of PKI 1-3
        Operation of PKI 1-3
      PKI Configuration Task List 1-3
      Configuring an Entity DN 1-4
      Configuring a PKI Domain 1-5
      Submitting a PKI Certificate Request 1-7
        Submitting a Certificate Request in Auto Mode 1-7
        Submitting a Certificate Request in Manual Mode 1-7
    ...
  • Page 705: Pki Configuration

    PKI Configuration When configuring PKI, go to these sections for information you are interested in: Introduction to PKI PKI Configuration Task List Displaying and Maintaining PKI PKI Configuration Examples Troubleshooting PKI Introduction to PKI This section covers these topics: PKI Overview PKI Terms Architecture of PKI Applications of PKI...
  • Page 706: Architecture Of Pki

    An existing certificate may need to be revoked when, for example, the user name changes, the private key is compromised, or the user ceases operation. Revoking a certificate removes the binding between the public key and the user identity information. In PKI, revocation is published through certificate revocation lists (CRLs).
  • Page 707: Applications Of Pki

    PKI repository A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database. It stores and manages information like certificate requests, certificates, keys, CRLs and logs while providing a simple query function. LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service.
  • Page 708: Configuring An Entity Dn

    Task: Configuring an Entity DN. Remarks: Required.
    Task: Configuring a PKI Domain. Remarks: Required.
    Task: Submitting a PKI Certificate Request, either Submitting a Certificate Request in Auto Mode or Submitting a Certificate Request in Manual Mode. Remarks: Required; use either approach.
    Task: Retrieving a Certificate Manually. Remarks: Optional.
    Task: Configuring PKI Certificate ... Remarks: Optional.
    Task: Destroying a Local RSA Key Pair ...
  • Page 709: Configuring A Pki Domain

    To do: Configure the common name for the entity. Use the command: common-name name. Remarks: Optional. No common name is specified by default.
    To do: Configure the country code for the entity. Use the command: country country-code-str. Remarks: Optional. No country code is specified by default.
    To do: Configure the FQDN for the entity. Use the command: fqdn name-str ...
  • Page 710 any certificate. Sometimes the registration management function is provided by the CA, in which case no independent RA is required; it is nevertheless recommended that you deploy an independent RA. URL of the registration server: an entity sends a certificate request to the registration server through the Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.
  • Page 711: Submitting A Pki Certificate Request

    Currently, up to two PKI domains can be created on a device. The CA name is required only when you retrieve a CA certificate; it is not used for a local certificate request. Currently, the URL of the server for certificate request does not support domain name resolution.
    Submitting a PKI Certificate Request
    When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which become the major components of the certificate.
  • Page 712: Retrieving A Certificate Manually

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter PKI domain view. Use the command: pki domain domain-name. Remarks: —
    To do: Set the certificate request mode to manual. Use the command: certificate request mode manual. Remarks: Optional. Manual by default.
    To do: Return to system view. Use the command: quit. Remarks: —
    To do: Retrieve a CA certificate manually. Remarks: Refer to Retrieving a Certificate ...
  • Page 713: Configuring Pki Certificate Verification

    Prepare for certificate verification.
    Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
    Follow these steps to retrieve a certificate manually:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Retrieve a certificate manually, online. Use the command: pki retrieval-certificate { ca | local } domain domain-name ...
  • Page 714: Destroying A Local Rsa Key Pair

    To do: Retrieve CRLs manually. Use the command: pki retrieval-crl domain domain-name. Remarks: Required.
    To do: Verify the validity of a certificate. Use the command: pki validate-certificate { ca | local } domain domain-name. Remarks: Required.
    Configuring CRL-checking-disabled PKI certificate verification
    With CRL checking disabled, a certificate that the CA has already revoked still passes verification, so use this variant only where CRL retrieval is genuinely impossible and treat the result as a weaker check. Follow these steps to configure CRL-checking-disabled PKI certificate verification:
    To do… ...
  • Page 715: Deleting A Certificate

    Deleting a Certificate
    When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate. Follow these steps to delete a certificate:
    To do: Enter system view. Use the command: system-view ...
  • Page 716: Pki Configuration Examples

    To do: Display information about one or all certificate attribute groups. Use the command: display pki certificate attribute-group { group-name | all }. Remarks: Available in any view.
    To do: Display information about one or all certificate attribute-based access control policies. Use the command: display pki certificate access-control-policy ... Remarks: Available in any view.
  • Page 717 Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left using the default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server.
  • Page 718
    Apply for certificates
    # Retrieve the CA certificate and save it locally.
    [Switch] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while......
    The trusted CA's finger print is:
        fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
        SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment......
    Answer y only after comparing both fingerprints with values obtained from the CA administrator out of band; this prompt is the point at which the switch's trust in the CA is established, and the retrieval itself provides no other protection against a substituted CA certificate.
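    The following is an added helper for the comparison that prompt asks of the operator; it is not code from the 3Com manual and it equally applies to the Windows 2003 CA example later in this chapter. Given a copy of the CA certificate obtained out of band, it recomputes the 16-byte and 20-byte fingerprints (MD5 and SHA1 sizes, as printed by the switch), formats them the way the switch does, parses the fingerprints out of the switch output and compares them in constant time. The switch output and the certificate bytes below are constructed for illustration; the "certificate" is the byte string b"abc", not a real DER certificate.

```python
"""Checking the CA fingerprint the switch shows at 'Is the finger print correct?'.

Added example, not code from the 3Com manual. The prompt on this page expects
the operator to compare the printed fingerprint with one obtained out of band
from the CA administrator. This helper recomputes both the 16-byte (MD5) and
the 20-byte (SHA1) fingerprints over a copy of the CA certificate obtained out
of band, formats them as the switch does (groups of four hex digits) and
compares in constant time. The certificate bytes and the switch output below
are constructed for illustration; the 'certificate' is the string b"abc",
not a real DER certificate.
"""
import hashlib
import hmac
import re

# Constructed sample of the retrieval output, in the layout seen on this page.
SWITCH_OUTPUT_SAMPLE = """\
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
    fingerprint:9001 5098 3CD2 4FB0 D696 3F7D 28E1 7F72
    SHA1 fingerprint:A999 3E36 4706 816A BA3E 2571 7850 C26C 9CD0 D89D
Is the finger print correct?(Y/N):"""

# Out-of-band copy of the CA certificate (constructed placeholder bytes).
CA_CERT_OUT_OF_BAND = b"abc"


def switch_format(digest_hex: str) -> str:
    """Render a hex digest as the switch prints it: upper-case, four-digit groups."""
    d = digest_hex.upper()
    return " ".join(d[i:i + 4] for i in range(0, len(d), 4))


def fingerprints(cert_der: bytes) -> dict:
    """Both fingerprints of the certificate bytes, in switch format."""
    return {"md5": switch_format(hashlib.md5(cert_der).hexdigest()),
            "sha1": switch_format(hashlib.sha1(cert_der).hexdigest())}


def parse_prompt(output: str) -> dict:
    """Extract the two fingerprints from the switch output; missing values raise."""
    sha1 = re.search(r"SHA1 fingerprint:\s*([0-9A-Fa-f ]+)", output)
    md5 = re.search(r"(?<!SHA1 )fingerprint:\s*([0-9A-Fa-f ]+)", output)
    if not (sha1 and md5):
        raise ValueError("fingerprint lines not found in switch output")
    return {"md5": md5.group(1).strip(), "sha1": sha1.group(1).strip()}


def _same(a: str, b: str) -> bool:
    """Compare fingerprints ignoring case and spacing, in constant time."""
    na = re.sub(r"[^0-9A-F]", "", a.upper())
    nb = re.sub(r"[^0-9A-F]", "", b.upper())
    return hmac.compare_digest(na, nb)


def answer_prompt(output: str, cert_der: bytes) -> str:
    """Return 'Y' only if both printed fingerprints match the out-of-band certificate."""
    shown = parse_prompt(output)
    expected = fingerprints(cert_der)
    ok = _same(shown["sha1"], expected["sha1"]) and _same(shown["md5"], expected["md5"])
    return "Y" if ok else "N"


if __name__ == "__main__":
    print(fingerprints(CA_CERT_OUT_OF_BAND))
    print("answer:", answer_prompt(SWITCH_OUTPUT_SAMPLE, CA_CERT_OUT_OF_BAND))
    tampered = SWITCH_OUTPUT_SAMPLE.replace("9001 5098", "9001 5099")
    print("answer for altered output:", answer_prompt(tampered, CA_CERT_OUT_OF_BAND))
```

    Requiring both values to match costs nothing and means a collision against the weaker MD5 fingerprint alone is not enough; the SHA1 value is the one that carries the decision.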
  • Page 719: Requesting A Certificate From A Ca Running Windows 2003 Server

    D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
    73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 CRL Distribution Points:
    URI:http://4.4.4.133:447/myca.crl
    Signature Algorithm: sha1WithRSAEncryption
    836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962
    EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF
    987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 ...
  • Page 720 plug-in installation completes, a URL is displayed, which you need to configure on the switch as the URL of the server for certificate registration. Modify the certificate service attributes From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server and SCEP plug-in have been installed successfully, there should be two certificates issued by the CA to the RA.
  • Page 721
    Apply for certificates
    # Retrieve the CA certificate and save it locally.
    [Switch] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while......
    The trusted CA's finger print is:
        fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
        SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment......
  • Page 722: Configuring A Certificate Attribute-Based Access Control Policy

    X509v3 Subject Key Identifier:
    B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1
    X509v3 Authority Key Identifier:
    keyid:9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE
    X509v3 CRL Distribution Points:
    URI:http://l00192b/CertEnroll/CA%20server.crl
    URI:file://\\l00192b\CertEnroll\CA server.crl
    Authority Information Access:
    CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
    CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
    1.3.6.1.4.1.311.20.2: .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
    Signature Algorithm: sha1WithRSAEncryption
    81029589 7BFA1CBD 20023136 B068840B (Omitted)
    You can also use some other display commands to view detailed information about the CA certificate.
  • Page 723 For detailed information about SSL configuration, refer to SSL Configuration in the Security Volume. For detailed information about HTTPS configuration, refer to HTTP Configuration in the System Volume. The PKI domain to be referenced by the SSL policy must be created in advance. For detailed configuration of the PKI domain, refer to Configure the PKI domain.
  • Page 724: Troubleshooting Pki

    Troubleshooting PKI
    Failed to Retrieve a CA Certificate
    Symptom
    Failed to retrieve a CA certificate.
    Analysis
    Possible reasons include these:
    The network connection is not proper. For example, the network cable may be damaged or loose.
    No trusted CA is specified.
    The URL of the registration server for certificate request is not correct or not configured.
  • Page 725: Failed To Retrieve Crls

    Failed to Retrieve CRLs Symptom Failed to retrieve CRLs. Analysis Possible reasons include these: The network connection is not proper. For example, the network cable may be damaged or loose. No CA certificate has been retrieved before you try to retrieve CRLs. The IP address of LDAP server is not configured.
  • Page 726 Table of Contents: 1 SSL Configuration (1-1); SSL Overview (1-1); SSL Security Mechanism (1-1); SSL Protocol Stack (1-2); SSL Configuration Task List (1-2); Configuring an SSL Server Policy (1-3); Configuration Prerequisites (1-3); Configuration Procedure (1-3); SSL Server Policy Configuration Example (1-4); Configuring an SSL Client Policy (1-6); Configuration Prerequisites (1-6); Configuration Procedure (1-6); Displaying and Maintaining SSL (1-6)...
  • Page 727: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 728: Ssl Protocol Stack

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at...
  • Page 729: Configuring An Ssl Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
  • Page 730: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
  • Page 731 <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Create a PKI domain named 1, specify the trusted CA as ca server, the authority for certificate request as RA, the URL of the RA server as http://10.1.2.2/certsrv/mscep/mscep.dll, and the entity for certificate request as en.
  • Page 732: Configuring An Ssl Client Policy

    For details about PKI configuration commands, refer to PKI Commands in the Security Volume. For details about the public-key local create rsa command, refer to Public Key Commands in the Security Volume. For details about HTTPS, refer to HTTP Configuration in the System Volume. Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server.
  • Page 733: Troubleshooting Ssl

    … information { policy-name | all }. To do…: Display SSL client policy information. Use the command…: display ssl client-policy { policy-name | all }. Troubleshooting SSL. SSL Handshake Failure. Symptom: As the SSL server, the device fails to handshake with the SSL client. Analysis: SSL handshake failure may result from the following causes: The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or...
  • Page 734 Table of Contents: 1 Public Key Configuration (1-1); Asymmetric Key Algorithm Overview (1-1); Basic Concepts (1-1); Key Algorithm Types (1-1); Asymmetric Key Algorithm Applications (1-1); Configuring the Local Asymmetric Key Pair (1-2); Creating an Asymmetric Key Pair (1-2); Displaying or Exporting the Local RSA or DSA Host Public Key (1-3); Destroying an Asymmetric Key Pair (1-3); Configuring the Public Key of a Peer (1-3); Displaying and Maintaining Public Keys (1-4)...
  • Page 735: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Asymmetric Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Asymmetric Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 736: Configuring The Local Asymmetric Key Pair

    Encryption/decryption: The information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Digital signature: The information encrypted with a sender's private key can be decrypted by anyone who has access to the sender's public key, thereby proving that the information is from the sender and has not been tampered with.
  • Page 737: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    Configuration of the public-key local create command can survive a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits.
  • Page 738: Displaying And Maintaining Public Keys

    Import it from the public key file: The system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through FTP or TFTP. If you choose to input the public key, the public key must be in a correct format.
  • Page 739: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 740: Importing The Public Key Of A Peer From A Public Key File

    307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local dsa public command.
  • Page 741 NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort. Input the bits of the modulus[default = 1024]: Generating Keys... ++++++ ++++++ ++++++++ ++++++++ # Display the public keys of the created RSA key pairs. [DeviceA] display public-key local rsa public ===================================================== Time of Key pair created: 09:50:06...
  • Page 742 Password: 230 User logged in. [ftp] binary 200 Type set to I. [ftp] put devicea.pub 227 Entering Passive Mode (10,1,1,2,5,148). 125 BINARY mode data connection already open, transfer starting for /devicea.pub. 226 Transfer complete. FTP: 299 byte(s) sent in 0.189 second(s), 1.00Kbyte(s)/sec. Import the host public key of Device A to Device B # Import the host public key of Device A from the key file devicea.pub to Device B.
  • Page 743 Table of Contents: 1 ACL Overview (1-1); Introduction to ACL (1-1); Introduction (1-1); Application of ACLs on the Switch (1-1); Introduction to IPv4 ACL (1-2); IPv4 ACL Classification (1-2); IPv4 ACL Naming (1-3); IPv4 ACL Match Order (1-3); IPv4 ACL Step (1-4); Effective Period of an IPv4 ACL (1-4); IP Fragments Filtering with IPv4 ACL (1-4); Introduction to IPv6 ACL (1-5)...
  • Page 744 Configuring a Basic IPv6 ACL (3-1); Configuration Prerequisites (3-1); Configuration Procedure (3-1); Configuration Example (3-2); Configuring an Advanced IPv6 ACL (3-3); Configuration Prerequisites (3-3); Configuration Procedure (3-3); Configuration Example (3-4); Configuring an Ethernet Frame Header ACL (3-4); Copying an IPv6 ACL (3-4); Configuration Prerequisites (3-4); Configuration Procedure (3-4); Displaying and Maintaining IPv6 ACLs (3-5); IPv6 ACL Configuration Example (3-5)...
  • Page 745: Acl Overview

    ACL Overview The following functions are added in V05.02.00 of the Switch 4500G series: Applying an ACL for packet filtering and outputting packet filtering logs. For details, refer to Application for Packet Filtering. The established keyword that is used to specify the TCP flags ACK and RST in advanced IPv4/IPv6 ACL rules.
  • Page 746: Introduction To Ipv4 Acl

    Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL is applied to an Ethernet interface or VLAN interface for packet filtering or is referenced by a QoS policy for traffic classification. Note that when an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect;...
  • Page 747: Ipv4 Acl Naming

    IPv4 ACL Naming When creating an IPv4 ACL, you can specify a unique name for it. Afterwards, you can identify the ACL by its name. An IPv4 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name for it, nor can you change or remove its name.
  • Page 748: Ipv4 Acl Step

    Depth-first match for an Ethernet frame header ACL The following shows how your device performs depth-first match in an Ethernet frame header ACL: Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks.
  • Page 749: Introduction To Ipv6 Acl

    Introduction to IPv6 ACL This section covers these topics: IPv6 ACL Classification IPv6 ACL Naming IPv6 ACL Match Order IPv6 ACL Step Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2.
  • Page 750: Ipv6 Acl Step

    Depth-first match for a basic IPv6 ACL The following shows how your device performs depth-first match in a basic IPv6 ACL: Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address. In case of a tie, compare packets against the rule configured first.
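    The two depth-first descriptions above (Ethernet frame header ACL on page 748, basic IPv6 ACL here) are the same idea applied to different match fields: the most specific rule is compared first, and configuration order only breaks ties. The following Python model is an added illustration, not 3Com code; the rules and frames in it are constructed, and rule IDs stand in for configuration order.

```python
"""Depth-first (match-order auto) rule ordering for two ACL types.

Added illustration, not 3Com code. It models the ordering described in the
manual: for an Ethernet frame header ACL, rules with more ones in the source
MAC mask are compared first, ties go to more ones in the destination MAC mask,
remaining ties to the rule configured first; for a basic IPv6 ACL, rules with a
longer source prefix are compared first, ties to the rule configured first.
Rule IDs are used as the configuration order (lower = configured first).
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse '0001-0203-0405' (device notation) or '00:01:02:03:04:05'."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def ones(mask: str) -> int:
    """Number of one bits in a MAC mask; more ones = more specific rule."""
    return bin(mac_to_int(mask)).count("1")


@dataclass(frozen=True)
class L2Rule:
    rule_id: int
    action: str       # "permit" or "deny"
    src_mac: str
    src_mask: str     # ffff-ffff-ffff = exact match, 0000-0000-0000 = any
    dst_mac: str
    dst_mask: str

    def matches(self, src: str, dst: str) -> bool:
        sm, dm = mac_to_int(self.src_mask), mac_to_int(self.dst_mask)
        return ((mac_to_int(src) & sm) == (mac_to_int(self.src_mac) & sm)
                and (mac_to_int(dst) & dm) == (mac_to_int(self.dst_mac) & dm))


def depth_first_l2(rules: List[L2Rule]) -> List[L2Rule]:
    """Order Ethernet frame header rules as the device would with match-order auto."""
    return sorted(rules, key=lambda r: (-ones(r.src_mask), -ones(r.dst_mask), r.rule_id))


def first_match_l2(rules: List[L2Rule], src: str, dst: str) -> Optional[L2Rule]:
    for rule in depth_first_l2(rules):
        if rule.matches(src, dst):
            return rule
    return None   # no rule matched; the device's default action applies


@dataclass(frozen=True)
class IPv6Rule:
    rule_id: int
    action: str
    source: str       # prefix notation as in the manual, e.g. 4050::9000/120


def depth_first_ipv6(rules: List[IPv6Rule]) -> List[IPv6Rule]:
    """Longer source prefix first; ties keep configuration order."""
    return sorted(rules, key=lambda r: (-IPv6Network(r.source, strict=False).prefixlen, r.rule_id))


def first_match_ipv6(rules: List[IPv6Rule], src: str) -> Optional[IPv6Rule]:
    addr = IPv6Address(src)
    for rule in depth_first_ipv6(rules):
        if addr in IPv6Network(rule.source, strict=False):
            return rule
    return None


# Constructed sample rules (not from the manual). In configuration order,
# rule 0 would permit every frame from 0001-0203-xxxx before the deny rules
# were ever reached; depth-first puts the more specific deny rules first.
L2_RULES = [
    L2Rule(0, "permit", "0001-0203-0000", "ffff-ffff-0000", "0000-0000-0000", "0000-0000-0000"),
    L2Rule(5, "deny", "0001-0203-0405", "ffff-ffff-ffff", "0000-0000-0000", "0000-0000-0000"),
    L2Rule(10, "deny", "0001-0203-0000", "ffff-ffff-0000", "000a-0b0c-0000", "ffff-ffff-0000"),
]

IPV6_RULES = [
    IPv6Rule(0, "permit", "4050::/16"),
    IPv6Rule(5, "deny", "4050::9000/120"),
    IPv6Rule(10, "permit", "4050::9000/124"),
]

if __name__ == "__main__":
    print("L2 depth-first order:", [r.rule_id for r in depth_first_l2(L2_RULES)])
    hit = first_match_l2(L2_RULES, "0001-0203-0405", "000a-0b0c-0d0e")
    print("frame from 0001-0203-0405:", hit.action, "by rule", hit.rule_id)
    hit6 = first_match_ipv6(IPV6_RULES, "4050::9005")
    print("packet from 4050::9005:", hit6.action, "by rule", hit6.rule_id)
```

    The point for anyone auditing an ACL with match-order auto: the rule listed first in the configuration is not necessarily the one that decides, so a broad permit placed early does not shadow a narrower deny added later, which it would under match-order config.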
  • Page 751: Ipv4 Acl Configuration

    IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv4 ACL Configuring an Advanced IPv4 ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Displaying and Maintaining IPv4 ACLs IPv4 ACL Configuration Example Creating a Time Range...
  • Page 752: Configuration Example

    on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
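    As an added illustration (not 3Com code), the following Python model evaluates a time range with both a periodic part and an absolute part, using the manual's own example (test, 12:00 to 14:00 on Wednesdays during 2004) and the office-hours range trname from the IPv4 ACL configuration example (8:00 to 18:00 on working days). It assumes the daily window end is exclusive, the absolute end is inclusive, and working-day means Monday to Friday.

```python
"""Evaluating an ACL time range. Added illustration, not 3Com code.

Models the two kinds of time range the manual describes and how they combine:
a periodic range (a time-of-day window on given days of the week) that is
active only within an absolute range (a fixed start and end date/time).
Assumptions: the daily window end is exclusive, the absolute end is inclusive,
and the working-day keyword means Monday to Friday.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

WEEKDAY = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
           "friday": 4, "saturday": 5, "sunday": 6}
WORKING_DAY = frozenset(range(0, 5))      # assumed meaning of working-day
ALL_DAYS = frozenset(range(0, 7))


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time                           # daily window start (periodic part)
    end: time                             # daily window end (exclusive, assumed)
    days: FrozenSet[int] = ALL_DAYS       # weekday numbers, Monday = 0
    abs_from: Optional[datetime] = None   # absolute part; None = no lower bound
    abs_to: Optional[datetime] = None     # absolute part; None = no upper bound

    def is_active(self, now: datetime) -> bool:
        """True when the range is active at 'now'."""
        if self.abs_from is not None and now < self.abs_from:
            return False
        if self.abs_to is not None and now > self.abs_to:
            return False
        if now.weekday() not in self.days:
            return False
        return self.start <= now.time() < self.end


def parse_days(*keywords: str) -> FrozenSet[int]:
    """Turn manual-style day keywords into weekday numbers."""
    days = set()
    for kw in keywords:
        if kw == "working-day":
            days |= WORKING_DAY
        else:
            days.add(WEEKDAY[kw])
    return frozenset(days)


def at(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Convenience constructor for sample timestamps."""
    return datetime(year, month, day, hour, minute)


# The manual's example:
#   time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004
TEST = TimeRange("test", time(12, 0), time(14, 0), parse_days("wednesday"),
                 at(2004, 1, 1, 0, 0), at(2004, 12, 31, 23, 59))

# The manual's office-hours range: time-range trname 8:00 to 18:00 working-day
TRNAME = TimeRange("trname", time(8, 0), time(18, 0), parse_days("working-day"))

if __name__ == "__main__":
    # 7 January 2004 was a Wednesday; 5 January 2005 was also a Wednesday
    print("test active Wed 2004-01-07 13:00:", TEST.is_active(at(2004, 1, 7, 13, 0)))
    print("test active Wed 2005-01-05 13:00:", TEST.is_active(at(2005, 1, 5, 13, 0)))
    print("trname active Sat 2004-01-10 09:00:", TRNAME.is_active(at(2004, 1, 10, 9, 0)))
```

    The practical consequence is that a rule referencing the range is in force only while every condition holds: a Wednesday in 2005 is outside the absolute period and the rule does not apply, even though the periodic part alone would match.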
  • Page 753: Configuration Procedure

    Configuration Procedure. Follow these steps to configure a basic IPv4 ACL: To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Create a basic IPv4 ACL and enter its view. Use the command…: acl number acl-number [ name acl-name ] [ match-order { auto | … Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL...
  • Page 754: Configuring An Advanced Ipv4 Acl

    <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # Verify the configuration. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, named -none-, 1 rule, ACL's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP...
  • Page 755: Configuration Example

    To do…: Set the rule numbering step. Use the command…: step step-value. Remarks: Optional. 5 by default. To do…: Configure a description for the advanced IPv4 ACL. Use the command…: description text. Remarks: Optional. By default, an advanced IPv4 ACL has no ACL description. To do…: Configure a rule description. Use the command…: rule rule-id comment text. Remarks: Optional. By default, an IPv4 ACL rule has no description...
  • Page 756: Configuring An Ethernet Frame Header Acl

    Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. They are numbered in the range 4000 to 4999. Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first.
  • Page 757: Configuration Example

    Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 758: Displaying And Maintaining Ipv4 Acls

    The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL. Displaying and Maintaining IPv4 ACLs. To do…: Display information about one or all IPv4 ACLs. Use the command…: display acl { acl-number | all | … Remarks: Available in any...
  • Page 759: Configuration Procedure

    Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 in working days. <Switch> system-view [Switch] time-range trname 8:00 to 18:00 working-day Define an ACL to control access to the salary query server # Configure a rule to control access of the R&D Department to the salary query server.
  • Page 760 [Switch] interface GigabitEthernet 1/0/2 [Switch-GigabitEthernet1/0/2] qos apply policy p_rd inbound [Switch-GigabitEthernet1/0/2] quit # Apply QoS policy p_market to interface GigabitEthernet 1/0/3. [Switch] interface GigabitEthernet 1/0/3 [Switch-GigabitEthernet1/0/3] qos apply policy p_market inbound 2-10...
  • Page 761: Ipv6 Acl Configuration

    IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Configuring an Ethernet Frame Header ACL For the Ethernet frame header ACL configuration, refer to Configuring an Ethernet Frame Header ACL.
  • Page 762 To do…: Set the rule numbering step. Use the command…: step step-value. Remarks: Optional. 5 by default. To do…: Configure a description for the basic IPv6 ACL. Use the command…: description text. Remarks: Optional. By default, a basic IPv6 ACL has no ACL description. To do…: Configure a rule description. Use the command…: rule rule-id comment text. Remarks: Optional. By default, an IPv6 ACL rule has no rule description...
  • Page 763: Configuring An Advanced Ipv6 Acl

    Configuring an Advanced IPv6 ACL Advanced IPv6 ACLs match packets based on the source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMP message type, and ICMP message code. Advanced IPv6 ACLs are numbered in the range 3000 to 3999.
  • Page 764: Copying An Ipv6 Acl

    You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 765: Displaying And Maintaining Ipv6 Acls

    To do…: Copy an existing IPv6 ACL to generate a new one of the same type. Use the command…: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }. Remarks: Required. The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL.
  • Page 766 Configuration Procedure # Create an IPv6 ACL 2000. <Switch> system-view [Switch] acl ipv6 number 2000 [Switch-acl6-basic-2000] rule deny source 4050::9000/120 [Switch-acl6-basic-2000] quit # Configure class c_rd for packets matching IPv6 ACL 2000. [Switch] traffic classifier c_rd [Switch-classifier-c_rd] if-match acl ipv6 2000 [Switch-classifier-c_rd] quit # Configure traffic behavior b_rd to deny matching packets.
  • Page 767: Acl Application For Packet Filtering

    ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering IPv4 Packets Filtering IPv6 Packets ACL Application Example You can apply an ACL to the inbound or outbound direction of an Ethernet interface or VLAN interface to filter packets: Applied to an Ethernet interface, an ACL can filter all IPv4 packets and IPv6 packets that are received on the interface.
  • Page 768: Filtering Ipv6 Packets

    To do…: Exit to system view. Use the command…: quit. Remarks: —. To do…: Configure the interval for collecting and outputting IPv4 packet filtering logs. Use the command…: acl logging frequence frequence. Remarks: Required. By default, the interval is 0, that is, no IPv4 packet filtering logs are output.
  • Page 769: Acl Application Example

    The packet filtering statistics are managed and output as device log information by the information center. The packet filtering statistics are of the severity level of 6, that is, informational. Informational messages are not output to the console by default; therefore, you need to modify the log information output rule for the informational message output to be sent to the console or other destinations.
  • Page 770: Applying An Acl To A Vlan Interface

    [DeviceA-acl-basic-2009] quit # Apply ACL 2009 to the inbound direction of interface GigabitEthernet 1/0/1. [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound # Configure the device to collect and output IPv4 packet filtering logs at an interval of 10 minutes. [DeviceA] acl logging frequence 10 # Configure the device to output informational log messages to the console.
  • Page 771 Table of Contents: 1 ARP Attack Protection Configuration (1-1); ARP Attack Protection Overview (1-1); ARP Attack Protection Configuration Task List (1-1); Configuring ARP Defense Against IP Packet Attacks (1-2); Introduction (1-2); Configuring ARP Source Suppression (1-2); Enabling ARP Black Hole Routing (1-3); Displaying and Maintaining ARP Source Suppression (1-3); Configuring ARP Packet Rate Limit (1-3); Introduction (1-3)...
  • Page 772: Arp Attack Protection Configuration

    ARP Attack Protection Configuration When configuring ARP Attack Protection, go to these sections for information you are interested in: Configuring ARP Defense Against IP Packet Attacks Configuring ARP Packet Rate Limit Configuring Source MAC Address Based ARP Attack Detection Configuring ARP Packet Source MAC Address Consistency Check Configuring ARP Active Acknowledgement Configuring ARP Detection For modification of the arp detection mode command in V05.02.00P19 of the 3Com 4500G series Ethernet...
  • Page 773: Configuring Arp Defense Against Ip Packet Attacks

    Task / Remarks: … Packet Attacks: Optional. Enabling ARP Black Hole Routing: Optional; configure this function on gateways (recommended). Configuring ARP Packet Rate Limit: Optional; configure this function on access devices (recommended). Configuring Source MAC Address Based ARP Attack Detection: Optional; configure this function on gateways (recommended).
  • Page 774: Enabling Arp Black Hole Routing

    To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Enable ARP source suppression. Use the command…: arp source-suppression enable. Remarks: Required. Disabled by default. To do…: Set the maximum number of packets with the same source IP address but unresolvable destination IP … Use the command…: arp source-suppression limit limit-value. Remarks: Optional. 10 by default.
  • Page 775: Configuring Source Mac Address Based Arp Attack Detection

    To do…: Configure ARP packet rate limit. Use the command…: arp rate-limit { disable | rate pps drop }. Remarks: Required. By default, the ARP packet rate limit is enabled and is 100 pps. Configuring Source MAC Address Based ARP Attack Detection. Introduction: This feature allows the device to check the source MAC address of ARP packets.
  • Page 776: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Displaying and Maintaining Source MAC Address Based ARP Attack Detection. To do…: Display attacking entries detected. Use the command…: display arp anti-attack source-mac [ interface interface-type interface-number ]. Remarks: Available in any view. Configuring ARP Packet Source MAC Address Consistency Check. Introduction: This feature enables a gateway device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message, so that the gateway...
  • Page 777: Configuring Arp Detection

    To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Enable the ARP active acknowledgement function. Use the command…: arp anti-attack active-ack enable. Remarks: Required. Disabled by default. Configuring ARP Detection. For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume. For information about 802.1X, refer to 802.1X Configuration in the Security Volume.
  • Page 778 After you enable ARP detection based on 802.1X security entries, the device, upon receiving an ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security entries. If an entry with matching source IP and MAC addresses, port index, and VLAN ID is found, the ARP packet is considered valid.
  • Page 779 To do…: Enter Ethernet interface view. Use the command…: interface interface-type interface-number. Remarks: —. To do…: Configure the port as a trusted port. Use the command…: arp detection trust. Remarks: Optional. The port is an untrusted port by default. To do…: Return to system view. Use the command…: quit. Remarks: —. To do…: … Use the command…: arp detection mode … Remarks: Required. Use this command on software version 3Com 4500G V05.02.00P19...
  • Page 780: Configuring Arp Detection Based On Specified Objects

    If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP snooping entries.
  • Page 781: Arp Detection Configuration Example I

    To do…: Clear the ARP detection statistics. Use the command…: reset arp detection statistics [ interface interface-type interface-number ]. Remarks: Available in user view. ARP Detection Configuration Example I. Network requirements: Enable DHCP snooping on Switch B. Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass.
  • Page 782: Arp Detection Configuration Example Ii

    [SwitchB-GigabitEthernet1/0/1] quit # Configure a static IP Source Guard binding entry on GigabitEthernet 1/0/2. [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.5 mac-address 0001-0203-0405 vlan 10 [SwitchB-GigabitEthernet1/0/2] quit # Configure a static IP Source Guard binding entry on GigabitEthernet 1/0/3. [SwitchB] interface gigabitethernet 1/0/3 [SwitchB-GigabitEthernet1/0/3] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10...
  • Page 783 Configure Host A and Host B as 802.1x clients (the configuration procedure is omitted) and configure them to upload IP addresses for ARP detection. Configure Switch B # Enable the 802.1x function. <SwitchB> system-view [SwitchB] dot1x [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] dot1x [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2...
  • Page 784 High Availability Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The High Availability Volume is organized as follows: Features Description Smart Link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink networking. This document describes: Smart Link Smart Link Overview Configuring a Smart Link Device...
  • Page 785 Features Description In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction Enabling DLDP Setting DLDP Mode DLDP Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication...
  • Page 786 Table of Contents: 1 Smart Link Configuration (1-2); Smart Link Overview (1-2); Terminology (1-3); How Smart Link Works (1-4); Smart Link Configuration Task List (1-5); Configuring a Smart Link Device (1-5); Configuration Prerequisites (1-5); Configuring Protected VLANs for a Smart Link Group (1-6); Configuring Member Ports for a Smart Link Group (1-6); Configuring Role Preemption for a Smart Link Group (1-7); Enabling the Sending of Flush Messages (1-7)...
  • Page 787: Smart Link Configuration

    Smart Link Configuration When configuring Smart Link, go to these sections for information that you are interested in: Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Displaying and Maintaining Smart Link Smart Link Configuration Examples Smart Link Overview To avoid single-point failures and guarantee network reliability, downstream devices are usually dual uplinked to upstream devices.
  • Page 788: Terminology

    For more information about STP and RRPP, refer to MSTP Configuration in the Access Volume and RRPP Configuration in the High Availability Volume. Smart Link is a feature developed to address the slow convergence issue with STP. It provides link redundancy as well as fast convergence in a dual uplink network, allowing the backup link to take over quickly when the primary link fails.
  • Page 789: How Smart Link Works

    Receive control VLAN The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.
  • Page 790: Smart Link Configuration Task List

    configured with role preemption, GE1/0/1 takes over to forward traffic as soon as the former master link recovers, while GE1/0/2 is automatically blocked and placed in the standby state. Load sharing mechanism A ring network may carry traffic of multiple VLANs. Smart link can forward traffic of different VLANs in different smart link groups, thus implementing load sharing.
  • Page 791: Configuring Protected Vlans For A Smart Link Group

    A loop may occur on the network during the time when STP is disabled but Smart Link has not yet taken effect on a port. Configuring Protected VLANs for a Smart Link Group Follow these steps to configure the protected VLANs for a smart link group: To do…...
  • Page 792: Configuring Role Preemption For A Smart Link Group

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number (—). Configure member ports for a smart link group: port smart-link group group-id { master | slave } (Required). Configuring Role Preemption for a Smart Link Group Follow these steps to configure role preemption for a smart link group: To do…...
  • Page 793: Smart Link Device Configuration Example

    The control VLAN configured for a smart link group must be different from that configured for any other smart link group. Make sure that the configured control VLAN already exists, and assign the smart link group member ports to the control VLAN. The control VLAN of a smart link group should also be one of its protected VLANs.
  • Page 794: Configuring An Associated Device

    Configuring an Associated Device Enabling the Receiving of Flush Messages You do not need to enable all ports on the associated devices to receive flush messages sent from the transmit control VLAN, only those on the master and slave links between the smart link device and the destination device.
  • Page 795: Displaying And Maintaining Smart Link

    Displaying and Maintaining Smart Link To do… / Use the command… / Remarks: Display smart link group information: display smart-link group { group-id | all } (Available in any view). Display information about the received flush messages: display smart-link flush (Available in any view). Clear the statistics about flush…: reset smart-link statistics (Available in user view)...
  • Page 796 [DeviceC-mst-region] instance 1 vlan 11 to 20 [DeviceC-mst-region] instance 2 vlan 21 to 30 [DeviceC-mst-region] active region-configuration [DeviceC-mst-region] quit # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, and configure them as trunk ports that permit VLANs 1 through 30. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk...
  • Page 797 [DeviceD-GigabitEthernet1/0/1] quit [DeviceD] interface gigabitethernet 1/0/2 [DeviceD-GigabitEthernet1/0/2] undo stp enable [DeviceD-GigabitEthernet1/0/2] port link-type trunk [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceD-GigabitEthernet1/0/2] quit # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs.
  • Page 798 [DeviceE] interface gigabitethernet 1/0/1 [DeviceE-GigabitEthernet1/0/1] port link-type trunk [DeviceE-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30 [DeviceE-GigabitEthernet1/0/1] smart-link flush enable [DeviceE-GigabitEthernet1/0/1] quit [DeviceE] interface gigabitethernet 1/0/2 [DeviceE-GigabitEthernet1/0/2] port link-type trunk [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceE-GigabitEthernet1/0/2] smart-link flush enable [DeviceE-GigabitEthernet1/0/2] quit [DeviceE] interface gigabitethernet 1/0/3 [DeviceE-GigabitEthernet1/0/3] port link-type trunk...
  • Page 799: Multiple Smart Link Groups Load Sharing Configuration Example

    You can use the display smart-link flush command to display the flush messages received on each device. For example: # Display the flush messages received on Device B. [DeviceB] display smart-link flush Received flush packets Receiving interface of the last flush packet : GigabitEthernet1/0/3 Receiving time of the last flush packet : 16:25:21 2009/02/21...
  • Page 800 [DeviceC-mst-region] quit # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, configure the ports as trunk ports, and assign them to VLAN 1 through VLAN 200. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200 [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable...
  • Page 801 # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports and assign them to VLANs 1 through 200; enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 and configure VLAN 10 and VLAN 101 as the receive control VLANs. [DeviceB] interface gigabitethernet 1/0/1 [DeviceB-GigabitEthernet1/0/1] port link-type trunk [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200...
  • Page 802 [DeviceA-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101 [DeviceA-GigabitEthernet1/0/2] quit Verifying the configurations You can use the display smart-link group command to display the smart link group configuration on each device. For example: # Display the smart link group configuration on Device C. [DeviceC] display smart-link group all Smart link group 1 information: Device ID: 000f-e23d-5af0...
  • Page 803 Table of Contents: 1 Monitor Link Configuration 1-1; Overview 1-1; Terminology 1-1; How Monitor Link Works 1-2; Configuring Monitor Link 1-2; Configuration Prerequisites 1-2; Creating a Monitor Link Group 1-2; Configuring Monitor Link Group Member Ports 1-3; Displaying and Maintaining Monitor Link 1-3; Monitor Link Configuration Example 1-4...
  • Page 804: Monitor Link Configuration

    Monitor Link Configuration When configuring monitor link, go to these sections for information you are interested in: Overview Configuring Monitor Link Displaying and Maintaining Monitor Link Monitor Link Configuration Example Overview Monitor link is a port collaboration function. Monitor link is usually used in conjunction with Layer 2 topology protocols.
  • Page 805: How Monitor Link Works

    Uplink/Downlink ports Uplink port and downlink port are two port roles in monitor link groups: Uplink ports refer to the monitored ports. The state of a monitor link group adapts to that of its member uplink ports. When a monitor link group contains no uplink port or all the uplink ports are down, the monitor link group becomes down;...
  • Page 806: Configuring Monitor Link Group Member Ports

    Configuring Monitor Link Group Member Ports You can configure member ports for a monitor link group either in monitor link group view or interface view. The configurations made in these two views lead to the same result. In monitor link group view Follow these steps to configure member ports for a monitor link group in monitor link group view: To do…...
  • Page 807: Monitor Link Configuration Example

    Monitor Link Configuration Example Network requirements As shown in Figure 1-2: VLANs 1 through 10, 11 through 20, and 21 through 30 are mapped to MSTIs 0, 1, and 2 respectively. Traffic of VLANs 1 through 30 on Device C is dual-uplinked to Device A through a smart link group.
  • Page 808 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30 [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable [DeviceC-GigabitEthernet1/0/2] port link-type trunk [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceC-GigabitEthernet1/0/2] quit # Create smart link group 1, and configure all the VLANs mapped to MSTIs 0 through 2 as the protected VLANs for smart link group 1.
  • Page 809 [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30 [DeviceB-GigabitEthernet1/0/1] smart-link flush enable [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-type trunk [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceB-GigabitEthernet1/0/2] smart-link flush enable [DeviceB-GigabitEthernet1/0/2] quit # Create monitor link group 1, and then configure GigabitEthernet 1/0/1 as an uplink port and GigabitEthernet 1/0/2 as a downlink port for monitor link group 1.
  • Page 810 Member Role Status ------------------------------------------ GigabitEthernet1/0/1 UPLINK GigabitEthernet1/0/2 DOWNLINK UP # Check information about monitor link group 1 on Device D. [DeviceD] display monitor-link group 1 Monitor link group 1 information: Group status: DOWN Last-up-time: 16:35:27 2009/4/21 Last-down-time: 16:37:19 2009/4/21 Member Role Status ------------------------------------------...
  • Page 811 Table of Contents: 1 RRPP Configuration 1-1; RRPP Overview 1-1; Background 1-1; Basic Concepts in RRPP 1-2; RRPPDUs 1-4; RRPP Timers 1-5; How RRPP Works 1-5; Typical RRPP Networking 1-7; Protocols and Standards 1-9; RRPP Configuration Task List 1-9; Creating an RRPP Domain 1-10; Configuring Control VLANs 1-11; Configuring Protected VLANs 1-11; Configuring RRPP Rings 1-12...
  • Page 812: Rrpp Overview

    RRPP Configuration When configuring RRPP, go to these sections for information you are interested in: RRPP Overview RRPP Configuration Task List Creating an RRPP Domain Configuring Control VLANs Configuring Protected VLANs Configuring RRPP Rings Activating an RRPP Domain Configuring RRPP Timers Configuring an RRPP Ring Group Displaying and Maintaining RRPP RRPP Configuration Examples...
  • Page 813: Basic Concepts In Rrpp

    Basic Concepts in RRPP Figure 1-1 RRPP networking diagram RRPP domain The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, secondary port, common port, and edge port.
  • Page 814 IP address configuration is prohibited on the control VLAN interfaces. Data VLAN A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN. Node Each device on an RRPP ring is referred to as a node. The role of a node is configurable. There are the following node roles: Master node: Each ring has one and only one master node.
  • Page 815: Rrppdus

    Common port and edge port The ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2.
  • Page 816: Rrpp Timers

    RRPPDUs of subrings are transmitted as data packets in the primary ring, while RRPPDUs of the primary ring can only be transmitted within the primary ring. RRPP Timers When RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the Hello timer and determines whether its secondary port receives the Hello packets based on the Fail timer.
  • Page 817 while sending Common-Flush-FDB packet to instruct all the transit nodes, the edge nodes and the assistant-edge nodes to update their own MAC entries and ARP/ND entries. After each node updates its own entries, traffic is switched to the normal link. Ring recovery The master node may find the ring is restored after a period of time after the ports belonging to the RRPP domain on the transit nodes, the edge nodes, or the assistant-edge nodes are brought up again.
  • Page 818: Typical Rrpp Networking

    Typical RRPP Networking Here are several typical networking applications. Single ring As shown in Figure 1-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain. Figure 1-2 Schematic diagram for a single-ring network Tangent rings As shown in Figure...
  • Page 819 Figure 1-4 Schematic diagram for an intersecting-ring network Dual homed rings As shown in Figure 1-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring and the other rings as subrings.
  • Page 820: Protocols And Standards

    Figure 1-6 Schematic diagram for a single-ring load balancing network (figure labels: Device A, Device B, Device C, Device D; Ring 1 in Domain 1 and Domain 2). Intersecting-ring load balancing In an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 1-7, Ring 1 is the primary ring and Ring 2 is the subring in both Domain 1 and...
  • Page 821: Creating An Rrpp Domain

    Complete the following tasks to configure RRPP: Task / Remarks: Creating an RRPP Domain: Required. Perform this task on all nodes in the RRPP domain. Configuring Control VLANs: Required. Perform this task on all nodes in the RRPP domain. Configuring Protected VLANs: Required. Perform this task on all nodes in the RRPP domain.
  • Page 822: Configuring Control Vlans

    Configuring Control VLANs Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured. Follow these steps to configure control VLANs: To do…...
  • Page 823: Configuring Rrpp Rings

    Configuring RRPP Rings When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes. RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggregate interfaces and cannot be member ports of any aggregation group, service loopback group, or smart link group.
  • Page 824: Configuring Rrpp Nodes

    For detailed information about the port link-type trunk command and port trunk permit vlan { vlan-id-list | all } command, refer to VLAN Commands in the Access Volume. For detailed information about the undo stp enable command, refer to MSTP Commands in the Access Volume.
  • Page 825 To do… Use the command… Remarks Enter system view system-view — Enter RRPP domain view — rrpp domain domain-id ring ring-id node-mode transit Specify the current device as a [ primary-port interface-type transit node of the ring, and interface-number ] [ secondary-port Required specify the primary port and the interface-type interface-number ] level...
  • Page 826: Activating An Rrpp Domain

    Activating an RRPP Domain To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain. Follow these steps to activate an RRPP domain: To do…...
  • Page 827: Configuring An Rrpp Ring Group

    The Fail timer value must be equal to or greater than three times the Hello timer value. To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node of the primary ring is greater than twice the Hello timer value of the master node of the subring.
  • Page 828: Displaying And Maintaining Rrpp

    Displaying and Maintaining RRPP To do… / Use the command… / Remarks: Display brief RRPP information: display rrpp brief. Display RRPP group configuration information: display rrpp ring-group [ ring-group-id ]. Display detailed RRPP domain information: display rrpp verbose domain domain-id [ ring ring-id ]. Display RRPP statistics: display rrpp statistics domain... (All available in any view.)
  • Page 829 <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] undo stp enable [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all [DeviceA-GigabitEthernet1/0/1] qos trust dot1p [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] undo stp enable [DeviceA-GigabitEthernet1/0/2] port link-type trunk [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceA-GigabitEthernet1/0/2] qos trust dot1p [DeviceA-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and...
  • Page 830: Intersecting Ring Configuration Example

    [DeviceB] rrpp domain 1 [DeviceB-rrpp-domain1] control-vlan 4092 [DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16 # Configure Device B as the transit node of primary ring 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1. [DeviceB-rrpp-domain1] ring node-mode...
  • Page 831 Figure 1-9 Network diagram for intersecting rings configuration Configuration procedure Configuration on Device A # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 832 [DeviceA] rrpp enable Configuration on Device B # Disable STP on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3, configure the ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets. <DeviceB>...
  • Page 833 <DeviceC> system-view [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all [DeviceC-GigabitEthernet1/0/1] qos trust dot1p [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable [DeviceC-GigabitEthernet1/0/2] port link-type trunk [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceC-GigabitEthernet1/0/2] qos trust dot1p [DeviceC-GigabitEthernet1/0/2] quit [DeviceC] interface gigabitethernet 1/0/3...
  • Page 834 [DeviceD-GigabitEthernet1/0/1] qos trust dot1p [DeviceD-GigabitEthernet1/0/1] quit [DeviceD] interface gigabitethernet 1/0/2 [DeviceD-GigabitEthernet1/0/2] undo stp enable [DeviceD-GigabitEthernet1/0/2] port link-type trunk [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceD-GigabitEthernet1/0/2] qos trust dot1p [DeviceD-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
  • Page 835: Intersecting-Ring Load Balancing Configuration Example

    [DeviceE-rrpp-domain1] ring node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 1 [DeviceE-rrpp-domain1] ring 2 enable [DeviceE-rrpp-domain1] quit # Enable RRPP. [DeviceE] rrpp enable Verification After the configuration, you can use the display command to view RRPP configuration and operational information on each device.
  • Page 836 Configuration procedure Configuration on Device A # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration. <DeviceA> system-view [DeviceA] vlan 10 [DeviceA-vlan10] quit [DeviceA] vlan 20 [DeviceA-vlan20] quit [DeviceA] stp region-configuration [DeviceA-mst-region] instance 1 vlan 10 [DeviceA-mst-region] instance 2 vlan 20...
  • Page 837 [DeviceA] rrpp domain 2 [DeviceA-rrpp-domain2] control-vlan 105 [DeviceA-rrpp-domain2] protected-vlan reference-instance 2 # Configure Device A as the master node of primary ring 1, with GigabitEthernet 1/0/2 as the master port and GigabitEthernet 1/0/1 as the secondary port, and enable ring 1. [DeviceA-rrpp-domain2] ring node-mode...
  • Page 838 [DeviceB-GigabitEthernet1/0/3] port link-type trunk [DeviceB-GigabitEthernet1/0/3] undo port trunk permit vlan 1 [DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 20 [DeviceB-GigabitEthernet1/0/3] qos trust dot1p [DeviceB-GigabitEthernet1/0/3] quit # Disable STP on GigabitEthernet 1/0/4, configure the port as a trunk port, remove it from VLAN 1, and assign it to VLAN 10, and configure it to trust the 802.1p precedence of the received packets.
  • Page 839 # Enable RRPP. [DeviceB] rrpp enable Configuration on Device C # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration. <DeviceC> system-view [DeviceC] vlan 10 [DeviceC-vlan10] quit [DeviceC] vlan 20 [DeviceC-vlan20] quit [DeviceC] stp region-configuration...
  • Page 840 [DeviceC-GigabitEthernet1/0/4] port link-type trunk [DeviceC-GigabitEthernet1/0/4] undo port trunk permit vlan 1 [DeviceC-GigabitEthernet1/0/4] port trunk permit vlan 10 [DeviceC-GigabitEthernet1/0/4] qos trust dot1p [DeviceC-GigabitEthernet1/0/4] quit # Create RRPP domain 1, configure VLAN 10 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
  • Page 841 [DeviceD] vlan 20 [DeviceD-vlan20] quit [DeviceD] stp region-configuration [DeviceD-mst-region] instance 1 vlan 10 [DeviceD-mst-region] instance 2 vlan 20 [DeviceD-mst-region] active region-configuration [DeviceD-mst-region] quit # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
  • Page 842 [DeviceD-rrpp-domain2] quit # Enable RRPP. [DeviceD] rrpp enable Configuration on Device E # Create VLAN 20, map VLAN 20 to MSTI 2, and activate MST region configuration. <DeviceE> system-view [DeviceE] vlan 20 [DeviceE-vlan20] quit [DeviceE] stp region-configuration [DeviceE-mst-region] instance 2 vlan 20 [DeviceE-mst-region] active region-configuration [DeviceE-mst-region] quit # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk...
  • Page 843 <DeviceF> system-view [DeviceF] vlan 10 [DeviceF-vlan10] quit [DeviceF] stp region-configuration [DeviceF-mst-region] instance 1 vlan 10 [DeviceF-mst-region] active region-configuration [DeviceF-mst-region] quit # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10, and configure them to trust the 802.1p precedence of the received packets.
  • Page 844: Troubleshooting

    [DeviceC-rrpp-ring-group1] domain 2 ring 2 [DeviceC-rrpp-ring-group1] domain 1 ring 3 Verification After the configuration, you can use the display command to view RRPP configuration and operational information on each device. Troubleshooting Symptom: When the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port.
  • Page 845 Table of Contents: 1 DLDP Configuration 1-1; Overview 1-1; Background 1-1; How DLDP Works 1-2; DLDP Configuration Task List 1-8; Enabling DLDP 1-9; Setting DLDP Mode 1-9; Setting the Interval for Sending Advertisement Packets 1-10; Setting the DelayDown Timer 1-10; Setting the Port Shutdown Mode 1-11; Configuring DLDP Authentication 1-12; Resetting DLDP State 1-12; Displaying and Maintaining DLDP 1-13...
  • Page 846: Dldp Configuration

    DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: Overview DLDP Configuration Task List Enabling DLDP Setting DLDP Mode Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication Resetting DLDP State Displaying and Maintaining DLDP...
  • Page 847: How Dldp Works

    Figure 1-1 Correct and incorrect fiber connections (figure labels: correct fiber connection; unidirectional connection type 1, cross-connected fibers; unidirectional connection type 2, one fiber of a fiber pair is not connected or is broken; Device A, ports GE1/0/50 and GE1/0/51)...
  • Page 848 State Indicates… All neighbors are bi-directionally reachable or DLDP has been in Advertisement active state for more than five seconds. This is a relatively stable state where no unidirectional link has been detected. DLDP enters this state if it receives a packet from an unknown neighbor.
  • Page 849 DLDP timer Description In the enhanced mode, this timer is triggered if no packet is received from a neighbor when the entry aging timer expires. Enhanced timer is set to 1 second. Enhanced timer After the Enhanced timer is triggered, the device sends up to eight probe packets to the neighbor at a frequency of one packet per second.
  • Page 850 Figure 1-2 A scenario for the Enhanced DLDP mode GE1/0/50 GE1/0/50 (up) (down) Device A Device B Ethernet Tx end Rx end optical port Fiber link Unconnected or broken fiber In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1 ) can be detected.
  • Page 851 Table 1-4 DLDP packet types and DLDP states DLDP state Type of DLDP packets sent Active Advertisement packet with RSY tag Advertisement Normal Advertisement packet Probe Probe packet Disable Disable packet and RecoverProbe packet When a device transits from a DLDP state other than Inactive state or Disable state to Initial state, it sends Flush packets.
  • Page 852 Packet type Processing procedure If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and transits to Probe state. If the neighbor information it carries conflicts with the corresponding locally Retrieves the maintained neighbor entry, drops the Echo packet neighbor packet.
  • Page 853: Dldp Configuration Task List

    The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor information in the RecoverEcho packet is the same as the local port information.
  • Page 854: Enabling Dldp

    For DLDP to work properly, enable DLDP on both sides and make sure these settings are consistent: the interval for sending Advertisement packets, DLDP authentication mode, and password. DLDP does not process any link aggregation control protocol (LACP) events. The links in an aggregation are treated as individual links in DLDP.
  • Page 855: Setting The Interval For Sending Advertisement Packets

    Enhanced mode: In this mode, DLDP actively detects neighbors when the corresponding neighbor entries age out. The system can thus identify two types of unidirectional links: cross-connected fibers and disconnected fibers. Follow these steps to set DLDP mode: To do… Use the command…...
  • Page 856: Setting The Port Shutdown Mode

    To do… / Use the command… / Remarks. Enter system view: system-view. Set the DelayDown timer (optional): dldp delaydown-timer time; 1 second by default. The DelayDown timer setting applies to all DLDP-enabled ports. Setting the Port Shutdown Mode On detecting a unidirectional link, the ports can be shut down in one of the following two modes. Manual mode.
  • Page 857: Configuring Dldp Authentication

    Configuring DLDP Authentication You can guard your network against attacks and vicious probes by configuring an appropriate DLDP authentication mode, which can be clear text authentication or MD5 authentication. If your network is safe, you can choose not to authenticate. Follow these steps to configure DLDP authentication: To do…...
  • Page 858: Displaying And Maintaining Dldp

    Resetting DLDP State in Port view/Port Group View Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down by DLDP. Follow these steps to reset DLDP state in port view/port group view: To do…...
  • Page 859 Configuration procedure Configuration on Device A # Enable DLDP globally and then on GigabitEthernet1/0/50 and GigabitEthernet 1/0/51 respectively. <DeviceA> system-view [DeviceA] dldp enable [DeviceA] interface gigabitethernet 1/0/50 [DeviceA-GigabitEthernet1/0/50] dldp enable [DeviceA-GigabitEthernet1/0/50] quit [DeviceA] interface gigabitethernet 1/0/51 [DeviceA-GigabitEthernet1/0/51] dldp enable [DeviceA-GigabitEthernet1/0/51] quit # Set the interval for sending Advertisement packets to 6 seconds.
  • Page 860 DLDP global status : enable DLDP interval : 6s DLDP work-mode : enhance DLDP authentication-mode : none DLDP unidirectional-shutdown : auto DLDP delaydown-timer : 2s The number of enabled ports is 2. Interface GigabitEthernet1/0/50 DLDP port state : disable DLDP link state : down The neighbor number of the port is 0.
  • Page 861: Troubleshooting

    Neighbor port index : 59 Neighbor state : two way Neighbor aged time : 11 The output information indicates that both GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 are in Advertisement state and the links are up, which means unidirectional links are not detected and the two ports are restored.
  • Page 862 Table of Contents: 1 Ethernet OAM Configuration 1-1; Ethernet OAM Overview 1-1; Background 1-1; Major Functions of Ethernet OAM 1-1; Ethernet OAMPDUs 1-1; How Ethernet OAM Works 1-3; Standards and Protocols 1-6; Ethernet OAM Configuration Task List 1-6; Configuring Basic Ethernet OAM Functions 1-6; Configuring Link Monitoring 1-7; Configuring Errored Symbol Event Detection 1-7; Configuring Errored Frame Event Detection 1-7...
  • Page 863: Ethernet Oam Configuration

    Ethernet OAM Configuration When configuring the Ethernet OAM function, go to these sections for information you are interested in: Ethernet OAM Overview Ethernet OAM Configuration Task List Configuring Basic Ethernet OAM Functions Configuring Link Monitoring Enabling OAM Remote Loopback Displaying and Maintaining Ethernet OAM Configuration Ethernet OAM Configuration Example Ethernet OAM Overview Background...
  • Page 864 Figure 1-1 Formats of different types of Ethernet OAMPDUs. The fields in an OAMPDU are described as follows: Table 1-1 Description of the fields in an OAMPDU (Field / Description). Dest addr: Destination MAC address of the Ethernet OAMPDU. It is a slow protocol multicast address 0180c2000002. As slow protocol packets cannot be forwarded by bridges, Ethernet OAMPDUs cannot be forwarded.
  • Page 865: How Ethernet Oam Works

    Table 1-2 Functions of different types of OAMPDUs (OAMPDU type / Function). Information OAMPDU: Used for transmitting state information of an Ethernet OAM entity (including the information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and maintaining OAM connections. Event OAMPDU: Used by link monitoring to notify the remote OAM entity when it detects problems...
  • Page 866 OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. No OAM connection can be established between OAM entities operating in passive OAM mode. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs periodically to keep the Ethernet OAM connection valid.
  • Page 867 An unexpected fault, such as power failure, occurred. Critical event An undetermined critical event happened. The support of 3Com Switch 4500G family for information OAMPDUs carrying critical link events is as follows: 3Com Switch 4500G family are able to receive information OAMPDUs carrying the critical link...
  • Page 868: Standards And Protocols

    Remote loopback enables you to check the link status and locate link failures. Performing remote loopback periodically helps to detect network faults in time. Furthermore, performing remote loopback by network segments helps to locate network faults. Standards and Protocols Ethernet OAM is defined in IEEE 802.3h (Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications).
  • Page 869: Configuring Link Monitoring

    Configuring Link Monitoring After Ethernet OAM connections are established, the link monitoring periods and thresholds configured in this section take effect on all Ethernet ports automatically. Configuring Errored Symbol Event Detection An errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold.
  • Page 870: Configuring Errored Frame Seconds Event Detection

    To do… / Use the command… / Remarks. Configure the errored frame period event detection period (optional): oam errored-frame-period period period-value; 1000 milliseconds by default. Configure the errored frame period event triggering threshold (optional): oam errored-frame-period threshold threshold-value; 1 by default. Configuring Errored Frame Seconds Event Detection An errored frame seconds event occurs when the number of error frame seconds detected on a port over a detection interval exceeds the error threshold.
  • Page 871: Displaying And Maintaining Ethernet Oam Configuration

    Because enabling Ethernet OAM remote loopback impacts other services, use this function with caution. Ethernet OAM remote loopback is available only after the Ethernet OAM connection is established and can be performed only by the Ethernet OAM entities operating in active Ethernet OAM mode. Remote loopback is available only on full-duplex links that support remote loopback at both ends.
  • Page 872: Ethernet Oam Configuration Example

    Ethernet OAM Configuration Example Network requirements Enable Ethernet OAM on Device A and Device B to auto-detect link errors between the two devices. Monitor the performance of the link between Device A and Device B by collecting statistics about the error frames received by Device A. Figure 1-2 Network diagram for Ethernet OAM configuration Configuration procedure Configure Device A...
  • Page 873 Errored-frame Event threshold Errored-frame-period Event period(in ms) 1000 Errored-frame-period Event threshold Errored-frame-seconds Event period(in seconds) Errored-frame-seconds Event threshold According to the above output information, the detection period of errored frame events is 20 seconds, the detection threshold is 10 seconds, and all the other parameters use the default values. You can use the display oam critical-event command to display the statistics of Ethernet OAM critical link events.
  • Page 874 Table of Contents: 1 CFD Configuration 1-1; Overview 1-1; Basic Concepts in CFD 1-1; CFD Functions 1-4; Protocols and Standards 1-4; CFD Configuration Task List 1-4; Basic Configuration Tasks 1-5; Configuring Service Instance 1-5; Configuring MEP 1-6; Configuring MIP Generation Rules 1-6; Configuring CC on MEPs 1-7; Configuration Prerequisites 1-7; Configuring Procedure 1-7; Configuring LB on MEPs 1-8...
  • Page 875: Overview

    CFD Configuration When configuring CFD, go to these sections for information you are interested in: Overview CFD Configuration Task List Basic Configuration Tasks Configuring CC on MEPs Configuring LB on MEPs Configuring LT on MEPs Displaying and Maintaining CFD CFD Configuration Examples Overview Connectivity Fault Detection (CFD), which conforms to Connectivity Fault Management (CFM) defined by IEEE 802.1ag, is an end-to-end per-VLAN link layer Operations, Administration and Maintenance...
  • Page 876 Figure 1-1 Two nested MDs CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to rapidly locate failure points. Maintenance association A maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is identified by the “MD name + MA name”.
  • Page 877 As shown in Figure 1-2, an outward-facing MEP sends packets to its host port. Figure 1-3 Inward-facing MEP As shown in Figure 1-3, an inward-facing MEP does not send packets to its host port. Rather, it sends packets to other ports on the device. A MIP is internal to an MD.
  • Page 878: Cfd Functions

    CFD Functions CFD works effectively only in properly-configured networks. Its functions, which are implemented through the MPs, include: Continuity check (CC) Loopback (LB) Linktrace (LT) Continuity check Continuity check is responsible for checking the connectivity between MEPs. Connectivity faults are usually caused by device faults or configuration errors.
  • Page 879: Basic Configuration Tasks

    Tasks / Remarks. Basic Configuration Tasks (required): These configurations are the foundation for other configuration tasks. Configuring CC on MEPs (required): Configuring the MEPs to send CCMs to manage link connectivity. Configuring LB on MEPs (optional): Checking link state by testing link connectivity. Configuring LT on MEPs (optional): Tracing link fault and finding the path between the source MEP and...
  • Page 880: Configuring Mep

    To do... / Use the command... / Remarks. Create an MD (required): cfd md md-name level level-value; not created by default. Create an MA (required): cfd ma ma-name md md-name vlan vlan-id; not created by default. Create a service instance (required): cfd service-instance instance-id md md-name ma ma-name; not created by default. These configuration tasks are the foundation for other CFD configuration tasks.
  • Page 881: Configuring Cc On Meps

    To do... / Use the command... / Remarks. Enter system view: system-view. Configure the rules for generating MIPs (required): cfd mip-rule { explicit | default } service-instance instance-id. By default, neither the MIPs nor the rules for generating MIPs are configured. MIPs are generated on each port automatically according to the rules specified in the cfd mip-rule command.
  • Page 882: Configuring Lb On Meps

    To do... / Use the command... / Remarks. Enable CCM sending on a MEP (required): cfd cc service-instance instance-id mep mep-id enable; disabled by default. The relationship between the interval field value in the CCM messages, the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1-2.
  • Page 883: Configuration Prerequisites

    To implement the first function, the specified MEP first sends LTM messages to the target MEP. Based on the LTR messages in response to the LTM messages, the path between the two MEPs can be identified. In the latter case, after LT messages automatic sending is enabled, if a MEP fails to receive the CCMs from the remote MEP within 3.5 sending intervals, the link between the two is regarded as faulty and LTMs will be sent out.
  • Page 884: Cfd Configuration Examples

    To do... / Use the command... / Remarks. Display LTR information received by a MEP: display cfd linktrace-reply [ service-instance instance-id [ mep mep-id ] ]; available in any view. Display the information of a remote MEP: display cfd remote-mep service-instance instance-id mep mep-id; available in any view. Display the content of the LTR...
  • Page 885: Configuring Mep And Enabling Cc On It

    [DeviceA] cfd enable [DeviceA] cfd md MD_A level 5 [DeviceA] cfd ma MA_MD_A md MD_A vlan 100 [DeviceA] cfd service-instance 1 md MD_A ma MA_MD_A Configuration on Device C <DeviceC> system-view [DeviceC] cfd enable [DeviceC] cfd md MD_B level 3 [DeviceC] cfd ma MA_MD_B md MD_B vlan 100 [DeviceC] cfd service-instance 2 md MD_B ma MA_MD_B Configuration on Device B (configuration on Device D is the same as that on Device B)
  • Page 886 Figure 1-6 Network diagram of MD and MEP configuration Configuration procedure On Device A <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] cfd mep 1001 service-instance 1 inbound [DeviceA-GigabitEthernet1/0/1] cfd remote-mep 5001 service-instance 1 mep 1001 [DeviceA-GigabitEthernet1/0/1] cfd remote-mep 4002 service-instance 1 mep 1001 [DeviceA-GigabitEthernet1/0/1] cfd mep service-instance 1 mep 1001 enable [DeviceA-GigabitEthernet1/0/1] cfd cc service-instance 1 mep 1001 enable On Device B...
  • Page 887: Configuring The Rules For Generating Mips

    [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 1001 service-instance 1 mep 5001 [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 4002 service-instance 1 mep 5001 [DeviceE-GigabitEthernet1/0/4] cfd mep service-instance 1 mep 5001 enable [DeviceE-GigabitEthernet1/0/4] cfd cc service-instance 1 mep 5001 enable After the above configuration, you can use the commands display cfd mp and display cfd mep to verify your configuration.
  • Page 888: Configuring Lb On Meps

    Configuring LB on MEPs Network requirements Use the LB function to trace the fault source after CC detects a link fault. As shown in Figure 1-6, enable LB on Device A so that Device A can send LBM messages to MEPs on Device D.
  • Page 889 Table of Contents: 1 Track Configuration 1-1; Track Overview 1-1; Collaboration Between the Track Module and the Detection Modules 1-1; Collaboration Between the Track Module and the Application Modules 1-2; Track Configuration Task List 1-2; Configuring Collaboration Between the Track Module and the Detection Modules 1-2; Configuring Track-NQA Collaboration 1-2; Configuring Collaboration Between the Track Module and the Application Modules 1-3; Configuring Track-Static Routing Collaboration 1-3...
  • Page 890: Track Overview

    Track Configuration When configuring Track, go to these sections for information you are interested in: Track Overview Track Configuration Task List Configuring Collaboration Between the Track Module and the Detection Modules Configuring Collaboration Between the Track Module and the Application Modules Displaying and Maintaining Track Object(s) Track Configuration Examples Track Overview...
  • Page 891: Collaboration Between The Track Module And The Application Modules

    If the probe result is invalid (for example, the NQA test group collaborating with the track entry does not exist), the status of the track entry is Invalid. At present, the only detection module that can collaborate with the Track module is the Network Quality Analyzer (NQA).
  • Page 892: Configuring Collaboration Between The Track Module And The Application Modules

    When you configure a Track object, the specified NQA test group and Reaction entry can be nonexistent. In this case, the status of the configured Track object is Invalid. Configuring Collaboration Between the Track Module and the Application Modules Configuring Track-Static Routing Collaboration You can check the validity of a static route in real time by establishing collaboration between Track and static routing.
  • Page 893: Displaying And Maintaining Track Object

    For the configuration of Track-Static Routing collaboration, the specified static route can be an existent or nonexistent one. For an existent static route, the static route and the specified Track object are associated directly; for a nonexistent static route, the system creates the static route and then associates it with the specified Track object.
  • Page 894 # Configure the address of the next hop of the static route to Switch C as 10.2.1.1, and configure the static route to associate with Track object 1. <SwitchA> system-view [SwitchA] ip route-static 10.1.1.2 24 10.2.1.1 track 1 Configure an NQA test group on Switch A. # Create an NQA test group with the administrator admin and the operation tag test.
  • Page 895 127.0.0.1/32 Direct 0 127.0.0.1 InLoop0 The output information above indicates the NQA test result, that is, the next hop 10.2.1.1 is reachable (the status of the Track object is Positive), and the configured static route is valid. # Remove the IP address of interface VLAN-interface 3 on Switch B. <SwitchB>...
  • Page 896 System Volume Organization Manual Version 6W101-20100310 Product Version V05.02.00 Organization The System Volume is organized as follows: Features Description Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: How to log in to your Ethernet switch Introduction to the user interface and common configurations Logging In Through the Console Port Login...
  • Page 897 Features Description A major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes: File System File system management Management Configuration File Management FTP configuration...
  • Page 898 Features Description The Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes: PoE overview Configuring the PoE Interface Configuring PoE power management Configuring the PoE monitoring function Online upgrading the PSE processing software Configuring a PD Disconnection Detection Mode Enabling the PSE to detect nonstandard PDs...
  • Page 899 Features Description A stack is a set of network devices. Administrators can group multiple network devices into a stack and manage them as a whole. Therefore, stack management can help reduce customer investments and simplify network management. This document describes: Stack Management Stack Configuration Overview Configuring the Master Device of a Stack...
  • Page 900 Table of Contents: 1 Logging In to an Ethernet Switch 1-1; Logging In to an Ethernet Switch 1-1; Introduction to User Interface 1-1; Supported User Interfaces 1-1; Users and User Interfaces 1-2; User Interface Number 1-2; Common User Interface Configuration 1-2; 2 Logging In Through the Console Port 2-1; Introduction 2-1; Setting Up the Connection to the Console Port 2-1; Console Port Login Configuration 2-3...
  • Page 901 Configuration procedure 4-3; Command Accounting Configuration Example 4-4; Network diagram 4-4; Configuration procedure 4-4; 5 Logging in Through Web-based Network Management System 5-1; Introduction 5-1; Web Server Configuration 5-1; Displaying Web Users 5-2; Configuration Example 5-2; 6 Logging In Through NMS 6-1; Introduction 6-1; Connection Establishment Using NMS 6-1; 7 Specifying Source for Telnet Packets 7-1; Introduction 7-1...
  • Page 902: Logging In To An Ethernet Switch

    Logging In to an Ethernet Switch When logging in to an Ethernet switch, go to these sections for information you are interested in: Logging In to an Ethernet Switch Introduction to User Interface Specifying Source for Telnet Packets Controlling Login Users Logging In to an Ethernet Switch You can log in to a 3Com Switch 4500G in one of the following ways: Logging In Through the Console Port...
  • Page 903: Users And User Interfaces

    Users and User Interfaces A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the idle user interface of the type matching the login type with the smallest number to the user.
  • Page 904 To do… / Use the command… / Remarks. Display the information about the current user interface/all user interfaces: display users [ all ]; you can execute this command in any view. Display the physical attributes and configuration of the current/a specified user interface: display user-interface [ type number | number ] [ summary ]; you can execute this command in any view...
  • Page 905: Logging In Through The Console Port

    Logging In Through the Console Port When logging in through the Console port, go to these sections for information you are interested in: Introduction Setting Up the Connection to the Console Port Console Port Login Configuration Console Port Login Configuration with Authentication Mode Being None Console Port Login Configuration with Authentication Mode Being Password Console Port Login Configuration with Authentication Mode Being Scheme Configuring Command Authorization...
  • Page 906 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
  • Page 907 Figure 2-4 Set port parameters terminal window Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <4500G>) appears after the user presses the Enter key. The default username is “admin”...
  • Page 908 Configuration / Description. Check mode (optional): parity { even | mark | none | odd | space }; by default, the check mode of the Console port is set to “none”, which means no check bit. Stop bits (optional): stopbits { 1 | 1.5 | 2 }; the default stop bits of a Console port is 1.
  • Page 909 Console Port Login Configurations for Different Authentication Modes Table 2-3 lists Console port login configurations for different authentication modes. Table 2-3 Console port login configurations for different authentication modes (Authentication mode / Configuration / Description). None: Configure not to authenticate users; refer to Console Port Login Configuration with Authentication Mode Being None for details.
  • Page 910 Configuration Example Network requirements Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following aspects.
  • Page 911 [Sysname-ui-aux0] idle-timeout 6 After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
  • Page 912 Network diagram Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password) Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate the user logging in through the Console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text).
  • Page 913 Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to perform Console port login configuration (with authentication mode being scheme): To do… Use the command… Remarks Enter system view system-view — Enter AUX user interface user-interface aux 0 —...
  • Page 914 Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
  • Page 915 # Create a local user named guest and enter local user view. [Sysname] local-user guest # Set the authentication password to 123456 (in plain text). [Sysname-luser-guest] password simple 123456 # Set the service type to Terminal. [Sysname-luser-guest] service-type terminal [Sysname-luser-guest] quit # Enter AUX user interface view.
  • Page 916 Follow these steps to enable command authorization: To do… / Use the command… / Remarks. Enter system view: system-view. Enter AUX user interface view: user-interface aux 0. Enable command authorization (required): command authorization; disabled by default, that is, users can execute commands without authorization.
  • Page 917: Setting Up The Connection To The Console Port

    Logging In Through Telnet/SSH Logging In Through Telnet When logging in through Telnet, go to these sections for information you are interested in: Introduction Telnet Connection Establishment Telnet Login Configuration with Authentication Mode Being None Telnet Login Configuration with Authentication Mode Being Password Telnet Login Configuration with Authentication Mode Being Scheme Configuring Command Authorization Configuring Command Accounting...
  • Page 918 # Enable the Telnet server function and configure the IP address of the management VLAN interface as 202.38.160.92, and the subnet mask as 255.255.255.0. <Sysname> system-view [Sysname] telnet server enable [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 202.38.160.92 255.255.255.0 Step 2: Before Telnet users can log in to the switch, the corresponding configurations should have been performed on the switch according to the authentication mode chosen for them.
  • Page 919 Step 6: After successfully Telnetting to a switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands. A Telnet connection will be terminated if you delete or modify the IP address of the VLAN interface in the Telnet session.
  • Page 920: Common Configuration

    Common Configuration Table 3-2 lists the common Telnet configuration. Table 3-2 Common Telnet configuration (Configuration / Remarks): Enter system view: system-view (—). Make the switch operate as a Telnet server: telnet server enable (By default, a switch does not operate as a Telnet server). user-interface vty...
  • Page 921: Configuration Procedure

    Telnet Login Configuration Task List Telnet login configurations vary when different authentication modes are adopted. Table 3-3 Telnet login configuration tasks when different authentication modes are adopted (Task / Description): Telnet Login Configuration with Authentication Mode Being None: Configure not to authenticate users logging in to user interfaces. Configure to authenticate users logging in to user...
  • Page 922: Telnet Login Configuration With Authentication Mode Being Password

    Network diagram Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view, and enable the Telnet service. <Sysname> system-view [Sysname] telnet server enable # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0.
  • Page 923 Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password command and the user privilege level level command. Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0:...
  • Page 924: Telnet Login Configuration With Authentication Mode Being Scheme

    Telnet Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to perform Telnet configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter one or more VTY user interface views: user-interface vty (—)...
  • Page 925 For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume. Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Configure the name of the local user to be “guest”.
  • Page 926: Logging In Through Ssh

    # Configure the Telnet protocol to be supported. [Sysname-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes.
  • Page 927: Configuring Command Accounting

    Configuring Command Accounting Command accounting allows the HWTACACS server to record all executed commands that are supported by the device regardless of the command execution result. This helps control and monitor the user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command will be recorded on the HWTACACS server.
  • Page 928: User Interface Configuration Examples

    User Interface Configuration Examples User Authentication Configuration Example Network diagram As shown in Figure 4-1, command levels should be configured for different users to secure Device: The device administrator accesses Device through the console port on Host A. When the administrator logs in to the device, username and password are not required.
  • Page 929: Command Authorization Configuration Example

    [Device-ui-vty0-4] quit # Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and the RADIUS server type of the scheme to extended.
  • Page 930 Configuration procedure # Assign an IP address to Device to make Device reachable from Host A and the HWTACACS server respectively. The configuration is omitted. # Enable the telnet service on Device. <Device> system-view [Device] telnet server enable # Set to use username and password authentication when users use VTY 0 to log in to Device. The commands that the user can execute depend on the authentication result.
  • Page 931: Command Accounting Configuration Example

    Command Accounting Configuration Example Network diagram As shown in Figure 4-3, configure the commands that the login users execute to be recorded on the HWTACACS server to control and monitor user operations. Figure 4-3 Network diagram for configuring command accounting HWTACACS server 192.168.2.20/24 Console Connection...
  • Page 932 [Device-radius-rad] quit # Create ISP domain system, and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users [Device] domain system [Device-isp-system] accounting command hwtacacs-scheme tac [Device-isp-system] quit...
  • Page 933: Web Server Configuration

    Logging in Through Web-based Network Management System Introduction A 3Com Switch 4500G has a built-in Web server. You can log in to a Switch 4500G through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to a Switch 4500G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
  • Page 934: Displaying Web Users

    To do… / Use the command… / Remarks: Configure the authorization attributes for the local user: authorization-attribute level level (Optional. By default, no authorization attribute is configured for a local user.) Specify the service types for the local user: service-type telnet (Optional. By default, no service is authorized to a user.)
  • Page 935 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 936: Connection Establishment Using Nms

    Logging In Through NMS When logging in through NMS, go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 937: Specifying Source For Telnet Packets

    Specifying Source for Telnet Packets When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction Specifying Source IP address/Interface for Telnet Packets Displaying the source IP address/Interface Specified for Telnet Packets Introduction To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 938: Displaying The Source Ip Address/Interface Specified For Telnet Packets

    To do… / Use the command… / Remarks: Specify source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number } (Optional. By default, no source IP address/interface is specified. The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.)
  • Page 939: Controlling Telnet Users

    Controlling Login Users When controlling login users, go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Introduction Multiple ways are available for controlling different types of login users, as listed in Table 8-1.
  • Page 940: Controlling Telnet Users By Source And Destination Ip Addresses

    To do… / Use the command… / Remarks: Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* (Required). Quit to system view: quit (—)...
  • Page 941: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume. Follow these steps to control Telnet users by source MAC addresses: To do…...
  • Page 942: Controlling Network Management Users By Source Ip Addresses

    Configuration procedure # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 match-order config [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [Sysname-acl-basic-2000] rule 3 deny source any [Sysname-acl-basic-2000] quit # Apply the ACL. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses...
  • Page 943 To do… / Use the command… / Remarks: Apply the ACL while configuring the SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ], or snmp-agent group v3 group-name ... (Remarks: ... configuration customs of NMS users, you can reference an...)
  • Page 944: Controlling Web Users By Source Ip Addresses

    Controlling Web Users by Source IP Addresses The 3Com Switch 4500G supports Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches. Prerequisites The control policies to be implemented on Web users are decided, including the source IP addresses to be controlled and the control action, that is, whether to allow or deny the access.
  • Page 945 Figure 8-3 Configure an ACL to control the access of HTTP users to the switch (Host A 10.110.100.46 and Host B 10.110.100.52 reach the switch over an IP network). Configuration procedure # Create a basic ACL. <Sysname> system-view [Sysname] acl number 2030 match-order config [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0 # Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
  • Page 946 Table of Contents: 1 Basic Configurations 1-1; Configuration Display 1-1; Entering System View 1-2; Exiting the Current View 1-2; Exiting to User View 1-3; Configuring the Device Name 1-3; Configuring the System Clock 1-3; Configuring the system clock 1-3; Displaying the system clock 1-4; Enabling/Disabling the Display of Copyright Information 1-6; Configuring a Banner 1-7; Introduction to banners 1-7...
  • Page 947: Basic Configurations

    Basic Configurations While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display Entering System View Exiting the Current View Exiting to User View Configuring the Device Name Configuring the System Clock Enabling/Disabling the Display of Copyright Information Configuring a Banner Configuring CLI Hotkeys...
  • Page 948: Entering System View

    To do… / Use the command… / Remarks: Display the current validated configurations of the device: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | exclude | include } regular-expression ] ]. Display the configuration saved ...: display saved-configuration...
  • Page 949: Exiting To User View

    Exiting to User View This feature allows you to return to user view easily from any non-user view, without the need to execute the quit command repeatedly. You can also use the hot key Ctrl+Z to return to user view from the current view.
  • Page 950: Displaying The System Clock

    To do… / Use the command… / Remarks: ... clock summer-time zone-name repeating start-time start-date end-time end-date add-time (... is configured on the device, and the UTC time zone is applied.) Displaying the system clock The system clock is decided by the commands clock datetime, clock timezone and clock summer-time.
  • Page 951 Configuration Example / System clock displayed by the display clock command: Configure: clock datetime 1:00 2007/1/1 and clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2. If date-time is not in the daylight saving time range, date-time is displayed. Display: 01:00:00 UTC Mon 01/01/2007. 1 and 3: Configure: clock datetime 8:00...
  • Page 952: Enabling/Disabling The Display Of Copyright Information

    Configuration Example / System clock displayed by the display clock command: Configure: clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. If the value of "date-time"±"zone-offset" is not in the summer-time range, "date-time"±"zone-offset"...
  • Page 953: Configuring A Banner

    To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable the display of copyright information: copyright-info enable (Optional. Enabled by default.) Disable the display of copyright information: undo copyright-info enable (Required. Enabled by default.) Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration.
  • Page 954: Configuring Cli Hotkeys

    Follow these steps to configure a banner: To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the banner to be displayed at login (available for Modem login users): header incoming text (Optional). Configure the banner to be displayed at login authentication: header login text (Optional)...
  • Page 955: Configuring Command Alias

    Hotkey / Function: Ctrl+F Moves the cursor one character to the right. Ctrl+H Deletes the character to the left of the cursor. Ctrl+K Terminates an outgoing connection. Ctrl+N Displays the next command in the history command buffer. Ctrl+P Displays the previous command in the history command buffer. Ctrl+R Redisplays the current line information.
  • Page 956: Configuring User Privilege Levels And Command Levels

    The command alias function lets users define a preferred form for frequently used commands, which simplifies network configuration and accommodates users' usage habits. Follow these steps to configure command aliases: To do… / Use the command… / Remarks: Enter system view: system-view...
  • Page 957: Configuring User Privilege Level

    Level / Privilege / Description: Monitor: Includes commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
  • Page 958 To do… / Use the command… / Remarks: Using remote authentication (RADIUS, HWTACACS, and LDAP authentication): Configure user level on the authentication server. (For remote authentication, if you do not configure the user level, the user level depends on the default configuration and the authentication server.) For the description of user interface, refer to Login Configuration in the System Volume;...
  • Page 959 To do… / Use the command… / Remarks: Configure the authentication type for SSH users as publickey (for the details, refer to SSH2.0 Configuration in the Security Volume): Required if users adopt the SSH login mode, and only username, instead of password, is needed at authentication. After the configuration, the...
  • Page 960 By default, when users telnet to the device, they can only use the following commands after passing the authentication: <Sysname> ? User view commands: cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection super...
  • Page 961: Switching User Privilege Level

    Switching user privilege level Users can switch their user privilege level temporarily without logging out and disconnecting the current connection; after the switch, users can continue to configure the device without the need of relogin and reauthentication, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters;...
  • Page 962: Modifying Command Level

    Modifying command level All the commands in a view have default levels, as shown in Table 1-3. The administrator can modify a command's level based on users' needs, either to let users of a lower level use commands of a higher level or to improve device security. Follow these steps to modify the command level: To do…...
  • Page 963 For the detailed description of the display users command, refer to Login Commands in the System Volume. Support for the display configure-user and display current-configuration command depends on the device model. The display commands discussed above are for the global configuration. Refer to the corresponding section for the display command for specific protocol and interface.
  • Page 964: Cli Features

    CLI Features This section covers the following topics: Introduction to CLI Online Help with Command Lines Synchronous Information Output Undo Form of a Command Editing Features CLI Display Saving History Command Command Line Error Information Introduction to CLI CLI is an interaction interface between devices and users. Through CLI, you can configure your devices by entering commands and view the output information and verify your configurations, thus facilitating your configuration and management of your devices.
  • Page 965: Synchronous Information Output

    bootrom Update/read/backup/restore bootrom Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file List files on a file system display Show running system information ..omitted..
  • Page 966: Undo Form Of A Command

    You can use the info-center synchronous command to enable synchronous information output. For the detailed description of this function, refer to Information Center Configuration in the System Volume. Undo Form of a Command Adding the keyword undo can form an undo command. Almost every configuration command has an undo form.
  • Page 967: Cli Display

    CLI Display By filtering the output information, you can find the wanted information effectively. If there is a lot of information to be displayed, the system displays the information in multiple screens. When the information is displayed in multiple screens, you can also filter the output information to pick up the wanted information.
  • Page 968 Character / Meaning / Remarks: _ (underline): If it is at the beginning or the end of a regular expression, it equals ^ or $; in other cases, it equals ... For example, "a_b" can match "a b" or "a(b"; "_ab" can only match a line starting with "ab";...
  • Page 969: Multiple-Screen Output

    Character / Meaning / Remarks: \Bcharacter: It must match a string containing character, and there can be no spaces before character. For example, "\Bt" can match "t" in "install", but not "t" in "big top". Used to match character1character2. For example, "v\w" can match "vlan",
  • Page 970: Saving History Commands

    Action Function Press Enter when information display pauses Continues to display information of the next line. Press Ctrl+C when information display pauses Stops the display and the command execution. Ctrl+E Moves the cursor to the end of the current line. PageUp Displays information on the previous page.
  • Page 971 Table 2-4 Common command line errors (Error information / Cause): % Unrecognized command found at '^' position: The command was not found; the keyword was not found; parameter type error; the parameter value is beyond the allowed range. % Incomplete command found at '^' position: Incomplete command.
  • Page 972 Table of Contents: 1 Device Management 1-1; Device Management Overview 1-1; Device Management Configuration Task List 1-1; Configuring the Exception Handling Method 1-1; Rebooting a Device 1-2; Configuring the Scheduled Automatic Execution Function 1-3; Upgrading Device Software 1-4; Device Software Overview 1-4; Upgrading the Boot ROM Program Through Command Lines 1-4; Upgrading the Boot File Through Command Lines 1-5; Disabling Boot ROM Access 1-5...
  • Page 973: Device Management Overview

    Device Management When configuring device management, go to these sections for information you are interested in: Device Management Overview Device Management Configuration Task List Configuring the Exception Handling Method Rebooting a Device Configuring the Scheduled Automatic Execution Function Upgrading Device Software Disabling Boot ROM Access Configuring a Detection Interval Clearing the 16-bit Interface Indexes Not Used in the Current System...
  • Page 974: Rebooting A Device

    maintain: The system maintains the current situation, and does not take any measure to recover itself. Therefore, you need to recover the system manually, such as reboot the system. Sometimes, it is difficult for the system to recover, or some prompts that are printed during the failure are lost after the reboot.
  • Page 975: Configuring The Scheduled Automatic Execution Function

    Device reboot may result in the interruption of the ongoing services. Use these commands with caution. Before device reboot, use the save command to save the current configurations. For details about the save command, refer to File System Configuration in the System Volume. Before device reboot, use the commands of display startup and display boot-loader to check if the configuration file and boot file for the next boot are configured.
  • Page 976: Upgrading Device Software

    characters need to be input, the system automatically inputs a default character string, or inputs an empty character string when there is no default character string. For the commands used to switch user interfaces, such as telnet, ftp, and ssh2, the commands used to switch views, such as system-view, quit, and the commands used to modify status of a user that is executing commands, such as super, the operation interface, command view and status of the current user are not changed after the automatic execution function is performed.
  • Page 977: Upgrading The Boot File Through Command Lines

    Upgrading the Boot ROM Program Through Command Lines. Reboot the device to make the specified Boot ROM program take effect. Follow these steps to upgrade the Boot ROM program: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable the validity check ...: bootrom-update... (Optional)
  • Page 978: Configuring A Detection Interval

    whether you press Ctrl+B or not, the system does not enter the Boot ROM menu, but enters the command line configuration interface directly. In addition, you need to set the Boot ROM access password when you enter the Boot ROM menu for the first time to protect the Boot ROM against operations of illegal users.
  • Page 979: Identifying And Diagnosing Pluggable Transceivers

    To do… / Use the command… / Remarks: Clear the 16-bit interface indexes saved but not used in the current system: reset unused porttag (Required. Available in user view. A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter N to cancel the operation, the command will not be executed.)
  • Page 980: Diagnosing Pluggable Transceivers

    To do… / Use the command… / Remarks: Display key parameters of the pluggable transceiver(s): display transceiver interface [ interface-type interface-number ] (Available for all pluggable transceivers.) Display part of the electrical label information of the anti-spoofing pluggable transceiver(s): display transceiver manuinfo interface [ interface-type ... (Available for anti-spoofing transceiver(s).)
  • Page 981: Device Management Configuration Examples

    To do… / Use the command… / Remarks: Display electrical label information of the device: display device manuinfo (Available in any view). Display the temperature information of devices: display environment (Available in any view). Display the operating state of fans in a device: display fan fan-id (Available in any view). Display the usage of the...
  • Page 982 Figure 1-2 Network diagram for remote scheduled automatic upgrade Configuration procedure Configuration on the FTP server (Note that configurations may vary with different types of servers) Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa directory).
  • Page 983 [ftp] get auto-update.txt # Download file new-config.cfg on the FTP server. [ftp] get new-config.cfg # Download file soft-version2.bin on the FTP server. [ftp] binary [ftp] get soft-version2.bin [ftp] bye <Device> # Modify the extension of file auto-update.txt to .bat. <Device> rename auto-update.txt auto-update.bat To ensure correctness of the file, you can use the more command to view the content of the file.
  • Page 984 Table of Contents: 1 File System Management Configuration 1-1; File System Management 1-1; File System Overview 1-1; Filename Formats 1-1; Directory Operations 1-2; File Operations 1-3; Batch Operations 1-5; Storage Medium Operations 1-5; Setting File System Prompt Modes 1-6; File System Operations Example 1-6; Configuration File Management 1-7; Configuration File Overview 1-7; Saving the Current Configuration 1-8...
  • Page 985: File System Management Configuration

    File System Management Configuration When configuring file system management, go to these sections for information you are interested in: File System Management Configuration File Management Displaying and Maintaining Device Configuration File System Management This section covers these topics: File System Overview Filename Formats Directory Operations File Operations...
  • Page 986: Directory Operations

    Format / Description / Length / Example: drive:/[path]/file-name: Specifies a file in the specified storage medium on the device. drive represents the storage medium name. The 3Com Switch 4500G use flashes as ... Length: 1 to 135 characters. Example: flash:/test/a.cfg indicates that a file named a.cfg is in the test folder under the root directory of the flash memory.
  • Page 987: File Operations

    The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories under it. For file deletion, refer to the delete command; for subdirectory deletion, refer to the rmdir command. After you execute the rmdir command successfully, the files in the recycle bin under that directory are automatically deleted.
  • Page 988

    Copying a file
    To do…: Copy a file
    Use the command…: copy fileurl-source fileurl-dest
    Remarks: Required. Available in user view.

    Moving a file
    To do…: Move a file
    Use the command…: move fileurl-source fileurl-dest
    Remarks: Required. Available in user view.

    Deleting a file
    To do…...
  • Page 989: Batch Operations

    To do…: Delete the file under the current directory and in the recycle bin
    Use the command…: reset recycle-bin [ /force ]
    Remarks: Required. Available in user view.

    Batch Operations

    A batch file is a set of executable commands. Executing a batch file equals executing the commands in the batch file one by one.
  • Page 990: Setting File System Prompt Modes

    When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.

    Setting File System Prompt Modes

    The file system provides the following two prompt modes:
      alert: In this mode, the system warns you about operations that may bring undesirable...
  • Page 991: Configuration File Management

    drw- Feb 16 2006 15:28:14 mytest
    15240 KB total (2521 KB free)
    # Return to the upper directory.
    <Sysname> cd ..
    # Display the current working directory.
    <Sysname> pwd
    flash:

    Configuration File Management

    The device provides the configuration file management function with a user-friendly command line interface (CLI) for you to manage the configuration files conveniently.
  • Page 992: Saving The Current Configuration

    Coexistence of multiple configuration files Multiple configuration files can be stored on a storage medium of a device. You can save the configuration used in different environments as different configuration files. In this case, when the device moves between these networking environments, you just need to specify the corresponding configuration file as the startup configuration file for the next boot of the device and restart the device, so that the device can adapt to the network rapidly, saving the configuration workload.
  • Page 993: Specifying A Startup Configuration File For The Next System Startup

    The fast saving mode is suitable for environments where power supply is stable. The safe mode, however, is preferred in environments where stable power supply is unavailable or remote maintenance is involved. Follow the steps below to save the current configuration: To do…...
  • Page 994: Backing Up The Startup Configuration File

    A configuration file must use .cfg as its extension name and the startup configuration file must be saved under the root directory of the storage medium. Backing Up the Startup Configuration File The backup function allows you to copy the startup configuration file to be used at the next system startup from the device to the TFTP server for backup.
  • Page 995: Restoring The Startup Configuration File

    To do…: Delete the startup configuration file for the next startup from the storage medium
    Use the command…: reset saved-configuration [ backup | main ]
    Remarks: Required. Available in user view.

    This command will permanently delete the configuration file from the device. Use it with caution.

    Restoring the Startup Configuration File

    The restore function allows you to copy a configuration file from a TFTP server to the device and specify the file as the startup configuration file to be used at the next system startup.
  • Page 996

    To do…: Display the current configuration
    Use the command…: display current-configuration [ [ configuration [ configuration ] | interface [ interface-type ] [ interface-number ] ] [ by-linenum ] [ | { begin | include | exclude } text ] ]
    Remarks: Available in any view
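    The `| { begin | include | exclude } text` and `by-linenum` options of display commands are the usual way to pick a few lines out of a long running configuration when reviewing a switch. The following is an added example, not code from the manual or from 3Com: it reproduces those filter semantics in Python over a constructed sample configuration so the three modes can be compared side by side. It assumes that `text` is treated as a regular expression and that line numbers refer to positions in the unfiltered output, so the numbers of filtered lines are preserved.

```python
import re
from typing import List, Optional

# Constructed stand-in for 'display current-configuration' output.
# It is not output captured from a real Switch 4500G.
SAMPLE_CONFIG = """\
 sysname Sysname
#
vlan 1
#
vlan 10
 description servers
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 10
#
ftp server enable
#
return"""


def filter_output(text: str, mode: Optional[str] = None, pattern: str = "",
                  by_linenum: bool = False) -> List[str]:
    """Apply the CLI output filter to display output.

    mode:
      None      -> no filtering, every line is returned
      "begin"   -> lines from the first match of pattern to the end
      "include" -> only lines matching pattern
      "exclude" -> only lines not matching pattern
    pattern is a regular expression (assumption: same as the CLI).
    by_linenum prefixes each returned line with its 1-based position in
    the unfiltered output (assumption: numbering happens before filtering).
    """
    lines = text.splitlines()
    selected = list(range(len(lines)))  # indices of lines to keep

    if mode is not None:
        rx = re.compile(pattern)
        if mode == "begin":
            start = next((i for i, l in enumerate(lines) if rx.search(l)), None)
            selected = [] if start is None else list(range(start, len(lines)))
        elif mode == "include":
            selected = [i for i in selected if rx.search(lines[i])]
        elif mode == "exclude":
            selected = [i for i in selected if not rx.search(lines[i])]
        else:
            raise ValueError(f"unknown filter mode: {mode}")

    if not by_linenum:
        return [lines[i] for i in selected]
    width = len(str(len(lines)))
    return [f"{i + 1:>{width}}: {lines[i]}" for i in selected]


if __name__ == "__main__":
    # Equivalent of: display current-configuration | include vlan
    for line in filter_output(SAMPLE_CONFIG, "include", "vlan"):
        print(line)
    print("---")
    # Equivalent of: display current-configuration by-linenum | begin ^interface
    for line in filter_output(SAMPLE_CONFIG, "begin", "^interface", by_linenum=True):
        print(line)
    print("---")
    # Equivalent of: display current-configuration | exclude ^#
    for line in filter_output(SAMPLE_CONFIG, "exclude", "^#"):
        print(line)
```

    Because `begin` keeps everything from the first match onward, it is the mode to use when the section of interest (an interface or a service such as `ftp server`) has indented sub-lines that an `include` filter would drop.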
  • Page 997: Ftp Configuration

    FTP Configuration

    When configuring FTP, go to these sections for information you are interested in:
      FTP Overview
      Configuring the FTP Client
      Configuring the FTP Server
      Displaying and Maintaining FTP

    FTP Overview

    Introduction to FTP

    The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 998

    Table 2-1 Configuration when the device serves as the FTP client
    Device: Device (FTP client)
    Configuration: Use the ftp command to establish the connection to the remote FTP server
    Remarks: If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password...
  • Page 999: Configuring The Ftp Client

    Configuring the FTP Client

    Establishing an FTP Connection

    To access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly, or using the open command in FTP client view.
  • Page 1000: Establishing An Ftp Connection

    If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address will take effect instead of the current source interface, and vice versa.