3Com 4210G Series Configuration Manual

24-port/48-port

3Com Switch 4210G Family

Configuration Guide

Switch 4210G 24-Port
Switch 4210G 48-Port
Switch 4210G NT 24-Port
Switch 4210G NT 48-Port
Switch 4210G PWR 24-Port
Switch 4210G PWR 48-Port
Product Version:
Release 2202
Manual Version:
6W100-20100205
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064


Summary of Contents for 3Com 4210G Series

  • Page 2 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: About This Manual

    About This Manual Organization 3Com Switch 4210G Family Configuration Guide is organized as follows: Volume Features 00-Product Product Overview Acronyms Overview Ethernet Port Link Aggregation Port Isolation MSTP Isolate-User-VL 01-Access LLDP VLAN Voice VLAN Volume BPDU GVRP QinQ Port Mirroring...
  • Page 4 Volume Features Logging In Logging In User Interface Logging In to an Through the Through Configuration Ethernet Switch Console Port Telnet/SSH Examples Logging in Through Web-based Specifying Logging In Controlling Login Network Source for Through NMS Users Management Telnet Packets System Basic System Device...
  • Page 5: Related Documentation

    3Com Switch 4210G Family Getting Started Guide: This guide provides all the information you need to install and use the 3Com Switch 4210G Family. Obtaining Documentation: You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 6: Table Of Contents

    Table of Contents: 1 Product Features 1-1; Introduction to Product 1-1; Feature Lists 1-1; 2 Features 2-1; Access Volume 2-1; IP Services Volume 2-3; IP Routing Volume 2-5; Multicast Volume 2-5; QoS Volume 2-6; Security Volume 2-7; High Availability Volume 2-9; System Volume 2-10...
  • Page 7: Product Features

    (MANs). They can also be used for connecting server groups in data centers. The 3Com Switches 4210G support the innovative Intelligent Resilient Framework (IRF) technology. With IRF, multiple 4210G switches can be interconnected as a logical entity to form a new intelligent network featuring high availability, scalability, and manageability.
  • Page 8 Volume Features Traffic Policing, QoS Overview Configuration Priority Mapping Traffic Shaping, Approaches and Line Rate 05-QoS Volume Congestion Traffic Filtering Priority Marking Traffic Redirecting Management Class-Based Traffic Mirroring User Profile Appendix Accounting EAD Fast 802.1X HABP Deployment Port Security IP Source Guard SSH2.0 06-Security Authentication...
  • Page 9: Features

    Features The following sections provide an overview of the main features of each module supported by the Switch 4210G. Access Volume Table 2-1 Features in Access volume Features Description This document describes: Combo Port Configuration Basic Ethernet Interface Configuration Configuring Flow Control on an Ethernet Interface...
  • Page 10 Features Description LLDP enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: LLDP Introduction to LLDP Performing Basic LLDP Configuration Configuring CDP Compatibility Configuring LLDP Trapping...
  • Page 11: Ip Services Volume

    IP Services Volume Table 2-2 Features in the IP Services volume Features Description An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: IP Address Introduction to IP addresses IP address configuration Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
  • Page 12 Features Description As a DHCP security feature, DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records IP-to-MAC mappings of DHCP clients. This document describes: DHCP Snooping DHCP Snooping Overview Configuring DHCP Snooping Basic Functions Configuring DHCP Snooping to Support Option 82 After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP...
  • Page 13: Ip Routing Volume

    IP Routing Volume Table 2-3 Features in the IP Routing volume Features Description This document describes: IP Routing Overview Introduction to IP routing and routing table Routing protocol overview A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 14: Qos Volume

    QoS Volume Table 2-5 Features in the QoS ACL volume Features Description For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during traffic forwarding process. This document describes: QoS Overview Introduction to QoS Introduction to QoS Service Models QoS Techniques Overview Two approaches are available for you to configure QoS: policy-based and non policy-based.
  • Page 15: Security Volume

    Features Description This document describes: Acronym Appendix Default Priority Mapping Tables Introduction to Packet Precedences Security Volume Table 2-6 Features in the Security volume Features Description Authentication, Authorization and Accounting (AAA) provide a uniform framework used for configuring these three security functions to implement the network security management.
  • Page 16 Features Description By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through, thus improving the network security. This document describes: IP Source Guard Configuring a Static Binding Entry Configuring Dynamic Binding Function SSH ensures secure login to a remote device in a non-secure network environment.
  • Page 17: High Availability Volume

    High Availability Volume Table 2-7 Features in the High Availability volume Features Description Smart Link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink networking. This document describes: Smart Link Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Monitor link is a port collaboration function used to enable a device to be aware of the up/down state change of the ports on an indirectly connected...
  • Page 18: System Volume

    Command Authorization Configuration Example Command Accounting Configuration Example A Switch 4210G has a built-in Web server. You can log in to a Switch 4210G through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. This document...
  • Page 19 Features Description You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch. This document describes (Logging In Through NMS): Introduction Connection Establishment Using NMS To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 20 SNMP log configuration Trap configuration 3Com private MIB involves two styles, 3Com compatible MIB and 3Com new MIB. To implement NMS's flexible management of the device, the device allows you to configure MIB style, that is, you can switch between the two styles of MIBs (MIB Style).
  • Page 21 Features Description As the system information hub, Information Center classifies and manages all types of system information. This document describes: Information Center Overview Setting to Output System Information to the Console Setting to Output System Information to a Monitor Terminal Information Center Setting to Output System Information to a Log Host Setting to Output System Information to the Trap Buffer...
  • Page 22 Features Description Intelligent Resilient Framework (IRF) allows you to build an IRF, namely a united device, by interconnecting multiple devices through IRF ports. You can manage all the devices in the IRF by managing the united device. This document describes: IRF Overview IRF Working Process Configuring IRF...
  • Page 23 Appendix A Acronyms # A B C D E F G H I K L M N O P Q R S T U V W X Z Acronyms Full spelling Return 10GE Ten-GigabitEthernet Return Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current ACKnowledgement...
  • Page 24 Acronyms Full spelling Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent Burst Tolerance Return Call Appearance Certificate Authority Committed Access Rate Committed Burst Size Class Based Queuing Constant Bit Rate Core-Based Tree International Telephone and Telegraph Consultative...
  • Page 25 Acronyms Full spelling Connectivity Verification Return Deeper Application Recognition Data Circuit-terminal Equipment Database Description Digital Data Network DHCP Dynamic Host Configuration Protocol Designated IS DLCI Data Link Connection Identifier DLDP Device Link Detection Protocol Domain Name System Downstream on Demand Denial of Service Designated Router DSCP...
  • Page 26 Acronyms Full spelling Forward Defect Indication Forwarding Equivalence Class Fast Failure Detection Forwarding Group Forwarding information base FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast ReRoute FRTT Fairness Round Trip Time Functional Test File Transfer Protocol Return GARP Generic Attribute Registration Protocol...
  • Page 27 Acronyms Full spelling International Business Machines ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol for IPv6 IDentification/IDentity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 28 Acronyms Full spelling LACP Link Aggregation Control Protocol LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol Label Edge Router LFIB Label Forwarding Information Base Label Information Base Link Layer Control LLDP Link Layer Discovery Protocol...
  • Page 29 Acronyms Full spelling Multicast Listener Discovery Protocol MLD-Snooping Multicast Listener Discovery Snooping Meet-Me Conference MODEM MOdulator-DEModulator Multilink PPP MP-BGP Multiprotocol extensions for BGP-4 Middle-level PE MP-group Multilink Point to Point Protocol group MPLS Multiprotocol Label Switching MPLSFW Multi-protocol Label Switch Forward Multicast Port Management Mobile Switching Center MSDP...
  • Page 30 Acronyms Full spelling Network Management Station NPDU Network Protocol Data Unit Network Provider Edge Network Quality Analyzer NSAP Network Service Access Point NetStream Collector N-SEL NSAP Selector NSSA Not-So-Stubby Area NTDP Neighbor Topology Discovery Protocol Network Time Protocol Return Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3...
  • Page 31 Acronyms Full spelling Power over Ethernet Point Of Presence Packet Over SDH Point-to-Point Protocol PPTP Point to Point Tunneling Protocol PPVPN Provider-provisioned Virtual Private Network Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP Permanent Virtual Channel Pseudo wires Return...
  • Page 32 Acronyms Full spelling Resilient Packet Ring Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol Return Source Active...
  • Page 33 Acronyms Full spelling Shortest Path First Shortest Path Tree Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c SDH Transport Module -16c STM-4c SDH Transport Module -4c Spanning Tree Protocol Signalling Virtual Connection Switch-MDT Switch-Multicast Distribution Tree...
  • Page 34 Acronyms Full spelling Return Variable Bit Rate Virtual Channel Identifier Virtual Ethernet Virtual File System VLAN Virtual Local Area Network Virtual Leased Lines Video On Demand VoIP Voice over IP Virtual Operate System VPDN Virtual Private Dial-up Network VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch...
  • Page 35 Table of Contents: 1 Ethernet Port Configuration 1-1; Ethernet Port Configuration 1-1; Combo Port Configuration 1-1; Basic Ethernet Interface Configuration 1-2; Configuring Flow Control on an Ethernet Interface 1-3; Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface 1-3; Configuring Loopback Testing on an Ethernet Interface 1-4; Configuring a Port Group 1-4; Configuring an Auto-negotiation Transmission Rate 1-5; Configuring Storm Suppression 1-6...
  • Page 36 4 MSTP Configuration 4-1; Overview 4-1; Introduction to STP 4-1; Why STP 4-1; Protocol Packets of STP 4-1; Basic Concepts in STP 4-2; How STP works 4-3; Introduction to RSTP 4-9; Introduction to MSTP 4-10; Why MSTP 4-10; Basic Concepts in MSTP 4-11; How MSTP Works 4-14; Implementation of MSTP on Devices 4-15; Protocols and Standards 4-15; MSTP Configuration Task List 4-15...
  • Page 37 Enabling LLDP 5-7; Setting LLDP Operating Mode 5-7; Setting the LLDP Re-Initialization Delay 5-8; Enabling LLDP Polling 5-8; Configuring the TLVs to Be Advertised 5-8; Configuring the Management Address and Its Encoding Format 5-9; Setting Other LLDP Parameters 5-10; Setting an Encapsulation Format for LLDPDUs 5-10; Configuring CDP Compatibility 5-11; Configuration Prerequisites 5-11; Configuring CDP Compatibility 5-12...
  • Page 38 Voice VLAN Assignment Modes 8-2; Security Mode and Normal Mode of Voice VLANs 8-3; Configuring a Voice VLAN 8-4; Configuration Prerequisites 8-4; Setting a Port to Operate in Automatic Voice VLAN Assignment Mode 8-4; Setting a Port to Operate in Manual Voice VLAN Assignment Mode 8-5; Displaying and Maintaining Voice VLAN 8-6; Voice VLAN Configuration Examples 8-6; Automatic Voice VLAN Mode Configuration Example 8-6...
  • Page 39 Enabling BPDU Tunneling 11-4; Configuring Destination Multicast MAC Address for BPDUs 11-5; BPDU Tunneling Configuration Examples 11-5; BPDU Tunneling for STP Configuration Example 11-5; BPDU Tunneling for PVST Configuration Example 11-7; 12 Port Mirroring Configuration 12-1; Introduction to Port Mirroring 12-1; Classification of Port Mirroring 12-1; Implementing Port Mirroring 12-1; Configuring Local Port Mirroring 12-3; Configuring Remote Port Mirroring 12-4...
  • Page 40: Ethernet Port Configuration

    Ethernet Port Configuration Ethernet Port Configuration GE and 10GE ports on the Switch 4210G Family are numbered in the following format: interface type A/B/C. A: Number of a member device in an IRF. If no IRF is formed, this value is 1.
  • Page 41: Basic Ethernet Interface Configuration

    In case of a Combo port, only one interface (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa. Basic Ethernet Interface Configuration Configuring an Ethernet interface Three types of duplex modes are available to Ethernet interfaces:...
  • Page 42: Configuring Flow Control On An Ethernet Interface

    To do / Use the command / Remarks: Shut down the Ethernet interface: shutdown (Optional. By default, an Ethernet interface is in the up state. To bring up an Ethernet interface, use the undo shutdown command.) 10GE ports can be displayed only when 10GE interface module expansion cards are available on the device.
  • Page 43: Configuring Loopback Testing On An Ethernet Interface

    To do / Use the command / Remarks: Configure the suppression time of physical link up/down state changes: link-delay delay-time (Required. By default, the physical-link-state change suppression time is not configured.) Configuring Loopback Testing on an Ethernet Interface: You can enable loopback testing to check whether the Ethernet interface functions properly. Note that no data packets can be forwarded during the testing.
  • Page 44: Configuring An Auto-Negotiation Transmission Rate

    Follow these steps to configure a manual port group: Enter system view: system-view. Create a manual port group and enter manual port group view: port-group manual port-group-name (Required). Add Ethernet interfaces to the manual port group: group-member interface-list (Required)...
  • Page 45: Configuring Storm Suppression

    This function is available for auto-negotiation-capable Gigabit Layer-2 Ethernet electrical ports only. If you repeatedly use the speed and the speed auto commands to configure the transmission rate on a port, only the latest configuration takes effect. Configuring Storm Suppression You can use the following commands to suppress the broadcast, multicast, and unknown unicast traffic.
  • Page 46: Setting The Interval For Collecting Ethernet Interface Statistics

    To do / Use the command / Remarks: Set the unknown unicast storm suppression ratio: unicast-suppression { ratio | pps max-pps } (Optional. By default, all unknown unicast traffic is allowed to pass through an interface, that is, unknown unicast traffic is not suppressed.) If you set storm suppression ratios in Ethernet interface view or port group view repeatedly for an Ethernet interface that belongs to a port group, only the latest settings take effect.
  • Page 47: Enabling Loopback Detection On An Ethernet Interface

    To do / Use the command / Remarks: In port-group view: port-group manual port-group-name; in Ethernet interface view: interface interface-type interface-number (use either command). Enable the forwarding of jumbo frames: jumboframe enable (By default, the device allows jumbo frames with a length of 9,216 bytes to pass through all Layer 2 Ethernet interfaces.)
  • Page 48: Configuring The Mdi Mode For An Ethernet Interface

    Loopback detection on a given port is enabled only after the loopback-detection enable command has been configured in both system view and the interface view of the port. Loopback detection on all ports will be disabled after the configuration of the undo loopback-detection enable command under system view.
  • Page 49: Testing The Cable On An Ethernet Interface

    To do / Use the command / Remarks: Configure the MDI mode for the Ethernet interface: mdi { across | auto | normal } (Optional. Defaults to auto, that is, the Ethernet interface determines the physical pin roles (transmit or receive) through negotiation.) Testing the Cable on an Ethernet Interface: 10-Gigabit Ethernet ports and optical interfaces of SFP ports do not support this feature.
  • Page 50 Blocking the interface. In this case, the interface is blocked and thus stops forwarding the traffic of this type until the traffic detected is lower than the threshold. Note that an interface blocked by the storm constrain function can still forward other types of traffic and monitor the blocked traffic. Shutting down the interface.
  • Page 51: Displaying And Maintaining An Ethernet Interface

    For the sake of network stability, configure the interval for generating traffic statistics to a value that is not shorter than the default. The storm constrain function, after being enabled, requires a complete statistical period (specified by the storm-constrain interval command) to collect traffic data, and analyzes the data in the next period.
  • Page 52: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Configuration Task List Configuring an Aggregation Group Configuring an Aggregate Interface Configuring a Load Sharing Mode for Load-Sharing Link Aggregation Groups Displaying and Maintaining Link Aggregation Link Aggregation Configuration Examples Overview...
  • Page 53 LACP multi-active detection (MAD) mechanism in an Intelligent Resilient Framework (IRF). Switches of the Switch 4210G Family that support extended LACP functions can function as both member devices and intermediate devices in LACP MAD implementation. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see IRF in the System Volume.
  • Page 54 Currently, the Switch 4210G Family supports returning Marker Response PDUs only after dynamic link aggregation member ports receive Marker PDUs. Operational key When aggregating ports, link aggregation control automatically assigns each port an operational key based on the port attributes, including the configurations of the port rate, duplex mode and link state.
  • Page 55: Link Aggregation Modes

    Some configurations are called class-one configurations. Such configurations, for example, GVRP and MSTP, can be configured on aggregate interfaces and member ports but are not considered during operational key calculation. The change of a class-two configuration setting may affect the select state of link aggregation member ports and thus the ongoing service.
  • Page 56 Dynamic aggregation mode LACP is enabled on member ports in a dynamic aggregation group. In a dynamic aggregation group, a selected port can receive and transmit LACPDUs. An unselected port can receive and send LACPDUs only if it is up and has the same configurations as those on the aggregate interface.
  • Page 57: Load Sharing Mode Of An Aggregation Group

    Load Sharing Mode of an Aggregation Group The link aggregation groups created on the Switch 4210G Family always operate in load sharing mode, even when they contain only one member port. Link Aggregation Configuration Task List Complete the following tasks to configure link aggregation:...
  • Page 58: Configuring A Dynamic Aggregation Group

    To do / Use the command / Remarks: Enter Ethernet interface view: interface interface-type interface-number (Required). Assign the Ethernet interface to the aggregation group: port link-aggregation group number (Repeat the two steps to assign multiple Ethernet interfaces to the aggregation group.) Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group.
  • Page 59: Configuring An Aggregate Interface

    To do / Use the command / Remarks: Assign the port a LACP priority: lacp port-priority port-priority (Optional. By default, the LACP priority of a port is 32768. Changing the LACP priority of a port may affect the selected/unselected state of the ports in the dynamic aggregation group.)
  • Page 60: Shutting Down An Aggregate Interface

    Follow these steps to enable linkUp/linkDown trap generation for an aggregate interface: Enter system view: system-view. Enable the trap function globally: snmp-agent trap enable [ standard [ linkdown | linkup ] ] (Optional. By default, linkUp/linkDown trap generation is enabled globally and on all interfaces.)
  • Page 61: Displaying And Maintaining Link Aggregation

    types of traffic as needed. For example, for Layer 3 traffic, you can use IP addresses as hash keys for load sharing calculation. You can configure a global load sharing mode for all link aggregation groups or a load sharing mode specific to a link aggregation group as needed.
  • Page 62: Link Aggregation Configuration Examples

    To do / Use the command / Remarks: Display the global or aggregation group-specific load sharing mode: display link-aggregation load-sharing mode [ interface [ bridge-aggregation interface-number ] ] (Available in any view). Display link aggregation details of ports: display link-aggregation member-port [ interface-type interface-number [ to interface-type interface-number ] ] (Available in any view)...
  • Page 63: Layer 2 Dynamic Aggregation Configuration Example

    <DeviceA> system-view
    [DeviceA] link-aggregation load-sharing mode source-mac destination-mac
    # Create Layer 2 aggregate interface Bridge-aggregation 1.
    [DeviceA] interface bridge-aggregation 1
    [DeviceA-Bridge-Aggregation1] quit
    # Assign Layer 2 Ethernet interfaces GigabitEthernet1/0/1 through GigabitEthernet1/0/3 to aggregation group 1.
    [DeviceA] interface GigabitEthernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface GigabitEthernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1...
  • Page 64: Layer 2 Aggregation Load Sharing Mode Configuration Example

    [DeviceA] interface bridge-aggregation 1
    [DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
    [DeviceA-Bridge-Aggregation1] quit
    # Assign Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
    [DeviceA] interface GigabitEthernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface GigabitEthernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/2] quit
    [DeviceA] interface GigabitEthernet 1/0/3...
  • Page 65
    # Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
    [DeviceA-GigabitEthernet1/0/2] quit
    # Create a Layer 2 aggregate interface Bridge-Aggregation 2 and configure the load sharing mode of aggregation group 2 as the destination MAC-based load sharing mode.
  • Page 66: Port Isolation Configuration

    VLAN, allowing for great flexibility and security. Currently, the Switch 4210G Family supports only one isolation group, which is created automatically by the system as isolation group 1. You can neither remove this isolation group nor create other isolation groups on these devices.
  • Page 67: Displaying And Maintaining Isolation Groups

    Displaying and Maintaining Isolation Groups
    To do… / Use the command… / Remarks
    To do: Display the isolation group information
      Use the command: display port-isolate group
      Remarks: Available in any view
    Port Isolation Configuration Example
    Network requirements
    Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of Device.
  • Page 68
    Uplink port support: NO
    Group ID: 1
    Group members:
    GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3...
  • Page 69: Mstp Configuration

    MSTP Configuration
    When configuring MSTP, go to these sections for information you are interested in: Overview; Introduction to STP; Introduction to RSTP; Introduction to MSTP; MSTP Configuration Task List; Configuring MSTP; Displaying and Maintaining MSTP; MSTP Configuration Example
    Overview
    As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and in the meantime allows for link redundancy.
  • Page 70: Basic Concepts In Stp

    Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic Concepts in STP Root bridge A tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topology.
  • Page 71: How Stp Works

    Figure 4-1 A schematic diagram of designated bridges and designated ports
    All the ports on the root bridge are designated ports.
    Path cost
    Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
  • Page 72
    For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs:
    Root bridge ID (represented by device priority)
    Root path cost (related to the rate of the link connecting the port)
    Designated bridge ID (represented by device priority)
    Designated port ID (represented by port name)
    Calculation process of the STP algorithm
    Initial state...
  • Page 73 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device Table 4-3 describes the process of selecting the root port and designated ports.
  • Page 74
    Figure 4-2 Network diagram for the STP algorithm (figure; devices shown: Device A with priority 0, Device B with priority 1, Device C with priority 2)
    Initial state of each device
    Table 4-4 shows the initial state of each device.
    Table 4-4 Initial state of each device (columns: Device, Port name, BPDU of port)...
  • Page 75
    (Table continued; columns: Device, Comparison process, BPDU of port after comparison)
    Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 76
    (Table continued; columns: Device, Comparison process, BPDU of port after comparison)
    After comparison: Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected... (BPDU of port after comparison: blocked port CP2)
  • Page 77: Introduction To Rstp

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
  • Page 78: Introduction To Mstp

    Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 79: Basic Concepts In Mstp

    Basic Concepts in MSTP
    Figure 4-4 Basic concepts in MSTP (figure; labels recoverable from the diagram: Region A0, Region B0, Region D0; VLAN 1 mapped to instance 1; VLAN 2 mapped to instance 2; other VLANs mapped to CIST; B as regional root bridge; BPDU exchange between regions)...
  • Page 80 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 4-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
  • Page 81 During MSTP calculation, a boundary port’s role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on.
  • Page 82: How Mstp Works

    Port states
    In MSTP, port states fall into the following three:
    Forwarding: the port learns MAC addresses and forwards user traffic;
    Learning: the port learns MAC addresses but does not forward user traffic;
    Discarding: the port neither learns MAC addresses nor forwards user traffic.
    When in different MSTIs, a port can be in different states.
  • Page 83: Implementation Of Mstp On Devices

    Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on Devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
  • Page 84
    Task / Remarks
    Enabling the MSTP Feature: Required
    Configuring the leaf nodes:
      Configuring an MST Region: Required
      Configuring the Work Mode of an MSTP Device: Optional
      Configuring the Timeout Factor: Optional
      Configuring the Maximum Port Rate: Optional
      Configuring Ports as Edge Ports: Optional
      Configuring Path Costs of Ports: Optional
      ...
  • Page 85: Configuring Mstp

    Configuring MSTP
    Configuring an MST Region
    Make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region:
    To do... / Use the command... / Remarks
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Enter MST region view
      Remarks: —...
  • Page 86: Configuring The Root Bridge Or A Secondary Root Bridge

    Configuring the Root Bridge or a Secondary Root Bridge MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system.
  • Page 87: Configuring The Work Mode Of An Mstp Device

    After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, refer to Configuring the Priority of a Device.
  • Page 88: Configuring The Maximum Hops Of An Mst Region

    After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the spanning tree. Configuring the Maximum Hops of an MST Region By setting the maximum hops of an MST region, you can restrict the region size.
  • Page 89: Configuring Timers Of Mstp

    Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is considered as a device. The network diameter must be configured on the root bridge.
  • Page 90: Configuring The Timeout Factor

    To do... / Use the command... / Remarks
    To do: Configure the max age timer
      Use the command: stp timer max-age time
      Remarks: Optional. 2,000 centiseconds (20 seconds) by default
    The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced;...
  • Page 91: Configuring The Maximum Port Rate

    To do... / Use the command... / Remarks
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Configure the timeout factor of the device
      Use the command: stp timer-factor factor
      Remarks: Required. 3 by default
    Configuring the Maximum Port Rate
    The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello time.
  • Page 92: Configuring Path Costs Of Ports

    To do... / Use the command... / Remarks
    To do: Enter interface view or port group view
      Use the command: interface interface-type interface-number (Ethernet interface view or Layer 2 aggregate interface view), or port-group manual port-group-name (port group view)
      Remarks: Required. Use either command.
    To do: Configure the current ports as edge ports
      Use the command: stp edged-port enable
      Remarks: Required. All ports are non-edge ports by default.
  • Page 93
    Table 4-7 Link speed vs. path cost
    Link speed | Duplex state | 802.1d-1998 | 802.1t | Private standard
     | — | 65535 | 200,000,000 | 200,000
    10 Mbps | Single Port | | 2,000,000 | 2,000
    10 Mbps | Aggregate Link 2 Ports | | 1,000,000 | 1,800
    10 Mbps | Aggregate Link 3 Ports | | 666,666 | 1,600
    10 Mbps | Aggregate Link 4 Ports | | 500,000 | 1,400
     | Single Port | | | ...
  • Page 94: Configuring Port Priority

    If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
  • Page 95: Configuring The Link Type Of Ports

    When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends on the index number of the port. Changing the priority of a port triggers a new spanning tree calculation process.
  • Page 96: Enabling The Output Of Port State Transition Information

    dot1s: 802.1s-compliant standard format, and legacy: Compatible format By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format.
  • Page 97: Enabling The Mstp Feature

    To do... / Use the command... / Remarks
    To do: Enable output of port state transition information
      Use the command: stp port-log { all | instance instance-id }
      Remarks: Required. This function is enabled by default.
    Enabling the MSTP Feature
    You must enable MSTP for the device before any other MSTP-related configurations can take effect. Make this configuration on the root bridge and on the leaf nodes separately.
  • Page 98: Configuring Digest Snooping

    By then, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode. You can perform mCheck on a port through the following two approaches, which lead to the same result. Performing mCheck globally Follow these steps to perform global mCheck: To do...
  • Page 99 Before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run MSTP. Configuring the Digest Snooping feature You can enable Digest Snooping only on a device that is connected to a third-party device that uses its private key to calculate the configuration digest.
  • Page 100: Configuring No Agreement Check

    Digest Snooping configuration example Network requirements Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region. Enable Digest Snooping on Device A and Device B so that the three devices can communicate with one another.
  • Page 101
    Figure 4-7 shows the rapid state transition mechanism on MSTP designated ports.
    Figure 4-7 Rapid state transition of an MSTP designated port
    Figure 4-8 shows rapid state transition of an RSTP designated port.
    Figure 4-8 Rapid state transition of an RSTP designated port (figure; labels: Downstream device, Upstream device, Proposal for rapid transition)...
  • Page 102: Configuring Protection Functions

    To do... / Use the command... / Remarks
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Enter interface view or port group view
      Use the command: interface interface-type interface-number (Ethernet interface view or Layer 2 aggregate interface view), or port-group manual port-group-name (port group view)
      Remarks: Required. Use either command.
    To do: Enable No Agreement Check...
  • Page 103 Configuration prerequisites MSTP has been correctly configured on the device. Enabling BPDU guard For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system will automatically set these ports as non-edge ports and start a new spanning tree calculation process.
  • Page 104
    Follow these steps to enable root guard:
    To do... / Use the command... / Remarks
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Enter interface view or port group view
      Use the command: interface interface-type interface-number (Ethernet interface view or Layer 2 aggregate interface view), or port-group manual...
      Remarks: Required. Use either command.
  • Page 105: Enabling Bpdu Dropping

    With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry flush only when the time period expires.
  • Page 106: Displaying And Maintaining Mstp

    Displaying and Maintaining MSTP
    To do... / Use the command... / Remarks
    To do: View information about abnormally blocked ports
      Use the command: display stp abnormal-port
      Remarks: Available in any view
    To do: View information about ports blocked by STP protection functions
      Use the command: display stp down-port
      Remarks: Available in any view
    To do: View the historical information of port role calculation for the specified instance
      Use the command: display stp [ instance instance-id ] history [ slot...
  • Page 107 Figure 4-10 Network diagram for MSTP configuration Configuration procedure VLAN and VLAN member port configuration Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and create VLAN 20, VLAN 30, and VLAN 40 on Device D; configure the ports on these devices as trunk ports and assign them to related VLANs.
  • Page 108
    <DeviceB> system-view
    [DeviceB] stp region-configuration
    [DeviceB-mst-region] region-name example
    [DeviceB-mst-region] instance 1 vlan 10
    [DeviceB-mst-region] instance 3 vlan 30
    [DeviceB-mst-region] instance 4 vlan 40
    [DeviceB-mst-region] revision-level 0
    # Activate MST region configuration.
    [DeviceB-mst-region] active region-configuration
    [DeviceB-mst-region] quit
    # Specify the current device as the root bridge of MSTI 3.
    [DeviceB] stp instance 3 root primary
    # Enable MSTP globally.
  • Page 109
    # Activate MST region configuration.
    [DeviceD-mst-region] active region-configuration
    [DeviceD-mst-region] quit
    # Enable MSTP globally.
    [DeviceD] stp enable
    Verifying the configurations
    You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
    # Display brief spanning tree information on Device A.
  • Page 110
    GigabitEthernet1/0/2   ALTE   DISCARDING   NONE
    GigabitEthernet1/0/3   ROOT   FORWARDING   NONE
    Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 4-11.
    Figure 4-11 MSTIs corresponding to different VLANs
  • Page 111: Lldp Configuration

    LLDP Configuration
    When configuring LLDP, go to these sections for information you are interested in: Overview; LLDP Configuration Task List; Performing Basic LLDP Configuration; Configuring CDP Compatibility; Configuring LLDP Trapping; Displaying and Maintaining LLDP; LLDP Configuration Examples
    Overview
    Background
    In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration information for the sake of interoperability and management.
  • Page 112
    Figure 5-1 Ethernet II-encapsulated LLDP frame format
    The fields in the frame are described in Table 5-1:
    Table 5-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
    Field | Description
    Destination MAC address | The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 113
    Field | Description
    Source MAC address | The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
    Type | The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  • Page 114
    VLAN Name | A specific VLAN name on the port
    Protocol Identity | Protocols supported on the port. Currently, 3Com switches 4210G support receiving but not sending protocol identity TLVs.
    IEEE 802.3 organizationally specific TLVs
    Table 5-5 IEEE 802.3 organizationally specific TLVs
    Type...
  • Page 115: Operating Modes Of Lldp

    management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier. LLDP-MED TLVs are shown in Table 5-6:
    Table 5-6 LLDP-MED TLVs
    Type | Description
    LLDP-MED Capabilities | Allows a MED endpoint to advertise the supported LLDP-MED TLVs and its device type.
    Network Policy | Allows a network device or MED endpoint to advertise LAN type and VLAN ID of the specific port, and the Layer 2 and...
  • Page 116: How Lldp Works

    How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
  • Page 117: Performing Basic Lldp Configuration

    LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group.
    Performing Basic LLDP Configuration
    Enabling LLDP
    To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP:
    To do…...
  • Page 118: Setting The Lldp Re-Initialization Delay

    Setting the LLDP Re-Initialization Delay When LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the LLDP re-initialization delay, you can avoid frequent initializations caused by frequent LLDP operating mode changes on a port. Follow these steps to set the LLDP re-initialization delay for ports: To do…...
  • Page 119: Configuring The Management Address And Its Encoding Format

    To do… / Use the command… / Remarks
    To do: Configure the TLVs to be advertised
      Use the command: lldp tlv-enable { basic-tlv { port-description | system-capability | system-description | system-name } | dot1-tlv { port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } |...
      Remarks: Optional. By default, all types of LLDP TLVs except...
  • Page 120: Setting Other Lldp Parameters

    Setting Other LLDP Parameters The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. You can configure the TTL of locally sent LLDP frames to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier.
  • Page 121: Configuring Cdp Compatibility

    To do… / Use the command… / Remarks
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Enter Ethernet interface view or port group view
      Use the command: interface interface-type interface-number (Ethernet interface view), or port-group manual port-group-name (port group view)
      Remarks: Required. Use either command.
    To do: Set the encapsulation format for...
      Remarks: Required. Ethernet II encapsulation format applies by default.
  • Page 122: Configuring Cdp Compatibility

    Configuring CDP Compatibility
    CDP-compatible LLDP operates in one of the following two modes:
    TxRx, where CDP packets can be transmitted and received.
    Disable, where CDP packets can neither be transmitted nor received.
    To make CDP-compatible LLDP take effect on certain ports, first enable CDP-compatible LLDP globally and configure CDP-compatible LLDP to operate in TxRx mode.
  • Page 123: Displaying And Maintaining Lldp

    To do… / Use the command… / Remarks
    To do: Enable LLDP trap sending
      Use the command: lldp notification remote-change enable
      Remarks: Required. Disabled by default
    To do: Quit to system view
      Use the command: quit
      Remarks: —
    To do: Set the interval to send LLDP traps
      Use the command: lldp timer notification-interval interval
      Remarks: Optional. 5 seconds by default
    Displaying and Maintaining LLDP
    To do…...
  • Page 124: Configuration Procedure

    Configuration procedure
    Configure Switch A.
    # Enable LLDP globally.
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] lldp enable
    [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx...
  • Page 125
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV
    Port 2 [GigabitEthernet1/0/2]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s...
  • Page 126: Cdp-Compatible Lldp Configuration Example

    Port 2 [GigabitEthernet1/0/2]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV
    As the sample output shows, GigabitEthernet 1/0/2 of Switch A does not connect to any neighboring devices.
  • Page 127
    Configure CDP-compatible LLDP on Switch A.
    # Enable LLDP globally and enable LLDP to be compatible with CDP globally.
    [SwitchA] lldp enable
    [SwitchA] lldp compliance cdp
    # Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to operate in TxRx mode, and configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 128: Vlan Configuration

    VLAN Configuration
    When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN; Configuring Basic VLAN Settings; Configuring Basic Settings of a VLAN Interface; Port-Based VLAN Configuration; MAC-Based VLAN Configuration; Protocol-Based VLAN Configuration; Displaying and Maintaining VLAN; VLAN Configuration Example
    Introduction to VLAN
    VLAN Overview...
  • Page 129: Vlan Fundamentals

    Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance.
    Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
    Flexible virtual workgroup creation.
  • Page 130: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 131: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs, if you have used the isolate-user-vlan command to create mappings between them, you cannot remove them until you remove the mappings between them first.
  • Page 132: Port-Based Vlan Configuration

    Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
  • Page 133: Assigning An Access Port To A Vlan

    Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. Otherwise, the system prompts error information. For information about voice VLAN, refer to Voice VLAN Configuration. The local and remote ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
  • Page 134
    To do… / Use the command… / Remarks
    To do: Enter VLAN view
      Use the command: vlan vlan-id
      Remarks: Required. If the specified VLAN does not exist, this command creates the VLAN first.
    To do: Assign one or a group of access ports to the current VLAN
      Use the command: port interface-list
      Remarks: Required. By default, all ports belong to VLAN 1. In VLAN view, you only assign the access ports to the current VLAN.
  • Page 135: Assigning A Trunk Port To A Vlan

    Before assigning an access port to a VLAN, create the VLAN first. After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  • Page 136: Assigning A Hybrid Port To A Vlan

    To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. The local and remote hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
  • Page 137: Mac-Based Vlan Configuration

    To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. Before assigning a hybrid port to a VLAN, create the VLAN first. The local and remote hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted properly.
  • Page 138: Configuring A Mac Address-Based Vlan

    The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires that the MAC address-to-VLAN mapping be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.
  • Page 139: Protocol-Based Vlan Configuration

    Protocol-Based VLAN Configuration Introduction to Protocol-Based VLAN Protocol-based VLANs are only applicable on hybrid ports. In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT).
  • Page 140
    To do… / Use the command… / Remarks
    To do: Enter Ethernet interface view, Layer-2 aggregate interface view, or port group view
      Use the command: interface interface-type interface-number (Ethernet interface view), or interface bridge-aggregation interface-number (Layer-2 aggregate interface view), or the port group view command
      Remarks: Required. Use either command. In Ethernet interface view, subsequent configurations apply to the current port. In port group view, the subsequent configurations...
  • Page 141: Ip Subnet-Based Vlan Configuration

    IP Subnet-Based VLAN Configuration Introduction In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.
  • Page 142: Displaying And Maintaining Vlan

    To do… / Use the command… / Remarks
    To do: Associate the hybrid port(s) with the specified IP subnet-based VLAN
      Use the command: port hybrid ip-subnet-vlan vlan vlan-id
      Remarks: Required
    After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member ports.
  • Page 143: Vlan Configuration Example

    To do... / Use the command… / Remarks
    To do: Clear statistics on a port
      Use the command: reset counters interface [ interface-type [ interface-number ] ]
      Remarks: Available in user view
    The reset counters interface command can be used to clear statistics on a VLAN interface. For more information, refer to Ethernet Interface Commands in the Access Volume.
  • Page 144
    # Configure GigabitEthernet 1/0/1 to permit packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100
    Please wait... Done.
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] quit
    Configure Device B as you configure Device A.
    Verification
    Verifying the configuration on Device A is similar to that of Device B.
  • Page 145
    0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
    Output (normal): 0 packets, - bytes
    0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
    Output: 0 output errors, - underruns, - buffer failures
    0 aborts, 0 deferred, 0 collisions, 0 late collisions
    0 lost carrier, - no carrier
    The output above shows that: The port (GigabitEthernet 1/0/1) is a trunk port.
  • Page 146: Isolate-User-VLAN Configuration

    Isolate-User-VLAN Configuration
    When configuring an isolate-user VLAN, go to these sections for information you are interested in: Overview; Configuring Isolate-User-VLAN; Displaying and Maintaining Isolate-User-VLAN; Isolate-User-VLAN Configuration Example
    Overview
    An isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
  • Page 147
    Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN;
    Assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN;
    Associate the isolate-user-VLAN with the specified secondary VLANs.
  • Page 148: Displaying and Maintaining Isolate-User-VLAN

    Displaying and Maintaining Isolate-User-VLAN
    Display the mapping between an isolate-user-VLAN and its secondary VLAN(s): display isolate-user-vlan [ isolate-user-vlan-id ] (Available in any view)
    Isolate-User-VLAN Configuration Example
    Network requirements
    Connect Device A to downstream devices Device B and Device C; Configure VLAN 5 on Device B as an isolate-user-VLAN, assign the uplink port GigabitEthernet 1/0/5 to VLAN 5, and associate VLAN 5 with secondary VLANs VLAN 2 and VLAN 3.
  • Page 149
    [DeviceB] vlan 2
    [DeviceB-vlan2] port gigabitethernet 1/0/2
    [DeviceB-vlan2] quit
    # Associate the isolate-user-VLAN with the secondary VLANs.
    [DeviceB] isolate-user-vlan 5 secondary 2 to 3
    Configure Device C
    # Configure the isolate-user-VLAN.
    <DeviceC> system-view
    [DeviceC] vlan 6
    [DeviceC-vlan6] isolate-user-vlan enable
    [DeviceC-vlan6] port gigabitethernet 1/0/5
    [DeviceC-vlan6] quit
    # Configure the secondary VLANs.
  • Page 150
    gigabitethernet 1/0/2
    gigabitethernet 1/0/5
    VLAN ID: 3
    VLAN Type: static
    Isolate-user-VLAN type : secondary
    Route Interface: not configured
    Description: VLAN 0003
    Name: VLAN 0003
    Tagged Ports: none
    Untagged Ports:
    gigabitethernet 1/0/1
    gigabitethernet 1/0/5...
  • Page 151: Voice VLAN Configuration

    OUI address for each vendor’s devices.
    Table 8-1 The default OUI addresses of different vendors
    OUI address | Vendor
    0001-e300-0000 | Siemens phone
    0003-6b00-0000 | Cisco phone
    0004-0d00-0000 | Avaya phone
    00d0-1e00-0000 | Pingtel phone
    0060-b900-0000 | Philips/NEC phone
    00e0-7500-0000 | Polycom phone
    00e0-bb00-0000 | 3Com phone...
  • Page 152: Voice VLAN Assignment Modes

    In general, an OUI address is the first 24 bits of a MAC address (in binary format), a globally unique identifier assigned to a vendor by the IEEE. The OUI addresses mentioned in this document, however, differ from OUIs in the conventional sense: here they are the address prefixes the system uses to determine whether a received packet is a voice packet.
  • Page 153: Security Mode and Normal Mode of Voice VLANs

    Voice VLAN assignment mode | Voice traffic type | Port link type
    Tagged voice traffic:
    Access: not supported
    Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN
    Hybrid: supported if the default VLAN of the connecting port exists and is not the voice VLAN, the...
  • Page 154: Configuring a Voice VLAN

    Table 8-3 How a voice VLAN-enabled port processes packets in security/normal mode
    Voice VLAN working mode | Packet type | Packet processing mode
    Untagged packets: If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN; ...
    Packets carrying the...
  • Page 155: Setting a Port to Operate in Manual Voice VLAN Assignment Mode

    Not enabled by default
    A Switch 4210G supports up to eight voice VLANs globally.
    A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN in automatic mode on a hybrid port can process only tagged voice traffic. Therefore, do not configure a VLAN as both a protocol-based VLAN and a voice VLAN.
  • Page 156: Displaying and Maintaining Voice VLAN

    voice vlan enable (Required)
    A Switch 4210G supports up to eight voice VLANs globally. You can configure different voice VLANs on different ports at the same time. However, one port can be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device.
  • Page 157
    Figure 8-1 Network diagram for automatic voice VLAN assignment mode configuration (Device A, Device B, Internet; ports GE1/0/1, GE1/0/1, GE1/0/2; VLAN 3, VLAN 2; IP phone A 010-1001, MAC 0011-1100-0001, mask ffff-ff00-0000; IP phone B 010-1002, MAC 0011-2200-0001, mask ffff-ff00-0000; 0755-2002; PC A, MAC 0022-1100-0002; PC B...)
  • Page 158: Manual Voice VLAN Assignment Mode Configuration Example

    0011-2200-0000 ffff-ff00-0000 IP phone B
    00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
    0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3com phone
    # Display the current states of voice VLANs.
    <DeviceA> display voice vlan state
    Maximum of Voice VLANs: 16
    Current Voice VLANs: 2...
  • Page 159
    Figure 8-2 Network diagram for manual voice VLAN assignment mode configuration
    Configuration procedure
    # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)
    <DeviceA> system-view
    [DeviceA] voice vlan security enable
    # Add a recognizable OUI address 0011-2200-0000.
  • Page 160
    0011-2200-0000 ffff-ff00-0000 test
    00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
    0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
    00e0-7500-0000 ffff-ff00-0000 Polycom phone
    00e0-bb00-0000 ffff-ff00-0000 3com phone
    # Display the current voice VLAN state.
    <DeviceA> display voice vlan state
    Maximum of Voice VLANs: 16
    Current Voice VLANs: 2...
  • Page 161: GVRP Configuration

    GVRP Configuration
    The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network.
    When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP; GVRP Configuration Task List; Configuring GVRP Functions...
  • Page 162
    Hold timer –– When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth.
    Join timer ––...
  • Page 163
    GARP message format
    Figure 9-1 GARP message format
    Figure 9-1 illustrates the GARP message format. Table 9-1 describes the GARP message fields.
    Table 9-1 Description on the GARP message fields
    Field | Description | Value
    Protocol ID | Protocol identifier for GARP |
    Message | One or multiple messages, each containing an attribute type and an... | ––
  • Page 164: GVRP

    GVRP
    GVRP enables a device to propagate its local VLAN registration information to other participant devices, and to dynamically update its local database, which records the active VLAN members and the port through which each can be reached, with the VLAN registration information received from other devices. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information.
  • Page 165: Configuring GARP Timers

    Enter system view: system-view
    Enable GVRP globally: gvrp (Required. Globally disabled by default.)
    Enter Ethernet interface view or Layer 2 aggregate interface view (required; perform either of the...):
    Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Page 166: Displaying and Maintaining GVRP

    Enter Ethernet interface view, Layer 2 aggregate interface view, or port-group view (required; perform either of the commands; depending on the view you accessed, the subsequent configuration takes effect on...):
    Enter Ethernet or Layer 2 aggregate interface view: interface interface-type interface-number
    Enter port-group view: port-group manual...
  • Page 167: GVRP Configuration Examples

    Display the current GVRP state: display gvrp state interface interface-type interface-number vlan vlan-id (Available in any view)
    Display statistics about GVRP: display gvrp statistics [ interface interface-list ] (Available in any view)
    Display the global GVRP state: display gvrp status (Available in any view)
    Display the information about...
  • Page 168: GVRP Configuration Example II

    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on trunk port GigabitEthernet 1/0/1.
    [DeviceB-GigabitEthernet1/0/1] gvrp
    [DeviceB-GigabitEthernet1/0/1] quit
    # Create VLAN 3 (a static VLAN).
  • Page 169: GVRP Configuration Example III

    [DeviceA-GigabitEthernet1/0/1] quit
    # Create VLAN 2 (a static VLAN).
    [DeviceA] vlan 2
    Configure Device B
    # Enable GVRP globally.
    <DeviceB> system-view
    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1.
  • Page 170
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to forbidden on the port.
    [DeviceA-GigabitEthernet1/0/1] gvrp
    [DeviceA-GigabitEthernet1/0/1] gvrp registration forbidden
    [DeviceA-GigabitEthernet1/0/1] quit
    # Create VLAN 2 (a static VLAN).
    [DeviceA] vlan 2
    Configure Device B
    # Enable GVRP globally.
  • Page 171: QinQ Configuration

    QinQ Configuration
    When configuring QinQ, go to these sections for information you are interested in: Introduction to QinQ; QinQ Configuration Task List; Configuring Basic QinQ; Configuring Selective QinQ; Configuring the TPID Value in VLAN Tags; QinQ Configuration Examples
    Throughout this document, customer network VLANs (CVLANs), also called inner VLANs, refer to the VLANs that a customer uses on the private network;...
  • Page 172: QinQ Frame Structure

    Figure 10-1 Schematic diagram of the QinQ feature (customer network A with VLAN 1~10, customer network B with VLAN 1~20, the service provider network; VLAN 3 and VLAN 4 labels)
    As shown in Figure 10-1, customer network A has CVLANs 1 through 10, while customer network B...
  • Page 173: Implementations of QinQ

    Figure 10-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure
    The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN tag is 4 bytes. Therefore, it is recommended that you increase the MTU of each interface on the service provider network.
  • Page 174
    Figure 10-3 VLAN tag structure of an Ethernet frame
    The device determines whether a received frame carries an SVLAN tag or a CVLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame.
  • Page 175: QinQ Configuration Task List

    QinQ Configuration Task List
    Table 10-2 QinQ configuration task list
    Configuration task | Remarks
    Configuring Basic QinQ | Optional
    Configuring Selective QinQ: Configuring Selective QinQ Based on Ports | Use either approach
    Configuring Selective QinQ: Configuring Selective QinQ through QoS Policies | Use either approach
    Configuring the TPID Value in VLAN Tags | Optional
    QinQ requires configurations only on the service provider network, not on the customer network.
  • Page 176: Configuring Selective QinQ Based on Ports

    Configuring Selective QinQ Based on Ports
    Switch 4210G series switches support configuring basic QinQ and selective QinQ on the same port at the same time. When both features are enabled on a port, frames that meet the selective QinQ condition are handled by selective QinQ first, and the remaining frames are handled by basic QinQ.
  • Page 177: Configuring the TPID Value in VLAN Tags

    Create a class and enter class view: traffic classifier classifier-name [ operator { and | or } ] (Required. By default, the relationship between the match criteria in a class is logical AND.)
    Specify the inner VLAN ID(s) of matching frames: if-match customer-vlan-id (Required)...
  • Page 178: QinQ Configuration Examples

    Follow these steps to configure a TPID value globally:
    Enter system view: system-view
    Configure the TPID value in the CVLAN tag or the SVLAN tag: qinq ethernet-type hex-value (Optional. By default, the TPID value is 0x8100.)
    QinQ Configuration Examples
    Basic QinQ Configuration Example
    Network requirements...
  • Page 179
    Make sure that the devices in the service provider network have been configured to allow QinQ packets to pass through.
    Configuration on Provider A
    Configure GigabitEthernet 1/0/1
    # Configure VLAN 10 as the default VLAN of GigabitEthernet 1/0/1.
    <ProviderA> system-view
    [ProviderA] interface gigabitethernet 1/0/1
    [ProviderA-GigabitEthernet1/0/1] port access vlan 10
    # Enable basic QinQ on GigabitEthernet 1/0/1.
  • Page 180: Selective QinQ Configuration Example (Port-Based Configuration)

    # Configure GigabitEthernet 1/0/2 as a hybrid port and configure VLAN 10 as the default VLAN of the port.
    [ProviderB] interface gigabitethernet 1/0/2
    [ProviderB-GigabitEthernet1/0/2] port link-type hybrid
    [ProviderB-GigabitEthernet1/0/2] port hybrid pvid vlan 10
    [ProviderB-GigabitEthernet1/0/2] port hybrid vlan 10 untagged
    # Enable basic QinQ on GigabitEthernet 1/0/2.
    [ProviderB-GigabitEthernet1/0/2] qinq enable
    [ProviderB-GigabitEthernet1/0/2] quit
    Configure GigabitEthernet 1/0/3...
  • Page 181
    Figure 10-5 Network diagram for comprehensive selective QinQ configuration
    Configuration procedure
    Make sure that the devices in the service provider network have been configured to allow QinQ packets to pass through.
    Configuration on Provider A
    Configure GigabitEthernet 1/0/1
    # Configure GigabitEthernet 1/0/1 as a hybrid port to permit frames of VLAN 1000 and VLAN 2000 to pass through, and configure GigabitEthernet 1/0/1 to send packets of these VLANs with tags removed.
  • Page 182
    [ProviderA] interface gigabitethernet 1/0/2
    [ProviderA-GigabitEthernet1/0/2] port link-type hybrid
    [ProviderA-GigabitEthernet1/0/2] port hybrid vlan 1000 untagged
    # Tag CVLAN 10 frames with SVLAN 1000.
    [ProviderA-GigabitEthernet1/0/2] qinq vid 1000
    [ProviderA-GigabitEthernet1/0/2-vid-1000] raw-vlan-id inbound 10
    [ProviderA-GigabitEthernet1/0/2-vid-1000] quit
    [ProviderA-GigabitEthernet1/0/2] quit
    Configure GigabitEthernet 1/0/3
    # Configure GigabitEthernet 1/0/3 as a trunk port to permit frames of VLAN 1000 and VLAN 2000 to pass through.
  • Page 183: Selective QinQ Configuration Example (QoS Policy-Based Configuration)

    Selective QinQ Configuration Example (QoS Policy-Based Configuration)
    Network requirements
    As shown in Figure 10-6, Provider A and Provider B are service provider network access devices. Customer A, Customer B, Customer C, and Customer D are customer network access devices. Provider A and Provider B are interconnected through a trunk port, which permits the frames of VLAN 1000, VLAN 2000, and VLAN 3000 to pass through.
  • Page 184
    <ProviderA> system-view
    Configuration on GigabitEthernet 1/0/1
    # Configure the port as a hybrid port permitting frames of VLAN 1000, VLAN 2000, and VLAN 3000 to pass through with the outer VLAN tag removed.
    [ProviderA] interface gigabitethernet 1/0/1
    [ProviderA-GigabitEthernet1/0/1] port link-type hybrid
    [ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 3000 untagged
    # Configure VLAN 3000 as the default VLAN of GigabitEthernet 1/0/1, and enable basic QinQ on GigabitEthernet 1/0/1.
  • Page 185
    [ProviderA-GigabitEthernet1/0/2] port access vlan 1000
    # Enable basic QinQ. Tag frames from VLAN 10 with the outer VLAN tag 1000.
    [ProviderA-GigabitEthernet1/0/2] qinq enable
    [ProviderA-GigabitEthernet1/0/2] quit
    Configuration on GigabitEthernet 1/0/3
    # Configure the port as a trunk port permitting frames of VLAN 1000, VLAN 2000 and VLAN 3000 to pass through.
  • Page 186
    Because third-party devices are deployed between Provider A and Provider B, only the basic configuration that should be made on those devices is discussed here. Configure the device connected to GigabitEthernet 1/0/3 of Provider A and the device connected to GigabitEthernet 1/0/1 of Provider B so that their corresponding ports send tagged frames of VLAN 1000, VLAN 2000 and VLAN 3000.
  • Page 187: BPDU Tunneling Configuration

    BPDU Tunneling Configuration
    When configuring BPDU tunneling, go to these sections for information you are interested in: Introduction to BPDU Tunneling; Configuring BPDU Tunneling; BPDU Tunneling Configuration Examples
    Introduction to BPDU Tunneling
    As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.
  • Page 188: BPDU Tunneling Implementation

    The encapsulated Layer 2 protocol packet (called a bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to the User A network.
    Depending on the device model, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets: Cisco Discovery Protocol (CDP)...
  • Page 189
    To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits:
    BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider network.
  • Page 190: Configuring BPDU Tunneling

    Configuring BPDU Tunneling
    Configuration Prerequisites
    Before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first.
    Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN.
    Configure all the ports in the service provider network as trunk ports allowing packets of any VLAN to pass through.
  • Page 191: Configuring Destination Multicast MAC Address for BPDUs

    Enabling BPDU tunneling for a protocol in Layer 2 aggregate interface view
    Follow these steps to enable BPDU tunneling for a protocol in Layer 2 aggregate interface view:
    Enter system view: system-view
    Enter Layer 2 aggregate interface view: interface...
  • Page 192
    It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0CCD-CDD0.
    Figure 11-3 Network diagram for configuring BPDU tunneling for STP
    Configuration procedure
    Configuration on PE 1
    # Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
  • Page 193: BPDU Tunneling for PVST Configuration Example

    BPDU Tunneling for PVST Configuration Example
    Network requirements
    As shown in Figure 11-4: CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. All ports used to connect devices in the service provider network are trunk ports and allow packets of any VLAN to pass through.
  • Page 194
    [PE2] interface gigabitethernet 1/0/2
    [PE2-GigabitEthernet1/0/2] port link-type trunk
    [PE2-GigabitEthernet1/0/2] port trunk permit vlan all
    # Disable STP on GigabitEthernet 1/0/2, and then enable BPDU tunneling for STP and PVST on it.
    [PE2-GigabitEthernet1/0/2] undo stp enable
    [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q stp
    [PE2-GigabitEthernet1/0/2] bpdu-tunnel dot1q pvst
  • Page 195: Port Mirroring Configuration

    Port Mirroring Configuration
    When configuring port mirroring, go to these sections for information you are interested in: Introduction to Port Mirroring; Configuring Local Port Mirroring; Configuring Remote Port Mirroring; Displaying and Maintaining Port Mirroring; Port Mirroring Configuration Examples
    Introduction to Port Mirroring
    Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis.
  • Page 196
    As shown in Figure 12-1, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
    Figure 12-1 Local port mirroring implementation (how the device processes packets: traffic on the mirroring port is mirrored to the monitor port, which connects to the data monitoring device)
  • Page 197: Configuring Local Port Mirroring

    You must ensure that the source device and the destination device can communicate at Layer 2 in the remote probe VLAN.
    Destination device
    The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group.
  • Page 198: Configuring Remote Port Mirroring

    [ mirroring-group groupid ] monitor-port
    A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port.
  • Page 199
    Enter system view: system-view
    Create a remote source mirroring group: mirroring-group groupid remote-source (Required)
    Configure mirroring ports, in system view: mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound } (Required. You can configure multiple mirroring ports in a mirroring group.)
  • Page 200: Configuring a Remote Destination Mirroring Group (On the Destination Device)

    To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. It is recommended that you use a remote probe VLAN exclusively for mirroring. A port can belong to only one mirroring group.
  • Page 201: Displaying and Maintaining Port Mirroring

    When configuring the monitor port, use the following guidelines:
    The port can belong to only the current mirroring group.
    To ensure operation of your device, do not assign the monitor port to a mirroring VLAN.
    Disable these functions on the port: STP, MSTP, and RSTP.
    It is recommended that you use a monitor port only for port mirroring.
  • Page 202: Remote Port Mirroring Configuration Example

    Figure 12-3 Network diagram for local port mirroring configuration (Switch A, R&D department; Switch B, Marketing department; Switch C; ports GE1/0/1, GE1/0/2, GE1/0/3; data monitoring device)
    Configuration procedure
    Configure Switch C.
    # Create a local port mirroring group.
    <SwitchC> system-view
    [SwitchC] mirroring-group 1 local
    # Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports.
  • Page 203
    As shown in Figure 12-4, the administrator wants to monitor the packets sent from Departments 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source device, Switch B as the intermediate device, and Switch C as the destination device.
  • Page 204
    # Configure port GigabitEthernet 1/0/3 as a trunk port and configure the port to permit the packets of VLAN 2.
    [SwitchA] interface GigabitEthernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 2
    Configure Switch B (the intermediate device).
    # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2.
  • Page 205
    Table of Contents
    1 IP Addressing Configuration 1-1
      IP Addressing Overview 1-1
        IP Address Classes 1-1
        Special IP Addresses 1-2
        Subnetting and Masking 1-2
      Configuring IP Addresses 1-3
        Assigning an IP Address to an Interface 1-3
        IP Addressing Configuration Example 1-4
      Displaying and Maintaining IP Addressing 1-5
    2 ARP Configuration 2-1
      ARP Overview 2-1
        ARP Function 2-1...
  • Page 206
        Enabling ARP Defense Against IP Packet Attacks 4-2
      Configuring ARP Active Acknowledgement 4-2
        Introduction 4-2
        Configuring the ARP Active Acknowledgement Function 4-3
      Configuring Source MAC Address Based ARP Attack Detection 4-3
        Introduction 4-3
        Configuration Procedure 4-3
        Displaying and Maintaining Source MAC Address Based ARP Attack Detection 4-4
      Configuring ARP Packet Source MAC Address Consistency Check 4-4
        Introduction 4-4
        Configuring ARP Packet Source MAC Address Consistency Check 4-5...
  • Page 207
      Displaying and Maintaining DHCP Relay Agent Configuration 6-9
      DHCP Relay Agent Configuration Examples 6-9
        DHCP Relay Agent Configuration Example 6-9
        DHCP Relay Agent Option 82 Support Configuration Example 6-10
      Troubleshooting DHCP Relay Agent Configuration 6-11
    7 DHCP Client Configuration 7-1
      Introduction to DHCP Client 7-1
      Enabling the DHCP Client on an Interface 7-1
      Displaying and Maintaining the DHCP Client 7-2
      DHCP Client Configuration Example 7-2...
  • Page 208
    11 IP Performance Optimization Configuration 11-1
      IP Performance Overview 11-1
      Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 11-1
        Enabling Reception of Directed Broadcasts to a Directly Connected Network 11-1
        Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 11-2
        Configuration Example 11-2
      Configuring TCP Optional Parameters 11-3
      Configuring ICMP to Send Error Packets 11-4...
  • Page 209
    14 Dual Stack Configuration 14-1
      Dual Stack Overview 14-1
      Configuring Dual Stack 14-1
    15 sFlow Configuration 15-1
      sFlow Overview 15-1
        Introduction to sFlow 15-1
        Operation of sFlow 15-1
      Configuring sFlow 15-2
      Displaying and Maintaining sFlow 15-2
      sFlow Configuration Example 15-3
      Troubleshooting sFlow Configuration 15-4
        The Remote sFlow Collector Cannot Receive sFlow Packets 15-4...
  • Page 210: Ip Addressing Configuration

    IP Addressing Configuration When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying and Maintaining IP Addressing IP Addressing Overview This section covers these topics: IP Address Classes Special IP Addresses IP Address Classes...
  • Page 211: Special Ip Addresses

    Table 1-1 IP address classes and ranges (columns: Class, Address range, Remarks)
    Address range 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 212: Configuring Ip Addresses

    IP Addressing Configuration Example Assigning an IP Address to an Interface You may assign an interface on the Switch 4210G multiple IP addresses, one primary and multiple secondaries, to connect multiple logical subnets on the same physical subnet. Follow these steps to assign an IP address to an interface: To do…...
  • Page 213: Ip Addressing Configuration Example

    A newly assigned primary IP address overwrites the existing primary IP address of the interface, if there is one. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment.
  • Page 214: Displaying And Maintaining Ip Addressing

    <Switch> ping 172.16.1.2 PING 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted...
  • Page 215: Arp Configuration

    This document is organized as follows: ARP Configuration Proxy ARP Configuration ARP Attack Defense Configuration ARP Configuration When configuring ARP, go to these sections for information you are interested in: ARP Overview Configuring ARP Configuring Gratuitous ARP Displaying and Maintaining ARP ARP Overview ARP Function The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC...
  • Page 216: Arp Address Resolution Process

    hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4". OP: Operation code. This field specifies the type of ARP message. The value "1" represents an ARP request and "2" represents an ARP reply. Sender hardware address: This field specifies the hardware address of the device sending the message.
  • Page 217: Arp Table

    request, in which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B. ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table.
  • Page 218: Configuring The Maximum Number Of Arp Entries For An Interface

    To do… Use the command… Remarks
    Enter system view: system-view
    Configure a permanent static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number (Required. No permanent static ARP entry is configured by default.)
    Configure a non-permanent static ARP entry: arp static ip-address mac-address... (Required. No non-permanent static ARP...)
  • Page 219: Enabling The Arp Entry Check

    Enabling the ARP Entry Check The ARP entry check function prevents the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; if you try, the system displays an error message. After the ARP entry check is disabled, the device can learn ARP entries with multicast MAC addresses, and you can also configure such static ARP entries on the device.
  • Page 220: Configuring Gratuitous Arp

    Determining whether its IP address is already used by another device. Informing other devices of its MAC address change so that they can update their ARP entries. A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
  • Page 221: Proxy Arp Configuration

    Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: Proxy ARP Overview Enabling Proxy ARP Displaying and Maintaining Proxy ARP Proxy ARP Overview If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host is on the same network) or that is isolated from the sending host at Layer 2, the device in between must be able to respond to the request with the MAC address of the receiving interface to allow Layer 3 communication between the two hosts.
  • Page 222: Local Proxy Arp

    You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is that it is added on a single router without disturbing routing tables of other routers in the network.
  • Page 223: Displaying And Maintaining Proxy Arp

    To do… Use the command… Remarks
    Enable local proxy ARP: local-proxy-arp enable (Required. Disabled by default.)
    Displaying and Maintaining Proxy ARP
    To do… Use the command… Remarks
    Display whether proxy ARP is enabled: display proxy-arp [ interface vlan-interface vlan-id ] (Available in any view)
    Display whether local proxy...
  • Page 224: Local Proxy Arp Configuration Example In Case Of Port Isolation

    [Switch-Vlan-interface1] quit [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 [Switch-Vlan-interface2] proxy-arp enable [Switch-Vlan-interface2] quit Local Proxy ARP Configuration Example in Case of Port Isolation Network requirements Host A and Host B belong to the same VLAN, and connect to Switch B via GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3, respectively.
  • Page 225: Local Proxy Arp Configuration Example In Isolate-User-Vlan

    # Configure an IP address of VLAN-interface 2. <SwitchA> system-view [SwitchA] vlan 2 [SwitchA-vlan2] port gigabitethernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2. # Configure local proxy ARP to let Host A and Host B communicate at Layer 3.
  • Page 226 [SwitchB-vlan2] port gigabitethernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] vlan 3 [SwitchB-vlan3] port gigabitethernet 1/0/3 [SwitchB-vlan3] quit [SwitchB] vlan 5 [SwitchB-vlan5] port gigabitethernet 1/0/1 [SwitchB-vlan5] isolate-user-vlan enable [SwitchB-vlan5] quit [SwitchB] isolate-user-vlan 5 secondary 2 3 Configure Switch A # Create VLAN 5 and add GigabitEthernet 1/0/1 to it. <SwitchA>...
  • Page 227: Arp Attack Defense Configuration

    ARP Attack Defense Configuration When configuring ARP attack defense, go to these sections for information you are interested in: Configuring ARP Source Suppression Configuring ARP Defense Against IP Packet Attacks Configuring ARP Active Acknowledgement Configuring Source MAC Address Based ARP Attack Detection Configuring ARP Packet Source MAC Address Consistency Check Configuring ARP Packet Rate Limit Configuring ARP Detection...
  • Page 228: Displaying And Maintaining Arp Source Suppression

    Displaying and Maintaining ARP Source Suppression
    To do… Use the command… Remarks
    Display the ARP source suppression configuration information: display arp source-suppression (Available in any view)
    Configuring ARP Defense Against IP Packet Attacks
    Introduction to ARP Defense Against IP Packet Attacks
    When forwarding an IP packet, a device depends on ARP to resolve the MAC address of the next hop.
  • Page 229: Configuring The Arp Active Acknowledgement Function

    Then, if an ARP reply is received within five seconds, the gateway updates the ARP entry; if not, the ARP entry is not updated. Configuring the ARP Active Acknowledgement Function Follow these steps to configure ARP active acknowledgement: To do… Use the command…...
  • Page 230: Displaying And Maintaining Source Mac Address Based Arp Attack Detection

    Follow these steps to configure protected MAC addresses:
    To do… Use the command… Remarks
    Enter system view: system-view
    Configure protected MAC addresses: arp anti-attack source-mac exclude-mac mac-address&<1-n> (Optional. Not configured by default.)
    Configuring the aging timer for protected MAC addresses
    Follow these steps to configure the aging timer for protected MAC addresses: To do…...
  • Page 231: Configuring Arp Packet Source Mac Address Consistency Check

    ARP detection also checks source MAC address consistency of ARP packets, but it is enabled on an access device to detect only ARP packets sent to it. Configuring ARP Packet Source MAC Address Consistency Check Follow these steps to enable ARP packet source MAC address consistency check: To do…...
  • Page 232 Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security Entries/Static IP-to-MAC Bindings With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-to-MAC binding entries.
  • Page 233: Ip-To-Mac Bindings

    To do… Use the command… Remarks
    Enter system view: system-view
    Enter VLAN view: vlan vlan-id
    Enable ARP detection for the VLAN: arp detection enable (Required. Disabled by default. That is, ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings is not enabled by default.)
  • Page 234: Configuring Arp Detection Based On Specified Objects

    During the DHCP assignment process, when the client receives the DHCP-ACK message from the DHCP server, it broadcasts a gratuitous ARP packet to detect address conflicts. If no response is received in a pre-defined time period, the client uses the assigned IP address. If the client is enabled with ARP detection based on 802.1X security entries, the IP address is not uploaded to the 802.1X device before the client uses the IP address.
  • Page 235: Displaying And Maintaining Arp Detection

    If both the ARP detection based on specified objects and the ARP detection based on snooping entries/802.1X security entries/static IP-to-MAC bindings are enabled, the former one applies first, and then the latter applies. Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.
  • Page 236: Arp Detection Configuration Example Ii

    Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted). Configure a DHCP server (the configuration procedure is omitted). Configure Host A and Host B as DHCP clients (the configuration procedure is omitted). Configure Switch B # Enable DHCP snooping.
  • Page 237 Figure 4-2 Network diagram for ARP detection configuration Configuration procedure Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted). Configure a DHCP server (the configuration procedure is omitted). Configure Host A and Host B as 802.1X clients (the configuration procedure is omitted) and configure them to upload IP addresses for ARP detection.
  • Page 238: Dhcp Overview

    This document is organized as follows: DHCP Overview DHCP Relay Agent Configuration DHCP Client Configuration DHCP Snooping Configuration BOOTP Client Configuration DHCP Overview Introduction to DHCP The rapid expansion and growing complexity of networks have made the IP addresses assignable to hosts scarce.
  • Page 239: Dhcp Address Allocation

    DHCP Address Allocation Allocation Mechanisms DHCP supports three mechanisms for IP address allocation. Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client. Automatic allocation: DHCP assigns a permanent IP address to a client. Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease.
  • Page 240: Ip Address Lease Extension

    After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.
  • Page 241: Dhcp Options

    secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0. flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast;...
  • Page 242: Self-Defined Options

    Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table.
  • Page 243 Figure 5-6 Format of the value field of the ACS parameter sub-option The value field of the service provider identifier sub-option contains the service provider identifier. Figure 5-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE server type can only be 0.
  • Page 244 Figure 5-8 Sub-option 1 in normal padding format Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0. Figure 5-9 Sub-option 2 in normal padding format Verbose padding format The padding contents for sub-options in the verbose padding format are as follows:...
  • Page 245: Protocols And Standards

    Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreachable.
  • Page 246: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent DHCP Relay Agent Configuration Task List Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Examples Troubleshooting DHCP Relay Agent Configuration The DHCP relay agent configuration is supported only on VLAN interfaces.
  • Page 247: Dhcp Relay Agent Support For Option

    Figure 6-1 DHCP relay agent application (diagram: DHCP clients, DHCP relay agent, IP network, DHCP server)
    No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process).
  • Page 248: Dhcp Relay Agent Configuration Task List

    If a client’s requesting message has… / Handling strategy / Padding format / The DHCP relay agent will…
    Option 82 / Drop / Random / Drop the message.
    Option 82 / Keep / Random / Forward the message without changing Option 82.
    Option 82 / Replace / normal / Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 249: Enabling The Dhcp Relay Agent On An Interface

    Follow these steps to enable DHCP:
    To do… Use the command… Remarks
    Enter system view: system-view
    Enable DHCP: dhcp enable (Required. Disabled by default.)
    Enabling the DHCP Relay Agent on an Interface
    With this task completed, upon receiving a DHCP request from the enabled interface, the relay agent will forward the request to a DHCP server for address allocation.
  • Page 250: Configuring The Dhcp Relay Agent Security Functions

    To do… Use the command… Remarks
    Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (Required. By default, no interface is correlated with any DHCP server group.)
    You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addresses for each DHCP server group.
  • Page 251 The dhcp relay address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands are used. The dhcp relay address-check enable command only checks IP and MAC addresses of clients. It is recommended that you configure IP address check on the interface enabled with the DHCP relay agent;...
  • Page 252: Configuring The Dhcp Relay Agent To Send A Dhcp-Release Request

    Follow these steps to enable unauthorized DHCP server detection:
    To do… Use the command… Remarks
    Enter system view: system-view
    Enable unauthorized DHCP server detection: dhcp relay server-detect (Required. Disabled by default.)
    With unauthorized DHCP server detection enabled, the device records each DHCP server it detects once.
  • Page 253 Configuring the DHCP relay agent to support Option 82
    Follow these steps to configure the DHCP relay agent to support Option 82:
    To do… Use the command… Remarks
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Enable the relay agent to...: dhcp relay information... (Required)
  • Page 254: Displaying And Maintaining Dhcp Relay Agent Configuration

    the device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message.
    Displaying and Maintaining DHCP Relay Agent Configuration
    To do… Use the command… Remarks
    Display information about DHCP server groups correlated to a specified interface or all interfaces: display dhcp relay { all | interface interface-type interface-number }...
  • Page 255: Dhcp Relay Agent Option 82 Support Configuration Example

    Figure 6-3 Network diagram for DHCP relay agent Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1.
  • Page 256: Troubleshooting Dhcp Relay Agent Configuration

    Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. <SwitchA> system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp select relay # Correlate VLAN-interface 1 to DHCP server group 1.
  • Page 257: Dhcp Client Configuration

    DHCP Client Configuration When configuring the DHCP client, go to these sections for information you are interested in: Introduction to DHCP Client Enabling the DHCP Client on an Interface Displaying and Maintaining the DHCP Client DHCP Client Configuration Example The DHCP client configuration is supported only on VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 258: Displaying And Maintaining The Dhcp Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
  • Page 259 Configuration procedure Configure Switch A # Enable the DHCP client on VLAN-interface 2. <SwitchA> system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address dhcp-alloc Verification # Use the display dhcp client command to view the IP address and other network parameters assigned to Switch A.
  • Page 260: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview Configuring DHCP Snooping Basic Functions Configuring DHCP Snooping to Support Option 82 Displaying and Maintaining DHCP Snooping DHCP Snooping Configuration Examples A DHCP snooping enabled device does not work if it sits between the DHCP relay agent and the DHCP server; it works when it sits between the DHCP client and the relay agent, or between the DHCP client and the DHCP server.
  • Page 261: Application Environment Of Trusted Ports

    Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries.
  • Page 262: Dhcp Snooping Support For Option 82

    Figure 8-2 Configure trusted ports in a cascaded network
    Table 8-1 describes roles of the ports shown in Figure 8-2.
    Table 8-1 Roles of ports (columns: Device; Untrusted port; Trusted port disabled from recording binding entries; Trusted port enabled to record binding entries)
    Switch A GE1/0/1 GE1/0/3...
  • Page 263: Configuring Dhcp Snooping Basic Functions

    If a client’s requesting message has… / Handling strategy / Padding format / The DHCP snooping device will…
    Option 82 / Drop / Random / Drop the message.
    Option 82 / Keep / Random / Forward the message without changing Option 82.
    Option 82 / Replace / normal / Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
  • Page 264: Prerequisites

    You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 265 To do… Use the command… Remarks
    Configure the padding format for Option 82: dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (Optional. normal by default.)
    Optional. By default, the code type depends on the padding format of Option 82.
  • Page 266: Displaying And Maintaining Dhcp Snooping

    Displaying and Maintaining DHCP Snooping
    To do… Use the command… Remarks
    Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] (Available in any view)
    Display Option 82 configuration information on the DHCP snooping device: display dhcp-snooping information { all | interface interface-type interface-number } (Available in any view)
    Display DHCP packet statistics on the...
  • Page 267: Dhcp Snooping Option 82 Support Configuration Example

    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit DHCP Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 8-3, enable DHCP snooping and Option 82 support on Switch B. Configure the handling strategy for DHCP requests containing Option 82 as replace. On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
  • Page 268: Bootp Client Configuration

    BOOTP Client Configuration While configuring a BOOTP client, go to these sections for information you are interested in: Introduction to BOOTP Client Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP Displaying and Maintaining BOOTP Client Configuration BOOTP client configuration only applies to VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 269: Obtaining An Ip Address Dynamically

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
  • Page 270: Displaying And Maintaining Bootp Client Configuration

    Displaying and Maintaining BOOTP Client Configuration
    To do… Use the command… Remarks
    Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (Available in any view)
    BOOTP Client Configuration Example
    Network requirement
    As shown in Figure 9-1, Switch B’s port belonging to VLAN 1 is connected to the LAN.
  • Page 271: Dns Configuration

    DNS Configuration When configuring DNS, go to these sections for information you are interested in: DNS Overview Configuring the DNS Client Configuring the DNS Proxy Displaying and Maintaining DNS DNS Configuration Examples Troubleshooting DNS Configuration This document only covers IPv4 DNS configuration. For information about IPv6 DNS configuration, refer to IPv6 Basics Configuration in the IP Services Volume.
  • Page 272 The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. The DNS client returns the resolution result to the application after receiving a response from the DNS server.
  • Page 273: Dns Proxy

    If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 10-2, a DNS client sends a DNS request to the DNS proxy, which forwards the...
  • Page 274: Configuring The Dns Client

    Configuring the DNS Client
    Configuring Static Domain Name Resolution
    Follow these steps to configure static domain name resolution:
    To do… Use the command… Remarks
    Enter system view: system-view
    Configure a mapping between a host name and IP address in the static name resolution table: ip host hostname ip-address (Required. Not configured by...)
  • Page 275: Configuring The Dns Proxy

    Configuring the DNS Proxy
    Follow these steps to configure the DNS proxy:
    To do… Use the command… Remarks
    Enter system view: system-view
    Enable DNS proxy: dns proxy enable (Required. Disabled by default.)
    Displaying and Maintaining DNS
    To do… Use the command… Remarks
    Display the static domain name...: display ip host...
  • Page 276: Dynamic Domain Name Resolution Configuration Example

    56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received...
  • Page 277 Figure 10-5, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 10-5 Create a zone # Create a mapping between the host name and IP address. Figure 10-6 Add a host Figure 10-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure...
  • Page 278 Figure 10-7 Add a mapping between domain name and IP address Configure the DNS client # Enable dynamic domain name resolution. <Sysname> system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com Configuration verification # Execute the ping host command on the Switch to verify that the communication between the Switch...
  • Page 279: Dns Proxy Configuration Example

    DNS Proxy Configuration Example Network requirements Specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 10-8 Network diagram for DNS proxy Configuration procedure Before performing the following configuration, assume that Switch A, the DNS server, and the host are...
  • Page 280: Troubleshooting Dns Configuration

    # Specify the DNS server 2.1.1.2. [SwitchB] dns server 2.1.1.2 Configuration verification # Execute the ping host.com command on Switch B to verify that the communication between the Switch and the host is normal and that the corresponding destination IP address is 3.1.1.1. [SwitchB] ping host.com Trying DNS resolve, press CTRL_C to break Trying DNS server (2.1.1.2)
  • Page 281: Ip Performance Optimization Configuration

    IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: IP Performance Overview Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Configuring TCP Optional Parameters Configuring ICMP to Send Error Packets Displaying and Maintaining IP Performance Optimization IP Performance Overview In some network environments, you can adjust the IP parameters to achieve best network...
  • Page 282: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
    Follow these steps to enable the device to forward directed broadcasts:
    To do… Use the command… Remarks
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Enable the interface to forward directed broadcasts: ip forward-broadcast [ acl... (Required. By default, the device is...)
  • Page 283: Configuring Tcp Optional Parameters

    [SwitchA-Vlan-interface3] ip address 1.1.1.2 24 [SwitchA-Vlan-interface3] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [SwitchA-Vlan-interface2] ip forward-broadcast Configure Switch B # Enable Switch B to receive directed broadcasts. <SwitchB> system-view [SwitchB] ip forward-broadcast # Configure a static route to the host.
  • Page 284: Configuring Icmp To Send Error Packets

    The actual length of the finwait timer is determined by the following formula: Actual length of the finwait timer = (Configured length of the finwait timer – 75) + configured length of the synwait timer Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP.
  • Page 285 If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable”...
  • Page 286: Displaying And Maintaining Ip Performance Optimization

    Displaying and Maintaining IP Performance Optimization
    To do…                                  Use the command…                               Remarks
    Display current TCP connection state    display tcp status
    Display TCP connection statistics       display tcp statistics
    Display UDP statistics                  display udp statistics
    Display statistics of IP packets        display ip statistics [ slot slot-number ]
    Display statistics of ICMP flows...     display icmp statistics [ slot …
  • Page 287: Udp Helper Configuration

    UDP Helper Configuration
    When configuring UDP Helper, go to these sections for information you are interested in:
    Introduction to UDP Helper
    Configuring UDP Helper
    Displaying and Maintaining UDP Helper
    UDP Helper Configuration Examples
    UDP Helper can currently be configured on VLAN interfaces only.
    Introduction to UDP Helper
    Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 288: Displaying And Maintaining Udp Helper

    To do…                                                                    Use the command…                               Remarks
    Enter interface view                                                      interface interface-type interface-number      —
    Specify the destination server to which UDP packets are to be forwarded   udp-helper server ip-address                   Required. No destination server is specified by default.
    The UDP Helper enabled device cannot forward DHCP broadcast packets. That is to say, the UDP port number cannot be set to 67 or 68.
  • Page 289
    Figure 12-1 Network diagram for UDP Helper configuration
    Configuration procedure
    The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available.
    # Enable UDP Helper.
    <SwitchA> system-view
    [SwitchA] udp-helper enable
    # Enable forwarding of broadcast packets with UDP destination port 55.
    [SwitchA] udp-helper port 55
    # Specify the destination server 10.2.1.1 on VLAN-interface 1.
  • Page 290: Ipv6 Basics Configuration

    IPv6 Basics Configuration
    When configuring IPv6 basics, go to these sections for information you are interested in:
    IPv6 Overview
    IPv6 Basics Configuration Task List
    Configuring Basic IPv6 Functions
    Configuring IPv6 NDP
    Configuring PMTU Discovery
    Configuring IPv6 TCP Properties
    Configuring ICMPv6 Packet Sending
    Configuring IPv6 DNS Client
    Displaying and Maintaining IPv6 Basics Configuration
    IPv6 Configuration Example...
  • Page 291 times the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 13-1 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and destination IPv6 addresses are both 128 bits (16 bytes) long.
  • Page 292: Introduction To Ipv6 Address

    Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP) messages, Internet Control Message Protocol version 4 (ICMPv4) router discovery messages, and ICMPv4 redirection messages and provides a series of other functions.
  • Page 293 Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of distance).
  • Page 294
    Unassigned address: The unicast address “::” is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet. It cannot be used as a destination IPv6 address.
    Multicast address
    IPv6 multicast addresses listed in Table 13-2...
  • Page 295: Introduction To Ipv6 Neighbor Discovery Protocol

    Introduction to IPv6 Neighbor Discovery Protocol
    The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:
    Address resolution
    Neighbor reachability detection
    Duplicate address detection
    Router/prefix discovery and address autoconfiguration
    Redirection
    Table 13-3 lists the types and functions of ICMPv6 messages used by the NDP.
    Table 13-3 Types and functions of ICMPv6 messages
    ICMPv6 message Number...
  • Page 296
    Figure 13-3 Address resolution
    The address resolution procedure is as follows:
    Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of node A and the destination address is the solicited-node multicast address of node B.
  • Page 297: Ipv6 Pmtu Discovery

    If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B. Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B.
  • Page 298: Introduction To Ipv6 Dns

    The path MTU (PMTU) discovery mechanism finds the minimum MTU of all links in the path from the source to the destination. Figure 13-5 shows the working procedure of PMTU discovery.
    Figure 13-5 Working procedure of PMTU discovery
    The working procedure of PMTU discovery is as follows:
    The source host uses its MTU to send packets to the destination host.
  • Page 299: Ipv6 Basics Configuration Task List

    RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
    RFC 2526: Reserved IPv6 Subnet Anycast Addresses
    RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses
    RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
    RFC 3596: DNS Extensions to Support IP Version 6
    IPv6 Basics Configuration Task List
    Complete the following tasks to perform IPv6 basics configuration:...
  • Page 300 Manual assignment: IPv6 link-local addresses can be assigned manually. Follow these steps to configure an IPv6 unicast address: To do... Use the command... Remarks Enter system view — system-view interface interface-type Enter interface view — interface-number ipv6 address Configure { ipv6-address One of the two commands is an IPv6 Manually assign an...
  • Page 301: Configuring Ipv6 Ndp

    Configuring IPv6 NDP Configuring a Static Neighbor Entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry according to the neighbor IPv6 address and the local Layer 3 interface ID.
  • Page 302: Configuring Parameters Related To Ra Messages

    Configuring Parameters Related to RA Messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 13-4 lists the configurable parameters in an RA message and their descriptions.
  • Page 303
    To do…                               Use the command…                               Remarks
    Configure the hop limit              ipv6 nd hop-limit value                        Optional. 64 by default.
    Enter interface view                 interface interface-type interface-number      —
    Disable the RA message suppression   undo ipv6 nd ra halt                           Required. By default, RA messages are suppressed.
    Optional. By default, the maximum interval for...
  • Page 304: Configuring The Maximum Number Of Attempts To Send An Ns Message For Dad

    The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages. Configuring the Maximum Number of Attempts to Send an NS Message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address.
  • Page 305: Configuring Ipv6 Tcp Properties

    MTU. After the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path MTU through the PMTU mechanism. The aging time is invalid for a static PMTU. Follow these steps to configure the aging time for dynamic PMTUs: To do…...
  • Page 306: Enable Sending Of Multicast Echo Replies

    successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored. Follow these steps to configure the capacity and update interval of the token bucket: To do…...
  • Page 307: Configuring Ipv6 Dns Client

    Configuring IPv6 DNS Client
    Configuring Static IPv6 Domain Name Resolution
    Configuring static IPv6 domain name resolution means establishing the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve the host name into an IPv6 address.
  • Page 308: Displaying And Maintaining Ipv6 Basics Configuration

    Displaying and Maintaining IPv6 Basics Configuration
    To do…                                               Use the command…                        Remarks
    Display DNS suffix information                       display dns domain [ dynamic ]
    Display IPv6 dynamic domain name cache information   display dns ipv6 dynamic-host
    Display IPv6 DNS server information                  display dns ipv6 server [ dynamic ]
    Display the IPv6 FIB entries                         display ipv6 fib [ slot-number ]...
  • Page 309: Ipv6 Configuration Example

    To do…                                         Use the command…             Remarks
    Clear the statistics of all IPv6 UDP packets   reset udp ipv6 statistics
    The display dns domain command is the same as the one of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume.
    IPv6 Configuration Example
    Network requirements
    Host, Switch A and Switch B are directly connected through Ethernet ports.
  • Page 310
    # Specify an aggregatable global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipv6 address 2001::1/64
    [SwitchA-Vlan-interface1] undo ipv6 nd ra halt
    Configure Switch B
    # Enable IPv6.
  • Page 311 InTooShorts: InTruncatedPkts: InHopLimitExceeds: InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: 25747 OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: [SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 verbose Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0 Global unicast address(es): 2001::1, subnet is 2001::/64...
  • Page 312 InTooShorts: InTruncatedPkts: InHopLimitExceeds: InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: 1012 OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Display the IPv6 interface settings on Switch B. [SwitchB-Vlan-interface2] display ipv6 interface vlan-interface 2 verbose Vlan-interface2 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1234...
  • Page 313 InBadHeaders: InBadOptions: ReasmReqds: ReasmOKs: InFragDrops: InFragTimeouts: OutFragFails: InUnknownProtos: InDelivers: OutRequests: OutForwDatagrams: InNoRoutes: InTooBigErrors: OutFragOKs: OutFragCreates: InMcastPkts: InMcastNotMembers: OutMcastPkts: InAddrErrors: InDiscards: OutDiscards: # Ping Switch A and Switch B on Host, and ping Switch A and Host on Switch B to verify the connectivity between them.
  • Page 314: Troubleshooting Ipv6 Basics Configuration

    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms
    As shown in the output information, Host can ping Switch B and Switch A.
    Troubleshooting IPv6 Basics Configuration
    Symptom
    The peer IPv6 address cannot be pinged.
    Solution
    Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled.
  • Page 315: Dual Stack Configuration

    Dual Stack Configuration
    When configuring dual stack, go to these sections for information you are interested in:
    Dual Stack Overview
    Configuring Dual Stack
    Dual Stack Overview
    Dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 nodes. The best way for an IPv6 node to be compatible with an IPv4 node is to maintain a complete IPv4 stack.
  • Page 316
    To do…                                        Use the command…                                          Remarks
    Enter interface view                          interface interface-type interface-number                 —
    Configure an IPv4 address for the interface   ip address ip-address { mask | mask-length } [ sub ]      Required. By default, no IP address is configured.
    Manually specify…                             ipv6 address { ipv6-address prefix-length …               Use either...
  • Page 317: Sflow Configuration

    sFlow Configuration
    When configuring sFlow, go to these sections for information you are interested in:
    sFlow Overview
    Configuring sFlow
    Displaying and Maintaining sFlow
    sFlow Configuration Example
    Troubleshooting sFlow Configuration
    sFlow Overview
    Introduction to sFlow
    Sampled Flow (sFlow) is a traffic monitoring technology mainly used to collect and analyze traffic statistics.
  • Page 318: Configuring Sflow

    Specify the sFlow sampling mode                                    sflow sampling-mode { determine | random }    Currently, the determine mode is not supported on Switch 4210G Family.
    Specify the number of packets out of which the interface will…     sflow sampling-rate rate                      Optional. 200000 by default.
  • Page 319: Sflow Configuration Example

    sFlow Configuration Example Network requirements Host A and Server are connected to Switch through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 respectively. Host B works as an sFlow collector with IP address 3.3.3.2 and port number 6343, and is connected to Switch through GigabitEthernet 1/0/3. GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1.
  • Page 320: Troubleshooting Sflow Configuration

    Collector IP:3.3.3.2 Port:6343 Interval(s): 30
    sFlow Port Information:
    Interface    Direction    Rate      Mode      Status
    GE1/0/1      In/Out       100000    Random    Active
    Troubleshooting sFlow Configuration
    The Remote sFlow Collector Cannot Receive sFlow Packets
    Symptom
    The remote sFlow collector cannot receive sFlow packets.
    Analysis
    sFlow is not enabled globally because the sFlow agent and/or the sFlow collector is not specified.
  • Page 321
    Table of Contents
    1 IP Routing Overview  1-1
    IP Routing and Routing Table  1-1
    Routing  1-1
    Routing Table  1-1
    Routing Protocol Overview  1-3
    Static Routing  1-3
    Routing Protocols and Routing Priority  1-3
    Displaying and Maintaining a Routing Table  1-3
    2 Static Routing Configuration  2-1
    Introduction  2-1
    Static Route  2-1
    Default Route  2-1...
  • Page 322: Ip Routing Overview

    IP Routing Overview
    Go to these sections for information you are interested in:
    IP Routing and Routing Table
    Routing Protocol Overview
    Displaying and Maintaining a Routing Table
    The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.
    IP Routing and Routing Table
    Routing
    Routing in the Internet is achieved through routers.
  • Page 323 IP address of the next hop: Specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address of the next hop. Priority for the route. Routes to the same destination but having different nexthops may have different priorities and be found by various routing protocols or manually configured.
  • Page 324: Routing Protocol Overview

    Routing Protocol Overview
    Static Routing
    Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perform routing configuration again whenever the network topology changes; it cannot adjust to network changes by itself.
    Routing Protocols and Routing Priority
    Different routing protocols may find different routes to the same destination.
  • Page 325
    To do…                                                         Use the command…                                                       Remarks
    Display routing information permitted by an IPv4 prefix list   display ip routing-table ip-prefix ip-prefix-name [ verbose ]          Available in any view
    Display routes of a routing protocol                           display ip routing-table protocol protocol [ inactive | verbose ]      Available in any view...
  • Page 326: Static Routing Configuration

    Static Routing Configuration
    When configuring a static route, go to these sections for information you are interested in:
    Introduction
    Configuring a Static Route
    Detecting Reachability of the Static Route’s Nexthop
    Displaying and Maintaining Static Routes
    Static Route Configuration Example
    The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.
    Introduction
    Static Route
    A static route is manually configured.
  • Page 327: Application Environment Of Static Routing

    Application Environment of Static Routing
    Before configuring a static route, you need to know the following concepts:
    Destination address and mask
    In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the number of consecutive 1s in the mask).
  • Page 328: Detecting Reachability Of The Static Route's Nexthop

    When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface. If you do not specify the preference when configuring a static route, the default preference will be used.
  • Page 329: Displaying And Maintaining Static Routes

    To configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a Track entry. If a static route needs route recursion, the associated track entry must monitor the nexthop of the recursive route instead of that of the static route;...
  • Page 330
    Configuration procedure
    Configuring IP addresses for interfaces (omitted)
    Configuring static routes
    # Configure a default route on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
    # Configure two static routes on Switch B.
    <SwitchB> system-view
    [SwitchB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
    [SwitchB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
    # Configure a default route on Switch C.
    <SwitchC>...
  • Page 331
    127.0.0.0/8      Direct 0   127.0.0.1       InLoop0
    127.0.0.1/32     Direct 0   127.0.0.1       InLoop0
    1.1.6.0/24       Direct 0   192.168.1.47    Vlan100
    1.1.6.1/32       Direct 0   127.0.0.1       InLoop0
    # Use the ping command on Host B to check reachability to Host A, assuming Windows XP runs on the two hosts.
    C:\Documents and Settings\Administrator>ping 1.1.2.2
    Pinging 1.1.2.2 with 32 bytes of data:
    Reply from 1.1.2.2: bytes=32 time=1ms TTL=255...
  • Page 332: Ipv6 Static Routing Configuration

    IPv6 Static Routing Configuration
    When configuring IPv6 static routing, go to these sections for information you are interested in:
    Introduction to IPv6 Static Routing
    Configuring an IPv6 Static Route
    Displaying and Maintaining IPv6 Static Routes
    IPv6 Static Routing Configuration Example
    The term “router”...
  • Page 333: Configuring An Ipv6 Static Route

    Enabling IPv6 packet forwarding
    Ensuring that the neighboring nodes are IPv6 reachable
    Configuring an IPv6 Static Route
    Follow these steps to configure an IPv6 static route:
    To do…                           Use the commands…                                                   Remarks
    Enter system view                system-view                                                         —
    Configure an IPv6 static route   ipv6 route-static ipv6-address prefix-length [ interface-type …     Required. The default...
  • Page 334
    Figure 3-1 Network diagram for static routes
    Configuration procedure
    Configure the IPv6 addresses of all VLAN interfaces (omitted)
    Configure IPv6 static routes.
    # Configure the default IPv6 static route on SwitchA.
    <SwitchA> system-view
    [SwitchA] ipv6 route-static :: 0 4::2
    # Configure two IPv6 static routes on SwitchB.
    <SwitchB>...
  • Page 335
    NextHop     : 1::1                 Preference
    Interface   : Vlan-interface100    Cost
    Destination : 1::1/128             Protocol : Direct
    NextHop     : ::1                  Preference
    Interface   : InLoop0              Cost
    Destination : FE80::/10            Protocol : Direct
    NextHop     : ::                   Preference
    Interface   : NULL0                Cost
    # Verify the connectivity with the ping command.
    [SwitchA] ping ipv6 3::1
    PING 3::1 : 56 data bytes, press CTRL_C to break
    Reply from 3::1...
  • Page 336
    Table of Contents
    1 Multicast Overview  2-1
    Introduction to Multicast  2-1
    Comparison of Information Transmission Techniques  2-1
    Features of Multicast  2-4
    Common Notations in Multicast  2-5
    Advantages and Applications of Multicast  2-5
    Multicast Models  2-5
    Multicast Architecture  2-6
    Multicast Addresses  2-7
    Multicast Protocols  2-10
    Multicast Packet Forwarding Mechanism  2-12
    2 IGMP Snooping Configuration  2-1
    IGMP Snooping Overview  2-1...
  • Page 337
    Configuring Group Policy and Simulated Joining  2-19
    Static Port Configuration  2-21
    IGMP Snooping Querier Configuration  2-25
    Troubleshooting IGMP Snooping Configuration  2-27
    Switch Fails in Layer 2 Multicast Forwarding  2-27
    Configured Multicast Group Policy Fails to Take Effect  2-27
    3 Multicast VLAN Configuration  3-1
    Introduction to Multicast VLAN  3-1
    Multicast VLAN Configuration Task List  3-3
    Configuring Sub-VLAN-Based Multicast VLAN  3-3
    Configuration Prerequisites  3-3...
  • Page 338
    Configuring Maximum Multicast Groups that Can Be Joined on a Port  4-16
    Configuring IPv6 Multicast Group Replacement  4-17
    Displaying and Maintaining MLD Snooping  4-18
    MLD Snooping Configuration Examples  4-19
    Configuring IPv6 Group Policy and Simulated Joining  4-19
    Static Port Configuration  4-21
    MLD Snooping Querier Configuration  4-25
    Troubleshooting MLD Snooping  4-26
    Switch Fails in Layer 2 Multicast Forwarding  4-26
    Configured IPv6 Multicast Group Policy Fails to Take Effect  4-27...
  • Page 339: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 340
    Figure 1-1 Unicast transmission
    Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 341
    Figure 1-2 Broadcast transmission
    Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 342: Features Of Multicast

    Figure 1-3 Multicast transmission
    The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 343: Common Notations In Multicast

    For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1.
    Table 1-1 An analogy between TV transmission and multicast transmission
    TV transmission                                            Multicast transmission
    A TV station transmits a TV program through a channel.     A multicast source sends multicast data to a...
  • Page 344: Multicast Architecture

    ASM model
    In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of multicast sources in advance.
  • Page 345: Multicast Addresses

    Multicast Addresses
    To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast IP addresses, must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses.
    IP multicast addresses
    IPv4 multicast addresses
    Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
  • Page 346
    Address       Description
    224.0.0.7     Shared Tree (ST) routers
    224.0.0.8     ST hosts
    224.0.0.9     Routing Information Protocol version 2 (RIPv2) routers
    224.0.0.11    Mobile agents
    224.0.0.12    Dynamic Host Configuration Protocol (DHCP) server/relay agent
    224.0.0.13    All Protocol Independent Multicast (PIM) routers
    224.0.0.14    Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15    All Core-Based Tree (CBT) routers
    224.0.0.16...
  • Page 347 Description When set to 0, it indicates that this address is an IPv6 multicast address permanently-assigned by IANA When set to 1, it indicates that this address is a transient, or dynamically assigned IPv6 multicast address Scope: 4 bits, indicating the scope of the IPv6 internetwork for which the multicast traffic is intended.
  • Page 348: Multicast Protocols

    The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 address are lost. As a result, 32 multicast IPv4 addresses map to the same MAC address.
  • Page 349 Figure 1-8 Positions of Layer 3 multicast protocols Multicast management protocols Typically, the internet group management protocol (IGMP) or multicast listener discovery protocol (MLD) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
  • Page 350: Multicast Packet Forwarding Mechanism

    Figure 1-9 Position of Layer 2 multicast protocols
    IGMP Snooping/MLD Snooping
    Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) and Multicast Listener Discovery Snooping (MLD Snooping) are multicast constraining mechanisms that manage and control multicast groups by listening to and analyzing IGMP or MLD messages exchanged between the hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
  • Page 351: Igmp Snooping Configuration

    IGMP Snooping Configuration
    When configuring IGMP Snooping, go to the following sections for information you are interested in:
    IGMP Snooping Overview
    IGMP Snooping Configuration Task List
    Displaying and Maintaining IGMP Snooping
    IGMP Snooping Configuration Examples
    Troubleshooting IGMP Snooping Configuration
    IGMP Snooping Overview
    Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 352: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic Concepts in IGMP Snooping IGMP Snooping related ports As shown in Figure 2-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 353: How Igmp Snooping Works

    Table 2-1 Aging timers for dynamic ports in IGMP Snooping and related messages and actions
    Timer | Description | Message before expiry | Action after expiry
    Dynamic router port... | For each dynamic router port, the switch... | IGMP general query of... | The switch removes...
  • Page 354 When receiving a membership report A host sends an IGMP report to the IGMP querier in the following circumstances: Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. When intended to join a multicast group, a host sends an IGMP report to the IGMP querier to announce that it is interested in the multicast information addressed to that group.
  • Page 355: Protocols And Standards

    Upon receiving the IGMP leave message from a host, the IGMP querier resolves the multicast group address in the message and sends an IGMP group-specific query to that multicast group through the port that received the leave message. Upon receiving the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following on the port on which it received the IGMP leave message: If any IGMP report in response to the group-specific query is received on the port (suppose it is a...
  • Page 356: Configuring Basic Functions Of Igmp Snooping

    Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
  • Page 357: Configuring The Version Of Igmp Snooping

    IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only. Configuring the Version of IGMP Snooping By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
  • Page 358: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
  • Page 359: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure the port(s) as static... | igmp-snooping static-group group-address [ source-ip... | Required
  • Page 360: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure simulated (*, G) or... | igmp-snooping host-join group-address [ source-ip... | Required
  • Page 361: Configuring Igmp Snooping Querier

    Configuring fast leave processing on a port or a group of ports. Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port... | interface interface-type interface-number | Required
  • Page 362: Configuring Igmp Queries And Responses

    It is meaningless to configure an IGMP Snooping querier in a multicast network running IGMP. Although an IGMP Snooping querier does not take part in IGMP querier elections, it may affect IGMP querier elections because it sends IGMP general queries with a low source IP address. Configuring IGMP Queries and Responses You can tune the IGMP general query interval based on actual condition of the network.
  • Page 363: Configuring Source Ip Address Of Igmp Queries

    To do... | Use the command... | Remarks
    Configure the maximum response time to IGMP general queries | igmp-snooping max-response-time interval | Optional. 10 seconds by default.
    Configure the IGMP last-member query interval | igmp-snooping last-member-query-interval interval | Optional. 1 second by default.
    In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries.
  • Page 364: Configuring A Multicast Group Filter

    Before configuring an IGMP Snooping policy, prepare the following data: the ACL rule for multicast group filtering, and the maximum number of multicast groups that can pass the ports. Configuring a Multicast Group Filter: On an IGMP Snooping–enabled switch, the configuration of a multicast group filter allows the service provider to define restrictions on multicast programs available to different users.
  • Page 365: Configuring The Function Of Dropping Unknown Multicast Data

    Disabled by default. For the Switch 4210G Family, when the switch is enabled to filter IPv4 multicast data based on the source ports, it is automatically enabled to filter IPv6 multicast data based on the source ports as well. Configuring the Function of Dropping Unknown Multicast Data: Unknown multicast data refers to multicast data for which no entries exist in the IGMP Snooping forwarding table.
  • Page 366: Configuring Igmp Report Suppression

    To do... | Use the command... | Remarks
    Enable the function of dropping unknown multicast data | igmp-snooping drop-unknown | Required. Disabled by default.
    Configuring IGMP Report Suppression: When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
  • Page 367: Configuring Multicast Group Replacement

    When the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries associated with that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configured static or simulated joins on a port, however, when the number of multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries associated with that port from the IGMP Snooping forwarding table and applies the static or simulated...
  • Page 368: Displaying And Maintaining Igmp Snooping

    Configuring multicast group replacement on a port or a group of ports. Follow these steps to configure multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2... | interface interface-type interface-number... | Required
  • Page 369: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples Configuring Group Policy and Simulated Joining Network requirements As shown in Figure 2-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP Snooping version 2 is required on Switch A, and Router A will act as the IGMP querier on the subnet.
  • Page 370 [RouterA-GigabitEthernet1/0/2] pim dm [RouterA-GigabitEthernet1/0/2] quit Configure Switch A # Enable IGMP Snooping globally. <SwitchA> system-view [SwitchA] igmp-snooping [SwitchA-igmp-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping and the function of dropping unknown multicast traffic in the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 [SwitchA-vlan100] igmp-snooping enable...
  • Page 371: Static Port Configuration

    IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 (0.0.0.0, 224.1.1.1): Attribute: Host Port Host port(s):total 2 port. GE1/0/3 (D) ( 00:03:23 ) GE1/0/4 (D) ( 00:04:10 ) MAC group(s): MAC group address:0100-5e01-0101 Host port(s):total 2 port. GE1/0/3 GE1/0/4 As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined multicast...
  • Page 372 Network diagram: Figure 2-4 Network diagram for static port configuration (figure: Source, Router A as IGMP querier, Switch A, Switch B, Switch C, and receivers Host A, Host B and Host C, with interface addresses in 1.1.1.0/24 and 10.1.1.0/24). Configuration procedure: Configure IP addresses. Configure an IP address and subnet mask for each interface as per Figure...
  • Page 373 [SwitchA-vlan100] quit # Configure GigabitEthernet 1/0/3 to be a static router port. [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100 [SwitchA-GigabitEthernet1/0/3] quit Configure Switch B # Enable IGMP Snooping globally. <SwitchB> system-view [SwitchB] igmp-snooping [SwitchB-igmp-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable IGMP Snooping in the VLAN.
  • Page 374 Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 2 port. GE1/0/1 (D) ( 00:01:30 ) GE1/0/3 IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 (0.0.0.0, 224.1.1.1): Attribute: Host Port Host port(s):total 1 port.
  • Page 375: Igmp Snooping Querier Configuration

    IGMP Snooping Querier Configuration Network requirements As shown in Figure 2-5, in a Layer 2–only network environment, two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, Host A and Host C are receivers of multicast group 224.1.1.1, while Host B and Host D are receivers of multicast group 225.1.1.1.
  • Page 376 # Enable the IGMP-Snooping querier function in VLAN 100 [SwitchA-vlan100] igmp-snooping querier # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100. [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1 [SwitchA-vlan100] igmp-snooping special-query source-ip 192.168.1.1 [SwitchA-vlan100] quit Configure Switch B # Enable IGMP Snooping globally.
  • Page 377: Troubleshooting Igmp Snooping Configuration

    Troubleshooting IGMP Snooping Configuration. Switch Fails in Layer 2 Multicast Forwarding. Symptom: A switch fails to implement Layer 2 multicast forwarding. Analysis: IGMP Snooping is not enabled. Solution: Enter the display current-configuration command to view the running status of IGMP Snooping. If IGMP Snooping is not enabled, use the igmp-snooping command to enable IGMP Snooping globally, and then use the igmp-snooping enable command to enable IGMP Snooping in VLAN view.
  • Page 378: Multicast Vlan Configuration

    Multicast VLAN Configuration. When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to Multicast VLAN; Multicast VLAN Configuration Task List; Configuring Sub-VLAN-Based Multicast VLAN; Configuring Port-Based Multicast VLAN; Displaying and Maintaining Multicast VLAN; Multicast VLAN Configuration Examples. Introduction to Multicast VLAN: As shown in Figure...
  • Page 379 Figure 3-2 Sub-VLAN-based multicast VLAN (figure: Source, Router A as IGMP querier, Switch A, VLAN 10 as the multicast VLAN, and sub-VLANs VLAN 2 through VLAN 4 with receivers Host A, Host B and Host C). After the configuration, IGMP Snooping manages router ports in the multicast VLAN and member ports in the sub-VLANs.
  • Page 380: Multicast Vlan Configuration Task List

    For information about IGMP Snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. Multicast VLAN Configuration Task List: Complete the following tasks to configure multicast VLAN:
    Task | Remarks
    Configuring Sub-VLAN-Based Multicast VLAN... |
  • Page 381: Configuring Port-Based Multicast Vlan

    The VLAN to be configured as a multicast VLAN must exist. The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN. The total number of sub-VLANs of a multicast VLAN must not exceed 63. Configuring Port-Based Multicast VLAN When configuring port-based multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the multicast VLAN.
  • Page 382: Configuring Multicast Vlan Ports

    Follow these steps to configure user port attributes:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number, or port-group { manual port-group-name | aggregation agg-id } | Required. Use either command.
    Configure the user port link... | port link-type hybrid... | Required
  • Page 383: Displaying And Maintaining Multicast Vlan

    Configuring multicast VLAN ports in port view or port group view. Follow these steps to configure multicast VLAN ports in port view or port group view:
    To do… | Use this command… | Remarks
    Enter system view | system-view | —
    Configure the specified VLAN as a multicast VLAN and enter... | multicast-vlan vlan-id... | Required. Not a multicast VLAN by...
  • Page 384 Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs. Network diagram: Figure 3-4 Network diagram for sub-VLAN-based multicast VLAN configuration (figure: Source, Router A as IGMP querier...
  • Page 385 [SwitchA-vlan2] port gigabitethernet 1/0/2 [SwitchA-vlan2] quit The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2. # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP Snooping in the VLAN. [SwitchA] vlan 10 [SwitchA-vlan10] port gigabitethernet 1/0/1 [SwitchA-vlan10] igmp-snooping enable [SwitchA-vlan10] quit...
  • Page 386 Vlan(id):3. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 0 port. IP group(s):the following ip group(s) match to one mac group. IP group address:224.1.1.1 (0.0.0.0, 224.1.1.1): Host port(s):total 1 port. GE1/0/3 MAC group(s): MAC group address:0100-5e01-0101 Host port(s):total 1 port.
  • Page 387: Port-Based Multicast Vlan Configuration

    Port-Based Multicast VLAN Configuration Network requirements As shown in Figure 3-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A. IGMPv2 Snooping is required on Switch A. Router A acts as the IGMP querier.
  • Page 388 [RouterA-GigabitEthernet1/0/1] quit [RouterA] interface gigabitethernet 1/0/2 [RouterA-GigabitEthernet1/0/2] pim dm [RouterA-GigabitEthernet1/0/2] igmp enable Configure Switch A # Enable IGMP Snooping globally. <SwitchA> system-view [SwitchA] igmp-snooping [SwitchA-igmp-snooping] quit # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable IGMP Snooping in this VLAN.
  • Page 389 Total 1 multicast-vlan(s) Multicast vlan 10 subvlan list: no subvlan port list: GE1/0/2 GE1/0/3 GE1/0/4 # View the IGMP Snooping multicast group information on Switch A. [SwitchA] display igmp-snooping group Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):10.
  • Page 390: Mld Snooping Configuration

    MLD Snooping Configuration. When configuring MLD Snooping, go to these sections for information you are interested in: MLD Snooping Overview; MLD Snooping Configuration Task List; Displaying and Maintaining MLD Snooping; MLD Snooping Configuration Examples; Troubleshooting MLD Snooping. MLD Snooping Overview: Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups.
  • Page 391: Basic Concepts In Mld Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic Concepts in MLD Snooping MLD Snooping related ports As shown in Figure 4-2, Router A connects to the multicast source, MLD Snooping runs on Switch A and Switch B, Host A and Host C are receiver hosts (namely, IPv6 multicast group members).
  • Page 392: How Mld Snooping Works

    Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD Snooping-enabled switch, the ports that received MLD general queries with the source address other than 0::0 or IPv6 PIM hello messages are dynamic router ports.
  • Page 393 General queries: The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the port on which it received the MLD query and performs the following: If the port on which the switch received the MLD query is a dynamic router port in its router port list, the switch resets the aging timer for this dynamic router port.
  • Page 394: Protocols And Standards

    If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD done message to all router ports in the native VLAN.
  • Page 395: Configuring Basic Functions Of Mld Snooping

    Task | Remarks
    Configuring an MLD Snooping Policy: Configuring an IPv6 Multicast Group Filter | Optional
    Configuring an MLD Snooping Policy: Configuring IPv6 Multicast Source Port Filtering | Optional
    Configuring an MLD Snooping Policy: Configuring MLD Report Suppression | Optional
    Configuring an MLD Snooping Policy: Configuring Maximum Multicast Groups that Can Be Joined on a Port | Optional
    Configuring an MLD Snooping Policy: Configuring IPv6 Multicast Group Replacement | Optional
    Configurations made in MLD Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN.
  • Page 396: Configuring The Version Of Mld Snooping

    To do... | Use the command... | Remarks
    Enter VLAN view | vlan vlan-id | —
    Enable MLD Snooping in the VLAN | mld-snooping enable | Required. Disabled by default.
    MLD Snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD Snooping in a specified VLAN, this function takes effect for ports in this VLAN only.
  • Page 397: Configuring Aging Timers For Dynamic Ports

    Configure the corresponding port groups. Before configuring MLD Snooping port functions, prepare the following data: the aging time of dynamic router ports, the aging timer of dynamic member ports, and the IPv6 multicast group and IPv6 multicast source addresses. Configuring Aging Timers for Dynamic Ports: If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires.
  • Page 398: Configuring Simulated Joining

    Follow these steps to configure static ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure the port(s) as static... | mld-snooping static-group ipv6-group-address... | Required
  • Page 399: Configuring Fast Leave Processing

    Follow these steps to configure simulated joining:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure simulated joining | mld-snooping host-join ipv6-group-address [ source-ip... | Required
  • Page 400: Configuring Mld Snooping Querier

    Configuring fast leave processing on a port or a group of ports. Follow these steps to configure fast leave processing on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2 aggregate port view or port... | interface interface-type interface-number... | Required
  • Page 401: Configuring Mld Queries And Responses

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Enable the MLD Snooping querier | mld-snooping querier | Required. Disabled by default.
    It is meaningless to configure an MLD Snooping querier in an IPv6 multicast network running MLD. Although an MLD Snooping querier does not take part in MLD querier elections, it may affect MLD querier elections because it sends MLD general queries with a low source IPv6 address.
  • Page 402: Configuring Source Ipv6 Addresses Of Mld Queries

    Configuring MLD queries and responses in a VLAN. Follow these steps to configure MLD queries and responses in a VLAN:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure MLD query interval | mld-snooping query-interval interval | Optional. 125 seconds by default...
  • Page 403: Configuring An Mld Snooping Policy

    Configuring an MLD Snooping Policy. Configuration Prerequisites: Before configuring an MLD Snooping policy, complete the following task: enable MLD Snooping in the VLAN. Before configuring an MLD Snooping policy, prepare the following data: the IPv6 ACL rule for IPv6 multicast group filtering, and the maximum number of IPv6 multicast groups that can pass the ports. Configuring an IPv6 Multicast Group Filter: On an MLD Snooping–enabled switch, the configuration of an IPv6 multicast group filter allows the...
  • Page 404: Configuring Ipv6 Multicast Source Port Filtering

    To do... | Use the command... | Remarks
    Configure an IPv6 multicast group filter | mld-snooping group-policy acl6-number [ vlan vlan-list ] | Required. By default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group.
  • Page 405: Configuring Mld Report Suppression

    Configuring MLD Report Suppression When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device, the Layer 3 device directly connected with it will receive duplicate MLD reports from these members.
  • Page 406: Configuring Ipv6 Multicast Group Replacement

    When the number of IPv6 multicast groups that can be joined on a port reaches the maximum number configured, the system deletes all the forwarding entries associated with that port from the MLD Snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
  • Page 407: Displaying And Maintaining Mld Snooping

    Configuring IPv6 multicast group replacement on a port or a group of ports. Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port/Layer 2... | interface interface-type interface-number... | Required
  • Page 408: Mld Snooping Configuration Examples

    MLD Snooping Configuration Examples. Configuring IPv6 Group Policy and Simulated Joining. Network requirements: As shown in Figure 4-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. MLDv1 is required on Router A, MLD Snooping version 1 is required on Switch A, and Router A will act as the MLD querier on the subnet.
  • Page 409 [RouterA-GigabitEthernet1/0/2] pim ipv6 dm [RouterA-GigabitEthernet1/0/2] quit Configure Switch A # Enable MLD Snooping globally. <SwitchA> system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD Snooping in the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 [SwitchA-vlan100] mld-snooping enable...
  • Page 410: Static Port Configuration

    IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 2 port. GE1/0/3 (D) ( 00:03:23 ) GE1/0/4 (D) ( 00:04:10 ) MAC group(s): MAC group address:3333-0000-1001 Host port(s):total 2 port. GE1/0/3 GE1/0/4 As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 of Switch A have joined IPv6 multicast group FF1E::101.
  • Page 411 Network diagram: Figure 4-4 Network diagram for static port configuration (figure: Source, Router A as MLD querier, Switch A, Switch B, Switch C, and receivers Host A, Host B and Host C, with interface addresses in 1::/64 and 2001::/64). Configuration procedure: Enable IPv6 forwarding and configure IPv6 addresses. Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure...
  • Page 412 [SwitchA-vlan100] quit # Configure GigabitEthernet 1/0/3 to be a static router port. [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100 [SwitchA-GigabitEthernet1/0/3] quit Configure Switch B # Enable MLD Snooping globally. <SwitchB> system-view [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to this VLAN, and enable MLD Snooping in the VLAN.
  • Page 413 Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 2 port. GE1/0/1 (D) ( 00:01:30 ) GE1/0/3 IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute: Host Port Host port(s):total 1 port.
  • Page 414: Mld Snooping Querier Configuration

    MLD Snooping Querier Configuration Network requirements As shown in Figure 4-5, in a Layer-2-only network environment, two multicast sources Source 1 and Source 2 send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively, Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
  • Page 415: Troubleshooting Mld Snooping

    [SwitchB] ipv6 [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4 # Enable the MLD Snooping feature in VLAN 100. [SwitchB-vlan100] mld-snooping enable [SwitchB-vlan100] quit Configurations of Switch C and Switch D are similar to the configuration of Switch B.
  • Page 416: Configured Ipv6 Multicast Group Policy Fails To Take Effect

    Configured IPv6 Multicast Group Policy Fails to Take Effect Symptom Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis The IPv6 ACL rule is incorrectly configured.
  • Page 417: Ipv6 Multicast Vlan Configuration

    IPv6 Multicast VLAN Configuration. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in: Introduction to IPv6 Multicast VLAN; Multicast VLAN Configuration Task List; Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN; Configuring Port-Based IPv6 Multicast VLAN; Displaying and Maintaining IPv6 Multicast VLAN; IPv6 Multicast VLAN Configuration Examples. Introduction to IPv6 Multicast VLAN...
  • Page 418 Figure 5-2 Sub-VLAN-based IPv6 multicast VLAN (figure: Source, Router A as MLD querier, Switch A, VLAN 10 as the IPv6 multicast VLAN, and sub-VLANs VLAN 2 through VLAN 4 with receivers Host A, Host B and Host C). After the configuration, MLD Snooping manages router ports in the IPv6 multicast VLAN and member ports in the sub-VLANs.
  • Page 419: Ipv6 Multicast Vlan Configuration Task List

    For information about MLD Snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast Volume. For information about VLAN tags, refer to VLAN Configuration in the Access Volume. IPv6 Multicast VLAN Configuration Task List: Complete the following tasks to configure IPv6 multicast VLAN:
    Configuration task | Remarks
    Configuring IPv6 Sub-VLAN-Based IPv6 Multicast VLAN... |
  • Page 420: Configuring Port-Based Ipv6 Multicast Vlan

    To do… | Use the command… | Remarks
    Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN | subvlan vlan-list | Required. By default, an IPv6 multicast VLAN has no sub-VLANs.
    The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLANs of the IPv6 multicast VLAN must exist and must not be sub-VLANs of another IPv6 multicast VLAN.
  • Page 421: Configuring Ipv6 Multicast Vlan Ports

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter port view or port group view | interface interface-type interface-number, or port-group manual port-group-name | Required. Use either approach.
    Configure the user port link type as hybrid | port link-type hybrid | Required. Access by default.
    Specify the user VLAN that... | | Required...
  • Page 422: Displaying And Maintaining Ipv6 Multicast Vlan

    Configuring IPv6 multicast VLAN ports in port view or port group view. Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view:
    To do… | Use this command… | Remarks
    Enter system view | system-view | —
    Configure the specified VLAN as an IPv6 multicast... | | Required. Not an IPv6 multicast...
  • Page 423 Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs. Figure 5-4 Network diagram for sub-VLAN-based IPv6 multicast VLAN configuration (figure: Source, Router A as MLD querier...
  • Page 424 The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2. # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD Snooping in the VLAN. [SwitchA] vlan 10 [SwitchA-vlan10] port gigabitethernet 1/0/1 [SwitchA-vlan10] mld-snooping enable [SwitchA-vlan10] quit # Configure VLAN 10 as an IPv6 multicast VLAN and configure VLAN 2 through VLAN 4 as its...
  • Page 425: Port-Based Multicast Vlan Configuration Example

    IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Host port(s):total 1 port. GE1/0/3 MAC group(s): MAC group address:3333-0000-0101 Host port(s):total 1 port. GE1/0/3 Vlan(id):4. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 0 port.
  • Page 426 Switch A’s GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends IPv6 multicast data to IPv6 multicast group FF1E::101. Host A, Host B, and Host C are receivers of the IPv6 multicast group.
  • Page 427
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD Snooping in the VLAN.
    [SwitchA] vlan 2
    [SwitchA-vlan2] mld-snooping enable
    [SwitchA-vlan2] quit...
  • Page 428
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 1 port.
        GE1/0/1
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:FF1E::101
        (::, FF1E::101):
          Host port(s):total 3 port....
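    The display output above lists both the IPv6 group (FF1E::101) and the MAC group it maps to (3333-0000-0101), and notes that several IP groups can match one MAC group. The following Python script is added here as an illustration; it is not part of the 3Com manual. It derives the Ethernet group MAC from an IPv6 multicast address (33-33 followed by the low-order 32 bits of the address, per RFC 2464) and shows the practical consequence of MAC-based snooping: two IPv6 groups that share their low 32 bits are delivered to the same host ports, so a receiver of one group also sees the other group's traffic. The MLD join history and port names are constructed for the example.

```python
import ipaddress
from collections import defaultdict


def ipv6_group_to_mac(group: str) -> str:
    """Return the Ethernet group MAC for an IPv6 multicast group.

    RFC 2464: the MAC is 33-33 followed by the low-order 32 bits of the
    IPv6 address. The result uses the switch's xxxx-xxxx-xxxx notation.
    """
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    raw = b"\x33\x33" + addr.packed[-4:]
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def mac_group_members(groups):
    """Map each MAC group to the (normalised) IPv6 groups that collapse onto it."""
    table = defaultdict(list)
    for g in groups:
        table[ipv6_group_to_mac(g)].append(str(ipaddress.IPv6Address(g)))
    return dict(table)


def build_snooping_table(joins):
    """joins: (port, ipv6_group) pairs learned from MLD reports.

    Returns MAC group -> sorted host ports, which is the granularity a
    MAC-based snooping switch forwards on.
    """
    table = defaultdict(set)
    for port, group in joins:
        table[ipv6_group_to_mac(group)].add(port)
    return {mac: sorted(ports) for mac, ports in table.items()}


def host_ports_for(snoop_table, group):
    """Ports that receive traffic sent to `group`, aliased groups included."""
    return snoop_table.get(ipv6_group_to_mac(group), [])


# Constructed MLD join history (not from the manual).
JOINS = [
    ("GE1/0/3", "FF1E::101"),
    ("GE1/0/4", "FF1E::1:0:101"),   # different group, same low 32 bits
    ("GE1/0/2", "FF1E::102"),
]
SNOOP = build_snooping_table(JOINS)

if __name__ == "__main__":
    print("FF1E::101 ->", ipv6_group_to_mac("FF1E::101"))
    for mac, members in mac_group_members([g for _, g in JOINS]).items():
        print(mac, "<-", members)
    print("FF1E::101 traffic reaches", host_ports_for(SNOOP, "FF1E::101"))
```

    The aliasing is why the display output groups entries by MAC and lists the matching IP groups beneath it; when confidentiality between multicast groups matters, keep their low 32 bits distinct rather than relying on the snooping table to separate them.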
  • Page 429 Table of Contents
    1 QoS Overview 1-1
    Introduction to QoS 1-1
    Introduction to QoS Service Models 1-1
    Best-Effort Service Model 1-1
    IntServ Service Model 1-1
    DiffServ Service Model 1-2
    QoS Techniques Overview 1-2
    Positions of the QoS Techniques in a Network 1-2
    2 QoS Configuration Approaches 2-1
    QoS Configuration Approach Overview 2-1
    Non Policy-Based Configuration 2-1...
  • Page 430
    Configuration Procedure 4-6
    Configuration Example 4-6
    Configuring the Line Rate 4-7
    Configuration Procedure 4-7
    Configuration Example 4-7
    Displaying and Maintaining Traffic Policing, GTS, and Line Rate 4-7
    5 Congestion Management Configuration 5-1
    Congestion Management Overview 5-1
    Causes, Impacts, and Countermeasures of Congestion 5-1
    Congestion Management Policies 5-1
    Congestion Management Configuration Approaches 5-4
    Configuring Congestion Management 5-5
    Configuring SP Queuing 5-5...
  • Page 431
    Class-Based Accounting Configuration Example 10-2
    11 User Profile Configuration 11-1
    User Profile Overview 11-1
    User Profile Configuration 11-1
    User Profile Configuration Task List 11-1
    Creating a User Profile 11-2
    Applying a QoS Policy to User Profile 11-2
    Enabling a User Profile 11-3
    Displaying and Maintaining User Profile 11-3
    12 Appendix 12-3
    Appendix A Acronym 12-4
    Appendix B Default Priority Mapping Tables 12-5...
  • Page 432: Qos Overview

    QoS Overview This chapter covers the following topics: Introduction to QoS Introduction to QoS Service Models QoS Techniques Overview Introduction to QoS For network traffic, the Quality of Service (QoS) involves bandwidth, delay, and packet loss rate during traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth, and reducing the delay, jitter, and packet loss rate.
  • Page 433: Diffserv Service Model

    requested, reserved, and pre-purchased resources. The IntServ model can definitely identify and guarantee QoS for each data flow, and provides the most granularly differentiated QoS. However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model puts very great pressure on the storage and processing capabilities of devices.
  • Page 434 Congestion management provides a resource scheduling policy to arrange the forwarding sequence of packets when congestion occurs. Congestion management is usually applied to the outgoing traffic of a port. Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port.
  • Page 435: Qos Configuration Approaches

    QoS Configuration Approaches This chapter covers the following topics: QoS Configuration Approach Overview Configuring a QoS Policy QoS Configuration Approach Overview Two approaches are available for you to configure QoS: policy-based and non policy-based. Some QoS features can be configured in either approach while some can be configured only in one approach.
  • Page 436: Configuring A Qos Policy

    Configuring a QoS Policy. Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure (flowchart): define a class, define a behavior, define a policy, then apply the policy; the last step branches into the places a policy can be applied, which are covered in the following sections...
  • Page 437 Even though you can provide up to eight space-separated CoS values for this argument, the Switch 4210G series switches support only one CoS value in a rule. If you configure multiple CoS values in a rule, the rule cannot be issued.
  • Page 438: Defining A Traffic Behavior

  • Page 439: Defining A Policy

    Defining a Policy In a policy, you can define multiple class-behavior associations. A behavior is performed for the associated class of packets. In this way, various QoS features can be implemented. Follow these steps to associate a class with a behavior in a policy: To do…...
  • Page 440 You cannot modify the classification rules, traffic behaviors, and classifier-behavior associations in a QoS policy that has already been applied. To check whether a QoS policy has been applied successfully, use the display qos policy global command and the display qos policy interface command. Note that the configuration file may still record a QoS policy application that failed because of insufficient hardware resources, so the presence of the apply command in the saved configuration does not prove that the policy is in effect; verify with the display commands.
  • Page 441 To do… / Use the command… / Remarks: Enter user profile view: user-profile profile-name (Required). The configuration made in user profile view takes effect when the user profile is activated and there are online dot1x users. Refer to User Profile Configuration in the QoS Volume for more information about user profiles.
  • Page 442: Displaying And Maintaining Qos Policies

    QoS policies cannot be applied to dynamic VLANs, for example, VLANs created by GVRP. Do not apply a QoS policy to a VLAN and the ports in the VLAN at the same time. A QoS policy containing any of the nest, remark customer-vlan-id, and remark service-vlan-id actions cannot be applied to a VLAN.
  • Page 443 To do… / Use the command… / Remarks: Clear the statistics of a global QoS policy: reset qos policy global [ inbound ] (available in user view). Clear the statistics of QoS policies applied to VLANs: reset qos vlan-policy [ vlan vlan-id ] [ inbound ] (available in user view)...
  • Page 444: Priority Mapping Configuration

    Priority Mapping Configuration When configuring priority mapping, go to these sections for information you are interested in: Priority Mapping Overview Priority Mapping Configuration Tasks Configuring Priority Mapping Displaying and Maintaining Priority Mapping Priority Mapping Configuration Examples Priority Mapping Overview Introduction to Priority Mapping The priorities of a packet determine its transmission priority.
  • Page 445: Priority Trust Mode On A Port

    The priority trust mode on a port decides which priority is used for the priority mapping table lookup. For priority mapping purposes, a port priority was introduced so that you can use it for priority mapping in addition to the priority fields carried in packets. There are three priority trust modes on the Switch 4210G series: dot1p: Uses the 802.1p priority carried in packets for priority mapping.
  • Page 446: Priority Mapping Configuration Tasks

    Figure 3-1 Priority mapping procedure for an Ethernet packet (flowchart: a packet is received on a port; the port's trust mode decides which priority is used for the lookup: the 802.1p priority carried in the packet, the DSCP carried in the packet, or the port priority used as the 802.1p priority; the chart then tests whether the packet is...
  • Page 447: Configuring Priority Mapping

    Task / Remarks: Configuring a Priority Mapping Table (Optional); Configuring the Priority Trust Mode on a Port (Optional); Configuring the Port Priority of a Port (Optional). Configuring Priority Mapping. Configuring a Priority Mapping Table. Follow these steps to configure an uncolored priority mapping table: To do…...
  • Page 448: Configuring The Port Priority Of A Port

    To do… / Use the command… / Remarks: Trust the port priority: undo qos trust. Display the priority trust mode configuration on the port: display qos trust interface [ interface-type interface-number ] (Optional; available in any view). Configuring the Port Priority of a Port. You can change the port priority of a port used for priority mapping.
  • Page 449 Network requirements As shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows: The marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketing department to 3. The R&D department connects to GigabitEthernet 1/0/2 of Device, which sets the 802.1p priority of traffic from the R&D department to 4.
  • Page 450 Figure 3-2 Network diagram for priority mapping table and priority marking configuration (Device connects the marketing department on GE1/0/1 and the R&D department on GE1/0/2; the remaining labels in the figure are GE1/0/3, GE1/0/4, GE1/0/5, the management department, public servers, hosts, servers, and the Internet). Configuration procedure. Configure trusting port priority. # Set the port priority of GigabitEthernet 1/0/1 to 3. <Device>...
  • Page 451 Configure priority marking # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated traffic treatment.
  • Page 452: Traffic Policing, Traffic Shaping, And Line Rate Overview

    Traffic Policing, Traffic Shaping, and Line Rate Configuration When configuring traffic classification, traffic policing, and traffic shaping, go to these sections for information you are interested in: Traffic Policing, Traffic Shaping, and Line Rate Overview Configuring Traffic Policing Configuring GTS Configuring the Line Rate Displaying and Maintaining Traffic Policing, GTS, and Line Rate Traffic Policing, Traffic Shaping, and Line Rate Overview...
  • Page 453: Traffic Policing

    One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, it means that too many tokens have been used and the traffic is excessive.
  • Page 454: Traffic Shaping

    Traffic policing is widely used in policing traffic entering the networks of internet service providers (ISPs). It can classify the policed traffic and perform pre-defined policing actions based on different evaluation results. These actions include: Forwarding the traffic if the evaluation result is “conforming.” Dropping the traffic if the evaluation result is “excess.”...
  • Page 455: Line Rate

    Figure 4-3 GTS application You can perform traffic shaping for the packets on the outgoing interface of Switch A to avoid unnecessary packet loss. Packets exceeding the limit are cached in Switch A. Once resources are released, traffic shaping takes out the cached packets and sends them out. In this way, all the traffic sent to Switch B conforms to the traffic specification defined in Switch B.
  • Page 456: Configuring Traffic Policing

    the required number of tokens are generated in the token bucket. The traffic rate is thereby restricted to the token generation rate, while bursts up to the bucket depth are still allowed. Line rate can only limit the total traffic rate on a physical port, while traffic policing can limit the rate of a flow on a port.
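    The token bucket evaluation described above (one evaluation per arriving packet; enough tokens means "conform" and the tokens are removed, otherwise "excess" and the bucket is left untouched) and the two ways the result is used, dropping excess packets (policing) or buffering them until tokens accrue (queue-based GTS), are demonstrated by the following Python simulation. It is an added example, not code from the 3Com manual, and it models an ideal bucket in bytes with an unbounded shaping queue; the packet arrivals, the CIR of 512 kbit/s and the CBS of 2000 bytes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Single token bucket: tokens accrue at the CIR and are capped at the CBS."""
    cir_kbps: float          # committed information rate, kbit/s
    cbs_bytes: int           # committed burst size = bucket depth, bytes
    tokens: float = None     # current token count (bytes); starts full
    last: float = 0.0        # time of the last refill, seconds

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = float(self.cbs_bytes)

    @property
    def bytes_per_sec(self) -> float:
        return self.cir_kbps * 1000 / 8

    def refill(self, now: float) -> None:
        """Add the tokens generated since the last refill, never above the CBS."""
        self.tokens = min(self.cbs_bytes,
                          self.tokens + (now - self.last) * self.bytes_per_sec)
        self.last = now

    def evaluate(self, size: int, now: float) -> str:
        """One evaluation per arriving packet."""
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return "conform"
        return "excess"          # bucket untouched: the packet is not paid for


def police(packets, cir_kbps, cbs_bytes):
    """Traffic policing: conforming packets are forwarded, excess packets dropped."""
    tb = TokenBucket(cir_kbps, cbs_bytes)
    out = []
    for t, size in packets:
        verdict = tb.evaluate(size, t)
        out.append((t, size, "forward" if verdict == "conform" else "drop"))
    return out


def shape(packets, cir_kbps, cbs_bytes):
    """Queue-based GTS: excess packets are held and released in FIFO order as
    soon as enough tokens have accrued. Returns (arrival, size, departure)."""
    tb = TokenBucket(cir_kbps, cbs_bytes)
    out = []
    last_departure = 0.0
    for t, size in packets:
        now = max(t, last_departure)        # never overtake the queue
        tb.refill(now)
        if tb.tokens < size:
            now += (size - tb.tokens) / tb.bytes_per_sec   # wait for tokens
            tb.refill(now)
        tb.tokens = max(0.0, tb.tokens - size)
        last_departure = now
        out.append((t, size, now))
    return out


# Constructed arrivals (seconds, bytes): a burst at t=0 followed by a trickle.
ARRIVALS = [(0.0, 1500), (0.0, 1500), (0.01, 1500), (0.03, 1500), (0.5, 1500)]
CIR_KBPS, CBS_BYTES = 512, 2000      # 64000 bytes/s, 2000-byte bucket

if __name__ == "__main__":
    for row in police(ARRIVALS, CIR_KBPS, CBS_BYTES):
        print("police", row)
    for row in shape(ARRIVALS, CIR_KBPS, CBS_BYTES):
        print("shape ", row)
```

    With the same bucket, policing drops the second and third packets of the burst, whereas shaping delays them by 15.6 ms and 39.1 ms and drops nothing. That is the trade-off the overview describes: policing protects the downstream from bursts at the cost of loss, shaping trades buffer memory for loss, and neither substitutes for a per-port line rate when the goal is to bound the total rate of the port.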
  • Page 457 [Sysname-GigabitEthernet1/0/1] qos apply policy http inbound Configuring GTS Configuration Procedure On the Switch 4210G series, traffic shaping is implemented as queue-based GTS, that is, configuring GTS parameters for packets of a certain queue. Follow these steps to configure queue-based GTS: To do…...
  • Page 458: Configuring The Line Rate

    [Sysname-GigabitEthernet1/0/1] qos lr outbound cir 512 Displaying and Maintaining Traffic Policing, GTS, and Line Rate On the Switch 4210G series, traffic policing is configured using the policy-based approach. For the related display and maintenance commands, refer to Displaying and Maintaining QoS Policies.
  • Page 460: Congestion Management Configuration

    Congestion Management Configuration When configuring hardware congestion management, go to these sections for information you are interested in: Congestion Management Overview Congestion Management Configuration Approaches Configuring Congestion Management Displaying and Maintaining Congestion Management Congestion Management Overview Causes, Impacts, and Countermeasures of Congestion Network congestion is a major factor contributing to service quality degradation on a traditional network.
  • Page 461 Each queuing algorithm addresses a particular network traffic problem, and the choice of algorithm significantly affects bandwidth assignment, delay, and jitter. The Switch 4210G series supports the following four queue scheduling methods: Scheduling all queues with the strict priority (SP) algorithm.
  • Page 462 Figure 5-3 Schematic diagram for WRR queuing Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue.
  • Page 463: Congestion Management Configuration Approaches

    Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with FQ, WFQ takes weights into account when determining the queue scheduling order. Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic.
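    The queue scheduling methods introduced above (SP, WRR with per-queue weights w7 through w0, and SP+WRR) are easiest to compare on a fixed backlog. The following Python simulation is an added example, not code from the 3Com manual: it schedules a constructed backlog with each method and reports the share of transmission slots each queue obtains. The queue contents and weights are constructed; the assumption that queues are visited from the highest number down within a WRR round is the author's simplification, not a statement about the switch's hardware order.

```python
from collections import deque


def sp_schedule(queues):
    """Strict priority: always serve the highest-numbered non-empty queue.
    `queues` maps queue number -> list of packets. Returns (queue, packet) order."""
    q = {i: deque(p) for i, p in queues.items()}
    order = []
    while any(q.values()):
        top = max(i for i, d in q.items() if d)
        order.append((top, q[top].popleft()))
    return order


def wrr_schedule(queues, weights):
    """Weighted round robin: in each round every non-empty queue sends up to
    `weights[i]` packets; queues are visited from the highest number down."""
    q = {i: deque(p) for i, p in queues.items()}
    order = []
    while any(q.values()):
        for i in sorted(q, reverse=True):
            for _ in range(weights[i]):
                if not q[i]:
                    break
                order.append((i, q[i].popleft()))
    return order


def sp_wrr_schedule(queues, weights, sp_group):
    """SP+WRR: queues in `sp_group` are drained strictly first; the rest share
    the remaining slots with WRR."""
    sp_q = {i: p for i, p in queues.items() if i in sp_group}
    wrr_q = {i: p for i, p in queues.items() if i not in sp_group}
    return sp_schedule(sp_q) + wrr_schedule(wrr_q, weights)


def bandwidth_share(order, first_n):
    """Fraction of the first `first_n` transmission slots each queue obtained."""
    counts = {}
    for qid, _ in order[:first_n]:
        counts[qid] = counts.get(qid, 0) + 1
    return {qid: n / first_n for qid, n in counts.items()}


# Constructed backlog: queue 7 is a (possibly hostile) high-priority flood,
# queues 0-2 carry ordinary traffic. Weights are constructed for the example.
QUEUES = {7: [f"q7-{n}" for n in range(6)],
          2: [f"q2-{n}" for n in range(4)],
          1: [f"q1-{n}" for n in range(4)],
          0: [f"q0-{n}" for n in range(4)]}
WEIGHTS = {7: 4, 2: 3, 1: 2, 0: 1}

if __name__ == "__main__":
    print("SP     ", bandwidth_share(sp_schedule(QUEUES), 10))
    print("WRR    ", bandwidth_share(wrr_schedule(QUEUES, WEIGHTS), 10))
    print("SP+WRR ", bandwidth_share(sp_wrr_schedule(QUEUES, WEIGHTS, {7}), 10))
```

    The first ten slots go entirely to queue 7 under SP, which is the starvation risk whenever a sender can place traffic in the top queue (see the priority trust mode discussion: do not trust packet priorities from untrusted ports). WRR bounds every queue to its weight share (4:3:2:1 here), and SP+WRR keeps strict latency for the SP group while the WRR group still shares whatever the SP group leaves.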
  • Page 464: Configuring Congestion Management

    Task / Remarks: Configuring WRR Queuing (Optional); Configuring WFQ Queuing (Optional); Configuring SP+WRR Queues (Optional). Configuring Congestion Management. Configuring SP Queuing. Configuration procedure. Follow these steps to configure SP queuing: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter interface view or port group view (use either command): interface interface-type...
  • Page 465: Configuring Wfq Queuing

    To do… / Use the command… / Remarks: Enter interface view or port group view (use either command): interface interface-type interface-number (settings in interface view take effect on the current interface), or port-group manual… (settings in port group view take effect on all ports in the port group)...
  • Page 466: Configuring Sp+Wrr Queues

    To do… / Use the command… / Remarks: Enter port group view: port-group manual port-group-name (settings in port group view take effect on all ports in the port group). Enable WFQ queuing: qos wfq… (Required. By default, all the ports adopt the WRR queue scheduling algorithm, with the weight...
  • Page 467: Configuration Example

    To do… / Use the command… / Remarks: Enter interface view or port group view (use either command): interface interface-type interface-number (settings in interface view take effect on the current interface), or port-group manual port-group-name (settings in port group view take effect on all ports in the port group)...
  • Page 468: Displaying And Maintaining Congestion Management

    Displaying and Maintaining Congestion Management. To do… / Use the command… / Remarks: Display WRR queue configuration information: display qos wrr interface [ interface-type interface-number ]. Display SP queue configuration information: display qos sp interface [ interface-type interface-number ]. Display WFQ queue configuration information: display qos wfq interface [ interface-type... (all available in any view)...
  • Page 469: Traffic Filtering Configuration

    Traffic Filtering Configuration When configuring traffic filtering, go to these sections for information you are interested in: Traffic Filtering Overview Configuring Traffic Filtering Traffic Filtering Configuration Example Traffic Filtering Overview You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For example, you can filter packets sourced from a specific IP address according to network status.
  • Page 470: Traffic Filtering Configuration Example

    To do… / Use the command… / Remarks: Applying the QoS policy globally: — (Optional). Display the traffic filtering configuration: display traffic behavior user-defined [ behavior-name ] (Available in any view). With filter deny configured for a traffic behavior, the other actions (except class-based accounting) in the traffic behavior do not take effect.
  • Page 471
    [DeviceA-qospolicy-policy] quit
    # Apply the policy named policy to the incoming traffic of GigabitEthernet 1/0/1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] qos apply policy policy inbound...
  • Page 472: Priority Marking Configuration

    Priority Marking Configuration When configuring priority marking, go to these sections for information you are interested in: Priority Marking Overview Configuring Priority Marking Priority Marking Configuration Example Priority Marking Overview Priority marking can be used together with priority mapping. For details, refer to Priority Mapping Table and Priority Marking Configuration Example.
  • Page 473: Priority Marking Configuration Example

    To do… / Use the command… / Remarks: Set the IP precedence for packets: remark ip-precedence ip-precedence-value (Optional). Set the local precedence for packets: remark local-precedence local-precedence (Optional). Exit behavior view: quit (—). Create a policy and enter policy view: qos policy policy-name (—). Associate the class with the behavior: classifier tcl-name behavior...
  • Page 474 Figure 7-1 Network diagram for priority marking configuration (Device with GE1/0/1 and GE1/0/2; Host A and Host B; the Internet; Data server 192.168.0.1/24, Mail server 192.168.0.2/24, File server 192.168.0.3/24). Configuration procedure. # Create advanced ACL 3000, and configure a rule to match packets with destination IP address 192.168.0.1.
  • Page 475
    [Device] traffic behavior behavior_dbserver
    [Device-behavior-behavior_dbserver] remark local-precedence 4
    [Device-behavior-behavior_dbserver] quit
    # Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior.
    [Device] traffic behavior behavior_mserver
    [Device-behavior-behavior_mserver] remark local-precedence 3
    [Device-behavior-behavior_mserver] quit
    # Create a behavior named behavior_fserver, and configure the action of setting the local precedence value to 2 for the behavior.
  • Page 476: Traffic Redirecting Configuration

    Traffic Redirecting Configuration When configuring traffic redirecting, go to these sections for information you are interested in: Traffic Redirecting Overview Configuring Traffic Redirecting Traffic Redirecting Overview Traffic Redirecting Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a certain location for processing.
  • Page 477 To do… / Use the command… / Remarks: Applying the QoS policy globally: —. Generally, the action of redirecting traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive in the same traffic behavior. You can use the display traffic behavior command to view the traffic redirecting configuration.
  • Page 478: Traffic Mirroring Configuration

    Traffic Mirroring Configuration When configuring traffic mirroring, go to these sections for information you are interested in: Traffic Mirroring Overview Configuring Traffic Mirroring Displaying and Maintaining Traffic Mirroring Traffic Mirroring Configuration Examples Traffic Mirroring Overview Traffic mirroring is the action of copying the specified packets to the specified destination for packet analyzing and monitoring.
  • Page 479: Mirroring Traffic To The Cpu

    To do… / Use the command… / Remarks: Specify the destination interface for traffic mirroring: mirror-to interface interface-type interface-number (Required). Exit behavior view: quit (—). Create a policy and enter policy view: qos policy policy-name (—). Associate the class with the traffic behavior in the QoS policy: classifier tcl-name behavior —...
  • Page 480: Displaying And Maintaining Traffic Mirroring

    Displaying and Maintaining Traffic Mirroring. To do… / Use the command… / Remarks: Display traffic behavior configuration information: display traffic behavior user-defined [ behavior-name ] (Available in any view). Display QoS policy configuration information: display qos policy user-defined [ policy-name [ classifier tcl-name ] ] (Available in any view). Traffic Mirroring Configuration Examples...
  • Page 481
    [Sysname] traffic behavior 1
    [Sysname-behavior-1] mirror-to interface GigabitEthernet 1/0/2
    [Sysname-behavior-1] quit
    # Create QoS policy 1 and associate traffic behavior 1 with class 1 in the QoS policy.
    [Sysname] qos policy 1
    [Sysname-policy-1] classifier 1 behavior 1
    [Sysname-policy-1] quit
    # Apply the QoS policy to the incoming traffic of GigabitEthernet 1/0/1.
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] qos apply policy 1 inbound
    After the configurations, you can monitor all packets sent from Host A on the data monitoring device.
  • Page 482: Class-Based Accounting Configuration

    Create a behavior and enter behavior view: traffic behavior behavior-name (Required). Configure the accounting action: accounting (Optional; the class-based accounting function on the Switch 4210G series counts traffic in number of packets). Exit behavior view: quit (—). Create a policy and enter —...
  • Page 483: Displaying And Maintaining Traffic Accounting

    Displaying and Maintaining Traffic Accounting After completing the configuration above, you can verify the configuration with the display qos policy global, display qos policy interface, or display qos vlan-policy command depending on where the QoS policy is applied. Class-Based Accounting Configuration Example Network requirements...
  • Page 484
    [DeviceA-GigabitEthernet1/0/1] quit
    # Display traffic statistics to verify the configuration.
    [DeviceA] display qos policy interface gigabitethernet 1/0/1
      Interface: GigabitEthernet1/0/1
      Direction: Inbound
      Policy: policy
       Classifier: classifier_1
         Operator: AND
         Rule(s) : If-match acl 2000
         Behavior: behavior_1
          Accounting Enable:
            28529 (Packets)
  • Page 485: User Profile Configuration

    User Profile Configuration When configuring user profile, go to these sections for information you are interested in: User Profile Overview User Profile Configuration Displaying and Maintaining User Profile User Profile Overview User profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.
  • Page 486: Creating A User Profile

    Creating a User Profile Configuration Prerequisites Before creating a user profile, you need to configure authentication parameters. User profile supports 802.1X authentication. You need to perform the related configurations (for example, username, password, authentication scheme, domain, and the binding between a user profile and a user) on the client, the device, and the authentication server.
  • Page 487: Enabling A User Profile

    When a user profile is active, you cannot configure or remove the QoS policy applied to it. The QoS policies applied in user profile view support only the remark, car, and filter actions. Do not apply an empty QoS policy in user profile view: the command is accepted, but the user profile cannot be activated.
  • Page 488: Appendix A Acronym

    Appendix A Acronym. Table 12-1 Appendix A Acronym (Acronym / Full spelling): AF Assured Forwarding; BE Best Effort; CAR Committed Access Rate; CBS Committed Burst Size; CBWFQ Class Based Weighted Fair Queuing; CE Customer Edge; CIR Committed Information Rate; CQ Custom Queuing; DAR Deeper Application Recognition; DiffServ Differentiated Service; DSCP Differentiated Services Codepoint; EACL...
  • Page 489: Appendix B Default Priority Mapping Tables

    Acronym / Full spelling: SLA Service Level Agreement; TE Traffic Engineering; ToS Type of Service; TP Traffic Policing; TS Traffic Shaping; VoIP Voice over IP; VPN Virtual Private Network; WFQ Weighted Fair Queuing; WRED Weighted Random Early Detection. Appendix B Default Priority Mapping Tables. Uncolored Priority Mapping Tables. For the default dscp-dscp priority mapping table, an input value yields a target value that is equal to it.
  • Page 490: Appendix C Introduction To Packet Precedences

    Table 12-3 The default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables. Columns: input priority value (DSCP), dscp-dp mapping (drop precedence, dp), dscp-dot1p mapping (802.1p priority, dot1p). Input DSCP rows: 0 to 7; 8 to 15; 16 to 23; 24 to 31; 32 to 39; 40 to 47; 48 to 55; 56 to 63...
  • Page 491: 802.1P Priority

    IP precedence (decimal) / IP precedence (binary) / Description: 7 111 network. Table 12-5 Description on DSCP values (DSCP value (decimal) / DSCP value (binary) / Description): 46 101110 ef; 10 001010 af11; 12 001100 af12; 14 001110 af13; 18 010010 af21; 20 010100 af22; 22 010110 af23; 26 011010 af31; 28 011100 af32; 30 011110 af33; 34 100010 af41; 36 100100...
  • Page 492 As shown in Figure 12-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 12-3 presents the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is called the 802.1p priority, because its use is defined in IEEE 802.1p.
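  The 802.1Q tag layout just described (TPID 0x8100, then a 16-bit TCI whose top three bits are the 802.1p priority) and the priority trust modes from the Priority Mapping chapter (trust the packet's 802.1p priority, trust its DSCP, or use the port priority) are exercised by the following Python example. It is added here and is not code from the 3Com manual. It parses a constructed tagged IPv4 frame, extracts the PCP and the DSCP, and shows which value the lookup starts from under each trust mode. The dscp-dot1p mapping used is the default the manual's Table 12-3 ranges imply (DSCP 0-7 to 0, 8-15 to 1, and so on); the trust mode names "dot1p", "dscp" and "port" and the MAC/IP addresses are the example's own.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_dot1q(frame: bytes):
    """Return (pcp, dei, vid) from an 802.1Q tag, or None for an untagged frame.
    TCI: 3-bit PCP (the 802.1p priority), 1-bit DEI/CFI, 12-bit VID."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet + 802.1Q header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def ipv4_dscp(frame: bytes):
    """DSCP (upper 6 bits of the IPv4 ToS byte), or None if not IPv4."""
    off = 18 if parse_dot1q(frame) is not None else 14   # start of IP header
    ethertype = struct.unpack("!H", frame[off - 2:off])[0]
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    return frame[off + 1] >> 2


def dscp_to_dot1p(dscp: int) -> int:
    """Default dscp-dot1p mapping assumed from Table 12-3: 0-7 -> 0 ... 56-63 -> 7."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return dscp >> 3


def trusted_priority(frame: bytes, trust_mode: str, port_priority: int):
    """Value the priority-mapping lookup starts from under the port's trust mode.
    Returns (kind, value); kind is 'dot1p' or 'dscp'. When the trusted field is
    absent, the port priority stands in as the 802.1p priority."""
    if trust_mode == "dot1p":
        tag = parse_dot1q(frame)
        return ("dot1p", tag[0]) if tag else ("dot1p", port_priority)
    if trust_mode == "dscp":
        dscp = ipv4_dscp(frame)
        return ("dscp", dscp) if dscp is not None else ("dot1p", port_priority)
    if trust_mode == "port":
        return ("dot1p", port_priority)
    raise ValueError(f"unknown trust mode {trust_mode!r}")


def build_frame(pcp: int, vid: int, dscp: int, tagged: bool = True) -> bytes:
    """Constructed test frame: Ethernet header, optional 802.1Q tag, minimal IPv4 header."""
    eth = bytes.fromhex("00005e0001ff") + bytes.fromhex("0050560000aa")   # dst, src
    tag = (struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
           if tagged else b"")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    # A host marks its own traffic PCP 5 / DSCP 46 (EF) on VLAN 100.
    f = build_frame(pcp=5, vid=100, dscp=46)
    print("tag:", parse_dot1q(f), "dscp:", ipv4_dscp(f))
    for mode in ("dot1p", "dscp", "port"):
        print(f"trust {mode:5}:", trusted_priority(f, mode, port_priority=0))
```

  The security point the example makes explicit: with trust dot1p or trust dscp on a user-facing port, the sender chooses its own queue (PCP 5 or DSCP 46 here), so an untrusted host can place itself in the voice or control queue. On such ports the port-priority mode, which ignores the packet's markings, is the safe default, and trust should be enabled only on links to devices that are themselves authorised to mark traffic.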
  • Page 494 Table of Contents
    1 AAA Configuration 1-1
    Introduction to AAA 1-1
    Introduction to RADIUS 1-2
    Client/Server Model 1-2
    Security and Authentication Mechanisms 1-3
    Basic Message Exchange Process of RADIUS 1-3
    RADIUS Packet Format 1-4
    Extended RADIUS Attributes 1-7
    Introduction to HWTACACS 1-7
    Differences Between HWTACACS and RADIUS 1-8
    Basic Message Exchange Process of HWTACACS 1-8
    Protocols and Standards 1-10
    AAA Configuration Task List 1-10...
  • Page 495: Configuration Procedure

    Specifying the HWTACACS Authorization Servers 1-32
    Specifying the HWTACACS Accounting Servers 1-32
    Setting the Shared Key for HWTACACS Packets 1-33
    Configuring Attributes Related to the Data Sent to HWTACACS Server 1-33
    Setting Timers Regarding HWTACACS Servers 1-34
    Displaying and Maintaining HWTACACS 1-35
    AAA Configuration Examples 1-35
    AAA for Telnet Users by a HWTACACS Server 1-35
    AAA for Telnet Users by Separate Servers 1-37
    AAA for SSH Users by a RADIUS Server 1-38...
  • Page 496 Configuring HABP ···································································································································4-2 Configuring the HABP Server··········································································································4-2 Configuring an HABP Client ············································································································4-3 Displaying and Maintaining HABP ··········································································································4-3 HABP Configuration Example·················································································································4-3 5 MAC Authentication Configuration··········································································································5-1 MAC Authentication Overview ················································································································5-1 RADIUS-Based MAC Authentication·······························································································5-1 Local MAC Authentication ···············································································································5-1 Related Concepts····································································································································5-2 MAC Authentication Timers·············································································································5-2 Quiet MAC Address·························································································································5-2 VLAN Assigning·······························································································································5-2 ACL Assigning ·································································································································5-2...
  • Page 497 Configuring the macAddressElseUserLoginSecure Mode ····························································6-17 Troubleshooting Port Security···············································································································6-19 Cannot Set the Port Security Mode·······························································································6-19 Cannot Configure Secure MAC Addresses···················································································6-20 Cannot Change Port Security Mode When a User Is Online ························································6-20 7 IP Source Guard Configuration················································································································7-1 IP Source Guard Overview ·····················································································································7-1 Configuring a Static Binding Entry ··········································································································7-1 Configuring Dynamic Binding Function···································································································7-2 Displaying and Maintaining IP Source Guard ·························································································7-3...
  • Page 498 Establishing a Connection to the SFTP Server···············································································9-2 Working with the SFTP Directories ·································································································9-3 Working with SFTP Files ·················································································································9-4 Displaying Help Information ············································································································9-4 Terminating the Connection to the Remote SFTP Server·······························································9-5 SFTP Client Configuration Example ·······································································································9-5 SFTP Server Configuration Example······································································································9-9 10 PKI Configuration ··································································································································10-1 Introduction to PKI·································································································································10-1 PKI Overview·································································································································10-1 PKI Terms······································································································································10-1...
  • Page 499 Troubleshooting SSL·····························································································································11-6 SSL Handshake Failure·················································································································11-6 12 Public Key Configuration······················································································································12-1 Asymmetric Key Algorithm Overview····································································································12-1 Basic Concepts······························································································································12-1 Key Algorithm Types ·····················································································································12-1 Asymmetric Key Algorithm Applications························································································12-2 Configuring the Local Asymmetric Key Pair··························································································12-2 Creating an Asymmetric Key Pair ·································································································12-2 Displaying or Exporting the Local RSA or DSA Host Public Key ··················································12-3 Destroying an Asymmetric Key Pair······························································································12-3 Configuring the Public Key of a Peer ····································································································12-3 Displaying and Maintaining Public Keys ·······························································································12-4...
  • Page 500 Configuration Prerequisites ···········································································································14-6 Configuration Procedure················································································································14-6 Configuration Example ··················································································································14-7 Copying an IPv4 ACL····························································································································14-7 Configuration Prerequisites ···········································································································14-7 Configuration Procedure················································································································14-7 Displaying and Maintaining IPv4 ACLs ·································································································14-8 IPv4 ACL Configuration Example ·········································································································14-8 Network Requirements ··················································································································14-8 Configuration Procedure················································································································14-9 15 IPv6 ACL Configuration ························································································································15-1 Creating a Time Range ·························································································································15-1 Configuring a Basic IPv6 ACL···············································································································15-1 Configuration Prerequisites ···········································································································15-1 Configuration Procedure················································································································15-1...
  • Page 501: Aaa Configuration

    AAA Configuration When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Introduction to HWTACACS Protocols and Standards AAA Configuration Task List Configuring AAA Configuring RADIUS Configuring HWTACACS AAA Configuration Examples Troubleshooting AAA Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring...
  • Page 502: Introduction To Radius

    requirements. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting. The three security functions are described as follows: Authentication: Identifies remote users and determines whether a user is legitimate. Authorization: Grants different users different rights. For example, a user logging into the server can be granted the permission to access and print the files on the server.
  • Page 503: Security And Authentication Mechanisms

    Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses. Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values. Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
  • Page 504: Radius Packet Format

    The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server. The user password is not sent in the clear: it is hidden by XORing it with a Message-Digest 5 (MD5) hash computed over the shared key and the 16-byte Request Authenticator of the packet. RFC 2865 calls this encryption, but it is an obfuscation keyed only by the shared key, so the path between the NAS and the RADIUS server still needs to be trusted or tunneled.
  • Page 505 RADIUS packet types (Code / Packet type / Description)

    Code 2, Access-Accept: From the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
    Code 3, Access-Reject: From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and sends an Access-Reject response.
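The Access-Request/Access-Accept exchange described on the preceding pages, worked through in code. This is an added example and not code from the 3Com manual or from any 3Com product: it implements the RFC 2865 packet header, the Type/Length/Value attribute encoding, the User-Password hiding (MD5 over shared key plus Request Authenticator, XORed block by block), the Response Authenticator the NAS must verify before trusting an Access-Accept, and the user-name-format choice (with-domain or without-domain) that the chapter later describes. The shared key expert, the user hello@bbb, the NAS address 10.1.1.2 and the fixed Request Authenticator are constructed sample values; all function names are this example's own.

```python
"""RFC 2865 Access-Request / Access-Accept handling between a NAS (RADIUS client)
and a RADIUS server. Added example, not code from the 3Com manual. Names, the
shared key, the username and the Request Authenticator are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def nas_username(username: str, with_domain: bool) -> str:
    """user-name-format: with-domain sends 'hello@bbb' unchanged, without-domain
    strips the ISP domain for servers that cannot parse it."""
    return username if with_domain else username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to a multiple of 16 octets; block i is XORed with
    MD5(secret + c(i-1)), c(0) being the Request Authenticator. Only hashes of
    the shared key reach the wire, never the key itself."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + cipher, cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same chain; the zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """Attribute: Type (1) | Length (1, counting the header) | Value (<= 253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: Optional[bytes] = None,
                         with_domain: bool = True) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | Attributes.
    The Request Authenticator must be fresh and unpredictable per request; reusing
    one lets an observer recover the password mask."""
    request_auth = request_auth or os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, nas_username(username, with_domain).encode())
    attrs += tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    attrs += tlv(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator before acting on a reply.
    A reply built without the shared key, or replayed against a different
    request, fails here and must be dropped."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """NAS builds the request, the server recovers the password and answers,
    the NAS accepts the genuine reply and rejects one built with a wrong key."""
    secret = b"expert"                 # constructed, as set with 'key authentication expert'
    req_auth = bytes(range(16))        # fixed only so the run is reproducible
    req = build_access_request(7, "hello@bbb", "hello", secret, "10.1.1.2", req_auth)
    attrs = parse_attributes(req[20:])
    recovered = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    reply = tlv(ATTR_REPLY_MESSAGE, b"welcome")
    accept = build_response(CODE_ACCESS_ACCEPT, 7, reply, req_auth, secret)
    forged = build_response(CODE_ACCESS_ACCEPT, 7, reply, req_auth, b"guess")
    return (attrs[ATTR_USER_NAME], recovered,
            verify_response(accept, req_auth, secret), verify_response(forged, req_auth, secret))


if __name__ == "__main__":
    print(demo())
```

Run it and demo() returns (b'hello@bbb', b'hello', True, False): the server recovers the password from the hidden attribute, the genuine Access-Accept verifies, and the one built with the wrong shared key does not. The same verify_response check applies to Access-Reject and Access-Challenge; an unverified Access-Accept is exactly what a spoofing host on the NAS-to-server path would send.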
  • Page 506 Table 1-2 RADIUS attributes (continued)

    No.  Attribute              No.    Attribute
    8    Framed-IP-Address      52     Acct-Input-Gigawords
    9    Framed-IP-Netmask      53     Acct-Output-Gigawords
    10   Framed-Routing         54     (unassigned)
    11   Filter-ID              55     Event-Timestamp
    12   Framed-MTU             56-59  (unassigned)
    13   Framed-Compression     60     CHAP-Challenge
    14   Login-IP-Host          61     NAS-Port-Type
    15   Login-Service          62     Port-Limit
    16   Login-TCP-Port         63     Login-LAT-Port
    17   (unassigned)           64     Tunnel-Type
    18   Reply-Message          65     Tunnel-Medium-Type
    19   Callback-Number        66     Tunnel-Client-Endpoint
    20   Callback-ID            67     Tunnel-Server-Endpoint
    21   (unassigned)           68     Acct-Tunnel-Connection
    22   Framed-Route           69     Tunnel-Password
    23   Framed-IPX-Network     70     ARAP-Password
    24   State                  71     ARAP-Features
    25   Class                  72     ARAP-Zone-Access
    26   Vendor-Specific        73     ARAP-Security
    27   Session-Timeout        74     ARAP-Security-Data
    ...
  • Page 507: Extended Radius Attributes

    (Table 1-2, last row) Acct-Session-Id / Tunnel-Server-Auth-Id
    The attribute types listed in Table 1-2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2868. Extended RADIUS Attributes The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), defined by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide.
  • Page 508: Differences Between Hwtacacs And Radius

    Differences Between HWTACACS and RADIUS HWTACACS and RADIUS have many common features, like implementing AAA, using a client/server model, using shared keys for user information security and having good flexibility and extensibility. Meanwhile, they also have differences, as listed in Table 1-3.
  • Page 509 Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (Host, HWTACACS client, HWTACACS server)

    1) The user logs in
    2) Start-authentication packet
    3) Authentication response requesting the username
    4) Request for username
    5) The user inputs the username
    6) Authentication continuance packet with the username
    7) Authentication response requesting the login...
  • Page 510: Protocols And Standards

    13) The HWTACACS client sends the user authorization request packet to the HWTACACS server.
    14) The HWTACACS server sends back the authorization response, indicating that the user is authorized now.
    15) Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the NAS to the user.
  • Page 511: Radius Configuration Task List

    AAA Configuration Task List (Task / Remarks)
    Creating an ISP Domain: Required
    Configuring ISP Domain Attributes: Optional
    Configuring AAA Authentication Methods for an ISP Domain: Required. For local authentication, refer to Configuring Local User Attributes. For RADIUS authentication, refer to Configuring RADIUS.
  • Page 512: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List (Task / Remarks)
    Creating a HWTACACS scheme: Required
    Specifying the HWTACACS Authentication Servers: Required
    Specifying the HWTACACS Authorization Servers: Optional
    Specifying the HWTACACS Accounting Servers: Optional
    Setting the Shared Key for HWTACACS Packets: Required
    Configuring Attributes Related to the Data Sent to HWTACACS Server: Optional
    Setting Timers Regarding HWTACACS Servers: Optional...
  • Page 513: Configuring Isp Domain Attributes

    For the NAS, each user belongs to an ISP domain. Up to 16 ISP domains can be configured on a NAS. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
  • Page 514: Configuring Aaa Authentication Methods For An Isp Domain

    A self-service RADIUS server, for example, iMC, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Configuring AAA Authentication Methods for an ISP Domain In AAA, authentication, authorization, and accounting are separate processes.
  • Page 515: Configuring Aaa Authorization Methods For An Isp Domain

    To do… / Use the command… / Remarks
    Specify the default authentication method for all types of users: authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } (Optional; local by default)
    Specify the authentication method for LAN access users: authentication lan-access { local | none | radius-scheme...
  • Page 516 response after successful authentication. You can configure local authorization or no authorization as the backup method in case the remote server is not available. By default, an ISP domain uses the local authorization method. If the no authorization method (none) is configured, the users are not required to be authorized, in which case an authenticated user has the default right.
  • Page 517: Configuring Aaa Accounting Methods For An Isp Domain

    The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS authentication scheme.
  • Page 518 To do… Use the command… Remarks Enter system view — system-view Create an ISP domain and Required domain isp-name enter ISP domain view Optional Enable the accounting optional accounting optional feature Disabled by default accounting default { hwtacacs-scheme Optional Specify the default accounting hwtacacs-scheme-name method for all types of users [ local ] | local | none |...
  • Page 519: Configuring Local User Attributes

    Configuring Local User Attributes For local authentication, you need to create local users and configure user attributes on the device as needed. A local user represents a set of user attributes configured on a device, and such a user set is uniquely identified by the username.
  • Page 520: Configuring User Group Attributes

    To do… / Use the command… / Remarks
    Configure the binding attributes for the local user: bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number subslot-number port-number | mac mac-address (Optional; by default, no binding attribute is configured for a local user.)
  • Page 521: Tearing Down User Connections Forcibly

    management of user attributes for the local users in the group. Currently, you can configure password control attributes and authorization attributes for a user group. By default, every newly added local user belongs to the user group of system and bears all attributes of the group.
  • Page 522: Configuring Radius

    To do… / Use the command… / Remarks
    Display information about specified or all local users: display local-user [ idle-cut { disable | enable } | service-type { ftp | lan-access | ssh | telnet | terminal } | state { active | block } | user-name user-name | vlan vlan-id ] [ slot slot-number ] (Available in any view)
    Display configuration...
  • Page 523: Specifying The Radius Authentication/Authorization Servers

    Specifying the RADIUS Authentication/Authorization Servers
    Follow these steps to specify the RADIUS authentication/authorization servers:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Create a RADIUS scheme and enter RADIUS scheme view: radius scheme radius-scheme-name (Required; not defined by default)
    Specify the primary RADIUS... (Required)...
  • Page 524: Setting The Shared Key For Radius Packets

    To do… / Use the command… / Remarks
    Set the maximum number of stop-accounting request transmission attempts: retry stop-accounting retry-times (Optional; 500 by default)
    Set the maximum number of real-time accounting request transmission attempts: retry realtime-accounting retry-times (Optional; 5 by default)
    It is recommended to specify only the primary RADIUS accounting server if backup is not required.
  • Page 525: Setting The Upper Limit Of Radius Request Retransmission Attempts

    The shared key configured on the device must be the same as that configured on the RADIUS server. Setting the Upper Limit of RADIUS Request Retransmission Attempts Because RADIUS uses UDP packets to carry data, the communication process is not reliable. If a NAS receives no response from the RADIUS server before the response timeout timer expires, it retransmits the RADIUS request.
  • Page 526: Setting The Status Of Radius Servers

    If you change the RADIUS server type, the unit for data flows and the unit for packets sent to the RADIUS server are restored to the defaults. When a third-party RADIUS server is used, you can set the server type to standard or extended. When an iMC server is used, you must set the server type to extended. Setting the Status of RADIUS Servers When a primary server fails, the device automatically tries to communicate with the secondary server.
  • Page 527: Configuring Attributes Related To Data To Be Sent To The Radius Server

    If both the primary server and the secondary server are in the blocked state, it is necessary to manually turn the secondary server to the active state so that the secondary server can perform authentication. If the secondary server is still in the blocked state, the primary/secondary switchover cannot take place.
  • Page 528: Setting Timers Regarding Radius Servers

    Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the device must remove the domain name before sending a username including a domain name. You can configure the user-name-format without-domain command on the device for this purpose.
  • Page 529: Specifying A Security Policy Server

    To do… / Use the command… / Remarks
    Set the real-time accounting timer: timer realtime-accounting minutes (Optional; 12 minutes by default)
    The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75. This product, in seconds, is also the upper limit on how long the access modules that use the scheme wait for a response.
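The primary/secondary server handling described over the last few pages (automatic failover when the primary does not answer, the blocked state and the quiet timer, the case where both servers are blocked and an operator must set one active, and the rule that retransmission attempts multiplied by the response timeout must not exceed 75) is easy to get wrong in an operations runbook, so here it is as a small state model. This is an added example and not code from the 3Com manual: the class and method names are this example's own, the addresses 10.1.1.1 and 10.1.1.3 are constructed, and the defaults used for retry, response-timeout and the quiet timer are assumed values to check against your release.

```python
"""Primary/secondary RADIUS server selection with the active/block states and the
timer constraint described in this chapter. Added example, not code from the
3Com manual: names are this example's own, the addresses are constructed and the
retry/response-timeout/quiet defaults are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    ip: str
    port: int = 1812
    state: str = "active"              # "active" or "block"
    blocked_at: Optional[float] = None  # when the quiet timer started


@dataclass
class RadiusScheme:
    name: str
    primary: Server
    secondary: Optional[Server] = None
    response_timeout: int = 3          # timer response-timeout, seconds (assumed default)
    retry: int = 3                     # retry retry-times (assumed default)
    quiet: int = 5                     # timer quiet, minutes (assumed default)

    def max_wait(self) -> int:
        """retry x response-timeout is the longest one login waits on one server.
        The manual caps it at 75 and says the product also bounds the access
        modules' own timeouts, so reject a configuration that exceeds it."""
        total = self.retry * self.response_timeout
        if total > 75:
            raise ValueError(f"retry * response-timeout = {total}s exceeds the 75 s limit")
        return total

    def select(self, now: float) -> Optional[Server]:
        """Server for the next request. A blocked server returns to active when
        its quiet timer expires. If primary and secondary are both blocked,
        nothing is returned: an operator must set one active by hand."""
        for srv in (self.primary, self.secondary):
            if srv is None:
                continue
            if (srv.state == "block" and srv.blocked_at is not None
                    and now - srv.blocked_at >= self.quiet * 60):
                srv.state, srv.blocked_at = "active", None
            if srv.state == "active":
                return srv
        return None

    def on_no_response(self, srv: Server, now: float) -> None:
        """All `retry` retransmissions went unanswered (UDP gives no other
        signal): block the server and start its quiet timer."""
        srv.state, srv.blocked_at = "block", now

    def set_state(self, which: str, state: str, now: float) -> None:
        """Operator action, the equivalent of the state primary/secondary command."""
        srv = self.primary if which == "primary" else self.secondary
        if srv is None:
            raise ValueError(f"no {which} server configured")
        srv.state = state
        srv.blocked_at = now if state == "block" else None


def simulate() -> List[Optional[str]]:
    """Which server each request goes to across a double failure and recovery."""
    scheme = RadiusScheme("rad", Server("10.1.1.1"), Server("10.1.1.3"))
    scheme.max_wait()
    trace: List[Optional[str]] = []
    srv = scheme.select(0.0)                       # primary is tried first
    trace.append(srv.ip)
    scheme.on_no_response(srv, 0.0)                # primary unreachable
    srv = scheme.select(1.0)                       # failover to the secondary
    trace.append(srv.ip)
    scheme.on_no_response(srv, 1.0)                # secondary unreachable too
    srv = scheme.select(2.0)                       # both blocked: no server
    trace.append(srv.ip if srv else None)
    scheme.set_state("secondary", "active", 2.0)   # manual recovery
    trace.append(scheme.select(3.0).ip)
    trace.append(scheme.select(301.0).ip)          # primary back after the 5 min quiet timer
    return trace


if __name__ == "__main__":
    print(simulate())
```

simulate() returns ['10.1.1.1', '10.1.1.3', None, '10.1.1.3', '10.1.1.1']. The None in the middle is the situation the manual warns about: with both servers blocked no login can be authenticated until someone sets a server active, so the timers and a monitoring alert on the blocked state matter as much as the server addresses.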
  • Page 530: Enabling The Listening Port Of The Radius Client

    You can specify up to eight security policy servers for a RADIUS scheme. Enabling the Listening Port of the RADIUS Client Follow these steps to enable the listening port of the RADIUS client: To do… Use the command… Remarks Enter system view —...
  • Page 531: Creating A Hwtacacs Scheme

    Creating a HWTACACS scheme The HWTACACS protocol is configured on a per scheme basis. Before performing other HWTACACS configurations, follow these steps to create a HWTACACS scheme and enter HWTACACS scheme view: To do… Use the command… Remarks Enter system view —...
  • Page 532: Specifying The Hwtacacs Authorization Servers

    Specifying the HWTACACS Authorization Servers
    Follow these steps to specify the HWTACACS authorization servers:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Create a HWTACACS scheme and enter HWTACACS scheme view: hwtacacs scheme hwtacacs-scheme-name (Required; not defined by default)
    Specify the primary... (Required)...
  • Page 533: Setting The Shared Key For Hwtacacs Packets

    It is recommended to specify only the primary HWTACACS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary accounting servers cannot be the same. Otherwise, the configuration fails.
  • Page 534: Setting Timers Regarding Hwtacacs Servers

    To do… / Use the command… / Remarks
    Specify the unit for data flows or packets to be sent to a HWTACACS server: data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet |... (Optional; the defaults are as follows: byte for data flows, and...
  • Page 535: Aaa Configuration Examples

    For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. Note that if the device does not receive any response to the information, it does not disconnect the online users forcibly. The real-time accounting interval must be a multiple of 3.
  • Page 536 Figure 1-7 Configure AAA for Telnet users by a HWTACACS server (Telnet user, Switch, Internet, Authentication/Accounting server 10.1.1.1/24)

    Configuration procedure
    # Configure the IP addresses of the interfaces (omitted).
    # Enable the Telnet server on the switch.
    <Switch> system-view
    [Switch] telnet server enable
    # Configure the switch to use AAA for Telnet users.
  • Page 537: Aaa For Telnet Users By Separate Servers

    AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1-8, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services to Telnet users. The user name and the password for Telnet users are both hello. The HWTACACS server is used for authorization.
  • Page 538: Aaa For Ssh Users By A Radius Server

    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit
    # Configure the RADIUS scheme.
    [Switch] radius scheme rd
    [Switch-radius-rd] primary accounting 10.1.1.1 1813
    [Switch-radius-rd] key accounting expert
    [Switch-radius-rd] server-type extended
    [Switch-radius-rd] user-name-format without-domain
    [Switch-radius-rd] quit
    # Create a local user named hello.
    [Switch] local-user hello
    [Switch-luser-hello] service-type telnet
    [Switch-luser-hello] password simple hello
    [Switch-luser-hello] quit...
    Note that password simple stores the password in plain text in the configuration file, so anyone who can read or back up the configuration can read it.
  • Page 539
    Specify the ports for authentication and accounting as 1812 and 1813 respectively
    Select Device Management Service as the service type
    Select 3Com as the access device type
    Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
  • Page 540 Figure 1-10 Add an access device

    # Add a user for device management
    Log into the iMC management platform, select the User tab, and select Access User View > Device Mgmt User from the navigation tree to enter the Device Management User page. Then, click Add to enter the Add Device Management User window and perform the following configurations:
    Add a user named hello@bbb and specify the password
    Select SSH as the service type...
  • Page 541 Figure 1-11 Add an account for device management

    Configure the switch
    # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch.
    <Switch> system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-interface2] quit
    # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 542: Troubleshooting Aaa

    [Switch-ui-vty0-4] quit
    # Configure the RADIUS scheme.
    [Switch] radius scheme rad
    [Switch-radius-rad] primary authentication 10.1.1.1 1812
    [Switch-radius-rad] primary accounting 10.1.1.1 1813
    [Switch-radius-rad] key authentication expert
    [Switch-radius-rad] key accounting expert
    [Switch-radius-rad] user-name-format with-domain
    [Switch-radius-rad] quit
    # Configure the AAA methods for the domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad...
  • Page 543: Troubleshooting Hwtacacs

    11) The communication link between the NAS and the RADIUS server is down (at the physical layer and data link layer).
    12) The NAS is not configured with the IP address of the RADIUS server.
    13) The UDP ports for authentication/authorization and accounting are not correct.
    14) The port numbers of the RADIUS server for authentication, authorization and accounting are being used by other applications.
  • Page 544: 802.1X Configuration

    802.1X Configuration When configuring 802.1X, go to these sections for information you are interested in: 802.1X Overview Configuring 802.1X Configuring an 802.1X Port-based Guest VLAN 802.1X Configuration Example Guest VLAN and VLAN Assignment Configuration Example ACL Assignment Configuration Example 802.1X Overview The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee for the security of wireless LANs (WLANs).
  • Page 545: Authentication Modes Of 802.1X

    Figure 2-1 Architecture of 802.1X Client: An entity to be authenticated by the device residing on the same LAN. A client is usually a user-end device and initiates 802.1X authentication through 802.1X client software supporting the EAP over LANs (EAPOL) protocol. Device: The entity that authenticates connected clients residing on the same LAN.
  • Page 546: Eap Over Lans

    Figure 2-2 Authorized/unauthorized status of a controlled port You can set the access control mode of a specified port to control the authorization status. The access control modes include: authorized-force: Places the port in the authorized state, allowing users of the ports to access the network without authentication.
  • Page 547 Figure 2-3 EAPOL frame format PAE Ethernet type: Protocol type. It takes the value 0x888E. Protocol version: Version of the EAPOL protocol supported by the EAPOL frame sender. Type: Type of the EAPOL frame. Table 2-1 lists the types that the device currently supports. Table 2-1 Types of EAPOL frames Type Description...
  • Page 548: Eap Over Radius

    the packet is for querying the identity of the client. A value of 4 represents MD5-Challenge, which corresponds closely to the PPP CHAP protocol. Figure 2-5 Format of the Data field in an EAP request/response packet Identifier: Allows matching of responses with requests. Length: Length of the EAP packet, including the Code, Identifier, Length, and Data fields, in bytes.
  • Page 549: Authentication Process Of 802.1X

    Unsolicited triggering of a client A client initiates authentication by sending an EAPOL-Start frame to the device. The destination address of the frame is 01-80-C2-00-00-03, the multicast address specified by the IEEE 802.1X protocol. Some devices in the network may not forward multicast frames with this destination address, so the authenticating device never receives the client's authentication request.
  • Page 550 Figure 2-8 Message exchange in EAP relay mode (Client, Device, Server; EAPOL between client and device, EAPOR between device and server)

    Client -> Device: EAPOL-Start
    Device -> Client: EAP-Request / Identity
    Client -> Device: EAP-Response / Identity
    Device -> Server: RADIUS Access-Request (EAP-Response / Identity)
    Server -> Device: RADIUS Access-Challenge (EAP-Request / MD5 challenge)
    Device -> Client: EAP-Request / MD5 challenge
    Client -> Device: EAP-Response / MD5 challenge
    Device -> Server: RADIUS Access-Request (EAP-Response / MD5 challenge)
    Server -> Device: RADIUS Access-Accept (EAP-Success)
  • Page 551 10) When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a RADIUS Access-Accept packet.
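The EAPOL and EAP formats from Figures 2-3 and 2-5 and the client-side legs of the relay-mode exchange in Figure 2-8, including the MD5-Challenge comparison that step 10 describes on the server. This is an added example and not code from the 3Com manual or any 3Com product: it builds the EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity and MD5-Challenge frames, parses them strictly (PAE Ethernet type 0x888E, version, type, length), and verifies a response the way an EAP-MD5 server does, with MD5(Identifier | password | challenge) as defined in RFC 3748 section 5.4 and the same construction as PPP CHAP. The MAC addresses, the username and password hello, and the challenge bytes are constructed; the RADIUS legs between device and server are omitted.

```python
"""EAPOL/EAP frames for the 802.1X exchange of Figures 2-3, 2-5 and 2-8, and
the MD5-Challenge check the server runs. Added example, not code from the 3Com
manual: MAC addresses, credentials and the challenge are constructed values."""
import hashlib
import hmac
import struct
from typing import List, Tuple

PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 01-80-C2-00-00-03
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Ethernet dst/src | PAE Ethernet type 0x888E | EAPOL version, type, length | body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP packet: Code | Identifier | Length of the whole packet | [Type | Type-Data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("request/response without a Type field")
        eap["type"], eap["data"] = pkt[4], pkt[5:length]
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Strict parse: a device that is lax here relays junk on to the RADIUS server."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype, version, eapol_type, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length exceeds the frame")
    info = {"dst": frame[:6], "src": frame[6:12], "version": version, "type": eapol_type}
    if eapol_type == EAPOL_EAP_PACKET:
        info["eap"] = parse_eap(body)
    return info


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 5.4), the same construction as PPP CHAP:
    MD5(Identifier | password | challenge). The password itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def md5_type_data(value: bytes, name: bytes = b"") -> bytes:
    """Type-Data of an MD5-Challenge request or response: Value-Size | Value | Name."""
    return bytes([len(value)]) + value + name


def server_check(eap: dict, challenge: bytes, password: bytes) -> bool:
    """Step 10 of the exchange: recompute the hash over the challenge that was
    issued and compare it with the value the client sent."""
    if eap.get("code") != EAP_RESPONSE or eap.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    data = eap["data"]
    if not data or len(data) < 1 + data[0]:
        return False
    return hmac.compare_digest(data[1:1 + data[0]],
                               md5_challenge_value(eap["id"], password, challenge))


def run_exchange(client_mac: bytes, device_mac: bytes, username: bytes, password: bytes,
                 challenge: bytes) -> Tuple[List[dict], bool]:
    """EAPOL legs of Figure 2-8: EAPOL-Start, Request/Identity, Response/Identity,
    Request/MD5 challenge, Response/MD5 challenge. The client always sends to the
    PAE group address; the device answers the client's unicast address."""
    frames = [
        build_eapol(PAE_GROUP_ADDRESS, client_mac, EAPOL_START),
        build_eapol(client_mac, device_mac, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        build_eapol(PAE_GROUP_ADDRESS, client_mac, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, username)),
        build_eapol(client_mac, device_mac, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE, md5_type_data(challenge))),
    ]
    answer = md5_challenge_value(2, password, challenge)
    frames.append(build_eapol(PAE_GROUP_ADDRESS, client_mac, EAPOL_EAP_PACKET,
                              build_eap(EAP_RESPONSE, 2, EAP_TYPE_MD5_CHALLENGE,
                                        md5_type_data(answer, username))))
    parsed = [parse_eapol(f) for f in frames]
    return parsed, server_check(parsed[-1]["eap"], challenge, password)


if __name__ == "__main__":
    frames, ok = run_exchange(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                              b"hello", b"hello", bytes(range(16)))
    print([f["type"] for f in frames], ok)
```

The Identifier ties each response to the request it answers, which is why server_check hashes the response's own identifier rather than a fixed one; a response carrying a stale identifier, a wrong password or a value computed for another challenge all fail the compare. Note that EAP-MD5 gives the client no way to authenticate the network and derives no keys, which is why the page later treats it as the basic method rather than the only one.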
  • Page 552: 802.1X Timers

    Figure 2-9 Message exchange in EAP termination mode (Client, Device, Server; EAPOL between client and device, EAPOR between device and server)
    Client -> Device: EAPOL-Start
    Device -> Client: EAP-Request / Identity
    Client -> Device: EAP-Response / Identity
    Device -> Client: EAP-Request / MD5 challenge
    Client -> Device: EAP-Response / MD5 challenge
    Device -> Server: RADIUS Access-Request (CHAP-Response / MD5 challenge)
    Server -> Device: RADIUS Access-Accept (CHAP-Success)
    Device -> Client: EAP-Success
    Port authorized
    Handshake timer: Device -> Client: Handshake request [ EAP-Request / Identity ]...
  • Page 553: Extensions To 802.1X

    Handshake timer (handshake-period): After a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers that the client is offline.
  • Page 554 The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the initial VLAN of the port. For details about VLAN configuration, refer to VLAN Configuration in the Access Volume.
  • Page 555: Configuring 802.1X

    the handshake packet for the maximum number of times, which is set by the dot1x retry command, the device will set the user state to offline. The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device.
  • Page 556 To do… Use the command… Remarks Set the port dot1x port-control access control Optional { authorized-force | auto | mode for unauthorized-force } auto by default specified or all [ interface interface-list ] ports Set the port access control dot1x port-method Optional Set the port method for...
  • Page 557: Configuring 802.1X For A Port

    Configuring 802.1X for a Port
    Enabling 802.1X for a port
    Follow these steps to enable 802.1X for a port:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Enable 802.1X for a port, in system view: dot1x interface interface-list (Required; use either approach)
    Enable 802.1X for a port, in interface view: interface interface-type...
  • Page 558: Configuring An 802.1X Port-Based Guest Vlan

    information about the user-name-format command, refer to AAA Commands in the Security Volume. If the username of a client contains the version number or one or more blank spaces, you can neither retrieve information nor disconnect the client by using the username. However, you can use items such as IP address and connection index number to do so.
  • Page 559: X Configuration Example

    If the data flows from a user-side device carry VLAN tags, and 802.1X and guest VLAN are enabled on the access port, it is recommended that you configure different VLAN IDs for the voice VLAN, the default port VLAN, and the guest VLAN of 802.1X. Displaying and Maintaining 802.1X To do…...
  • Page 560 Figure 2-10 Network diagram for 802.1X configuration Configuration procedure The following configuration procedure covers most AAA/RADIUS configuration commands for the device, while configuration on the 802.1X client and RADIUS server are omitted. For information about AAA/RADIUS configuration commands, refer to AAA Configuration in the Security Volume. # Configure the IP addresses for each interface.
  • Page 561: Guest Vlan And Vlan Assignment Configuration Example

    # Set the interval for the device to retransmit packets to the RADIUS server and the maximum number of transmission attempts.
    [Device-radius-radius1] timer response-timeout 5
    [Device-radius-radius1] retry 5
    # Set the interval for the device to send real time accounting packets to the RADIUS server.
    [Device-radius-radius1] timer realtime-accounting 15
    # Specify the device to remove the domain name of any username before passing the username to the RADIUS server.
  • Page 562 As shown in Figure 2-12: On port GigabitEthernet 1/0/2, enable 802.1X and set VLAN 10 as the guest VLAN of the port. If the device sends an EAP-Request/Identity packet from the port for the maximum number of times but still receives no response, the device adds the port to its guest VLAN. In this case, the host and the update server are both in VLAN 10, so that the host can access the update server and download the 802.1X client.
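A model of the port behaviour described above (guest VLAN after unanswered EAP-Request/Identity packets, the assigned VLAN taking precedence over the initial VLAN while the user is online, return to the initial VLAN on logoff, and the handshake timer declaring a silent client offline). This is an added example, not code from the manual or from 3Com; the class and method names are illustrative, and `retry` and `handshake_period` stand in for the dot1x retry and handshake-period settings.

```python
# Added example, not from the 3Com manual: how an 802.1X port moves between its
# initial VLAN, the guest VLAN and a RADIUS-assigned VLAN, and how the handshake
# timer detects an offline client. Names are illustrative.
from typing import Optional


class Dot1xPort:
    def __init__(self, initial_vlan: int, guest_vlan: Optional[int] = None,
                 retry: int = 2, handshake_period: int = 15):
        self.initial_vlan = initial_vlan
        self.guest_vlan = guest_vlan
        self.retry = retry                        # dot1x retry: max sends of one request
        self.handshake_period = handshake_period  # dot1x timer handshake-period (seconds)
        self.identity_requests_unanswered = 0
        self.handshakes_unanswered = 0
        self.in_guest_vlan = False
        self.authorized = False
        self.assigned_vlan: Optional[int] = None

    @property
    def active_vlan(self) -> int:
        """The assigned VLAN outranks the initial VLAN while the user is online;
        the guest VLAN applies only to an unauthenticated port with a silent host."""
        if self.authorized and self.assigned_vlan is not None:
            return self.assigned_vlan
        if self.in_guest_vlan:
            return self.guest_vlan
        return self.initial_vlan

    def identity_request_timed_out(self) -> None:
        """An EAP-Request/Identity was sent and no EAP-Response arrived in time."""
        if self.authorized:
            return
        self.identity_requests_unanswered += 1
        if (self.identity_requests_unanswered >= self.retry
                and self.guest_vlan is not None):
            self.in_guest_vlan = True      # e.g. a host that has no supplicant yet

    def identity_response_received(self) -> None:
        self.identity_requests_unanswered = 0

    def authentication_succeeded(self, assigned_vlan: Optional[int] = None) -> None:
        """EAP-Success: leave the guest VLAN; apply the server-assigned VLAN if any."""
        self.authorized = True
        self.in_guest_vlan = False
        self.assigned_vlan = assigned_vlan
        self.handshakes_unanswered = 0
        self.identity_requests_unanswered = 0

    def handshake_timed_out(self) -> None:
        """A handshake request went unanswered for one handshake period. After
        `retry` unanswered requests the device treats the user as offline."""
        if not self.authorized:
            return
        self.handshakes_unanswered += 1
        if self.handshakes_unanswered >= self.retry:
            self.user_went_offline()

    def handshake_answered(self) -> None:
        self.handshakes_unanswered = 0

    def user_went_offline(self) -> None:
        """Logoff or handshake failure: the port returns to its initial VLAN."""
        self.authorized = False
        self.assigned_vlan = None
        self.handshakes_unanswered = 0

    def seconds_to_declare_offline(self) -> int:
        """Worst-case time before a host that vanished silently is logged off,
        which is also how long its authorized VLAN stays reachable on the port."""
        return self.retry * self.handshake_period
```

The last method is the operational check worth doing: with the defaults modelled here a cable swap after a legitimate host goes away leaves the assigned VLAN open for `retry * handshake-period` seconds, so shortening the handshake period tightens that window at the cost of more EAP traffic.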
  • Page 563 Figure 2-13 Network diagram when the client passes authentication Configuration procedure The following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration in the Security Volume. Configurations on the 802.1X client and RADIUS server are omitted. # Configure RADIUS scheme 2000.
  • Page 564: Acl Assignment Configuration Example

    [Device] interface GigabitEthernet 1/0/2
    [Device-GigabitEthernet1/0/2] dot1x
    # Set the port access control method to portbased.
    [Device-GigabitEthernet1/0/2] dot1x port-method portbased
    # Set the port access control mode to auto.
    [Device-GigabitEthernet1/0/2] dot1x port-control auto
    [Device-GigabitEthernet1/0/2] quit
    # Create VLAN 10.
    [Device] vlan 10
    [Device-vlan10] quit
    # Specify port GigabitEthernet 1/0/2 to use VLAN 10 as its guest VLAN.
  • Page 565 Configuration procedure
    # Configure the IP addresses of the interfaces. (Omitted)
    # Configure the RADIUS scheme.
    <Device> system-view
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    The shared key abc is an example value only; the RADIUS shared key is what authenticates replies from the server and hides the User-Password attribute, so use a long random key in a real deployment.
    # Create an ISP domain and specify the AAA schemes.
  • Page 566: Ead Fast Deployment Configuration

    EAD Fast Deployment Configuration When configuring EAD fast deployment, go to these sections for information you are interested in: EAD Fast Deployment Overview Configuring EAD Fast Deployment Displaying and Maintaining EAD Fast Deployment EAD Fast Deployment Configuration Example Troubleshooting EAD Fast Deployment EAD Fast Deployment Overview Overview Endpoint Admission Defense (EAD) is an integrated endpoint access control solution.
  • Page 567: Configuring Ead Fast Deployment

    Configuring EAD Fast Deployment
    Currently, MAC authentication and port security cannot work together with EAD fast deployment. Once MAC authentication or port security is enabled globally, EAD fast deployment is disabled automatically.
    Configuration Prerequisites
    Enable 802.1X globally.
    Enable 802.1X on the specified port, and set the access control mode to auto.
    Configuration Procedure
    Configuring a freely accessible network segment
    A freely accessible network segment, also called a free IP, is a network segment that users can access...
  • Page 568: Displaying And Maintaining Ead Fast Deployment

    Configuring the IE redirect URL
    Follow these steps to configure the IE redirect URL:
    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Configure the IE redirect URL: dot1x url url-string (Required; no redirect URL is configured by default)
    The redirect URL and the freely accessible network segment must belong to the same network segment.
  • Page 569: Ead Fast Deployment Configuration Example

    EAD Fast Deployment Configuration Example
    Network requirements
    As shown in Figure 3-1, the host is connected to the device, and the device is connected to the freely accessible network segment and to the outside network. It is required that, before successful 802.1X authentication, a host that uses IE to access the outside network is redirected to the WEB server, from which it can download and install the 802.1X client software.
  • Page 570: Troubleshooting Ead Fast Deployment

    C:\>ping 192.168.2.3
    Pinging 192.168.2.3 with 32 bytes of data:
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Reply from 192.168.2.3: bytes=32 time<1ms TTL=128
    Ping statistics for 192.168.2.3:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Besides, if the user uses IE to access any external website, the user will be taken to the WEB server,...
  • Page 571: Introduction To Habp

    HABP Configuration When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP Configuring HABP Displaying and Maintaining HABP HABP Configuration Example Introduction to HABP The HW Authentication Bypass Protocol (HABP) is used to enable the downstream network devices of an 802.1X or MAC authentication enabled access device to bypass 802.1X authentication and MAC authentication.
  • Page 572: Configuring Habp

    Figure 4-1 Network diagram for HABP application (Internet; Switch A as the authenticator, with the authentication server; Switch B, Switch C, Switch D and Switch E attached downstream; supplicants connected to them)
    HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP server role is taken by the management device (such as Switch A in the above example), and the attached switches function as HABP clients, such as Switch B through Switch E in the example.
  • Page 573: Displaying And Maintaining Habp

    To do…: Use the command… (Remarks)
    Configure HABP to work in server mode: habp server vlan vlan-id (Required; HABP works in client mode by default)
    Set the interval to send HABP requests: habp timer interval (Optional; 20 seconds by default)
    Configuring an HABP Client
    Configure the HABP client function on each device that is attached to the administrative device and needs to be managed.
  • Page 574 Figure 4-2 Network diagram for HABP configuration
    Configuration procedure
    Configure Switch A
    # Enable HABP.
    <SwitchA> system-view
    [SwitchA] habp enable
    # Configure HABP to work in server mode, allowing HABP packets to be transmitted in VLAN 2.
    [SwitchA] habp server vlan 2
    # Set the interval to send HABP request packets to 50 seconds.
  • Page 575: Mac Authentication Configuration

    MAC Authentication Configuration When configuring MAC authentication, go to these sections for information you are interested in: MAC Authentication Overview Related Concepts Configuring MAC Authentication Displaying and Maintaining MAC Authentication MAC Authentication Configuration Examples MAC Authentication Overview MAC authentication provides a way for authenticating users based on ports and MAC addresses. Once detecting a new MAC address, the device initiates the authentication process.
  • Page 576: Related Concepts

    Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the device checks to see whether there is traffic from a user. Once detecting that there is no traffic from a user within this interval, the device logs the user out and sends to the RADIUS server a stop accounting request.
  • Page 577 For RADIUS authentication, ensure that a route is available between the device and the RADIUS server, and add the usernames and passwords on the server. When adding usernames and passwords on the device or server, ensure that: The type of username and password must be consistent with that used for MAC authentication. All the letters in the MAC address to be used as the username and password must be in lower case.
  • Page 578: Displaying And Maintaining Mac Authentication

    You can configure MAC authentication for ports first. However, the configuration takes effect only after you enable MAC authentication globally. Enabling MAC authentication on a port is mutually exclusive with adding the port to an aggregation group. For details about the default ISP domain, refer to AAA Configuration in the Security Volume. Displaying and Maintaining MAC Authentication To do…...
  • Page 579 [Device-luser-00-e0-fc-12-34-56] service-type lan-access
    [Device-luser-00-e0-fc-12-34-56] quit
    # Configure ISP domain aabbcc.net, and specify that the users in the domain use local authentication.
    [Device] domain aabbcc.net
    [Device-isp-aabbcc.net] authentication lan-access local
    [Device-isp-aabbcc.net] quit
    # Enable MAC authentication globally.
    [Device] mac-authentication
    # Enable MAC authentication for port GigabitEthernet 1/0/1.
    [Device] mac-authentication interface GigabitEthernet 1/0/1
    # Specify the ISP domain for MAC authentication.
  • Page 580: Radius-Based Mac Authentication Configuration Example

    RADIUS-Based MAC Authentication Configuration Example Network requirements As illustrated in Figure 5-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the RADIUS server. MAC authentication is required on every port to control user access to the Internet. Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
  • Page 581: Network Requirements

    [Device-isp-2000] accounting default radius-scheme 2000
    [Device-isp-2000] quit
    # Enable MAC authentication globally.
    [Device] mac-authentication
    # Enable MAC authentication for port GigabitEthernet 1/0/1.
    [Device] mac-authentication interface GigabitEthernet 1/0/1
    # Specify the ISP domain for MAC authentication.
    [Device] mac-authentication domain 2000
    # Set the MAC authentication timers.
    [Device] mac-authentication timer offline-detect 180
    [Device] mac-authentication timer quiet 180
    # Specify to use the username aaa and password 123456 for MAC authentication of all users.
    With a fixed account, every MAC address that appears on the port is authenticated with the same credentials, so the server cannot tell hosts apart; use the MAC-address username format when per-host control is required.
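The credential forms and timers used in the two MAC authentication examples (a local user named after the lower-case MAC address, the fixed account aaa/123456, the offline detect timer and the quiet timer), modelled in Python as an added example that is not part of the manual or of 3Com's code. The class and function names are illustrative; the default timer values in the constructor (300 s and 60 s) are assumptions, not taken from this page, and the examples on the page override them with 180 s.

```python
# Added example, not from the 3Com manual: MAC authentication credentials and
# timers modelled in Python. Names are illustrative. The username forms follow
# the page: the MAC address, in lower case, with or without hyphens, or one
# fixed account shared by all users.
import re
from typing import Callable, Dict, List, Tuple


def mac_username(raw: str, with_hyphen: bool = True) -> str:
    """Normalise 0001-0203-0405, 00:01:02:03:04:05 or 000102030405 to the
    lower-case form that must match the local-user or RADIUS account."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacAuthenticator:
    """Per-MAC state on one port: authenticated sessions, quiet entries after a
    failure, and offline detection when a session stops sending traffic."""

    def __init__(self, accounts: Dict[str, str],
                 credentials_for: Callable[[str], Tuple[str, str]],
                 offline_detect: int = 300, quiet: int = 60):
        self.accounts = accounts              # username -> password (local or RADIUS)
        self.credentials_for = credentials_for
        self.offline_detect = offline_detect  # mac-authentication timer offline-detect
        self.quiet = quiet                    # mac-authentication timer quiet
        self.sessions: Dict[str, float] = {}  # mac -> time of last traffic
        self.quiet_until: Dict[str, float] = {}
        self.auth_attempts = 0
        self.accounting_stops: List[str] = []

    def frame_from(self, mac: str, now: float) -> bool:
        """A frame arrives from `mac`. Returns True if it is forwarded."""
        mac = mac_username(mac)
        if mac in self.sessions:
            self.sessions[mac] = now          # traffic keeps the session alive
            return True
        if self.quiet_until.get(mac, 0) > now:
            return False                      # quiet timer: no new attempt yet
        self.auth_attempts += 1
        user, password = self.credentials_for(mac)
        if self.accounts.get(user) == password:
            self.sessions[mac] = now
            return True
        self.quiet_until[mac] = now + self.quiet
        return False

    def tick(self, now: float) -> None:
        """Run by the offline detect timer: log out silent users and record the
        stop-accounting request that would go to the RADIUS server."""
        for mac, last in list(self.sessions.items()):
            if now - last >= self.offline_detect:
                del self.sessions[mac]
                self.accounting_stops.append(mac)


# The two username policies used in the manual's examples.
def mac_as_credentials(mac: str) -> Tuple[str, str]:
    return mac, mac                # username and password are both the MAC address


def fixed_credentials(mac: str) -> Tuple[str, str]:
    return "aaa", "123456"         # one account for every MAC address
```

The quiet timer is what stops an unknown host from hammering the RADIUS server: a MAC that fails is not retried until the timer expires, which the test below checks by counting authentication attempts.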
  • Page 582 On port GigabitEthernet 1/0/1 of the switch, enable MAC authentication and configure ACL 3000. After the host passes MAC authentication, the RADIUS server assigns ACL 3000 to port GigabitEthernet 1/0/1 of the switch. As a result, the host can access the Internet but cannot access the FTP server, whose IP address is 10.0.0.1.
  • Page 583 [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
    [Sysname-acl-adv-3000] quit
    # Enable MAC authentication globally.
    [Sysname] mac-authentication
    # Specify the ISP domain for MAC authentication users.
    [Sysname] mac-authentication domain 2000
    # Specify the MAC authentication username type as MAC address, that is, use the MAC address of a user as both the username and the password for MAC authentication of that user.
  • Page 584: Port Security Configuration

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Introduction to Port Security Port Security Configuration Task List Displaying and Maintaining Port Security Port Security Configuration Examples Troubleshooting Port Security Introduction to Port Security Port Security Overview Port security is a MAC address-based security mechanism for network access controlling.
  • Page 585: Port Security Features

    Port Security Features The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic. Intrusion protection The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames.
  • Page 586 Security mode / Description / Features
    userLoginSecure: In this mode, a port performs 802.1X authentication of users in portbased mode and services only one user passing 802.1X authentication.
    (Next mode; name not shown on this page): Similar to the userLoginSecure mode, a port in this mode performs 802.1X authentication of users and services only one user passing 802.1X authentication.
  • Page 587: Port Security Configuration Task List

    Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. The maximum number of users a port supports is the lesser of the maximum number of secure MAC addresses or the maximum number of authenticated users the security mode supports.
  • Page 588: Enabling Port Security

    Enabling Port Security
    Configuration Prerequisites
    Before enabling port security, you need to disable 802.1X and MAC authentication globally.
    Configuration Procedure
    Follow these steps to enable port security:
    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Enable port security: port-security enable (Required; disabled by default)
    Note that:...
  • Page 589: Setting The Port Security Mode

    Follow these steps to set the maximum number of secure MAC addresses allowed on a port:
    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Set the maximum number of secure MAC addresses...: port-security max-mac-count ... (Required)...
  • Page 590: Configuring Port Security Features

    Configuration Procedure
    Follow these steps to enable any other port security mode:
    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Set an OUI value for user authentication: port-security oui oui-value index index-value (Optional; not configured by default. The command is required for the userlogin-withoui mode.)
  • Page 591: Configuring Intrusion Protection

    ntk-withmulticasts: Forwards only frames destined for authenticated MAC addresses, multicast addresses, or the broadcast address.
    By default, NTK is disabled on a port and the port forwards all frames. With NTK configured, a port discards any unicast frame whose destination MAC address has not been authenticated (that is, is not a secure MAC address of the port), no matter in which security mode the port operates.
    Follow these steps to configure the NTK feature:
    To do…...
  • Page 592: Configuring Secure Mac Addresses

    On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
    Configuring Trapping
    The trapping feature enables a device to send trap information in response to four types of events:
    addresslearned: A port learns a new address.
  • Page 593: Displaying And Maintaining Port Security

    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Configure a secure MAC address, in system view: port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id (Required; use either approach. No secure MAC address is configured by default.)
    Configure a secure MAC address, in interface view: interface interface-type interface-number ...
  • Page 594: Port Security Configuration Examples

    To do…: Use the command… (Remarks)
    Display information about blocked MAC addresses: display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] (Available in any view)
    Port Security Configuration Examples
    Configuring the autoLearn Mode
    Network requirements
    Restrict port GigabitEthernet 1/0/1 of the switch as follows:
    Allow up to 64 users to access the port without authentication and permit the port to learn and add...
  • Page 595 Equipment port-security is enabled
    Intrusion trap is enabled
    Disableport Timeout: 30s
    OUI value:
    GigabitEthernet1/0/1 is link-up
      Port mode is autoLearn
      NeedToKnow mode is disabled
      Intrusion Protection mode is DisablePortTemporarily
      Max MAC address number is 64
      Stored MAC address number is 0
      Authorization is permitted
    As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the intrusion protection trap is enabled, and the intrusion protection...
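The forwarding decisions behind the autoLearn example above, together with the NTK modes and intrusion protection actions described in the preceding sections, as an added example that is not part of the manual or of 3Com's code: one class models a port that learns up to `max-mac-count` addresses, stops learning when the table is full, applies the configured intrusion action to any further source MAC address, and filters outbound frames by NTK mode. Class and method names are illustrative. The disableport timeout of 30 s is the value shown in the display output; the blockmac duration is not stated on this page, so the 180 s default used here is an assumption.

```python
# Added example, not from the 3Com manual: the forwarding decisions behind
# autoLearn, intrusion protection and need-to-know (NTK) on one port. Names are
# illustrative. The blockmac duration is a parameter; the page does not state
# its default, so 180 s is assumed here.
from typing import Dict, Optional, Set

BROADCAST = "ffffffffffff"


def is_multicast(mac: str) -> bool:
    """I/G bit of the first octet; the broadcast address is a multicast address too."""
    return int(mac[:2], 16) & 1 == 1


class SecurePort:
    def __init__(self, max_mac_count: int = 64, ntk_mode: Optional[str] = None,
                 intrusion: str = "disableport-temporarily",
                 disable_timeout: int = 30, blockmac_timeout: int = 180):
        self.max_mac_count = max_mac_count      # port-security max-mac-count
        self.ntk_mode = ntk_mode                # ntkonly | ntk-withbroadcasts | ntk-withmulticasts | None
        self.intrusion = intrusion              # blockmac | disableport | disableport-temporarily
        self.disable_timeout = disable_timeout  # "Disableport Timeout" in the display output
        self.blockmac_timeout = blockmac_timeout  # assumed value, see lead-in
        self.secure: Set[str] = set()           # learned / authenticated MAC addresses
        self.blocked: Dict[str, float] = {}     # mac -> time the block expires
        self.disabled_until: Optional[float] = None  # None = up; inf = shut down
        self.learning = True                    # autoLearn until the table is full

    def _port_down(self, now: float) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def ingress(self, src: str, now: float) -> bool:
        """Inbound frame: learn it, accept it, or treat it as an intrusion."""
        src = src.lower()
        if self._port_down(now):
            return False
        if src in self.secure:
            return True
        if self.blocked.get(src, 0) > now:
            return False
        if self.learning and len(self.secure) < self.max_mac_count:
            self.secure.add(src)
            if len(self.secure) == self.max_mac_count:
                self.learning = False           # autoLearn turns into secure mode
            return True
        self._intrusion(src, now)
        return False

    def _intrusion(self, src: str, now: float) -> None:
        if self.intrusion == "blockmac":
            self.blocked[src] = now + self.blockmac_timeout   # only this MAC suffers
        elif self.intrusion == "disableport":
            self.disabled_until = float("inf")  # stays down until an operator re-enables it
        elif self.intrusion == "disableport-temporarily":
            self.disabled_until = now + self.disable_timeout

    def egress(self, dst: str, now: float) -> bool:
        """Outbound frame: NTK limits which destinations may receive traffic."""
        dst = dst.lower()
        if self._port_down(now):
            return False
        if self.ntk_mode is None or dst in self.secure:
            return True
        if self.ntk_mode == "ntk-withbroadcasts":
            return dst == BROADCAST
        if self.ntk_mode == "ntk-withmulticasts":
            return is_multicast(dst)
        return False                            # ntkonly: unknown unicast is dropped
```

The difference between the actions is a denial-of-service question: `disableport` and `disableport-temporarily` punish every host on the port, including the 64 legitimate ones, whenever a single unknown MAC address appears, whereas `blockmac` affects only the offending address.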
  • Page 596: Configuring The Userloginwithoui Mode

    GigabitEthernet1/0/1 current state: Port Security Disabled
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
    The port should be re-enabled 30 seconds later.
    [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1
    GigabitEthernet1/0/1 current state: UP
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
    Description: GigabitEthernet1/0/1 Interface
    ...
  • Page 597 Configuration procedure The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. Configurations on the host and RADIUS servers are omitted. Configure the RADIUS protocol # Configure a RADIUS scheme named radsun. <Switch>...
  • Page 598 [Switch] interface gigabitethernet 1/0/1
    # Set the port security mode to userLoginWithOUI.
    [Switch-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
    Verify the configuration
    After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
    <Switch>...
  • Page 599 Index is 5, OUI value is 123405
    GigabitEthernet1/0/1 is link-up
      Port mode is userLoginWithOUI
      NeedToKnow mode is disabled
      Intrusion Protection mode is NoAction
      Max MAC address number is not configured
      Stored MAC address number is 0
      Authorization is permitted
    After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X users:
    <Switch>...
  • Page 600: Configuring The Macaddresselseuserloginsecure Mode

    Controlled User(s) amount to 1
    In addition, the port allows one additional user whose MAC address has an OUI among the specified OUIs to access the port. You can use the following command to view the related information:
    <Switch> display mac-address interface gigabitethernet 1/0/1
    MAC ADDR          VLAN ID   STATE...
  • Page 601 [Switch] dot1x authentication-method chap
    # Set the maximum number of secure MAC addresses allowed on the port to 64.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 64
    # Set the port security mode to macAddressElseUserLoginSecure.
    [Switch-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
    # Set the NTK mode of the port to ntkonly.
    [Switch-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
    Verify the configuration
    After completing the above configurations, you can use the following command to view the port...
  • Page 602: Troubleshooting Port Security

    The maximal retransmitting times
    EAD quick deploy configuration:
      EAD timeout:
    Total maximum 802.1X user resource number is 1024 per slot
    Total current used 802.1X resource number is 1
    GigabitEthernet1/0/1 is link-up
      802.1X protocol is enabled
      Handshake is enabled
      The port is an authenticator
      Authentication Mode is Auto
      Port Control Type is Mac-based
      802.1X Multicast-trigger is enabled...
  • Page 603: Cannot Change Port Security Mode When A User Is Online

    Solution
    Set the port security mode to noRestrictions first.
    [Switch-GigabitEthernet1/0/1] undo port-security port-mode
    [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn
    Cannot Configure Secure MAC Addresses
    Symptom
    Cannot configure secure MAC addresses.
    [Switch-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
    Error:Can not operate security MAC address for current port mode is not autoLearn!
    Analysis
    No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
  • Page 604: Ip Source Guard Configuration

    IP Source Guard Configuration When configuring IP Source Guard, go to these sections for information you are interested in: IP Source Guard Overview Configuring a Static Binding Entry Configuring Dynamic Binding Function Displaying and Maintaining IP Source Guard IP Source Guard Configuration Examples Troubleshooting IP Source Guard IP Source Guard Overview By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through,...
  • Page 605: Configuring Dynamic Binding Function

    To do…: Use the command… (Remarks)
    Configure a static binding entry: user-bind { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ] (Required; no static binding entry exists by default)
    The system does not support binding the same binding entry to one port more than once. For products supporting multi-port binding, a binding entry can be configured on multiple ports;...
  • Page 606: Ip Source Guard Configuration Examples

    Displaying and Maintaining IP Source Guard
    To do…: Use the command… (Remarks)
    Display information about static binding entries: display user-bind [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] (Available in any view)
    Display information about ...: display ip check source [ interface interface-type interface-number | ... (Available in any view)...
  • Page 607: Dynamic Binding Function Configuration Example

    [SwitchA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405
    [SwitchA-GigabitEthernet1/0/2] quit
    # Configure port GigabitEthernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass.
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406
    Configure Switch B
    # Configure the IP addresses of various interfaces (omitted).
  • Page 608 For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume. Network diagram Figure 7-2 Network diagram for configuring dynamic binding function Configuration procedure Configure Switch A # Configure dynamic binding function on port GigabitEthernet 1/0/1. <SwitchA>...
  • Page 609: Troubleshooting Ip Source Guard

    [SwitchA-GigabitEthernet1/0/1] display dhcp-snooping
    DHCP Snooping is enabled.
    The client binding table for all untrusted ports.
    Type : D--Dynamic , S--Static
    Type  IP Address       MAC Address     Lease         VLAN  Interface
    ====  ===============  ==============  ============  ====  =================
          192.168.0.1      0001-0203-0406  86335               GigabitEthernet1/0/1
    As you see, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with the dynamic binding function.
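The binding table and per-port filter that the static and dynamic examples above rely on, as an added example that is not part of the manual or of 3Com's code: static entries come from user-bind (IP only, MAC only, or both, optionally with a VLAN), dynamic entries come from DHCP snooping and live for the lease shown in the display output, and an IP packet passes a guarded port only if it matches an entry on that port. Class and method names are illustrative; the rule that a port with no IP source guard configuration forwards everything is how the feature is described on the overview page and is applied here as stated.

```python
# Added example, not from the 3Com manual: an IP source guard binding table with
# static entries (user-bind) and dynamic entries learned from DHCP snooping, and
# the per-port filter applied to inbound IP packets. Names are illustrative.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Binding:
    port: str
    ip: Optional[str] = None          # None = any IP (mac-address-only binding)
    mac: Optional[str] = None         # None = any MAC (ip-address-only binding)
    vlan: Optional[int] = None
    expires: Optional[float] = None   # lease end for dynamic entries; None = static

    def matches(self, ip: str, mac: str, vlan: int, now: float) -> bool:
        if self.expires is not None and now >= self.expires:
            return False              # lease ran out: the entry no longer permits traffic
        return ((self.ip is None or self.ip == ip)
                and (self.mac is None or self.mac == mac.lower())
                and (self.vlan is None or self.vlan == vlan))


class IpSourceGuard:
    def __init__(self) -> None:
        self.table: Dict[str, List[Binding]] = {}   # port -> bindings
        self.dynamic_ports: Set[str] = set()        # ports with the dynamic binding function

    def user_bind(self, port: str, ip: Optional[str] = None,
                  mac: Optional[str] = None, vlan: Optional[int] = None) -> None:
        """Static binding, the `user-bind ...` command in interface view."""
        self.table.setdefault(port, []).append(
            Binding(port, ip, mac.lower() if mac else None, vlan))

    def enable_dynamic(self, port: str) -> None:
        self.dynamic_ports.add(port)

    def dhcp_snooping_entry(self, port: str, ip: str, mac: str,
                            vlan: int, lease: int, now: float) -> None:
        """DHCP snooping saw a lease granted on this port: add a dynamic entry
        that is valid for the lease time."""
        if port in self.dynamic_ports:
            self.table.setdefault(port, []).append(
                Binding(port, ip, mac.lower(), vlan, now + lease))

    def permit(self, port: str, src_ip: str, src_mac: str, vlan: int, now: float) -> bool:
        """Only packets matching a binding on the port pass; other IP packets are
        dropped. A port with no IP source guard configuration forwards everything."""
        if port not in self.table and port not in self.dynamic_ports:
            return True
        return any(b.matches(src_ip, src_mac, vlan, now)
                   for b in self.table.get(port, []))
```

Two checks worth running against the model: an IP-only binding lets any MAC address use that IP, so it stops IP spoofing but not a replaced host, and a port with the dynamic function enabled but no snooped lease yet drops all IP traffic until the host completes DHCP.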
  • Page 610: Ssh2.0 Configuration

    SSH2.0 Configuration When configuring SSH2.0, go to these sections for information you are interested in: SSH2.0 Overview Configuring the Device as an SSH Server Configuring the Device as an SSH Client Displaying and Maintaining SSH SSH Server Configuration Examples SSH Client Configuration Examples SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to securely logging into a remote device.
  • Page 611 Stages / Description
    Session request: After passing authentication, the client sends a session request to the server.
    Interaction: After the server grants the request, the client and server start to communicate with each other.
    Version negotiation
    The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server.
  • Page 612 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
  • Page 613: Configuring The Device As An Ssh Server

    Session request After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client.
  • Page 614: Enabling Ssh Server

    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Generate the local DSA or RSA key pair: public-key local create { dsa | rsa } (Required; by default, there is neither a DSA key pair nor an RSA key pair)
    For details about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 615: Configuring A Client Public Key

    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Enter user interface view of one or more user interfaces: user-interface vty number [ ending-number ]
    Set the login authentication mode to scheme: authentication-mode scheme [ command-authorization ] (Required; by default, the authentication mode is password)
  • Page 616: Configuring An Ssh User

    It is recommended that you configure a client public key by importing it from a public key file. You can configure at most 20 client public keys on an SSH server.
    Configuring a client public key manually
    Follow these steps to configure the client public key manually:
    To do…...
  • Page 617: Setting The Ssh Management Parameters

    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Create an SSH user, and specify the service type and authentication type, for Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } (Required; use either ...)
    Create an SSH user, for SFTP or all services: ssh user username service-type { all | sftp } ...
  • Page 618: Configuring The Device As An Ssh Client

    Enabling the SSH server to be compatible with SSH1 clients
    Setting the server key pair update interval, applicable to users using SSH1 clients
    Setting the SSH user authentication timeout period
    Setting the maximum number of SSH authentication attempts
    Setting the above parameters helps prevent malicious guessing and cracking of keys and usernames, securing your SSH connections. SSH1 has known protocol weaknesses, so enable SSH1 compatibility only while clients that need it remain in use.
  • Page 619: Configuring Whether First-Time Authentication Is Supported

    To do…: Use the command… (Remarks)
    Enter system view: system-view
    Specify a source IPv4 address or interface for the SSH client: ssh client source { ip ip-address | interface interface-type interface-number } (Required; by default, the source IP address of the SSH client is the address or interface decided...)
  • Page 620: Displaying And Maintaining Ssh

    To do…: Use the command… (Remarks)
    Configure the server public key on the client: refer to Configuring a Client Public Key (Required; the method of configuring the server public key on the client is similar to that of configuring a client public key on the server)
    Specify the host public key ...: ssh client authentication ... (Required)...
  • Page 621: Ssh Server Configuration Examples

    To do…: Use the command… (Remarks)
    Display the public keys of the local key pairs: display public-key local { dsa | rsa } public (Available in any view)
    Display the public keys of the SSH peers: display public-key peer [ brief | name publickey-name ] (Available in any view)
    For information about the display public-key local and display public-key peer commands, refer to...
  • Page 622 [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001
    [Switch-luser-client001] password simple aabbcc
    [Switch-luser-client001] service-type ssh
    [Switch-luser-client001] authorization-attribute level 3
    [Switch-luser-client001] quit
    The password aabbcc is an example value; password simple keeps the password in clear text in the configuration file, which anyone able to display or back up the configuration can read.
    # Specify the service type for user client001 as Stelnet, and the authentication mode as password. This step is optional.
  • Page 623: When Switch Acts As Server For Publickey Authentication

    Figure 8-2 SSH client configuration interface In the window shown in Figure 8-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. When Switch Acts as Server for Publickey Authentication Network requirements As shown in...
  • Page 624 [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure an IP address for VLAN interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
  • Page 625 Figure 8-4 Generate a client key pair 1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 8-5. Otherwise, the progress bar stops moving and the key pair generation process stops.
  • Page 626 Figure 8-5 Generate a client key pair 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 8-6 Generate a client key pair 3)
  • Page 627 Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case). A private key saved without a passphrase can be used by anyone who obtains the file to log in as that user, so protect the file accordingly. Figure 8-7 Generate a client key pair 4) After generating a key pair on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of...
  • Page 628: Ssh Client Configuration Examples

    Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK. Figure 8-9 SSH client configuration interface 2) In the window shown in Figure 8-9, click Open.
  • Page 629 # Create RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Create an IP address for VLAN interface 1, which the SSH client will use as the destination for the SSH connection.
  • Page 630 After you enter the correct username, you can log into Switch B successfully. If the client does not support first-time authentication, you need to perform the following configurations. # Disable first-time authentication. [SwitchA] undo ssh client first-time # Configure the host public key of the SSH server. You can get the server host public key by using the display public-key local dsa public command on the server.
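What the first-time authentication setting decides, and what the authentication timeout and maximum attempts from the SSH management parameters section limit, as an added example that is not part of the manual or of 3Com's code: with first-time authentication enabled the client trusts and saves an unknown server's host key, with it disabled the key must already be configured (the display public-key local dsa public / ssh client authentication server step above), and a saved key that no longer matches is always refused. Class and method names are illustrative; the constructed key blobs stand in for real DSA or RSA public keys, and the default limits of 3 attempts and 60 s are assumptions, not values taken from this page.

```python
# Added example, not from the 3Com manual: what an SSH client's first-time
# authentication setting decides when a server presents its host key, plus the
# server-side limits the manual calls authentication timeout and maximum
# authentication attempts. Names are illustrative; the default values
# (3 attempts, 60 s) are assumed, not taken from the page.
import base64
import hashlib
import hmac
from typing import Dict, Optional


def fingerprint(host_key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob, for comparing
    what the client shows with what `display public-key local` prints."""
    digest = hashlib.sha256(host_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class SshClientHostKeys:
    """first_time=True: an unknown server is trusted on first contact and its key
    is saved (trust on first use). first_time=False: the server's key must already
    be configured on the client, otherwise the connection is refused."""

    def __init__(self, first_time: bool = True,
                 configured: Optional[Dict[str, bytes]] = None):
        self.first_time = first_time
        self.known: Dict[str, bytes] = dict(configured or {})

    def check(self, server: str, offered: bytes) -> str:
        saved = self.known.get(server)
        if saved is None:
            if self.first_time:
                self.known[server] = offered        # trust on first use
                return "accepted-first-time"
            return "rejected-unknown-host"
        if hmac.compare_digest(saved, offered):
            return "accepted"
        return "rejected-key-mismatch"              # re-keyed server or man-in-the-middle


class SshServerAuthGate:
    """Per-connection authentication limits on the server side."""

    def __init__(self, max_attempts: int = 3, timeout: int = 60):
        self.max_attempts = max_attempts   # maximum number of SSH authentication attempts
        self.timeout = timeout             # SSH user authentication timeout period (s)

    def session(self, started_at: float) -> dict:
        return {"started": started_at, "failures": 0, "open": True}

    def attempt(self, sess: dict, ok: bool, now: float) -> str:
        if not sess["open"]:
            return "closed"
        if now - sess["started"] > self.timeout:
            sess["open"] = False
            return "timeout"               # slow or stalled client is cut off
        if ok:
            sess["open"] = False
            return "authenticated"
        sess["failures"] += 1
        if sess["failures"] >= self.max_attempts:
            sess["open"] = False
            return "too-many-attempts"     # online password guessing is bounded
        return "retry"
```

The first-time path is convenient on a lab bench but it means the very first connection is unauthenticated; for a switch that is managed over an untrusted network, configure the server's host key on the client and disable first-time authentication, as the text above does when the client does not support it.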
  • Page 631: When Switch Acts As Client For Publickey Authentication

    When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 8-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. Publickey authentication is used, and the public key algorithm is DSA. Figure 8-11 Switch acts as client for publickey authentication Configuration procedure Configure the SSH server...
  • Page 632 # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001 Configure the SSH client # Configure an IP address for Vlan interface 1. <SwitchA>...
  • Page 633: Sftp Configuration

    SFTP Configuration When configuring SFTP, go to these sections for information you are interested in: SFTP Overview Configuring an SFTP Server Configuring an SFTP Client SFTP Client Configuration Example SFTP Server Configuration Example SFTP Overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 634: Configuring An Sftp Client

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server. Configuring the SFTP Connection Idle Timeout Period Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that an idle user cannot hold the connection indefinitely.
  • Page 635: Working With The Sftp Directories

    To do… Use the command… Remarks: Establish a connection to the remote IPv4 SFTP server and... using sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | ...
  • Page 636: Working With Sftp Files

    To do… Use the command… Remarks: Create a new directory on the remote SFTP server: mkdir remote-path (Optional). Delete a directory from the SFTP server: rmdir remote-path&<1-10> (Optional). Working with SFTP Files SFTP file operations include: Changing the name of a file Downloading a file Uploading a file Displaying a list of the files...
  • Page 637: Terminating The Connection To The Remote Sftp Server

    Follow these steps to display a list of all commands or the help information of an SFTP client command: To do… Use the command… Remarks: sftp [ ipv6 ] server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 |... (Required)
  • Page 638 Configuration procedure Configure the SFTP server (Switch B) # Generate RSA and DSA key pairs and enable the SSH server. <SwitchB> system-view [SwitchB] public-key local create rsa [SwitchB] public-key local create dsa [SwitchB] ssh server enable # Enable the SFTP server. [SwitchB] sftp server enable # Configure an IP address for VLAN interface 1, which the SSH client uses as the destination for SSH connection.
  • Page 639 # Export the host public key to file pubkey. [SwitchA] public-key local export rsa ssh2 pubkey [SwitchA] quit After generating key pairs on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client.
  • Page 640 sftp-client> mkdir new1 New directory created sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup...
  • Page 641: Sftp Server Configuration Example

    SFTP Server Configuration Example Network requirements As shown in Figure 9-2, an SSH connection is established between the host and the switch. The host, an SFTP client, logs into the switch for file management and file transfer. An SSH user uses password authentication with the username being client002 and the password being aabbcc.
  • Page 642 There are many kinds of SSH client software. The following takes the PSFTP of Putty Version 0.58 as an example. The PSFTP supports only password authentication. # Establish a connection with the remote SFTP server. Run the psftp.exe to launch the client interface as shown in Figure 9-3, and enter the following command:...
  • Page 643: Pki Configuration

    PKI Configuration When configuring PKI, go to these sections for information you are interested in: Introduction to PKI PKI Configuration Task List Displaying and Maintaining PKI PKI Configuration Examples Troubleshooting PKI Introduction to PKI This section covers these topics: PKI Overview PKI Terms Architecture of PKI Applications of PKI...
  • Page 644: Architecture Of Pki

    top level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate signed by the CA at the next higher level. An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business.
  • Page 645 A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 646: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 647 The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 648: Configuring A Pki Domain

    Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. A PKI domain is defined by these parameters: Trusted CA An entity requests a certificate from a trusted CA.
  • Page 649: Submitting A Pki Certificate Request

    To do… Use the command… Remarks: Specify the entity for certificate request: certificate request entity entity-name (Required; no entity is specified by default; the specified entity must exist). Specify the authority for certificate request: certificate request from { ca | ra } (Required; no authority is specified by default).
  • Page 650: Submitting A Certificate Request In Auto Mode

    Submitting a Certificate Request in Auto Mode In auto mode, an entity automatically requests a certificate through the SCEP protocol when it has no local certificate or the present certificate is about to expire. Follow these steps to configure an entity to submit a certificate request in auto mode: To do…...
  • Page 651: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 652: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 653: Destroying A Local Rsa Key Pair

    To do… Use the command… Remarks: Enter system view: system-view. Enter PKI domain view: pki domain domain-name. Disable CRL checking: crl check disable (Required; enabled by default). Return to system view: quit. Retrieve the CA certificate (Required): refer to Retrieving a Certificate Manually...
  • Page 654: Configuring An Access Control Policy

    To do… Use the command… Remarks: Enter system view: system-view. Delete certificates: pki delete-certificate { ca | local } domain domain-name (Required). Configuring an Access Control Policy By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 655: Pki Configuration Examples

    To do… Use the command… Remarks: Display information about one or all certificate attribute-based access control policies: display pki certificate access-control-policy { policy-name | all } (Available in any view). PKI Configuration Examples The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA.
  • Page 656 Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left using the default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server.
  • Page 657 Generating Keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ Apply for certificates # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while..The trusted CA's finger print is: MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Saving CA/RA certificates chain, please wait a moment..
  • Page 658: Requesting A Certificate From A Ca Running Windows 2003 Server

    Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61 D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094 73EB0549 A65D9E74 0F2953F2 D4F0042F...
  • Page 659 Figure 10-3 Request a certificate from a CA running Windows 2003 server Configuration procedure Configure the CA server Install the certificate server suites From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation. Install the SCEP plug-in As a CA server running the Windows 2003 server does not support SCEP by default, you need to install the SCEP plug-in so that the switch can register and obtain its certificate automatically.
  • Page 660 # Configure the URL of the registration server in the format of http://host:port/ certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server. [Switch-pki-domain-torsa] certificate request http://4.4.4.1:8080/certsrv/mscep/mscep.dll # Set the registration authority to RA. [Switch-pki-domain-torsa] certificate request from ra # Specify the entity for certificate request as aaa.
  • Page 661 Data: Version: 3 (0x2) Serial Number: 48FA0FD9 00000000 000C Signature Algorithm: sha1WithRSAEncryption Issuer: CN=CA server Validity Not Before: Nov 21 12:32:16 2007 GMT Not After : Nov 21 12:42:16 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00A6637A 8CDEA1AC B2E04A59 F7F6A9FE...
  • Page 662: Configuring A Certificate Attribute-Based Access Control Policy

    Configuring a Certificate Attribute-Based Access Control Policy Network requirements The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol. SSL is configured to ensure that only legitimate clients log into the HTTPS server. Create a certificate attribute-based access control policy to control access to the HTTPS server. Figure 10-4 Configure a certificate attribute-based access control policy Configuration procedure For detailed information about SSL configuration, refer to SSL Configuration in the Security...
  • Page 663: Troubleshooting Pki

    # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc. [Switch] pki certificate attribute-group mygroup2 [Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple [Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc...
  • Page 664: Failed To Request A Local Certificate

    Failed to Request a Local Certificate Symptom Failed to request a local certificate. Analysis Possible reasons include these: The network connection is not proper. For example, the network cable may be damaged or loose. No CA certificate has been retrieved. The current key pair has been bound to a certificate.
  • Page 665: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 666: Ssl Configuration Task List

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 11-2, the SSL protocol consists of two layers of protocols: the SSL record protocol...
  • Page 667: Configuring An Ssl Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
  • Page 668: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
  • Page 669: Configuring An Ssl Client Policy

    [Device] pki domain 1 [Device-pki-domain-1] ca identifier ca1 [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit # Create the local RSA key pairs. [Device] public-key local create rsa # Retrieve the CA certificate. [Device] pki retrieval-certificate ca domain 1 # Request a local certificate.
  • Page 670: Displaying And Maintaining Ssl

    Configuration Prerequisites If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to PKI Configuration in the Security Volume.
  • Page 671 Analysis SSL handshake failure may result from the following causes: No SSL server certificate exists, or the certificate is not trusted. The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted. The cipher suites used by the server and the client do not match.
  • Page 672: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Asymmetric Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Asymmetric Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 673: Configuring The Local Asymmetric Key Pair

    Asymmetric Key Algorithm Applications Asymmetric key algorithms can be used for encryption/decryption and digital signature: Encryption/decryption: The information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Digital signature: The information encrypted with a sender's private key can be decrypted by anyone who has access to the sender's public key, thereby proving that the information is from the sender and has not been tampered with.
  • Page 674: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    Configuration of the public-key local create command can survive a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits.
  • Page 675: Displaying And Maintaining Public Keys

    Import it from the public key file: The system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through FTP or TFTP. If you choose to input the public key, the public key must be in a correct format.
  • Page 676: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 677: Importing The Public Key Of A Peer From A Public Key File

    ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001 Configure Device B # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A.
  • Page 678 The host public key of Device A is imported from the public key file to Device B. Figure 12-3 Network diagram for importing the public key of a peer from a public key file Configurtion procedure Create key pairs on Device A and export the host public key # Create RSA key pairs on Device A.
  • Page 679 [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit Enable the FTP server function on Device B # Enable the FTP server function, create an FTP user with the username ftp and password 123. <DeviceB> system-view [DeviceB] ftp server enable [DeviceB] local-user ftp [DeviceB-luser-ftp] password simple 123 [DeviceB-luser-ftp] service-type ftp...
  • Page 680: Acl Overview

    ACL Overview In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for information you are interested in: ACL Overview IPv4 ACL Configuration IPv6 ACL Configuration ACL Application for Packet Filtering Unless otherwise stated, ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document.
  • Page 681: Introduction To Ipv4 Acl

    Software-based application: An ACL is referenced by a piece of upper layer software. For example, an ACL can be referenced to configure login user control behavior, thus controlling Telnet, SNMP and Web users. Note that when an ACL is referenced by the upper layer software, actions to be taken on packets matching the ACL depend on those defined by the ACL rules.
  • Page 682: Ipv4 Acl Match Order

    The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name. IPv4 ACL Match Order An ACL may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts.
  • Page 683: Ipv4 Acl Step

    Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask. If two rules are present with the same number of ones in their source MAC address masks, look at the destination MAC address masks.
  • Page 684: Introduction To Ipv6 Acl

    Introduction to IPv6 ACL This section covers these topics: IPv6 ACL Classification IPv6 ACL Naming IPv6 ACL Match Order IPv6 ACL Step Effective Period of an IPv6 ACL IPv6 ACL Classification IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 13-2.
  • Page 685: Ipv6 Acl Step

    Sort rules by source IPv6 address prefix first and compare packets against the rule configured with a longer prefix for the source IPv6 address. In case of a tie, compare packets against the rule configured first. Depth-first match for an advanced IPv6 ACL The following shows how your device performs depth-first match in an advanced IPv6 ACL: Look at the protocol type field in the rules first.
  • Page 686: Ipv4 Acl Configuration

    IPv4 ACL Configuration When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv4 ACL Configuring an Advanced IPv4 ACL Configuring an Ethernet Frame Header ACL Copying an IPv4 ACL Displaying and Maintaining IPv4 ACLs IPv4 ACL Configuration Example Creating a Time Range...
  • Page 687: Configuring A Basic Ipv4 Acl

    recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
  • Page 688 Configuration Procedure Follow these steps to configure a basic IPv4 ACL: To do… Use the command… Remarks Enter system view –– system-view Required The default match order is config. acl number acl-number Create a basic IPv4 ACL [ name acl-name ] If you specify a name for an IPv4 ACL and enter its view [ match-order { auto |...
  • Page 689: Configuring An Advanced Ipv4 Acl

    <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # Verify the configuration. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, named -none-, 1 rule, ACL's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) Configuring an Advanced IPv4 ACL Advanced IPv4 ACLs match packets based on source IP address, destination IP address, protocol carried over IP, and other protocol header fields, such as the TCP/UDP source port number, TCP/UDP...
  • Page 690 To do… Use the command… Remarks rule [ rule-id ] { deny | permit } protocol [ { established | { ack ack-value | fin fin-value | psh Required psh-value | rst rst-value | syn To create or modify multiple rules, syn-value | urg urg-value } * } | repeat this step.
  • Page 691: Configuring An Ethernet Frame Header Acl

    <Sysname> system-view [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # Verify the configuration. [Sysname-acl-adv-3000] display acl 3000 Advanced ACL 3000, named -none-, 1 rule, ACL's step is 5 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www (5 times matched) Configuring an Ethernet Frame Header ACL Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source...
  • Page 692: Copying An Ipv4 Acl

    Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 693: Displaying And Maintaining Ipv4 Acls

    To do… Use the command… Remarks: Copy an existing IPv4 ACL to generate a new one of the same type: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name } (Required). The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL.
  • Page 694 Figure 14-1 Network diagram for IPv4 ACL configuration (President's office 192.168.1.0/24, R&D department 192.168.2.0/24, Marketing department 192.168.3.0/24, salary query server 192.168.4.1; switch ports GE1/0/1 through GE1/0/4) Configuration Procedure Create a time range for office hours # Create a periodic time range spanning 8:00 to 18:00 in working days. <Switch>...
  • Page 695 [Switch-classifier-c_market] if-match acl 3001 [Switch-classifier-c_market] quit # Configure traffic behavior b_market to deny matching packets. [Switch] traffic behavior b_market [Switch-behavior-b_market] filter deny [Switch-behavior-b_market] quit # Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd. [Switch] qos policy p_rd [Switch-qospolicy-p_rd] classifier c_rd behavior b_rd [Switch-qospolicy-p_rd] quit # Configure QoS policy p_market to use traffic behavior b_market for class c_market.
  • Page 696: Ipv6 Acl Configuration

    IPv6 ACL Configuration When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range Configuring a Basic IPv6 ACL Configuring an Advanced IPv6 ACL Copying an IPv6 ACL Displaying and Maintaining IPv6 ACLs IPv6 ACL Configuration Example Creating a Time Range Refer to...
  • Page 697: Configuring An Advanced Ipv6 Acl

    To do… Use the command… Remarks: Configure a description for the basic IPv6 ACL: description text (Optional; by default, a basic IPv6 ACL has no ACL description). Configure a rule description: rule rule-id comment text (Optional; by default, an IPv6 ACL rule has no rule description).
  • Page 698 Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering. Configuration Prerequisites If you want to reference a time range in a rule, define it with the time-range command first. Configuration Procedure Follow these steps to configure an advanced IPv6 ACL: To do…...
  • Page 699: Copying An Ipv6 Acl

    When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-order { auto | config } command, but only when the ACL does not contain any rules.
  • Page 700: Displaying And Maintaining Ipv6 Acls

    The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL. Displaying and Maintaining IPv6 ACLs To do… Use the command… Remarks: Display information about one or all IPv6 ACLs: display acl ipv6 { acl6-number | all | ... (Available in any view)...
  • Page 701 [Switch] traffic classifier c_rd [Switch-classifier-c_rd] if-match acl ipv6 2000 [Switch-classifier-c_rd] quit # Configure traffic behavior b_rd to deny matching packets. [Switch] traffic behavior b_rd [Switch-behavior-b_rd] filter deny [Switch-behavior-b_rd] quit # Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd. [Switch] qos policy p_rd [Switch-qospolicy-p_rd] classifier c_rd behavior b_rd [Switch-qospolicy-p_rd] quit...
  • Page 702: Acl Application For Packet Filtering

    ACL Application for Packet Filtering When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering Ethernet Frames Filtering IPv4 Packets Filtering IPv6 Packets Configuring Packet Filtering Statistics Function ACL Application Examples You can apply an ACL to the inbound or outbound direction of an Ethernet interface or VLAN interface to filter received or sent packets such as Ethernet frames, IPv4 packets, and IPv6 packets.
  • Page 703: Filtering Ipv6 Packets

    Configuring Packet Filtering Statistics Function The Switch 4210G series switches provide the packet filtering statistics function so that the device can output packet filtering statistics information at a specified interval. With the output, you are able to know how many packets are filtered by which ACL rules.
  • Page 704: Acl Application Examples

    If you execute the display acl command to display the information about the ACLs, the device outputs packet filtering statistics except those that have been displayed by the command during that interval. ACL Application Examples ACL Application to an Ethernet Interface Network requirements As shown in Figure...
  • Page 705: Acl Application To A Vlan Interface

    [DeviceA] info-center source default channel 0 log level informational ACL Application to a VLAN Interface Network requirements As shown in Figure 16-2, apply an ACL to the inbound direction of interface VLAN-interface 100 on Device A so that the interface denies IPv4 packets sourced from Host A from 14:00 to 18:00 of the working days, and allows packets traveling between Host A and Host B.
  • Page 706 Table of Contents: 1 Smart Link Configuration (1-1); Smart Link Overview (1-1); Terminology (1-2); How Smart Link Works (1-3); Smart Link Configuration Task List (1-4); Configuring a Smart Link Device (1-4); Configuration Prerequisites (1-4); Configuring Protected VLANs for a Smart Link Group (1-5); Configuring Member Ports for a Smart Link Group (1-5); Configuring Role Preemption for a Smart Link Group (1-6); Enabling the Sending of Flush Messages (1-6)...
  • Page 707 Configuring RRPP Ports (3-12); Configuring RRPP Nodes (3-13); Activating an RRPP Domain (3-15); Configuring RRPP Timers (3-15); Configuring an RRPP Ring Group (3-16); Displaying and Maintaining RRPP (3-17); RRPP Configuration Examples (3-17); Single Ring Configuration Example (3-17); Intersecting Ring Configuration Example (3-19); Intersecting-Ring Load Balancing Configuration Example (3-24); Troubleshooting (3-34); 4 DLDP Configuration (4-1); Overview (4-1)...
  • Page 708 Basic Concepts in CFD (6-1); Basic Functions of CFD (6-4); Protocols and Standards (6-5); CFD Configuration Task List (6-5); Basic Configuration Tasks (6-5); Configuring Service Instance (6-6); Configuring MEP (6-6); Configuring MIP Generation Rules (6-7); Configuring CC on MEPs (6-8); Configuration Prerequisites (6-8); Configuring Procedure (6-8); Configuring LB on MEPs (6-8); Configuration Prerequisites (6-9); Configuration Procedure (6-9)...
  • Page 709: Smart Link Configuration

    Smart Link Configuration When configuring Smart Link, go to these sections for information that you are interested in: Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Displaying and Maintaining Smart Link Smart Link Configuration Examples Smart Link Overview To avoid single-point failures and guarantee network reliability, downstream devices are usually dual uplinked to upstream devices.
  • Page 710: Terminology

    convergence speed, but it involves complicated networking and configurations and therefore is mainly used in ring-shaped networks. For more information about STP and RRPP, refer to MSTP Configuration in the Access Volume and RRPP Configuration in the High Availability Volume. Smart Link is a feature developed to address the slow convergence issue with STP.
  • Page 711: How Smart Link Works

    Receive control VLAN The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.
  • Page 712: Smart Link Configuration Task List

    Load sharing mechanism A ring network may carry traffic of multiple VLANs. Smart link can forward traffic of different VLANs in different smart link groups, thus implementing load sharing. To implement load sharing, you can assign a port to multiple smart link groups (each configured with different protected VLANs), making sure that the state of the port is different in these smart link groups.
  • Page 713: Configuring Protected Vlans For A Smart Link Group

    Configuring Protected VLANs for a Smart Link Group
    Follow these steps to configure the protected VLANs for a smart link group:
    Enter system view: system-view
    Create a smart link group and enter smart link group view: smart-link group group-id
    Required...
  • Page 714: Configuring Role Preemption For A Smart Link Group

    Configure member ports for a smart link group: port smart-link group group-id { master | slave } (Required)
    Configuring Role Preemption for a Smart Link Group
    Follow these steps to configure role preemption for a smart link group: To do…...
  • Page 715: Smart Link Device Configuration Example

    The control VLAN configured for a smart link group must be different from that configured for any other smart link group. Make sure that the configured control VLAN already exists, and assign the smart link group member ports to the control VLAN. Do not remove the control VLAN.
  • Page 716: Associated Device Configuration Example

    Enter system view: system-view
    Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
    Configure the control VLANs for receiving flush messages: smart-link flush enable [ control-vlan vlan-id-list ] (Required. By default, no control VLAN exists for receiving flush messages.)
  • Page 717: Smart Link Configuration Examples

    Clear the statistics about flush messages: reset smart-link statistics (Available in user view)
    Smart Link Configuration Examples
    Single Smart Link Group Configuration Example
    Network requirements
    As shown in Figure 1-2: Map VLANs 1 through 10, VLANs 11 through 20, and VLANs 21 through 30 to MSTI 0, MSTI 1, and MSTI 2 respectively.
  • Page 718
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] port link-type trunk
    [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
    [DeviceC-GigabitEthernet1/0/1] quit
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-GigabitEthernet1/0/2] port link-type trunk
    [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
    [DeviceC-GigabitEthernet1/0/2] quit
    # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs.
  • Page 719
    # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs.
    [DeviceD] smart-link group 1
    [DeviceD-smlk-group1] protected-vlan reference-instance 0 to 2
    # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port for smart link group 1.
  • Page 720
    [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
    [DeviceE-GigabitEthernet1/0/2] smart-link flush enable
    [DeviceE-GigabitEthernet1/0/2] quit
    [DeviceE] interface gigabitethernet 1/0/3
    [DeviceE-GigabitEthernet1/0/3] port link-type trunk
    [DeviceE-GigabitEthernet1/0/3] port trunk permit vlan 1 to 30
    [DeviceE-GigabitEthernet1/0/3] smart-link flush enable
    [DeviceE-GigabitEthernet1/0/3] quit
    Configuration on Device A
    # Create VLANs 1 through 30.
  • Page 721: Multiple Smart Link Groups Load Sharing Configuration Example

    Device ID of the last flush packet : 000f-e23d-5af0
    Control VLAN of the last flush packet
    Multiple Smart Link Groups Load Sharing Configuration Example
    Network requirements
    As shown in Figure 1-3: traffic of VLANs 1 through 200 on Device C is dually uplinked to Device A by Device B and Device D.
  • Page 722
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-GigabitEthernet1/0/2] port link-type trunk
    [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 1 to 200
    [DeviceC-GigabitEthernet1/0/2] quit
    # Create smart link group 1, and configure all VLANs mapped to MSTI 0 as the protected VLANs for smart link group 1.
  • Page 723
    [DeviceB-GigabitEthernet1/0/2] port link-type trunk
    [DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 1 to 200
    [DeviceB-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101
    [DeviceB-GigabitEthernet1/0/2] quit
    Configuration on Device D
    # Create VLAN 1 through VLAN 200.
    <DeviceD> system-view
    [DeviceD] vlan 1 to 200
    # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports and assign them to VLANs 1 through 200;...
  • Page 724
    Preemption mode: ROLE
    Control VLAN: 10
    Protected VLAN: Reference Instance 0
    Member                 Role    State    Flush-count  Last-flush-time
    -------------------------------------------------------------------------------
    GigabitEthernet1/0/1   MASTER  ACTVIE                16:37:20 2009/02/21
    GigabitEthernet1/0/2   SLAVE   STANDBY  1            17:45:20 2009/02/21
    Smart link group 2 information:
    Device ID: 000f-e23d-5af0
    Preemption mode: ROLE
    Control VLAN: 101
    Protected VLAN: Reference Instance 2
    Member Role...
  • Page 725: Monitor Link Configuration

    Monitor Link Configuration When configuring monitor link, go to these sections for information you are interested in: Overview Configuring Monitor Link Displaying and Maintaining Monitor Link Monitor Link Configuration Example Overview Monitor link is a port collaboration function. Monitor link is usually used in conjunction with Layer 2 topology protocols.
  • Page 726: Configuring Monitor Link

    Configuring Monitor Link Configuration Prerequisites Before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group. Configuration Procedure Follow these steps to configure monitor link: To do… Use the command… Remarks Enter system view —...
  • Page 727: Monitor Link Configuration Example

    Displaying and Maintaining Monitor Link
    Display monitor link group information: display monitor-link group { group-id | all } (Available in any view)
    Monitor Link Configuration Example
    Network requirements
    As shown in Figure 2-1: Device C is dually uplinked to Device A through a smart link group. It is required that when GigabitEthernet1/0/1 or GigabitEthernet1/0/2 of Device A fails, Device C can sense the link failure and perform link switchover in the smart link group.
  • Page 728
    [DeviceC-GigabitEthernet1/0/2] quit
    # Create smart link group 1 and configure it to protect all the VLANs mapped to MSTIs 0 through 15.
    [DeviceC] smart-link group 1
    [DeviceC-smlk-group1] protected-vlan reference-instance 0 to 15
    # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port for smart link group 1.
  • Page 729
    # Enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately.
    [DeviceD] interface gigabitethernet 1/0/1
    [DeviceD-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] smart-link flush enable...
  • Page 730: Rrpp Configuration

    RRPP Configuration When configuring RRPP, go to these sections for information you are interested in: RRPP Overview RRPP Configuration Task List Creating an RRPP Domain Configuring Control VLANs Configuring Protected VLANs Configuring RRPP Rings Activating an RRPP Domain Configuring RRPP Timers Configuring an RRPP Ring Group Displaying and Maintaining RRPP RRPP Configuration Examples...
  • Page 731: Basic Concepts In Rrpp

    Basic Concepts in RRPP Figure 3-1 RRPP networking diagram RRPP domain The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, secondary port, common port, and edge port.
  • Page 732 IP address configuration is prohibited on the control VLAN interfaces. Data VLAN A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN. Node Each device on an RRPP ring is referred to as a node. The role of a node is configurable. There are the following node roles: Master node: Each ring has one and only one master node.
  • Page 733: Rrppdus

    Common port and edge port The ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 3-1, Device B and Device C lie on Ring 1 and Ring 2.
  • Page 734: Rrpp Timers

    RRPP Timers When RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the Hello timer and determines whether its secondary port receives the Hello packets based on the Fail timer. The Hello timer specifies the interval at which the master node sends Hello packets out the primary port.
  • Page 735: Typical Rrpp Networking

    Ring recovery
    The master node may only find that the ring has recovered some time after the ports belonging to the RRPP domain on the transit nodes, edge nodes, or assistant-edge nodes are brought up again. A temporary loop may arise in the data VLAN during this period, causing a broadcast storm. To prevent temporary loops, non-master nodes block those ports immediately (permitting only packets of the control VLAN to pass through) when they find their ports accessing the ring are brought up again.
  • Page 736 Single ring As shown in Figure 3-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain. Figure 3-2 Schematic diagram for a single-ring network Tangent rings As shown in Figure 3-3, there are two or more rings in the network topology and only one common node between rings.
  • Page 737 Figure 3-4 Schematic diagram for an intersecting-ring network Dual homed rings As shown in Figure 3-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring and the other rings as subrings.
  • Page 738: Protocols And Standards

    Figure 3-6 Schematic diagram for a single-ring load balancing network (Device A, Device B, Device C and Device D on Ring 1, which belongs to both Domain 1 and Domain 2)
    Intersecting-ring load balancing
    In an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 3-7, Ring 1 is the primary ring and Ring 2 is the subring in both Domain 1 and...
  • Page 739: Creating An Rrpp Domain

    Complete the following tasks to configure RRPP:
    Creating an RRPP Domain: Required. Perform this task on all nodes in the RRPP domain.
    Configuring Control VLANs: Required. Perform this task on all nodes in the RRPP domain.
    Configuring Protected VLANs: Required. Perform this task on all nodes in the RRPP domain.
  • Page 740 Configuring Control VLANs Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured. Follow these steps to configure control VLANs: To do…...
  • Page 741: Configuring Rrpp Ports

    Configuring RRPP Rings When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes. RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggregate interfaces and cannot be member ports of any aggregation group, or smart link group.
  • Page 742: Configuring Rrpp Nodes

    For detailed information about the port link-type trunk command and port trunk permit vlan { vlan-id-list | all } command, refer to VLAN Commands in the Access Volume. For detailed information about the undo stp enable command, refer to MSTP Commands in the Access Volume.
  • Page 743 To do… Use the command… Remarks Enter system view — system-view Enter RRPP domain view — rrpp domain domain-id ring ring-id node-mode transit Specify the current device as a [ primary-port interface-type transit node of the ring, and interface-number ] [ secondary-port Required specify the primary port and interface-type interface-number ] level...
  • Page 744: Activating An Rrpp Domain

    Activating an RRPP Domain To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain. Follow these steps to activate an RRPP domain: To do…...
  • Page 745: Configuring An Rrpp Ring Group

    The Fail timer value must be equal to or greater than three times the Hello timer value. To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node of the primary ring is greater than twice the Hello timer value of the master node of the subring.
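The two timer rules above are easy to get wrong when a subring master is configured separately from the primary ring master. The following added example (not code from the 3Com manual or the switch) encodes both rules as a check that can be run over the Hello/Fail timer values collected from each master node before a domain is activated. Timer values are taken to be in seconds, and the device names and values in the demo are made up.

```python
"""Check RRPP master-node timers against the two rules stated on this page:
Fail >= 3 x Hello on every master node, and, in a dual-homed-ring network, the
difference between the subring master's Fail timer and the primary ring master's
Fail timer must exceed 2 x the subring master's Hello timer.

Added example; not code from the 3Com manual. Timer values are in seconds
(assumption); device names and values in the demo are made up.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class MasterTimers:
    node: str    # master node name, e.g. "DeviceA"
    ring: str    # "primary" or "subring"
    hello: int   # Hello timer in seconds
    fail: int    # Fail timer in seconds


def fail_timer_problems(t: MasterTimers) -> List[str]:
    """Rule 1: the Fail timer must be at least three times the Hello timer."""
    if t.fail < 3 * t.hello:
        return [f"{t.node} ({t.ring}): Fail {t.fail}s < 3 x Hello {t.hello}s"]
    return []


def dual_homed_problems(primary: MasterTimers, subring: MasterTimers) -> List[str]:
    """Rule 2 (dual-homed rings): |Fail_sub - Fail_primary| > 2 x Hello_sub."""
    gap = abs(subring.fail - primary.fail)
    if gap <= 2 * subring.hello:
        return [f"{subring.node} (subring) vs {primary.node} (primary): "
                f"Fail timer gap {gap}s is not > 2 x subring Hello {subring.hello}s"]
    return []


def validate_domain(masters: List[MasterTimers], dual_homed: bool = False) -> List[str]:
    """All timer problems for one RRPP domain; an empty list means the timers are consistent."""
    problems: List[str] = []
    for t in masters:
        problems += fail_timer_problems(t)
    if dual_homed:
        primaries = [t for t in masters if t.ring == "primary"]
        subrings = [t for t in masters if t.ring != "primary"]
        for p in primaries:
            for s in subrings:
                problems += dual_homed_problems(p, s)
    return problems


if __name__ == "__main__":
    # Made-up dual-homed domain: both masters left at Hello 1 s / Fail 3 s.
    domain = [MasterTimers("DeviceA", "primary", hello=1, fail=3),
              MasterTimers("DeviceE", "subring", hello=1, fail=3)]
    for line in validate_domain(domain, dual_homed=True):
        print(line)
```

With identical timers on both masters the dual-homed rule fails even though each master individually satisfies Fail >= 3 x Hello, which is exactly the configuration that produces a temporary loop when the primary ring fails.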
  • Page 746: Displaying And Maintaining Rrpp

    Displaying and Maintaining RRPP
    Display brief RRPP information: display rrpp brief (Available in any view)
    Display RRPP group configuration information: display rrpp ring-group [ ring-group-id ] (Available in any view)
    Display detailed RRPP domain information: display rrpp verbose domain domain-id [ ring ring-id ] (Available in any view)
    Display RRPP statistics: display rrpp statistics domain...
  • Page 747
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] link-delay 0
    [DeviceA-GigabitEthernet1/0/1] undo stp enable
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceA-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] link-delay 0
    [DeviceA-GigabitEthernet1/0/2] undo stp enable
    [DeviceA-GigabitEthernet1/0/2] port link-type trunk
    [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan all
    [DeviceA-GigabitEthernet1/0/2] qos trust dot1p...
  • Page 748: Intersecting Ring Configuration Example

    [DeviceB-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceB-GigabitEthernet1/0/2] quit
    # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
    [DeviceB] rrpp domain 1
    [DeviceB-rrpp-domain1] control-vlan 4092
    [DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16...
  • Page 749 Figure 3-9 Network diagram for intersecting rings configuration Configuration procedure Configuration on Device A # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 750: Received Packets

    [DeviceA-rrpp-domain1] quit
    # Enable RRPP.
    [DeviceA] rrpp enable
    Configuration on Device B
    # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 751
    # Enable RRPP.
    [DeviceB] rrpp enable
    Configuration on Device C
    # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
  • Page 752
    [DeviceC] rrpp enable
    Configuration on Device D
    # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
    <DeviceD>...
  • Page 753: Intersecting-Ring Load Balancing Configuration Example

    [DeviceE] interface gigabitethernet 1/0/2
    [DeviceE-GigabitEthernet1/0/2] link-delay 0
    [DeviceE-GigabitEthernet1/0/2] undo stp enable
    [DeviceE-GigabitEthernet1/0/2] port link-type trunk
    [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan all
    [DeviceE-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceE-GigabitEthernet1/0/2] quit
    # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1.
  • Page 754
    Figure 3-10 Network diagram for intersecting-ring load balancing configuration
    Configuration procedure
    Configuration on Device A
    # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration.
    <DeviceA> system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    [DeviceA] vlan 20...
  • Page 755
    [DeviceA-GigabitEthernet1/0/2] link-delay 0
    [DeviceA-GigabitEthernet1/0/2] undo stp enable
    [DeviceA-GigabitEthernet1/0/2] port link-type trunk
    [DeviceA-GigabitEthernet1/0/2] undo port trunk permit vlan 1
    [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 10 20
    [DeviceA-GigabitEthernet1/0/2] qos trust dot1p
    [DeviceA-GigabitEthernet1/0/2] quit
    # Create RRPP domain 1, configure VLAN 100 as the primary control VLAN of RRPP domain 1, and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1.
  • Page 756 # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
  • Page 757
    [DeviceB-rrpp-domain1] protected-vlan reference-instance 1
    # Configure Device B as a transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1.
    [DeviceB-rrpp-domain1] ring node-mode transit primary-port...
  • Page 758
    VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] link-delay 0
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] port link-type trunk
    [DeviceC-GigabitEthernet1/0/1] undo port trunk permit vlan 1
    [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 10 20
    [DeviceC-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/1] quit...
  • Page 759
    # Configure Device C as the transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1.
    [DeviceC-rrpp-domain1] ring node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
    [DeviceC-rrpp-domain1] ring 1 enable...
  • Page 760
    [DeviceD] interface gigabitethernet 1/0/1
    [DeviceD-GigabitEthernet1/0/1] link-delay 0
    [DeviceD-GigabitEthernet1/0/1] undo stp enable
    [DeviceD-GigabitEthernet1/0/1] port link-type trunk
    [DeviceD-GigabitEthernet1/0/1] undo port trunk permit vlan 1
    [DeviceD-GigabitEthernet1/0/1] port trunk permit vlan 10 20
    [DeviceD-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] link-delay 0
    [DeviceD-GigabitEthernet1/0/2] undo stp enable
    [DeviceD-GigabitEthernet1/0/2] port link-type trunk
    [DeviceD-GigabitEthernet1/0/2] undo port trunk permit vlan 1...
  • Page 761
    [DeviceE-vlan20] quit
    [DeviceE] stp region-configuration
    [DeviceE-mst-region] instance 2 vlan 20
    [DeviceE-mst-region] active region-configuration
    [DeviceE-mst-region] quit
    # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, assign them to VLAN 20, and configure them to trust the 802.1p precedence of the received packets.
  • Page 762
    [DeviceF-mst-region] active region-configuration
    [DeviceF-mst-region] quit
    # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, assign them to VLAN 10, and configure them to trust the 802.1p precedence of the received packets.
  • Page 763: Troubleshooting

    Verification After the configuration, you can use the display command to view RRPP configuration and operational information on each device. Troubleshooting Symptom: When the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port. Analysis: The reasons may be: RRPP is not enabled on some nodes in the RRPP ring.
  • Page 764: Dldp Configuration

    DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: Overview DLDP Configuration Task List Enabling DLDP Setting DLDP Mode Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication Resetting DLDP State Displaying and Maintaining DLDP...
  • Page 765: How Dldp Works

    Figure 4-2 Unidirectional fiber link: a fiber not connected or disconnected (Device A GE1/0/50 and GE1/0/51 to Device B GE1/0/50 and GE1/0/51)
    The Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP, as configured, can shut down the related port automatically or prompt users to take actions to avoid network problems.
  • Page 766
    State: Indicates…
    Disable: A port enters this state when a unidirectional link is detected, or when contact with the neighbor is lost in enhanced mode. In this state, the port neither receives nor sends packets other than DLDPDUs.
    DelayDown: A port in the Active, Advertisement, or Probe DLDP link state transits to this state, rather than removing the corresponding neighbor entry and transiting to the Inactive state, when it detects a...
  • Page 767
    DLDP timer: Description
    DelayDown timer: A device in the Active, Advertisement, or Probe DLDP link state transits to the DelayDown state, rather than removing the corresponding neighbor entry and transiting to the Inactive state, when it detects a port-down event. When a device transits to this state, the DelayDown timer is triggered. A device in DelayDown state only responds to port-up events.
  • Page 768 In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 4-1) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected: fiber cross-connected links (as shown in Figure 4-1), and fiber pairs with one fiber not connected or disconnected (as shown in Figure 4-2).
  • Page 769 When a device transits from a DLDP state other than Inactive state or Disable state to Initial state, it sends Flush packets. A received DLDP packet is processed as follows. In any of the three authentication modes, the packet is dropped if it fails to pass the authentication. The packet is dropped if the setting of the interval for sending Advertisement packets it carries conflicts with the corresponding local setting.
  • Page 770
    Packet type: Processing procedure
    RecoverProbe packet: Check to see if the local port is in Disable or Advertisement state. If not, no processing is performed. If yes, return RecoverEcho packets.
    RecoverEcho packet: Check to see if the local port is in... If not, no processing is performed. If yes, the local port transits to Active state if the neighbor...
  • Page 771: Dldp Configuration Task List

    Table 4-7 Description on DLDP neighbor states
    DLDP neighbor state: Description
    Unknown: A neighbor is in this state when it has just been detected and is being probed, and no information indicating the state of the neighbor has been received. A neighbor is in this state only while it is being probed. It transits to Two way state or Unidirectional state after the probe operation finishes.
  • Page 772: Setting Dldp Mode

    Follow these steps to enable DLDP:
    Enter system view: system-view
    Enable DLDP globally: dldp enable (Required; globally disabled by default)
    Enter Ethernet port view: interface interface-type interface-number (Either of the two is required. Configurations made in Ethernet port view...
  • Page 773: Setting The Delaydown Timer

    Set the interval for sending Advertisement packets: dldp interval time (Optional; 5 seconds by default)
    The interval for sending Advertisement packets applies to all DLDP-enabled ports. Set the interval for sending Advertisement packets to a value no longer than one-third of the STP convergence time.
  • Page 774: Configuring Dldp Authentication

    links. In this mode, DLDP only detects unidirectional links and generates logs and traps; shutting down the ports of a unidirectional link is left to the administrator. Auto mode: in this mode, when a unidirectional link is detected, DLDP transits to Disable state, generates logs and traps, and sets the port to DLDP Down.
  • Page 775: Displaying And Maintaining Dldp

    If the port is shut down with the shutdown command manually, use the undo shutdown command on the port. If the port is shut down by DLDP automatically, use the dldp reset command on the port. Alternatively, you can leave the work to DLDP, which can enable the port automatically upon detecting that the link has been restored to bidirectional.
  • Page 776: Dldp Configuration Example

    DLDP Configuration Example Network requirements Device A and Device B are connected through two fiber pairs, in which two fibers are cross-connected, as shown in Figure 4-4. It is desired that the unidirectional links can be disconnected on being detected; and the ports shut down by DLDP can be restored after the fiber connections are corrected.
  • Page 777
    Configure Device B as you configure Device A.
    Verifying the configurations
    You can use the display dldp command to display the DLDP configuration information on ports.
    # Display the DLDP configuration information on all the DLDP-enabled ports of Device A.
    [DeviceA] display dldp
    DLDP global status : enable
    DLDP interval : 6s...
  • Page 778
    Neighbor aged time : 11
    Interface GigabitEthernet1/0/51
    DLDP port state : advertisement
    DLDP link state : up
    The neighbor number of the port is 1.
    Neighbor mac address : 0000-0000-0102
    Neighbor port index : 59
    Neighbor state : two way
    Neighbor aged time : 11
    The output information indicates that both GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 are in Advertisement state and the links are up, which means unidirectional links are not detected and the...
  • Page 779: Ethernet Oam Configuration

    Ethernet OAM Configuration When configuring the Ethernet OAM function, go to these sections for information you are interested in: Ethernet OAM Overview Ethernet OAM Configuration Task List Configuring Basic Ethernet OAM Functions Configuring Link Monitoring Enabling OAM Remote Loopback Displaying and Maintaining Ethernet OAM Configuration Ethernet OAM Configuration Example Ethernet OAM Overview Background...
  • Page 780 Figure 5-1 Formats of different types of Ethernet OAMPDUs The fields in an OAMPDU are described as follows: Table 5-1 Description of the fields in an OAMPDU (Field / Description): Dest addr: Destination MAC address of the Ethernet OAMPDU. It is the slow protocol multicast address 0180c2000002. As slow protocol packets cannot be forwarded by bridges, Ethernet OAMPDUs cannot be forwarded.
  • Page 781: How Ethernet Oam Works

    Table 5-2 Functions of different types of OAMPDUs (OAMPDU type / Function): Information OAMPDU: Used for transmitting state information of an Ethernet OAM entity (including the information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and maintaining OAM connections. Event: Used by link monitoring to notify the remote OAM entity when it detects...
  • Page 782 OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. No OAM connection can be established between OAM entities operating in passive OAM mode. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs periodically to keep the Ethernet OAM connection valid.
  • Page 783: Standards And Protocols

    The system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in the specific period, that is, the system takes the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this formula: the maximum number of frames = interface bandwidth (bps) ×...
  • Page 784: Configuring Link Monitoring

    Task / Remarks: Configuring Basic Ethernet OAM Functions (Required); Configuring Link Monitoring: Configuring Errored Symbol Event Detection (Optional), Configuring Errored Frame Event Detection (Optional), Configuring Errored Frame Period Event Detection (Optional), Configuring Errored Frame Seconds Event Detection (Optional); Enabling OAM Remote Loopback (Optional). Configuring Basic Ethernet OAM Functions As for Ethernet OAM connection establishment, a device can operate in active mode or passive mode.
  • Page 785: Configuring Errored Symbol Event Detection

    Configuring Errored Symbol Event Detection An errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold. Follow these steps to configure errored symbol event detection: To do… Use the command… Remarks Enter system view —...
  • Page 786: Enabling Oam Remote Loopback

    Follow these steps to configure errored frame seconds event detection (To do / Use the command / Remarks): Enter system view: system-view. Configure the errored frame seconds event detection interval: oam errored-frame-seconds period period-value (Optional; 60 seconds by default). Configure the errored frame seconds event...: oam errored-frame-seconds...
  • Page 787: Displaying And Maintaining Ethernet Oam Configuration

    Ethernet OAM remote loopback is available only after the Ethernet OAM connection is established and can be performed only by the Ethernet OAM entities operating in active Ethernet OAM mode. Remote loopback is available only on full-duplex links that support remote loopback at both ends. Ethernet OAM remote loopback needs the support of the peer hardware.
  • Page 788 Figure 5-2 Network diagram for Ethernet OAM configuration Configuration procedure Configure Device A # Configure GigabitEthernet 1/0/1 to operate in passive Ethernet OAM mode and enable Ethernet OAM for it. <DeviceA> system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] oam mode passive [DeviceA-GigabitEthernet1/0/1] oam enable [DeviceA-GigabitEthernet1/0/1] quit # Set the errored frame detection interval to 20 seconds and set the errored frame event triggering...
  • Page 789 You can use the display oam link-event command to display the statistics about Ethernet OAM link events and use the display oam critical-event command to display the Ethernet OAM configuration information. For example: # Display the statistics of Ethernet OAM critical link events on all the ports of Device A. [DeviceA] display oam critical-event Port : GigabitEthernet1/0/1...
  • Page 790: Connectivity Fault Detection Configuration

    Connectivity Fault Detection Configuration When configuring CFD, go to these sections for information you are interested in: Overview CFD Configuration Task List Basic Configuration Tasks Configuring CC on MEPs Configuring LB on MEPs Configuring LT on MEPs Displaying and Maintaining CFD CFD Configuration Examples Overview Connectivity Fault Detection (CFD) is an end-to-end per-VLAN link layer Operations, Administration...
  • Page 791 Figure 6-1 Two nested MDs CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to locate failure points rapidly. Maintenance association A maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is identified by the “MD name + MA name”.
  • Page 792 Figure 6-2 Outward-facing MEP Figure 6-3 Inward-facing MEP A MIP is internal to an MD. It cannot send CFD packets actively; however, it can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.
  • Page 793: Basic Functions Of Cfd

    Figure 6-4 Levels of MPs Basic Functions of CFD CFD works effectively only in properly configured networks. Its functions, which are implemented through the MPs, include: Continuity check (CC), Loopback (LB), and Linktrace (LT). Continuity check Continuity check is responsible for checking the connectivity between MEPs. Connectivity faults are usually caused by device faults or configuration errors.
  • Page 794: Basic Configuration Tasks

    the source MEP can identify the path to the destination MEP. Note that LTMs are multicast frames while LTRs are unicast frames. Protocols and Standards The CFD function is implemented in accordance with IEEE P802.1ag. CFD Configuration Task List For CFD to work effectively, you should first design the network by performing the following tasks: Grade the MDs in the entire network, and define the boundary of each MD.
  • Page 795 Based on the network design, you should configure MEPs or the rules for generating MIPs on each device. However, before doing this you must first configure the service instance. Configuring Service Instance A service instance is indicated by an integer to represent an MA in an MD. The MD and MA define the level and VLAN attribute of the messages handled by the MPs in a service instance.
  • Page 796: Configuring Mip Generation Rules

    To do / Use the command / Remarks: Configure a remote MEP for a MEP in the same service instance: cfd remote-mep remote-mep-id service-instance instance-id mep mep-id (Required; no remote MEP is configured for a MEP by default). Enable the MEP: cfd mep service-instance instance-id mep mep-id enable (Required; disabled by default)...
  • Page 797: Configuring Cc On Meps

    Configuring CC on MEPs After the CC function is configured, MEPs can send CCMs to each other to check the connectivity between them. Configuration Prerequisites Before configuring this function, you should first complete the MEP configuration. Configuration Procedure Follow these steps to configure CC on a MEP: To do...
  • Page 798: Configuring Lt On Meps

    Configuration Prerequisites Before configuring this function, you should first complete the MEP and MIP configuration tasks. Configuration Procedure Follow these steps to configure LB on a MEP (To do / Use the command / Remarks): Enter system view: system-view (Required). Enable LB: cfd loopback service-instance instance-id mep mep-id { target-mep target-mep-id | target-mac ... (Disabled by...
  • Page 799: Displaying And Maintaining Cfd

    Displaying and Maintaining CFD (To do / Use the command / Remarks): Display CFD status: display cfd status (Available in any view). Display MD configuration information: display cfd md (Available in any view). Display MA configuration information: display cfd ma [ [ ma-name ] md md-name ] (Available in any view)...
  • Page 800: Configuring Mep And Enabling Cc On It

    Figure 6-5 Network diagram for MD configuration Configuration procedure Configuration on Device A (configuration on Device E is the same as that on Device A) <DeviceA> system-view [DeviceA] cfd enable [DeviceA] cfd md MD_A level 5 [DeviceA] cfd ma MA_MD_A md MD_A vlan 100 [DeviceA] cfd service-instance 1 md MD_A ma MA_MD_A Configuration on Device C <DeviceC>...
  • Page 801 Decide the remote MEP for each MEP, and enable these MEPs. According to the network diagram as shown in Figure 6-6, perform the following configurations: In MD_A, there are three edge ports: GigabitEthernet 1/0/1 on Device A, GigabitEthernet 1/0/3 on Device D and GigabitEthernet 1/0/4 on Device E.
  • Page 802: Configuring The Rules For Generating Mips

    [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 1001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 5001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd mep service-instance 1 mep 4002 enable [DeviceD-GigabitEthernet1/0/3] cfd cc service-instance 1 mep 4002 enable On Device E <DeviceE> system-view [DeviceE] interface gigabitethernet 1/0/4 [DeviceE-GigabitEthernet1/0/4] cfd mep 5001 service-instance 1 inbound [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 1001 service-instance 1 mep 5001 [DeviceE-GigabitEthernet1/0/4] cfd remote-mep 4002 service-instance 1 mep 5001...
  • Page 803: Configuring Lb On Meps

    Configuration procedure Configure Device B <DeviceB> system-view [DeviceB] cfd mip-rule explicit service-instance 1 Configure Device C <DeviceC> system-view [DeviceC] cfd mip-rule default service-instance 2 After the above operation, you can use the display cfd mp command to verify your configuration. Configuring LB on MEPs Network requirements Use the LB function to trace the fault source after CC detects a link fault.
  • Page 804: Track Overview

    Track Configuration When configuring Track, go to these sections for information you are interested in: Track Overview Track Configuration Task List Configuring Collaboration Between the Track Module and the Detection Modules Configuring Collaboration Between the Track Module and the Application Modules Displaying and Maintaining Track Object(s) Track Configuration Examples Track Overview...
  • Page 805: Track Configuration Task List

    If the probe fails, the status of the corresponding Track object is Negative. At present, the only detection module that can collaborate with the Track module is the Network Quality Analyzer (NQA). Refer to NQA Configuration in the System Volume for details of NQA. Collaboration Between the Track Module and the Application Modules You can establish the collaboration between the Track module and the application modules through configuration.
  • Page 806: Configuring Collaboration Between The Track Module And The Application Modules

    Configuring Collaboration Between the Track Module and the Application Modules Configuring Track-Static Routing Collaboration You can check the validity of a static route in real time by establishing collaboration between Track and static routing. If you specify the next hop but not the egress interface when configuring a static route, you can associate the static route with a Track object and thus check the validity of the static route according to the status of the Track object.
  • Page 807: Displaying And Maintaining Track Object(S)

    Displaying and Maintaining Track Object(s) (To do / Use the command / Remarks): Display information about the specified Track object or all Track objects: display track { track-entry-number | all } (Available in any view). Track Configuration Examples Static Routing-Track-NQA Collaboration Configuration Example Network requirements The next hop of the static route from Switch A to Switch C is Switch B.
  • Page 808 [SwitchA-nqa-admin-test-icmp-echo] frequency 100 # Configure Reaction entry 1, specifying that five consecutive probe failures trigger the Static Routing-Track-NQA collaboration. [SwitchA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only [SwitchA-nqa-admin-test-icmp-echo] quit # Start NQA probes. [SwitchA] nqa schedule admin test start-time now lifetime forever Configure a Track object on Switch A.
  • Page 809 NQA entry: admin test Reaction: 1 # Display the routing table of Switch A. [SwitchA] display ip routing-table Routing Tables: Public Destinations : 4 Routes : 4 Destination/Mask Proto Pre Cost NextHop Interface 10.2.1.0/24 Direct 0 10.2.1.2 Vlan3 10.2.1.2/32 Direct 0 127.0.0.1 InLoop0 127.0.0.0/8...
  • Page 810 Table of Contents: 1 Logging In to an Ethernet Switch (1-1); Logging In to an Ethernet Switch (1-1); Introduction to User Interface (1-1); Supported User Interfaces (1-1); Users and User Interfaces (1-2); User Interface Number (1-2); Common User Interface Configuration (1-2); 2 Logging In Through the Console Port (2-1); Introduction (2-1); Setting Up the Connection to the Console Port (2-1); Console Port Login Configuration (2-3)...
  • Page 811 Configuration procedure (4-3); Command Accounting Configuration Example (4-4); Network diagram (4-4); Configuration procedure (4-4); 5 Logging in Through Web-based Network Management System (5-1); Introduction (5-1); Web Server Configuration (5-1); Displaying Web Users (5-2); Configuration Example (5-2); 6 Logging In Through NMS (6-1); Introduction (6-1); Connection Establishment Using NMS (6-1); 7 Specifying Source for Telnet Packets (7-1); Introduction (7-1)...
  • Page 812 Introduction to CLI (9-15); Online Help with Command Lines (9-16); Synchronous Information Output (9-17); Undo Form of a Command (9-17); Editing Features (9-17); CLI Display (9-18); Saving History Commands (9-21); Command Line Error Information (9-22); 10 Device Management (10-1); Device Management Overview (10-1); Device Management Configuration Task List (10-1); Configuring the Exception Handling Method (10-1); Rebooting a Device (10-2)...
  • Page 813 Displaying and Maintaining Device Configuration (11-17); 12 FTP Configuration (12-1); FTP Overview (12-1); Introduction to FTP (12-1); Operation of FTP (12-1); Configuring the FTP Client (12-3); Establishing an FTP Connection (12-3); Configuring the FTP Client (12-4); FTP Client Configuration Example (12-6); Single Device Upgrade (12-6); IRF System Upgrade (12-7); Configuring the FTP Server (12-9); Configuring FTP Server Operating Parameters (12-9)...
  • Page 814 16 SNMP Configuration (16-1); SNMP Overview (16-1); SNMP Mechanism (16-1); SNMP Protocol Version (16-2); MIB Overview (16-2); SNMP Configuration (16-3); Configuring SNMP Logging (16-5); Introduction to SNMP Logging (16-5); Enabling SNMP Logging (16-5); SNMP Trap Configuration (16-6); Enabling the Trap Function (16-6); Configuring Trap Parameters (16-7); Displaying and Maintaining SNMP (16-8); SNMP Configuration Example (16-9); SNMP Logging Configuration Example (16-10)...
  • Page 815 Configuring MAC Information Mode (20-2); Configuring the Interval for Sending Syslog or Trap Messages (20-2); Configuring the MAC Information Queue Length (20-2); MAC Information Configuration Example (20-3); MAC Information Configuration Example (20-3); 21 System Maintenance and Debugging (21-1); System Maintenance and Debugging (21-1); Ping (21-1); Introduction (21-1); Configuring Ping (21-1)...
  • Page 816 Loading a Patch File (23-6); Activating Patches (23-7); Confirm Running Patches (23-7); One-Step Patch Uninstallation (23-8); Step-by-Step Patch Uninstallation (23-8); Step-by-Step Patch Uninstallation Task List (23-8); Stop Running Patches (23-8); Deleting Patches (23-8); Displaying and Maintaining Hotfix (23-9); Hotfix Configuration Examples (23-9); Hotfix Configuration Example (Single Device) (23-9); Hotfix Configuration Example (IRF Device) (23-10); 24 NQA Configuration (23-1); NQA Overview (23-1)...
  • Page 817 Voice Test Configuration Example (23-34); DLSw Test Configuration Example (23-37); NQA Collaboration Configuration Example (23-38); 25 NTP Configuration (25-1); NTP Overview (25-1); Applications of NTP (25-1); Advantages of NTP (25-1); How NTP Works (25-2); NTP Message Format (25-3); Operation Modes of NTP (25-4); Multiple Instances of NTP (25-6); NTP Configuration Task List (25-6); Configuring the Operation Modes of NTP (25-7)...
  • Page 818 Enabling the Cluster Function (26-10); Establishing a Cluster (26-10); Enabling Management VLAN Auto-negotiation (26-11); Configuring Communication Between the Management Device and the Member Devices Within a Cluster (26-11); Configuring Cluster Management Protocol Packets (26-11); Cluster Member Management (26-12); Configuring the Member Devices (26-13); Enabling NDP (26-13); Enabling NTDP (26-13); Manually Collecting Topology Information (26-13); Enabling the Cluster Function (26-13)...
  • Page 819 Introduction to IPC (28-1); Enabling IPC Performance Statistics (28-2); Displaying and Maintaining IPC (28-3); 29 PoE Configuration (29-1); PoE Overview (29-1); Introduction to PoE (29-1); Protocol Specification (29-2); PoE Configuration Task List (29-2); Configuring the PoE Interface (29-2); Configuring a PoE Interface through the Command Line (29-3); Configuring PoE Interfaces Through a PoE Configuration File (29-3); Configuring PoE Power Management (29-4); Configuring PD Power Management (29-4)...
  • Page 820: Logging In To An Ethernet Switch

    Ethernet port users up to five VTY users. Because the AUX port and the Console port of a 3Com Switch 4210G family switch are the same physical port, you are placed in the AUX user interface when you log in through this port.
  • Page 821: Users And User Interfaces

    Users and User Interfaces A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the user the lowest-numbered idle user interface of the type that matches the login method.
  • Page 822 To do… / Use the command… / Remarks. Display information about the current user interface or all user interfaces: display users [ all ] (can be executed in any view). Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ] [ summary ] (can be executed in any view)...
  • Page 823: Logging In Through The Console Port

    Logging in through the Console port is the most common way to log in to a switch, and it is the prerequisite for configuring the other login methods. By default, you can log in to a 3Com Switch 4210G family switch only through its Console port.
  • Page 824 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
  • Page 825: Console Port Login Configuration

    Figure 2-4 Set port parameters terminal window. Turn on the switch. If the switch completes POST (power-on self test) successfully, you are prompted to press Enter; the prompt (such as <4210G>) appears after you press Enter.
  • Page 826 Configuration / Description. Check mode: parity { even | mark | none | odd | space } (optional; by default, the check mode of the Console port is none, meaning no check bit). Stop bits: stopbits { 1 | 1.5 | 2 } (optional; the default stop bits of a Console port is 1).
  • Page 827: Console Port Login Configurations For Different Authentication Modes

    Console Port Login Configurations for Different Authentication Modes Table 2-3 lists Console port login configurations for different authentication modes. Table 2-3 Console port login configurations for different authentication modes: Authentication mode / Configuration / Description. None: configure not to authenticate users; refer to Console Port Login Configuration with Authentication Mode Being None...
  • Page 828: Configuration Example

    Configuration Example Network requirements Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following respects.
  • Page 829: Console Port Login Configuration With Authentication Mode Being Password

    [Sysname-ui-aux0] idle-timeout 6 After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
  • Page 830 Network diagram Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password) Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter AUX user interface view.
    [Sysname] user-interface aux 0
    # Specify to authenticate the user logging in through the Console port using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
  • Page 831: Console Port Login Configuration With Authentication Mode Being Scheme

    Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to perform Console port login configuration (with authentication mode being scheme): To do… / Use the command… / Remarks. Enter system view: system-view. Enter AUX user interface view: user-interface aux 0...
  • Page 832: Configuration Example

    Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
  • Page 833: Configuring Command Authorization

    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal.
    [Sysname-luser-guest] service-type terminal
    [Sysname-luser-guest] quit
    # Enter AUX user interface view.
  • Page 834: Configuring Command Accounting

    To do… / Use the command… / Remarks. Enter AUX user interface view: user-interface aux. Enable command authorization: command authorization (required; disabled by default, that is, users can execute commands without authorization). Configuring Command Accounting Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result.
  • Page 835: Logging In Through Telnet/Ssh

    Logging In Through Telnet/SSH Logging In Through Telnet When logging in through Telnet, go to these sections for information you are interested in: Introduction Common Configuration Telnet Login Configuration with Authentication Mode Being None Telnet Login Configuration with Authentication Mode Being Password Telnet Login Configuration with Authentication Mode Being Scheme Introduction You can telnet to a remote switch to manage and maintain the switch.
  • Page 836 Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <4210G>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 837 Step 4: Enter the password. If the password is correct, the CLI prompt (such as <4210G>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 838: Telnet Login Configuration Task List

    Table 3-2 Common Telnet configuration: Configuration / Remarks. Enter system view: system-view. Make the switch operate as a Telnet server: telnet server enable (by default, a switch does not operate as a Telnet server). Enter one or more VTY user interface views: user-interface vty...
  • Page 839: Telnet Login Configuration With Authentication Mode Being None

    Table 3-3 Telnet login configuration tasks when different authentication modes are adopted: Task / Description. Telnet Login Configuration with Authentication Mode Being None: configure not to authenticate users logging in to user interfaces. Telnet Login Configuration with Authentication Mode Being Password: configure to authenticate users logging in to user interfaces using a local password, and configure the local password...
  • Page 840: Telnet Login Configuration With Authentication Mode Being Password

    Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure
    # Enter system view, and enable the Telnet service.
    <Sysname> system-view
    [Sysname] telnet server enable
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging in to VTY 0.
  • Page 841 Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Authenticate users logging in to VTY 0 using the local password. Set the local password to 123456 (in plain text). Commands of level 2 are available to users logging in to VTY 0.
  • Page 842: Telnet Login Configuration With Authentication Mode Being Scheme

    Telnet Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to perform Telnet configuration (with authentication mode being scheme): To do… / Use the command… / Remarks. Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty...
  • Page 843 For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security Volume. Configuration Example Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Configure the name of the local user to be “guest”.
  • Page 844: Logging In Through Ssh

    # Configure the user interface to accept the Telnet protocol.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-vty0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
    [Sysname-ui-vty0] history-command max-size 20
    # Set the timeout time to 6 minutes.
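    The scheme-mode example above still leaves the VTY open to Telnet, which carries the password and every subsequent command in cleartext. The following fragment is an added example (it is not taken from the 3Com manual) that combines the same scheme-mode VTY settings with SSH-only access: a local user admin with the SSH service type and level 3, the Telnet server left off, the SSH server on, and the VTYs restricted to inbound SSH with a 6-minute idle timeout. The public-key local create rsa, ssh server enable and ssh user ... service-type stelnet authentication-type password commands are the Comware syntax assumed here for the SSH section that is truncated in this excerpt; the user name admin and the <strong-password> placeholder are assumptions as well.

```text
# Added example: SSH-only remote login with scheme (local) authentication.
# Assumed: local user "admin", password placeholder <strong-password>.
<Sysname> system-view
# Generate the RSA host key pair the SSH server needs (assumed command).
[Sysname] public-key local create rsa
# Run the SSH server; Telnet is off by default on this platform, the undo makes that explicit.
[Sysname] ssh server enable
[Sysname] undo telnet server enable
# Local account: SSH service only, cipher-text password, administrator level 3.
[Sysname] local-user admin
[Sysname-luser-admin] password cipher <strong-password>
[Sysname-luser-admin] service-type ssh
[Sysname-luser-admin] authorization-attribute level 3
[Sysname-luser-admin] quit
# Tell the SSH server to authenticate this user by password (assumed command).
[Sysname] ssh user admin service-type stelnet authentication-type password
# All five VTYs: scheme authentication, SSH only, idle sessions dropped after 6 minutes.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] protocol inbound ssh
[Sysname-ui-vty0-4] idle-timeout 6
[Sysname-ui-vty0-4] quit
# Verify from the still-open console session before relying on remote access:
# every VTY should show "protocol inbound ssh" and no "authentication-mode none".
[Sysname] display current-configuration | include protocol inbound
[Sysname] display current-configuration | include authentication-mode
```

    Do this from the Console port and keep that session open until an SSH login has succeeded: if the host key was not generated or the ssh user line is missing, the VTYs accept no connection at all once protocol inbound ssh is set, and the console is the only way back in.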
  • Page 845: Configuring Command Accounting

    Configuring Command Accounting Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result. This helps control and monitor the user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command will be recorded on the HWTACACS server.
  • Page 846: User Interface Configuration Examples

    User Interface Configuration Examples User Authentication Configuration Example Network diagram As shown in Figure 4-1, command levels should be configured for different users to secure Device: The device administrator accesses Device through the console port on Host A. When the administrator logs in to the device, username and password are not required.
  • Page 847: Command Authorization Configuration Example

    [Device-ui-vty0-4] quit
    # Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and set the RADIUS server type of the scheme to extended.
  • Page 848 Configuration procedure
    # Assign an IP address to Device so that Device is reachable from Host A and from the HWTACACS server. The configuration is omitted.
    # Enable the telnet service on Device.
    <Device> system-view
    [Device] telnet server enable
    # Set to use username and password authentication when users use VTY 0 to log in to Device. The commands that the user can execute depend on the authentication result.
  • Page 849: Command Accounting Configuration Example

    Command Accounting Configuration Example Network diagram As shown in Figure 4-3, configure the commands that the login users execute to be recorded on the HWTACACS server to control and monitor user operations. Figure 4-3 Network diagram for configuring command accounting: HWTACACS server 192.168.2.20/24, Console Connection...
  • Page 850 [Device-radius-rad] quit
    # Create ISP domain system, and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users.
    [Device] domain system
    [Device-isp-system] accounting command hwtacacs-scheme tac
    [Device-isp-system] quit...
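    The command-authorization and command-accounting examples above each show only a fragment of the HWTACACS side. The following is an added example (not the manual's own configuration) that puts one HWTACACS scheme to all three uses: login authentication, per-command authorization and per-command accounting. It reuses the server address 192.168.2.20, the scheme name tac and the shared key expert from those examples. TACACS+ port 49, the primary authentication/authorization/accounting, key and user-name-format commands under the scheme, and authentication login / authorization command under the domain are the Comware syntax assumed here; only accounting command hwtacacs-scheme, command authorization and command accounting appear in this excerpt.

```text
# Added example: one HWTACACS scheme for login, command authorization and command accounting.
# Assumed: server 192.168.2.20 listens on TCP 49; scheme name and key reused from the page's example.
<Device> system-view
[Device] hwtacacs scheme tac
[Device-hwtacacs-tac] primary authentication 192.168.2.20 49
[Device-hwtacacs-tac] primary authorization 192.168.2.20 49
[Device-hwtacacs-tac] primary accounting 192.168.2.20 49
# The shared key is stored in the configuration file; it must match the server exactly.
[Device-hwtacacs-tac] key authentication expert
[Device-hwtacacs-tac] key authorization expert
[Device-hwtacacs-tac] key accounting expert
# Send "alice", not "alice@system", so server-side user names stay simple.
[Device-hwtacacs-tac] user-name-format without-domain
[Device-hwtacacs-tac] quit
# Default domain: HWTACACS first, local fallback only if the server does not answer.
[Device] domain system
[Device-isp-system] authentication login hwtacacs-scheme tac local
[Device-isp-system] authorization command hwtacacs-scheme tac local
[Device-isp-system] accounting command hwtacacs-scheme tac
[Device-isp-system] quit
# VTYs: scheme authentication, every command checked and every command logged.
[Device] user-interface vty 0 4
[Device-ui-vty0-4] authentication-mode scheme
[Device-ui-vty0-4] command authorization
[Device-ui-vty0-4] command accounting
[Device-ui-vty0-4] quit
```

    The local keyword after the scheme is a deliberate trade-off: without it an unreachable server locks every remote administrator out, with it the local accounts become the fallback path and need the same password discipline as the server accounts. Command accounting records the command regardless of whether the server authorized it, so a denied command still shows up in the server log.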
  • Page 851: Web Server Configuration

    Management System Introduction A Switch 4210G has a built-in Web server. You can log in to a Switch 4210G through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to a Switch 4210G through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
  • Page 852: Displaying Web Users

    To do… / Use the command… / Remarks. Configure the authorization attributes for the local user: authorization-attribute level level (optional; by default, no authorization attribute is configured for a local user). Specify the service types for the local user: service-type telnet (optional; by default, no service is authorized to a user).
  • Page 853 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 854: Connection Establishment Using Nms

    Logging In Through NMS When logging in through NMS, go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 855: Specifying Source For Telnet Packets

    Specifying Source for Telnet Packets When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction Specifying Source IP address/Interface for Telnet Packets Displaying the source IP address/Interface Specified for Telnet Packets Introduction To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 856: Displaying The Source Ip Address/Interface Specified For Telnet Packets

    To do… / Use the command… / Remarks. Specify source IP address/interface for Telnet packets: telnet client source { ip ip-address | interface interface-type interface-number } (optional; by default, no source IP address/interface is specified). The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
  • Page 857: Controlling Telnet Users

    Controlling Login Users When controlling login users, go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Introduction Multiple ways are available for controlling different types of login users, as listed in Table 8-1.
  • Page 858: Controlling Telnet Users By Source And Destination Ip Addresses

    To do… / Use the command… / Remarks. Define rules for the ACL: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | time-range time-name | fragment | logging ]* (required). Quit to system view: —...
  • Page 859: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses This configuration needs to be implemented by Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume. Follow these steps to control Telnet users by source MAC addresses: To do…...
  • Page 860: Controlling Network Management Users By Source Ip Addresses

    [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses You can manage a 3Com Switch 4210G family through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 861 # Apply the ACL to permit only SNMP users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 to access the switch.
    [Sysname] snmp-agent community read 3com acl 2000
    [Sysname] snmp-agent group v2c 3comgroup acl 2000
    [Sysname] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000...
  • Page 862: Controlling Web Users By Source Ip Addresses

    Controlling Web Users by Source IP Addresses The Switch 4210G supports Web-based remote management, which allows Web users to access the switch using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switch.
  • Page 863 Figure 8-3 Configure an ACL to control the access of HTTP users to the switch (Host A 10.110.100.46 and Host B 10.110.100.52 reach the switch across the IP network) Configuration procedure
    # Create a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2030 match-order config
    [Sysname-acl-basic-2030] rule 1 permit source 10.110.100.52 0
    # Reference the ACL to allow only Web users using IP address 10.110.100.52 to access the switch.
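    The three ACL examples above each bind a separate ACL to one access path. As an added example, not the manual's own configuration, the following fragment applies a single basic ACL to all three management-plane paths of the switch: the VTY user interfaces (Telnet/SSH), the SNMP community, group and user from the page-861 example, and the Web server. The two host addresses and the names 3com, 3comgroup and 3comuser are taken from the examples above; ip http acl is the assumed Comware command behind the truncated "Reference the ACL" step, and the explicit rule 3 deny source any is added so that the intent is visible in the saved configuration.

```text
# Added example: one basic ACL (number range 2000-2999) for every management-plane entry point.
<Sysname> system-view
[Sysname] acl number 2000 match-order config
# match-order config: rules are tried in the order configured, so the permits must precede the deny.
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit
# Telnet/SSH: apply to all five VTYs so that no VTY is left unfiltered.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
[Sysname-ui-vty0-4] quit
# SNMP: the community, the group and the USM user each carry the ACL;
# a community configured without an ACL would bypass the restriction.
[Sysname] snmp-agent community read 3com acl 2000
[Sysname] snmp-agent group v2c 3comgroup acl 2000
[Sysname] snmp-agent usm-user v2c 3comuser 3comgroup acl 2000
# Web: assumed command that references the ACL for HTTP users.
[Sysname] ip http acl 2000
# Check the rule set and every place the ACL is referenced.
[Sysname] display acl 2000
[Sysname] display current-configuration | include acl 2000
```

    A source-address ACL narrows who can reach the login prompt; it does not authenticate anyone, and a host inside the permitted range (or a spoofed source on the same segment) still gets a Telnet, HTTP or SNMPv2c exchange in cleartext. Pair it with scheme authentication on the VTYs and treat the community string as a password that travels unencrypted.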
  • Page 864: Configuration Display

    Basic System Configurations While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display Basic Configurations CLI Features Configuration Display To avoid duplicate configuration, you can use the display commands to view the current configuration of the device before configuring the device.
  • Page 865: Entering/Exiting System View

    Enter system view: system-view. Configure the device name: sysname sysname (optional; the device name is 4210G by default). Configuring the System Clock Configuring the system clock The system clock, displayed by the system time stamp, is determined by the configured relative time, time zone, and daylight saving time.
  • Page 866 To do… / Use the command… / Remarks. Set time and date: clock datetime time date (optional; available in user view). Enter system view: system-view. Set the time zone: clock timezone zone-name { add | minus } zone-offset (optional). Set a daylight saving time: clock summer-time zone-name one-off start-time start-date end-time end-date add-time (optional)...
  • Page 867 System clock displayed by the display clock command / Configuration Example. If the original system clock is in the daylight saving time range, the original system clock + summer-offset is displayed. Configure: clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2. Display: 03:00:00 ss Sat 01/01/2005...
  • Page 868: Enabling/Disabling The Display Of Copyright Information

    The display format of copyright information is as shown below: ****************************************************************************** * Copyright (c) 2004-2009 3Com Corp. and its licensors. All rights reserved. * * This software is protected by copyright law and international treaties. * Without the prior written permission of 3Com Corporation and its licensors,* * any reproduction republication, redistribution, decompiling, reverse * engineering is strictly prohibited.
  • Page 869: Configuring A Banner

    Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system supports the following five kinds of welcome information. shell banner, also called session banner, displayed when a non TTY Modem user enters user view.
  • Page 870: Configuring Cli Hotkeys

    To do… / Use the command… / Remarks. Configure the banner to be displayed when a user enters user view (non Modem login users): header shell text (optional). Configure the banner to be displayed before login: header motd text (optional). Configuring CLI Hotkeys Follow these steps to configure CLI hotkeys: To do…...
  • Page 871: Configuring Command Aliases

    Hotkey / Function. Ctrl+X: Deletes all the characters to the left of the cursor. Ctrl+Y: Deletes all the characters to the right of the cursor. Ctrl+Z: Exits to user view. Ctrl+]: Terminates an incoming connection or a redirect connection. Esc+B: Moves the cursor to the leading character of the continuous string to the left.
  • Page 872: Configuring User Privilege Levels And Command Levels

    To do… / Use the command… / Remarks. Enter system view: system-view. Enable the command alias function: command-alias enable (required; disabled by default, that is, you cannot configure command aliases). Configure command aliases: command-alias mapping cmdkey alias (required; not configured by default). Configuring User Privilege Levels and Command Levels Introduction To restrict the different users’...
  • Page 873 Follow these steps to configure user privilege level by using AAA authentication parameters: To do… / Use the command… / Remarks. Enter system view: system-view. Enter user interface view: user-interface [ type ] first-number [ last-number ]. Configure the authentication mode for logging in to the user interface: authentication-mode scheme (required; by default, the authentication...
  • Page 874 [Sysname-luser-test] password cipher 123
    [Sysname-luser-test] service-type telnet
    After the above configuration, when users telnet to the device through VTY 1, they need to input username test and password 123. After passing the authentication, users can only use the commands of level 0. If the users need to use commands of levels 0, 1, 2 and 3, the following configuration is required:
    [Sysname-luser-test] authorization-attribute level 3
    Configure the user privilege level under a user interface...
  • Page 875 To do… / Use the command… / Remarks. Configure the privilege level of the user logging in from the current user interface: user privilege level level (optional; by default, the user privilege level for users logging in from the console user interface is 3, and that for users logging in from the other user interfaces is 0).
  • Page 876 undo Cancel current setting. Authenticate the users logging in to the device through Telnet, verify their passwords, and specify the user privilege level as 2.
    <Sysname> system-view
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode password
    [Sysname-ui-vty0-4] set authentication password cipher 123
    [Sysname-ui-vty0-4] user privilege level 2
    By default, when users log in to the device through Telnet, they can use the commands of level 0 after passing the authentication.
  • Page 877: Displaying And Maintaining Basic Configurations

    When you configure the password for switching user privilege level with the super password command, the user privilege level is 3 if no user privilege level is specified. The password for switching user privilege level can be displayed in both cipher text and simple text.
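    The defaults described above (level 0 on the VTYs, level 3 on the console, super password for level 3 when no level is given) lend themselves to a least-privilege layout. As an added example, not the manual's own, the first fragment below is the page-876 pattern that is weak in practice: one shared VTY password and user privilege level 3, so that anyone who learns the password lands in the administrator level. The second fragment restructures the same access: named accounts at level 1, a separate super password for level 3, and the privilege level removed from the user interface so that the AAA level (authorization-attribute level) decides. The account name operator, the password placeholders, and the forms super password level 3 cipher, undo user privilege level and super 3 are assumptions for the commands the text describes.

```text
# Weak (the page-876 shape): one shared password, every VTY login lands at level 3.
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode password
[Sysname-ui-vty0-4] set authentication password cipher 123
[Sysname-ui-vty0-4] user privilege level 3
[Sysname-ui-vty0-4] quit

# Corrected: per-user accounts at level 1; level 3 only after "super 3" with its own password.
# Assumed: account "operator", placeholders <operator-password> and <super-password>.
[Sysname] super password level 3 cipher <super-password>
[Sysname] local-user operator
[Sysname-luser-operator] password cipher <operator-password>
[Sysname-luser-operator] service-type ssh
[Sysname-luser-operator] authorization-attribute level 1
[Sysname-luser-operator] quit
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
# Drop any stale interface-level privilege so the level comes from the local user (AAA).
[Sysname-ui-vty0-4] undo user privilege level
[Sysname-ui-vty0-4] quit
[Sysname] quit
# What the operator then does to get level 3: "super 3" prompts for the super password.
<Sysname> super 3
```

    Two separate secrets now stand between a remote attacker and configuration mode, the operator's own password and the super password, and the login itself is attributable to a named account rather than a shared VTY password. Keep the super password out of any shared runbook; the manual notes it is stored as cipher text in the configuration when the cipher keyword is used.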
  • Page 878: Cli Features

    During daily maintenance or when the system is operating abnormally, you need to view each module’s running status to find the problem. Therefore, you are required to execute the corresponding display commands one by one. To collect more information one time, you can execute the display diagnostic-information command in any view to display or save statistics of each module’s running status.
  • Page 879: Online Help With Command Lines

    file for next startup, you need to input st s at least; to enter system view, you need to input sy at least. You can press Tab to complement the command, or you can input the complete command. Online Help with Command Lines The following are the types of online help available with the CLI: Full help Fuzzy help...
  • Page 880: Synchronous Information Output

    Enter a command followed by a character string and a ?. All the keywords starting with this string are listed. <Sysname> display ver? version Press Tab after entering the first several letters of a keyword to display the complete keyword, provided these letters can uniquely identify the keyword in this command.
  • Page 881: Cli Display

    Function Pressing Tab after entering part of a keyword enables the fuzzy help function. If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line; when there are several matches, if you repeatedly press Tab, all the keywords starting with the letter that you enter are displayed in cycles.
  • Page 882 Character / Meaning / Remarks. string$: ending sign; string appears only at the end of a line. For example, the regular expression "user$" matches only a string ending with "user", not "userA". . (full stop): a wildcard used in place of any single character. For example, ".l" can match "vlan" or "mpls".
  • Page 883 Character / Meaning / Remarks. \<string: used to match a character string starting with string. For example, "\<do" can match the word "domain" or the string "doa". string\>: used to match a character string ending with string. For example, "do\>" can match the word "undo" or the string "abcdo". Used to match character1character2...
  • Page 884: Saving History Commands

    Table 9-6 Display functions: Action / Function. Press Space when information display pauses: continues to display information of the next screen page. Press Enter when information display pauses: continues to display information of the next line. Press Ctrl+C when information display pauses: stops the display and the command execution.
  • Page 885: Command Line Error Information

    Command Line Error Information The commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 9-7 lists some common errors. Table 9-7 Common command line errors Error information Cause The command was not found. The keyword was not found.
  • Page 886: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Device Management Overview Device Management Configuration Task List Configuring the Exception Handling Method Rebooting a Device Configuring the Scheduled Automatic Execution Function Upgrading Device Software Disabling Boot ROM Access Configuring a Detection Interval Clearing the 16-bit Interface Indexes Not Used in the Current System...
  • Page 887: Rebooting A Device

    maintain: The system maintains the current situation, and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting it. Sometimes it is difficult for the system to recover, or some prompts that are printed during the failure are lost after the reboot.
  • Page 888: Configuring The Scheduled Automatic Execution Function

    Use the save command to save the current configuration before you reboot the device to avoid configuration loss. (For details of the save command, refer to File System Management Configuration in the System Volume.) Use the display startup command and the display boot-loader command to verify the configuration file and the startup file to be used at the next system startup before you reboot the device.
  • Page 889: Upgrading Device Software

    After the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug. The system does not require any interactive information when it is executing the specified command.
  • Page 890: Upgrading The Boot Rom Program Through Command Lines

    The Boot ROM program and system boot file can both be upgraded through the Boot ROM menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the Boot ROM menu, refer to the installation menu of your device.
  • Page 891: Disabling Boot Rom Access

    When multiple Boot ROM files are available on the storage media, you can specify a file for the next device boot by executing the following command. A main boot file is used to boot a device and a backup boot file is used to boot a device only when a main boot file is unavailable. Follow the step below to upgrade the boot file: To do…...
  • Page 892: Clearing The 16-Bit Interface Indexes Not Used In The Current System

    To do… / Use the command… / Remarks. Enter system view: system-view. Configure a detection interval: shutdown-interval time (optional; the detection interval is 30 seconds by default). Clearing the 16-bit Interface Indexes Not Used in the Current System In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index.
  • Page 893: Identifying Pluggable Transceivers

    Table 10-1 Commonly used pluggable transceivers: Transceiver type / Application environment / Whether it can be an optical transceiver / Whether it can be an electrical transceiver. SFP (Small Form-factor Pluggable): generally used for 100M/1000M Ethernet interfaces or 155M/622M/2.5G POS interfaces. SFP+ (Enhanced 8.5 and 10 Gigabit Small Form-factor Pluggable): generally used for 10G Ethernet...
  • Page 894: Displaying And Maintaining Device Management Configuration

    Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by H3C also support the digital diagnosis function, which monitors the key parameters of a transceiver, such as temperature, voltage, laser bias current, TX power, and RX power.
  • Page 895: Device Management Configuration Examples

    To do… / Use the command… / Remarks. Display detailed configurations of the scheduled automatic execution function: display schedule job (available in any view). Display the exception handling methods: display system-failure (available in any view). Device Management Configuration Examples Remote Scheduled Automatic Upgrade Configuration Example (Centralized Device) Network requirement As shown in Figure...
  • Page 896: Remote Scheduled Automatic Upgrade Configuration Example (Centralized Irf Device)

    Use a text editor on the FTP server to edit the batch file auto-update.txt. The following is the content of the batch file:
    return
    startup saved-configuration new-config.cfg
    boot-loader file soft-version2.bin main
    reboot
    Configuration on Device
    # Log in to the FTP server (note that the prompt may vary with servers.)
    <Device>...
  • Page 897 Obtain the boot file and configuration file through legitimate channels, such as the official website of 3COM, agents, and technical staff. Save these files under the working path of the TFTP server for the access of the TFTP clients.
  • Page 898 Please wait ... Setting the master board ... Done! Setting the slave board ... Slot 2: Set next configuration file successfully
    # Specify file soft-version2.bin as the boot file for the next boot for all members.
    <IRF> boot-loader file soft-version2.bin slot all main
    This command will set the boot file of the specified board.
  • Page 899: File System Management

    File System Management Configuration When configuring file system management, go to these sections for information you are interested in: File System Management Configuration File Management Displaying and Maintaining Device Configuration File System Management This section covers these topics: File System Overview Filename Formats Directory Operations File Operations...
  • Page 900: Directory Operations

    Format / Description / Length / Example. path/file-name: specifies a file in the specified folder under the current working directory; path represents the folder name, and you can specify multiple ... (1 to 135 characters). Example: test/a.txt indicates that a file named a.txt is in the test folder under the current working directory.
  • Page 901: File Operations

    Changing the current working directory: cd { directory | .. | / } (required; available in user view). Creating a directory: mkdir directory (required; available in user view). Removing a directory...
  • Page 902 Displaying file information: dir [ /all ] [ file-url ] (required; available in user view). Displaying the contents of a file (required; currently only a .txt file can be displayed)...
  • Page 903: Batch Operations

    The files in the recycle bin still occupy storage space. To delete a file from the recycle bin, execute the reset recycle-bin command in the directory to which the file originally belongs. It is recommended that you empty the recycle bin promptly with the reset recycle-bin command to save storage space.
  • Page 904: Storage Medium Operations

    Execution of a batch file does not guarantee that every command in the batch file executes successfully. If a command contains incorrect settings or the conditions for executing it are not satisfied, the system skips that command and proceeds to the next one. Storage Medium Operations Managing space of the storage medium When some space of a storage medium becomes inaccessible due to abnormal operations for...
  • Page 905: Configuration File Management

    File System Operations Example # Display the files and the subdirectories under the current directory. <Sysname> dir Directory of flash:/ -rw- 10197108 Jul 17 2007 18:30:04 4210G.bin -rw- 478164 Apr 26 2007 14:40:07 4210G_505.btm -rw- 1586 Aug 24 2007 12:00:03 startup.cfg...
  • Page 906: Configuration File Overview

    Saving the Current Configuration Setting Configuration Rollback Specifying a Startup Configuration File for the Next System Startup Backing Up the Startup Configuration File Deleting the Startup Configuration File for the Next Startup Restoring the Startup Configuration File Displaying and Maintaining Device Configuration Configuration File Overview A configuration file saves the device configurations in command lines in text format.
  • Page 907: Saving The Current Configuration

    At any moment, there is at most one main startup configuration file and one backup startup configuration file. You can specify neither of the two files (displayed as NULL), or specify the two files as the same configuration file. You can specify the main and backup startup configuration files for the next boot of the device in the following two ways: Specify them when saving the current configuration.
  • Page 908 Enter system view: system-view. Enable configuration file slave auto-update: slave auto-update config (Optional; enabled by default). Modes in saving the configuration: Fast saving mode. This is the mode used when you use the save command without the safely keyword. This mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process.
  • Page 909: Setting Configuration Rollback

    Setting Configuration Rollback Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file, namely, it can be generated by using either the backup function (manually or automatically) or the save command, and even the compatible configuration file of another device.
  • Page 910 Configuration task list. Complete these tasks to configure configuration rollback: Configuring parameters for saving the current running configuration (Required). Saving the current running configuration automatically, or saving the current running configuration manually (Required; use at least one approach). Setting configuration rollback (Required). Configuring parameters for saving the current running configuration...
  • Page 911 The saving and rollback operations are executed only on the master. To make the configuration rollback take effect on the new master after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on both the master and slaves.
  • Page 912 Saving the current running configuration manually Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended that you disable the automatic saving of the current running configuration and save it manually.
  • Page 913: Specifying A Startup Configuration File For The Next System Startup

    Specifying a Startup Configuration File for the Next System Startup A startup configuration file is the configuration file to be used at the next system startup. You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two ways: Use the save command.
  • Page 914: Deleting The Startup Configuration File For The Next Startup

    Before the backup operation, you should: Ensure that the server is reachable, the server is enabled with TFTP service, and the client has permission to read and write. Use the display startup command (in user view) to see whether you have set the startup configuration file, and use the dir command to see whether this file exists.
  • Page 915: Displaying And Maintaining Device Configuration

    Restore the startup configuration file to be used at the next system startup: restore startup-configuration from src-addr src-filename (Required; available in user view). The restore operation restores the main startup configuration file. Before restoring a configuration file, ensure that the server is reachable, that the server is enabled with TFTP service, and that the client has read and write permission.
  • Page 916: Ftp Configuration

    FTP Configuration When configuring FTP, go to these sections for information you are interested in: FTP Overview Configuring the FTP Client Configuring the FTP Server Displaying and Maintaining FTP FTP Overview Introduction to FTP The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 917 Table 12-1 Configuration when the device serves as the FTP client. Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. Remarks: If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP...
  • Page 918: Configuring The Ftp Client

    Configuring the FTP Client Establishing an FTP Connection To access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly; using the open command in FTP client view.
  • Page 919 If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address will take effect instead of the current source interface, and vice versa.
  • Page 920 View the detailed information of the files/directories on the FTP server: dir [ remotefile [ localfile ] ] (Optional). View the names of the files/directories on the FTP server: ls [ remotefile [ localfile ] ] (Optional). Download a file from the FTP server: get remotefile [ localfile ]...
  • Page 921: Ftp Client Configuration Example

    FTP Client Configuration Example Single Device Upgrade Network requirements As shown in Figure 12-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC.
  • Page 922 [ftp] ascii [ftp] put config.cfg back-config.cfg 227 Entering Passive Mode (10,1,1,1,4,2). 125 ASCII mode data connection already open, transfer starting for /config.cfg. 226 Transfer complete. FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye # Specify newest.bin as the main startup file to be used at the next startup. <Sysname>...
  • Page 923 Configuration procedure If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations. # Log in to the server through FTP.
  • Page 924: Configuring The Ftp Server

    <Sysname> reboot The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.
  • Page 925: Configuring Authentication And Authorization On The Ftp Server

    Manually release the FTP connection established with the specified username: free ftp user username (Optional; available in user view). Configuring Authentication and Authorization on the FTP Server To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account.
  • Page 926: Ftp Server Configuration Example

    more information about local-user, password, service-type ftp, authorization-attribute commands, refer to AAA Command in the Security Volume. When the device serves as the FTP server, if the client is to perform the write operations (upload, delete, create, and delete for example) on the device’s file system, the FTP login users must be level 3 users;...
  • Page 927 # Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded. <Sysname> dir Directory of flash:/ -rw- 10471471 Sep 18 2008 02:45:15 4210G-d501.bin -rw- 9989823 Jul 14 2008 19:30:46 4210G_b57.bin -rw-...
  • Page 928 <Sysname> boot-loader file newest.bin main # Reboot the device and the startup file is updated at the system reboot. <Sysname> reboot The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium.
  • Page 929 # Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded. <Sysname> dir Directory of flash:/ -rw- 10471471 Sep 18 2008 02:45:15 4210G-d501.bin -rw- 9989823 Jul 14 2008 19:30:46 4210G_b57.bin -rw-...
  • Page 930: Displaying And Maintaining Ftp

    You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium. After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
  • Page 931: Tftp Configuration

    TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: TFTP Overview Configuring the TFTP Client Displaying and Maintaining the TFTP Client TFTP Client Configuration Example TFTP Overview Introduction to TFTP The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP, but it is less complex than FTP in interactive access interface and authentication.
  • Page 932: Configuring The Tftp Client

    When the device serves as the TFTP client, you need to perform the following configuration: Table 13-1 Configuration when the device serves as the TFTP client Device Configuration Remarks Configure the IP address and routing function, and ensure that the route between the device and the TFTP server is available.
  • Page 933: Displaying And Maintaining The Tftp Client

    Follow these steps to configure the TFTP client: Enter system view: system-view. Control the access to the TFTP servers from the device through ACL: tftp-server [ ipv6 ] acl acl-number (Optional; by default, the access to the TFTP servers from the device...
  • Page 934: Tftp Client Configuration Example

    TFTP Client Configuration Example Single Device Upgrade Network requirements As shown in Figure 13-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC.
  • Page 935 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. IRF System Upgrade Network requirements As shown in...
  • Page 936 Download application file newest.bin from PC to the root directory of the storage medium on the master. <Sysname> tftp 1.2.1.1 get newest.bin Download application file newest.bin from PC to the root directory of the storage medium on a slave (with the member ID 2). <Sysname>...
  • Page 937: Http Configuration

    HTTP Configuration When configuring HTTP, go to these sections for information you are interested in: HTTP Overview Enabling the HTTP Service HTTP Configuration Associating the HTTP Service with an ACL Displaying and Maintaining HTTP HTTP Overview The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
  • Page 938: Configuring The Port Number Of The Http Service

    Follow these steps to enable the HTTP service: Enter system view: system-view. Enable the HTTP service: ip http enable (Required). Configuring the Port Number of the HTTP Service Changing the port number of the HTTP service can reduce attacks on the HTTP service from unauthorized users.
  • Page 939: Https Configuration

    HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: HTTPS Overview HTTPS Configuration Task List Associating the HTTPS Service with an SSL Server Policy Enabling the HTTPS Service Associating the HTTPS Service with a Certificate Attribute Access Control Policy Configuring the Port Number of the HTTPS Service Associating the HTTPS Service with an ACL Displaying and Maintaining HTTPS...
  • Page 940: Associating The Https Service With An Ssl Server Policy

    Configuration tasks: Configuring the Port Number of the HTTPS Service (Optional). Associating the HTTPS Service with an ACL (Optional). Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.
  • Page 941: Associating The Https Service With A Certificate Attribute Access Control Policy

    After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally.
  • Page 942: Associating The Https Service With An Acl

    Enter system view: system-view. Configure the port number of the HTTPS service: ip https port port-number (Optional; by default, the port number of the HTTPS service is 443). If you execute the ip https port command multiple times, the last configured port number is used. Associating the HTTPS Service with an ACL Associating the HTTPS service with an ACL filters out requests from some clients so that only clients that pass the ACL filtering are allowed access.
  • Page 943 Figure 15-1 Network diagram for HTTPS configuration Configuration procedure Perform the following configurations on Device: Apply for a certificate for Device # Configure a PKI entity. <Device> system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] fqdn ssl.security.com [Device-pki-entity-en] quit # Configure a PKI domain.
  • Page 944 # Configure certificate access control policy myacp and create a control rule. [Device] pki certificate access-control-policy myacp [Device-pki-cert-acp-myacp] rule 1 permit mygroup1 [Device-pki-cert-acp-myacp] quit Reference an SSL server policy # Associate the HTTPS service with the SSL server policy myssl. [Device] ip https ssl-server-policy myssl Associate the HTTPS service with a certificate attribute access control policy # Associate the HTTPS service with certificate attribute access control policy myacp.
  • Page 945: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview SNMP Configuration Configuring SNMP Logging SNMP Trap Configuration Displaying and Maintaining SNMP SNMP Configuration Example SNMP Logging Configuration Example SNMP Overview Simple Network Management Protocol (SNMP) offers a framework to monitor network devices through TCP/IP protocol suite.
  • Page 946: Snmp Protocol Version

    SNMP Protocol Version Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c. SNMPv1 uses a community name for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community names do not pass authentication on the device are simply discarded.
  • Page 947 Configure SNMP agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v2c | v3 }* } }. The defaults are as follows: 3Com Corporation. for contact, Marlborough, MA 01752 USA for location, and SNMP v3 for the version.
  • Page 948 Configure SNMP agent system information: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. The defaults are as follows: 3Com Corporation. for contact, Marlborough, MA 01752 USA for location, and SNMP v3 for the version.
  • Page 949: Configuring Snmp Logging

    Create or update MIB view content for an SNMP agent: snmp-agent mib-view { excluded | included } view-name oid-tree [ mask mask-value ] (Optional; ViewDefault by default). The validity of a USM user depends on the engine ID of the SNMP agent. If the engine ID at the time the USM user is created is not identical to the current engine ID, the USM user is invalid.
  • Page 950: Snmp Trap Configuration

    Logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes; otherwise, the exceeded part will not be output.
  • Page 951: Configuring Trap Parameters

    To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.
  • Page 952: Displaying And Maintaining Snmp

    Configure the holding time of the traps in the queue: snmp-agent trap life seconds (Optional; 120 seconds by default). An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) appended with interface description and interface type information. If the extended messages are not supported on the NMS, disable this function to let the device send standard linkUp/linkDown traps.
  • Page 953: Snmp Configuration Example

    SNMP Configuration Example Network requirements The NMS connects to the agent, a switch, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the switch is 1.1.1.1/24. The NMS monitors and manages the agent using SNMPv2c. The agent reports errors or faults to the NMS.
  • Page 954: Snmp Logging Configuration Example

    With SNMPv2c, the user needs to specify the read only community, the read and write community, the timeout time, and number of retries. The user can inquire and configure the device through the NMS. The configurations on the agent and the NMS must match. SNMP Logging Configuration Example Network requirements The NMS and the agent are connected through an Ethernet...
  • Page 955 # Enable SNMP logging on the agent to log the GET and SET operations of the NMS. [Sysname] snmp-agent log get-operation [Sysname] snmp-agent log set-operation The following log information is displayed on the terminal when the NMS performs the GET operation to the agent.
  • Page 956: Mib Style Configuration

    MIB style, the device sysOID is under 3Com's enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the 3Com new MIB style, both the device sysOID and the private MIB are under 3Com's enterprise ID 25506. These two styles of MIBs implement the same management function except for their root nodes.
  • Page 957: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: RMON Overview Configuring RMON Displaying and Maintaining RMON RMON Configuration Example RMON Overview This section covers these topics: Introduction RMON Groups Introduction Remote Monitoring (RMON) is implemented based on the Simple Network Management Protocol (SNMP) and is fully compatible with the existing SNMP framework without the need of any modification on SNMP.
  • Page 958: Rmon Groups

    Among the ten RMON groups defined by RMON specifications (RFC 1757), the device supports the event group, alarm group, history group and statistics group. Besides, 3Com also defines and implements the private alarm group, which enhances the functions of the alarm group. This section describes the five kinds of groups in general.
  • Page 959: Configuring Rmon

    If the sampled value crosses the same threshold multiple times in succession, only the first crossing causes an alarm event. That is, rising alarms and falling alarms alternate. History group The history group periodically collects statistics on data at interfaces and saves the statistics in the history record table for query convenience.
  • Page 960 Create an entry in the alarm table: rmon alarm entry-number alarm-variable sampling-interval { absolute | delta } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] (Optional). Create an entry in the private alarm table: rmon prialarm entry-number prialarm-formula prialarm-des sampling-interval { absolute | changeratio | delta } rising-threshold threshold-value1 (Optional)...
  • Page 961: Displaying And Maintaining Rmon

    Displaying and Maintaining RMON Display RMON statistics: display rmon statistics [ interface-type interface-number ] (Available in any view). Display the RMON history control entry and history sampling information: display rmon history [ interface-type interface-number ] (Available in any view). Display RMON alarm...: display rmon alarm...
  • Page 962 etherStatsBroadcastPkts : 56 , etherStatsMulticastPkts : 34 etherStatsUndersizePkts : 0 , etherStatsOversizePkts : 0 etherStatsFragments , etherStatsJabbers etherStatsCRCAlignErrors : 0 , etherStatsCollisions etherStatsDropEvents (insufficient resources): 0 Packets received according to length: : 235 , 65-127 : 67 , 128-255 : 4 256-511: 1 , 512-1023: 0 , 1024-1518: 0...
  • Page 963: Mac Address Table Management Configuration

    MAC Address Table Management Configuration When configuring MAC address table management, go to these sections for information you are interested in: Introduction to MAC Address Table Configuring MAC Address Table Management MAC Address Table Management Configuration Example MAC Information Configuration MAC Information Configuration Example Interfaces that MAC address table management involves can only be Layer 2 Ethernet ports.
  • Page 964: Types Of Mac Address Table Entries

    If no entry is found, add an entry for the MAC address to indicate from which port the frame is received. When receiving a frame destined for MAC-SOURCE, the device then looks up the MAC address table and forwards it from Port 1. To adapt to network changes, MAC address table entries need to be constantly updated.
  • Page 965: Configuring Mac Address Table Management

    Figure 19-1 Forward frames using the MAC address table Configuring MAC Address Table Management The MAC address table management configuration tasks include: Configuring MAC Address Table Entries Disabling MAC Address Learning on a VLAN Configuring the Aging Timer for Dynamic MAC Address Entries Configuring the MAC Learning Limit These configuration tasks are all optional and can be performed in any order.
  • Page 966: Configuring The Aging Timer For Dynamic Mac Address Entries

    Follow these steps to disable MAC address learning on a VLAN: Enter system view: system-view. Enter VLAN view: vlan vlan-id. Disable MAC address learning on the VLAN: mac-address mac-learning disable (Required; enabled by default). Once MAC learning is disabled in a VLAN, all MAC address entries learned in the VLAN are removed.
  • Page 967: Displaying And Maintaining Mac Address Table Management

    Enter Ethernet interface view: interface interface-type interface-number (Required; use any of these three commands. The configuration you make in Ethernet interface view takes effect on the current port only; the configuration you ...). Enter port group view: port-group manual...
  • Page 968 000f-e235-dc71 Config static GigabitEthernet 1/0/1 NOAGED --- 1 mac address(es) found ---
  • Page 969: Mac Information Configuration

    MAC Information Configuration When configuring MAC Information, go to these sections for information you are interested in: Overview Configuring MAC Information MAC Information Configuration Example Overview Introduction to MAC Information To monitor a network, you need to monitor users joining and leaving the network. Because a MAC address uniquely identifies a network user, you can monitor users joining and leaving a network by monitoring their MAC addresses.
  • Page 970: Enabling Mac Information On An Interface

    Enabling MAC Information on an Interface Follow these steps to enable MAC Information on an interface: Enter system view: system-view. Enter interface view: interface interface-type interface-number. Enable MAC Information on the interface: mac-address information enable { added | deleted } (Required; disabled by default)...
  • Page 971 Enter system view: system-view. Configure the MAC Information queue length: mac-address information queue-length value (Optional; 50 by default). Setting the MAC Information queue length to 0 indicates that the device sends a Syslog or Trap message to the network management device as soon as a new MAC address is learned or an existing MAC address is deleted.
  • Page 972 [Device] mac-address information mode syslog # Enable MAC Information on GigabitEthernet 1/0/1 [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] mac-address information enable added [Device-GigabitEthernet1/0/1] mac-address information enable deleted [Device-GigabitEthernet1/0/1] quit # Set the MAC Information queue length to 100. [Device] mac-address information queue-length 100 # Set the interval for sending Syslog or Trap messages to 20 seconds.
  • Page 973: System Maintenance And Debugging

    System Maintenance and Debugging When maintaining and debugging the system, go to these sections for information you are interested in: System Maintenance and Debugging Ping Tracert System Debugging Ping and Tracert Configuration Example System Maintenance and Debugging You can use the ping command and the tracert command to verify the current network connectivity, and use the debug command to enable debugging and thus diagnose system faults based on the debugging information.
  • Page 974: Ping Configuration Example

    For a low-speed network, it is recommended that you set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command. Only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument. Ping Configuration Example Network requirements...
  • Page 975 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms Record Route: 1.1.2.1 1.1.2.2...
  • Page 976: Configuring Tracert

    Upon receiving the reply, the source device adds the IP address (1.1.1.1) of its inbound interface to the RR option. Finally, you can get the detailed information of routes from Device A to Device C: 1.1.1.1 <-> {1.1.1.2; 1.1.2.1} <-> 1.1.2.2. Tracert Introduction By using the tracert command, you can trace the Layer 3 devices involved in delivering an IP packet...
  • Page 977: System Debugging

    Enable sending of ICMP timeout packets: ip ttl-expires enable (Required; disabled by default). Enable sending of ICMP destination unreachable packets: ip unreachables enable (Required; disabled by default). tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -vpn-instance ... (Required; use either approach)...
  • Page 978: Ping And Tracert Configuration Example

    Configuring System Debugging Output of the debugging information may reduce system efficiency. The debugging commands are usually used by administrators in diagnosing network failure. After completing the debugging, disable the corresponding debugging function, or use the undo debugging all command to disable all the debugging functions.
  • Page 979 Figure 21-4 Ping and tracert network diagram Configuration procedure # Use the ping command to display whether an available route exists between Device A and Device C. <DeviceA> ping 1.1.2.2 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out...
  • Page 980: Information Center Configuration

    Information Center Configuration When configuring information center, go to these sections for information you are interested in: Information Center Configuration Configuring Information Center Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information, offering a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 981 Eight levels of system information The information is classified into eight levels by severity. The severity levels in the descending order are emergency, alert, critical, error, warning, notice, informational and debug. When the system information is output by level, the information with severity level higher than or equal to the specified level is output.
  • Page 982 Information channel number / Default channel name / Default output destination: logbuffer: Log buffer (receives log and debugging information; a buffer inside the router for recording information). snmpagent: SNMP module (receives trap information). channel6: Not specified (receives log, trap, and debugging information). channel7: Not specified (receives log, trap, and debugging information).
  • Page 983: System Information Format

    Table 22-3 Default output rules for different output destinations (columns: output destination; modules allowed; LOG enabled/disabled and severity; TRAP enabled/disabled and severity; DEBUG enabled/disabled and severity). Console: default (all modules); LOG enabled, Warning; TRAP enabled, Debug; DEBUG enabled, Debug. Monitor: default (all modules); LOG enabled, Warning; TRAP enabled, Debug; DEBUG enabled, Debug...
  • Page 984 What follows is a detailed explanation of the fields involved:
    Int_16 (priority): the priority is calculated as facility*8+severity, where facility is the logging facility name, which you can configure when you set the log host parameters. The facility ranges from local0 to local7 (16 to 23 in decimal) and defaults to local7.
  • Page 985: Configuring Information Center

    If the timestamp starts with a %, the information is log information.
    If the timestamp starts with a #, the information is trap information.
    If the timestamp starts with a *, the information is debugging information.
    source: This field indicates the source of the information, such as the IRF member ID or the source IP address of the log sender.
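    The priority field on page 984 and the timestamp prefixes above, as an added example that is not code from the manual: a Python parser that inverts facility*8+severity, classifies a message as log, trap or debug by its %, # or * prefix, and applies the output-by-level rule. The overall message layout, the timestamp shape of the sample line, the standard syslog numbering emergency=0 through debug=7 and every sample value are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Severity names in the manual's descending order; the list index is the
# standard syslog numeric value (emergency=0 ... debug=7), an assumption here.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]
LOCAL0 = 16  # facilities local0..local7 are 16..23; the device defaults to local7
KIND_BY_PREFIX = {"%": "log", "#": "trap", "*": "debug"}  # timestamp prefix

# Assumed layout: <PRI><prefix>timestamp sysname body. The timestamp shape
# "Jun 26 17:08:35:809 2010" is constructed for this example, not from the manual.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<prefix>[%#*])"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:]+ \d{4}) "
    r"(?P<sysname>\S+) (?P<body>.+)$")

@dataclass
class SysInfo:
    facility: str    # e.g. "local4"; the log host's syslog.conf must match it
    severity: str    # e.g. "warning"
    kind: str        # "log", "trap" or "debug"
    timestamp: str
    sysname: str
    body: str

def split_priority(pri):
    """Invert priority = facility*8 + severity into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    if not LOCAL0 <= facility <= LOCAL0 + 7:
        raise ValueError(f"facility {facility} is outside local0..local7")
    return f"local{facility - LOCAL0}", SEVERITIES[severity]

def parse_sysinfo(line):
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a recognised information-center message")
    facility, severity = split_priority(int(m["pri"]))
    return SysInfo(facility, severity, KIND_BY_PREFIX[m["prefix"]],
                   m["ts"], m["sysname"], m["body"])

def passes_level(msg_severity, configured):
    """Output-by-level rule: emit only when the message is at least as severe as
    the configured level (a smaller syslog number means more severe)."""
    return SEVERITIES.index(msg_severity) <= SEVERITIES.index(configured)

# Constructed sample: local4 (20) * 8 + warning (4) = PRI 164; "%" marks a log.
SAMPLE = "<164>%Jun 26 17:08:35:809 2010 Sysname MODULE/4/DIGEST: constructed sample text"
```

    Comparing the parsed facility with the one configured on the device (local4 in the page 993 example) is a quick way to catch the facility mismatch that page 994 warns about.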
  • Page 986: Outputting System Information To A Monitor Terminal

    To do: Configure the output rules of system information
    Use the command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log ...
    Remarks: Optional. Refer to Default output rules of system information.
  • Page 987: Outputting System Information To A Log Host

    To do: Configure the channel through which system information can be output to a monitor terminal
    Use the command: info-center monitor channel { channel-number | channel-name }
    Remarks: Optional. By default, system information is output to the monitor terminal through channel 1 (known as monitor).
  • Page 988: Outputting System Information To The Trap Buffer

    To do: Specify a log host and configure the parameters used when system information is output to a log host
    Use the command: info-center loghost host-ip [ channel { channel-number | channel-name } | facility ...
    Remarks: Required. By default, the system does not output information to a log host. If you specify that system information be output to a log host, the...
  • Page 989: Outputting System Information To The Log Buffer

    To do: Configure the output rules of the system information
    Use the command: info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log ...
    Remarks: Optional. Refer to Default output rules of system information.
  • Page 990: Outputting System Information To The Snmp Module

    Outputting System Information to the SNMP Module
    The SNMP module receives trap information only; it discards log and debugging information even if you have configured them to be output to the SNMP module. To monitor the running status of the device, trap information is usually sent to the SNMP network management station (NMS).
  • Page 991: Disabling A Port From Generating Link Up/Down Logging Information

    Follow these steps to enable synchronous information output:
    To do: Enter system view
    Use the command: system-view
    Remarks: —
    To do: Enable synchronous information output
    Use the command: info-center synchronous
    Remarks: Required. Disabled by default.
    If system information, such as log information, is output before you have typed anything at the current command line prompt, the system does not display the command line prompt again after the system information output.
  • Page 992: Displaying And Maintaining Information Center

    Displaying and Maintaining Information Center
    To do: Display information about information channels
    Use the command: display channel [ channel-number | channel-name ]
    Remarks: Available in any view
    To do: Display the information of each output destination
    Use the command: display info-center
    Remarks: Available in any view
    To do: Display the state of the log buffer
    Use the command: display logbuffer [ reverse ] [ level severity | size buffersize...
  • Page 993
    [Sysname] info-center enable
    # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility.
    [Sysname] info-center loghost 1.2.0.1 channel loghost facility local4
    # Disable the output of log, trap, and debugging information of all modules on channel loghost.
  • Page 994: Outputting Log Information To A Linux Log Host

    Be aware of the following issues while editing the file /etc/syslog.conf:
    Comments must be on a separate line and begin with the # sign.
    No redundant spaces are allowed after the file name.
    The logging facility name and the information level specified in the /etc/syslog.conf file must be identical to those configured on the device using the info-center loghost and info-center source commands;...
  • Page 995
    [Sysname] info-center source default channel loghost debug state off log state off trap state
    Because the default configurations of the different channels differ, you need to first disable the output of log, trap, and debugging information of all modules on the specified channel (loghost in this example) and then configure the output rule as needed, so that unnecessary information is not output.
  • Page 996: Outputting Log Information To The Console

    # syslogd -r &
    Ensure that the syslogd process is started with the -r option on a Linux log host.
    After the above configuration, the system can record log information into the log file.
    Outputting Log Information to the Console
    Network requirements
    Log information with a severity higher than informational will be output to the console;...
  • Page 997
    [Sysname] quit
    # Enable the display of log information on a terminal. (Optional; this function is enabled by default.)
    <Sysname> terminal monitor
    % Current terminal monitor is on
    <Sysname> terminal logging
    % Current terminal logging is on
    After the above configuration takes effect, when the specified module generates log information, the information center automatically sends it to the console, which then displays the information.
  • Page 998: Hotfix Configuration

    Hotfix Configuration
    When configuring hotfix, go to these sections for the information you are interested in:
    Hotfix Overview
    Hotfix Configuration Task List
    Displaying and Maintaining Hotfix
    Hotfix Configuration Examples
    Hotfix Overview
    Hotfix is a fast and cost-effective method of repairing software defects on a device. Compared with the other method, a software version upgrade, hotfix upgrades the software without interrupting the running services of the device; that is, it repairs software defects of the current version without rebooting the device.
  • Page 999 install, and uninstall represent operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for patches in the DEACTIVE state, the patches change to the ACTIVE state.
  • Page 1000 Figure 23-2 Patches are not loaded to the memory patch area
    Currently, the system patch area supports up to 200 patches.
    DEACTIVE state: Patches in the DEACTIVE state have been loaded to the memory patch area but are not yet running in the system.
  • Page 1001: Hotfix Configuration Task List

    Figure 23-4 Patches are activated
    RUNNING state: After you confirm the running of the ACTIVE patches, their state becomes RUNNING, and they remain in the RUNNING state after a system reboot. For the five patches in Figure 23-4, if you confirm the running of the first three patches, their states change from ACTIVE to RUNNING.

This manual is also suitable for: 4210G NT, 4210G PWR
