H3C S5600 Series Operation Manual

H3C S5600 Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20080724-C-1.01
Product Version: Release 1602


Summary of Contents for H3C H3C S5600 Series

  • Page 1 H3C S5600 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 20080724-C-1.01 Product Version: Release 1602...
  • Page 2 Copyright © 2007-2008, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
  • Page 3: Table Of Contents

    About This Manual
    Organization
    H3C S5600 Series Ethernet Switches Operation Manual-Release 1602 is organized as follows:
    Part: Contents
    0 Product Overview: Introduces the characteristics and implementations of the Ethernet switch.
    1 CLI: Introduces the command hierarchy, command view and CLI features of the Ethernet switch.
  • Page 4
    Part: Contents
    16 Routing Protocol: Introduces the routing protocol-related configurations, including static route configuration, RIP configuration, OSPF configuration, BGP configuration, IP routing policy configuration and Route Capacity Configuration.
    17 Multicast: Introduces the configuration of IGMP Snooping, IGMP, PIM-DM, PIM-SM, and MSDP.
  • Page 5
    Part: Contents
    36 FTP-SFTP-TFTP: Introduces basic configuration for FTP, SFTP and TFTP, and the applications.
    37 Information Center: Introduces the configuration to analyze and diagnose networks using the information center.
    38 System Maintenance and Debugging: Introduces daily system maintenance and debugging.
  • Page 6 Caution data loss or damage to equipment. Note Means a complementary description.
    Related Documentation
    In addition to this manual, each H3C S5600 Series Ethernet Switches documentation set includes the following:
    Manual: Description
    H3C S5600 Series Ethernet Switches Command Manual-Release 1602: It is used for assisting the users in using various commands.
  • Page 7 Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: Provides information about products and technologies.
  • Page 8: Product Overview

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 Obtaining the Documentation
    1.1 CD-ROM
    1.2 H3C Website
    1.3 Software Release Notes
    Chapter 2 Correspondence Between Documentation and Software
    2.1 Software Version...
  • Page 9: Chapter 1 Obtaining The Documentation

    Software release notes 1.1 CD-ROM H3C delivers a CD-ROM together with each device. The CD-ROM contains a complete set of electronic documents of the product, including operation manuals and command manuals. After installing the reader program provided by the CD-ROM, you can search for the desired contents in a convenient way through the reader interface.
  • Page 10: Software Release Notes

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 1 Obtaining the Documentation 1.3 Software Release Notes With software upgrade, new software features may be added. You can acquire the information about the newly added software features through software release notes.
  • Page 11: Login

    Chapter 2 Correspondence Between Documentation and Software 2.1 Software Version H3C S5600 Series Ethernet Switches Operation Manual-Release 1602 and H3C S5600 Series Ethernet Switches Command Manual-Release 1602 are for the software version of Release 1602 of the S5600 series products. Compared with Release 1510, many new features are added in Release 1602. For...
  • Page 12 Operation Manual – Product Overview Chapter 2 Correspondence Between Documentation H3C S5600 Series Ethernet Switches and Software Added feature in Release 1602 Manual Management Configuring the MAC address of an Ethernet port STP maintainability 15-MSTP 802.1d-compliant traps Configuration of the Type-7 LSAs converter features in...
  • Page 13 Operation Manual – Product Overview Chapter 2 Correspondence Between Documentation H3C S5600 Series Ethernet Switches and Software Added feature in Release 1602 Manual Proxy ARP Configuration of the TFTP server address and bootfile name for DHCP clients that support auto-configuration...
  • Page 14: Manual List

    Sequence of selecting Web files 35-File System Management Keywords of five commands 22-VRRP 2.2 Manual List Manual name H3C S5600 Series Ethernet Switches Installation Manual H3C S5600 Series Ethernet Switches Operation Manual-Release 1602 H3C S5600 Series Ethernet Switches Command Manual-Release 1602...
  • Page 15: Switch Models

    Chapter 3 Product Overview 3.1 Preface H3C S5600 Series Ethernet Switches (hereinafter referred to as the S5600 series) provide multi-layer switching capabilities, and support rich Layer 3 features and enhanced extended functions. They are intelligent network-manageable switches designed for network environments that require high performance, high port density and easy-to-install characteristics.
  • Page 16: Configuration File Management

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 3 Product Overview Available Power Ports on Combo Console ports on Model supply front panel ports port front panel AC/DC input 48 x 4 x 1000 external 10/100/100 Mbps SFP...
  • Page 17: Gvrp

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 3 Product Overview Part Features GARP VLAN Registration Protocol 7 GVRP (GVRP) Configuring port auto-negotiation rate Limiting traffic on a port Setting broadcast storm suppression 8 Port Basic Configuration...
  • Page 18 Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 3 Product Overview Part Features 802.1X authentication Guest VLAN Quick deployment of EAD 18 802.1x and System Guard Huawei Authentication Bypass Protocol (HABP) System guard Authentication, Authorization, Accounting (AAA)
  • Page 19 Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 3 Product Overview Part Features IRF Fabric 28 IRF Fabric Peer end detection for stack ports Huawei Group Management Protocol (HGMP) v2 29 Cluster Neighbor Discovery Protocol (NDP) Neighbor Topology Discovery Protocol...
  • Page 20 Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 3 Product Overview Part Features 42 DNS IPv4 Domain Name System (DNS) Smart Link 43-Smart Link-Monitor Link Monitor Link Configuring the access IP address pool based 44 Access Management...
  • Page 21: Chapter 4 Networking Applications

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 4 Networking Applications Chapter 4 Networking Applications The S5600 series support flexible networking. They can be used as broadband access devices, as well as networking devices in enterprise networks. The following describes several typical networking methods for the S5600 series.
  • Page 22: Application In Large-Scaled/Campus Networks

    Operation Manual – Product Overview H3C S5600 Series Ethernet Switches Chapter 4 Networking Applications 4.2 Application in Large-Scaled/Campus Networks The S5600 series can also be used as distribution devices in large-scaled enterprise networks and campus networks, where each of them can be connected with multiple Layer 2/3 downstream Ethernet switches (for example, S3600 series switches), and connected to Layer 3 core upstream switches through the GE expansion module slot.
  • Page 23 Operation Manual – CLI H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 CLI Configuration
    1.1 Introduction to the CLI
    1.2 Command Hierarchy
    1.2.1 Command Level and User Privilege Level
    1.2.2 Modifying the Command Level...
  • Page 24: Introduction To The Cli

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Chapter 1 CLI Configuration When configuring CLI, go to these sections for information you are interested in: Introduction to the CLI Command Hierarchy CLI Views CLI Features...
  • Page 25: Command Hierarchy

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Partial matching of commands: The system uses a partial matching method to search for commands. This allows users to execute a command by entering partially-spelled command keywords as long as the keywords entered can be uniquely identified by the system.
  • Page 26: Modifying The Command Level

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Note: If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.
  • Page 27: Switching User Level

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration
    [Sysname] command-privilege level view shell tftp 192.168.0.1 bootrom.btm
    After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.
  • Page 28 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration To do… Use the command… Remarks super Super password authentication-mode authentication super-password super HWTACACS authentication-mode authentication scheme Optional Super password Specify the By default, authentication authenticat super...
  • Page 29 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Follow these steps to set a password for user level switching: To do… Use the command… Remarks Enter system view system-view — Required Set the super super password [ level...
  • Page 30 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration IV. Switching to a specific user level Follow these steps to switch to a specific user level: To do… Use the command… Remarks Required Switch to a specified...
  • Page 31: Cli Views

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration # Configure a HWTACACS authentication scheme named acs, and specify the user name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.
  • Page 32 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Available Prompt Quit View Enter method operation example method Execute the Execute the quit or Configure system-view return System view system [Sysname] command in command to parameters user view.
  • Page 33 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Available Prompt Quit View Enter method operation example method Execute the Configure user User interface [Sysname-ui-a user-interface interface view ux0] command in parameters system view. Configure FTP...
  • Page 34 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Available Prompt Quit View Enter method operation example method Execute the pim command in system view. If multicast routing is not Configure PIM [Sysname-pim PIM view enabled, you...
  • Page 35 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Available Prompt Quit View Enter method operation example method Execute the Execute the Routing policy Configure [Sysname-rou route-policy quit view routing policy te-policy] command in command to system view.
  • Page 36: Cli Features

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Available Prompt Quit View Enter method operation example method Execute the Configure [Sysname-ms msdp MSDP view MSDP command in parameters system view. Execute the Configure PoE [Sysname-po...
  • Page 37 Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration I. Complete online help Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.
  • Page 38: Command History

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal.
  • Page 39: Error Prompts

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration Purpose Operation Remarks Display the latest Execute the display This command displays executed history history-command the command history. commands command This operation recalls the Recall the previous...
  • Page 40: Command Edit

    Operation Manual – CLI H3C S5600 Series Ethernet Switches Chapter 1 CLI Configuration 1.4.5 Command Edit The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 254. Table 1-4 lists the CLI edit operations.
  • Page 41 Operation Manual – Login H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 Logging In to an Ethernet Switch
    1.1 Logging In to an Ethernet Switch
    1.2 Introduction to the User Interface
    1.2.1 Supported User Interfaces...
  • Page 42 Operation Manual – Login H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 4 Logging In Using a Modem
    4.1 Introduction
    4.2 Configuration on the Switch Side
    4.2.1 Modem Configuration
    4.2.2 Switch Configuration
    4.3 Modem Connection Establishment...
  • Page 43: Logging In To An Ethernet Switch

    1.2.1 Supported User Interfaces Note: The auxiliary (AUX) port and the console port of an H3C low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 44: User Interface Index

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 1 Logging In to an Ethernet Switch AUX user interface: A view when you log in through the AUX port. AUX port is a line device port. Virtual type terminal (VTY) user interface: A view when you log in through VTY.
  • Page 45 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 1 Logging In to an Ethernet Switch
    To do…: Lock the current user interface
    Use the command…: lock
    Remarks: Optional. Available in user view. A user interface is not locked by default.
  • Page 46: Logging In Through The Console Port

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port Chapter 2 Logging In Through the Console Port Go to these sections for information you are interested in: Introduction Logging In Through the Console Port...
  • Page 47 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port Figure 2-1 Diagram for connecting to the console port of a switch If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows...
  • Page 48 Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
  • Page 49: Console Port Login Configuration

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port 2.3 Console Port Login Configuration 2.3.1 Common Configuration Table 2-2 Common configuration of console port login Configuration Remarks Optional Baud rate The default baud rate is 9,600 bps.
  • Page 50: Console Port Login Configurations For Different Authentication Modes

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port Caution: The change to console port configuration takes effect immediately, so the connection may be disconnected when you log in through a console port and then configure this console port.
  • Page 51: Console Port Login Configuration With Authentication Mode Being None

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port Authentication Console port login configuration Remarks mode Specify to Optional AAA configuration perform local specifies whether to Local authentication authenticatio perform local is performed by...
  • Page 52 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Required By default, users logging in Configure not to authentication-mode through the console port (AUX authenticate users...
  • Page 53: Configuration Example

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Optional The default timeout time of a user interface is 10 minutes. With the timeout time being 10...
  • Page 54: Console Port Login Configuration With Authentication Mode Being Password

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port
    III. Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter AUX user interface view.
    [Sysname] user-interface aux 0
    # Specify not to authenticate users logging in through the console port.
  • Page 55 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Required Configure to By default, users logging in to a authenticate users authentication-mod switch through the console port...
  • Page 56 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Optional The default timeout time of a user interface is 10 minutes. With the timeout time being 10...
  • Page 57 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port
    III. Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter AUX user interface view.
    [Sysname] user-interface aux 0
    # Specify to authenticate users logging in through the console port using the local password.
  • Page 58: Console Port Login Configuration With Authentication Mode Being Scheme

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port 2.6 Console Port Login Configuration with Authentication Mode Being Scheme 2.6.1 Configuration Procedure Follow these steps to configure console port login with the authentication mode being scheme: To do…...
  • Page 59 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Required The specified AAA scheme determines whether to authentication-mode authenticate users locally or Configure to authenticate remotely.
  • Page 60 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port To do… Use the command… Remarks Optional The default history Set history command history-command command buffer size is 10. buffer size max-size value...
  • Page 61 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port
    II. Network diagram
    GE1/0/1 Ethernet PC used to configure the switch, running Telnet
    Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme)
    III. Configuration procedure
    # Enter system view.
  • Page 62 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 2 Logging In Through the Console Port
    [Sysname-ui-aux0] idle-timeout 6
    After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
  • Page 63: Chapter 3 Logging In Through Telnet

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet Chapter 3 Logging In Through Telnet Go to these sections for information you are interested in: Introduction Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password 3.1 Introduction...
  • Page 64: Telnet Configurations For Different Authentication Modes

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet 3.1.1 Common Configuration Table 3-2 Common Telnet configuration Configuration Description Optional Configure the command level available to users By default, commands of level 0 are...
  • Page 65 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet Authentication Telnet configuration Description mode Specify to AAA configuration Optional perform local specifies whether Local authentication is authentication to perform local performed by default. or remote...
  • Page 66: Telnet Configuration With Authentication Mode Being None

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet 3.2 Telnet Configuration with Authentication Mode Being None 3.2.1 Configuration Procedure Follow these steps to configure Telnet with the authentication mode being none: To do…...
  • Page 67 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet To do… Use the command… Remarks Optional The default history Set the history command history-command command buffer size is 10. buffer size max-size value That is, a history command buffer can store up to 10 commands by default.
  • Page 68: Telnet Configuration With Authentication Mode Being Password

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet
    III. Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging in to VTY 0.
  • Page 69 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet To do… Use the command… Remarks Configure the Optional command level user privilege level By default, commands of level available to users level 0 are available to users logging logging in to the user in to VTY user interface.
  • Page 70 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet 3.3.2 Configuration Example I. Network requirements Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
  • Page 71: Telnet Configuration With Authentication Mode Being Scheme

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet
    [Sysname-ui-vty0] history-command max-size 20
    # Set the timeout time to 6 minutes.
    [Sysname-ui-vty0] idle-timeout 6
    3.4 Telnet Configuration with Authentication Mode Being Scheme
    3.4.1 Configuration Procedure
    Follow these steps to configure Telnet with the authentication mode being scheme: To do…...
  • Page 72 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet To do… Use the command… Remarks Required The specified AAA scheme Configure to authentication-mode determines whether to authenticate users scheme [ command- authenticate users locally or...
  • Page 73 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet Note that if you configure to authenticate the users in the scheme mode, the command level available to the users logging in to the switch depends on the user privilege level...
  • Page 74 Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet Scenario Command Authenticati level User type Command on mode The user privilege level level command is not executed, and the service-type command does Level 0 not specify the available command level.
  • Page 75: Telnetting To A Switch

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet
    II. Network diagram
    Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)
    III. Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
  • Page 76 XP) on the PC terminal, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
  • Page 77 VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
  • Page 78: Telnetting To Another Switch From The Current Switch

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 3 Logging In Through Telnet Note: A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password.
  • Page 79: Configuration On The Switch Side

    Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System Chapter 4 Logging In Using a Modem Go to these sections for information you are interested in: Introduction Configuration on the Switch Side Modem Connection Establishment 4.1 Introduction...
  • Page 80: Switch Configuration

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 5 Logging In Through the Web-based Network Management System
    AT&K0      Disable flow control
    AT&R1      Ignore RTS signal
    AT&S0      Set DSR to high level by force
    ATEQ1&W    Disable the Modem from returning command response and the result, save the changes
    You can verify your configuration by executing the AT&V command.
  • Page 81: Modem Connection Establishment

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 5 Logging In Through the Web-based Network Management System 4.3 Modem Connection Establishment Before using a modem to log in to the switch, perform the corresponding configuration for different authentication modes on the switch. Refer to...
  • Page 82 Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System Figure 4-2 Create a connection Figure 4-3 Set the telephone number Figure 4-4 Call the modem...
  • Page 83 Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears.
  • Page 84: Establishing An Http Connection

    Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System Chapter 5 Logging In Through the Web-based Network Management System Go to these sections for information you are interested in: Introduction...
  • Page 85: Configuring The Login Banner

    Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System Configure the user name and the password on the switch for the Web network management user to log in. # Create a Web user account, setting both the user name and the password to admin and the user level to 3.
  • Page 86 Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System enter the user login authentication page, and enter the main page of the Web-based network management system after passing the authentication. If no login banner is configured by the header command, a user logging in through Web directly enters the user login authentication page.
  • Page 87: Enabling/Disabling The Web Server

    Operation Manual – Login Chapter 5 Logging In Through the Web-based H3C S5600 Series Ethernet Switches Network Management System Figure 5-4 Banner page displayed when a user logs in to the switch through Web Click <Continue> to enter user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds.
  • Page 88: Connection Establishment Using Nms

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 6 Logging In Through NMS Chapter 6 Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS 6.1 Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch.
  • Page 89: Configuring Source Ip Address For Telnet Service Packets

    Operation Manual – Login Chapter 7 Configuring Source IP Address for Telnet H3C S5600 Series Ethernet Switches Service Packets Chapter 7 Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview...
  • Page 90: Displaying Source Ip Address Configuration

    Operation Manual – Login Chapter 7 Configuring Source IP Address for Telnet H3C S5600 Series Ethernet Switches Service Packets To do… Use the command… Remarks telnet { hostname | ip-address } [ service-port ] Specify a source { source-ip ip-address | source-interface...
  • Page 91: Chapter 8 User Control

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 8 User Control Chapter 8 User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Note: Refer to the ACL part for information about ACL.
  • Page 92: Controlling Telnet Users

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 8 User Control 8.2 Controlling Telnet Users 8.2.1 Prerequisites The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying).
  • Page 93: Controlling Telnet Users By Source Mac Addresses

    Operation Manual – Login H3C S5600 Series Ethernet Switches Chapter 8 User Control To do… Use the command… Remarks Enter system view system-view — As for the acl number Create an advanced acl number acl-number command, the config ACL or enter...
  • Page 94: Controlling Network Management Users By Source Ip Addresses

    To do…: Apply the ACL to control Telnet users by specified source MAC
    Use the command…: acl acl-number inbound
    Remarks: Required. By default, no ACL is applied for Telnet users.
  • Page 95 You need to perform the following two operations to control network management users by source IP addresses: defining an ACL, and applying the ACL to control users accessing the switch through SNMP. 8.3.1 Prerequisites...
  • Page 96 To do…: Apply the ACL while configuring the SNMP community
    Use the command…: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*...
  • Page 97: Controlling Web Users By Source Ip Address

    III. Configuration procedure
    # Define a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 to access the switch.
  • Page 98: Disconnecting A Web User By Force

    To do…: Apply the ACL to control Web users
    Use the command…: ip http acl acl-number
    Remarks: Optional. By default, no ACL is applied for Web users.
  • Page 99 # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch.
    [Sysname] ip http acl 2030...
  • Page 100 Operation Manual – Configuration File Management H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Configuration File Management; 1.1 Introduction to Configuration File; 1.2 Configuration Task List; 1.2.1 Saving the Current Configuration; 1.2.2 Erasing the Startup Configuration File...
  • Page 101: Introduction To Configuration File

    Chapter 1 Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File; Configuration Task List. 1.1 Introduction to Configuration File...
  • Page 102: Configuration Task List

    can be used instead. This increases the safety and reliability of the file system compared with a switch that supports only one configuration file. You can configure a file to have both the main and backup attributes, but only one file with either the main or the backup attribute is allowed on a switch.
  • Page 103: Saving The Current Configuration

    1.2.1 Saving the Current Configuration You can modify the configuration on your switch at the command line interface (CLI). To use the modified configuration for your subsequent startups, you must save it (using the save command) as a configuration file.
  • Page 104: Erasing The Startup Configuration File

    Backup attribute. When you use the save [ safely ] backup command to save the current configuration, the configuration file you get has the backup attribute. If this configuration file already exists and has the main attribute, the file will have both the main and backup attributes after execution of this command.
  • Page 105: Specifying A Configuration File For Next Startup

    While the reset saved-configuration backup command erases the configuration file with the backup attribute, it only erases the backup attribute of a configuration file having both the main and backup attributes.
  • Page 106: Displaying Switch Configuration

    1.2.4 Displaying Switch Configuration
    To do…: Display the initial configuration file saved in
    Use the command…: display saved-configuration [ unit unit-id ] [ by-linenum ]...
  • Page 107 Operation Manual – VLAN H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 VLAN Overview; 1.1 VLAN Overview; 1.1.1 Introduction to VLAN; 1.1.2 Advantages of VLANs; 1.1.3 VLAN Fundamentals; 1.1.4 VLAN Interface...
  • Page 108: Vlan Overview

    Chapter 1 VLAN Overview This chapter covers these topics: VLAN Overview; Port-Based VLAN; Protocol-Based VLAN. 1.1 VLAN Overview 1.1.1 Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches.
  • Page 109: Vlan Fundamentals

    communicate with each other directly but need the help of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation 1.1.2 Advantages of VLANs...
  • Page 110 The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100. The 3-bit priority field indicates the 802.1p priority of the frame. Refer to the “QoS-QoS profile”...
  • Page 111: Vlan Interface

    VLAN only, and packets received on a port of a VLAN are forwarded according to the VLAN’s own MAC address forwarding table. Currently, the H3C S5600 series Ethernet switches adopt the IVL mode only. For more information about the MAC address forwarding table, refer to the “MAC Address Forwarding Table Management”...
  • Page 112: Port-Based Vlan

    At present, the S5600 series switches support the port-based and protocol-based VLANs. 1.2 Port-Based VLAN Port-based VLAN technology introduces the simplest way to classify VLANs. You can assign the ports on the device to different VLANs.
  • Page 113: Configuring The Default Vlan Id For A Port

    Note: Before assigning an access or hybrid port to a VLAN, create the VLAN first. 1.2.3 Configuring the Default VLAN ID for a Port An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the default VLAN of the access port.
  • Page 114: Protocol-Based Vlan

    Table 1-3 Packet processing of a hybrid port Processing of an incoming packet Processing of an outgoing packet For an untagged packet For a tagged packet If the port has already...
  • Page 115 Note: The H3C S5600 series switches recognize packets with the value of the type field being in the range 0x05DD to 0x05FF as 802.2/802.3 encapsulated packets. II. Extended encapsulation formats of 802.2/802.3 packets 802.2/802.3 packets have the following three extended encapsulation formats:...
  • Page 116 Figure 1-7 802.2 LLC encapsulation format The DSAP field and the SSAP field in the 802.2 LLC encapsulation are used to identify the upper layer protocol. For example, if the two fields are both 0xE0, the upper layer protocol is IPX protocol.
  • Page 117: Procedure For The Switch To Judge Packet Protocol

    1.3.3 Procedure for the Switch to Judge Packet Protocol [Flowchart labels: Receive packets; Type(Length) field; 0x0600~0xFFFF: Ethernet II encapsulation; 0x0000 to 0x05FF: 802.2/802.3 encapsulation; Match the type value; 802.3 raw...]
  • Page 118: Implementation Of Protocol-Based Vlan

    Table 1-4 Encapsulation formats
    Protocol (down) / Encapsulation (left): Ethernet II | 802.3 raw | 802.2 LLC | 802.2 SNAP
    IP (0x0800): Supported | Not supported | Not supported | Supported
    IPX (0x8137)...
  • Page 119: Vlan Configuration

    Chapter 2 VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN; Configuring a Protocol-Based VLAN. 2.1 VLAN Configuration...
  • Page 120: Basic Vlan Interface Configuration

    Caution: VLAN 1 is the system default VLAN, which does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP.
  • Page 121: Displaying Vlan Configuration

    Note: The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. 2.1.4 Displaying VLAN Configuration To do...
  • Page 122: Assigning An Ethernet Port To A Vlan

    Note: To change the link type of a port from trunk to hybrid or vice versa, you need to set the link type to access first. 2.2.3 Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view.
  • Page 123: Configuring The Default Vlan For A Port

    2.2.4 Configuring the Default VLAN for a Port Because an access port can belong to its default VLAN only, there is no need for you to configure the default VLAN for an access port.
  • Page 124 To isolate data between different departments, PC 1 and Server 1 are assigned to VLAN 100 with the descriptive string being Dept1; PC 2 and Server 2 are assigned to VLAN 200 with the descriptive string being Dept2.
  • Page 125 [SwitchA-Vlan-interface200] ip address 192.168.2.1 24
    Configure Switch B.
    # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/13 to VLAN 100.
    <SwitchB> system-view...
  • Page 126: Configuring A Protocol-Based Vlan

    2.3 Configuring a Protocol-Based VLAN 2.3.1 Protocol-Based VLAN Configuration Task List Complete these tasks to configure protocol-based VLAN: Task Remarks Configuring a Protocol Template for a Protocol-Based VLAN...
  • Page 127: Associating A Port With A Protocol-Based Vlan

    Caution: Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and to associate the two protocol types with the same port. Otherwise, ARP packets and IP packets may not be assigned to the same VLAN, which will cause IP address resolution failure.
  • Page 128: Displaying Protocol-Based Vlan Configuration

    To do...: Associate the port with the specified
    Use the command...: port hybrid protocol-vlan vlan vlan-id { protocol-index
    Remarks: Required. By default, a port is not associated with any...
  • Page 129 II. Network diagram Figure 2-2 Network diagram for protocol-based VLAN configuration [diagram labels: IP Server, AppleTalk Server, GE1/0/11, GE1/0/12, GE1/0/10, IP Host, AppleTalk Host, Workroom] III. Configuration procedure # Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively.
  • Page 130 ethernetii etype 0x0806 VLAN ID: 200 VLAN Type: Protocol-based VLAN Protocol Index Protocol Type # Configure GigabitEthernet 1/0/10 as a hybrid port, which removes the VLAN tag of the packets of VLAN 100 and VLAN 200 before forwarding the packets.
  • Page 131 Operation Manual – IP Address and Performance H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 IP Addressing Configuration; 1.1 IP Addressing Overview; 1.1.1 IP Address Classes; 1.1.2 Special Case IP Addresses; 1.1.3 Subnetting and Masking...
  • Page 132: Ip Addressing Overview

    Chapter 1 IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview; Configuring IP Addresses...
  • Page 133: Special Case Ip Addresses

    Table 1-1 IP address classes and ranges Class Address range Description Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address.
  • Page 134: Configuring Ip Addresses

    Figure 1-2 shows how a Class B network is subnetted. Figure 1-2 Subnet a Class B network While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet.
  • Page 135: Displaying Ip Addressing Configuration

    Note: This chapter only covers how to assign an IP address manually. For the other two approaches to IP address assignment, refer to the part discussing DHCP in this manual.
  • Page 136: Ip Address Configuration Examples

    1.4 IP Address Configuration Examples 1.4.1 IP Address Configuration Example I I. Network requirement Assign IP address 129.2.2.1 with mask 255.255.255.0 to VLAN-interface 1 of the switch.
  • Page 137 II. Network diagram Figure 1-4 Network diagram for IP address configuration III. Configuration procedure # Assign a primary IP address and a secondary IP address to VLAN-interface 1.
  • Page 138 The output information shows the switch can communicate with the hosts on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 from the switch to check the connectivity.
  • Page 139: Ip Performance Overview

    Chapter 2 IP Performance Configuration When configuring IP performance, go to these sections for information you are interested in: IP Performance Overview; Configuring IP Performance...
  • Page 140: Configuring Tcp Attributes

    Task Remarks Disabling ICMP to Send Error Packets Optional 2.2.2 Configuring TCP Attributes TCP optional parameters that can be configured include: synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packets are received before the synwait timer times out, the TCP connection is not successfully created.
  • Page 141: Disabling Icmp To Send Error Packets

    Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server. Using the Wake on LAN function to forward directed broadcasts to a host on the remote network.
  • Page 142: Displaying And Maintaining Ip Performance Configuration

    To do…: Disable sending ICMP destination unreachable packets
    Use the command…: undo icmp unreach send
    Remarks: Required. Enabled by default.
    2.3 Displaying and Maintaining IP Performance Configuration To do…...
  • Page 143: Ip Performance Configuration Example

    2.4 IP Performance Configuration Example 2.4.1 Enabling the Reception of Directed Broadcasts to a Directly Connected Network I. Network requirements As shown in Figure 2-1, the host’s interface and VLAN-interface 3 of Switch A are on...
  • Page 144 [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 2.2.2.1 24
    After the above configurations, if you ping the subnet broadcast address 2.2.2.255 on Host, the ping packets can be received by VLAN-interface 2 of Switch B. However, if you disable the ip forward-broadcast command, the ping packets cannot be received by the VLAN-interface 2 of Switch B.
  • Page 145 Operation Manual – Voice VLAN H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Voice VLAN Configuration; 1.1 Voice VLAN Overview; 1.1.1 How an IP Phone Works; 1.1.2 How S5600 Series Switches Identify Voice Traffic; 1.1.3 Setting the Voice Traffic Transmission Priority...
  • Page 146: Voice Vlan Overview

    Chapter 1 Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview; Voice VLAN Configuration; Displaying and Maintaining Voice VLAN; Voice VLAN Configuration Example. 1.1 Voice VLAN Overview...
  • Page 147 Note: Refer to DHCP Operation for information about the Option184 field. The following describes the way an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones...
  • Page 148: How S5600 Series Switches Identify Voice Traffic

    If DHCP Server 1 supports Option 184, it returns the IP address assigned to the IP phone, the IP address of the NCP, the voice VLAN ID, and so on.
  • Page 149: Setting The Voice Traffic Transmission Priority

    The following table lists the five default OUI addresses on S5600 series switches. Table 1-1 Default OUI addresses pre-defined on the switch Number OUI address...
  • Page 150: Support For Voice Vlan On Various Ports

    Caution: If the voice traffic transmitted by an IP voice device carries VLAN tags, and 802.1x authentication and guest VLAN is enabled on the port which the IP voice device is connected to, assign different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN to ensure the effective operation of these...
  • Page 151 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN Voice Port assignment traffic...
  • Page 152: Voice Vlan Configuration

    IP phones acquiring IP address and voice VLAN through manual configuration can forward only tagged traffic, so the matching relationship is relatively simple, as shown in...
  • Page 153: Configuring The Voice Vlan To Operate In Automatic Voice Vlan Assignment Mode

    1.2.2 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode: To do…...
  • Page 154: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    Caution: A port working in automatic voice VLAN assignment mode cannot be assigned to the voice VLAN manually. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN function cannot be bound with the port.
  • Page 155 To do…: Enable the voice VLAN function globally
    Use the command…: voice vlan vlan-id enable
    Remarks: Required
    To do…: Enter port view
    Use the command…: interface interface-type interface-number
    Remarks: Required
    Required...
  • Page 156: Displaying And Maintaining Voice Vlan

    VLAN does not operate in security mode. The voice VLAN legacy feature realizes the communication between H3C device and other vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 157: Voice Vlan Configuration Example (Automatic Voice Vlan Assignment Mode)

    1.4 Voice VLAN Configuration Example 1.4.1 Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) I. Network requirements Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
  • Page 158: Voice Vlan Configuration Example (Manual Voice Vlan Assignment Mode)

    # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”.
    [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
    # Enable the voice VLAN function globally.
  • Page 159 II. Network diagram Figure 1-3 Network diagram for voice VLAN configuration (manual voice VLAN assignment mode) III. Configuration procedure # Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice packets only.
  • Page 160 IV. Verification # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
    <DeviceA> display voice vlan oui...
  • Page 161 Operation Manual – GVRP H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 GVRP Configuration; 1.1 Introduction to GVRP; 1.1.1 GARP; 1.1.2 GVRP; 1.1.3 Protocol Specifications; 1.2 GVRP Configuration; 1.2.1 GVRP Configuration Tasks...
  • Page 162: Chapter 1 Gvrp Configuration

    Chapter 1 GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP; GVRP Configuration; Displaying and Maintaining GVRP; GVRP Configuration Example. 1.1 Introduction to GVRP...
  • Page 163 messages deregister all the attributes, through which the attribute information of the entity can be registered again on the other GARP entities. Leave messages, LeaveAll messages, together with Join messages ensure attribute information can be deregistered and re-registered.
  • Page 164 workstation or a bridge; it instructs other GARP members to register/deregister its attribute information by declaration/recant, and register/deregister other GARP member's attribute information according to other member's declaration/recant. When a port receives an attribute declaration, the port will register this attribute.
  • Page 165 Field Description Value Each general attribute consists of three parts: Attribute Length, Attribute Event, and Attribute Value. Attribute — Each LeaveAll attribute consists of two parts: Attribute Length and LeaveAll Event.
  • Page 166: Protocol Specifications

    Normal. A port in this mode can dynamically register/deregister VLANs and propagate dynamic/static VLAN information. Fixed. A port in this mode cannot register/deregister VLANs dynamically. It only propagates static VLAN information.
  • Page 167: Configuring Gvrp Timers

    To do ...: Enable GVRP on the port
    Use the command ...: gvrp
    Remarks: Required. By default, GVRP is disabled on the port.
    Notes After you enable GVRP on a trunk port, you cannot change the port to a different type.
  • Page 168: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers
    Timer: Hold
    Lower threshold: 10 centiseconds
    Upper threshold: This upper threshold is less than or equal to one-half of the timeout time of the Join timer.
  • Page 169: Displaying And Maintaining Gvrp

    To do ...: Enter Ethernet port view
    Use the command ...: interface interface-type interface-number
    Remarks: —
    To do ...: Configure GVRP port
    Use the command ...: gvrp registration { fixed |
    Remarks: Optional. By default, GVRP port...
  • Page 170 II. Network diagram Figure 1-2 Network diagram for GVRP configuration III. Configuration procedure Configure Switch A
    # Enable GVRP globally.
    <SwitchA> system-view
    [SwitchA] gvrp
    # Configure GigabitEthernet1/0/1 to be a trunk port and to permit the packets of all the VLANs.
  • Page 171 [SwitchA-GigabitEthernet1/0/3] gvrp
    [SwitchA-GigabitEthernet1/0/3] quit
    Configure Switch B
    # The configuration procedure of Switch B is similar to that of Switch A and is thus omitted.
    Configure Switch C
    # Enable GVRP on Switch C, which is similar to that of Switch A and is thus omitted.
  • Page 172 Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
  • Page 173 [SwitchE] display vlan dynamic
    No dynamic vlans exist!
  • Page 174 Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Port Basic Configuration; 1.1 Ethernet Port Configuration; 1.1.1 Initially Configuring a Port; 1.1.2 Configuring Port Auto-Negotiation Speed; 1.1.3 Limiting Traffic on individual Ports...
  • Page 175: Ethernet Port Configuration

    Chapter 1 Port Basic Configuration Note: The auto-negotiation speed configuration on a port is added to this manual. For details, refer to section Configuring Port Auto-Negotiation Speed.
  • Page 176: Configuring Port Auto-Negotiation Speed

    To do...: Set the speed of the Ethernet port
    Use the command...: speed { speed-value | auto }
    Remarks: Optional. By default, the speed of the port is auto (auto-negotiation).
  • Page 177: Limiting Traffic On Individual Ports

    Note: Only combo optical ports on the front panel of the device support the auto-negotiation speed configuration feature. Ports on the extended interface card do not support this feature currently.
  • Page 178: Enabling Flow Control On A Port

    1.1.4 Enabling Flow Control on a Port With flow control enabled on both the local and peer switches, if congestion occurs on the local switch: The local switch sends a message to notify the peer switch to temporarily stop sending packets to it.
  • Page 179: Configuring Loopback Detection For An Ethernet Port

    Follow these steps to copy the configuration of a port to other ports: To do... Use the command... Remarks Enter system view system-view —...
  • Page 180: Enabling Loopback Test

    To do...: Enter Ethernet port view
    Use the command...: interface interface-type interface-number
    Remarks: —
    To do...: Enable loopback detection on a
    Use the command...: loopback-detection
    Remarks: Required. By default, port loopback...
  • Page 181: Enabling The System To Test Connected Cable

    Note: external: Performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 1000M port, the self-loop header is made from all eight cores of the 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 182: Configuring The Interval To Perform Statistical Analysis On Port Traffic

    Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration 1.1.9 Configuring the Interval to Perform Statistical Analysis on Port Traffic By performing the following configuration, you can set the interval to perform statistical analysis on the traffic of a port.
  • Page 183: Configuring Storm Control On A Port

    Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration You can limit the amount of the log information sent to the log server by disabling the Up/Down log output function on Ethernet ports.
  • Page 184 Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration To do... Use the command... Remarks Set the upper and lower storm-constrain thresholds of { broadcast | multicast | broadcast/multicast/unica Required unicast } max-packets...
  • Page 185: Setting The Port State Change Delay

    Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration 1.1.13 Setting the Port State Change Delay During a short period after you connect your switch to another device, the connecting port may go up and down frequently due to hardware compatibility, resulting in service interruption.
  • Page 186: Ethernet Port Configuration Example

    Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration Table (To do... / Use the command... / Remarks): Display the information about the ports with the link-delay command configured / display link-delay / Available in any view; display brief interface...
  • Page 187: Troubleshooting Ethernet Port Configuration

    Operation Manual – Port Basic Configuration H3C S5600 Series Ethernet Switches Chapter 1 Port Basic Configuration II. Network diagram Figure 1-1 Network diagram for Ethernet port configuration III. Configuration procedure Note: Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A.
  • Page 188 Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Link Aggregation Configuration (1-1); 1.1 Overview (1-1); 1.1.1 Introduction to Link Aggregation (1-1); 1.1.2 Introduction to LACP (1-1); 1.1.3 Requirements on Ports for Link Aggregation...
  • Page 189: Introduction To Link Aggregation

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration Chapter 1 Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories...
  • Page 190: Link Aggregation Classification

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration 1.1.3 Requirements on Ports for Link Aggregation To achieve load sharing in an aggregation group, the member ports to perform load balancing must have the same speed, duplex mode, and basic configurations, which...
  • Page 191: Static Lacp Aggregation Group

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration II. Port status in manual aggregation group A port in a manual aggregation group can be in one of the two states: selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
  • Page 192: Dynamic Lacp Aggregation Group

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration Only the selected ports can transceive service packets; the unselected ports cannot. In a static aggregation group, the system sets the ports to selected or unselected state according to the following rules.
  • Page 193: Aggregation Group Categories

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration In a dynamic aggregation group, the selected port with the smallest port number serves as the master port of the group, and other selected ports serve as member ports of the group.
  • Page 194 Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration In general, the system only provides limited load-sharing aggregation resources, so the system needs to reasonably allocate the resources among different aggregation groups. The system always allocates hardware aggregation resources to the aggregation groups with higher priorities.
  • Page 195: Link Aggregation Configuration

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration 1.4 Link Aggregation Configuration Caution: Link aggregation commands cannot be configured together with port loopback detection commands.
  • Page 196: Configuring A Static Lacp Aggregation Group

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration Follow these steps to configure a manual aggregation group: To do… Use the command… Remarks Enter system view system-view — Create a manual link-aggregation group agg-id mode...
  • Page 197: Configuring A Dynamic Lacp Aggregation Group

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration Table (To do… / Use the command… / Remarks): Enter system view / system-view / —; Create a static aggregation group / link-aggregation group agg-id mode static / Required; Enter Ethernet port view / interface interface-type... / —
  • Page 198: Configuring A Description For An Aggregation Group

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration Table (To do… / Use the command… / Remarks): Enter Ethernet port view / interface interface-type interface-number / —; Enable LACP on the port / lacp enable / Required. By default, LACP is disabled on a port.
  • Page 199: Displaying And Maintaining Link Aggregation Configuration

    Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration 1.5 Displaying and Maintaining Link Aggregation Configuration Table (To do… / Use the command… / Remarks): Display summary information of all aggregation groups / display link-aggregation summary; Display detailed information of...
  • Page 200 Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration III. Configuration procedure Note: Only the configuration on Switch A is listed below; you must perform a similar configuration on Switch B to implement link aggregation.
  • Page 201 Operation Manual – Link Aggregation H3C S5600 Series Ethernet Switches Chapter 1 Link Aggregation Configuration [Sysname-GigabitEthernet1/0/1] quit [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] lacp enable [Sysname-GigabitEthernet1/0/2] quit [Sysname] interface GigabitEthernet1/0/3 [Sysname-GigabitEthernet1/0/3] lacp enable Caution: The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
  • Page 202 Operation Manual – Port Isolation H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Port Isolation Configuration (1-1); 1.1 Port Isolation Overview (1-1); 1.2 Port Isolation Configuration (1-1); 1.3 Displaying and Maintaining Port Isolation Configuration (1-2)...
  • Page 203: Port Isolation Overview

    Operation Manual – Port Isolation H3C S5600 Series Ethernet Switches Chapter 1 Port Isolation Configuration Chapter 1 Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview; Port Isolation Configuration; Displaying and Maintaining Port Isolation Configuration; Port Isolation Configuration Example. 1.1 Port Isolation Overview...
  • Page 204: Port Isolation Configuration Example

    Operation Manual – Port Isolation H3C S5600 Series Ethernet Switches Chapter 1 Port Isolation Configuration Note: When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local unit will join/leave the isolation group at the same time.
  • Page 205 Operation Manual – Port Isolation H3C S5600 Series Ethernet Switches Chapter 1 Port Isolation Configuration II. Network diagram Figure 1-1 Network diagram for port isolation configuration (diagram labels: Internet, GE1/0/1, Switch) III. Configuration procedure # Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.
  • Page 206 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Port Security Configuration (1-1); 1.1 Port Security Overview (1-1); 1.1.1 Introduction (1-1); 1.1.2 Port Security Features (1-1); 1.1.3 Port Security Modes (1-2); 1.2 Port Security Configuration Task List...
  • Page 207: Port Security Overview

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Chapter 1 Port Security Configuration When configuring port security, go to these sections for information you are interested in: Port Security Overview; Port Security Configuration Task List...
  • Page 208: Port Security Modes

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Intrusion protection feature: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action accordingly.
  • Page 209 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Security mode Description Feature MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the...
  • Page 210 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Security mode Description Feature This mode is similar to the macAddressOrU macAddressOrUserLoginSecure serLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
  • Page 211: Port Security Configuration Task List

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration 1.2 Port Security Configuration Task List Complete the following tasks to configure port security: Task Remarks Enabling Port Security Required Setting the Maximum Number of MAC Addresses Allowed on a...
  • Page 212: Setting The Maximum Number Of Mac Addresses Allowed On A Port

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Caution: Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses below): 802.1x (disabled), port access control method (macbased), and port access control...
  • Page 213: Setting The Port Security Mode

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Table (To do... / Use the command... / Remarks): Set the maximum number of MAC addresses allowed on the port / port-security max-mac-count count-value / Required. Not limited by default. 1.2.3 Setting the Port Security Mode...
  • Page 214: Configuring Port Security Features

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration Note: Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
  • Page 215 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration II. Configuring intrusion protection Follow these steps to configure the intrusion protection feature: To do... Use the command... Remarks Enter system view system-view —...
  • Page 216: Ignoring The Authorization Information From The Radius Server

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration III. Configuring the Trap feature Follow these steps to configure port security trapping: To do... Use the command... Remarks Enter system view system-view —...
  • Page 217: Displaying And Maintaining Port Security Configuration

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration If the number of security MAC addresses has not yet reached the maximum number, the port will learn new MAC addresses and turn them into security MAC addresses;...
  • Page 218: Port Security Configuration Example

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration 1.4 Port Security Configuration Example 1.4.1 Port Security Configuration Example I. Network requirements Implement access user restrictions through the following configuration on GigabitEthernet 1/0/1 of the switch.
  • Page 219 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 1 Port Security Configuration [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-GigabitEthernet1/0/1] quit [Switch] port-security timer disableport 30
  • Page 220: Port Binding Overview

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 2 Port Binding Configuration Chapter 2 Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview; Displaying and Maintaining Port Binding Configuration; Port Binding Configuration Example. 2.1 Port Binding Overview...
  • Page 221: Displaying And Maintaining Port Binding Configuration

    Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 2 Port Binding Configuration 2.2 Displaying and Maintaining Port Binding Configuration To do... Use the command... Remarks Display port display am user-bind [ interface Available in binding interface-type interface-number | ip-addr...
  • Page 222 Operation Manual – Port Security-Port Binding H3C S5600 Series Ethernet Switches Chapter 2 Port Binding Configuration [SwitchA-GigabitEthernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1...
  • Page 223 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 DLDP Configuration (1-1); 1.1 Overview (1-1); 1.1.1 Introduction (1-1); 1.2 DLDP Fundamentals (1-2); 1.2.1 DLDP Implementation (1-2); 1.2.2 DLDP Status (1-6); 1.2.3 DLDP Timers...
  • Page 224: Chapter 1 Dldp Configuration

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration Chapter 1 DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: Overview; DLDP Configuration; DLDP Configuration Example. 1.1 Overview 1.1.1 Introduction A special kind of link, namely the unidirectional link, may occur in a network.
  • Page 225: Dldp Fundamentals

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration [Figure: network diagram; recoverable labels: SwitchA, GE1/0/50, GE1/0/51...]
  • Page 226 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration Table 1-1 DLDP packet types DLDP packet type Function Notifies the neighbor devices of the existence of the local device. An advertisement packet carries only the local...
  • Page 227 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration DLDP packet type Function Linkdown packets are used to notify unidirectional link emergencies (a unidirectional link emergency occurs when the local port is down and the peer port is up).
  • Page 228 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration DLDP state Type of the DLDP packets sent Probe Probe packets A DLDP packet received is processed as follows: In authentication mode, the DLDP packet is authenticated and is then dropped if it fails the authentication.
  • Page 229: Dldp Status

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration Table 1-4 Processing procedure when no echo packet is received from the neighbor No echo packet received from Processing procedure the neighbor In normal mode, no echo packet is...
  • Page 230: Dldp Timers

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration 1.2.3 DLDP Timers Table 1-6 DLDP timers (Timer / Description): Advertisement sending timer / Interval between sending advertisement packets, which can be configured on a command line interface. By default, the timer length is 5 seconds.
  • Page 231: Dldp Operating Mode

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration Timer Description When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first.
  • Page 232: Dldp Configuration

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration Table 1-8 Description on the two DLDP neighbor states (DLDP neighbor state / Description): two way / The link to the neighbor operates properly; unknown / The device is detecting the neighbor and the neighbor state is unknown.
  • Page 233 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration To do … Use the command … Remarks Enter system view system-view — Enable DLDP globally dldp enable Required. Enter interface interface-type Enable Ethernet By default, Enable...
  • Page 234: Resetting Dldp State

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration DLDP does not process any LACP event, and treats each link in the aggregation group as independent. When connecting two DLDP-enabled devices, make sure the software running on them is of the same version.
  • Page 235: Displaying And Maintaining Dldp

    Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration 1.3.3 Displaying and Maintaining DLDP To do … Use the command … Remarks Display the DLDP display dldp { unit-id | configuration of a unit or a interface-type Available in any view.
  • Page 236 Operation Manual – DLDP H3C S5600 Series Ethernet Switches Chapter 1 DLDP Configuration [SwitchA-GigabitEthernet1/0/51] speed 1000 [SwitchA-GigabitEthernet1/0/51] quit # Enable DLDP globally [SwitchA] dldp enable # Set the interval between sending DLDP packets to 15 seconds. [SwitchA] dldp interval 15...
  • Page 237: Mac Address Table Management

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 MAC Address Table Management (1-1); 1.1 Overview (1-1); 1.1.1 Introduction to MAC Address Table (1-1); 1.1.2 Introduction to MAC Address Learning (1-2); 1.1.3 Managing MAC Address Table...
  • Page 238: Introduction To Mac Address Table

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management Chapter 1 MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in:...
  • Page 239: Introduction To Mac Address Learning

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management Broadcast forwarding: If the destination MAC address carried in the packet is not included in the MAC address table, the switch broadcasts the packet to all ports except the one receiving the packet.
  • Page 240 Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management After learning the MAC address of User A, the switch starts to forward the packet. Because there is no MAC address and port information of User B in the existing MAC address table, the switch forwards the packet to all ports except GigabitEthernet 1/0/1 to ensure that User B can receive the packet.
  • Page 241: Managing Mac Address Table

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet, the switch unicasts the packet to User A through GigabitEthernet 1/0/1 instead of broadcasting it, because MAC-A is already in the MAC address table.
  • Page 242: Configuring Mac Address Table Management

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management II. Entries in a MAC address table Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: Static MAC address entry: Also known as permanent MAC address entry.
  • Page 243: Configuring A Mac Address Entry

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management 1.2.2 Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove specific type of MAC address entries (dynamic or static MAC address entries).
  • Page 244: Setting The Mac Address Aging Timer

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management Caution: When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
  • Page 245: Enabling Destination Mac Address Triggered Update

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management for these MAC addresses through the hardware, improving the forwarding efficiency. A MAC address table that is too large may prolong the time for searching MAC address entries, thus decreasing the forwarding performance of the switch.
  • Page 246: Assigning Mac Addresses For Ethernet Ports

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management Follow these steps to enable destination MAC address triggered update: To do… Use the command… Remarks Enter system view system-view — Required...
  • Page 247: Displaying Mac Address Table Information

    Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management DLDP Port MAC address configuration does not affect service packet forwarding. 1.3 Displaying MAC Address Table Information To do… Use the command…...
  • Page 248 Operation Manual – MAC Address Table Management H3C S5600 Series Ethernet Switches Chapter 1 MAC Address Table Management 000f-e20f-f116 Learned GigabitEthernet1/0/2 AGING 4 mac address(es) found on port GigabitEthernet1/0/2 ---
  • Page 249: Auto Detect

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Auto Detect Configuration (1-1); 1.1 Introduction to the Auto Detect Function (1-1); 1.2 Auto Detect Configuration (1-1); 1.2.1 Auto Detect Basic Configuration (1-2); 1.2.2 Auto Detect Implementation in Static Routing...
  • Page 250: Introduction To The Auto Detect Function

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration Chapter 1 Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function...
  • Page 251: Auto Detect Basic Configuration

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration Task Remarks Auto Detect Implementation in VRRP Optional Auto Detect Implementation in VLAN Interface Backup Optional 1.2.1 Auto Detect Basic Configuration Follow these steps to configure the auto detect function: To do…...
  • Page 252: Auto Detect Implementation In Static Routing

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration 1.2.2 Auto Detect Implementation in Static Routing You can bind a static route with a detected group. The Auto Detect function will then detect the reachability of the static route through the path specified in the detected group.
  • Page 253: Auto Detect Implementation In Vlan Interface Backup

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface Vlan-interface vlan-id — vrrp vrid virtual-router-id track Enable the auto detect...
  • Page 254: Auto Detect Configuration Examples

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration Table (To do… / Use the command… / Remarks): Enable the auto detect function to implement VLAN interface backup / standby detect-group group-number / Required. This operation is only needed on the secondary VLAN interface.
  • Page 255: Configuration Example For Auto Detect Implementation In Vrrp

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration # Enable the static route when the detected group is reachable. The static route is invalid when the detected group is unreachable. [SwitchA] ip route-static 10.1.1.4 24 192.168.1.2 detect-group 8 Configure Switch C.
  • Page 256: Configuration Example For Auto Detect Implementation In Vlan Interface Backup

    Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration <SwitchA> system-view [SwitchA] detect-group 9 # Specify to detect the reachability of the IP address 10.1.1.4/24, setting the detect number to 1. [SwitchA-detect-group-9] detect-list 1 ip address 10.1.1.4...
  • Page 257 Operation Manual – Auto Detect H3C S5600 Series Ethernet Switches Chapter 1 Auto Detect Configuration II. Network diagram Figure 1-3 Network diagram for VLAN interface backup III. Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure 1-3.
  • Page 258: Mstp

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 MSTP Configuration (1-1); 1.1 STP Overview (1-1); 1.2 MSTP Overview (1-11); 1.2.1 Background of MSTP (1-11); 1.2.2 Basic MSTP Terminologies (1-12); 1.2.3 Principle of MSTP...
  • Page 259 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Table of Contents: 1.6 Configuring Guard Functions (1-43); 1.6.1 Introduction (1-43); 1.6.2 Configuration Prerequisites (1-45); 1.6.3 Configuring BPDU Guard (1-45); 1.6.4 Configuring Root Guard (1-45); 1.6.5 Configuring Loop Guard (1-46); 1.6.6 Configuring TC-BPDU Attack Guard...
  • Page 260: Stp Overview

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Chapter 1 MSTP Configuration Go to these sections for information you are interested in: MSTP Overview Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions...
  • Page 261 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration II. Protocol packets of STP STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. STP identifies the network topology by transmitting BPDUs between STP compliant network devices.
  • Page 262 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Figure 1-1 shows designated bridges and designated ports. In the figure, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device B, and Device C respectively.
  • Page 263 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Root path cost, the cost of the shortest path to the root bridge. Designated bridge ID, designated bridge priority plus MAC address. Designated port ID, designated port priority plus port name.
  • Page 264 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than...
  • Page 265 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Table 1-3 Selection of the root port and designated ports Step Description A non-root-bridge device takes the port on which the optimum configuration BPDU was received as the root port.
  • Page 266 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Figure 1-2 Network diagram for STP algorithm Initial state of each device The following table shows the initial state of each device. Table 1-4 Initial state of each device...
  • Page 267 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Table 1-5 Comparison process and result on each device BPDU of port Device Comparison process after comparison Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the...
  • Page 268 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration BPDU of port after Device Comparison process comparison Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the...
  • Page 269 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Figure 1-3 The final calculated spanning tree Note: To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
  • Page 270: Mstp Overview

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration root port and designated port begin to forward data as soon as they are elected, a temporary loop may occur. STP timers The following three time parameters are important for STP calculation: Forward delay, the period a device waits before state transition.
  • Page 271: Basic Mstp Terminologies

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Note: In RSTP, the state of a root port can transit fast under the following conditions: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
  • Page 272 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Region A0: VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU BPDU Region B0: VLAN 1 mapped to MSTI 1...
  • Page 273 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration III. VLAN-to-MSTI mapping table A VLAN-to-MSTI mapping table is maintained for each MST region. The table is a collection of mappings between VLANs and MSTIs. For example, in...
  • Page 274 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration A designated port is used to forward packets to a downstream network segment or switch. A master port connects an MST region to the common root. The path from the master port to the common root is the shortest path between the MST region and the common root.
  • Page 275 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Connecting to the common root bridge Region boundary ports Port 2 MST region Port 1 Master port Alternate port Port 6 Port 5 Backup port Designated port...
  • Page 276: Principle Of Mstp

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.2.3 Principle of MSTP MSTP divides a Layer 2 network into multiple MST regions. The CSTs are generated between these MST regions, and multiple spanning trees (also called MSTIs) can be generated in each MST region.
  • Page 277: Mstp Implementation On Switches

    MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches.
  • Page 278: Configuring Root Bridge

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.3 Configuring Root Bridge Complete the following tasks to configure the root bridge: Task Remarks Required To prevent network topology jitter caused Enabling MSTP by other related configurations, you are recommended to enable MSTP after other related configurations are performed.
  • Page 279: Configuring An Mst Region

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Note: In a network containing switches with both GVRP and MSTP enabled, GVRP messages travel along the CIST. If you want to advertise a VLAN through GVRP, be sure to map the VLAN to the CIST (MSTI 0) when configuring the VLAN-to-MSTI mapping table.
  • Page 280 (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-MSTI mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches that have the same settings for these parameters are assigned to the same MST region.
  • Page 281: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Region name :info Revision level Instance Vlans Mapped 1, 11 to 19, 31 to 4094 2 to 10 20 to 30 1.3.3 Specifying the Current Switch as a Root Bridge/Secondary Root Bridge MSTP can automatically choose a switch as a root bridge through calculation.
  • Page 282: Configuring The Bridge Priority Of The Current Switch

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration same MSTI, a switch cannot be the root bridge and the secondary root bridge simultaneously. When the root bridge fails or is turned off, the secondary root bridge becomes the root bridge if no new root bridge is configured.
  • Page 283 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Enter system view system-view — Required stp [ instance Set the bridge priority for instance-id ] priority The default bridge priority...
  • Page 284 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration The port recognizes and sends MSTP packets in legacy format. In this case, the port can only communicate with the peer through packets in legacy format. If packets in dot1s format are received, the port turns to discarding state to prevent network storm.
  • Page 285: Configuring The Maximum Hop Count Of An Mst Region

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] stp compliance dot1s # Restore the default mode for GigabitEthernet 1/0/1 to recognize/send MSTP packets. [Sysname-GigabitEthernet1/0/1] undo stp compliance 1.3.6 Configuring the MSTP Operation Mode...
  • Page 286: Configuring The Network Diameter Of The Switched Network

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration configuration BPDU. And a switch discards the configuration BPDUs whose remaining hops are 0. After a configuration BPDU reaches a root bridge of a spanning tree in an MST region, the value of the remaining hops field in the configuration BPDU is decreased by 1 every time the configuration BPDU passes one switch.
  • Page 287: Configuring The Mstp Time-Related Parameters

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Enter system view system-view — Required Configure the network stp bridge-diameter diameter of the switched The default network bridgenumber network diameter of a network is 7.
  • Page 288 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Required The max age parameter Configure the max age stp timer max-age defaults to 2,000 parameter centiseconds centiseconds (namely, 20 seconds).
  • Page 289: Configuring The Timeout Time Factor

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration II. Configuration example # Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
  • Page 290 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration parameter. It depends on the physical state of the port and network structure. You can configure this parameter according to the network. I. Configure the maximum transmitting rate for specified ports in system view...
  • Page 291: Configuring The Current Port As An Edge Port

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.3.12 Configuring the Current Port as an Edge Port Edge ports are ports that connect to other switches neither directly nor indirectly through network segments. After a port is configured as an edge port, the rapid transition mechanism is applicable to the port.
  • Page 292: Specifying Whether The Link Connected To A Port Is Point-To-Point Link

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Note: You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network.
  • Page 293: Enabling Mstp

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration II. Specify whether the link connected to a port is point-to-point link in Ethernet port view Follow these steps to specify whether the link connected to a port is point-to-point link in Ethernet port view: To do...
  • Page 294 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Use the To do... Remarks command... Enter system view — system-view Required Enable MSTP stp enable MSTP is disabled by default. Optional By default, MSTP is enabled on all ports after you enable MSTP in system view.
  • Page 295: Configuring Leaf Nodes

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration <Sysname> system-view [Sysname] stp enable [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] stp disable 1.4 Configuring Leaf Nodes Complete the following tasks to configure leaf nodes: Task Remarks Required...
  • Page 296: Configuring The Mst Region

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.4.2 Configuring the MST Region Refer to Configuring an MST Region. 1.4.3 Configuring How a Port Recognizes and Sends MSTP Packets Refer to Configuring How a Port Recognizes and Sends MSTP Packets.
  • Page 297 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Follow these steps to specify the standard for calculating path costs: To do... Use the command... Remarks Enter system view system-view — Optional Specify the standard for...
  • Page 298 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Where, “link transmission rate” is the sum of the rates of all the unblocked ports on the aggregated link measured in 100 Kbps. II. Configure the path cost for specific ports Follow these steps to configure the path cost for specified ports in system view: To do...
  • Page 299: Configuring Port Priority

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration IV. Configuration example (B) # Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
  • Page 300: Performing Mcheck Operation

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Required. stp [ instance Configure port priority for instance-id ] port priority The default port priority is the port priority 128.
  • Page 301: Configuration Prerequisites

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Similarly, a port on an RSTP-enabled switch operating as an upstream switch turns to the STP-compatible mode when it has an STP-enabled switch connected to it. When the STP-enabled downstream switch is then replaced by an MSTP-enabled switch, the port cannot automatically transit to the MSTP-compatible mode.
  • Page 302: Configuring Guard Functions

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] stp mcheck 1.6 Configuring Guard Functions 1.6.1 Introduction The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop guard, TC-BPDU attack guard, and BPDU drop.
  • Page 303 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state.
  • Page 304: Configuring Bpdu Guard

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration repeatedly, which may occupy too much CPU of the switches or cause errors in the protocol state of the BPDU packets. In order to avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port will not receive or forward any BPDU packets.
  • Page 305: Configuring Loop Guard

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter Ethernet port view — interface-number Required Enable the root guard function on the current...
  • Page 306: Configuring Tc-Bpdu Attack Guard

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.6.6 Configuring TC-BPDU Attack Guard I. Configuration prerequisites MSTP runs normally on the switch. II. Configuration procedure Follow these steps to configure the TC-BPDU attack guard function: To do...
  • Page 307: Configuring Digest Snooping

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration <Sysname> system-view [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] bpdu-drop any 1.7 Configuring Digest Snooping 1.7.1 Introduction According to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration.
  • Page 308 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration I. Configuration prerequisites The switch to be configured is connected to another manufacturer's switch adopting a proprietary spanning tree protocol. MSTP and the network operate normally. II. Configuration procedure Follow these steps to configure digest snooping: To do...
  • Page 309: Configuring Rapid Transition

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Note: When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
  • Page 310 RSTP in the way to implement rapid transition on designated ports. When a switch of this kind operating as the upstream switch connects with an H3C series switch running MSTP, the upstream designated port fails to change its state rapidly.
  • Page 311 H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
  • Page 312: Configuring Vlan-Vpn Tunnel

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Follow these steps to configure the rapid transition feature in Ethernet port view: To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter Ethernet port view —...
  • Page 313 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Service provider network Packet input/output Packet input/output device device Network Customer networks Network A Network B Figure 1-9 VLAN-VPN tunnel network hierarchy 1.9.2 Configuring VLAN-VPN tunnel Follow these steps to configure VLAN-VPN tunnel: To do...
  • Page 314: Stp Maintenance Configuration

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration 1.10 STP Maintenance Configuration 1.10.1 Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently. In this case, maintenance personnel may expect that log/trap information is output to the log host when particular ports fail, so that they can check the status changes of those ports through alarm information.
  • Page 315: Displaying And Maintaining Mstp

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration To do... Use the command... Remarks Enter system view system-view — Enable trap messages stp [ instance instance-id ] conforming to 802.1d dot1d-trap [ newroot | Required...
  • Page 316 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively. In this network, Switch A and Switch B operate on the convergence layer; Switch C and Switch D operate on the access layer.
  • Page 317 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration # Specify Switch A as the root bridge of MSTI 1. [Sysname] stp instance 1 root primary Configure Switch B # Enter MST region view. <Sysname> system-view...
  • Page 318: Vlan-Vpn Tunnel Configuration Example

    Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] instance 4 vlan 40 [Sysname-mst-region] revision-level 0 # Activate the settings of the MST region manually.
  • Page 319 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration # Enable MSTP. <Sysname> system-view [Sysname] stp enable # Add Ethernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port Ethernet 1/0/1 Configure Switch C # Enable MSTP.
  • Page 320 Operation Manual – MSTP H3C S5600 Series Ethernet Switches Chapter 1 MSTP Configuration [Sysname-GigabitEthernet1/0/2] port access vlan 10 [Sysname-GigabitEthernet1/0/2] stp disable [Sysname-GigabitEthernet1/0/2] quit # Configure GigabitEthernet 1/0/1 as a trunk port. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type trunk # Add the trunk port to all VLANs.
  • Page 321: Routing Protocol

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Table of Contents Chapter 1 IP Routing Protocol Overview (1-1); 1.1 Introduction to IP Route and Routing Table (1-1); 1.1.1 IP Route (1-1); 1.1.2 Routing Table (1-1); 1.2 Routing Protocol Overview ...
  • Page 322 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Table of Contents 3.8 Troubleshooting RIP Configuration (3-13); 3.8.1 Failed to Receive RIP Updates (3-13); Chapter 4 OSPF Configuration (4-1); 4.1 OSPF Overview (4-1); 4.1.1 Introduction to OSPF (4-1); 4.1.2 OSPF Route Calculation ...
  • Page 323: Multicast

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Table of Contents 4.9 OSPF Configuration Examples (4-31); 4.9.1 Configuring DR/BDR Election (4-31); 4.9.2 Configuring OSPF Virtual Link (4-33); 4.10 Troubleshooting OSPF Configuration (4-35); 4.10.1 Unable to Establish a Neighbor Relationship between Routers (4-35); 4.10.2 Unable to Learn a Complete Network Topology ...
  • Page 324 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Table of Contents 5.8.2 Resetting BGP Connections (5-36); 5.8.3 Clearing BGP Information (5-37); 5.9 BGP Configuration Examples (5-37); 5.9.1 Configuring BGP Confederation Attribute (5-37); 5.9.2 Configuring BGP RR (5-39); 5.9.3 Configuring BGP Path Selection ...
  • Page 325: Introduction To Ip Route And Routing Table

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview Chapter 1 IP Routing Protocol Overview Go to these sections for information you are interested in: Introduction to IP Route and Routing Table Routing Protocol Overview...
  • Page 326 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview Destination: It identifies the address of the destination host or network of an IP packet. Mask: Along with the destination address, it identifies the address of the network segment where the destination host or router resides.
  • Page 327: Routing Protocol Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview Destination Network Nexthop Interface 11.0.0.0 14.0.0.1 12.0.0.0 14.0.0.1 13.0.0.0 16.0.0.1 14.0.0.0 14.0.0.3 15.0.0.0 17.0.0.2 16.0.0.0 16.0.0.2 17.0.0.0 17.0.0.1 Figure 1-1 Routing table 1.2 Routing Protocol Overview 1.2.1 Static Routing and Dynamic Routing...
  • Page 328: Routing Protocols And Routing Priority

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview I. Operational scope Interior Gateway Protocols (IGPs): Work within an autonomous system, typically including RIP, OSPF, and IS-IS. Exterior Gateway Protocols (EGPs): Work between autonomous systems. The most popular one is BGP.
  • Page 329: Load Sharing And Route Backup

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview Routing approach Priority STATIC OSPF ASE OSPF NSSA UNKNOWN Note: The smaller the priority value, the higher the priority. The priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured.
  • Page 330: Displaying And Maintaining A Routing Table

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 1 IP Routing Protocol Overview required for routing protocols to share their routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
  • Page 331: Introduction To Static Route

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 2 Static Route Configuration Chapter 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route Static Route Configuration...
  • Page 332: Default Route

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 2 Static Route Configuration Blackhole route: route with blackhole attribute. If a static route destined for a destination has the blackhole attribute, the outgoing interface of this route is the Null 0 interface regardless of the next hop address, and all the IP packets addressed to this destination will be dropped without notifying the source hosts.
  • Page 333: Displaying And Maintaining Static Routes

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 2 Static Route Configuration Note: Use the ip route-static command to configure a default route by setting the destination IP address and the mask to 0.0.0.0. Avoid configuring the next hop address of a static route to the address of an interface on the local switch.
  • Page 334 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 2 Static Route Configuration Host A 1.1.5.2/24 1.1.5.1/24 1.1.2.2/24 1.1.3.1/24 Switch C 1.1.2.1/24 1.1.3.2/24 1.1.1.1/24 1.1.4.1/24 Switch A Switch B 1.1.1.2/24 1.1.4.2/24 Host C Host B Figure 2-1 Network diagram for static route configuration III.
  • Page 335: Troubleshooting A Static Route

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 2 Static Route Configuration [SwitchB] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 # Configure static routes on Switch C. <SwitchC> system-view [SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1 [SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2 Perform the following configurations on the host.
  • Page 336: Rip Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Chapter 3 RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example...
  • Page 337: Rip Startup And Operation

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Next hop: IP address of an interface on the adjacent router that IP packets should pass through to reach the destination. Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
  • Page 338: Rip Configuration Task List

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration By default, RIP sends its routing table to its neighbors every 30 seconds. Upon receiving the packets, the neighbors maintain their own routing tables and select optimal routes, and then advertise update information to their respective neighbors so as to make the updated routes known globally.
  • Page 339: Configuring Basic Rip Functions

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Configuring the network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer 3.3.2 Configuring Basic RIP Functions I. Enabling RIP on the interfaces attached to a specified network segment...
  • Page 340: Rip Route Control

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration III. Specifying the RIP version on an interface Follow these steps to specify the RIP version on an interface: To do... Use the command... Remarks Enter system view system-view —...
  • Page 341 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter interface view — interface-number Set the additional routing Optional metric to be added for incoming...
  • Page 342 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Follow these steps to disable the router from receiving host routes: To do... Use the command... Remarks Enter system view system-view — Enter RIP view —...
  • Page 343 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Note: The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors.
  • Page 344: Rip Network Adjustment And Optimization

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration To do... Use the command... Remarks Required import-route protocol Configure RIP to By default, RIP does [ process-id | allow-ibgp ] redistribute routes from not redistribute any...
  • Page 345 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Note: When configuring the values of RIP timers, you should take network performance into consideration and perform consistent configuration on all routers running RIP to avoid unnecessary network traffic and network route oscillation.
  • Page 346: Displaying And Maintaining Rip Configuration

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration IV. Setting RIP-2 packet authentication mode RIP-2 supports two authentication modes: simple authentication and message digest 5 (MD5) authentication. Simple authentication cannot provide complete security, because the authentication keys sent along with packets are not encrypted.
  • Page 347: Rip Configuration Example

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration To do... Use the command... Remarks Display RIP routing information display rip routing Reset the system configuration related Available in reset to RIP RIP view 3.7 RIP Configuration Example I.
  • Page 348: Troubleshooting Rip Configuration

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 3 RIP Configuration Configure Switch A: # Configure RIP. <SwitchA> system-view [SwitchA] rip [SwitchA-rip] network 110.11.2.0 [SwitchA-rip] network 155.10.1.0 Configure Switch B: # Configure RIP. <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 196.38.165.0...
  • Page 349: Ospf Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration Chapter 4 OSPF Configuration When configuring OSPF, go to these sections for information you are interested in: OSPF Overview OSPF Configuration Task List Displaying and Maintaining OSPF Configuration...
  • Page 350: Ospf Route Calculation

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration Authentication: OSPF supports interface-based packet authentication to guarantee the security of route calculation. Multicast transmission: OSPF supports transmitting protocol packets in multicast mode. 4.1.2 OSPF Route Calculation...
  • Page 351 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration II. Router ID To run OSPF, a router must have a router ID. A router ID can be configured manually. If no router ID is configured, the system will automatically select an IP address from the IP addresses of the interfaces as the router ID.
  • Page 352 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration IV. LSA Types Five basic LSA types As described in the preceding sections, LSAs are the primary source for OSPF to calculate and maintain routes. RFC 2328 defines five types of LSAs: Router-LSA: Type-1 LSAs, generated by every router to describe the router's link states and costs, and advertised only in the originating area.
  • Page 353: Ospf Area Partition And Route Summarization

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration 4.1.4 OSPF Area Partition and Route Summarization I. Area partition If all the routers on an ever-growing large network run OSPF, the large number of routers will result in an enormous LSDB, which will consume an enormous storage space, complicate the running of SPF algorithm, and increase CPU load.
  • Page 354 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration Area border router (ABR) An area border router belongs to more than two areas, one of which must be the backbone area. It connects the backbone area to a non-backbone area. The connection between an area border router and the backbone area can be physical or logical.
  • Page 355 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration III. Backbone area and virtual link Backbone area With OSPF area partition, not all areas are equal. One of the areas is different from any other area. Its area ID is 0 and it is usually called the backbone area. Routing information between non-backbone areas must be forwarded by the backbone area.
  • Page 356 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration The virtual link between the two ABRs acts as a point-to-point connection. Therefore, you can configure interface parameters such as hello packet interval on the virtual link as they are configured on physical interfaces.
  • Page 357 Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration Figure 4-5 NSSA area VI. Route summarization Route summarization: An ABR or ASBR summarizes routes with the same prefix into a single route and distributes it to other areas.
  • Page 358: Ospf Network Type

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 4 OSPF Configuration If this feature is configured on an ABR, the ABR will summarize Type-5 LSAs translated from Type-7 LSAs. VII. Route types OSPF prioritizes routes into four levels:...
  • Page 359 Point-to-point (P2P): If PPP or HDLC is adopted, OSPF defaults the network type to P2P. In a P2P network, protocol packets are sent in multicast (224.0.0.5).
  • Page 360 segment, and routing information is also exchanged between them. Once the DR becomes invalid, the BDR becomes a DR. Since no re-election is needed and the adjacencies already exist, the switchover process is very short.
  • Page 361: Ospf Configuration Task List

    The priority of a router affects the DR and BDR election. However, it has no effect on the election after the DR and BDR election ends. A new priority assigned to the router takes effect at the time of next DR and BDR election.
  • Page 362: Basic Ospf Configuration

    Task                                                               Remarks
    OSPF Route Control   Configuring OSPF Route Summarization          Optional
    OSPF Route Control   Configuring OSPF to Filter Received Routes    Optional
    OSPF Route Control   Configuring the OSPF Cost on an Interface     Optional
    OSPF Route Control   Configuring OSPF Route Priority...
  • Page 363 Configuring router ID
    To ensure stable OSPF operation, you should determine the division of router IDs and manually configure them when implementing network planning. When you configure router IDs manually, make sure each router ID is uniquely used by one router in the AS.
  • Page 364: Ospf Area Attribute Configuration

    Note: In router ID selection, the priorities of the router IDs configured with the ospf [ process-id [ router-id router-id ] ] command, the router id command, and the priorities of the router IDs automatically selected are in a descending order.
  • Page 365: Ospf Network Type Configuration

    To do...             Use the command...                            Remarks
    Enter system view    system-view                                   —
    Enter OSPF view      ospf [ process-id [ router-id router-id ] ]   —
    Enter OSPF area view —...
  • Page 366: Configuring The Network Type Of An Ospf Interface

    Configure the network type of an interface as P2MP if not all the routers are directly accessible on an NBMA network. You can also configure the network type of an interface to P2P if the router has only one peer on the NBMA network.
  • Page 367: Configuring An Nbma/P2Mp Neighbor

    4.5.3 Configuring an NBMA/P2MP Neighbor
    When the network type of an interface on the router is one of the following types, you need to specify the IP address of the neighbor router:...
  • Page 368: Ospf Route Control

    Note: The DR priorities configured by the ospf dr-priority command and the peer command have different purposes: The priority set with the ospf dr-priority command is used for actual DR election.
  • Page 369: Configuring Ospf To Filter Received Routes

    To do...                         Use the command...                          Remarks
    Enable ABR route summarization   abr-summary ip-address mask [ advertise |   Required. This command takes effect only when it is configured on an ABR. By...
  • Page 370: Configuring The Ospf Cost On An Interface

    4.6.4 Configuring the OSPF Cost on an Interface
    Follow these steps to configure the OSPF cost on an interface:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —...
  • Page 371: Configuring Ospf To Redistribute External Routes

    To do...                                           Use the command...        Remarks
    Configure the maximum number of OSPF ECMP routes   multi-path-number value   Optional. 4 by default
    4.6.7 Configuring OSPF to Redistribute External Routes
    Follow these steps to configure OSPF to redistribute external routes:
    To do...
  • Page 372: Ospf Network Adjustment And Optimization

    Note: The import-route command cannot import the default route. To import the default route, you must use the default-route-advertise command. The filtering of advertised routes by OSPF means that OSPF only converts the external routes meeting the filter criteria into Type-5 or Type-7 LSAs and advertises them.
  • Page 373 neighbor within the retransmission interval, it retransmits the LSA to the neighbor.
    Follow these steps to configure OSPF timers:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —...
  • Page 374: Configuring The Lsa Transmission Delay

    4.7.3 Configuring the LSA transmission delay
    Follow these steps to configure the LSA transmission delay:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —...
  • Page 375: Configuring Ospf Authentication

    To do...             Use the command...                            Remarks
    Enter system view    system-view                                   —
    Enter OSPF view      ospf [ process-id [ router-id router-id ] ]   —
    Required Disable OSPF packet...
  • Page 376: Configuring The Mtu Field In Dd Packets

    To do...                                   Use the command...                                 Remarks
    Configure the authentication mode of the   ospf authentication-mode { simple password | md5   Optional. By default, OSPF packets are not...
  • Page 377: Enabling Ospf Logging Of Neighbor State Changes

    4.7.8 Enabling OSPF Logging of Neighbor State Changes
    Follow these steps to enable OSPF logging of neighbor state changes:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —...
  • Page 378: Displaying And Maintaining Ospf Configuration

    4.8 Displaying and Maintaining OSPF Configuration
    To do...                          Use the command...                     Remarks
    Display the router ID             display router id
    Display brief information about   display ospf [ process-id ] brief...
  • Page 379: Ospf Configuration Examples

    4.9 OSPF Configuration Examples
    4.9.1 Configuring DR/BDR Election
    I. Network requirements
    Use OSPF to realize interconnection between devices in a broadcast network. Devices with higher performance should become the DR and BDR to improve network performance.
  • Page 380
    [SwitchB-Vlan-interface1] ip address 196.1.1.2 255.255.255.0
    [SwitchB-Vlan-interface1] ospf dr-priority 0
    [SwitchB-Vlan-interface1] quit
    [SwitchB] router id 2.2.2.2
    [SwitchB] ospf
    [SwitchB-ospf-1] area 0
    [SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
    # Configure Switch C.
  • Page 381: Configuring Ospf Virtual Link

    display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) becomes the DR and Switch B becomes BDR now.
  • Page 382 III. Configuration procedure
    # Configure Switch A.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    [SwitchA] router id 1.1.1.1
    [SwitchA] ospf
    [SwitchA-ospf-1] area 0
    [SwitchA-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255...
  • Page 383: Troubleshooting Ospf Configuration

    [SwitchC-ospf-1-area-0.0.0.2] network 152.1.1.0 0.0.0.255
    4.10 Troubleshooting OSPF Configuration
    4.10.1 Unable to Establish a Neighbor Relationship between Routers
    I. Symptom
    No neighbor relationship can be established between neighboring routers.
  • Page 384 If multiple areas are configured on the router, check that one is specified as the backbone area. Check that the backbone area is fully meshed. Check that the backbone area is not configured as a Stub area or NSSA area.
  • Page 385: Bgp Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 5 BGP Configuration Chapter 5 BGP Configuration When configuring BGP, go to these sections for information you are interested in: BGP Overview BGP Configuration Task List Displaying and Maintaining BGP Configuration...
  • Page 386: Bgp Message Type

    The AS path information used in BGP eliminates route loops thoroughly. In BGP, multiple routing policies are available for filtering and choosing routes in a flexible way.
  • Page 387 Type: 1 byte in length. This field indicates the type of a BGP packet. Its value ranges from 1 to 5, which represent Open, Update, Notification, Keepalive, and Route-refresh packets.
  • Page 388 Figure 5-3 BGP Update message format
    An Update message can advertise a group of reachable routes with the same path attribute. These routes are set in the NLRI (network layer reachability information) field.
  • Page 389: Bgp Route Attributes

    Data: Used to further determine the cause of errors. Its content is the error data which depends on the specific error code and error subcode. Its length is unfixed.
  • Page 390 Table 5-1 BGP route attributes and the corresponding categories
    BGP route attribute   Category
    ORIGIN                Well-known mandatory
    AS_PATH               Well-known mandatory
    NEXT_HOP              Well-known mandatory
    LOCAL_PREF            Well-known discretionary
    ATOMIC_AGGREGATE...
  • Page 391 [Figure 5-6 AS_PATH attribute]
    Normally, a router with BGP employed discards the routes that contain local AS number in the AS_PATH attribute.
  • Page 392 When a BGP speaker advertises a route generated by itself to all its neighbors, it sets the NEXT_HOP attribute of the routing information to the address of its own interface connecting to the peer.
  • Page 393 [Figure: network diagram of Router A, Router B, Router C and Router D across AS 10 and AS 20, annotated with NEXT_HOP and MED values]...
  • Page 394: Bgp Routing Policy

    [Figure: network diagram of Router A, Router B, Router C and Router D across AS 10 and AS 20, annotated with NEXT_HOP and LOCAL_PREF values]...
  • Page 395: Problems In Large-Scale Bgp Networks

    Prefers the route with the shortest AS path. Chooses routes in the order of the route ORIGIN type, that is, the order of IGP, EGP, and Incomplete.
  • Page 396 In most cases, BGP is applied in complicated networks where route changes are frequent. To avoid the adverse effects of route flaps, BGP uses route dampening to suppress unstable routes.
  • Page 397 Caution: If a BGP peer and the peer group containing the BGP peer are configured differently, the last configuration takes effect.
    IV. Community
    Unlike a peer group, a community lets you apply the same policy to BGP routers residing in different ASs.
  • Page 398 Figure 5-11 Diagram for the route reflector
    An RR and all its clients form a cluster. To ensure network reliability and avoid single-point failure, you can configure more than one RR in a cluster. In this case, make sure all the RRs in the cluster are configured with the same cluster ID to avoid routing loops.
  • Page 399 VI. Confederation
    Confederation is another way to limit the number of IBGP connections in an AS. It divides an AS into multiple sub-ASs. The IBGP peers in each sub-AS are fully connected.
  • Page 400: Protocol Standard

    MP-BGP is backward compatible. It can communicate with routers running BGP-4.
    II. Extended attribute of MP-BGP
    Among the different types of BGP-4 packets, all the information concerning IPv4 is carried by Update packets.
  • Page 401: Bgp Configuration Task List

    5.2 BGP Configuration Task List
    Complete the following tasks to configure BGP:
    Task                      Remarks
    Basic BGP Configuration   Required
    Importing Routes          Optional
    Configuring BGP Route Optional Enabling Default Route Advertising...
  • Page 402: Configuring Bgp Multicast Address Family

    Before performing basic BGP configuration, make sure the following are available.
    Local AS number
    IPv4 address and AS number of the peers
    Source interface of update packets (optional).
  • Page 403
    To do...                        Use the command...                        Remarks
    Activate a specified BGP peer   peer { group-name | ip-address } enable   Optional. By default, a BGP peer is active.
  • Page 404: Configuring The Way To Advertise/Receive Routing Information

    You can specify a router ID manually. If not, the system selects an IP address as the router ID. The selection sequence is: If loopback interface addresses are available, the last configured loopback interface IP address is used as the router ID;...
  • Page 405: Configuring Bgp Route Summarization

    To do...                                                               Use the command...                                                       Remarks
    Enable route redistribution from another routing protocol or another   import-route protocol [ process-id ] [ med med-value | route-policy...   Required
  • Page 406: Enabling Default Route Advertising

    The routes injected with the network command cannot be summarized in the automatic mode. Manual summary routes enjoy higher priority than automatic ones. Follow these steps to configure BGP route summarization: To do...
  • Page 407: Configuring Bgp Route Reception Filtering Policies

    To do...                          Use the command...                                        Remarks
    Enter system view                 system-view                                               —
    Enter BGP view                    bgp as-number                                             —
    Filter the advertised routes...   filter-policy { acl-number | ip-prefix ip-prefix-name }   Required
  • Page 408: Disable Bgp-Igp Route Synchronization

    To do... Use the command... Remarks filter-policy Required { acl-number | gateway By default, the Filter the received global routing ip-prefix-name | received routing information ip-prefix ip-prefix-name...
  • Page 409: Configuring Bgp Route Dampening

    To do...                                Use the command...     Remarks
    Disable BGP-IGP route synchronization   undo synchronization   Required. By default, BGP routes and IGP routes are not synchronized.
    Caution: BGP-IGP route synchronization is not supported on the switches.
  • Page 410: Configuring Bgp Route Attributes

    5.5 Configuring BGP Route Attributes
    5.5.1 Configuration Prerequisites
    Before configuring BGP routing policy, enable basic BGP functions. Before configuring BGP routing policy, make sure the following information is available.
  • Page 411 To do... Use the command... Remarks Required In some networks, to ensure an IBGP neighbor locates the Configure the local address correct next hop, you can...
  • Page 412: Tuning And Optimizing A Bgp Network

    Caution: Using routing policy, you can configure the preference for the routes that match the filtering conditions. As for the unmatched routes, the default preference is adopted.
  • Page 413 the BGP route-refresh function. With route-refresh function enabled on all the routers, if BGP routing policy changes, the local router sends refresh messages to its peers.
  • Page 414 To do... Use the command... Remarks Optional By default, the interval at which a peer group Configure the interval at which peer group-name sends the same route...
  • Page 415: Configuring A Large-Scale Bgp Network

    5.7 Configuring a Large-Scale BGP Network
    In a large-scale network, there are large numbers of peers, and configuring and maintaining them becomes a major burden. Using peer groups eases management and improves route sending efficiency.
  • Page 416
    To do...                    Use the command...              Remarks
    Create an IBGP peer group   group group-name [ internal ]   Optional. If the command is executed without the internal or...
  • Page 417: Configuring Bgp Community

    5.7.3 Configuring BGP Community
    Follow these steps to configure BGP community:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —
    Enter BGP view       bgp as-number        —...
  • Page 418: Configuring Bgp Confederation

    To do... Use the command... Remarks Optional Configure cluster ID of an reflector cluster-id By default, an RR uses its cluster-id own router ID as the cluster ID.
  • Page 419: Displaying And Maintaining Bgp Configuration

    Caution: A confederation can include up to 32 sub-ASs. The AS number used by a sub-AS which is configured to belong to a confederation is only valid inside the confederation.
  • Page 420: Resetting Bgp Connections

    To do...                                           Use the command...                                                                      Remarks
    Display routes with different source ASs           display bgp [ multicast ] routing different-origin-as
    Display statistic information about route flaps.   display bgp routing flap-info [ regular-expression as-regular-expression | as-path-acl
  • Page 421: Bgp Configuration Examples

    5.8.3 Clearing BGP Information
    To do...                                                Use the command...                                    Remarks
    Clear the route dampening information and release the   reset bgp dampening [ network-address [ mask ] ]...
  • Page 422 III. Configuration plan
    Split AS 100 into three sub-ASs: AS 1001, AS 1002, and AS 1003. Run EBGP between AS 1001, AS 1002, and AS 1003.
  • Page 423 5.9.2 Configuring BGP RR
    I. Network requirements
    BGP runs in a large AS of a company. As the number of IBGP peers increases rapidly in the AS, more network resources for BGP communication are occupied. The customer hopes to reduce IBGP peers to minimize the CPU and network resources consumption by BGP without affecting device performance.
  • Page 424
    [SwitchA] interface Vlan-interface 100
    [SwitchA-Vlan-interface100] ip address 1.1.1.1 255.0.0.0
    [SwitchA-Vlan-interface100] quit
    [SwitchA] bgp 100
    [SwitchA-bgp] group ex external
    [SwitchA-bgp] peer 192.1.1.2 group ex as-number 200
    [SwitchA-bgp] network 1.0.0.0 255.0.0.0
    Configure Switch B.
  • Page 425: Configuring Bgp Path Selection

    [SwitchD] interface vlan-interface 4
    [SwitchD-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
    [SwitchD-Vlan-interface4] quit
    # Configure a BGP peer.
    [SwitchD] bgp 200
    [SwitchD-bgp] group in internal
    [SwitchD-bgp] peer 194.1.1.1 group in
    Use the display bgp routing command to display the BGP routing table on Switch B.
  • Page 426 II. Network diagram
    Figure 5-16 shows the network diagram.
    Device     Interface      IP address
    Switch A   Vlan-int 101   1.1.1.1/8
    Switch A   Vlan-int 2     192.1.1.1/24
    Switch A   Vlan-int 3     193.1.1.1/24
    Switch B   Vlan-int 2     192.1.1.2/24...
  • Page 427
    [SwitchA-Vlan-interface3] quit
    # Enable BGP.
    [SwitchA] bgp 100
    # Inject network 1.0.0.0/8.
    [SwitchA-bgp] network 1.0.0.0
    # Configure BGP peers.
    [SwitchA-bgp] group ex192 external
    [SwitchA-bgp] peer 192.1.1.2 group ex192 as-number 200
    [SwitchA-bgp] group ex193 external
    [SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200...
  • Page 428: Configure Ospf

    <SwitchB> system-view
    [SwitchB] interface vlan 2
    [SwitchB-Vlan-interface2] ip address 192.1.1.2 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    [SwitchB] interface Vlan-interface 4
    [SwitchB-Vlan-interface4] ip address 194.1.1.2 255.255.255.0
    [SwitchB-Vlan-interface4] quit
    # Configure OSPF.
  • Page 429
    [SwitchC-bgp] undo synchronization
    [SwitchC-bgp] group ex external
    [SwitchC-bgp] peer 193.1.1.1 group ex as-number 100
    [SwitchC-bgp] group in internal
    [SwitchC-bgp] peer 195.1.1.1 group in
    [SwitchC-bgp] peer 194.1.1.2 group in
    Configure Switch D.
  • Page 430: Troubleshooting Bgp Configuration

    [SwitchC-acl-basic-2000] quit
    # Create a routing policy named localpref, and specify node 10 with the permit matching mode for the routing policy. Set the local preference value of the route...
  • Page 431 If a loopback interface is used, check whether the peer connect-interface command is configured. If the neighbor is not directly connected, check whether the peer ebgp-max-hop command is configured.
  • Page 432: Ip Routing Policy Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 6 IP Routing Policy Configuration Chapter 6 IP Routing Policy Configuration When configuring an IP routing policy, go to these sections for information you are interested in: IP Routing Policy Overview...
  • Page 433 6.1.2 Filters
    A routing protocol can reference an ACL, IP-prefix, as-path, community-list, or routing policy to filter routing information. The following sections describe these filters.
  • Page 434: Ip Routing Policy Configuration Task List

    comprises a set of if-match and apply clauses. The if-match clauses define the matching rules. The matching objects are some attributes of routing information. The relationship among the if-match clauses for a node is “AND”.
  • Page 435: Defining A Routing Policy

    Configuring a filtering list,
    Configuring a routing protocol
    Prepare the following data before the configuration:
    Routing policy name and node number
    Match conditions
    Route attributes to be changed
    6.3.2 Defining a Routing Policy...
  • Page 436: Defining If-Match Clauses And Apply Clauses

    6.3.3 Defining if-match Clauses and apply Clauses
    Follow these steps to define if-match clauses and apply clauses:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —...
  • Page 437
    To do...                                                        Use the command...                                                       Remarks
    Configure COMMUNITY attributes for BGP routing information...   apply community { { aa:nn&<1-13> | no-export-subconfed | no-export |   Optional
  • Page 438: Ip-Prefix Configuration

    Note: A routing policy comprises multiple nodes. There is an OR relationship between the nodes in a routing policy. As a result, the system examines the nodes in sequence, and once the route matches a node in the routing policy, it will pass the matching test of the routing policy without entering the test of the next node.
  • Page 439: As Path List Configuration

    To do...             Use the command...                                                                 Remarks
    Enter system view    system-view                                                                        —
    Configure an IPv4    ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network...    Required
  • Page 440: Displaying Ip Routing Policy

    99, and the latter one’s ranges from 100 to 199. Follow these steps to configure a community list: To do... Use the command... Remarks...
  • Page 441 II. Network diagram
    [Figure: network diagram of Switch A and Switch B (labels: Static 20.0.0.0/8, 30.0.0.0/8, 40.0.0.0/8; Area 0; Vlan-Int 200 12.0.0.1/8; 10.0.0.2/8; 10.0.0.1/8; Vlan-Int 100; Router ID: 2.2.2.2; Router ID: 1.1.1.1)]...
  • Page 442
    [SwitchA-acl-basic-2000] quit
    # Configure a routing policy.
    [SwitchA] route-policy ospf permit node 10
    [SwitchA-route-policy] if-match acl 2000
    [SwitchA-route-policy] quit
    # Apply routing policy when the static routes are imported.
  • Page 443: Controlling Rip Packet Cost To Implement Dynamic Route Backup

    6.8.2 Controlling RIP Packet Cost to Implement Dynamic Route Backup
    I. Network requirements
    The required speed of convergence in the small network of a company is not high.
  • Page 444 For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C.
  • Page 445
    [SwitchC-route-policy] if-match ip-prefix 1
    [SwitchC-route-policy] apply cost 5
    [SwitchC-route-policy] quit
    # Create node 20 with the matching mode being permit in the routing policy. Define if-match clauses.
  • Page 446 V. Configuration verification
    Display data forwarding paths when the main link of the OA server between Switch A and Switch C works normally.
    <SwitchC> display ip routing-table...
  • Page 447: Troubleshooting Ip Routing Policy

    If the cost of a received RIP route is equal to 16, the cost specified by the apply cost command in a routing policy will not be applied to the route, that is, the cost of the route is equal to 16.
  • Page 448: Route Capacity Configuration Overview

    Operation Manual – Routing Protocol H3C S5600 Series Ethernet Switches Chapter 7 Route Capacity Configuration Chapter 7 Route Capacity Configuration When configuring route capacity, go to these sections for information you are interested in: Route Capacity Configuration Overview Route Capacity Limitation Configuration...
  • Page 449: Route Capacity Limitation

    7.1.2 Route Capacity Limitation
    Huge routing tables are usually caused by OSPF route entries and BGP route entries. Therefore, the route capacity limitation of a switch applies only to OSPF routes and BGP routes, instead of static routes and RIP routes.
  • Page 450: Enabling/Disabling Automatic Protocol Recovery

    7.2.2 Enabling/Disabling Automatic Protocol Recovery
    Follow these steps to enable automatic protocol recovery:
    To do...             Use the command...   Remarks
    Enter system view    system-view          —
    Optional...
  • Page 451 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 Multicast Overview
    1.1 Multicast Overview
    1.1.1 Information Transmission in the Unicast Mode
    1.1.2 Information Transmission in the Broadcast Mode
    1.1.3 Information Transmission in the Multicast Mode...
  • Page 452 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Table of Contents
    3.2.6 Configuring a Multicast Group Filter
    3.2.7 Configuring Simulated Joining
    3.2.8 Configuring IGMP Proxy
    3.2.9 Removing Joined IGMP Groups from an Interface
    3.3 Displaying and Maintaining IGMP...
  • Page 453 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Table of Contents
    5.3.4 Configuring MSDP Peer Connection Control
    5.4 Configuring SA Message Transmission
    5.4.1 Configuration Prerequisites
    5.4.2 Configuring RP Address in SA Messages
    5.4.3 Configuring SA Message Cache
    5.4.4 Configuring the Transmission and Filtering of SA Request Messages...
  • Page 454: Multicast Overview

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview Chapter 1 Multicast Overview Note: In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 455: Information Transmission In The Broadcast Mode

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview Figure 1-1 Information transmission in the unicast mode Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted...
  • Page 456: Information Transmission In The Multicast Mode

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview Figure 1-2 Information transmission in the broadcast mode Assume that Hosts B, D, and E need the information. The source server broadcasts this information through routers, and Hosts A and C on the network also receive this information.
  • Page 457: Roles In Multicast

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview [Figure 1-3 Information transmission in the multicast mode: a source server, Hosts A through E with Hosts B, D and E marked as receivers, and the packets for the multicast group] Assume that Hosts B, D and E need the information.
  • Page 458: Advantages And Applications Of Multicast

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview A router that supports Layer 3 multicast is called multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 459: Multicast Models

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview Multicast provides the following applications: Applications of multimedia and flow media, such as Web TV, Web radio, and real-time video/audio conferencing. Communication for training and cooperative operations, such as remote education.
  • Page 460: Multicast Architecture

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview 1.3 Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers.
  • Page 461 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview packets. Class D address must not appear in the IP address field of a source IP address of IP packets. Class E IP addresses are reserved for future use.
  • Page 462 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview Table 1-3 Reserved IP multicast addresses
    Class D address range | Description
    224.0.0.1 | Address of all hosts
    224.0.0.2 | Address of all multicast routers
    224.0.0.3 | Unassigned
    224.0.0.4 | Distance Vector Multicast Routing Protocol...
  • Page 463: Multicast Protocols

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview II. Ethernet multicast MAC address When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members.
  • Page 464 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview I. Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols. Figure 1-5 describes where these multicast protocols are in a network.
  • Page 465: Multicast Packet Forwarding Mechanism

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include Multicast Source Discovery Protocol (MSDP). For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes.
  • Page 466: Implementation Of The Rpf Mechanism

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface. The result of the RPF check determines whether the packet will be forwarded or discarded.
  • Page 467 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 1 Multicast Overview unicast routing information in creating multicast routing entries. When performing an RPF check, a router searches its unicast routing table. The specific process is as follows: The router automatically chooses an optimal unicast route by searching its unicast routing table, using the IP address of the “packet source”...
  • Page 468: Common Multicast Configuration

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Chapter 2 Common Multicast Configuration Note: In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 469: Enabling Multicast Routing

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Follow these steps to enable multicast packet buffering: To do... Use the command... Remarks Enter system view system-view — Optional Enable multicast packet multicast By default, this function is...
  • Page 470: Configuring Limit On The Number Of Route Entries

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Caution: IGMP, PIM and MSDP configurations can be performed or can take effect only if multicast routing has been enabled. 2.1.3 Configuring Limit on the Number of Route Entries Too many multicast routing entries can exhaust the router’s memory and thus result in...
  • Page 471: Configuring A Multicast Mac Address Entry

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Optional Configure multicast Multicast source port multicast-source-deny...
  • Page 472: Configuring Dropping Unknown Multicast Packets

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Follow these steps to configure a multicast MAC address entry in system view: To do... Use the command... Remarks Enter system view system-view — Required mac-address multicast...
  • Page 473: Tracing A Multicast Path

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Follow these steps to configure dropping unknown multicast packets: To do... Use the command... Remarks Enter system view system-view — Required Configure dropping unknown-multicast By default, the function of...
  • Page 474 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 2 Common Multicast Configuration Follow these commands to display common multicast configuration: To do... Use the command... Remarks Display the statistics display multicast-source-deny information about Available in [ interface interface-type...
  • Page 475: Igmp Overview

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration Chapter 3 IGMP Configuration Note: In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 476 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration In IGMPv1, the designated router (DR) elected by a multicast routing protocol (such as PIM) serves as the IGMP querier. For more information about a DR, refer to election.
  • Page 477: Enhancements Provided By Igmpv

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration Through the above-mentioned query/report process, the IGMP routers learn that members of G1 and G2 are attached to the local subnet, and generate (*, G1) and (*, G2) multicast forwarding entries, which will be the basis for subsequent multicast forwarding, where * represents any multicast source.
  • Page 478: Igmp Proxy

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration This host sends a Leave Group message (often referred to as leave message) to all routers (the destination address is 224.0.0.2) on the local subnet. Upon receiving the leave message, the querier sends a configurable number of group-specific queries to the group being left.
  • Page 479: Configuring Igmp

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration Figure 3-2 shows an IGMP Proxy diagram for a stub network. The upstream interface, VLAN-interface 1 of Switch B is the proxy interface for the downstream interface VLAN-interface 2.
  • Page 480: Configuring Igmp Version

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration 3.2.2 Enabling IGMP First, IGMP must be enabled on the interface on which the multicast group memberships are to be established and maintained. Follow these steps to enable IGMP: To do...
  • Page 481: Configuring Options Related To Igmp Query Messages

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration 3.2.4 Configuring Options Related to IGMP Query Messages I. IGMP general query An IGMP router sends IGMP general query messages to the local subnet periodically, and multicast receiver hosts send IGMP reports in response to IGMP queries. Thus the router learns which multicast groups on the subnet have active members.
  • Page 482: Configuring The Maximum Allowed Number Of Multicast Groups

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration command, the current IGMP querier is considered to be down. In this case, a new IGMP querier election process takes place. IV. The maximum response time of IGMP general query messages When the host receives a general query message, it will set a timer for each of its multicast groups.
  • Page 483: Configuring A Multicast Group Filter

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration Follow these steps to configure the maximum number of multicast groups allowed on an interface:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    ...
  • Page 484: Configuring Simulated Joining

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    In VLAN igmp group-policy interface acl-number [ 1 | 2 |...
  • Page 485 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration When receiving an IGMP general query, the simulated host responds with an IGMP report. Meanwhile, the simulated host sends the same IGMP report to itself to ensure that the IGMP entry does not age out.
  • Page 486: Configuring Igmp Proxy

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration 3.2.8 Configuring IGMP Proxy Follow these steps to configure IGMP proxy: To do... Use the command... Remarks Enter system view system-view — interface Vlan-interface Enter VLAN interface view —...
  • Page 487: Displaying And Maintaining Igmp

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 3 IGMP Configuration Caution: After a multicast group is removed from an interface, the multicast group can join the group again. 3.3 Displaying and Maintaining IGMP To do... Use the command...
  • Page 488: Chapter 4 Pim Configuration

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Chapter 4 PIM Configuration When configuring PIM, go to these sections for information you are interested in: PIM Overview Configuring PIM-DM Configuring PIM-SM Configuring Common PIM Parameters...
  • Page 489: Introduction To Pim-Dm

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Note: To facilitate description, a network comprising PIM-capable routers is referred to as a “PIM domain” in this document. 4.1.1 Introduction to PIM-DM PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely distributed multicast members.
  • Page 490 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Note: Every activated interface on a router sends hello messages periodically, and thus learns the PIM neighboring information pertinent to the interface. II. SPT building The process of building an SPT is the process of “flood and prune”.
  • Page 491 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Figure 4-1 SPT building The “flood and prune” process takes place periodically. A pruned state timeout mechanism is provided. A pruned branch restarts multicast forwarding when the pruned state times out and then is pruned again when it no longer has any multicast receiver.
  • Page 492: Introduction To Pim-Sm

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration IV. Assert If multiple multicast routers exist on a multi-access subnet, duplicate packets may flow to the same subnet. To shut off duplicate flows, the assert mechanism is used for election of a single multicast forwarder on a multi-access network.
  • Page 493: How Pim-Sm Works

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration multicast forwarding, and is suitable for large- and medium-sized networks with sparsely and widely distributed multicast group members. The basic implementation of PIM-SM is as follows: PIM-SM assumes that no hosts need to receive multicast data. In the PIM-SM mode, routers must specifically request a particular multicast stream before the data is forwarded to them.
  • Page 494 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration I. Neighbor discovery PIM-SM uses exactly the same neighbor discovery mechanism as PIM-DM does. Refer to Neighbor discovery. II. DR election PIM-SM also uses hello messages to elect a designated router (DR) for a multi-access network.
  • Page 495 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Routers on the multi-access network send hello messages to one another. The hello messages contain the router priority for DR election. The router with the highest DR priority will become the DR.
  • Page 496 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Figure 4-4 BSR and C-RPs IV. RPT building Figure 4-5 Building an RPT in PIM-SM As shown in Figure 4-5, the process of building an RPT is as follows: When a receiver joins a multicast group G, it uses an IGMP message to inform the directly connected DR.
  • Page 497 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration The multicast data addressed to the multicast group G flows through the RP, reaches the corresponding DR along the established RPT, and finally is delivered to the receiver.
  • Page 498: Configuring Pim-Dm

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration When the RP receives the register message, on one hand, it extracts the multicast packet from the register message and forwards the multicast packet down the RPT, and, on the other hand, it sends an (S, G) join message hop by hop toward the multicast source.
  • Page 499: Configuring Pim-Sm

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable multicast routing | multicast routing-enable | Required. Disabled by default
    Enter interface view | interface interface-type interface-number | —
    ...
  • Page 500: Configuring An Rp

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration 4.3.2 Configuring an RP An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job. Generally, static RP configuration is just a backup means for the dynamic RP election mechanism to enhance the robustness and operation manageability of a multicast network.
  • Page 501: Configuring A Bsr

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration
    To do: Configure candidate RPs
    Use the command: c-rp interface-type interface-number [ group-policy acl-number | priority priority ]*
    Remarks: Optional. By default, candidate RPs are not set for the switch and the value of priority is 0.
  • Page 502 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration the PIM-SM domain. The following are typical BSR spoofing cases and the corresponding preventive measures: Some maliciously configured hosts can forge bootstrap messages to fool routers and change RP mappings. Such attacks often occur on border routers. Because a...
  • Page 503: Filtering The Registration Packets From Dr To Rp

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration II. Configuring a PIM-SM domain border As the administrative core of a PIM-SM domain, the BSR sends the collected RP-Set information in the form of bootstrap messages to all routers in the PIM-SM domain.
  • Page 504: Disabling Rpt-To-Spt Switchover

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration
    To do: Configure to filter the registration packets from RP to DR
    Use the command: register-policy acl-number
    Remarks: Required. By default, the switch does not filter the registration packets from DR.
  • Page 505: Configuring A Multicast Data Filter

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration
    Task | Remarks
    Configuring a Multicast Data Filter | Optional
    Configuring the Hello Interval | Optional
    Configuring PIM Neighbors | Optional
    Configuring Multicast Source Lifetime | Optional
    Clearing the Related PIM Entries | Optional
    4.4.1 Configuring a Multicast Data Filter...
  • Page 506: Configuring Pim Neighbors

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Follow these steps to configure the Hello interval:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Required...
  • Page 507: Configuring Multicast Source Lifetime

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Caution: If the number of existing PIM neighbors exceeds the user-defined limit, the existing PIM neighbors will not be deleted. 4.4.4 Configuring Multicast Source Lifetime Initially, some data is lost when multicast receivers receive multicast data from a multicast source.
  • Page 508: Displaying And Maintaining Pim

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Follow these steps to clear the related PIM entries: To do... Use the command... Remarks reset pim routing-table { all | { group-address [ mask { mask-length | mask } ] | source-address...
  • Page 509 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Switch D connects to the network that comprises the multicast source (Source) through VLAN-interface 300. Switch A connects to stub network N1 through VLAN-interface 100, and to Switch D through VLAN-interface 103.
  • Page 510 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration and Switch D in the PIM-DM domain and enable dynamic update of routing information among the switches through a unicast routing protocol. Detailed configuration steps are omitted here.
  • Page 511: Pim-Sm Configuration Example

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration 192.168.3.1 Vlan-interface1 00:49:08 00:01:34 Use the display pim routing-table command to view the PIM routing table information on each switch. For example: # View the PIM routing table information on Switch A.
  • Page 512 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Switch D connects to the network that comprises the multicast source (Source) through VLAN-interface 300. Switch A connects to stub network N1 through VLAN-interface 100, and to Switch D and Switch E through VLAN-interface 101 and VLAN-interface 102 respectively.
  • Page 513 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration III. Configuration procedure Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 4-8.
  • Page 514 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration IV. Verifying the configuration # Display PIM neighboring relationships on Switch E. <SwitchE> display pim neighbor Neighbor's Address Interface Name Uptime Expires 192.168.9.1 Vlan-interface102 02:47:04 00:01:42 192.168.2.1...
  • Page 515 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2 Downstream interface list: Vlan-interface100, Protocol 0x1: IGMP, never timeout Matched 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry The displayed information of Switch B and Switch C is similar to that of Switch A.
  • Page 516: Troubleshooting Pim

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 4 PIM Configuration 4.7 Troubleshooting PIM Symptom: The router cannot set up multicast routing tables correctly. Solution: You can troubleshoot PIM according to the following procedure. Make sure that the unicast routing is correct before troubleshooting PIM.
  • Page 517: Chapter 5 Msdp Configuration

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration Chapter 5 MSDP Configuration When configuring MSDP, go to these sections for information you are interested in: MSDP Overview Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers...
  • Page 518: How Msdp Works

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration MSDP achieves this objective. By establishing MSDP peer relationships among RPs of different PIM-SM domains, source active (SA) messages can be forwarded among domains and the multicast source information can be shared.
  • Page 519 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration multicast source information out of the PIM-SM domain. Receiver-side MSDP peer: the MSDP peer nearest to the receivers, typically the source-side RP, like RP 3. Upon receiving an SA message, the receiver-side MSDP peer resolves the multicast source information carried in the message and joins the SPT rooted at the source across the PIM-SM domain.
  • Page 520 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration [Figure labels: Receiver, Source, DR 1, DR 2, RP 1, RP 2, RP 3, PIM-SM 1, PIM-SM 2, PIM-SM 4. Legend: MSDP peers, multicast packets, SA message, join message, register message...]
  • Page 521 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration If so, the RPT for the multicast group G is maintained between RP 2 and the receivers. RP 2 creates an (S, G) entry, and sends an (S, G) join message hop by hop towards DR 1 at the multicast source side, so that it can directly join the SPT rooted at the source over other PIM-SM domains.
  • Page 522 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration [Figure labels: Source, RP 1, RP 2, RP 3, RP 4, RP 5, RP 8, RP 9, AS 1, AS 2, AS 3, AS 5, mesh group, MSDP peers...]
  • Page 523 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration An EBGP route exists between two MSDP peers in different ASs. Because the SA message is from an MSDP peer (RP 7) in a different AS, and the MSDP peer is the next hop on the EBGP route to the source-side RP, RP 8 accepts the message and forwards it to its other peer (RP 9).
  • Page 524: Protocols And Standards

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration The multicast source registers with the nearest RP. In this example, Source registers with RP 1, with its multicast data encapsulated in the register message. When the register message arrives at RP 1, RP 1 decapsulates the message.
  • Page 525: Configuring Msdp Basic Functions

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.2 Configuring MSDP Basic Functions A route is required between two routers that are MSDP peers to each other. Through this route, the two routers can transfer SA messages between PIM-SM domains. For an area containing only one MSDP peer, known as a stub area, the route is not compulsory.
  • Page 526: Configuring Connection Between Msdp Peers

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration
    To do: Create an MSDP peer connection
    Use the command: peer peer-address connect-interface interface-type interface-number
    Remarks: Required. No MSDP peer connection is created by default.
    Optional static-rpf-peer...
  • Page 527: Configuring Description Information For Msdp Peers

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.3.2 Configuring Description Information for MSDP Peers You can configure description information for each MSDP peer to manage and memorize the MSDP peers. Follow these steps to configure description information for an MSDP peer: To do...
  • Page 528: Configuring Sa Message Transmission

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration SA messages cannot be transmitted between these two peers. On the other hand, when resetting an MSDP peering relationship between faulty MSDP peers or bringing faulty MSDP peers back to work, you can adjust the retry interval of establishing a peering relationship through the following configuration.
  • Page 529: Configuration Prerequisites

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.4.1 Configuration Prerequisites Before you configure SA message transmission, perform the following tasks: Configuring a unicast routing protocol. Configuring basic IP multicast functions. Configuring basic PIM-SM functions.
  • Page 530: Configuring Sa Message Cache

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration Note: In Anycast RP application, a C-BSR and a C-RP must be configured on different devices or ports. 5.4.3 Configuring SA Message Cache With the SA message caching mechanism enabled on the router, the group that a new...
  • Page 531: Configuring A Rule For Filtering The Multicast Sources Of Sa Messages

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration Follow these steps to configure the transmission and filtering of SA request messages:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter MSDP view | msdp | —
    ...
  • Page 532: Configuring A Rule For Filtering Received And Forwarded Sa Messages

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.4.6 Configuring a Rule for Filtering Received and Forwarded SA Messages Besides the creation of source information, controlling multicast source information allows you to control the forwarding and reception of source information. You can control the reception of SA messages using the MSDP inbound filter (corresponding to the import keyword);...
  • Page 533: Displaying And Maintaining Msdp

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.5 Displaying and Maintaining MSDP I. Displaying and maintaining MSDP To do... Use the command... Remarks Display the brief information of Available in any display msdp brief...
  • Page 534: Msdp Configuration Example

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.6 MSDP Configuration Example 5.6.1 Anycast RP Configuration I. Network requirements The PIM-SM domain has multiple multicast sources and receivers. OSPF runs within the domain to provide unicast routes.
  • Page 535 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration III. Configuration procedure Configure the interface IP addresses and unicast routing protocol for each switch Configure the IP address and subnet mask for each interface as per Figure 5-5.
  • Page 536 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration [SwitchB-pim] quit The configuration on Switch D is similar to the configuration on Switch B. Configure MSDP peers # Configure an MSDP peer on Loopback 0 of Switch B.
  • Page 537: Troubleshooting Msdp Configuration

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration Downstream interface list: Vlan-interface100, Protocol 0x1: IGMP, never timeout (10.110.5.100, 225.1.1.1) Protocol 0x20: PIMSM, Flag 0x4: SPT Uptime: 00:03:08, Timeout in 206 sec Upstream interface: Vlan-interface103, RPF neighbor: NULL...
  • Page 538: No Sa Entry In The Sa Cache Of The Router

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 5 MSDP Configuration 5.7.2 No SA Entry in the SA Cache of the Router I. Symptom An MSDP fails to send (S, G) forwarding entries through an SA message. II. Analysis You can use the import-source command to send the (S, G) entries of the local multicast domain to the neighboring MSDP peer through SA messages.
  • Page 539: Chapter 6 Igmp Snooping Configuration

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Chapter 6 IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping...
  • Page 540: Basic Concepts In Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration [Figure: multicast packet transmission without IGMP Snooping and when IGMP Snooping runs; each panel shows the multicast router, the source, a Layer 2 switch and the hosts...]
  • Page 541: Work Mechanism Of Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the Ethernet switch. In the figure, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
  • Page 542 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration II. When receiving a membership report A host sends an IGMP report to the multicast router in the following circumstances: Upon receiving an IGMP query, a multicast group member host responds with an IGMP report.
  • Page 543: Configuring Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 544: Enabling Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration
    Task | Remarks
    Configuring a Static Router Port | Optional
    Configuring a Port as a Simulated Group Member | Optional
    Configuring a VLAN Tag for Query Message | Optional
    Configuring Multicast VLAN | Optional
    6.2.1 Enabling IGMP Snooping...
  • Page 545: Configuring Timers

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Working with PIM-SSM, IGMPv3 enables hosts to join specific multicast sources and groups directly, greatly simplifying multicast routing protocols and optimizing the network topology. Follow these steps to configure the version of IGMP Snooping: To do...
  • Page 546: Configuring Fast Leave Processing

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration 6.2.4 Configuring Fast Leave Processing With fast leave processing enabled, when the switch receives an IGMP leave message on a port, the switch directly removes that port from the forwarding table entry for the specific group.
  • Page 547: Configuring A Multicast Group Filter

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Note: The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified;...
  • Page 548: Configuring The Maximum Number Of Multicast Groups On A Port

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration II. Configuring a multicast group filter in Ethernet port view Follow these steps to configure a multicast group filter in Ethernet port view: To do... Use the command...
  • Page 549: Configuring Igmp Snooping Querier

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration To do... Use the command... Remarks Required igmp-snooping Limit the number of group-limit limit [ vlan The maximum number of multicast groups on a port vlan-list...
  • Page 550: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration
    To do... | Use the command... | Remarks
    Enable IGMP Snooping | igmp-snooping enable | Required. By default, IGMP Snooping is disabled.
    Enable IGMP Snooping querier | igmp-snooping querier | Required. By default, IGMP Snooping querier is disabled.
  • Page 551: Configuring Static Member Port For A Multicast Group

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Note: If the function of dropping unknown multicast packets or the IRF fabric function is enabled, you cannot enable unknown multicast flooding suppression. Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time.
  • Page 552: Configuring A Static Router Port

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Caution: You can configure up to 200 static member ports on an S5600 series switch. If a port has been configured as an IRF fabric port or a reflect port, it cannot be configured as a static member port.
  • Page 553: Configuring A Vlan Tag For Query Messages

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration I. Enabling simulated joining in VLAN interface view Follow these steps to enable simulated joining in VLAN interface view: To do… Use the command… Remarks Enter system view system-view —...
  • Page 554: Configuring Multicast Vlan

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration To do... Use the command... Remarks Enter system view system-view — Required igmp-snooping By default, the VLAN tag Configure a VLAN tag for vlan-mapping vlan in IGMP general and...
  • Page 555 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration To do... Use the command... Remarks Enter Ethernet port view interface interface-type for the Layer 2 switch to — interface-number be configured Define the port as a trunk...
  • Page 556: Displaying And Maintaining Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration To do... Use the command... Remarks Required The multicast VLAN must port hybrid vlan Specify the VLANs to be be included, and the port vlan-id-list { tagged |...
  • Page 557: Igmp Snooping Configuration Examples

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration 6.4 IGMP Snooping Configuration Examples 6.4.1 Configuring IGMP Snooping I. Network requirements To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches.
  • Page 558 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration
    [RouterA-GigabitEthernet1/0/1] igmp enable
    [RouterA-GigabitEthernet1/0/1] pim dm
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface GigabitEthernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] quit
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping enable
    Enable IGMP-Snooping ok.
  • Page 559: Configuring Multicast Vlan

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration 6.4.2 Configuring Multicast VLAN I. Network requirements As shown in Figure 6-4, Workstation is a multicast source. Switch A forwards multicast data from the multicast source. Switch B, a Layer 2 switch, forwards the multicast data to the end users Host A and Host B.
  • Page 560 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration II. Network diagram Figure 6-4 Network diagram for multicast VLAN configuration III. Configuration procedure The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
  • Page 561: Troubleshooting Igmp Snooping

    Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration
    [SwitchA-Vlan-interface10] pim dm
    Configure Switch B:
    # Enable the IGMP Snooping feature on Switch B.
    <SwitchB> system-view
    [SwitchB] igmp-snooping enable
    # Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
  • Page 562 Operation Manual – Multicast H3C S5600 Series Ethernet Switches Chapter 6 IGMP Snooping Configuration Solution: Possible reasons are: IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN.
  • Page 563 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 802.1x Configuration (1-1)
    1.1 Introduction to 802.1x (1-1)
    1.1.1 Architecture of 802.1x Authentication (1-2)
    1.1.2 The Mechanism of an 802.1x Authentication System (1-3)
    1.1.3 Encapsulation of EAPoL Messages...
  • Page 564 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Table of Contents
    3.4 Displaying and Maintaining HABP Configuration (3-2)
    Chapter 4 System Guard Configuration (4-1)
    4.1 System Guard Overview (4-1)
    4.1.1 Guard Against IP Attacks (4-1)
    4.1.2 Guard Against TCN Attacks...
  • Page 565: Chapter 1 802.1X Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Chapter 1 802.1x Configuration Note: The online user handshaking function is added. See Configuring Basic 802.1x Functions. The configuration of 802.1x re-authentication is added. See Configuring 802.1x...
  • Page 566: Architecture Of 802.1X Authentication

    The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as an H3C series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
  • Page 567: The Mechanism Of An 802.1X Authentication System

    By default, a controlled port is a unidirectional port. IV. The way a port is controlled A port of an H3C series switch can be controlled in the following two ways. Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
  • Page 568: Encapsulation Of Eapol Messages

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Figure 1-2 The mechanism of an 802.1x authentication system EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.
  • Page 569 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration 00: Indicates that the packet is an EAP-packet, which carries authentication information. 01: Indicates that the packet is an EAPoL-start packet, which initiates the authentication.
  • Page 570 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Figure 1-5 shows the format of the Data field of a Request packet or a Response packet. Figure 1-5 The format of the Data field of a Request packet or a Response packet The Type field indicates the EAP authentication type.
  • Page 571: Authentication Procedure

    H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration 1.1.4 802.1x Authentication Procedure An H3C S5600 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode. I. EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server.
  • Page 572 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration [Figure: message exchange among the supplicant system, the authenticator system and the RADIUS server over EAPOL and EAPOR: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request (EAP-Response/Identity)...]
  • Page 573 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the switch.
  • Page 574: Timers Used In 802.1X

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration [Figure: message exchange among the supplicant system PAE, the authenticator system and the RADIUS server over EAPOL and RADIUS: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, RADIUS Access-Request...]
  • Page 575: Implementation On An S5600 Series Switch

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration response packets after the maximum number of handshake request transmission attempts is reached. Quiet-period timer (quiet-period). This timer sets the quiet-period. When a supplicant system fails to pass the authentication, the switch quiets for the set period (set by the quiet-period timer) before it processes another authentication request re-initiated by the supplicant system.
  • Page 576 Chapter 1 802.1x Configuration Note: H3C's CAMS Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as switches) in the network, a CAMS server can implement the AAA functions and rights management.
  • Page 577 Note: The 802.1x client version-checking function needs the support of H3C’s 802.1x client program. III. The guest VLAN function The guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
  • Page 578 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration to the user. To connect to the switch again, the user needs to initiate 802.1x authentication with the client software again. Note: When re-authenticating a user, a switch goes through the complete authentication process.
  • Page 579: Introduction To 802.1X Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Note: 802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session after it begins to perform accounting.
  • Page 580: Basic 802.1X Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration 1.3 Basic 802.1x Configuration 1.3.1 Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
  • Page 581 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration To do… Use the command… Remarks dot1x port-method { macbased | portbased } quit Optional Set authentication dot1x By default, a switch performs method for 802.1x...
  • Page 582: Timer And Maximum User Number Configuration

    With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online. Because non-H3C clients do not support the online user handshaking function, switches cannot receive handshake acknowledgement packets from them in handshaking periods.
  • Page 583 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration To do… Use the command... Remarks Optional By default, the maximum retry times to send a Set the maximum retry request packet is 2. That...
  • Page 584: Advanced 802.1X Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Note: As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view.
  • Page 585: Configuring Client Version Checking

    Remarks quit Note: The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program. The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
  • Page 586: Enabling Dhcp-Triggered Authentication

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Note: As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view.
  • Page 587: Configuring 802.1X Re-Authentication

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Caution: The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch.
  • Page 588: Displaying And Maintaining 802.1X Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration The switch uses the value of the Session-timeout attribute field of the Access-Accept packet sent by the RADIUS server as the re-authentication interval. The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users.
  • Page 589 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration All supplicant systems that pass the authentication belong to the default domain named “aabbcc.net”. The domain can accommodate up to 30 users. As for authentication, a supplicant system is authenticated locally if the RADIUS server fails.
  • Page 590 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration Note: The following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for information about these commands. Configuration on the client and the RADIUS servers is omitted.
  • Page 591 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 1 802.1x Configuration
    # Configure to send the user name to the RADIUS server with the domain name truncated.
    [Sysname-radius-radius1] user-name-format without-domain
    [Sysname-radius-radius1] quit
    # Create the domain named “aabbcc.net” and enter its view.
  • Page 592: Chapter 2 Quick Ead Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S5600 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 593: Configuring Quick Ead Deployment

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration Note: The quick EAD deployment feature takes effect only when the access control mode of an 802.1x-enabled port is set to auto.
  • Page 594 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration Caution: You must configure the URL for HTTP redirection before configuring a free IP range. A URL must start with http:// and the segment where the URL resides must be in the free IP range.
  • Page 595: Displaying And Maintaining Quick Ead Deployment

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration 2.2.3 Displaying and Maintaining Quick EAD Deployment To do... Use the command... Remarks Display configuration display dot1x [ sessions information about quick...
  • Page 596: Troubleshooting

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch.
  • Page 597: Chapter 3 Habp Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 3 HABP Configuration Chapter 3 HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration 3.1 Introduction to HABP...
  • Page 598: Habp Client Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 3 HABP Configuration
    To do... | Use the command... | Remarks
    Enable HABP | habp enable | Optional. By default, HABP is enabled.
    Required By default, a switch operates as an HABP...
  • Page 599 Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 3 HABP Configuration
    To do... | Use the command... | Remarks
    Display statistics on HABP packets | display habp traffic | Available in any view...
  • Page 600: Chapter 4 System Guard Configuration

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 4 System Guard Configuration Chapter 4 System Guard Configuration When configuring System Guard, go to these sections for information you are interested in: System Guard Overview Configuring System Guard Displaying and Maintaining System Guard Configuration 4.1 System Guard Overview...
  • Page 601: Configuring System Guard Against Tcn Attacks

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 4 System Guard Configuration Configuring parameters related to MAC address learning Follow these steps to configure System Guard against IP attacks: To do... Use the command... Remarks...
  • Page 602: Enabling Layer 3 Error Control

    Operation Manual – 802.1x and System Guard H3C S5600 Series Ethernet Switches Chapter 4 System Guard Configuration
    To do... | Use the command... | Remarks
    Enable System Guard against TCN attacks | system-guard tcn enable | Required. Disabled by default
    Set the threshold of...
  • Page 603 Operation Manual – AAA H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 AAA Overview (1-1)
    1.1 Introduction to AAA (1-1)
    1.1.1 Authentication (1-1)
    1.1.2 Authorization (1-2)
    1.1.3 Accounting (1-2)
    1.1.4 Introduction to ISP Domain (1-2)
    1.2 Introduction to AAA Services...
  • Page 604 Operation Manual – AAA H3C S5600 Series Ethernet Switches Table of Contents
    2.4 Displaying and Maintaining AAA Configuration (2-32)
    2.4.1 Displaying and Maintaining AAA Configuration (2-32)
    2.4.2 Displaying and Maintaining RADIUS Protocol Configuration (2-32)
    2.4.3 Displaying and Maintaining HWTACACS Protocol Configuration (2-33)
    2.5 AAA Configuration Examples...
  • Page 605: Chapter 1 Aaa Overview

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Chapter 1 AAA Overview Note: The configuration of ISP domain delimiter is added. See Creating an ISP Domain and Configuring Its Attributes. The configuration of HWTACACS authentication scheme for user level switching is added.
  • Page 606: Authorization

    Chapter 1 AAA Overview Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
  • Page 607: Introduction To Aaa Services

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview 1.2 Introduction to AAA Services 1.2.1 Introduction to RADIUS AAA is a management framework. It can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS.
  • Page 608 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. II. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 609 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources. The RADIUS client sends a stop-accounting request (Accounting-Request, with the Status-Type attribute value = stop) to the RADIUS server.
  • Page 610 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Code Message type Message description Direction: server->client. The server transmits this message to the Access-Reject client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
  • Page 611 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Table 1-2 RADIUS attributes Type field Type field Attribute type Attribute type value value User-Name Framed-IPX-Network User-Password State CHAP-Password Class NAS-IP-Address Vendor-Specific NAS-Port Session-Timeout Service-Type Idle-Timeout Framed-Protocol...
  • Page 612: Introduction To Hwtacacs

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Figure 1-4 Vendor-specific attribute format (fields: Type, Length, Vendor-ID, Type (specified), Length (specified), Specified attribute value) 1.2.2 Introduction to HWTACACS I. What is HWTACACS Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492).
  • Page 613 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Figure 1-5 Network diagram for a typical HWTACACS application (host, HWTACACS client, HWTACACS servers) II. Basic message exchange procedure in HWTACACS The following text takes a telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user.
  • Page 614 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview Figure 1-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server.
  • Page 615 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 1 AAA Overview After receiving the password, the TACACS client sends an authentication continuance message carrying the password to the TACACS server. The TACACS server returns an authentication response, indicating that the user has passed the authentication.
  • Page 616: Chapter 2 Aaa Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Chapter 2 AAA Configuration 2.1 AAA Configuration Task List You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation behavior.
  • Page 617: Creating An Isp Domain And Configuring Its Attributes

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Task Remarks Creating an ISP Domain and Required Configuring Its Attributes Configuring separate AAA schemes Required Required With separate AAA schemes, you can specify authentication, authorization and accounting schemes Configuring an AAA Scheme for an respectively.
  • Page 618 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Optional By default, an ISP domain Set the status of the ISP is in the active state, that state { active | block }...
  • Page 619: Configuring An Aaa Scheme For An Isp Domain

    Note: H3C's CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and right management.
  • Page 620 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Caution: You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
  • Page 621 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and enter its view, or enter domain isp-name Required the view of an existing ISP...
  • Page 622: Configuring Dynamic Vlan Assignment

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration III. Configuration guidelines Suppose a combined AAA scheme is available. The system selects AAA schemes according to the following principles: If authentication, authorization, accounting each have a separate scheme, the separate schemes are used.
  • Page 623: Configuring The Attributes Of A Local User

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Create an ISP domain domain isp-name — and enter its view Optional Set the VLAN vlan-assignment-mode...
  • Page 624 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Optional By default, the password display mode of all access local-user Set the password display users is auto, indicating...
  • Page 625: Cutting Down User Connections Forcibly

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Caution: The following characters are not allowed in the user-name string: /:*?<>. In addition, you cannot enter more than one “@” in the string. After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.
  • Page 626: Radius Configuration Task List

    2.2 RADIUS Configuration Task List H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS...
  • Page 627 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Complete the following tasks to configure RADIUS (the switch functions as a local RADIUS server): Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Required Authentication/Authorization Servers...
  • Page 628: Creating A Radius Scheme

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Note: Actually, the RADIUS service configuration only defines the parameters for information exchange between switch and RADIUS server. To make these parameters take effect, you must reference the RADIUS scheme configured with these parameters in an ISP domain view (refer to Configuration).
  • Page 629: Configuring Radius Accounting Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Required Set the IP address and By default, the IP address port number of the and UDP port number of primary authentication...
  • Page 630 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Optional Set the IP address By default, the IP address and and port number of secondary UDP port number of the...
  • Page 631: Configuring Shared Keys For Radius Messages

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Note: In an actual network environment, you can specify one server as both the primary and secondary accounting servers, as well as specifying two RADIUS servers as the primary and secondary accounting servers respectively.
  • Page 632: Configuring The Maximum Number Of Radius Request Transmission Attempts

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Required Set a shared key for RADIUS accounting key accounting string By default, no shared key messages is created. Caution: The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
  • Page 633: Configuring The Status Of Radius Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Required By default, a RADIUS Create a RADIUS scheme radius scheme scheme named "system" and enter its view...
  • Page 634: Configuring The Attributes Of Data To Be Sent To Radius Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Follow these steps to set the status of RADIUS servers: To do… Use the command… Remarks Enter system view system-view — Required By default, a RADIUS Create a RADIUS scheme radius scheme scheme named "system"...
  • Page 635 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Optional data-flow-format data By default, in a RADIUS { byte | giga-byte | scheme, the data unit and Set the units of data flows...
  • Page 636: Configuring The Local Radius Server

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Note: Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to.
  • Page 637: Configuring Timers For Radius Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Follow these steps to configure the local RADIUS server function: To do… Use the command… Remarks Enter system view system-view — Optional Enable UDP ports for By default, the UDP ports...
  • Page 638: Enabling Sending Trap Message When A Radius Server Goes Down

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme: When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server.
  • Page 639: Enabling The User Re-Authentication At Restart Function

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Optional Enable the sending of radius trap By default, the switch trap message when a { authentication-server-do...
  • Page 640 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration Once the CAMS receives the Accounting-On message, it sends a response to the switch. At the same time it finds and deletes the original online information of the...
  • Page 641: Hwtacacs Configuration Task List

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration 2.3 HWTACACS Configuration Task List Complete the following tasks to configure HWTACACS: Task Remarks Creating a HWTACACS Scheme Required Configuring TACACS Authentication Servers Required Configuring TACACS Authorization Servers...
  • Page 642: Configuring Tacacs Authentication Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration 2.3.2 Configuring TACACS Authentication Servers Follow these steps to configure TACACS authentication servers: To do… Use the command… Remarks Enter system view system-view — Required Create a HWTACACS...
  • Page 643: Configuring Tacacs Accounting Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Required Set the IP address and By default, the IP address port number of the primary authorization of the primary primary TACACS...
  • Page 644: Configuring Shared Keys For Hwtacacs Messages

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Optional Enable the By default, the stop-accounting message stop-accounting retransmission function retry stop-accounting messages retransmission and set the maximum retry-times function is enabled and...
  • Page 645: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration 2.3.6 Configuring the Attributes of Data to be Sent to TACACS Servers Follow these steps to configure the attributes for data to be sent to TACACS servers: To do…...
  • Page 646 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks Enter system view system-view — Required Create a HWTACACS hwtacacs scheme By default, no scheme and enter its view hwtacacs-scheme-name HWTACACS scheme exists.
  • Page 647: Displaying And Maintaining Aaa Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration 2.4 Displaying and Maintaining AAA Configuration 2.4.1 Displaying and Maintaining AAA Configuration To do… Use the command… Remarks Display configuration information about one display domain [ isp-name ]...
  • Page 648: Displaying And Maintaining Hwtacacs Protocol Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration To do… Use the command… Remarks reset stop-accounting-buffer Delete buffered { radius-scheme non-response radius-scheme-name | session-id Available in stop-accounting requests session-id | time-range start-time user view stop-time | user-name user-name }...
  • Page 649 Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration I. Network requirements In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
  • Page 650: Local Authentication Of Ftp/Telnet Users

    [Sysname-isp-cams] quit
    # Configure a RADIUS scheme.
    [Sysname] radius scheme cams
    [Sysname-radius-cams] accounting optional
    [Sysname-radius-cams] primary authentication 10.110.91.164 1812
    [Sysname-radius-cams] key authentication aabbcc
    [Sysname-radius-cams] server-type Extended
    [Sysname-radius-cams] user-name-format with-domain
    [Sysname-radius-cams] quit
    # Associate the ISP domain with the RADIUS scheme....
  • Page 651: Hwtacacs Authentication And Authorization Of Telnet Users

    <Sysname> system-view
    # Adopt AAA authentication for Telnet users.
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode scheme
    [Sysname-ui-vty0-4] quit
    # Create and configure a local user named telnet....
  • Page 652: Troubleshooting Aaa

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration II. Network diagram Authentication server 10.110.91.164/16 Internet Telnet user Figure 2-3 Remote HWTACACS authentication and authorization of Telnet users III. Configuration procedure # Add a Telnet user.
  • Page 653: Troubleshooting Hwtacacs Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 2 AAA Configuration The user is not configured in the database of the RADIUS server — Check the database of the RADIUS server, make sure that the configuration information about the user exists.
  • Page 654: Chapter 3 Ead Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches
    Chapter 3 EAD Configuration
    3.1 Introduction to EAD
    Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints.
  • Page 655: Ead Configuration

    Operation Manual – AAA H3C S5600 Series Ethernet Switches Chapter 3 EAD Configuration After a client passes the authentication, the security Client (software installed on the client PC) interacts with the security policy server to check the security status of the client.
  • Page 656

    A user is connected to GigabitEthernet 1/0/1 on the switch. The user uses an 802.1x client that supports the EAD extended function. You are required to configure the switch to use a RADIUS server for remote user authentication and a security policy server for EAD control on users.
  • Page 657

    [Sysname-radius-cams] server-type extended
    # Configure the IP address of the security policy server.
    [Sysname-radius-cams] security-policy-server 10.110.91.166
    # Associate the domain with the RADIUS scheme.
    [Sysname-radius-cams] quit
    [Sysname] domain system...
  • Page 658: Web Authentication

    Operation Manual – Web Authentication H3C S5600 Series Ethernet Switches
    Table of Contents
    Chapter 1 Web Authentication Configuration
    1.1 Introduction to Web Authentication
    1.2 Web Authentication Configuration
    1.2.1 Configuration Prerequisites
    1.2.2 Configuring Web Authentication
    1.3 Displaying and Maintaining Web Authentication...
  • Page 659: Web Authentication Configuration

    Operation Manual – Web Authentication H3C S5600 Series Ethernet Switches Chapter 1 Web Authentication Configuration Chapter 1 Web Authentication Configuration When configuring Web authentication, go to these sections for information you are interested in: Introduction to Web Authentication Web Authentication Configuration...
  • Page 660 Operation Manual – Web Authentication H3C S5600 Series Ethernet Switches Chapter 1 Web Authentication Configuration To do… Use the command… Remarks Enter system view system-view — Required If no port number is Set the IP address and web-authentication specified, port 80 will be...
  • Page 661: Displaying And Maintaining Web Authentication

    Operation Manual – Web Authentication H3C S5600 Series Ethernet Switches Chapter 1 Web Authentication Configuration Caution: Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port...
  • Page 662 Operation Manual – Web Authentication H3C S5600 Series Ethernet Switches Chapter 1 Web Authentication Configuration Configure a free IP address range, which can be accessed by the user before it passes the Web authentication. II. Network diagram Figure 1-1 Web authentication for user III.
  • Page 663

    # Set the password that will be used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
    [Sysname-radius-radius1] key authentication expert
    # Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server....
  • Page 664

    Operation Manual – MAC Address Authentication H3C S5600 Series Ethernet Switches
    Table of Contents
    Chapter 1 MAC Address Authentication Configuration
    1.1 MAC Address Authentication Overview
    1.1.1 Performing MAC Address Authentication on a RADIUS Server
    1.1.2 Performing MAC Address Authentication Locally...
  • Page 665: Chapter 1 Mac Address Authentication Configuration

    Operation Manual – MAC Address Authentication Chapter 1 MAC Address Authentication H3C S5600 Series Ethernet Switches Configuration Chapter 1 MAC Address Authentication Configuration Note: The configuration of fixed password when setting the user name in MAC address mode for MAC address authentication is added. See...
  • Page 666: Performing Mac Address Authentication On A Radius Server

    1.1.1 Performing MAC Address Authentication on a RADIUS Server
    When authentication is performed on a RADIUS server, the switch serves as a RADIUS client and completes MAC address authentication in combination with the RADIUS server.
  • Page 667: Quiet Mac Address

    1.2.2 Quiet MAC Address
    When a user fails MAC address authentication, the MAC address becomes a quiet MAC address, which means that the switch simply discards any packets from the MAC address until the quiet timer expires.
  • Page 668 Operation Manual – MAC Address Authentication Chapter 1 MAC Address Authentication H3C S5600 Series Ethernet Switches Configuration To do... Use the command... Remarks Set the user name in fixed mac-authentication mode for MAC authmode address usernamefixed Optional authentication Set the user name...
  • Page 669: Mac Address Authentication Enhanced Function Configuration

    Operation Manual – MAC Address Authentication Chapter 1 MAC Address Authentication H3C S5600 Series Ethernet Switches Configuration 1.4 MAC Address Authentication Enhanced Function Configuration 1.4.1 MAC Address Authentication Enhanced Function Configuration Task List Complete the following tasks to configure MAC address authentication enhanced...
  • Page 670 Operation Manual – MAC Address Authentication Chapter 1 MAC Address Authentication H3C S5600 Series Ethernet Switches Configuration After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically.
  • Page 671: Configuring The Maximum Number Of Mac Address Authentication Users Allowed To Access A Port

    Caution: If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port.
  • Page 672: Displaying And Maintaining Mac Address Authentication Configuration

    Operation Manual – MAC Address Authentication Chapter 1 MAC Address Authentication H3C S5600 Series Ethernet Switches Configuration Caution: If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 673

    III. Configuration Procedure
    # Enable MAC address authentication on port GigabitEthernet 1/0/2.
    <Sysname> system-view
    [Sysname] mac-authentication interface GigabitEthernet 1/0/2
    # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
  • Page 674

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches
    Table of Contents
    Chapter 1 VRRP Configuration
    1.1 VRRP Overview
    1.1.1 Introduction to VRRP Group
    1.1.2 Virtual Router Overview
    1.1.3 VRRP Timer
    1.1.4 VRRP Tracking...
  • Page 675: Chapter 1 Vrrp Configuration

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration Chapter 1 VRRP Configuration When configuring VRRP, go to these sections for information you are interested in: VRRP Overview VRRP Configuration Displaying and Maintaining VRRP VRRP Configuration Examples...
  • Page 676: Introduction To Vrrp Group

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration Network Switch 10.100.10.1/24 Ethernet 10.100.10.7/24 10.100.10.8/24 10.100.10.9/24 Host 1 Host 2 Host 3 Figure 1-1 LAN networking The networking illustrated in Figure 1-1 requires high stability of the default gateway.
  • Page 677 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration As shown in Figure 1-2, a VRRP group has the following features: The virtual router (the VRRP group) has its own IP address (10.100.10.1 in the above figure).
  • Page 678: Virtual Router Overview

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration You can also set the preemption delay for an S5600 switch. Setting a delay period aims at: In an unstable network, backups in a VRRP group possibly cannot receive VRRP advertisements from the master in time due to network congestions.
  • Page 679 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration The virtual router IP address and the IP addresses used by the member switches in the VRRP group must belong to the same network segment. If not, the VRRP group will be in the initial state (the state before you configure the VRRP on the switches of the group).
  • Page 680: Vrrp Timer

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration Virtual router IP address-to-real MAC address mapping. When there is an IP address owner in the VRRP group, a virtual router IP address may correspond to two MAC addresses, a real MAC address of the IP address owner and a virtual MAC address created by default.
  • Page 681: Vrrp Tracking

    1.1.4 VRRP Tracking
    Note: If an IP address owner exists in a VRRP group, you can configure a priority for the IP address owner. However, your configuration will not take effect, and the IP address owner will still be the master of the VRRP group, because the system always considers the priority of the IP address owner to be 255.
  • Page 682: Periodical Sending Of Arp Packets In A Vrrp Group

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration A backup starts the advertisement interval timer after it receives the advertisement to wait for the next one from the master. If the backup does not receive VRRP...
  • Page 683: Configuring Advanced Vrrp Functions

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration To do… Use the command… Remarks — This operation creates the VLAN to which the VRRP Create a VLAN vlan vlan-id group corresponds. The vlan-id argument is the ID of the VLAN.
  • Page 684 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration To do… Use the command… Remarks Configure a virtual router vrrp vrid virtual-router-id Required IP address virtual-ip virtual-address Required Configure the preemptive vrrp vrid virtual-router-id By default, preemptive...
  • Page 685: Displaying And Maintaining Vrrp

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration IV. Configuring VRRP Tracking Follow these steps to configure VRRP tracking: To do… Use the command… Remarks Enter system view system-view — interface Vlan-interface Enter VLAN interface view —...
  • Page 686: Vrrp Configuration Examples

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration 1.4 VRRP Configuration Examples 1.4.1 Single-VRRP Group Configuration I. Network requirements Host A uses the VRRP virtual router comprising switch A and switch B as its default gateway to visit host B on the Internet.
  • Page 687 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration II. Network diagram Host B 10.2.3.1/24 Internet Vlan-int3 Vlan-int3 10.100.10.3/24 10.100.10.2/24 LSW A LSW B Vlan-int2 Vlan-int2 Virtual IP address 202.38.160.1/24 202.38.160.111/24 202.38.160.2/24 202.38.160.3/24 Host A Figure 1-3 Network diagram for single-VRRP group configuration III.
  • Page 688

    # Create a VRRP group.
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
    # Set the priority for Switch A in the VRRP group.
    [LSW-A-Vlan-interface2] vrrp vrid 1 priority 110
    # Configure the preemptive mode for the VRRP group.
  • Page 689: Vrrp Tracking Interface Configuration

    Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration Normally, Switch A functions as the gateway, but when Switch A is turned off or fails, Switch B will function as the gateway instead. Configure Switch A to operate in preemptive mode, so that it can resume its gateway function as the master after recovery.
  • Page 690: Configure Vlan

    [LSW-A] interface Vlan-interface 3
    [LSW-A-Vlan-interface3] ip address 10.100.10.2 255.255.255.0
    [LSW-A-Vlan-interface3] quit
    # Configure VLAN 2.
    [LSW-A] vlan 2
    [LSW-A-vlan2] port GigabitEthernet 1/0/6
    [LSW-A-vlan2] quit
    [LSW-A] interface Vlan-interface 2
    [LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0...
  • Page 691: Multiple-Vrrp Group Configuration

    [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
    [LSW-B-Vlan-interface2] quit
    # Configure the virtual router so that it can be pinged.
    [LSW-B] vrrp ping-enable
    # Create a VRRP group.
    [LSW-B] interface Vlan-interface 2
    [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111...
  • Page 692 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration II. Network diagram Host B 10.2.3.1/24 Internet Vlan-int3 Vlan-int3 10.100.10.2/24 10.100.10.3/24 Switch A Switch B Vlan-int2 VLAN-int2 202.38.160.1/24 202.38.160.2/24 VRRP group 2 VRRP group 1 Virtual IP address 202.38.160.112/24 Virtual IP address 202.38.160.111/24...
  • Page 693: Port Tracking Configuration Examples

    # Set the priority for VRRP group 1.
    [LSW-A-Vlan-interface2] vrrp vrid 1 priority 150
    # Create VRRP group 2.
    [LSW-A-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
    Configure Switch B....
  • Page 694 Operation Manual – VRRP H3C S5600 Series Ethernet Switches Chapter 1 VRRP Configuration The master is connected to the upstream network through its GigabitEthernet 1/0/1 port. The backup is connected to the upstream network through its GigabitEthernet 1/0/2 port. The virtual router IP address of the VRRP group is 10.100.10.1.
  • Page 695: Troubleshooting Vrrp

    [Sysname-vlan2] port GigabitEthernet1/0/2
    [Sysname-vlan2] quit
    # Configure VLAN-interface 2.
    [Sysname] interface Vlan-interface 2
    [Sysname-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
    [Sysname-Vlan-interface2] quit
    # Create a VRRP group.
    [Sysname] interface Vlan-interface 2
    [Sysname-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111...
  • Page 696

    III. Symptom 3: VRRP state of a switch changing repeatedly
    Such problems occur when the VRRP group timer interval is too short. They can be solved by prolonging the interval or by configuring the preemption delay period.
  • Page 697

    Operation Manual – ARP H3C S5600 Series Ethernet Switches
    Table of Contents
    Chapter 1 ARP Configuration
    1.1 Introduction to ARP
    1.1.1 ARP Function
    1.1.2 ARP Message Format
    1.1.3 ARP Table
    1.1.4 ARP Process...
  • Page 698: Chapter 1 Arp Configuration

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration Chapter 1 ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP...
  • Page 699: Arp Message Format

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration 1.1.2 ARP Message Format ARP messages are classified as ARP request messages and ARP reply messages. Figure 1-1 illustrates the format of these two types of ARP messages.
  • Page 700: Arp Table

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration Field Description For an ARP request packet, this field is null. Hardware address of the receiver For an ARP reply packet, this field carries the hardware address of the receiver.
  • Page 701: Arp Process

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration 1.1.4 ARP Process Figure 1-2 ARP process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows: Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B.
  • Page 702: Dhcp

    is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible. In Figure 1-3, Host A communicates with Host C through a switch. To intercept the...
  • Page 703: Introduction To Arp Packet Rate Limit

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration With trusted ports configured, ARP packets coming from the trusted ports will not be checked, while those from other ports will be checked through the DHCP snooping table or the manually configured IP binding table.
  • Page 704: Configuring Arp

    A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds that no corresponding ARP entry for the ARP packet exists in the cache.
  • Page 705: Configuring Arp Attack Detection

    Caution: Static ARP entries are valid as long as the Ethernet switch operates normally. However, some operations, such as removing a VLAN or removing a port from a VLAN, make the corresponding ARP entries invalid and cause them to be removed automatically.
  • Page 706: Configuring The Arp Packet Rate Limit Function

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration To do… Use the command… Remarks Enter VLAN view vlan vlan-id — Optional Disabled by default. Enable ARP restricted restricted-forwarding The device forwards legal forwarding enable ARP packets through all its ports.
  • Page 707: Configuring Gratuitous Arp

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration To do… Use the command… Remarks Optional Enable the port state arp protective-down auto-recovery function recover enable Disabled by default. Optional By default, when the port Configure the port state...
  • Page 708: Displaying And Debugging Arp

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration Note: The sending of gratuitous ARP packets is enabled as long as an S5600 switch operates. No command is needed for enabling this function. That is, the device...
  • Page 709: Arp Attack Detection And Packet Rate Limit Configuration Example

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 1 ARP Configuration Disable VLAN-interface 1 of the switch from sending gratuitous ARP packets periodically. Set the aging time for dynamic ARP entries to 10 minutes. Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being GigabitEthernet 1/0/10 of VLAN 1.
  • Page 710

    II. Network diagram
    Figure 1-4 ARP attack detection and packet rate limit configuration
    III. Configuration procedure
    # Enable DHCP snooping on Switch A.
    <SwitchA> system-view
    [SwitchA] dhcp-snooping
    # Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port....
  • Page 711

    [SwitchA-GigabitEthernet1/0/3] arp rate-limit 50
    [SwitchA-GigabitEthernet1/0/3] quit
    # Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
    [SwitchA] arp protective-down recover enable...
  • Page 712: Chapter 2 Proxy Arp Configuration

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration Chapter 2 Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: Proxy ARP Overview Configuring Proxy ARP Proxy ARP Configuration Examples 2.1 Proxy ARP Overview...
  • Page 713: Configuring Proxy Arp

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration With proxy ARP enabled on the switch, when VLAN-interface 3 receives the ARP request, if the switch finds a route to the destination IP address (encapsulated in...
  • Page 714 Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration II. Network diagram Figure 2-2 Network diagram for proxy ARP III. Configuration procedure
    # Configure the IP address of VLAN-interface 3 to be 192.168.0.27/24.
    <Switch> system-view
    [Switch] interface Vlan-interface 3
    [Switch-Vlan-interface3] ip address 192.168.0.27 24...
  • Page 715: Proxy Arp Configuration In Port Isolation Application

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration 2.3.2 Proxy ARP Configuration in Port Isolation Application I. Network requirements Switch A (an S5600 series Ethernet switch) is connected to Switch B through GigabitEthernet 1/0/1.
  • Page 716 Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 2 Proxy ARP Configuration [SwitchA-Vlan-interface1] quit...
  • Page 717: Chapter 3 Resilient Arp Configuration

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 3 Resilient ARP Configuration Chapter 3 Resilient ARP Configuration When configuring resilient ARP, go to these sections for information you are interested in: Introduction to Resilient ARP Configuring Resilient ARP Resilient ARP Configuration Example 3.1 Introduction to Resilient ARP...
  • Page 718: Resilient Arp Configuration Example

    Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 3 Resilient ARP Configuration Follow these steps to configure the Resilient ARP function:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the Resilient ARP function | resilient-arp enable | Required. Enabled by default.
  • Page 719 Operation Manual – ARP H3C S5600 Series Ethernet Switches Chapter 3 Resilient ARP Configuration III. Configuration procedure
    # Enable the Resilient ARP function.
    <Sysname> system-view
    [Sysname] resilient-arp enable
    # Configure the Resilient ARP packets to be sent through the VLAN-interface 2.
  • Page 720 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 DHCP Overview 1-1
    1.1 Introduction to DHCP 1-1
    1.2 DHCP IP Address Assignment 1-2
    1.2.1 IP Address Assignment Policy 1-2
    1.2.2 Obtaining IP Addresses Dynamically 1-2
    1.2.3 Updating IP Address Lease...
  • Page 721 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Table of Contents
    2.5.8 Configuring Option 184 Parameters for the Client with Voice Service 2-27
    2.5.9 Configuring the TFTP Server and Bootfile Name for the DHCP Client 2-28
    2.5.10 Configuring a Self-Defined DHCP Option 2-29
    2.6 Configuring DHCP Server Security Functions...
  • Page 722 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Table of Contents
    4.3.1 DHCP-Snooping Option 82 Support Configuration Example 4-12
    4.3.2 IP Filtering Configuration Example 4-14
    4.4 Displaying DHCP Snooping Configuration 4-15
    Chapter 5 DHCP Packet Rate Limit Configuration 5-1
    5.1 Introduction to DHCP Packet Rate Limit...
  • Page 723: Chapter 1 Dhcp Overview

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 1 DHCP Overview Chapter 1 DHCP Overview When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format...
  • Page 724: Dhcp Ip Address Assignment

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 1 DHCP Overview Figure 1-1 Typical DHCP application 1.2 DHCP IP Address Assignment 1.2.1 IP Address Assignment Policy Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients: Manual assignment.
  • Page 725: Updating Ip Address Lease

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 1 DHCP Overview only accepts the DHCP-OFFER packet that first arrives, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet. Acknowledge: In this phase, the DHCP servers acknowledge the IP address.
  • Page 726: Dhcp Packet Format

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 1 DHCP Overview 1.3 DHCP Packet Format DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets.
  • Page 727: Protocol Specification

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 1 DHCP Overview file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
  • Page 728: Chapter 2 Dhcp Server Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Chapter 2 DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: Introduction to DHCP Server DHCP Server Configuration Task List...
  • Page 729: Dhcp Address Pool

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.1.2 DHCP Address Pool A DHCP address pool holds the IP addresses to be assigned to DHCP clients. When a DHCP server receives a DHCP request from a DHCP client, it selects an address pool...
  • Page 730: Dhcp Ip Address Preferences

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Note: The IP address lease does not have the inheritance attribute. III. Principles of address pool selection The DHCP server observes the following principles to select an address pool to assign...
  • Page 731: Irf Support

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration The IP address designated by the Option 50 field in a DHCP-DISCOVER message The first assignable IP address found in a proper DHCP address pool If no IP address is available, the DHCP server queries lease-expired and conflicted IP addresses.
  • Page 732: Dhcp Server Configuration Task List

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Caution: When you merge two or more IRF systems into one IRF system, a new master unit is elected, and the new IRF system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost.
  • Page 733: Configuring The Global Address Pool Based Dhcp Server

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable DHCP | dhcp enable | Optional. By default, DHCP is enabled.
    Note: To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet...
  • Page 734: Enabling The Global Address Pool Mode On Interface(S)

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Task Remarks Configuring Gateways for the DHCP Client Optional Configuring BIMS Server Information for the DHCP Client Optional Configuring Option 184 Parameters for the Client with...
  • Page 735: Configuring An Address Allocation Mode For The Global Address Pool

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.4.4 Configuring an Address Allocation Mode for the Global Address Pool Note: You can configure either the static IP address allocation mode or the dynamic IP address allocation mode for a global address pool, and only one mode can be configured for one DHCP global address pool.
  • Page 736 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks Configure the MAC One of these two Bind an IP static-bind address to which options is required address to mac-address...
  • Page 737 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration II. Configuring the dynamic IP address allocation mode IP addresses dynamically assigned to DHCP clients (including those that are permanently leased and those that are temporarily leased) belong to address segments that are previously specified.
  • Page 738: Configuring A Domain Name Suffix For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Note: In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.
  • Page 739: Configuring Wins Servers For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Follow these steps to configure DNS servers for the DHCP client: To do… Use the command… Remarks Enter system view system-view — Enter DHCP address pool dhcp server ip-pool —...
  • Page 740: Configuring Gateways For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Follow these steps to configure WINS servers for the DHCP client: To do… Use the command… Remarks Enter system view system-view — Enter DHCP address pool dhcp server ip-pool —...
  • Page 741: Configuring Bims Server Information For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.4.9 Configuring BIMS Server Information for the DHCP Client A DHCP client performs regular software update and backup using configuration files obtained from a branch intelligent management system (BIMS) server. Therefore, the DHCP server needs to offer DHCP clients the BIMS server IP address, port number, and shared key from the DHCP address pool.
  • Page 742 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration II. Meanings of the sub-options for Option 184 Table 2-1 Meanings of the sub-options for Option 184 Sub-option Feature Function Note The IP address of the NCP server...
  • Page 743 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Sub-option Feature Function Note
    Function: The fail-over call routing sub-option carries the IP address for fail-over call routing and the associated dial number.
    Note: When the NCP server is unreachable, a...
  • Page 744: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Note: Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184, does the DHCP server add Option 184 in the response packet sent to the client.
  • Page 745: Configuring A Self-Defined Dhcp Option

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration DHCP server parameters such as the IP address and name of a TFTP server, and bootfile name. After getting related parameters, the DHCP client will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization.
  • Page 746: Configuring The Interface Address Pool Based Dhcp Server

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks Enter system view system-view — Enter DHCP address pool dhcp server ip-pool — view pool-name option code { ascii ascii-string | hex...
  • Page 747: Enabling The Interface Address Pool Mode On Interface(S)

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration addresses contained in it belong to the network segment where the interface resides and are available to the interface only. You can perform certain configurations for DHCP address pools of an interface or multiple interfaces within specified interface ranges.
  • Page 748: Configuring An Address Allocation Mode For An Interface Address Pool

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Follow these steps to configure interface address pool mode on interface(s): To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number On the...
  • Page 749 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration corresponding to the MAC address of the DHCP client, and then assigns the IP address to the DHCP client. When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DHCP-DISCOVER packets.
  • Page 750 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices (such as gateways and FTP servers).
  • Page 751: Configuring A Domain Name Suffix For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.5.4 Configuring a Domain Name Suffix for the DHCP Client You can configure a suffix for the domain name in each DHCP interface address pool on the DHCP server. The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client.
  • Page 752: Configuring Wins Servers For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number Configure the current dhcp server dns-list Configure interface ip-address&<1-8> Required quit server...
  • Page 753: Configuring Bims Server Information For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration H-node. Nodes of this type are b-nodes mixed with peer-to-peer features (the character h stands for the word hybrid); that is, nodes of this type obtain mappings by sending unicast packets to WINS servers first.
  • Page 754: Configuring Option 184 Parameters For The Client With Voice Service

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks Enter system view system-view — dhcp server bims-server ip ip-address [ port Required Configure the BIMS port-number ] sharekey server information to be...
  • Page 755: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks dhcp server voice-config Specify the ncp-ip ip-address { all | Required primary interface interface-type network Not specified by interface-number [ to calling default.
  • Page 756: Configuring A Self-Defined Dhcp Option

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration To do… Use the command… Remarks Enter system view system-view — Enter interface interface-type — interface Specify interface-number view the IP address Specify the dhcp server tftp-server...
  • Page 757: Configuring Dhcp Server Security Functions

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Follow these steps to customize the DHCP service: To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number Configure the dhcp server option code { ascii current ascii-string | hex hex-string&<1-10>...
  • Page 758: Configuring Ip Address Detecting

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration Follow these steps to enable unauthorized DHCP server detection: To do… Use the command… Remarks Enter system view system-view — Enable the unauthorized Required DHCP server detecting dhcp server detect Disabled by default.
  • Page 759: Configuring Dhcp Accounting Functions

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.7 Configuring DHCP Accounting Functions 2.7.1 Introduction to DHCP Accounting DHCP accounting allows a DHCP server to notify the RADIUS server of the start/end of accounting when it assigns/releases a lease. The cooperation of DHCP server and RADIUS server implements the network accounting function and ensures network security at the same time.
  • Page 760: Enabling The Dhcp Server To Process Option 82

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration The network operates properly. II. Configuring DHCP Accounting Follow these steps to configure DHCP accounting: To do… Use the command… Remarks Enter system view system-view —...
  • Page 761: Displaying And Maintaining The Dhcp Server

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration 2.9 Displaying and Maintaining the DHCP Server To do… Use the command… Remarks Display the statistics on IP display dhcp server conflict { all | address conflicts...
  • Page 762: Dhcp Server Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration to communicate with the server directly. The other is to deploy the DHCP server and DHCP clients in different network segments. In this case, IP address assigning is carried out through DHCP relay agent.
  • Page 763 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration II. Network diagram Figure 2-1 Network diagram for DHCP configuration III. Configuration procedure Configure a VLAN and add a port in this VLAN, and then configure the IP address of the VLAN interface (omitted).
  • Page 764: Dhcp Server With Option 184 Support Configuration Example

    A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. An H3C series switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool. The sub-options of Option 184 are as follows: NCP-IP: 3.3.3.3...
  • Page 765: Dhcp Accounting Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration
    <Sysname> system-view
    # Add GigabitEthernet 1/0/1 to VLAN 2 and configure the IP address of VLAN 2 interface to be 10.1.1.1/24.
    [Sysname] vlan 2
    [Sysname-vlan2] port GigabitEthernet 1/0/1...
  • Page 766 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration II. Network diagram Figure 2-3 Network diagram for DHCP accounting configuration (diagram labels: DHCP Client, DHCP Server, RADIUS Server IP:10.1.2.2/24; Vlan-int2 10.1.1.1/24, Vlan-int3 10.1.2.1/24; GE1/0/1, GE1/0/2) III. Configuration procedure # Enter system view.
  • Page 767: Troubleshooting A Dhcp Server

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 2 DHCP Server Configuration
    [Sysname] radius scheme 123
    [Sysname-radius-123] primary authentication 10.1.2.2
    [Sysname-radius-123] primary accounting 10.1.2.2
    [Sysname] domain 123
    [Sysname-isp-123] scheme radius-scheme 123
    [Sysname-isp-123] quit
    # Create an address pool on the DHCP server.
  • Page 768: Chapter 3 Dhcp Relay Agent Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Chapter 3 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent...
  • Page 769: Option 82 Support On Dhcp Relay Agent

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Figure 3-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent.
  • Page 770 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration sub-options of Option 82 are padded as follows, as shown in Figure 3-2 and Figure 3-3. (The content in brackets is the fixed value of each field.) sub-option 1: Padded with the port index (smaller than the physical port number by 1) and VLAN ID of the port that received the client’s request.
  • Page 771: Configuring The Dhcp Relay Agent

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Note: Request packets sent by a DHCP client fall into two categories: DHCP-DISCOVER packets and DHCP-REQUEST packets. As DHCP servers coming from different manufacturers process DHCP request packets in different ways (that is, some DHCP...
  • Page 772: Correlating A Dhcp Server Group With A Relay Agent Interface

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable DHCP | dhcp enable | Required. Enabled by default.
    3.2.3 Correlating a DHCP Server Group with a Relay Agent Interface To enhance reliability, you can set multiple DHCP servers on the same network.
  • Page 773: Configuring Dhcp Relay Agent Security Functions

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Note: You can configure up to eight DHCP server IP addresses in a DHCP server group. You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be mapped to only one DHCP server group.
  • Page 774 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Note: The address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands (such as the command to enable DHCP) are used.
  • Page 775: Configuring The Dhcp Relay Agent To Support Option 82

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Note: Currently, the DHCP relay agent handshake function on an S5600 series switch can only interoperate with a Windows 2000 DHCP server. III. Enabling unauthorized DHCP server detection...
  • Page 776: Displaying And Maintaining Dhcp Relay Agent Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration II. Enabling Option 82 support on a DHCP relay agent Follow these steps to enable Option 82 support on a DHCP relay agent: To do…...
  • Page 777: Dhcp Relay Agent Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration 3.4 DHCP Relay Agent Configuration Example I. Network requirements VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and IP address of VLAN-interface 2 is 10.1.1.2/24 that communicates with the DHCP server...
  • Page 778: Troubleshooting Dhcp Relay Agent Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 3 DHCP Relay Agent Configuration Note: You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations vary with different DHCP server devices, so the configurations are omitted.
  • Page 779: Chapter 4 Dhcp Snooping Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Chapter 4 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview Configuring DHCP Snooping DHCP Snooping Configuration Examples Displaying DHCP Snooping Configuration 4.1 DHCP Snooping Overview...
  • Page 780: Introduction To Dhcp-Snooping Option 82

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Figure 4-1 Typical network diagram for DHCP snooping application (diagram labels: DHCP Server, Internet, Switch A (DHCP Snooping), Switch B (DHCP Relay), GE1/0/1, GE1/0/2, DHCP Clients)...
  • Page 781 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to 0 in the case of HEX format and to 1 in the case of ASCII format.
  • Page 782 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Table 4-1 Ways of handling a DHCP packet with Option 82
    Handling policy | Sub-option configuration | The DHCP Snooping device will…
    Drop | — | Drop the packet.
    Keep | — | Forward the packet without...
  • Page 783: Introduction To Ip Filtering

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Note: The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or separately, are independent of each other in terms of configuration sequence.
  • Page 784: Configuring Dhcp Snooping

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration III. IP filtering The switch can filter IP packets in the following two modes: Filtering the source IP address in a packet. If the source IP address and the...
  • Page 785: Configuring Dhcp Snooping To Support Option 82

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Note: If an S5600 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
  • Page 786 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable DHCP-snooping Option 82 support | dhcp-snooping information enable | Required. Disabled by default.
    II. Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82: To do…...
  • Page 787 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration To do… Use the command… Remarks Enter system view system-view — Optional Configure a storage dhcp-snooping format for the Option 82 information format { hex By default, the format is...
  • Page 788 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Note: If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN;...
  • Page 789: Configuring Ip Filtering

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration Note: If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured.
  • Page 790: Dhcp Snooping Configuration Examples

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration
    To do… | Use the command… | Remarks
    Create a static binding | ip source static binding ip-address ip-address [ mac-address mac-address ] | Optional. By default, no static binding entry is created.
  • Page 791 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration II. Network diagram Figure 4-6 Network diagram for DHCP-snooping Option 82 support configuration (diagram labels: DHCP Server, Switch (DHCP Snooping), GE1/0/5, GE1/0/1, GE1/0/2, GE1/0/3, Client A, Client B, Client C) III.
  • Page 792: Ip Filtering Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration 4.3.2 IP Filtering Configuration Example I. Network requirements As shown in Figure 4-7, GigabitEthernet 1/0/1 of the S5600 switch is connected to the DHCP server and GigabitEthernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A are 1.1.1.1 and 0001-0001-0001 respectively.
  • Page 793: Displaying Dhcp Snooping Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 4 DHCP Snooping Configuration
    # Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses.
    [Switch] interface GigabitEthernet1/0/2
    [Switch-GigabitEthernet1/0/2] ip check source ip-address mac-address...
  • Page 794: Chapter 5 Dhcp Packet Rate Limit Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 5 DHCP Packet Rate Limit Configuration Chapter 5 DHCP Packet Rate Limit Configuration When configuring the DHCP packet rate limit function, go to these sections for information you are interested in:...
  • Page 795: Configuring Port State Auto Recovery

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 5 DHCP Packet Rate Limit Configuration To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter port view — interface-number Required Enable the DHCP packet dhcp rate-limit enable...
  • Page 796: Rate Limit Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 5 DHCP Packet Rate Limit Configuration 5.3 Rate Limit Configuration Example I. Network requirements As shown in Figure 5-1, GigabitEthernet 1/0/1 of the S5600 switch is connected to the DHCP server. GigabitEthernet 1/0/2 is connected to client B and GigabitEthernet 1/0/11 is connected to client A.
  • Page 797 Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 5 DHCP Packet Rate Limit Configuration
    [Sysname] interface GigabitEthernet 1/0/11
    # Enable DHCP packet rate limit on GigabitEthernet 1/0/11.
    [Sysname-GigabitEthernet1/0/11] dhcp rate-limit enable
    # Set the maximum DHCP packet rate allowed on GigabitEthernet 1/0/11 to 100 pps.
  • Page 798: Chapter 6 Dhcp/Bootp Client Configuration

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 6 DHCP/BOOTP Client Configuration Chapter 6 DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: Introduction to DHCP Client Introduction to BOOTP Client...
  • Page 799: Configuring A Dhcp/Bootp Client

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 6 DHCP/BOOTP Client Configuration Note: Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client, without needing to configure any BOOTP server.
  • Page 800: Dhcp Client Configuration Example

    Operation Manual – DHCP H3C S5600 Series Ethernet Switches Chapter 6 DHCP/BOOTP Client Configuration 6.3.1 DHCP Client Configuration Example I. Network requirements Using DHCP, VLAN-interface 1 of Switch B is connected to the LAN to obtain an IP address from the DHCP server.
  • Page 801 Operation Manual – ACL H3C S5600 Series Ethernet Switches Table of Contents
    Chapter 1 ACL Configuration 1-1
    1.1 ACL Overview 1-1
    1.1.1 ACL Matching Order 1-2
    1.1.2 Ways to Apply an ACL on a Switch 1-3
    1.1.3 Types of ACLs Supported by S5600 Series Ethernet Switches...
  • Page 802: Chapter 1 Acl Configuration

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration Chapter 1 ACL Configuration When configuring ACL, go to these sections for information you are interested in: ACL Overview ACL Configuration Task List Displaying and Maintaining ACL Configuration...
  • Page 803: Acl Matching Order

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destination MAC addresses, VLAN priorities, type of Layer 2 protocol, and so on. User-defined ACL.
  • Page 804: Ways To Apply An Acl On A Switch

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration The smaller the weighting value left, which is a fixed weighting value minus the weighting value of every parameter of the rule, the higher the match priority.
  • Page 805: Types Of Acls Supported By S5600 Series Ethernet Switches

    Periodic time range, which recurs periodically on the day or days of the week. Absolute time range, which takes effect only in a period of time and does not recur. Note: An absolute time range on an H3C S5600 Series Ethernet Switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
  • Page 806 Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration I. Configuration procedure Follow these steps to configure a time range: To do... Use the command... Remarks Enter system view system-view — time-range time-name { start-time to...
  • Page 807: Configuring Basic Acl

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration <Sysname> system-view [Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008 [Sysname] display time-range test Current time is 13:30:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) From 15:00 Jan/28/2006 to 15:00 Jan/28/2008 1.2.2 Configuring Basic ACL...
  • Page 808: Configuring Advanced Acl

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical with the content of any existing rule;...
  • Page 809 Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration II. Configuration procedure Follow these steps to define an advanced ACL rule: To do... Use the command... Remarks Enter system view system-view — Create an advanced acl number acl-number...
  • Page 810: Configuring Layer 2 Acl

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration [Sysname-acl-adv-3000] rule permit source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # Display the configuration information of ACL 3000. [Sysname-acl-adv-3000] display acl 3000 Advanced ACL 3000, 1 rule Acl's step is 1 rule 0 permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0...
  • Page 811: Configuring User-Defined Acl

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0;...
  • Page 812 Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration To do... Use the command... Remarks Required rule [ rule-id ] { permit | deny } [ rule-string For information about Define an ACL rule rule-mask offset ] &<1-8>...
  • Page 813: Applying Acls On Ports

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration Acl's step is 1 rule 0 deny 06 ff 31 1.2.6 Applying ACLs on Ports By applying ACLs on ports, you can filter the packets on the corresponding ports.
  • Page 814: Displaying And Maintaining Acl Configuration

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration To do... Use the command... Remarks — Enter system view system-view Required Apply ACL rules to a packet-filter vlan vlan-id For information about acl-rule, VLAN inbound acl-rule refer to ACL Commands.
  • Page 815: Example For Controlling Web Login Users By Source Ip

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration II. Network diagram [Figure 1-1 Network diagram for controlling Telnet login users by source IP; labels: Internet, Switch, 10.110.100.52] III. Configuration procedure # Define ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0...
  • Page 816: Examples For Applying Acls To Hardware

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 1.5 Examples for Applying ACLs to Hardware...
  • Page 817: Advanced Acl Configuration Example

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration 1.5.2 Advanced ACL Configuration Example I. Network requirements Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to GigabitEthernet 1/0/1 of the switch.
  • Page 818: User-Defined Acl Configuration Example

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration II. Network diagram Figure 1-5 Network diagram for Layer 2 ACL III. Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day.
  • Page 819: Example For Applying An Acl To A Vlan

    Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration II. Network diagram Figure 1-6 Network diagram for user-defined ACL III. Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day.
  • Page 820 Operation Manual – ACL H3C S5600 Series Ethernet Switches Chapter 1 ACL Configuration II. Network diagram [Figure 1-7 Network diagram for applying an ACL to a VLAN; labels: Database server 192.168.1.2, GE1/0/1, GE1/0/2, GE1/0/3, VLAN 10, PC 1, PC 2, PC 3] III.
  • Page 821: Qos-Qos Profile

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Table of Contents Chapter 1 QoS Configuration 1-1; 1.1 Overview 1-1; 1.1.1 Introduction to QoS 1-1; 1.1.2 Traditional Packet Forwarding Service 1-2; 1.1.3 New Applications and New Requirements 1-2; 1.1.4 Major Traffic Control Techniques ...
  • Page 822 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Table of Contents 1.6.4 Configuring Traffic Mirroring and Redirecting Traffic to a Port 1-36; Chapter 2 QoS Profile Configuration 2-1; 2.1 Overview 2-1; 2.1.1 Introduction to QoS Profile 2-1; 2.1.2 QoS Profile Application Mode ...
  • Page 823: Chapter 1 Qos Configuration

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Chapter 1 QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Supported by the S5600 Series Ethernet Switches...
  • Page 824: Traditional Packet Forwarding Service

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.1.2 Traditional Packet Forwarding Service In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. Network resources required for packet forwarding are determined by the order in which packets arrive.
  • Page 825: Major Traffic Control Techniques

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.1.4 Major Traffic Control Techniques Figure 1-1 End-to-end QoS model As shown in the figure above, traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance are the foundations for a network to provide differentiated services.
  • Page 826: Qos Supported By The S5600 Series Ethernet Switches

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.2 QoS Supported by the S5600 Series Ethernet Switches The S5600 series Ethernet switches support the QoS features listed in Table 1-1: Table 1-1 QoS features supported by the S5600 series Ethernet switches...
  • Page 827: Introduction To Qos Functions

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration QoS Feature Description Refer to … The S5600 series support SP and WRR queue scheduling algorithms and support the following three For information about Congestion queue scheduling modes:...
  • Page 828 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration The first three bits indicate IP precedence in the range 0 to 7. Bit 3 to bit 6 indicate ToS precedence in the range of 0 to 15.
  • Page 829 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration DSCP value (decimal) DSCP value (binary) Description 001110 af13 010010 af21 010100 af22 010110 af23 011010 af31 011100 af32 011110 af33 100010 af41 100100 af42 100110...
  • Page 830 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Figure 1-4 802.1Q tag headers In the figure above, the priority field (three bits in length) in TCI is 802.1p priority (also known as CoS precedence), which ranges from 0 to 7.
  • Page 831: Protocol Priority

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns the local precedence to the packet. For an 802.1q tagged packet When an 802.1q tagged packet reaches the port of a switch, you can use the priority...
  • Page 832: Priority Marking

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.3.4 Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the...
  • Page 833 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [Figure 1-5 Evaluate the traffic with the token bucket; labels: Put tokens in the bucket at the set rate, Packets to be sent through this port, Packet classification, Token bucket, Continue to send, Drop] II.
  • Page 834: Line Rate

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Traffic policing is widely used in policing the traffic into the network of internet service providers (ISPs). Traffic policing can identify the policed traffic and perform pre-defined policing actions based on different evaluation results.
  • Page 835 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Figure 1-6 Diagram for SP queuing The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
  • Page 836: Flow-Based Traffic Accounting

    In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
  • Page 837: Traffic Mirroring

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Packets of high-rate links are forwarded to low-rate links or packets of multiple links with equal rates are forwarded to a single link that is of the same rate as that of the incoming links.
  • Page 838: Configuring The Mapping Between 802.1P Priority And Local Precedence

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration II. Configuration procedure Follow these steps to configure to trust port priority: To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter Ethernet port view —...
  • Page 839: Setting The Priority Of Protocol Packets

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Note that this is a global setting, not a per-port setting. This is only recommended for advanced network environments. I. Configuration prerequisites The mapping between 802.1p priority and local precedence has been determined.
  • Page 840: Marking Packet Priority

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration To do… Use the command… Remarks Enter system view system-view — Required protocol-priority protocol-type You can modify the IP Set the priority for specific protocol-type precedence or DSCP...
  • Page 841 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration The type and value of the precedence to be marked for the packets matching the ACL rules have been determined. The port or VLAN on which the configuration is to be performed has been determined.
  • Page 842: Configuring Traffic Policing

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [Sysname-acl-basic-2000] quit [Sysname] interface GigabitEthernet1/0/1 [Sysname-GigabitEthernet1/0/1] traffic-priority inbound ip-group 2000 dscp 56 Method II <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255...
  • Page 843: Configuring Line Rate

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration III. Configuration example # Assume GigabitEthernet 1/0/1 of the switch is connected to the 10.1.1.0/24 network segment. Perform traffic policing on the packets from the 10.1.1.0/24 network segment, setting the rate to 128 kbps.
  • Page 844: Configuring Traffic Redirecting

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [Sysname] interface GigabitEthernet1/0/1 [Sysname-GigabitEthernet1/0/1] line-rate outbound 1024 1.4.7 Configuring Traffic Redirecting Refer to section Traffic Redirecting for information about traffic redirecting. I. Configuration prerequisites The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 845: Configuring Vlan Mapping

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Note: Packets redirected to the CPU are not forwarded. If the traffic is redirected to a Combo port in down state, the system automatically redirects the traffic to the port corresponding to the Combo port in up state. Refer to the Port Basic Configuration module of this manual for information about Combo ports.
  • Page 846: Configuring Queue Scheduling

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter Ethernet port view — interface-number Required traffic-remark-vlanid inbound acl-rule By default, VLAN...
  • Page 847 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration To do… Use the command… Remarks Enter system view system-view — Required By default, the queue queue-scheduler scheduling algorithm { strict-priority | wrr adopted on all the ports is...
  • Page 848: Configuring Traffic Accounting

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration Note: The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view.
  • Page 849: Enabling The Burst Function

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration The port that needs this configuration has been determined. II. Configuration procedure Follow these steps to configure traffic accounting: To do… Use the command… Remarks Enter system view system-view —...
  • Page 850: Configuring Traffic Mirroring

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration To do… Use the command… Remarks — Enter system view system-view Required Enable the burst function burst-mode enable By default, the burst function is disabled. Caution: With the IRF function enabled, do not enable the burst function.
  • Page 851 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration To do… Use the command… Remarks Required Omit the following steps if mirrored-to inbound you redirect traffic to the Configure the current port acl-rule CPU. as a source mirroring port...
  • Page 852: Displaying And Maintaining Qos

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.5 Displaying and Maintaining QoS To do… Use the command… Remarks Display the mapping display qos between 802.1p priority cos-local-precedence-map and local precedence display qos-interface Display the priority...
  • Page 853 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration GigabitEthernet 1/0/1 of the switch. The marketing department is connected to GigabitEthernet 1/0/2 of the switch. Configure traffic policing and line rate to satisfy the following requirements: Set the maximum rate of outbound packets sourced from the marketing department to 64 kbps.
  • Page 854: Configuration Example Of Priority Marking And Queue Scheduling

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration 1.6.2 Configuration Example of Priority Marking and Queue Scheduling I. Network requirements As shown in Figure 1-9, an enterprise network connects all the departments through an Ethernet switch.
  • Page 855: Vlan Mapping Configuration Example

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [Sysname-acl-adv-3000] quit Configure priority marking # Mark priority for packets received through GigabitEthernet 1/0/2 and matching ACL 3000. [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] traffic-priority inbound ip-group 3000 rule 0...
  • Page 856 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration II. Network diagram Figure 1-10 Network diagram for VLAN mapping configuration III. Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
  • Page 857 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [SwitchA-GigabitEthernet1/0/11] port trunk permit vlan 100 500 [SwitchA-GigabitEthernet1/0/11] quit [SwitchA] interface GigabitEthernet 1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12] port trunk pvid vlan 200 [SwitchA-GigabitEthernet1/0/12] port trunk permit vlan 200 600...
  • Page 858: Configuring Traffic Mirroring And Redirecting Traffic To A Port

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration # Configure VLAN mapping on GigabitEthernet 1/0/10 to replace VLAN tag 500 with VLAN tag 100 and replace VLAN tag 600 with VLAN tag 200. [SwitchA] interface GigabitEthernet 1/0/10...
  • Page 859 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration II. Network diagram Figure 1-11 Network diagram for traffic redirecting and traffic mirroring configuration III. Configuration procedure Define a time range for working days # Create a time range trname covering the period from 8:00 to 18:00 during working days.
  • Page 860 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 1 QoS Configuration [Switch] acl number 2001 [Switch-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.127 time-range trname [Switch-acl-basic-2001] quit # Configure to redirect traffic matching ACL 2001 to GigabitEthernet 1/0/3. [Switch] interface GigabitEthernet 1/0/2...
  • Page 861: Chapter 2 Qos Profile Configuration

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration Chapter 2 QoS Profile Configuration When configuring QoS profile, go to these sections for information you are interested in: Overview QoS Profile Configuration Task List Displaying and Maintaining QoS Profile Configuration Configuration Example 2.1 Overview...
  • Page 862: Qos Profile Configuration Task List

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration The switch directly applies the QoS profile to the port the user is connected to. Note: A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information).
  • Page 863: Applying A Qos Profile

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration To do… Use the command… Remarks traffic-limit inbound acl-rule [ union-effect ] Configure traffic policing target-rate [ burst-bucket Optional burst-bucket-size ] [ exceed action ]...
  • Page 864: Displaying And Maintaining Qos Profile Configuration

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration To do… Use the command… Remarks Configure the mode to apply a QoS profile as port-based qos-profile port-based Optional By default, the mode to apply a QoS profile is user-based.
  • Page 865: Configuration Example

    Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration 2.4 Configuration Example 2.4.1 QoS Profile Configuration Example I. Network requirements All departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. A user name is someone, and the authentication password is hello.
  • Page 866 Operation Manual – QoS-QoS Profile H3C S5600 Series Ethernet Switches Chapter 2 QoS Profile Configuration [Sysname-radius-radius1] secondary accounting 10.11.1.1 # Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers. [Sysname-radius-radius1] key authentication money...
  • Page 867 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Table of Contents Chapter 1 Mirroring Configuration 1-1; 1.1 Mirroring Overview 1-1; 1.1.1 Local Port Mirroring 1-1; 1.1.2 Remote Port Mirroring 1-2; 1.1.3 Traffic Mirroring 1-3; 1.2 Mirroring Configuration ...
  • Page 868: Chapter 1 Mirroring Configuration

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Chapter 1 Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview Mirroring Configuration Displaying and Maintaining Port Mirroring Mirroring Configuration Examples 1.1 Mirroring Overview...
  • Page 869: Remote Port Mirroring

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration monitoring. In this case, the source ports and the destination port must be located on the same device. 1.1.2 Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device.
  • Page 870: Traffic Mirroring

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Table 1-1 describes how the ports on various switches are involved in the mirroring operation. Table 1-1 Ports involved in the mirroring operation Switch Ports involved Function Port monitored.
  • Page 871: Mirroring Configuration

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration monitored, traffic mirroring provides a finer monitoring granularity. For detailed configuration about traffic mirroring, refer to QoS-QoS Profile Operation. 1.2 Mirroring Configuration Complete the following tasks to configure mirroring:...
  • Page 872: Configuring Remote Port Mirroring

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration To do… Use the command… Remarks mirroring-group group-id In system mirroring-port Use either approach view mirroring-port-list { both | You can configure multiple inbound | outbound }...
  • Page 873 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Follow these steps to perform configurations on the source switch: To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter vlan-id is the ID of the...
  • Page 874 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
  • Page 875 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. Configuration procedure Follow these steps to configure remote port mirroring on the destination switch: To do…...
  • Page 876: Displaying And Maintaining Port Mirroring

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
  • Page 877 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration II. Network diagram [Figure 1-3 Network diagram for local port mirroring; labels: The R&D department, The Marketing department, Switch A, Switch B, Switch C, GE1/0/1, GE1/0/2, GE1/0/3, Data detection device] III.
  • Page 878: Remote Port Mirroring Configuration Example

    Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration 1.4.2 Remote Port Mirroring Configuration Example I. Network requirements The departments of a company connect to each other through S5600 Ethernet switches: Switch A, Switch B, and Switch C are S5600 series switches.
  • Page 879 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration III. Configuration procedure Configure the source switch (Switch A) # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN.
  • Page 880 Operation Manual – Mirroring H3C S5600 Series Ethernet Switches Chapter 1 Mirroring Configuration [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type trunk [Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10 [Sysname-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as the trunk port, allowing packets of VLAN 10 to pass.
  • Page 881 Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Table of Contents Chapter 1 IRF Fabric Configuration 1-1; 1.1 Introduction to IRF 1-1; 1.1.1 Establishment of an IRF Fabric 1-1; 1.1.2 How IRF Works 1-5; 1.2 IRF Fabric Configuration ...
  • Page 882: Chapter 1 Irf Fabric Configuration

    IRF Fabric Configuration Example 1.1 Introduction to IRF Intelligent Resilient Framework (IRF), a feature particular to H3C S5600 series switches, is a new technology for building the core of a network. This feature allows you to build an IRF fabric by interconnecting several S5600 series switches to provide more ports for network devices and improve the reliability of your network.
  • Page 883 Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration Figure 1-2 Port connection mode for S5600 series ring topology IRF fabric IRF fabric also supports bus topology, which has the same requirements as the ring topology.
  • Page 884 Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration The number of the existing devices in the fabric does not reach the maximum number of devices allowed by the fabric (up to eight devices can form a fabric).
  • Page 885 H3C S5600 series switches provide the IRF automatic fabric function, which enables the device to automatically download the software and change the fabric name, thus reducing the manual maintenance workload.
  • Page 886: How Irf Works

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration Caution: You need to enable the IRF automatic fabric function on all the devices including the newly added device in the fabric to enable the newly added device to download software and discover neighbors and thus be added to the fabric normally.
  • Page 887: Irf Fabric Configuration

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration integrating the routing tables of all the devices. Then each slave synchronizes this forwarding table from the master and takes it as the basis for layer 3 forwarding.
  • Page 888: Setting A Unit Id For A Switch

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration Note: Establishing an IRF system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure some functions that affect the IRF (such as TACACS and VLAN-VPN) for other ports or globally.
  • Page 889 Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration After an IRF fabric is established, you can use the following command to change the unit IDs of the switches in the IRF fabric. Follow these steps to set a unit ID to a new value: To do…...
  • Page 890: Assigning A Unit Name To A Switch

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration To do… Use the command… Remarks Save the unit ID of each Optional fabric save-unit-id unit in the IRF fabric 1.2.4 Assigning a Unit Name to a Switch You can assign a unit name to a switch by performing the operations listed in the following table.
  • Page 891: Displaying And Maintaining Irf Fabric

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration II. Configuration procedure Follow these steps to configure IRF automatic fabric for a switch: To do… Use the command… Remarks Enter system view system-view —...
  • Page 892: Irf Fabric Configuration Example

    Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration 1.4 IRF Fabric Configuration Example 1.4.1 Network Requirements Configure unit ID, unit name, and IRF fabric name for four switches to enable them to form an IRF fabric as shown in Figure 1-4.
  • Page 893 Operation Manual – IRF Fabric H3C S5600 Series Ethernet Switches Chapter 1 IRF Fabric Configuration
    # Set the unit ID to 2.
    [H3C] change unit-id 2 to 2
    # Configure the unit name as Unit 2.
    [H3C] set unit 1 name unit2
    # Configure the fabric name as hello.
  • Page 894 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 Cluster; 1.1 Cluster Overview; 1.1.1 Introduction to HGMP; 1.1.2 Roles in a Cluster; 1.1.3 How a Cluster Works; 1.2 Cluster Configuration Task List...
  • Page 895: Chapter 1 Cluster

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Chapter 1 Cluster When configuring cluster, go to these sections for information you are interested in: Cluster Overview Cluster Configuration Task List Displaying and Maintaining Cluster Configuration Cluster Configuration Examples 1.1 Cluster Overview...
  • Page 896: Roles In A Cluster

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster [Figure 1-1 A cluster implementation; labels: Network Management Station, Network, 69.110.1.100, 69.110.1.1, Management device, Member device, Cluster] HGMP V2 has the following advantages:...
  • Page 897 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Table 1-1 Description on cluster roles Role Configuration Function Provides an interface for managing all the switches in a cluster Manages member devices through command redirection, that is, it forwards the...
  • Page 898: How A Cluster Works

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Figure 1-2 State machine of cluster role A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On...
  • Page 899 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Cluster management involves topology information collection and the establishment/maintenance of a cluster. Topology information collection and cluster establishment/maintenance are independent from each other. The former, as described below, starts before a cluster is established.
  • Page 900 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster management device or the network management software to implement required functions. When a member device detects a change on its neighbors through its NDP table, it informs the management device through handshake packets, and the management device triggers its NTDP to perform specific topology collection, so that its NTDP can discover topology changes in a timely manner.
  • Page 901 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster III. Introduction to Cluster A cluster must have one and only one management device. Note the following when creating a cluster: You need to designate a management device for the cluster. The management device of a cluster is the portal of the cluster.
  • Page 902 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster [Figure: member device state transitions among Active, Connect and Disconnect; transition labels: receives the handshake or management packets; fails to receive handshake packets in three consecutive intervals; Disconnect state is recovered; state holdtime exceeds the specified value]...
  • Page 903 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster transmits data to the management device, which then forwards the data to the external server. The management device is the default shared FTP/TFTP server for the cluster; it serves as the shared FTP/TFTP server when no shared FTP/TFTP server is configured for the cluster.
  • Page 904 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Locate which port on which switch initiates a network attack; Determine the port and switch that a MAC address corresponds to; Locate which switch in the cluster has a fault...
  • Page 905: Cluster Configuration Task List

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Note: If the queried IP address has a corresponding ARP entry, but the MAC address entry corresponding to the IP address does not exist, the trace of the device fails.
  • Page 906 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    Task | Remarks
    Configuring the network management interface for a cluster | Optional
    Note: To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the S5600 series Ethernet switches provide the following...
  • Page 907 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the holdtime of NDP information | ndp timer aging aging-in-seconds | Optional. By default, the holdtime of NDP information is 180 seconds...
  • Page 908 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    To do… | Use the command… | Remarks
    Configure the interval to collect topology information periodically | ntdp timer interval-in-minutes | Optional. By default, the topology collection interval is one minute.
    Quit system view | quit | —...
  • Page 909 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    To do… | Use the command… | Remarks
    Configure a multicast MAC address for the cluster | cluster-mac H-H-H | Required. By default, the cluster multicast MAC address is 0180-C200-000A.
    Optional Set the interval for the...
  • Page 910: Configuring Member Devices

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter cluster view | cluster | Required
    Configure a shared FTP server for the cluster | ftp-server ip-address | Optional. By default, the management device acts as the shared FTP server.
  • Page 911 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Task Remarks Enabling NDP globally and on specific ports Required Enabling NTDP globally and on a specific port Required Enabling the cluster function Required Accessing the shared FTP/TFTP server from a member...
  • Page 912 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster To do… Use the command… Remarks ndp enable interface In system view port-list Enter Enable Ethernet interface interface-type Required NDP on port interface-number specified Use either approach. Ethernet...
  • Page 913: Managing A Cluster Through The Management Device

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    To do… | Use the command… | Remarks
    Download a file from the shared TFTP server of the cluster | tftp cluster get source-file [ destination-file ] | Optional. Available in user view...
  • Page 914: Configuring The Enhanced Cluster Features

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster 1.2.4 Configuring the Enhanced Cluster Features I. Enhanced cluster feature overview Cluster topology management function After the cluster topology becomes stable, you can use the topology management commands on the cluster administrative device to save the topology of the current cluster as the standard topology and back up the standard topology on the Flash memory of the administrative device.
  • Page 915 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster III. Configuring cluster topology management function Configuration prerequisites Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed. Devices in the cluster work normally.
  • Page 916 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Note: If the management device of a cluster is a slave device in an IRF fabric, the standard topology information is saved only to the local Flash of the master device in the IRF fabric.
  • Page 917: Displaying And Maintaining Cluster Configuration

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster 1.3 Displaying and Maintaining Cluster Configuration To do… Use the command… Remarks Display all NDP configuration and running information (including the interval to send NDP packets, the display ndp...
  • Page 918 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Serving as the management device, the S5600 switch manages the two member devices. The configuration for the cluster is as follows: The two member devices connect to the management device through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  • Page 919 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    # Enable the cluster function.
    [Sysname] cluster enable
    Configure the management device
    # Add port GigabitEthernet 1/0/1 to VLAN 2.
    <Sysname> system-view
    [Sysname] vlan 2
    [Sysname-vlan2] port GigabitEthernet 1/0/1
    [Sysname-vlan2] quit
    # Configure the IP address of VLAN-interface 2 as 163.172.55.1.
  • Page 920 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    [Sysname] ntdp hop 2
    # Set the delay for a member device to forward topology collection requests to 150 ms.
    [Sysname] ntdp timer hop-delay 150
    # Set the delay for a member device port to forward topology collection requests to 15 ms.
    [Sysname] ntdp timer port-delay 15
    # Set the interval between collecting topology information to 3 minutes.
  • Page 921: Network Management Interface Configuration Example

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster After adding the devices attached to the management device to the cluster, perform the following operations on a member device. # Connect the member device to the remote shared FTP server of the cluster.
  • Page 922 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster Table 1-2 Connection information of the management switch
    VLAN | IP address | Connection port
    VLAN 3 (connected to Switch B) | 192.168.5.30/24 | GigabitEthernet 1/0/1
    VLAN 2 (connected to FTP server) | 192.168.4.22/24 | GigabitEthernet 1/0/2
    II.
  • Page 923: Enhanced Cluster Feature Configuration Example

    Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster
    [Sysname-Vlan-interface2] quit
    # Enable the cluster function.
    [Sysname] cluster enable
    # Enter cluster view.
    [Sysname] cluster
    [Sysname-cluster]
    # Configure a private IP address pool for the cluster. The IP address pool contains 30 IP addresses, starting from 192.168.5.1.
  • Page 924 Operation Manual – Cluster H3C S5600 Series Ethernet Switches Chapter 1 Cluster II. Network diagram [Figure 1-6 Network diagram for the enhanced cluster feature configuration; labels: FTP server, 192.168.0.4, 192.168.0.1, Management device, Member device, 0001-2034-a0e5] III.
  • Page 925: Poe-Poe Profile

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 PoE Configuration; 1.1 PoE Overview; 1.1.1 Introduction to PoE; 1.1.2 PoE Features Supported by S5600; 1.2 PoE Configuration...
  • Page 926: Poe Overview

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration Chapter 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: PoE Overview PoE Configuration PoE Configuration Example Note: The newly added function is upgrading the PoE module of the fabric switch remotely.
  • Page 927: Poe Features Supported By S5600

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration PD: PDs receive power from the PSE. PDs include standard PDs and nonstandard PDs. Standard PDs conform to the 802.3af standard, including IP phones, Wireless APs, network cameras and so on.
  • Page 928: Poe Configuration

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration Note: When you use the PoE-enabled S5600 switch to supply power, the PDs need no external power supply. If a remote PD has an external power supply, the PoE-enabled S5600 switch and the external power supply will back each other up for the PD.
  • Page 929: Setting The Maximum Output Power On A Port

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration Caution: By default, the PoE function on a port is enabled by the default configuration file (config.def) when the device is delivered. If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device.
  • Page 930: Setting The Poe Mode On A Port

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration close to its full load and a new PD is now added to port A, the switch just gives a prompt that a new PD is added and will not supply power to this new PD.
  • Page 931: Configuring Poe Over-Temperature Protection On The Switch

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function. Follow these steps to configure the PD compatibility detection function: To do…...
  • Page 932: Upgrading The Pse Processing Software Of Fabric Switches Online

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration To do… Use the command… Remarks Enter system view system-view — Required Upgrade the PSE poe update { refresh | The specified PSE processing software full } filename...
  • Page 933: Displaying Poe Configuration

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration 1.2.10 Displaying PoE Configuration To do… Use the command… Remarks Display the PoE status of a display poe interface specific port or all ports of the...
  • Page 934 Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration II. Network diagram Network Switch A GE1/0/1 GE1/0/8 GE1/0/2 Switch B Figure 1-1 Network diagram for PoE III. Configuration procedure # Upgrade the PSE processing software online.
  • Page 935 Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 1 PoE Configuration
    # Enable the PD compatibility detection function of the switch to allow the switch to supply power to devices that do not comply with the 802.3af standard.
    [SwitchA] poe legacy enable...
  • Page 936: Chapter 2 Poe Profile Configuration

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 2 PoE Profile Configuration Chapter 2 PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: Introduction to PoE Profile PoE Profile Configuration...
  • Page 937 Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 2 PoE Profile Configuration To do… Use the command… Remarks Required Enable the PoE poe enable Disabled by feature on a port default. Optional Configure PoE Configure mode for Ethernet...
  • Page 938: Displaying Poe Profile Configuration

    Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 2 PoE Profile Configuration The display current-configuration command can be used to query which PoE profile is applied to a port. However, the command cannot be used to query which PoE features in a PoE profile are applied successfully.
  • Page 939 Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 2 PoE Profile Configuration II. Network diagram Network Switch A GE1/0/1~GE1/0/5 GE1/0/6~GE1/0/10 IP Phone IP Phone IP Phone IP Phone Figure 2-1 PoE profile application III. Configuration procedure # Create Profile 1, and enter PoE profile view.
  • Page 940 Operation Manual – PoE-PoE Profile H3C S5600 Series Ethernet Switches Chapter 2 PoE Profile Configuration [SwitchA] poe-profile Profile2 # In Profile 2, add the PoE policy configuration applicable to GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10 ports for users of group A.
  • Page 941 Operation Manual – UDP Helper H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 UDP Helper Configuration; 1.1 Introduction to UDP Helper; 1.2 Configuring UDP Helper; 1.3 Displaying and Maintaining UDP Helper; 1.4 UDP Helper Configuration Example...
  • Page 942: Chapter 1 Udp Helper Configuration

    Operation Manual – UDP Helper H3C S5600 Series Ethernet Switches Chapter 1 UDP Helper Configuration Chapter 1 UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper...
  • Page 943: Configuring Udp Helper

    Operation Manual – UDP Helper H3C S5600 Series Ethernet Switches Chapter 1 UDP Helper Configuration Table 1-1 List of default UDP ports Protocol UDP port number DNS (Domain Name System) NetBIOS-DS (NetBIOS Datagram Service) NetBIOS-NS (NetBIOS Name Service) TACACS (Terminal Access Controller Access Control...
  • Page 944: Displaying And Maintaining Udp Helper

    Operation Manual – UDP Helper H3C S5600 Series Ethernet Switches Chapter 1 UDP Helper Configuration Note: On an S5600 Series Ethernet Switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, UDP Helper is available only when the ip forward-broadcast command is configured in system view.
  • Page 945 Operation Manual – UDP Helper H3C S5600 Series Ethernet Switches Chapter 1 UDP Helper Configuration II. Network diagram Figure 1-1 Network diagram for UDP Helper configuration III. Configuration procedure # Enable Switch A to receive directed broadcasts to a directly connected network.
  • Page 946: Snmp-Rmon

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 SNMP Configuration; 1.1 SNMP Overview; 1.1.1 SNMP Operation Mechanism; 1.1.2 SNMP Versions; 1.1.3 Supported MIBs; 1.2 Configuring Basic SNMP Functions; 1.3 Configuring Trap-Related Functions...
  • Page 947: Chapter 1 Snmp Configuration

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration Chapter 1 SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management...
  • Page 948: Snmp Versions

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration An NMS can send GetRequest, GetNextRequest and SetRequest messages to the agents. Upon receiving the requests from the NMS, an agent performs Read or Write operation on the managed object (MIB, Management Information Base) according to the message types, generates the corresponding Response packets and returns them to the NMS.
  • Page 949: Configuring Basic Snmp Functions

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices. In the above figure, the managed object B can be uniquely identified by a string of numbers {1.2.1.1}.
  • Page 950 Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable SNMP agent | snmp-agent | Optional. Disabled by default. You can enable SNMP agent by executing this command or any...
  • Page 951 Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration
    To do… | Use the command… | Remarks
    Create/Update the view information | snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-value ] | Optional. By default, the view name is ViewDefault and OID is 1...
  • Page 952: Configuring Trap-Related Functions

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration To do… Use the command… Remarks snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode Add a user to an SNMP { md5 | sha }...
  • Page 953: Configuring Extended Trap Function

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration Follow these steps to configure basic trap function: To do… Use the command… Remarks Enter system view system-view — snmp-agent trap enable [ bgp [ backwardtransition | established ]...
  • Page 954: Enabling Logging For Network Management

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration Follow these steps to configure extended trap function: To do… Use the command… Remarks Enter system view system-view — Optional By default, the Configure the extended snmp-agent trap...
  • Page 955: Displaying Snmp

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration 1.5 Displaying SNMP To do… Use the command… Remarks Display the SNMP display snmp-agent sys-info information about the [ contact | location | version ]* current device...
  • Page 956 Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 1 SNMP Configuration II. Network diagram Figure 1-2 Network diagram for SNMP configuration III. Network procedure # Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names. <Sysname> system-view...
  • Page 957 IV. Configuring the NMS The S5600 series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter].
  • Page 958: Chapter 2 Rmon Configuration

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 2 RMON Configuration Chapter 2 RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON RMON Configuration Displaying RMON RMON Configuration Example 2.1 Introduction to RMON...
  • Page 959: Commonly Used Rmon Groups

    (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group. An H3C S5600 Ethernet switch implements RMON in the second way. With an embedded RMON agent, an S5600 Ethernet switch can serve as a network device with the RMON probe function.
  • Page 960: Rmon Configuration

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 2 RMON Configuration Sampling the alarm variables referenced in the defined extended alarm expressions periodically Performing operations on the samples according to the defined expressions Comparing the operation results with the thresholds and triggering corresponding events if the operation result exceeds the thresholds.
  • Page 961 Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 2 RMON Configuration To do… Use the command… Remarks Optional rmon alarm entry-number Before adding an alarm alarm-variable sampling-time { delta entry, you need to use the Add an alarm...
  • Page 962: Displaying Rmon

    Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 2 RMON Configuration 2.3 Displaying RMON To do… Use the command… Remarks display rmon statistics [ interface-type Display RMON statistics interface-number | unit unit-number ] Display RMON history display rmon history [ interface-type...
  • Page 963 Operation Manual – SNMP-RMON H3C S5600 Series Ethernet Switches Chapter 2 RMON Configuration [Sysname] rmon event 1 log [Sysname] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1)
  • Page 964 Operation Manual – NTP H3C S5600 Series Ethernet Switches Table of Contents: Chapter 1 NTP Configuration; 1.1 Introduction to NTP; 1.1.1 Applications of NTP; 1.1.2 Implementation Principle of NTP; 1.1.3 NTP Implementation Modes; 1.2 NTP Configuration Task List...
  • Page 965: Chapter 1 Ntp Configuration

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration Chapter 1 NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes...
  • Page 966: Implementation Principle Of Ntp

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration To perform incremental backup operations between a backup server and a host, you must make sure they adopt the same time. NTP has the following advantages: Defining the accuracy of clocks by stratum to synchronize the clocks of all devices...
  • Page 967 Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration [Figure: NTP message exchange between Device A and Device B over an IP network; timestamp labels: 10:00:00 am, 11:00:01 am]...
  • Page 968: Ntp Implementation Modes

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration 1.1.3 NTP Implementation Modes According to the network structure and the position of the local Ethernet switch in the network, the local Ethernet switch can work in multiple NTP modes to synchronize the clock.
  • Page 969 Table 1-1 describes how the above mentioned NTP modes are implemented on H3C S5600 series Ethernet switches. Table 1-1 NTP implementation modes on H3C S5600 series Ethernet switches NTP implementation mode Configuration on S5600 series switches Configure the local S5600 Ethernet switch to work in the NTP client mode.
  • Page 970: Ntp Configuration Task List

    The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the H3C S5600 Ethernet switch has been synchronized. When symmetric peer mode is configured on two Ethernet switches, to synchronize the clock of the two switches, make sure at least one switch’s clock has been...
  • Page 971: Configuring Ntp Implementation Modes

    Note: To protect unused sockets against attacks by malicious users and improve security, H3C S5600 series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed as the NTP feature is disabled.
  • Page 972: Configuring The Ntp Symmetric Peer Mode

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration Follow these steps to configure an NTP client: To do… Use the command… Remarks Enter system view system-view — ntp-service unicast-server Required { remote-ip | server-name }...
  • Page 973: Configuring Ntp Broadcast Mode

    255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a broadcast server or a broadcast client.
  • Page 974: Configuring Ntp Multicast Mode

    The switches working in the NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a multicast server or a multicast client. Refer to for configuring a switch to work in the NTP multicast server mode.
  • Page 975: Configuring Access Control Right

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration Note: A multicast server can synchronize multicast clients only after its clock has been synchronized. An S5600 series switch working in the multicast server mode supports up to 1,024 multicast clients.
  • Page 976: Configuration Prerequisites

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration refers to query of state of the NTP service, including alarm information, authentication status, clock source information, and so on. synchronization: Synchronization right. This level of right permits the peer device to synchronize its clock to the local switch but does not permit the peer device to perform control query.
  • Page 977: Configuration Prerequisites

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration clock of the client is synchronized only to that of the server that passes the authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function.
  • Page 978: Configuration Procedure

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration 1.5.2 Configuration Procedure I. Configuring NTP authentication on the client Follow these steps to configure NTP authentication on the client: To do… Use the command… Remarks Enter system view system-view —...
  • Page 979: Configuring Optional Ntp Parameters

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration
    To do… | Use the command… | Remarks
    Configure an NTP authentication key | ntp-service authentication-keyid key-id authentication-mode md5 value | Required. By default, no NTP authentication key is configured.
    Required...
  • Page 980: Configuring An Interface On The Local Switch To Send Ntp Messages

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration
    Task | Remarks
    Configuring an Interface on the Local Switch to Send NTP Messages | Optional
    Configuring the Number of Dynamic Sessions Allowed on the Local Switch | Optional
    Disabling an Interface from Receiving NTP Messages | Optional
    1.6.1 Configuring an Interface on the Local Switch to Send NTP Messages...
  • Page 981: Disabling An Interface From Receiving Ntp Messages

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration Follow these steps to configure the number of dynamic sessions allowed on the local switch: To do… Use the command… Remarks Enter system view — system-view Configure the maximum...
  • Page 982: Configuration Examples

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration 1.8 Configuration Examples 1.8.1 Configuring NTP Server/Client Mode I. Network requirements The local clock of Device A (a switch) is to be used as a master clock, with the stratum level of 2.
  • Page 983: Configuring Ntp Symmetric Peer Mode

    Operation Manual – NTP H3C S5600 Series Ethernet Switches Chapter 1 NTP Configuration
    Reference clock ID: 1.0.1.11
    Nominal frequency: 100.0000 Hz
    Actual frequency: 100.0000 Hz
    Clock precision: 2^18
    Clock offset: 0.66 ms
    Root delay: 27.47 ms
    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms...
  • Page 984
    II. Network diagram
    Figure 1-7 Network diagram for NTP peer mode configuration (labels: Device A, Device B, Device C; 3.0.1.31/24, 3.0.1.32/24, 3.0.1.33/24)
    III. Configuration procedure
    Configure Device C.
  • Page 985: Configuring NTP Broadcast Mode

    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2, one level lower than Device B.
  • Page 986
    III. Configuration procedure
    Configure Device C.
    # Enter system view.
    <DeviceC> system-view
    # Set Device C as the broadcast server, which sends broadcast messages through VLAN-interface 2.
  • Page 987: Configuring NTP Multicast Mode

    source reference stra reach poll now offset delay disper
    **************************************************************************
    [1234]3.0.1.31 127.127.1.0 26.1 199.53
    note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
    Total associations :
    1.8.4 Configuring NTP Multicast Mode
    I.
  • Page 988
    Configure Device A (perform the same configuration on Device D).
    # Enter system view.
    <DeviceA> system-view
    # Set Device A as a multicast client to listen to multicast messages through VLAN-interface 2.
  • Page 989: Configuring NTP Server/Client Mode With Authentication

    1.8.5 Configuring NTP Server/Client Mode with Authentication
    I. Network requirements
    The local clock of Device A is set as the NTP master clock, with a clock stratum level of 2.
  • Page 990
    [DeviceA] ntp-service authentication enable
    # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
    [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
    # Specify the key 42 as a trusted key.
  • Page 991 Operation Manual – SSH H3C S5600 Series Ethernet Switches
    Table of Contents
    Chapter 1 SSH Configuration
    1.1 SSH Overview
    1.1.1 Introduction to SSH
    1.1.2 Algorithm and Key
    1.1.3 Asymmetric Key Algorithm
    1.1.4 SSH Operating Process...
  • Page 992: Chapter 1 SSH Configuration

    Chapter 1 SSH Configuration
    Note: The DSA algorithm is newly added in SSH configuration. Click the following links for related information:
    Generating/Destroying Key Pairs
    Creating an SSH User and Specifying an Authentication Type...
  • Page 993: Algorithm And Key

    Caution: Currently, the device that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the device that serves as an SSH client supports only SSH2.
  • Page 994: SSH Operating Process

    Note: Currently, SSH supports both RSA and DSA.
    1.1.4 SSH Operating Process
    The session establishment between an SSH client and the SSH server involves the following five stages:...
  • Page 995
    Note: All the packets above are transferred in plain text.
    II. Key negotiation
    The server and the client send algorithm negotiation packets to each other. These packets contain the lists of public key algorithms, encryption algorithms, message authentication code (MAC) algorithms, and compression algorithms that the server and the client support.
  • Page 996: SSH Server And Client Configuration Task List

    The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions. The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
  • Page 997: Configuring The SSH Server

    1.3 Configuring the SSH Server
    The session establishment between an SSH client and the SSH server involves five stages. Similarly, SSH server configuration involves five aspects, as shown in the following table.
  • Page 998: Configuring The User Interfaces For SSH Clients

    Note: The SSH server needs to cooperate with an SSH client to complete the interactions between them. For SSH client configuration, refer to Configuring the SSH Client.
  • Page 999: Configuring The SSH Management Functions

    1.3.2 Configuring the SSH Management Functions
    The SSH server provides a number of management functions. Some functions can prevent illegal operations such as malicious password guessing, further guaranteeing the security of SSH connections.
  • Page 1000: Configuring The SSH Server To Be Compatible With SSH1 Clients

    1.3.3 Configuring the SSH Server to Be Compatible with SSH1 Clients
    Follow these steps to configure the SSH server to be compatible with SSH1 clients:
    To do...

This manual is also suitable for:

S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
