Preface
The ES4624-SFP/ES4626-SFP L3 Gigabit Ethernet Switch is a high performance routing switch released by Edge-Core that can be deployed as an aggregation device for enterprise and campus networks. The ES4624-SFP/ES4626-SFP L3 Gigabit Ethernet Switch supports a variety of network interfaces, from 100Mb and 1000Mb to 10 GB Ethernet.
2.10.7 Telnet server user configuration .......... 133
2.10.8 Telnet security IP .......... 133
CHAPTER 3 PORT CONFIGURATION .......... 134
3.1 Introduction to Port .......... 134
3.2 Port Configuration .......... 134
3.2.1 Network Port Configuration .......... 134
3.2.2 VLAN Interface Configuration .......... 143
3.2.3 Network Management Port Configuration ..........
4.6 Web Management .......... 167
4.6.1 LACP port group configuration .......... 167
4.6.2 LACP port configuration .......... 168
CHAPTER 5 VLAN CONFIGURATION .......... 169
5.1 VLAN Configuration .......... 169
5.1.1 Introduction to VLAN .......... 169
5.1.2 VLAN Configuration Task List .......... 170
5.1.3 Commands For Vlan Configuration ..........
CHAPTER 6 MAC TABLE CONFIGURATION .......... 209
6.1 Introduction to MAC Table .......... 209
6.1.1 Obtaining MAC Table .......... 209
6.1.2 Forward or Filter .......... 211
6.2 MAC Address Table Configuration .......... 212
6.3 Commands for Address Table Configuration .......... 212
6.3.1 mac-address-table aging-time ..........
10.1.3 Commands for Layer 3 Interface .......... 287
10.2 IP Configuration .......... 287
10.2.1 Introduction to IPv4, IPv6 .......... 287
10.2.2 IP Configuration .......... 289
10.2.3 IP Configuration Examples .......... 304
10.2.4 IP Troubleshooting .......... 309
10.3 IP Forwarding .......... 319
10.3.1 Introduction to IP Forwarding ..........
12.1.2 option 82 Working Mechanism .......... 357
12.2 DHCP option 82 Configuration .......... 358
12.2.1 DHCP option 82 Configuration Task List .......... 358
12.2.2 Command for DHCP option 82 .......... 360
12.3 DHCP option 82 Application Examples .......... 363
12.4 DHCP option 82 Troubleshooting ..........
23.1.3 The Encapsulation of EAPOL Messages .......... 840
23.1.4 The Encapsulation of EAP Attributes .......... 842
23.1.5 The Authentication Methods of 802.1x .......... 842
23.1.6 The Extension and Optimization of 802.1x .......... 848
23.1.7 The Features of VLAN Allocation .......... 849
23.2 802.1 ..........
CHAPTER 24 THE NUMBER LIMITATION FUNCTION OF PORT, MAC IN VLAN AND IP CONFIGURATION .......... 882
24.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP .......... 882
24.2 The Number Limitation Function of Port, MAC in VLAN and IP Configuration ..........
25.3.6 interface .......... 902
25.3.7 preempt-mode .......... 902
25.3.8 priority .......... 902
25.3.9 router vrrp .......... 903
25.3.10 show vrrp .......... 903
25.3.11 virtual-ip .......... 904
25.4 Typical VRRP Scenario .......... 905
25.5 VRRP Troubleshooting .......... 905
25.6 Web Management ..........
Chapter 1 Switch Management
1.1 Management Options
After purchasing the switch, the user needs to configure the switch for network management. The ES4624-SFP/ES4626-SFP Switch provides two management options: in-band management and out-of-band management.
1.1.1 Out-Of-Band Management
Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
ES4624-SFP/ES4626-SFP: a functional Console port is required.
Step 2: Entering the HyperTerminal
Open the HyperTerminal included in Windows after the connection is established. The example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs - Accessories - Communication - HyperTerminal.
“Parity checksum”, “1” for stop bit and “none” for traffic control; or, you can also click “Restore default” and click “OK”.
Fig 1-5 Opening HyperTerminal
Step 3: Entering switch CLI interface
Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode of the ES4624-SFP/ES4626-SFP Switch.
ES4624-SFP Management Switch...
Attaching to file system ... done.
Loading nos.img ... done.
Starting at 0x10000...
Current time is WED APR 20 09:37:52 2005
ES4624-SFP Switch Operating System, Software Version ES4624-SFP 1.1.0.0,
Copyright (C) 2001-2006 by Accton Technology Corporation
http://www.edge-core.com
ES4624-SFP Switch
24 Ethernet/IEEE 802.3 interface(s)
3) Otherwise (if condition 2 is not met), the Telnet client can connect to an IP address of the switch via other devices, such as a router. The ES4624-SFP/ES4626-SFP Switch is a Layer 3 switch that can be configured with several IP addresses. The following example assumes the factory-shipped state of the switch, where only VLAN1 exists in the system.
Step 2: Run the Telnet client program.
Run the Telnet client program included in Windows with the specified Telnet target.
Fig 1-7 Run telnet client program included in Windows
When accessing a switch with an IPv6 address, it is recommended to use Firefox version 1.5 or later.
Fig 1-8 Telnet Configuration Interface
1.1.4 Management Via HTTP
To manage the switch via HTTP, the following conditions should be met:
1) The switch has an IP address configured;
2) The host IP address (HTTP client) and the switch’s VLAN interface IP address are in the same network segment;...
Step 2: Run the HTTP protocol on the host.
Open the Web browser on the host and type the IP address of the switch, or run the HTTP protocol directly on Windows. For example, the IP address of the switch is “10.1.128.251”.
Fig 1-10 Web Login Interface
Input the correct username and password, and the main Web configuration interface is shown as below.
Fig 1-11 Main Web Configuration Interface
1.2 Management Interface
1.2.1 CLI Interface...
The CLI interface is familiar to most users. As mentioned above, out-of-band management and Telnet login are both performed through the CLI interface to manage the switch. The CLI interface is supported by a Shell program, which consists of a set of configuration commands. Those commands are categorized according to their functions in switch configuration and management.
Or, when the exit command is run under Global Mode, it also returns to Admin Mode. The ES4624-SFP/ES4626-SFP Switch also provides the shortcut key sequence “Ctrl+z”, which is an easy way to exit to Admin Mode from any configuration mode (except User Mode).
Ethernet Port interface mode: prompt Switch(Config-if-ethernetxx)#. Entered by typing the interface ethernet <interface-list> command under Global Mode. Used to configure the commands supported by the Ethernet port, such as duplex mode, speed, etc. Use the exit command to return to Global Mode.
Port-channel interface mode: prompt Switch(Config-if-port-channelx)#. Entered by typing the interface port-channel <port-channel-number> command under Global Mode. Used to configure port-channel related settings such as duplex...
The ES4624-SFP/ES4626-SFP Switch provides various configuration commands. Although the commands differ, they all abide by the syntax for ES4624-SFP/ES4626-SFP Switch configuration commands. The general command format is shown below:
cmdtxt <variable> { enum1 | … | enumN } [option]
Conventions: cmdtxt in bold font indicates a command keyword;...
When a string for a command or keyword is entered, the Tab key can be used to complete the command or keyword if there is no conflict.
1.2.5 Help Function
There are two ways in the ES4624-SFP/ES4626-SFP Switch for the user to access help...
information: the “help” command and the “?” key.
Access to Help | Usage and function
help | Under any command line prompt, type “help” and press Enter to get a brief description of the associated help system.
? | 1. Under any command line prompt, enter “?” to get a command list of the current mode and a related brief description.
The ES4624-SFP/ES4626-SFP switch shell supports fuzzy matching when searching commands and keywords. The Shell will recognize commands or keywords correctly if the entered string causes no conflict. For example:
1) For the command “show interfaces status ethernet 1/1”, typing “sh in status e 1/1” will work.
2) However, for the command “show running-config”, the system will report a “>...
Chapter 2 Basic Switch Configuration
2.1 Commands for Basic Switch Configuration
Basic switch configuration includes commands for entering and exiting Admin Mode, commands for entering and exiting interface mode, commands for configuring and displaying the switch clock, commands for displaying the version information of the switch system, etc.
Command | Explanation
Normal User Mode/Admin Mode...
Function: Configure the authentication mode and priority on the Telnet Server for remote login users; the “no authentication login” command restores the default login authentication mode.
Default: The default login authentication mode is local.
Command mode: Global Mode
Usage guide: When a combination of authentication modes is used, the first mode in the list has the highest priority, and priority decreases down the list.
Command: debug ssh-server
no debug ssh-server
Function: Display SSH server debugging information; the “no debug ssh-server” command stops displaying SSH server debugging information.
Default: This function is disabled by default.
Command mode: Admin Mode
Example: Switch#debug ssh-server
2.1.1.5 dir
Command: dir
Function: Display the files and their sizes in the Flash memory.
The “no enable password” command deletes this password.
Parameter: password is the configured code. Encryption will be performed by entering 8.
Command mode: Global Mode
Default: This password is empty by system default.
Usage Guide: Configure this password to prevent unauthorized entry into Admin Mode. It is recommended to set the password at the initial switch configuration.
Parameter: <hostname> is the string for the prompt; up to 30 characters are allowed.
Command mode: Global Mode
Default: The default prompt is ES4624-SFP/ES4626-SFP switch.
Usage Guide: With this command, the user can set the CLI prompt of the switch according to their own requirements.
2.1.1.13 ipv6 host
Command: ipv6 host <hostname> <ipv6_addr>
no ipv6 host <hostname>
Function: Configure the mapping relationship between an IPv6 address and a host name; the “no ipv6 host <hostname>” command deletes this mapping relationship.
Parameter: <hostname> is the host name, a character string; <ipv6_addr> is the IPv6 address corresponding to the host name.
Command Mode: Global Mode
Usage Guide: Configure a fixed corresponding relationship between the host and the IPv6 address, applicable in commands such as “traceroute6 <host>”, etc.
Command mode: Admin Mode
Default: The default setting is English display.
Usage Guide: The ES4624-SFP/ES4626-SFP switch provides help information in two languages; the user can select the language according to their preference. After a system restart, the help information display reverts to English.
Usage guide: When both this password and the login command are configured, users have to enter the password set by the password command to enter Normal User Mode on the console.
Example:
Switch(Config)#password 8 test
Switch(Config)#login
2.1.1.19 ping
Command: ping [<ip-addr> | <host> | vrf |]
Function: The switch sends ICMP packets to remote devices to verify the connectivity between the switch and the remote devices.
VRF name: VPN Routing/Forwarding instance
Target IP address: Target IP address
Repeat count [5]: Packet number, the default is 5
Datagram size in byte [56]: ICMP packet size, the default is 56 bytes
Timeout in milli-seconds [2000]: Timeout (in milliseconds), the default is 2 seconds.
Target IPv6 address: fe80::2d0:59ff:feb8:3b27
Output Interface: vlan1
Use source address option[n]: y
Source IPv6 address: fe80::203:fff:fe0b:16e3
Repeat count [5]:
Datagram size in byte [56]:
Timeout in milli-seconds [2000]:
Extended commands [n]:
Type ^c to abort.
Sending 5 56-byte ICMP Echos to fe80::2d0:59ff:feb8:3b27, using src address fe80::203:fff:fe0b:16e3, timeout is 2 seconds.
Function: Warm reset the switch.
Command mode: Admin Mode
Usage Guide: The user can use this command to restart the switch without powering it off.
2.1.1.22 service password-encryption
Command: service password-encryption
no service password-encryption
Function: Encrypt system passwords. The “no service password-encryption” command cancels the encryption.
Command mode: Global Mode
Default: no service password-encryption by system default...
2.1.1.25 setup
Command: setup
Function: Enter the Setup Mode of the switch.
Command mode: Admin Mode
Usage Guide: The ES4624-SFP/ES4626-SFP switch provides a Setup Mode, in which the user can configure IP addresses, etc.
2.1.1.26 terminal length
Command: terminal length <0-512>...
terminal. If this command is configured on Telnet or SSH clients, debug messages will be sent to that client. Debug messages are displayed on the console by default.
Example: Switch#terminal monitor
2.1.1.28 traceroute
Command: traceroute {<ip-addr> | host <hostname> } [hops <hops>] [timeout <timeout>...
2.1.1.30 cli username
Command: cli username <username> [privilege <privilege>] [password (0|7) <password>]
no cli username <username>
Function: Configure a shell user and the privilege level of that user for shell login by user name and password.
Parameter: Username is the user name; privilege is the highest level the user may execute at, from 1 to 15, default 1; password is the user password. If option 7 is given when setting the password, the password is entered in encrypted form;...
When the user configures the switch, they will need to verify whether the configuration is correct and the switch is operating as expected, and in the event of a network failure they will also need to diagnose the problem. The ES4624-SFP/ES4626-SFP switch provides various debug commands, including ping, telnet, show and debug, etc., to help the user check system configuration and operating status and locate the cause of problems.
Telnet client program included in Windows or other operating systems to log in to the ES4624-SFP/ES4626-SFP switch, as described earlier in the In-band management section. As a Telnet server, the ES4624-SFP/ES4626-SFP switch allows up to 5 Telnet client TCP connections.
Global Mode
ip telnet server / no ip telnet server: Enable the Telnet server function on the switch; the “no ip telnet server” command disables the Telnet function.
telnet-server securityip <ip-addr>: Configure the secure IP address permitted to log in to the switch through Telnet;...
IPv6 should be preferred when telneting to this host name.
Example:
The switch Telnets to a remote host whose IP address is 20.1.1.1:
Switch#telnet 20.1.1.1 23
The switch Telnets to a remote host whose IPv6 address is 3ffe:506:1:2::3:
Switch#telnet 3ffe:506:1:2::3
Configure the mapping relationship between the host name ipv6host and the IPv6 address 3ffe:506:1:2::3, and then telnet to host ipv6host:
Switch#config
Switch(Config)# ipv6 host ipv6host 3ffe:506:1:2::3...
Switch(Config)#telnet-server securityip 192.168.1.21
2.2.4 SSH
2.2.4.1 Introduction to SSH
SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol. By conducting mechanisms such as key distribution, authentication and encryption between the SSH server and the SSH client, a secure connection is established.
ssh-server host-key create modulus <moduls> (Admin Mode): Generate the new RSA host key on the SSH server.
monitor / no monitor: Display SSH debug information on the SSH client side; the “no monitor” command stops displaying SSH debug information on the SSH client side.
2.2.4.3 Commands for SSH
2.2.4.3.1 ssh-server authentication-retries
Command: ssh-server authentication-retries <...
is 768 to 2048. The default value is 1024.
Command mode: Global Mode
Default: The system uses the key generated when the ssh-server is started for the first time.
Usage Guide: This command is used to generate a new host key. When an SSH client logs on to the server, the new host key is used for authentication.
Example: Set an SSH client which has “switch” as username and “switch” as password.
Switch(Config)#ssh-user switch password 0 switch
2.2.4.4 Typical SSH Server Configuration
Example:
Requirement: Enable the SSH server on the switch, and run SSH2.0 client software such as Secure Shell Client or PuTTY on the terminal. Log on to the switch from the client using the username and password.
on the path receives this datagram, it decrements the HOPLIMIT by 1 and the HOPLIMIT becomes 0. So the router discards this datagram and returns an “ICMPv6 time exceeded” message (including the source address of the IPv6 packet, all content of the IPv6 packet and the IPv6 address of the router).
show telnet login: Display the information of the Telnet client which currently has a Telnet connection established with the switch.
show telnet user: Display the information of all the Telnet clients which are authorized to access the switch through Telnet.
Display the operation information and the state of each task running on the switch.
2.2.7.1.3 show history
Command: show history
Function: Display the recent user command history.
Command mode: Admin Mode
Usage Guide: The system holds up to 10 commands the user entered; the user can use the UP/DOWN keys or their equivalents (ctrl+p and ctrl+n) to access the command history.
Example:
Switch#show history
enable...
Default: If the active configuration parameters are the same as the default operating parameters, nothing will be displayed.
Command mode: Admin Mode
Usage Guide: When the user finishes a set of configuration and needs to verify it, the show running-config command can be used to display the current active parameters.
same.
2.2.7.1.9 show interface switchport
Command: show interface switchport [ethernet <interface-list>]
Function: Show the VLAN port mode, VLAN number and Trunk port messages of the VLAN port mode on the switch.
Parameter: <interface-list> is the port number or port list, which can be any port existing in the switch.
Command mode: Admin Mode
Example: Show VLAN messages of port ethernet 1/1.
2.2.7.1.11 show tcp
Command: show tcp
Function: Display the current TCP connections established to the switch.
Command mode: Admin Mode
Example:
Switch#show tcp
LocalAddress LocalPort ForeignAddress ForeignPort State
0.0.0.0 0.0.0.0 LISTEN
0.0.0.0 0.0.0.0 LISTEN
Displayed information | Description
LocalAddress | Local address of the TCP connection.
LocalPort | Local port number of the TCP connection.
Copyright (C) 2001-2006 by Accton Technology Corporation. All rights reserved.
Last reboot is cold reset
Uptime is 0 weeks, 0 days, 0 hours, 28 minutes
2.2.8 Debug
All the protocols the ES4624-SFP/ES4626-SFP switch supports have their corresponding debug commands. The user can use the information from the debug commands for troubleshooting.
Output the log information to a remote Telnet terminal or monitor; this function is useful for remote maintenance.
Assign a proper log buffer zone inside the switch, to record the log information permanently or temporarily.
Configure a log host; the log system will directly send the log information to the log host and save it in files that can be viewed at any time.
Among the above log channels, users rarely use the console monitor, but commonly choose the Telnet terminal to monitor the system operation status.
Severity | Description
emergencies | System is unusable
alerts | Action must be taken immediately
critical | Critical conditions
errors | Error conditions
warnings | Warning conditions
notifications | Normal but significant condition
informational | Informational messages
debugging | Debug-level messages
Right now the switch can generate information of the following four levels:
critical | Restart of the switch, abnormal mission, hot plug on the CHASSIS switch chips
warnings | Up/down of the switch, topology change, aggregate port state change of the interface...
Command | Description (Admin Mode)
show logging buffered [level { critical | warnings} range <begin-index> <end-index>] | Show detailed log information in the log buffer channel
clear logging { sdram | nvram } | Clear log buffer zone information
Configure the log host output channel
Command | Description (Global Mode)...
Example: Clear all information in the log buffer zone sdram
Switch# clear logging sdram
2.2.9.2.2.3 logging host
Command: logging {<ipv4-addr> | <ipv6-addr>} [facility <local-number>] [level <severity>]
no logging {<ipv4-addr> | <ipv6-addr>} [facility <local-number>]
Function: The command is used to configure the output channel of the log host. The “no”...
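The logging host command above sends the switch's log to a syslog collector with a chosen facility (local0 to local7) and minimum severity. On the wire, a syslog datagram carries that pair as a single PRI number, facility*8 + severity (RFC 3164), so a collector needs to decode it to confirm the switch is really reporting at the configured level and to pick out the critical band the manual says the switch generates. The following decoder and filter is an added example, not code from the manual or from Edge-Core; the severity names follow the manual's table, the facility and severity numbers are the standard syslog values, and the sample datagrams and their message bodies are constructed.

```python
"""Decode syslog PRI values and filter messages by severity (added example)."""
import re

# Standard syslog severity numbers 0..7 (RFC 3164); names as in the manual's table.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Standard facility numbers; local0..local7 are 16..23, a few common others added.
FACILITIES = {16 + n: f"local{n}" for n in range(8)}
FACILITIES.update({0: "kern", 1: "user", 3: "daemon", 4: "auth"})
FACILITY_BY_NAME = {name: num for num, name in FACILITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility_name, severity_name):
    """PRI value a sender emits for a facility/severity pair, e.g. local7/warnings -> 188."""
    return FACILITY_BY_NAME[facility_name] * 8 + SEVERITIES.index(severity_name)


def decode(line):
    """Split a raw syslog line into (facility, severity, message); None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:            # 23*8 + 7 is the largest legal PRI
        return None
    facility = FACILITIES.get(value // 8, str(value // 8))
    return facility, SEVERITIES[value % 8], m.group(2)


def filter_at_least(lines, min_severity):
    """Keep messages at least as severe as min_severity (lower number = more severe)."""
    limit = SEVERITIES.index(min_severity)
    kept = []
    for line in lines:
        decoded = decode(line)
        if decoded and SEVERITIES.index(decoded[1]) <= limit:
            kept.append(decoded)
    return kept


# Constructed sample datagrams, as a switch configured with
# "logging <host> facility local7 level warnings" might send; bodies are invented.
SAMPLE = [
    "<188>Switch: interface Ethernet1/1 link down",          # local7 / warnings
    "<186>Switch: hot plug detected on chassis",              # local7 / critical
    "<190>Switch: SNMP get-request from 10.1.1.1",            # local7 / informational
    "not a syslog line",
]

if __name__ == "__main__":
    for facility, severity, message in filter_at_least(SAMPLE, "warnings"):
        print(f"{facility}/{severity}: {message}")
```

Run against the sample, the warnings filter keeps the first two datagrams and drops the informational one, which is exactly what the switch should be sending after "level warnings"; an informational message arriving from a switch configured that way is worth a second look at its configuration.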
Switch(Config)#logging 3ffe:506::4 facility local7 level warnings
2.3 Configure Switch IP Addresses
All Ethernet ports of the ES4624-SFP/ES4626-SFP switch are Data Link layer ports by default and perform Layer 2 forwarding. A VLAN interface represents a Layer 3 interface function which can be assigned an IP address, which is also the IP address of the switch.
Command | Explanation
ip address <ip_address> <mask> [secondary] / no ip address <ip_address> <mask> [secondary] | Configure the VLAN interface IP address; the “no ip address <ip_address> <mask> [secondary]” command deletes the VLAN interface IP address.
2. BootP configuration
Command | Explanation
ip address bootp-client / no ip address bootp-client | Enable the switch to be a BootP client and obtain the IP address and gateway address...
address to the switch.
Example: Set 10.1.128.1/24 as the IP address of the VLAN1 interface.
Switch(Config)#interface vlan 1
Switch(Config-If-Vlan1)#ip address 10.1.128.1 255.255.255.0
Switch(Config-If-Vlan1)#exit
2.3.2.2 ip address bootp-client
Command: ip address bootp-client
no ip address bootp-client
Function: Enable the switch to be a BootP client and obtain the IP address and gateway address through BootP negotiation;...
2.4 SNMP Configuration
2.4.1 Introduction To SNMP
SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP, adopted by vast numbers of manufacturers for its simplicity and ease of implementation;...
management. USM ensures transfer security by well-designed encryption and authentication. USM encrypts the messages according to the password the user typed. This mechanism ensures that the messages can’t be viewed in transmission. And USM authentication ensures that the messages can’t be changed in transmission. USM employs DES-CBC cryptography.
viewed and controlled with the support of the manufacturers. MIB-I [RFC1156] is the first implemented public MIB of SNMP, and is replaced by MIB-II [RFC1213]. MIB-II expands MIB-I and keeps the OIDs of the MIB tree in MIB-I. MIB-II contains sub-trees which are called groups. Objects in those groups cover all the functional domains in network management.
Command | Explanation
snmp-server / no snmp-server | Enable the SNMP Agent function on the switch; the “no snmp-server” command disables the SNMP Agent function on the switch.
2. Configure SNMP community string
Command | Explanation
snmp-server community <string>... | Configure the community string for the switch...
<write-string>] [notify <notify-string>]]
no snmp-server group <group-string> {NoauthNopriv|AuthNopriv|AuthPriv}
7. Configure view
Command | Explanation
snmp-server view <view-string> <oid-string> {include|exclude} / no snmp-server view <view-string> | Configure a view on the switch. This command is used for SNMP v3.
8. Configuring TRAP
Command | Explanation
snmp-server enable traps | Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3.
Example 2: Disable RMON
Switch(config)#no rmon enable
2.4.3.2 show snmp
Command: show snmp
Function: Display all SNMP counter information.
Command mode: Admin Mode
Example:
Switch#show snmp
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables...
get-request PDUs | Number of packets received by “get” requests.
get-next PDUs | Number of packets received by “getnext” requests.
set-request PDUs | Number of packets received by “set” requests.
snmp packets output | Total number of SNMP packets output.
too big errors | Number of “Too_big” error SNMP packets.
SecurityIP | IP address of the NMS which is allowed to access the Agent
2.4.3.4 snmp-server community
Command: snmp-server community <string> {ro|rw}
no snmp-server community <string>
Function: Configure the community string for the switch; the “no snmp-server community <string>” command deletes the configured community string.
Parameter: <string>...
command disables the sending of Trap messages by the switch.
Command mode: Global Mode
Default: Trap messages are disabled by default.
Usage Guide: When Trap messages are enabled, if a Down/Up of a device port or of the system occurs, the device will send Trap messages to the NMS that receives Trap messages.
Example 1: Enable sending of Trap messages.
Command: show snmp group
Function: Display the group information.
Command Mode: Admin Mode
Example:
Switch#show snmp group
Group Name:initial Security Level:noAuthnoPriv
Read View:one
Write View:<no writeview specified>
Notify View:one
Displayed Information | Explanation
Group Name | Group name
Security level | Security level
Read View | Read view name
Write View |...
Row status | User state
2.4.3.14 show snmp view
Command: show snmp view
Function: Display the view information.
Command Mode: Admin Mode
Example:
Switch#show snmp view
View Name:readview -Included active
1.3. Excluded active
Displayed Information | Explanation
View Name | View name
1. and 1.3. | OID number
Included | The view includes sub trees rooted by...
no snmp-server group <group-string> {NoauthNopriv|AuthNopriv|AuthPriv}
Function: This command is used to configure a new group; the “no” form of this command deletes this group.
Command Mode: Global Mode
Parameter: <group-string> is the group name, 1-32 characters.
NoauthNopriv: applies the non-authenticating and non-encrypting security level.
AuthNopriv: applies the authenticating but non-encrypting security level.
AuthPriv: applies the authenticating and encrypting security level.
Name of readable view, 1-32 characters...
include|exclude: include/exclude this OID.
Usage Guide: The command supports not only input using the character string of the variable OID as the parameter, but also input using the node name as the parameter.
Example: Create a view named readview, including the iso node but not the iso.3 node.
Switch (Config)#snmp-server view readview iso include
Switch (Config)#snmp-server view readview iso.3 exclude
Delete the view...
Function: Configure the security IPv4 or IPv6 address of the NMS administration station permitted to access the switch; the “no snmp-server securityip {<ipv4-address>| <ipv6-address>}” command deletes the configured security IPv4 or IPv6 address.
Command Mode: Global Mode
Parameter: <ipv4-address> is the NMS security IPv4 address, in dotted decimal format; <ipv6-address>...
The NMS can use “private” as the community string to access the switch with read-write permission, or use “public” as the community string to access the switch with read-only permission. Scenario 2: NMS will receive Trap messages from the switch (Note: NMS may have community string verification for the Trap messages.
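The Telnet security IP and service password-encryption commands earlier in this chapter, together with the SNMP community strings, securityip and SNMPv3 security levels above, are the settings that decide who can manage the switch and how much an eavesdropper learns. The audit script below is an added example, not code from the manual or from Edge-Core: it reads a running-config written in the command syntax this manual documents and reports the weak combinations (Telnet or SNMP enabled with no securityip restriction, the well-known community strings "public" and "private" from the scenario above, read-write communities, NoauthNopriv groups, missing password encryption, no enable password). The two sample configs are constructed, the placeholder after "enable password 8" stands in for a real encrypted value, and the set of checks is the auditor's own choice.

```python
"""Audit an ES4624-SFP/ES4626-SFP style running-config for weak management settings (added example)."""
import re

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def audit(config_text):
    """Return a list of findings for the given running-config text (empty list = clean)."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    present = set(lines)
    findings = []

    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    # Telnet is cleartext; at minimum the manual's securityip restriction should be present.
    if "ip telnet server" in present and not has("telnet-server securityip "):
        findings.append("Telnet enabled without a telnet-server securityip restriction")

    # SNMP agent enabled but any NMS source address may talk to it.
    if "snmp-server" in present and not has("snmp-server securityip "):
        findings.append("SNMP agent enabled without an snmp-server securityip restriction")

    # Community strings: well-known names, and read-write access, are the usual weak spots.
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (ro|rw)$", line)
        if not m:
            continue
        name, mode = m.groups()
        if name in WELL_KNOWN_COMMUNITIES:
            findings.append(f"well-known SNMP community string '{name}' ({mode})")
        elif mode == "rw":
            findings.append(f"read-write SNMP community '{name}'")

    # SNMPv3 groups at NoauthNopriv get none of USM's authentication or encryption.
    for line in lines:
        m = re.match(r"snmp-server group (\S+) NoauthNopriv", line, re.I)
        if m:
            findings.append(f"SNMPv3 group '{m.group(1)}' uses NoauthNopriv")

    if "service password-encryption" not in present:
        findings.append("service password-encryption not enabled; passwords stored in cleartext")
    if not has("enable password"):
        findings.append("no enable password configured; Admin Mode is unprotected")
    return findings


# Constructed sample: a switch left close to its shipped state.
WEAK_CONFIG = """!
hostname Switch
ip telnet server
snmp-server
snmp-server community public ro
snmp-server community private rw
snmp-server group initial NoauthNopriv
interface vlan 1
 ip address 10.1.128.251 255.255.255.0
"""

# Constructed sample: the same switch after the corrections; the enable password
# value is a placeholder, not a real encrypted string.
HARDENED_CONFIG = """!
hostname Switch
service password-encryption
enable password 8 ENCRYPTED-VALUE-PLACEHOLDER
ip telnet server
telnet-server securityip 192.168.1.21
snmp-server
snmp-server securityip 10.1.1.1
snmp-server community ops-readonly ro
snmp-server group ops AuthPriv
interface vlan 1
 ip address 10.1.128.251 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The checks are deliberately literal string matches on the manual's command forms; a real "show running-config" capture can be fed in unchanged, and anything the script does not recognise is simply ignored rather than guessed at.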
If users still can’t solve the SNMP problems, please contact our technical and service center.
2.5 Switch Upgrade
The ES4624-SFP/ES4626-SFP switch provides two ways to upgrade the switch: BootROM upgrade and TFTP/FTP upgrade under the Shell.
2.5.1 Switch System Files
The system files include the system image file and the boot file. Updating the switch means updating these two files by overwriting the old files with the new ones.
Console cable connection
Fig 2-3 Typical topology for switch upgrade in BootROM mode
The upgrade procedures are listed below:
Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch.
[Boot]:
Step 3: Under BootROM mode, run “setconfig” to set the IP address and mask of the switch under BootROM mode, the server IP address and mask, and select TFTP or FTP upgrade. Suppose the switch address is 192.168.1.2/24, the PC address is 192.168.1.66/24, and TFTP upgrade is selected; the configuration should look like:
[Boot]: setconfig
Host IP Address: 10.1.1.1 192.168.1.2...
[Boot]: run (or reboot)
Other commands in BootROM mode
DIR command: used to list existing files in the FLASH.
[Boot]: dir
boot.rom 327,440 1900-01-01 00:00:00 --SH
boot.conf 83 1900-01-01 00:00:00 --SH
nos.img 2,431,631 1980-01-01 00:21:34 ----
startup-config 2,922 1980-01-01 00:09:14 ----
temp.image...
The file list can also be retrieved from the server in FTP client mode. The ES4624-SFP/ES4626-SFP switch can also upload the current configuration files or system files to remote FTP/TFTP servers (which can be hosts or other switches).
ROM only. The ES4624-SFP/ES4626-SFP switch mandates that the boot file be named boot.rom.
Configuration file: including the start-up configuration file and the running configuration file. The distinction between the start-up configuration file and the running configuration file facilitates the backup and update of configurations.
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server
1. FTP/TFTP client configuration
(1) FTP/TFTP client upload/download file
Command | Explanation (Admin Mode)
copy <source-url> <destination-url> [ascii | binary] | FTP/TFTP client upload/download file
(2) For the FTP client, the server file list can be checked.
Command | Explanation (Global Mode)
tftp-server retransmission-number <number> | Set the maximum retransmission count within the timeout interval.
(3) Modify TFTP server connection retransmission time
Command | Explanation (Global Mode)
tftp-server retransmission-number <number> | Set the maximum retransmission count within the timeout interval.
2.5.3.2.2 Commands for Switch Upgrade
2.5.3.2.2.1 copy (FTP)...
press Enter, and the following prompts will be provided by the system:
ftp server ip/ipv6 address [x.x.x.x]/[x:x::x:x] >
ftp username>
ftp password>
ftp filename>
requesting the FTP server address, user name, password and file name.
Examples:
(1) Save images in the FLASH to the FTP server at 2004:1:2:3::6
Switch#copy nos.img ftp://username:password@2004:1:2:3::6/nos.img
(2) Obtain system file nos.img from the FTP server at 2004:1:2:3::6
Switch#copy ftp://username:password@2004:1:2:3::6/nos.img nos.img...
commands in the following forms: copy <filename> tftp:// or copy tftp:// <filename>, and press Enter; the following prompts will be provided by the system:
tftp server ip/ipv6 address[x.x.x.x]/[x:x::x:x]>
tftp filename>
requesting the TFTP server address and file name.
Example:
(1) Save images in the FLASH to the TFTP server at 2004:1:2:3::6
Switch#copy nos.img tftp://2004:1:2:3::6/nos.img
(2) Obtain system file nos.img from the TFTP server at 2004:1:2:3::6
Switch#copy tftp://2004:1:2:3::6/nos.img nos.img...
2.5.3.2.2.5 ftp-server timeout
Command: ftp-server timeout <seconds>
Function: Set the data connection idle time.
Parameter: <seconds> is the idle time threshold (in seconds) for the FTP connection; the valid range is 5 to 3600.
Default: The system default is 600 seconds.
Command mode: Global Mode
Usage Guide: When the FTP data connection idle time exceeds this limit, the FTP management connection will be disconnected.
2.5.3.2.2.8 tftp-server enable
Command: tftp-server enable
no tftp-server enable
Function: Start the TFTP server; the “no tftp-server enable” command shuts down the TFTP server and prevents TFTP users from logging in.
Default: The TFTP server is not started by default.
Command mode: Global Mode
Usage Guide: When the TFTP server function is enabled, the switch can still perform TFTP client functions.
Fig 2-4 Download nos.img file as FTP/TFTP client (figure: switch 10.1.1.2 connected to computer 10.1.1.1)
Scenario 1: The switch is used as FTP/TFTP client. The switch connects from one of its ports to a computer, which is an FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as an FTP/TFTP client, and the IP address of the switch management VLAN is 10.1.1.2.
Switch(Config-If-Vlan1)#no shut
Switch(Config-If-Vlan1)#exit
Switch(Config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img
Scenario 2: The switch is used as FTP server. The switch operates as the FTP server and connects from one of its ports to a computer, which is an FTP client. Transfer the “nos.img”...
Switch#copy tftp://10.1.1.1/nos.img nos.img
Switch#copy tftp://10.1.1.1/boot.rom boot.rom
Switch#copy tftp://10.1.1.1/startup-config startup-config
Scenario 5: ES4624-SFP/ES4626-SFP switch acts as FTP client to view the file list on the FTP server. Synchronization conditions: The switch connects to a computer by an Ethernet port; the computer is an FTP server with an IP address of 10.1.1.1;...
PC side: Start the FTP server software on the PC and set the username “Switch” and the password “Admin”.
ES4624-SFP/ES4626-SFP switch:
Switch(Config)#inter vlan 1
Switch(Config-If-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-If-Vlan1)#no shut
Switch(Config-If-Vlan1)#exit
Switch(Config)#dir ftp://Switch:Admin@10.1.1.1
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
nos.img file length = 1526021
read file ok
send file
150 Opening ASCII mode data connection for nos.img.
226 Transfer complete.
close ftp client.
The following message is displayed when files are successfully received. Otherwise, please verify link connectivity and retry the “copy” command again.
begin to receive file,wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
If the switch is upgrading the system file or system start-up file through TFTP, the switch must not be restarted until “close tftp client”...
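The receive sequence shown above (“begin to receive file”, “recv”, “write ok”, “close tftp client”) is the switch's TFTP client stepping through RFC 1350 DATA/ACK exchanges. The Python below is an added example, not firmware code from this manual: it encodes the TFTP packets, reassembles an image while handling a retransmitted block, and then checks the result against a digest, because TFTP itself carries no authentication. SAMPLE_IMAGE, its digest and the packet list are constructed for the example.

```python
"""TFTP (RFC 1350) packet encoding and client-side image reassembly.

Added example, not the switch's firmware: it models what the switch's TFTP
client does while receiving nos.img, including re-acknowledging a DATA block
that the server retransmits after a lost ACK, and it verifies the assembled
image against a digest. SAMPLE_IMAGE and its digest are constructed here; a
real upgrade compares against the vendor-published checksum.
"""
import hashlib
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # fixed by RFC 1350; a DATA block shorter than this ends the transfer


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    """DATA packet; the 16-bit block number wraps after 65535."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


def parse_packet(pkt: bytes) -> tuple:
    """Decode DATA, ACK or ERROR packets into (opcode, fields...)."""
    if len(pkt) < 4:
        raise ValueError("truncated TFTP packet")
    opcode, field = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        return opcode, field, pkt[4:]
    if opcode == OP_ACK:
        return opcode, field
    if opcode == OP_ERROR:
        return opcode, field, pkt[4:].split(b"\0", 1)[0].decode(errors="replace")
    raise ValueError(f"unexpected opcode {opcode}")


def receive_image(packets, max_retransmissions: int = 3) -> dict:
    """Consume the server's DATA packets in order, as the switch's client would.

    A repeated copy of the block just accepted is a server retransmission (our
    ACK was lost): re-ack it and count it. More than max_retransmissions of them
    aborts, mirroring the manual's retransmission-number limit. Any other block
    number is a protocol error.
    """
    image = bytearray()
    expected = 1
    acks = []
    retransmissions = 0
    finished = False
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed[0] == OP_ERROR:
            return {"ok": False, "error": f"server error {parsed[1]}: {parsed[2]}"}
        if parsed[0] != OP_DATA:
            continue
        _, block, payload = parsed
        if block == expected & 0xFFFF:
            image += payload
            acks.append(build_ack(block))
            expected += 1
            if len(payload) < BLOCK_SIZE:
                finished = True
                break
        elif block == (expected - 1) & 0xFFFF:
            retransmissions += 1
            if retransmissions > max_retransmissions:
                return {"ok": False, "error": "too many retransmissions"}
            acks.append(build_ack(block))
        else:
            return {"ok": False, "error": f"out-of-order block {block}, expected {expected}"}
    return {
        "ok": finished,
        "size": len(image),
        "blocks": expected - 1,
        "retransmissions": retransmissions,
        "acks_sent": len(acks),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


# Constructed sample: a 1100-byte "image" split into 512 + 512 + 76 bytes,
# with block 2 delivered twice to simulate a retransmission.
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"\xAA" * 76
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
SAMPLE_PACKETS = [
    build_data(1, SAMPLE_IMAGE[0:512]),
    build_data(2, SAMPLE_IMAGE[512:1024]),
    build_data(2, SAMPLE_IMAGE[512:1024]),  # duplicate: server retransmitted block 2
    build_data(3, SAMPLE_IMAGE[1024:]),
]


def image_is_genuine(result: dict, expected_sha256: str) -> bool:
    """Finishing the transfer is not enough: TFTP has no authentication,
    so compare the received image's digest with a trusted one."""
    return bool(result.get("ok")) and result.get("sha256") == expected_sha256
```

The duplicate block 2 is re-acknowledged rather than appended, which is what keeps the byte count correct when the server's retransmission timer fires after a lost ACK; the retransmission-number limit from the previous section corresponds to max_retransmissions here.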
dosattack-check srcip-equal-dstip enable: Enable the function that checks whether the IP source address is the same as the destination address.
2.6.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
1. Enable the anti TCP unauthorized label attack function
2. Enable the IPv4 fragment checking function
Command / Explanation: Global Mode...
dosattack-check tcp-fragment enable; dosattack-check tcp-header <size>: Configure the minimum permitted TCP header length of the packet. This command has no effect when used separately; the user should first enable dosattack-check tcp-fragment enable.
2.6.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence
Enable the prevent ICMP fragment attack function
Configure the max permitted ICMPv4 net load length...
Usage Guide: When this function is enabled, data packets whose source IP address is equal to the destination address will be dropped.
Example: Drop data packets whose source IP address is equal to the destination address.
Switch(Config)#dosattack-check srcip-equal-dstip enable
2.6.3.2 dosattack-check ipv4-first-fragment enable
Command: [no] dosattack-check ipv4-first-fragment enable
Function: Enable the function by which the switch checks the first fragment packet of...
the destination port; the “no” form of this command disables this function.
Parameter: None
Default: The function by which the switch checks whether the source port is equal to the destination port is disabled.
Command Mode: Global Mode
Usage Guide: With this function enabled, the switch will drop TCP and UDP data packets whose destination port is equal to the source port.
2.6.3.7 dosattack-check icmp-attacking enable
Command: [no] dosattack-check icmp-attacking enable
Function: Enable the ICMP fragment attack checking function on the switch; the “no” form of this command disables this function.
Parameter: None
Default: The ICMP fragment attack checking function is disabled on the switch.
Command Mode: Global Mode
Usage Guide: With this function enabled the switch will be protected from ICMP fragment attacks, dropping the fragmented ICMPv4/v6 data packets whose net length is...
enable” first.
Example: Set the max net length of the ICMPv6 data packet permitted by the switch to 100:
Switch(Config)#dosattack-check icmp-attacking enable
Switch(Config)#dosattack-check icmpv6-size 100
2.6.4 Security Feature Example
Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, nor those whose source port is equal to the destination port.
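The scenario's requirements, together with the TCP-header and ICMP-size checks described above, are easier to reason about as explicit packet filters. The Python below is an added example and not the switch's implementation: it models each dosattack-check command as a configuration key and runs constructed packets through the checks in the order the manual describes their effect. The command name for the source-port check and the size defaults are assumptions, since this page does not show them.

```python
"""Model of this section's dosattack-check filters (added example, not the switch's code).

Each configuration key mirrors a command from this section; a packet is a dict
standing in for the parsed IP, TCP/UDP and ICMP headers. Packet values are
constructed. The source-port check's command name is not on this page and is
labelled as assumed; the size defaults are assumed as well.
"""


def default_config() -> dict:
    return {
        "srcip-equal-dstip": False,      # dosattack-check srcip-equal-dstip enable
        "srcport-equal-dstport": False,  # assumed name for the src-port == dst-port check
        "tcp-fragment": False,           # dosattack-check tcp-fragment enable
        "tcp-header": 20,                # dosattack-check tcp-header <size>; 20 is the minimum TCP header (assumed default)
        "icmp-attacking": False,         # dosattack-check icmp-attacking enable
        "icmpv4-size": 1024,             # max ICMPv4 payload, assumed default
        "icmpv6-size": 1024,             # dosattack-check icmpv6-size <size>, assumed default
    }


def scenario_config() -> dict:
    """The 2.6.4 scenario plus the ICMPv6 example above: land, equal-port,
    short-TCP-header and oversized-ICMPv6 packets are all dropped."""
    cfg = default_config()
    cfg.update({"srcip-equal-dstip": True, "srcport-equal-dstport": True,
                "tcp-fragment": True, "icmp-attacking": True, "icmpv6-size": 100})
    return cfg


def check_packet(pkt: dict, cfg: dict) -> tuple:
    """Return (forward, reason); the first matching check decides."""
    if cfg["srcip-equal-dstip"] and pkt["src_ip"] == pkt["dst_ip"]:
        return False, "source IP equals destination IP"
    proto = pkt["proto"]
    if proto in ("tcp", "udp") and cfg["srcport-equal-dstport"] \
            and pkt["src_port"] == pkt["dst_port"]:
        return False, "source port equals destination port"
    # tcp-header <size> only takes effect once tcp-fragment is enabled
    if proto == "tcp" and cfg["tcp-fragment"] and pkt["tcp_header_len"] < cfg["tcp-header"]:
        return False, f"TCP header {pkt['tcp_header_len']} bytes below minimum {cfg['tcp-header']}"
    if proto == "icmp" and cfg["icmp-attacking"]:
        limit = cfg["icmpv6-size"] if pkt["ip_version"] == 6 else cfg["icmpv4-size"]
        if pkt["payload_len"] > limit:
            return False, f"ICMPv{pkt['ip_version']} payload {pkt['payload_len']} exceeds {limit}"
    return True, "forwarded"


def filter_packets(packets, cfg) -> dict:
    """Apply the checks to a packet list; return per-packet verdicts and drop counts per reason."""
    verdicts, drops = [], {}
    for pkt in packets:
        forward, reason = check_packet(pkt, cfg)
        verdicts.append((pkt["id"], forward, reason))
        if not forward:
            drops[reason] = drops.get(reason, 0) + 1
    return {"verdicts": verdicts, "dropped": sum(drops.values()), "by_reason": drops}


# Constructed packets: one that trips each check, and one ordinary flow.
SAMPLE_PACKETS = [
    {"id": "land", "proto": "tcp", "ip_version": 4, "src_ip": "10.1.1.2", "dst_ip": "10.1.1.2",
     "src_port": 23, "dst_port": 23, "tcp_header_len": 20, "payload_len": 0},
    {"id": "equal-port", "proto": "udp", "ip_version": 4, "src_ip": "10.1.1.9", "dst_ip": "10.1.1.2",
     "src_port": 161, "dst_port": 161, "payload_len": 40},
    {"id": "short-tcp", "proto": "tcp", "ip_version": 4, "src_ip": "10.1.1.9", "dst_ip": "10.1.1.2",
     "src_port": 40000, "dst_port": 22, "tcp_header_len": 8, "payload_len": 0},
    {"id": "big-icmpv6", "proto": "icmp", "ip_version": 6, "src_ip": "2004:1:2:3::9",
     "dst_ip": "2004:1:2:3::6", "payload_len": 200},
    {"id": "normal", "proto": "tcp", "ip_version": 4, "src_ip": "10.1.1.9", "dst_ip": "10.1.1.2",
     "src_port": 40001, "dst_port": 22, "tcp_header_len": 20, "payload_len": 100},
]
```

With default_config() every sample packet is forwarded; with scenario_config() only the ordinary flow survives, and the short-header packet is dropped only because tcp-fragment is enabled alongside tcp-header, as the manual requires.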
Jumbo frames: no jumbo enable: Disable the sending/receiving function of Jumbo frames.
2.7.3 Jumbo Command
Command: jumbo enable
no jumbo enable
Function: Enable the Jumbo receiving function, expanding the range of frames received by the switch to 64-8996 bytes. The “no jumbo enable” command restores the normal frame range of 64-1518 bytes.
Parameter: None
Default: The Jumbo function is not enabled by default...
The latest sFlow protocol published by InMon is version 5. Since RFC 3176 specifies version 4, version conflicts may exist in some cases, such as in the structure and the packet format. Because version 5 has not become the official protocol, in order to be compatible with current applications, we will continue to follow RFC 3176.
the “no” form of this command restores the default value.
5. Configure the max data header length of the sFlow packet
Command / Explanation: Interface Mode: sflow data-len <length-value>; no sflow data-len: Configure the max length of the data packet header in sFlow; the “no” form of this command restores the default.
Otherwise the address and port configured in global mode will be applied. The analyzer address should be configured to let the sFlow sample proxy work properly.
Example: Configure the analyzer address and port in global mode.
Switch(Config)#sflow destination 192.168.1.200 1025
2.8.3.2 sflow agent-address
Command: sflow agent-address <agent-address>...
Function: Configure the length of the packet header copied in sFlow data sampling. The “no” form of this command restores the default value.
Parameter: <length-value> is the value of the length, with a valid range of 32-256.
Command Mode: Interface Mode
Default: 128 by default
Usage Guide: If the packet sample can not be identified as IPv4 or IPv6 when...
Switch(Config-If-Ethernet3/2)#sflow counter-interval 20
2.8.3.7 sflow rate
Command: sflow rate { input <input-rate> | output <output-rate> }
no sflow rate [input | output]
Function: Configure the sample rate of the sFlow hardware sampling. The “no” form of this command deletes the sampling rate value.
Parameter: <...
Sample packet max len is 1400
Sample header max len is 50
Sample version is 4
Displayed Information / Explanation:
Sflow version 1.2: Indicates the sFlow version is 1.2
Agent address is 172.16.1.100: The address of the sFlow sample proxy is 172.16.1.100
Collector address have not configured: The sFlow global analyzer address is not configured...
Fig 2-5 sFlow configuration topology
As shown in the figure, sFlow sampling is enabled on ports 3/1 and 3/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The address of the layer 3 interface on SwitchA connected with the PC is 192.168.1.100.
TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, TACACS+ uses TCP at the transport layer and additionally encrypts the packet (except for the standard packet header), so this protocol has more reliable transmission and encryption characteristics and is better suited to security control.
2.9.3 Commands for TACACS+
2.9.3.1 tacacs-server authentication host
Command: tacacs-server authentication host <ip-address> [port <port-number>] [primary]
no tacacs-server authentication host <ip-address>
Function: Configure the IP address and listening port number of the TACACS+ server; the “no” form of this command deletes the TACACS+ authentication server.
Parameter: <ip-address>...
2.9.3.3 tacacs-server timeout
Command: tacacs-server timeout <seconds>
no tacacs-server timeout
Function: Configure the TACACS+ server authentication timeout timer; the “no tacacs-server timeout” command restores the default configuration.
Parameter: <seconds> is the value of the TACACS+ authentication timeout timer, in seconds; the valid range is 1~60.
Command Mode: Global Mode
Default: 3 seconds by default
Usage Guide: The command specifies the period the switch waits for the authentication...
Fig 2-6 TACACS Configuration (figure: computer 10.1.1.1, switch 10.1.1.2, TACACS server 10.1.1.3)
A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a TACACS+ authentication server whose IP address is 10.1.1.3 and whose authentication port is the default 49. Telnet login authentication on the switch:
Switch(Config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit...
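The introduction above contrasts TACACS+ with RADIUS on the point that everything except the packet header is encrypted. The Python below is an added example, not the switch's code: it frames a TACACS+ packet over its 12-byte header and applies the body protection that RFC 8907 documents, an XOR with an MD5-derived pseudo-pad keyed by the shared secret, which the RFC itself calls obfuscation rather than encryption. That is why the secret's strength matters and why a server or switch accepting packets with TAC_PLUS_UNENCRYPTED_FLAG set is worth detecting; the plaintext_on_wire field exposes that condition. The session id, secret and body are constructed.

```python
"""TACACS+ packet framing and body obfuscation (added example, not the switch's code).

TACACS+ runs over TCP port 49. Everything after the 12-byte header is XORed
with a pseudo-pad built from MD5 over the session id, the shared secret, the
version and the sequence number (RFC 8907 section 4.5). Values below are
constructed.
"""
import hashlib
import struct

HEADER_LEN = 12
VERSION_C0 = 0xC0                   # major version 0xc, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01             # TAC_PLUS_UNENCRYPTED_FLAG: body sent in clear
FLAG_SINGLE_CONNECT = 0x04          # TAC_PLUS_SINGLE_CONNECT_FLAG


def parse_header(pkt: bytes) -> dict:
    """version, type, seq_no, flags (1 byte each), session_id and length (4 bytes each)."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes,
                 version: int = VERSION_C0, flags: int = 0) -> bytes:
    """Header plus (obfuscated unless FLAG_UNENCRYPTED is set) body."""
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + body


def decode_packet(pkt: bytes, key: bytes) -> dict:
    """Parse the header, recover the body with the given secret and flag cleartext bodies."""
    hdr = parse_header(pkt)
    body = pkt[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("body length does not match header")
    plaintext = bool(hdr["flags"] & FLAG_UNENCRYPTED)
    if not plaintext:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    hdr["body"] = body
    hdr["plaintext_on_wire"] = plaintext  # a monitor should alarm on True
    return hdr
```

Decoding with the wrong secret yields garbage rather than an error, which is the same reason a mismatched key between switch and server shows up as authentication failures rather than a clear diagnostic.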
prompts of the command-line interface, timeout for quitting Admin mode, etc.
2.10.1.1 Basic Configuration
Users should click “Switch basic configuration” and “BasicConfig” to configure the switch’s clock, prompts of the command-line interface and the mapping address relationship with the host. Basic clock configuration: configure the “date and clock” of the system. Users should configure HH:MM:SS as 23:0:0 and YY.MM.DD as 2002/08/01.
Access priority: specifies access rights to the MIB, including “Read only” and “Read and write.” State: “Valid” to configure; “Invalid” to remove. Users should configure Community string as “public”, choose Access priority as “Read only” mode, and choose State as “Valid”, or configure Community string as “private”, choose Access priority as “Read and write”...
2.10.2.3 Configure IP address of SNMP manager
Users should click “Switch basic configuration”, “SNMP configuration” and “Configure ip address of snmp manager” to configure the security IP addresses of the NMS management stations that will be allowed to access the switch. Security ip address: Security IP address of the NMS. State: “Valid”...
Users should click “Switch basic configuration”, “SNMP configuration” and “RMON and TRAP configuration” to configure the RMON function of the switch. Snmp Agent state: open/close the SNMP agent server function of the switch. RMON state: open/close the RMON function of the switch. Trap state: allows the device to send Trap messages. Example: choose Snmp Agent state as “Open”, choose RMON state as “Open”, and choose Trap state as “Open”.
for which the server file name is “nos.img” and the local file name is “nos.img”. Click “Apply” to finish.
2.10.3.2 TFTP server configuration
Users should click “Switch basic configuration” and “TFTP server service” to enter the configuration page. Words and phrases are explained in the following: Server state: status of the server.
2.10.3.4 FTP server configuration
Users should click “Switch basic configuration” and “FTP server service” to enter the configuration page and make configuration nodes, which include “server configuration” and “user configuration”. Words and phrases of “user configuration” are explained in the following: FTP Server state: status of the server.
Show running-config: to display the current status of the parameter configuration.
Show switch port interface: to display the properties of VLAN ports.
Show tcp: to display the current TCP connections with the switch.
Show udp: to display the current UDP connections with the switch.
Show telnet login: to display the messages of Telnet clients connected to the switch through Telnet.
Other parts are easier to configure. Users just click a configuration node and the related messages will appear. Example: to display the clock; to display FLASH files.
2.10.5 Switch Maintenance
On the left directory of the root page, users should click “Switch maintenance” to configure maintenance nodes through the web interface.
2.10.6 Telnet server configuration
On the left directory of the root page, users may click “Telnet server configuration” and configure the Telnet server configuration nodes through the web interface.
2.10.7 Telnet server user configuration
Users should click “Telnet server configuration” and “Telnet server user configuration”...
Chapter 3 Port Configuration
3.1 Introduction to Port
The ES4624-SFP/ES4626-SFP Switch comes with 8 Gigabit Combo ports, 16 SFP Gigabit fiber ports and (for ES4626-SFP) 2 SFP 10G fiber ports. The Combo ports can be configured as either 1000GX-TX ports or Gigabit fiber ports.
Command / Explanation: Interface Mode: interface ethernet <interface-list>: Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports
Command / Explanation: Interface Mode: combo-forced-mode { copper-forced | copper-preferred-auto | sfp-forced | ...: Sets the combo port mode (combo ports only); the “no combo-forced-mode”...
rate-suppression {dlf | broadcast | multicast} <packets>: Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (broadcast for short) and sets the allowed broadcast packet number; the “no” format of this command disables the broadcast storm control function.
3.2.1.2 Commands for Network Port Configuration
3.2.1.2.1 combo-forced-mode
Command: combo-forced-mode {copper-forced | copper-preferred-auto | sfp-forced | sfp-preferred-auto}...
Both fiber and copper cable are connected: Copper cable port | Copper cable port | Fiber cable port | Fiber cable port
Neither fiber cable nor copper are connected: Copper cable port | Fiber cable port | Fiber cable port | Fiber cable port
Note: Combo port is a concept involving the physical layer and the LLC sublayer of the data link layer.
Usage Guide: After the flow control function is enabled, the port will notify the sending device to slow down its sending speed to prevent packet loss when the traffic received exceeds the capacity of the port cache. ES4624-SFP/26-SFP’s ports support IEEE802.3X flow control; ports working in half-duplex mode support back-pressure flow control. If...
Function: Sets the cable types supported by the Ethernet port; the “no mdi” command sets the cable type to auto-identification. This command is not supported on ES4624-SFP/26-SFP’s ports of 1000Mbps or more, as these ports have auto-identification set for cable types.
3.2.1.2.8 negotiation
Command: negotiation
no negotiation
Function: Enables/Disables the auto-negotiation function of a 1000Base-T port.
Parameters: None.
Command mode: Port configuration Mode
Default: Auto-negotiation is enabled by default.
Usage Guide: This command applies to 1000Base-T interfaces only. The negotiation command is not available for 1000Base-FX interfaces. For combo ports, this command applies to the 1000Base-TX port only and has no effect on the 1000Base-FX port.
Switch(Config-If-Port-Range)#rate-limit 40 output 3.2.1.2.10 rate-suppression Command: rate-suppression {dlf | broadcast | multicast} <packets> no rate-suppression {dlf | broadcast | multicast} Function: Sets the traffic limit for broadcasts, multicasts and unknown destination unicasts on all ports in the switch; the “no rate-suppression” command disables this traffic throttle function on all ports in the switch, i.e., enables broadcasts, multicasts and unknown destination unicasts to pass through the switch at line speed.
mode, flow control switch state, broadcast storm restrain of the port and the statistic state of the data packets; while for vlan interfaces, the port MAC address, IP address and the statistic state of the data packet will be shown; for aggregated port, port speed rate, duplex mode, flow control switch state, broadcast storm restrain of the port and the statistic state of the data packets will be displayed.
1000Mbps at full-duplex mode; nonegotiate disables auto-negotiation for the 1000 Mb port; master forces the 1000Mb port into master mode; slave forces the 1000Mb port into slave mode. Command mode: Interface Mode Default: Auto-negotiation for speed and duplex mode is set by default. Usage Guide: This command applies to 1000Base-TX ports only.
Command / Explanation: VLAN Mode: ip address <ip-address> <mask> [secondary]; no ip address [<ip-address> <mask>]: Configures the VLAN interface IP address; the “no ip address [<ip-address> <mask>]” command deletes the VLAN interface IP address. VLAN Mode: shutdown; no shutdown: Enables/Disables the VLAN interface.
3.2.2.2 Commands for Vlan Interface
3.2.2.2.1 interface vlan
Command: interface vlan <vlan-id>...
the optional parameter secondary is not present, the IP address will be the primary IP of the VLAN interface; otherwise, the IP address configured will be a secondary IP address for the VLAN interface. A VLAN interface can have one primary IP address but multiple secondary IP addresses.
2. Configure the properties for the network management port
Command / Explanation: Network Management Port Configuration Mode: shutdown; no shutdown: Enables/Disables the network management port. speed {auto| force10| force100}: Sets the network management port speed. duplex {auto| full| half}: Sets the network management port duplex mode. loopback: Enables/Disables the loopback test function...
3.2.3.2.2 interface ethernet
Command: interface ethernet <interface-name>
Function: Enters network management port configuration mode from Global Mode.
Parameters: <interface-name> stands for the port number; the default value is 0.
Command mode: Global Mode
Usage Guide: Run the exit command to leave the network management Interface Mode and return to Global Mode.
3.2.3.2.5 shutdown
Command: shutdown
no shutdown
Function: Shuts down the network management port; the “no shutdown” command opens the port.
Command mode: Network management port configuration Mode
Default: The network management port is open by default.
Usage Guide: When the network management port is shut down, no data frames are sent on the port, and the port status displayed when the user types “show interface”...
another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. A protocol analyzer (such as Sniffer) or an RMON monitoring instrument is often attached to the mirror destination port to monitor, manage and diagnose the network.
Usage Guide: This command configures the source port of the mirror. The switch places no limitation on the mirror source port, which can be one port or many ports; not only can the sent flow or the received flow be mirrored from a mirror source port, but both the sent and received flows are available on a single mirror source port.
3.4 Port Configuration Example
Fig 3-1 Port Configuration Example (figure: SwitchA, SwitchB and SwitchC; ports 1/12 and 1/10)
No VLAN has been configured in the switches; the default VLAN1 is used.
Switch / Port / Property:
SwitchA: Ingress bandwidth limit: 150 M
SwitchB: Mirror source port 100Mbps full, mirror source port 1/12 1000Mbps full, mirror destination port
SwitchC...
Two connected fiber interfaces won’t link up if one interface is set to auto-negotiation but the other to forced speed/duplex. This is determined by IEEE 802.3. The following combinations are not recommended: enabling traffic control as well as setting multicast limiting for the same port; setting broadcast, multicast and unknown destination unicast control as well as port bandwidth limiting for the same port.
applied to port 1/1. The port list table displays the related information of the switch physical ports.
3.6.3 Bandwidth control
Click Port configuration, Ethernet port configuration, Bandwidth control to configure port bandwidth control. Port: specifies the port to configure. Bandwidth control level: port bandwidth control; the unit is Mbps and the value range is 1~10000Mbps. Control type: Ingress means to control port bandwidth when receiving data packets sent from outside the switch.
Click Port configuration, vlan interface configuration to open the VLAN port configuration management list to allocate IP address and mask on L3 port and so on. 3.6.5 Allocate IP address for L3 port Click “Port configuration”, “vlan interface configuration”, Allocate IP address for L3 port to allocate IP address for L3 port.
Click Port configuration, Port mirroring configuration, Mirror configuration to configure the port mirroring function, including the mirroring source port and the mirroring destination port. Configure mirroring source port: Session: mirror session value. Source interface list. Mirror direction: rx means to mirror the packets received on the port; tx means to mirror the packets sent by the port;...
Channel fails, the other ports will undertake traffic of that port through a traffic allocation algorithm. This algorithm is carried out by the hardware. ES4624-SFP/ES4626-SFP switch offers 2 methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation.
If the ports are Trunk ports, then their “Allowed VLAN” and “Native VLAN” property should also be the same. If Port Channel is configured manually or dynamically on ES4624-SFP/ES4626-SFP switch, the system will automatically set the port with the smallest number to be Master Port of the Port Channel.
Command / Explanation: Interface Mode: port-group <port-group-number> mode {active|passive|on}; no port-group <port-group-number>: Adds ports to the port group and sets their mode.
3. Enter port-channel configuration mode.
Command / Explanation: Global Mode: interface port-channel <port-channel-number>: Enters port-channel configuration mode.
4.3 Commands for port channel
4.3.1 debug lacp
Command: debug lacp
no debug lacp...
otherwise, the group will be deleted. Parameters: <port-group-number> is the group number of a port channel, from 1 to 8; if the group number already exists, an error message will be given. dst-mac performs load balancing according to the destination MAC; src-mac performs load balancing according to the source MAC;...
Example: Under the Port Mode of Ethernet1/1, add the current port to “port-group 1” in “active” mode.
Switch(Config-Ethernet1/1)#port-group 1 mode active
4.3.4 interface port-channel
Command: interface port-channel <port-channel-number>
Function: Enters the port channel configuration mode
Command mode: Global Mode
Usage Guide: On entering aggregated port mode, configuration of the GVRP or spanning tree modules will apply to aggregated ports;...
Number of ports in group: Port number in the port group
Maxports: Maximum number of ports allowed in a group
Number of port-channels: Whether aggregated to a port channel or not
Max port-channels: Maximum number of port channels that can be formed by the port group
the machine state and port state of the port are as follows:
mux_state: DETCH
rcvm_state: P_DIS
prm_state: NO_PER
actor_oper_port_state : L_A___F_
partner_oper_port_state: _TA___F_
Displayed information / Explanation:
portnumber: Port number
actor_port_agg_id: The channel number to add the port to. If the port cannot be added to the channel due to inconsistent parameters between the port and the channel, 3 will be displayed.
port state: LACP activity, LACP timeout, Aggregation, Synchronization, Collecting, Distributing, Defaulted, Expired
Partner part: Administrative / Operational
system: 000000-000000 / 000000-000000
system priority: 0x8000 / 0x8000
port number: 0x0001 / 0x0001
port priority: 0x8000 / 0x8000
port state: LACP activity, LACP timeout, Aggregation, Synchronization, Collecting, Distributing, Defaulted, Expired...
Collecting: Whether the state of the port bound state machine is “collecting” or not.
Distributing: Whether the state of the port bound state machine is “distributing” or not.
Defaulted: Whether the local port is using default partner-end parameters.
Expired: Whether the state of the port receiving state machine is “expired” or not.
SwitchB Fig 4-2 Configuring Port Channel in LACP Example: The switches in the description below are all ES4624-SFP/ES4626-SFP switch and as shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to vlan1. Add those four ports to group1 in active mode. Ports 1, 2, 3, 4 of SwitchB are access ports that also belong to vlan1.
Scenario 2: Configuring Port Channel in ON mode.
Fig 4-3 Configuring Port Channel in ON mode (figure: SwitchA and SwitchB)
Example: As shown in the figure, ports 1, 2, 3, 4 of SwitchA are access ports that belong to vlan1. Add those four ports to group1 in “on” mode. Ports 1, 2, 3, 4 of SwitchB are access ports that also belong to vlan1; add these four ports to group2 in “on”...
In “on” mode the ports are joined forcibly, and the switch at the other end does not exchange LACP BPDUs to complete the aggregation. Aggregation finishes immediately when the command to add port 2 to port-group 1 is entered: port 1 and port 2 aggregate to form port-channel 1; when port 3 joins port-group 1, the port-channel 1 formed by ports 1 and 2 is ungrouped and re-aggregates with port 3 to form port-channel 1.
Click “LACP port group configuration” to enter the configuration page. Group Num: group number. Load balance mode: includes src-mac, dst-mac, dst-src-mac, src-ip, dst-ip, dst-src-ip. Operation type: Add port group or Remove port group. Fill in Group Num, select the load balance mode and select the operation type as Add port group. Click Apply to add the group.
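The actor_oper_port_state / partner_oper_port_state strings in the show output above, and the load-balance modes listed here, can both be made concrete in a few lines. The Python below is an added example, not the switch's code: decode_state renders the 8-bit LACP port state in the same letter form the switch prints (so that "L_A___F_" can be read as active, aggregatable, using defaulted partner information, and not yet synchronized), and select_member shows how each load-balance mode pins a flow to one member port. CRC32 stands in for the undocumented hardware hash and is an assumption; the frames and member port names are constructed.

```python
"""LACP port-state flags and port-channel member selection (added example, not the switch's code).

decode_state renders the 8-bit LACP Actor/Partner state the way this switch
displays it ("L_A___F_"); select_member shows which member port each
load-balance mode pins a flow to. CRC32 is an assumed stand-in for the
hardware hash; frames and member names are constructed.
"""
import zlib

# Bit i of the state byte, its letter in the switch's display and its 802.1AX name.
STATE_FLAGS = [
    ("L", "LACP_Activity"), ("T", "LACP_Timeout"), ("A", "Aggregation"),
    ("S", "Synchronization"), ("C", "Collecting"), ("D", "Distributing"),
    ("F", "Defaulted"), ("E", "Expired"),
]


def decode_state(state: int) -> str:
    """0x45 -> 'L_A___F_': active, aggregatable, using defaulted partner info."""
    return "".join(letter if state >> bit & 1 else "_"
                   for bit, (letter, _) in enumerate(STATE_FLAGS))


def encode_state(text: str) -> int:
    """Inverse of decode_state; rejects strings that do not follow the display format."""
    if len(text) != len(STATE_FLAGS):
        raise ValueError("state string must have 8 characters")
    value = 0
    for bit, ch in enumerate(text):
        if ch == "_":
            continue
        if ch != STATE_FLAGS[bit][0]:
            raise ValueError(f"unexpected {ch!r} at position {bit}")
        value |= 1 << bit
    return value


def explain_state(state: int) -> list:
    """Names of the flags that are set, in bit order."""
    return [name for bit, (_, name) in enumerate(STATE_FLAGS) if state >> bit & 1]


def forwarding(state: int) -> bool:
    """A member carries traffic only once it is in sync and both collecting and distributing."""
    return all(state >> bit & 1 for bit in (3, 4, 5))


# Fields hashed by each load-balance mode named in this section.
LOAD_BALANCE_FIELDS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "dst-src-mac": ("dst_mac", "src_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "dst-src-ip": ("dst_ip", "src_ip"),
}


def select_member(mode: str, frame: dict, members: list) -> str:
    """Pin a frame to one member: same hashed fields, same port, so a flow is never reordered."""
    if mode not in LOAD_BALANCE_FIELDS:
        raise ValueError(f"unknown load-balance mode {mode}")
    if not members:
        raise ValueError("port channel has no members")
    key = "|".join(frame[f] for f in LOAD_BALANCE_FIELDS[mode]).encode()
    return members[zlib.crc32(key) % len(members)]


def distribute(mode: str, frames: list, members: list) -> dict:
    """Count how a set of frames spreads over the members, to judge a mode's balance."""
    counts = {m: 0 for m in members}
    for frame in frames:
        counts[select_member(mode, frame, members)] += 1
    return counts
```

The distribute helper makes the practical consequence visible: with many hosts talking to one server, dst-ip mode puts every frame on a single member, while src-ip or dst-src-ip spreads them.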
IEEE announced IEEE 802.1Q protocol to direct the standardized VLAN implementation, and the VLAN function of ES4624-SFP/ES4626-SFP switch is implemented following IEEE 802.1Q. The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands.
Lowering network cost; Enhancing network security. VLAN and GVRP (GARP VLAN Registration Protocol), defined by 802.1Q, are implemented in the ES4624-SFP/ES4626-SFP switch. This chapter will describe the use and configuration of VLAN and GVRP in detail.
5.1.2 VLAN Configuration Task List
1.
Command / Explanation: Interface Mode: switchport trunk allowed vlan {<vlan-list>|all}; no switchport trunk allowed vlan <vlan-list>: Set/delete the VLANs allowed to cross the Trunk. The “no” command restores the default setting. switchport trunk native vlan <vlan-id>; no switchport trunk native vlan: Set/delete the PVID for the Trunk port.
5.
5.1.3 Commands For Vlan Configuration 5.1.3.1 Vlan Command: vlan <vlan-id>[name <vlan-name>] no vlan <vlan-id>[name] Function: Create a VLAN and enter VLAN configuration mode, and can set VLAN name. In VLAN Mode, the user can assign the switch ports to the VLAN. The “no vlan <vlan-id>“...
Ethernet ports their member ports. A normal VLAN will clear its Ethernet ports when set to a Private VLAN. It is to be noted that Private VLAN messages will not be transmitted by GVRP.
Example: Set VLAN100, 200 and 300 to private VLANs, with the primary, Isolated and Community types respectively.
for VLAN ID of the VLAN to display status information, the valid range is 1 to 4094; <vlan-name> is the VLAN name for the VLAN to display status information, valid length is 1 to 11 characters. Command mode: Admin Mode Usage Guide: If no <vlan-id>...
access vlan” command deletes the current port from the specified VLAN, and the port will be partitioned to VLAN1. Parameter: <vlan-id> is the VID for the VLAN to be added the current port, valid range is 1 to 4094. Command mode: Interface Mode Default: All ports belong to VLAN1 by default.
assigned to one and only one VLAN at a time.
Example: Set port 1/5 to trunk mode and port 1/8 to access mode.
Switch(Config)#interface ethernet 1/5
Switch(Config-ethernet1/5)#switchport mode trunk
Switch(Config-ethernet1/5)#exit
Switch(Config)#interface ethernet 1/8
Switch(Config-ethernet1/8)#switchport mode access
Switch(Config-ethernet1/8)#exit
5.1.3.8 switchport trunk allowed vlan
Command: switchport trunk allowed vlan {<vlan-list>|all}
no switchport trunk allowed vlan
Function: Set the trunk port to allow VLAN traffic;...
Switch(Config)#interface ethernet 1/5
Switch(Config-ethernet1/5)#switchport mode trunk
Switch(Config-ethernet1/5)#switchport trunk native vlan 100
Switch(Config-ethernet1/5)#exit
5.1.3.10 switchport ingress-filtering
Command: switchport ingress-filtering
no switchport ingress-filtering
Function: Enable the VLAN ingress rule for a port; the “no switchport ingress-filtering” command disables the ingress rule.
Command mode: Interface Mode
Default: VLAN ingress rules are enabled by default.
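The access, trunk, allowed-VLAN, native-VLAN and ingress-filtering commands in this section each change one input to the same 802.1Q decision: which VLAN an arriving frame belongs to, whether it is accepted, and whether it leaves a port tagged. The Python below is an added example, not the switch's code, that models those settings per port and applies the standard rules they control. Two points are assumptions and marked as such in the comments: that a trunk allows all VLANs until restricted, and that an access port accepts a tagged frame only for its own VLAN. Port names and VIDs follow the VLAN example in this chapter but are constructed here.

```python
"""802.1Q membership rules for this section's switchport commands (added example, not the switch's code).

Port holds the per-port settings; classify_ingress and classify_egress apply
the 802.1Q rules those settings control. Assumptions are marked in comments;
port names and VIDs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    mode: str = "access"             # switchport mode {access|trunk}
    access_vlan: int = 1             # switchport access vlan <vlan-id>; every port starts in VLAN1
    native_vlan: int = 1             # switchport trunk native vlan <vlan-id> (the trunk's PVID)
    allowed: object = "all"          # switchport trunk allowed vlan {<vlan-list>|all} (assumed default: all)
    ingress_filtering: bool = True   # switchport ingress-filtering; enabled by default

    def is_member(self, vid: int) -> bool:
        if self.mode == "access":
            return vid == self.access_vlan
        return self.allowed == "all" or vid in self.allowed


def classify_ingress(port: Port, tag_vid) -> tuple:
    """Return (accept, vid, reason) for a frame arriving on port.
    tag_vid is None for an untagged frame, else the VID in its 802.1Q tag."""
    if tag_vid is None:
        pvid = port.access_vlan if port.mode == "access" else port.native_vlan
        return True, pvid, f"untagged frame classified to PVID {pvid}"
    if not 1 <= tag_vid <= 4094:
        return False, None, f"VID {tag_vid} outside 1-4094"
    if port.mode == "access":
        if tag_vid == port.access_vlan:  # assumption: a tag for the port's own VLAN is accepted
            return True, tag_vid, "tagged frame matches access VLAN"
        return False, None, "access port does not accept other VLAN tags"
    if port.is_member(tag_vid):
        return True, tag_vid, "trunk allows this VLAN"
    if not port.ingress_filtering:
        # with ingress filtering disabled, 802.1Q accepts frames for VLANs the port is not in
        return True, tag_vid, "ingress filtering disabled; accepted although not allowed"
    return False, None, f"trunk does not allow VLAN {tag_vid}"


def classify_egress(port: Port, vid: int) -> str:
    """'untagged', 'tagged' or 'drop' for a frame of VLAN vid leaving port."""
    if not port.is_member(vid):
        return "drop"
    if port.mode == "access" or vid == port.native_vlan:
        return "untagged"
    return "tagged"


def forward(ingress: Port, tag_vid, egress_ports) -> dict:
    """Trace one frame through ingress classification and every candidate egress port."""
    accept, vid, reason = classify_ingress(ingress, tag_vid)
    result = {"accepted": accept, "vid": vid, "reason": reason, "egress": {}}
    if accept:
        result["egress"] = {p.name: classify_egress(p, vid)
                            for p in egress_ports if p is not ingress}
    return result


# The VLAN example in this chapter: ports 1/5-7 in VLAN100, 1/8-10 in VLAN200,
# 1/11 a trunk, restricted here (constructed) to the scenario's three VLANs.
PORTS = {
    "1/5": Port("1/5", access_vlan=100),
    "1/8": Port("1/8", access_vlan=200),
    "1/11": Port("1/11", mode="trunk", allowed={2, 100, 200}),
}
```

Running forward(PORTS["1/5"], None, PORTS.values()) shows an untagged frame from the VLAN100 host leaving the trunk tagged 100 and being dropped towards the VLAN200 access port, which is the isolation the scenario asks for; flipping ingress_filtering off on the trunk is what lets frames for unconfigured VLANs in.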
The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. These three VLANs span two different locations, A and B. One switch is placed in each site, and the cross-location requirement can be met if VLAN traffic can be transferred between the two switches.
Switch(Config-Vlan100)#switchport interface ethernet 1/5-7
Switch(Config-Vlan100)#exit
Switch(Config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/8-10
Switch(Config-Vlan200)#exit
Switch(Config)#interface ethernet 1/11
Switch(Config-Ethernet1/11)#switchport mode trunk
Switch(Config-Ethernet1/11)#exit
5.2 GVRP Configuration
5.2.1 Introduction to GVRP
GARP (Generic Attribute Registration Protocol) can be used to dynamically distribute, populate and register attribute information between switch members within a switch network; the attribute can be VLAN information, multicast MAC addresses or other information.
Interface Mode: bridge-ext garp timer join <timer-value>; no bridge-ext garp timer join; bridge-ext garp timer leave <timer-value>; no bridge-ext garp timer leave; bridge-ext garp timer hold <timer-value>; no bridge-ext garp timer hold: Configure the hold, join and leave timers for GARP. Global Mode: bridge-ext garp timer leave all <timer-value>: Configure the leave all timer...
5.2.3.2 debug gvrp Command: debug gvrp no debug gvrp Function: Enable the GVRP debugging function: the “ no debug gvrp” command disables the function. Command mode: Admin Mode Default: GVRP debug information is disabled by default. Usage Guide: Use this command to enable GVRP debugging, GVRP packet processing information can be displayed.
GARP application entities received the join message will register this message. Example: Set the GARP join timer value of port 1/10 to 1000 ms. Switch(Config-Ethernet1/10)#bridge-ext garp timer join 1000 5.2.3.5 bridge-ext garp timer leave Command:bridge-ext garp timer leave <timer-value> no bridge-ext garp timer leave Function: Set the leave timer for GARP;the “no bridge-ext garp timer leave”...
Function: Display the global and port information for GARP. Parameter: <interface-name> stands for the name of the Trunk port to be displayed. Command mode: Admin Mode Usage Guide: N/A. Example: Display global GARP information. Switch#show garp timer 5.2.3.8 show gvrp configuration Command: show gvrp configuration [<interface-name>] Function: Display the global and port information for GVRP.
Fig 5-3 Typical GVRP Application Topology (figure: Switch A, Switch B, Switch C)
To enable dynamic VLAN information registration and update among switches, the GVRP protocol is to be configured in the switches. Configure GVRP in Switch A, B and C, and enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
The GARP timer settings for the Trunk ports at both ends of a Trunk link must be the same, otherwise GVRP will not work properly. It is recommended to avoid enabling GVRP and RSTP at the same time on the ES4624-SFP/ES4626-SFP switch. If GVRP is to be enabled, the RSTP function for the ports must be disabled first.
5.3 Dot1q-tunnel Configuration 5.3.1 Dot1q-tunnel Introduction Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its dominant idea is encapsulating the customer VLAN tag (CVLAN tag) inside the service provider VLAN tag (SPVLAN tag).
It is obvious that the dot1q-tunnel function has the following characteristics: Applicable through simple static configuration; no complex configuration or maintenance is needed. Operators only have to assign one SPVID for each user, which increases the number of concurrently supportable users, while users keep the ultimate freedom in selecting and managing their VLAN IDs (selected within 1~4094 at the users'...
no dot1q-tunnel enable Function: Set the access port of the switch to dot1q-tunnel mode; the “no dot1q-tunnel enable” command restores the default. Parameter: None. Command Mode: Port Mode. Default: The dot1q-tunnel function is disabled on the port by default. Usage Guide: After enabling dot1q-tunnel on the port, data packets without a VLAN tag (referred to as "tag") will be packed with a tag when entering through the port;...
Switch(Config-Ethernet1/10)#exit 5.3.3.3 show dot1q-tunnel Command: show dot1q-tunnel Function: Display the information of all the ports at dot1q-tunnel state. Parameter: None. Command Mode: Admin Mode. Usage Guide: This command is used for displaying the information of the ports at dot1q-tunnel state. Example: Display current dot1q-tunnel state.
ID to a new VLAN ID according to the user requirements, so as to exchange data across different VLANs. VLAN translation is classified into ingress translation and egress translation, which translate the VLAN ID at the entrance or at the exit respectively. Application and configuration of VLAN translation are explained in detail in this section.
5.4.3.1 show vlan-translation Command: show vlan-translation Function: Display the information of all the ports at VLAN-translation state. Parameter: None. Command Mode: Admin Mode. Usage Guide: Display the information of all the ports at VLAN-translation state, including enabling, packet dropped, direction and other information. Example: Display current VLAN translation state information.
Switch(Config-If-Ethernet4/1)#vlan-translation 2 to 100 out Switch(Config-If-Ethernet4/1)#exit 5.4.3.3 vlan-translation enable Command: vlan-translation enable no vlan-translation enable Function: Enable VLAN translation on specified trunk port of the switch; the “no vlan-translation enable” command restores to the default value. Parameter: None. Command Mode: Port Mode. Default: VLAN translation has not been enabled on the port by default.
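The following is an added frame-level illustration of the two mechanisms described in sections 5.3 and 5.4; it is example code written for this manual, not the switch's own implementation. A dot1q-tunnel access port pushes the provider tag (SPVLAN) over whatever the customer sends, and a trunk port with "vlan-translation <old> to <new> {in|out}" rewrites the outer VLAN ID on ingress or egress. Frames are modelled as byte strings with the 802.1Q TPID 0x8100; the MAC addresses and payload are constructed, and the `parse`/`build` helpers are assumptions of this example.

```python
"""Frame-level model of dot1q-tunnel (QinQ) tag push/pop and VLAN translation.
Example code for this manual, not the switch firmware."""
import struct
from typing import Dict, List, Tuple

TPID = 0x8100  # 802.1Q tag protocol identifier


def parse(frame: bytes) -> Tuple[bytes, bytes, List[int], int, bytes]:
    """Return (dst, src, [vlan ids, outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlans: List[int] = []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)          # VLAN ID is the low 12 bits of the TCI
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vlans, ethertype, frame[off + 2:]


def build(dst: bytes, src: bytes, vlans: List[int], ethertype: int,
          payload: bytes, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags."""
    tags = b"".join(struct.pack("!HH", TPID, (pcp << 13) | (v & 0x0FFF)) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def dot1q_tunnel_ingress(frame: bytes, spvid: int) -> bytes:
    """Access port in dot1q-tunnel mode: push the SPVLAN tag.
    A customer tag, if present, is kept intact inside (802.1Q-in-802.1Q)."""
    dst, src, vlans, et, pl = parse(frame)
    return build(dst, src, [spvid] + vlans, et, pl)


def dot1q_tunnel_egress(frame: bytes) -> bytes:
    """Leaving the provider network toward the customer: pop the outer SPVLAN tag."""
    dst, src, vlans, et, pl = parse(frame)
    if not vlans:
        raise ValueError("no SPVLAN tag to remove")
    return build(dst, src, vlans[1:], et, pl)


def vlan_translate(frame: bytes, rules: Dict[Tuple[str, int], int], direction: str) -> bytes:
    """Apply "vlan-translation <old> to <new> in|out" rules, keyed (direction, old).
    Only the outer tag is rewritten; frames without a matching rule pass unchanged."""
    dst, src, vlans, et, pl = parse(frame)
    if vlans and (direction, vlans[0]) in rules:
        vlans = [rules[(direction, vlans[0])]] + vlans[1:]
    return build(dst, src, vlans, et, pl)


def demo() -> Dict[str, object]:
    """Constructed customer frames through a tunnel port with SPVID 2000 and the
    "vlan-translation 2 to 100 out" rule from the example above."""
    dst, src = bytes.fromhex("00030f112233"), bytes.fromhex("00030f445566")  # constructed
    ip_payload = b"\x45\x00" + b"\x00" * 18                                  # constructed stub
    tagged = build(dst, src, [10], 0x0800, ip_payload)      # customer sends CVLAN 10
    untagged = build(dst, src, [], 0x0800, ip_payload)
    in_tunnel = dot1q_tunnel_ingress(tagged, spvid=2000)
    out_tunnel = dot1q_tunnel_egress(in_tunnel)
    rules = {("out", 2): 100}                               # vlan-translation 2 to 100 out
    translated = vlan_translate(build(dst, src, [2], 0x0800, ip_payload), rules, "out")
    return {
        "tunnel_vlans": parse(in_tunnel)[2],                # [2000, 10]
        "untagged_vlans": parse(dot1q_tunnel_ingress(untagged, 2000))[2],  # [2000]
        "after_egress": parse(out_tunnel)[2],               # [10]
        "restored": out_tunnel == tagged,                   # customer frame unchanged
        "translated_vlans": parse(translated)[2],           # [100]
    }
```

The point the model makes visible is that the provider tag is pushed regardless of what the customer sends, so the customer's own VLAN numbering never has to be coordinated with the provider's, whereas VLAN translation rewrites an ID in place and therefore requires a rule per VLAN on each trunk port.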
Configuring in port-channel is not supported. 5.5 Dynamic VLAN Configuration 5.5.1 Dynamic VLAN Introduction The dynamic VLAN is named corresponding to the static VLAN (namely the port based VLAN). Dynamic VLAN supported by the ES4624-SFP/26-SFP switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN. Detailed...
description is as follows. The MAC-based VLAN division is based on the MAC address of each host, namely every host with a MAC address will be assigned to a certain VLAN. By this means, a network user keeps membership in his VLAN when he moves from one physical location to another.
2. Configure the correspondence between the MAC address and the VLAN
Command Explanation
Global Mode
mac-vlan <mac-address> vlan <vlan-id> priority <priority-id>
no mac-vlan {mac <mac-address>|all}
Add/delete the correspondence between the MAC address and the VLAN, namely make the specified MAC address join/leave the specified VLAN
3.
Command Explanation
Global Mode
dynamic-vlan mac-vlan prefer
dynamic-vlan subnet-vlan prefer
Configure the priority of the dynamic VLAN
5.5.2.2 Commands for Dynamic VLAN Configuration 5.5.2.2.1 dynamic-vlan mac-vlan prefer Command: dynamic-vlan mac-vlan prefer Function: Set the MAC-based VLAN as preferred. Parameter: None Command Mode: Global Mode Default: MAC-based VLAN is preferred by default Usage Guide: Configure the preference of dynamic VLAN on the switch.
Function: Add the correspondence between MAC address and VLAN, namely specify a certain MAC address to join the specified VLAN. The “no” form of this command deletes all/the correspondence. Parameter: mac-address is the MAC address, shown in the form XX-XX-XX-XX-XX-XX; vlan-id is the ID of the VLAN, with a valid range of 1~4094; priority-id is the priority level used in the VLAN tag, with a valid range of 0~7; all refers to all the MAC addresses.
with the IP protocol or else some application may be affected Example: Assign the IP protocol data packet encapsulated by the EthernetII to VLAN200 Switch#config Switch(config)#protocol-vlan mode ethernetii etype 2048 vlan 200 5.5.2.2.5 show dynamic-vlan prefer Command: show dynamic-vlan prefer Function: Display the preference of the dynamic VLAN Parameter: None Command Mode: Admin Mode...
Ethernet1/1 Ethernet1/2 Ethernet1/3 Ethernet1/4 Ethernet1/5 Ethernet1/6 5.5.2.2.8 show protocol-vlan Command: show protocol-vlan Function: Display the configuration of Protocol-based VLAN on the switch Parameter: None Command Mode: Admin Mode Usage Guide: Display the configuration of Protocol-based VLAN on the switch Example: Display the configuration of the current Protocol-based VLAN Switch#show protocol-vlan Protocol_Type VLAN_ID...
Example: Display the ports currently at IP-subnet-based VLAN SwitchA#show subnet-vlan interface Ethernet1/1 Ethernet1/2 Ethernet1/3 Ethernet1/4 5.5.2.2.11 subnet-vlan Command: subnet-vlan ip-address <ipv4-address> mask <subnet-mask> vlan <vlan-id> priority <priority-id> no subnet-vlan {ip-address <ipv4-address> mask <subnet-mask>|all} Function: Add a correspondence between the IP subnet and the VLAN, namely add the specified IP subnet into the specified VLAN;...
function on specified port to meet special user applications. Example: Disable the MAC-based VLAN function on port1. Switch#config Switch(config)#interface ethernet 4/1 Switch(Config-If-Ethernet4/1)#no switchport mac-vlan enable 5.5.2.2.13 switchport subnet-vlan enable Command: switchport subnet-vlan enable no switchport subnet-vlan enable Function: Enable the IP-subnet-based VLAN on the port; the “no” form of this command disables the IP-subnet-based VLAN function on the port Parameter: None Command Mode: Port Mode.
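The following added example models how an untagged frame is assigned to a dynamic VLAN under the MAC-based, IP-subnet-based and Protocol-based rules of this section, including the "dynamic-vlan mac-vlan prefer" / "dynamic-vlan subnet-vlan prefer" setting and the per-port "switchport mac-vlan enable" / "switchport subnet-vlan enable" switches. It is example code written for this manual, not the switch's implementation: the exact lookup order (preferred rule, then the other, then protocol-based), longest-prefix selection among overlapping subnet rules, and priority 0 for protocol-based matches are assumptions, and the subnet rule and host addresses are constructed.

```python
"""Dynamic VLAN classification of untagged frames. Example code for this
manual, not the switch firmware; lookup order is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    src_mac: str                 # XX-XX-XX-XX-XX-XX, as written on the switch CLI
    ethertype: int               # e.g. 0x0800 (2048) for IPv4 in Ethernet II
    src_ip: Optional[str] = None


@dataclass
class DynamicVlanConfig:
    prefer: str = "mac-vlan"     # "mac-vlan" (default) or "subnet-vlan"
    mac_vlan: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    subnet_vlan: List[Tuple[ipaddress.IPv4Network, int, int]] = field(default_factory=list)
    protocol_vlan: Dict[Tuple[str, int], int] = field(default_factory=dict)

    @staticmethod
    def _check(vlan: int, priority: int) -> None:
        if not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be 1~4094")
        if not 0 <= priority <= 7:
            raise ValueError("priority-id must be 0~7")

    def add_mac_vlan(self, mac: str, vlan: int, priority: int) -> None:
        """mac-vlan mac <mac> vlan <vlan-id> priority <priority-id>"""
        self._check(vlan, priority)
        self.mac_vlan[mac.lower()] = (vlan, priority)

    def add_subnet_vlan(self, ip: str, mask: str, vlan: int, priority: int) -> None:
        """subnet-vlan ip-address <ip> mask <mask> vlan <vlan-id> priority <priority-id>"""
        self._check(vlan, priority)
        self.subnet_vlan.append((ipaddress.IPv4Network(f"{ip}/{mask}", strict=False), vlan, priority))

    def add_protocol_vlan(self, mode: str, etype: int, vlan: int) -> None:
        """protocol-vlan mode <mode> etype <etype> vlan <vlan-id>"""
        self._check(vlan, 0)
        self.protocol_vlan[(mode, etype)] = vlan


def classify(cfg: DynamicVlanConfig, frame: Frame, mac_enabled: bool = True,
             subnet_enabled: bool = True) -> Optional[Tuple[int, int]]:
    """Return (vlan-id, priority) for an untagged frame, or None when no rule matches.
    mac_enabled / subnet_enabled mirror the per-port enable commands."""
    def by_mac() -> Optional[Tuple[int, int]]:
        return cfg.mac_vlan.get(frame.src_mac.lower()) if mac_enabled else None

    def by_subnet() -> Optional[Tuple[int, int]]:
        if not subnet_enabled or frame.src_ip is None:
            return None
        addr = ipaddress.IPv4Address(frame.src_ip)
        # longest prefix wins when subnet rules overlap (assumption)
        hits = [(n.prefixlen, v, p) for n, v, p in cfg.subnet_vlan if addr in n]
        if not hits:
            return None
        _, vlan, prio = max(hits)
        return (vlan, prio)

    first, second = (by_mac, by_subnet) if cfg.prefer == "mac-vlan" else (by_subnet, by_mac)
    for lookup in (first, second):
        hit = lookup()
        if hit is not None:
            return hit
    vlan = cfg.protocol_vlan.get(("ethernetii", frame.ethertype))
    return (vlan, 0) if vlan is not None else None   # protocol rules carry no priority


def demo() -> List[Optional[Tuple[int, int]]]:
    cfg = DynamicVlanConfig(prefer="mac-vlan")
    cfg.add_mac_vlan("00-03-0f-11-22-33", 100, 0)              # from this section's example
    cfg.add_subnet_vlan("192.168.1.0", "255.255.255.0", 300, 2)  # constructed rule
    cfg.add_protocol_vlan("ethernetii", 2048, 200)             # IPv4 -> VLAN 200
    host = Frame("00-03-0f-11-22-33", 0x0800, "192.168.1.10")  # matches MAC and subnet
    other = Frame("00-03-0f-aa-bb-cc", 0x0800, "192.168.1.11")  # matches subnet only
    arp = Frame("00-03-0f-aa-bb-cc", 0x0806)                   # matches nothing
    out = [classify(cfg, host), classify(cfg, other), classify(cfg, arp)]
    cfg.prefer = "subnet-vlan"                                  # dynamic-vlan subnet-vlan prefer
    out.append(classify(cfg, host))
    out.append(classify(cfg, host, mac_enabled=False, subnet_enabled=False))
    return out
```

Running `demo()` shows the preference setting deciding the outcome for a host that matches both a MAC rule and a subnet rule, and the protocol-based rule acting only as the fallback once the port-level MAC and subnet functions are disabled.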
Figure 5-5 Typical topology application of dynamic VLAN
Configuration Items / Explanation
MAC-based VLAN: Global configuration on Switch A, Switch B, Switch C
Configuration procedure
Switch A, Switch B, Switch C:
Switch(Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
Switch(Config)#exit
5.5.4 Dynamic VLAN Troubleshooting On the switch configured with dynamic VLAN, if the two connected equipment (e.g.
Voice VLAN is specially configured for the user voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipment to the Voice VLAN, the user will be able to configure QoS (Quality of Service) for voice data and raise the transmission priority of the voice data traffic to ensure call quality. The switch can judge whether the data traffic is voice traffic from specified equipment according to the source MAC address field of the data packet entering the port.
Command Explanation
Global Mode
voice-vlan mac <mac-address> mask <mac-mask> priority <priority-id> [name <voice-name>]
voice-vlan {mac <mac-address> mask <mac-mask>|name <voice-name>|all}
Specify certain voice equipment to join/leave the Voice VLAN
3. Enable the Voice VLAN of the port
Command Explanation
Port Mode
switchport voice-vlan enable
Enable/disable the Voice VLAN function on the port...
disables the Voice VLAN function on the port Parameter: None Command Mode: Port Mode Default: Voice VLAN is enabled by default Usage Guide: When voice equipment is added to the Voice VLAN, the Voice VLAN is enabled globally by default. This command disables Voice VLAN on the specified port to meet a specific application of the user.
Function: Configure the specified VLAN as the Voice VLAN; the “no voice-vlan” command cancels the Voice VLAN configuration of this VLAN Parameter: vlan-id is the number of the specified VLAN Command Mode: Global Mode Default: No Voice VLAN is configured by default Usage Guide: Set the specified VLAN as the Voice VLAN. There can be only one Voice VLAN at the same time.
Configuration procedure
Switch 1:
Switch(Config)#vlan 100
Switch(Config-Vlan100)#exit
Switch(Config)#voice-vlan vlan 100
Switch(Config)#voice-vlan mac 00-03-0f-11-22-33 mask 255 priority 5 name company
Switch(Config)#voice-vlan mac 00-03-0f-11-22-55 mask 255 priority 5 name company
Switch(Config)#interface ethernet 1/10
Switch(Config-If-Ethernet1/10)#switchport mode trunk
Switch(Config-If-Ethernet1/10)#exit
5.6.4 Voice VLAN Troubleshooting
Voice VLAN cannot be applied concurrently with MAC-based VLAN.
The Voice VLAN supports a maximum of 1024 sets of voice equipment; equipment beyond that number will not be supported.
The Voice VLAN on the port is enabled by default.
Chapter 6 MAC Table Configuration 6.1 Introduction to MAC Table The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are manually configured by the user, have the highest priority and are permanently effective (they will not be overwritten by dynamic MAC addresses);...
MAC 00-01-44-44-44-44 Fig 6-1 MAC Table dynamic learning The topology of the figure above: 4 PCs connected to the ES4624-SFP/ES4626-SFP switch, where PC1 and PC2 belong to the same physical segment (same collision domain), and the physical segment connects to port 1/5 of the ES4624-SFP/ES4626-SFP switch;...
MAC address entry in the ES4624-SFP/ES4626-SFP switch. The aging time can be modified in the ES4624-SFP/ES4626-SFP switch. 6.1.2 Forward or Filter The switch will forward or filter received data frames according to the MAC table. Take the above figure as an example, assuming the ES4624-SFP/ES4626-SFP switch has learnt the MAC addresses of PC1 and PC3, and the user has manually configured the mapping relationship for PC2 and PC4 to ports.
Unicast frame: When no VLAN is configured, if the destination MAC addresses are in the switch MAC table, the switch will directly forward the frames to the associated ports; when the destination MAC address in a unicast frame is not found in the MAC table, the switch will broadcast the unicast frame.
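The following added example is a small model of the MAC-table behaviour this chapter describes: dynamic learning from the source address, aging of dynamic entries (300 s by default, 0 disables aging), static entries that dynamic learning cannot overwrite, filter (discard) entries, and flooding of unicast frames whose destination is unknown. It is example code written for this manual, not the switch's own implementation; the rule that a frame is filtered when the destination sits on the ingress port is standard bridge behaviour and an assumption here, and the PC addresses and port numbers reuse those of the chapter's figure and configuration example.

```python
"""MAC-table learning, aging, static and discard entries, forward/filter/flood.
Example code for this manual, not the switch firmware."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FLOOD = "flood"      # unknown unicast: frame is broadcast to all other ports
DROP = "drop"        # filtered: discard entry or destination on the ingress port


@dataclass
class Entry:
    port: Optional[str]   # None models a "discard" (filter) entry
    static: bool
    last_seen: float      # time the address was last seen as a source


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time   # seconds; 0 disables aging
        self.entries: Dict[str, Entry] = {}

    def add_static(self, mac: str, port: Optional[str]) -> None:
        """Static entries have the highest priority and never age out."""
        self.entries[mac] = Entry(port=port, static=True, last_seen=0.0)

    def learn(self, src_mac: str, in_port: str, now: float) -> None:
        cur = self.entries.get(src_mac)
        if cur is not None and cur.static:
            return   # dynamic learning must not overwrite a static entry
        self.entries[src_mac] = Entry(port=in_port, static=False, last_seen=now)

    def age(self, now: float) -> List[str]:
        """Remove dynamic entries idle longer than aging_time; return their MACs."""
        if self.aging_time == 0:
            return []
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired

    def forward(self, src_mac: str, dst_mac: str, in_port: str,
                now: float) -> Tuple[str, Optional[str]]:
        """Learn the source, then decide: ('forward', port), ('flood', None) or ('drop', None)."""
        self.learn(src_mac, in_port, now)
        e = self.entries.get(dst_mac)
        if e is None:
            return (FLOOD, None)
        if e.port is None or e.port == in_port:
            return (DROP, None)
        return ("forward", e.port)


def demo() -> List[Tuple[str, Optional[str]]]:
    """Scenario built from the chapter's example: PC1 filtered, PC2/PC3 static."""
    t = MacTable(aging_time=300.0)
    t.add_static("00-01-11-11-11-11", None)             # PC1 as a filter address
    t.add_static("00-01-22-22-22-22", "Ethernet1/7")    # PC2 mapped to port 7
    t.add_static("00-01-33-33-33-33", "Ethernet1/9")    # PC3 mapped to port 9
    results = []
    # PC4 (dynamic, constructed port) sends to PC2: learnt on 1/11, forwarded to 1/7
    results.append(t.forward("00-01-44-44-44-44", "00-01-22-22-22-22", "Ethernet1/11", now=10.0))
    # Anything addressed to PC1 is dropped by the discard entry
    results.append(t.forward("00-01-33-33-33-33", "00-01-11-11-11-11", "Ethernet1/9", now=11.0))
    # An unknown destination is flooded
    results.append(t.forward("00-01-22-22-22-22", "00-01-55-55-55-55", "Ethernet1/7", now=12.0))
    # After more than 300 s of silence PC4's dynamic entry ages out, so it is flooded again
    t.age(now=400.0)
    results.append(t.forward("00-01-33-33-33-33", "00-01-44-44-44-44", "Ethernet1/9", now=401.0))
    # A static entry seen from another port is not overwritten: PC2 still goes to 1/7
    t.learn("00-01-22-22-22-22", "Ethernet1/3", now=402.0)
    results.append(t.forward("00-01-44-44-44-44", "00-01-22-22-22-22", "Ethernet1/11", now=403.0))
    return results
```

The aging trade-off the aging-time command describes is visible in the fourth step: a short aging time turns more unicast traffic into floods, a long one keeps stale entries pointing at ports a host has left.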
form to restore the aging-time to the default of 300 s. Parameter: <age> is the aging time in seconds, range 10~100000; 0 disables aging. Command Mode: Global Mode Default: The default aging time is 300 seconds. Usage Guide: The user should set the aging time according to the network conditions. A too small aging time will affect the performance of the switch by causing too much broadcast, while a too large aging time will keep unused entries in the address table too long.
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address. Switch(Config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1 2. Set the static mapping relationship for PC2 and PC3 to port 7 and port 9, respectively. Switch(Config)#mac-address-table static 00-01-22-22-22-22 interface ethernet 1/7 vlan 1 Switch(Config)#mac-address-table static 00-01-33-33-33-33 interface ethernet 1/9 vlan 1 6.5 Troubleshooting Using the show mac-address-table command, a port is found to have failed to learn the...
1. Enable MAC address binding function for the ports 2. Lock the MAC addresses for a port
MAC address binding property configuration
Enable MAC address binding function for the ports
Command Explanation
Interface Mode
port-security
Enable MAC address binding function for the port and lock the port. When a port is locked, the MAC address learning function for the port will be disabled: the...
port-security violation {protect|shutdown}
no port-security violation
Set the violation mode for the port; the “no port-security violation” command restores the default setting.
6.6.1.3 Commands for Mac Address Binding configuration 6.6.1.3.1 clear port-security dynamic Command: clear port-security dynamic [address <mac-addr> interface <interface-id>...
6.6.1.3.3 port-security convert Command: port-security convert Function: Converts dynamic secure MAC addresses learned by the port to static secure MAC addresses, and disables the MAC address learning function for the port. Command mode: Interface Mode Usage Guide: The port dynamic MAC convert command can only be executed after the secure port is locked.
secure static MAC addresses must be deleted, so that the secure static MAC address number is no larger than the maximum secure MAC address number, for the setting to be successful. Example: Set the maximum secure MAC address number for port 1 to 4. Switch(Config)#interface Ethernet 1/1 Switch(Config-Ethernet1/1)#port-security maximum 4 6.6.1.3.6 port-security timeout...
6.6.1.3.8 show port-security Command: show port-security Function: Display the secure MAC addresses of the port. Command mode: Admin Mode Parameter: <interface-list> stands for the port to be displayed. Usage Guide: This command displays the secure port MAC address information, if no port is specified, secure MAC addresses of all ports are displayed.
0000.0000.1111 SecureConfigured Ethernet1/3
--------------------------------------------------------------------------------------------------
Total Addresses : 1
Displayed information / Explanation
Vlan: The VLAN ID for the secure MAC address
Mac Address: Secure MAC address
Type: Secure MAC address type
Ports: The port that the secure MAC address belongs to
Total Addresses: Current secure MAC address number in the system.
Total MAC Addresses: Current secure MAC address number for the port. Configured MAC Addresses: Current secure static MAC address number for the port. Lock Timer: Whether the locking timer (timer timeout) is enabled for the port. Mac-Learning function: Whether the MAC address learning function is enabled. 6.6.1.4 MAC Address Binding Troubleshooting Enabling MAC address binding for ports may fail on some occasions.
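The following added example models the port MAC-address-binding (port-security) behaviour described in this section: a port learns up to "port-security maximum" secure addresses, a locked port stops learning, an unknown source on a locked port triggers the configured violation mode (protect drops the frame, shutdown disables the port), "port-security convert" is only accepted on a locked port, and lowering the maximum below the number of static secure addresses fails. It is example code written for this manual, not the switch firmware; the port names and MAC addresses are constructed, and how an unlocked port treats a new source once it is full is an assumption (here it is simply not learnt).

```python
"""Port-security state machine: secure MAC learning, locking, violation modes.
Example code for this manual, not the switch firmware."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # port-security maximum <n>
    violation: str = "protect"        # port-security violation {protect|shutdown}
    locked: bool = False              # set when the port is locked
    shutdown: bool = False
    dynamic: List[str] = field(default_factory=list)   # learnt while unlocked
    static: List[str] = field(default_factory=list)    # configured or converted
    violations: int = 0

    @property
    def secure(self) -> List[str]:
        return self.static + self.dynamic

    def set_maximum(self, n: int) -> bool:
        """Fails (returns False) when more static secure addresses exist than n."""
        if n < 1 or len(self.static) > n:
            return False
        self.maximum = n
        return True

    def receive(self, src_mac: str) -> str:
        """Return the action taken for a frame from src_mac arriving on this port."""
        if self.shutdown:
            return "dropped-port-shutdown"
        if src_mac in self.secure:
            return "forwarded"
        if not self.locked:
            if len(self.secure) < self.maximum:
                self.dynamic.append(src_mac)       # ordinary learning on an unlocked port
                return "learnt"
            return "not-learnt"                    # full, not locked (assumption)
        # Locked port: learning is disabled, so an unknown source is a violation
        self.violations += 1
        if self.violation == "shutdown":
            self.shutdown = True
            return "violation-shutdown"
        return "violation-dropped"                 # protect mode

    def convert(self) -> bool:
        """port-security convert: dynamic secure MACs become static; locked ports only."""
        if not self.locked:
            return False
        self.static.extend(self.dynamic)
        self.dynamic.clear()
        return True

    def clear_dynamic(self) -> int:
        """clear port-security dynamic for this port; returns the number removed."""
        n = len(self.dynamic)
        self.dynamic.clear()
        return n


def demo() -> Dict[str, object]:
    """Constructed traffic against a protect-mode and a shutdown-mode port."""
    p = SecurePort("Ethernet1/1", maximum=2, violation="protect")
    log = [p.receive("00-00-00-00-11-11"), p.receive("00-00-00-00-22-22"),
           p.receive("00-00-00-00-33-33")]          # learnt, learnt, not-learnt
    p.locked = True
    log.append(p.receive("00-00-00-00-33-33"))       # violation-dropped
    log.append(p.receive("00-00-00-00-11-11"))       # forwarded (secure address)
    converted = p.convert()                          # True: both become static
    too_small = p.set_maximum(1)                     # False: 2 static > 1
    q = SecurePort("Ethernet1/2", maximum=1, violation="shutdown", locked=True)
    q.static.append("00-00-00-00-aa-aa")
    q_log = [q.receive("00-00-00-00-bb-bb"), q.receive("00-00-00-00-aa-aa")]
    return {"log": log, "converted": converted, "static": p.static,
            "too_small": too_small, "q_log": q_log, "q_shutdown": q.shutdown}
```

The shutdown case is worth noticing from an operations standpoint: once the port is shut down, even the legitimate secure address is cut off until the port is re-enabled, which is the intended cost of the stricter mode.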
Chapter 7 MSTP Configuration 7.1 MSTP Introduction MSTP (Multiple STP) is a new spanning-tree protocol which is based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a common and internal spanning tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP.
Fig 7-1 Example of CIST and MST Region In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge.
region to become the CST. The MSTI is only valid within its MST region. An MSTI has nothing to do with MSTIs in other MST regions. The bridges in an MST region receive the MST BPDUs of other regions through Boundary Ports. They only process CIST related information and discard MSTI information.
spanning-tree mode {mstp|stp}
no spanning-tree mode
Set MSTP running mode
Interface Mode
spanning-tree mcheck
Force port migration to run under MSTP
2. Configure instance parameters
Command Explanation
Global Mode
spanning-tree mst <instance-id> priority <bridge-priority>
no spanning-tree mst <instance-id> priority
Set bridge priority for specified instance
Interface Mode
spanning-tree mst <instance-id>...
Command Explanation
Global Mode
spanning-tree mst configuration
no spanning-tree mst configuration
Enter MSTP region mode. The “no spanning-tree mst configuration” command restores the default setting.
MSTP region mode
instance <instance-id> vlan <vlan-list>
no instance <instance-id> [vlan <vlan-list>]
Create Instance and set mapping between VLAN and Instance
name <name>...
Command Explanation
Interface Mode
spanning-tree link-type {auto|force-true|force-false}
no spanning-tree link-type
Set the port link type
spanning-tree portfast
no spanning-tree portfast
Set the port to be a boundary port
Configure the format of MSTP
Command Explanation
Interface Mode
Configure the format of the port spanning-tree packet,...
Command Explanation
Global Mode
spanning-tree tcflush enable
spanning-tree tcflush disable
spanning-tree tcflush protect
no spanning-tree tcflush
Enable: the spanning tree flushes once the topology changes. Disable: the spanning tree does not flush when the topology changes. Protect: the spanning tree flushes every ten seconds. “no spanning-tree tcflush”...
Command mode: MSTP Region Mode Usage Guide: This command quits MSTP region mode, saving the current configuration. Example: Quit MSTP region mode, saving the current configuration. Switch(Config-Mstp-Region)#exit 7.3.3 instance vlan Command: instance <instance-id> vlan <vlan-list> no instance <instance-id> [vlan <vlan-list>] Function: In MSTP region mode, create the instance and set the mappings between VLANs and instances;...
Command mode: MSTP Region Mode Default: Default MSTP region name is the MAC address of this bridge. Usage Guide: This command is to set MSTP region name. The bridges with same MSTP region name and same other attributes are considered in the same MSTP region. Example: Set MSTP region name to mstp-test.
7.3.7 spanning-tree format Command: spanning-tree format standard | privacy | auto no spanning-tree format Function: Configure the format of the port packet so as to interoperate with products of other companies. Parameter: standard: the packet format provided by IEEE. privacy: privacy packet format, which is compatible with Cisco equipment. auto: auto-identified packet format, which is determined by checking the format of the received packets.
forward-time” restores the default setting. Parameter: <time> is forward delay time in seconds. The valid range is from 4 to 30. Command mode: Global Mode Default: The forward delay time is 15 seconds by default. Usage Guide: When the network topology changes, the status of the port is changed from blocking to forwarding.
Default: The link type is auto by default; MSTP detects the link type automatically. Usage Guide: When the port is full-duplex, MSTP sets the port link type as point-to-point; when the port is half-duplex, MSTP sets the port link type as shared. Example: Force ports 1/7-8 to point-to-point type.
Switch(Config)#spanning-tree max-hop 32 7.3.13 spanning-tree mcheck Command: spanning-tree mcheck Function: Force the port to run in the MSTP mode. Command mode: Interface Mode Default: The port is in the MSTP mode by default. Usage Guide: If a network which is attached to the current port is running IEEE 802.1D STP, the port converts itself to run in STP mode.
Command mode: Global Mode Default: The default values of the attributes of the MSTP region are listed below:
Attribute of MSTP / Default Value
Instance: There is only the instance 0. All the VLANs (1~4094) are mapped to the instance 0.
Name: MAC address of the bridge
Revision...
Usage Guide: By setting the port cost, users can control the cost from the current port to the root bridge in order to control the elections of root port and the designated port of the instance. Example: On the port 1/2, set the MSTP port cost in the instance 2 to 3000000. Switch(Config-Ethernet1/2)#spanning-tree mst 2 cost 3000000 7.3.17 spanning-tree mst port-priority Command: spanning-tree mst <instance-id>...
Switch(Config)#spanning-tree mst 2 priority 4096 7.3.19 spanning-tree portfast Command: spanning-tree portfast no spanning-tree portfast Function: Set the current port as boundary port; The command “no spanning-tree portfast” sets the current port as non-boundary port. Command mode: Interface Mode Default: All the ports are non-boundary ports by default when enabling MSTP. Usage Guide: When a port is set to be a boundary port, the port converts its status from discarding to forwarding without bearing forward delay.
Usage Guide: According to MSTP, when the topology changes, the port that sends the change message clears the MAC/ARP table (FLUSH). In some network environments a FLUSH on every topology change is not needed. At the same time, as a way of limiting the effect of network attacks that provoke topology changes, the network administrator is allowed to configure the FLUSH mode with this command. Note: For a complicated network, especially one that needs to switch from one spanning tree...
[Link path-cost table for Port 1 to Port 7 of the example topology: every listed port-to-port link has a path cost of 200000.] By default, the MSTP establishes a tree topology (in blue lines) rooted with SwitchA.
SwitchD(Config-Vlan40)#exit
SwitchD(Config)#vlan 50
SwitchD(Config-Vlan50)#exit
SwitchD(Config)#spanning-tree mst configuration
SwitchD(Config-Mstp-Region)#description mstp
SwitchD(Config-Mstp-Region)#instance 3 vlan 20;30
SwitchD(Config-Mstp-Region)#instance 4 vlan 40;50
SwitchD(Config-Mstp-Region)#exit
SwitchD(Config)#interface e1/1-7
SwitchD(Config-Port-Range)#switchport mode trunk
SwitchD(Config-Port-Range)#exit
SwitchD(Config)#spanning-tree
SwitchD(Config)#spanning-tree mst 4 priority 0
After the above configuration, SwitchA is the root bridge of the instance 0 of the entire network.
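The following added example reproduces the two calculations behind this configuration: the mapping of VLANs to instances from "instance <id> vlan <list>" lines (any VLAN not mapped stays in instance 0, as the region defaults above state), and the per-instance root election, where the bridge with the lowest (priority, MAC) bridge ID wins and "spanning-tree mst 4 priority 0" on SwitchD therefore makes it root of instance 4 only. It is example code written for this manual, not the switch's implementation; the four switch MAC addresses are constructed, and the priority check (a multiple of 4096 between 0 and 61440) is the usual 802.1s rule, assumed here.

```python
"""VLAN-to-instance mapping and per-instance MSTP root election.
Example code for this manual, not the switch firmware."""
from typing import Dict, Set, Tuple


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse the CLI vlan-list form, e.g. '20;30' or '1-29;31-39;41-4094'."""
    vlans: Set[int] = set()
    for part in spec.replace(",", ";").split(";"):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("vlan-id must be 1~4094: %s" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


class Region:
    """One MST region: name, revision and the instance <-> VLAN mapping."""
    def __init__(self, name: str, revision: int = 0):
        self.name = name
        self.revision = revision
        self.instances: Dict[int, Set[int]] = {}

    def instance(self, instance_id: int, vlan_list: str) -> None:
        """instance <instance-id> vlan <vlan-list>"""
        self.instances[instance_id] = self.instances.get(instance_id, set()) | parse_vlan_list(vlan_list)

    def instance_of(self, vlan: int) -> int:
        for inst, vlans in self.instances.items():
            if vlan in vlans:
                return inst
        return 0   # every VLAN not explicitly mapped belongs to instance 0


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Bridge ID ordering: priority first, MAC address as tie-breaker; lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0~61440")
    return (priority, int(mac.replace(":", "").replace("-", "").replace(".", ""), 16))


def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    """bridges maps switch name -> (priority for this instance, MAC); returns the root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def demo() -> Dict[str, object]:
    region = Region("mstp")
    region.instance(3, "20;30")
    region.instance(4, "40;50")
    # Constructed MACs; SwitchA has the lowest, so with equal priorities it is root
    macs = {"SwitchA": "00:03:0f:01:00:0a", "SwitchB": "00:03:0f:01:00:0b",
            "SwitchC": "00:03:0f:01:00:0c", "SwitchD": "00:03:0f:01:00:0d"}
    default = {name: (32768, mac) for name, mac in macs.items()}
    inst4 = dict(default)
    inst4["SwitchD"] = (0, macs["SwitchD"])        # spanning-tree mst 4 priority 0 on SwitchD
    return {"vlan30_instance": region.instance_of(30),   # 3
            "vlan1_instance": region.instance_of(1),     # 0
            "root_inst0": elect_root(default),           # SwitchA
            "root_inst4": elect_root(inst4)}             # SwitchD
```

Because the election is per instance, a per-instance priority lets each instance carry traffic over a different root without touching the CIST, which is exactly what the SwitchD configuration above achieves for VLANs 40 and 50.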
Fig 7-3 The Topology of the Instance 0 after the MSTP Calculation (SwitchA, SwitchB, SwitchC, SwitchD)
Fig 7-4 The Topology of the Instance 3 after the MSTP Calculation (SwitchB, SwitchC, SwitchD)
Fig 7-5 The Topology of the Instance 4 after the MSTP Calculation (SwitchB, SwitchC, SwitchD)...
7.5 MSTP Troubleshooting In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port. The MSTP parameters work together, so the parameters should meet the following conditions.
Self Bridge Id : 32768 - 00:03:0f:01:0e:30
Root Id : 16384.00:03:0f:01:0f:52
Ext.RootPathCost : 200000
Region Root Id : this switch
Int.RootPathCost : 0
Root Port ID : 128.1
Current port list in Instance 0:
Ethernet1/1 Ethernet1/2 (Total 2)
PortName ExtRPC...
Ethernet1/2 128.002 0 BLK ALTR 32768.00030f010e30 128.002
Displayed Information / Description
Bridge Information
Standard: STP version
Bridge MAC: Bridge MAC address
Bridge Times: Max Age, Hello Time and Forward Delay of the bridge
Force Version: Version of STP
Instance Information
Self Bridge Id: The priority and the MAC address of the current bridge for the current instance
Root Id...
configuration such as MSTP name, revision, VLAN and instance mapping. Example: Display the configuration of the MSTP on the switch.
Switch#show spanning-tree mst config
Name switch
Revision
Instance Vlans Mapped
----------------------------------
1-29, 31-39, 41-4094
----------------------------------
7.5.1.3 show mst-pending Command: show mst-pending Function: In the MSTP region mode, display the configuration of the current MSTP region.
Command: debug spanning-tree no debug spanning-tree Function: Enable the MSTP debugging information; The command “no debug spanning-tree” disables the MSTP debugging information Command mode: Admin Mode Usage Guide: This command is the general switch for all the MSTP debugging. Users should enable the detailed debugging information, then they can use this command to display the relevant debugging information.
Configure MSTP field name under MSTP field configuration mode. Set the MSTP field name to "mstp-test". Equivalent command 1.2.1.4. 7.6.1.3 Revision level control Click “MSTP control” to enter MSTP field operation, then "revision-level Config". Configure the revision level value for calculating MST configuration ID under MST configuration mode.
Set on port 1/1 route cost of the MSTP port corresponding to Instance 2 to 3000000. 7.6.2.4 MSTP mode Click “MSTP control” to enter MSTP port operation, then "MSTP Mode". Force switch port migrate to run under MSTP. Force port 1/1 migrate to run under MSTP. 7.6.2.5 Link type configuration Click “MSTP control”...
7.6.3.2 Forward delay time configuration Click “MSTP control” to enter MSTP Global control, then "Forward-time Config". Set the value for the switch forward delay time. Set MSTP forward delay time to 20 seconds in Global Mode. 7.6.3.3 Hello_time configuration Click “MSTP control” to enter MSTP Global control, then "Hello_time Config". Set the Hello time for the switch.
7.6.3.6 Set bridge priority of the specified instance for the switch Click “MSTP control”, “MSTP Global control”, then enter "Priority Config" to set the bridge priority of the switch for the specified instance. Set bridge priority of the specified instance for the switch. Configure switch instance 2 priority to 4096.
Chapter 8 QoS And PBR Configuration 8.1 QoS Configuration 8.1.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
DSCP: Differentiated Services Code Point, classification information carried in Layer 3 IP packet header, occupying 6 bits, in the range of 0 to 63, and is downward compatible with IP Precedence. Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
If devices of each hop in a network support differentiated service, an end-to-end QoS solution can be created. QoS configuration is flexible, the complexity or simplicity depends on the network topology and devices and analysis to incoming/outgoing traffic. 8.1.1.3 Basic QoS Model The basic QoS consists of five parts: Classification, Policing, Remark, Queuing and Scheduling, where classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions.
Fig 8-4 Classification process Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked. Policing can be performed based on DSCP value to configure different policies that allocate bandwidth to classified traffic. If the traffic exceeds the bandwidth set in the policy (out of profile), the out of profile traffic can be allowed, discarded or remarked.
Fig 8-5 Policing and Remarking process Queuing and scheduling: Packets at the egress will re-map the internal DSCP value to CoS value, the queuing operation assigns packets to appropriate queues of priority according to the CoS value; while the scheduling operation performs packet forwarding according to the prioritized queue weight.
Fig 8-6 Queuing and Scheduling process 8.1.2 QoS Configuration Task List 1. Enable QoS QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global Mode to configure the other QoS commands. 2. Configure class map. Set up a classification rule according to ACL, VLAN ID, IP Precedence or DSCP to classify the data stream.
After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading, assigning a new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
Command Explanation
Global Mode
policy-map <policy-map-name>
no policy-map <policy-map-name>
Create a policy map and enter policy map mode; the “no policy-map <policy-map-name>” command deletes the specified policy map.
class <class-map-name>
no class <class-map-name>...
After a policy map is created, it can be associated to a class. Different policy
<aggregate-policer-name>” command deletes the specified policy set.
4. Apply QoS to ports
Command Explanation
Interface Mode
mls qos trust [cos [pass-through-dscp]|dscp [pass-through-cos]|ip-precedence [pass-through-cos]|port priority <cos>]
no mls qos trust
Configure port trust; the “no mls qos trust” command disables the current trust status of the port.
mls qos cos {<default-cos>...
Configure the default CoS
method; the “queue mode wrr” command restores the default WRR queue out method.
Global Mode
wrr-queue cos-map <queue-id> <cos1 ... cos8>
no wrr-queue cos-map
Set CoS value mapping to specified egress queue; the “no wrr-queue cos-map” command restores the default setting.
Switch(Config-PolicyMap)#class c1 Switch(Config-Policy-Class)#exit 8.1.3.2 class-map Command: class-map <class-map-name> no class-map <class-map-name> Function: Creates a class map and enters class map mode; the “no class-map <class-map-name>“ command deletes the specified class map. Parameters: <class-map-name> is the class map name. Default: No class map is configured by default. Command mode: Global Mode Usage Guide: Example: Creating and then deleting a class map named “c1”.
Command Mode: Class-map Mode Usage Guide: Only one match standard can be configured in a class map. When configuring match the ACL, only the permit rule is available in the ACL except for PBR. Example: Create a class-map named c1, and configure the class rule of this class-map to match packets with IP Precedence of 0.1.
Example: Enabling and then disabling the QoS function. Switch(Config)#mls qos Switch(Config)#no mls qos 8.1.3.6 mls qos cos Command: mls qos cos {<default-cos> } no mls qos cos Function: Configures the default CoS value of the port; the “no mls qos cos” command restores the default setting.
<aggregate-policer-name>“ command. Example: Setting a policy set named “agg1”, the policy set defines the bandwidth for packets of up to 20 Mbps, with a burst value of 2 MB. All packets exceeding this bandwidth setting will be dropped. Switch(Config)#mls qos aggregate-policer agg1 20000 2000 exceed-action drop 8.1.3.8 mls qos trust Command: mls qos trust [cos [pass-through-dscp]|dscp [pass-through-cos]| ip-precedence [pass-through-cos] |port priority <cos>]...
Command mode: Interface Mode Usage Guide: For configuration of DSCP mutation mapping on the port to take effect, the trust status of that port must be “trust DSCP”. Applying DSCP mutation mapping allows DSCP values specified directly to be converted into new DSCP values without class and policy process.
<mark-down-dscp> defines the DSCP mark down mapping, where <dscp-list> is a list of up to 8 DSCP values and <mark-down-dscp> is the DSCP value after mark down. Default: Default mapping values are:
Default CoS-to-DSCP Map
CoS Value: 0 1 2 3 4 5 6 7
DSCP Value: 0 8 16 24 32 40 48 56
Default DSCP-to-CoS Map
DSCP Value: 0–7 8–15 16–23 24–31 32–39 40–47 48–55 56–63
CoS Value...
Command mode: Policy class map configuration Mode Usage Guide: The ranges of <rate-kbps> and <burst-kbyte> are quite large; if the setting exceeds the actual speed of the port, the policy map applying this policy will not bind to switch ports. Example: Set the bandwidth for packets matching the c1 class rule to 20 Mbps, with a burst value of 2 MB; all packets exceeding this bandwidth setting will be dropped.
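The following added example models the policing step of the QoS model above as a single-rate token bucket: a "police <rate-kbps> <burst-kbyte> exceed-action drop" policy lets traffic through while tokens are available (refilled at the rate, capped at the burst) and treats the remainder as out of profile. It is example code written for this manual, not the switch's implementation; the token-bucket model itself is an assumption about how the hardware meters traffic, and the packet burst fed to it is constructed.

```python
"""Single-rate token-bucket policer for "police <rate-kbps> <burst-kbyte> exceed-action drop".
Example code for this manual, not the switch firmware."""
from typing import Dict, List, Tuple


class Policer:
    def __init__(self, rate_kbps: int, burst_kbyte: int, exceed_action: str = "drop"):
        if rate_kbps <= 0 or burst_kbyte <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_bytes_per_s = rate_kbps * 1000 / 8     # kbit/s -> bytes/s
        self.capacity = burst_kbyte * 1000               # burst size in bytes (bucket depth)
        self.exceed_action = exceed_action
        self.tokens = float(self.capacity)               # bucket starts full
        self.last = 0.0

    def offer(self, size_bytes: int, now: float) -> str:
        """Meter one packet arriving at time `now` (seconds).
        Returns 'in-profile' or the configured exceed action."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "in-profile"
        return self.exceed_action                        # out of profile


def run(policer: Policer, packets: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Feed (arrival_time, size_bytes) pairs; return (passed, dropped) counts."""
    passed = dropped = 0
    for t, size in packets:
        if policer.offer(size, t) == "in-profile":
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def demo() -> Dict[str, object]:
    """The 20 Mbps / 2 MB policy of the example above against a constructed burst."""
    p = Policer(rate_kbps=20000, burst_kbyte=2000, exceed_action="drop")
    # 3000 frames of 1500 bytes (4.5 MB) arriving at once: only what fits the
    # 2 MB burst passes (1333 frames), the rest is out of profile and dropped.
    burst = [(0.0, 1500)] * 3000
    passed, dropped = run(p, burst)
    # One second later the bucket has refilled (2.5 MB/s of credit, capped at 2 MB).
    later = p.offer(1500, now=1.0)
    return {"passed": passed, "dropped": dropped, "later": later}
```

The burst parameter is what decides how much of a sudden surge is admitted before the rate limit bites; a policy with the same rate but a smaller burst would drop far more of the same 3000-frame surge.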
Example: Creating and deleting a policy map named “p1”. Switch(Config)#policy-map p1 Switch(Config-PolicyMap)#exit Switch(Config)#no policy-map p1 8.1.3.14 queue mode Command: queue mode {strict|wrr} Function: Configure the queue out mode. Parameter: strict configures the queue out method to the strict priority-queue method; wrr restores the default WRR queue out method. Default: wrr out queue mode Command mode: Interface Mode Usage Guide: When priority-queue queue out mode is used, packets are no longer sent...
Command: queue bandwidth <weight1 weight2 weight3 weight4 weight5 weight6 weight7 weight8> no queue bandwidth Function: Sets the WRR weight for specified egress queues; the “no queue bandwidth” command restores the default setting. Parameters: <weight1 weight2 weight3 weight4 weight5 weight6 weight7 weight8> are WRR weights, ranging from 0 to 15. Default: The default values of weight1 to weight8 are 1 through 8.
set the default QoS (CoS) value of the port to 5. The configuration steps are listed below:
Switch#config
Switch(Config)#mls qos
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#queue bandwidth 1 1 2 2 4 4 8 8
Switch(Config-Ethernet1/1)#mls qos trust cos pass-through dscp
Switch(Config-Ethernet1/1)#mls qos cos 5
Configuration result: With QoS enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 1/1 is 1:1:2:2:4:4:8:8.
Configuration result: An ACL named 1 is set to match the segment 192.168.1.0. Enable QoS globally, create a class map named c1 that matches ACL 1, create a policy map named p1 that refers to c1, and set appropriate policies in p1 to limit the bandwidth and burst value.
Switch(Config)#mls qos
Switch(Config)#class-map c1
Switch(Config-ClassMap)#match access-group 1
Switch(Config-ClassMap)#exit
Switch(Config)#policy-map p1
Switch(Config-PolicyMap)#class c1
Switch(Config--Policy-Class)#set ip precedence 5
Switch(Config--Policy-Class)#exit
Switch(Config-PolicyMap)#exit
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#service-policy input p1
QoS configuration in SwitchB:
Switch#config
Switch(Config)#mls qos
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#mls qos trust ip-precedence pass-through-cos
8.1.5 QoS Troubleshooting
QoS is disabled on switch ports by default; 8 sending queues are set by default, queue 1 forwards normal packets and the other queues are used for some important control...
Function: Displays a QoS class map.
Parameters: <class-map-name> is the class map name.
Default: N/A.
Command mode: Admin Mode
Usage Guide: Displays all configured class maps, or the specified class map.
Example:
Switch#show class-map
Class map name:c1
Match acl name:1
Displayed information | Explanation
Class map name:c1...
Command mode: Admin Mode
Example:
Switch#show mls qos aggregate-policer policer1
aggregate-policer policer1 80000 80 exceed-action drop
Not used by any policy map
Displayed information | Explanation
aggregate-policer policer1 80000 80 exceed-action drop | Configuration of this policer: rate, burst and exceed action.
Not used by any policy map | The policy maps currently referring to this policer (here, none).
8.1.5.1.4 show mls qos interface...
packet number of 8 queue: 0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200
Displayed information | Explanation
packet number of 8 queue: 0x200 0x200 0x200 0x200 0x200 0x200 0x200 0x200 | Available packet count for each of the 8 egress queues of the port; this is a fixed setting that...
Classified | Total data packets matching this class map.
In-profile | Total in-profile data packets matching this class map.
Out-profile | Total out-of-profile data packets matching this class map.
8.1.5.1.5 show mls qos maps
Command: show mls qos maps [cos-dscp | dscp-cos | dscp-mutation <dscp-mutation-name>...
to a previously created class map and then enter policy class-map mode. In this way different data streams can be assigned different next-hop IP addresses, and the policy is then applied to the port.
Apply policy map: A policy is not effective until it is bound to a specified port.
8.2.3 PBR examples
On port ethernet 1/1, apply policy-based routing to packets from the 192.168.1.0/24 segment and set the next hop to 218.31.1.119; meanwhile the local network IP of this...
will be transmitted through 192.168.1.0/24, except those from the 192.168.0.0/16 segment, which are still transmitted through normal L3 routing.
Chapter 9 Flow-based Redirection
9.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to forward data frames that meet a specified condition (defined by an ACL) to another specified port. The frames meeting the same condition are called a class of flow; the ingress port of the data frames is called the source port of the redirection, and the specified egress port is called the destination port of the redirection.
show flow-based-redirect {interface ethernet <interface-list>} | Display the current flow-based redirection information of the system or of the listed ports
9.3 Commands for Flow-based Redirection
9.3.1 access-group <aclname> redirect to interface ethernet
Command: access-group <aclname> redirect to interface ethernet <ifname>
no access-group <aclname> redirect
Function:...
Examples:
Switch#show flow-based-redirect
Switch#show flow-based-redirect interface ethernet 1/1-5
9.4 Flow-based Redirection Examples
Scenario: The user's configuration requirement is as follows: redirect the frames whose source IP is 192.168.1.111 received on port 1 to port 6, that is, send the frames whose source IP is 192.168.1.111 received on port 1 out through port 6.
Configuration steps:
1: Set an ACL; the condition to be matched is: source IP is 192.168.1.111;...
The ES4624-SFP/ES4626-SFP switch forwards IP packets in hardware; the forwarding chip of the switch has a host route table and a default route table. The host route table stores host routes for hosts connected directly to the switch; the default route table stores network routes (after processing by the aggregation algorithm).
Global Mode
interface vlan <vlan-id>
no interface vlan <vlan-id> | Creates a VLAN interface (a VLAN interface is a Layer 3 interface); the "no interface vlan <vlan-id>" command deletes the VLAN interface (Layer 3 interface) created in the switch.
10.1.3 Commands for Layer 3 Interface
10.1.3.1 interface vlan
Command: interface vlan <vlan-id>...
Internet protocol designed by the IETF to replace the current Internet Protocol version 4 (IPv4). IPv6 was developed to make up for the shortcomings of IPv4 so that the Internet can continue to grow. The most important problem IPv6 solves is the shortage of IP addresses: IPv4 addresses have nearly run out, whereas the number of Internet users has been growing geometrically.
while also obtaining a globally unique IPv6 address automatically, which makes devices using IPv6 plug-and-play. Automatic address configuration also makes readdressing an existing network easier, and makes it more convenient for network operators to manage the transition from one provider to another.
Configure the IPv4 address of a Layer 3 interface
Command | Explanation
VLAN Interface Configuration Mode
ip address <ip-address> <mask> [secondary]
no ip address [<ip-address> <mask>] | Configure the IP address of the VLAN interface; the "no ip address [<ip-address> <mask>]" command cancels the IP address of the VLAN interface.
10.2.2.2 Commands for IPv4 address
10.2.2.2.1 ip address
Command: ip address <ip-address>...
Configure the DAD neighbor solicitation count (1)
Configure the neighbor solicitation send interval (2)
Enable or suppress router advertisements (3)
Configure the router advertisement lifetime (4)
Configure the router advertisement minimum interval (5)
Configure the router advertisement maximum interval (6)
Configure prefix advertisement parameters (7)...
ipv6 address <ipv6-address/prefix-length> [eui-64]
no ipv6 address <ipv6-address/prefix-length> | Configure an IPv6 address, including aggregatable global unicast, site-local and link-local addresses. The "no ipv6 address <ipv6-address/prefix-length>" command cancels the IPv6 address.
(3) Set IPv6 Static Routing
Command | Description
Global mode
[no] ipv6 route <ipv6-prefix/prefix-length> ... | Configure IPv6 static routing.
[no] ipv6 nd suppress-ra | Suppress IPv6 router advertisements. The no form of the command re-enables IPv6 router advertisements.
(4) Configure Router Advertisement Lifetime
Command | Explanation
Interface Configuration Mode
[no] ipv6 ra-lifetime <seconds> | Configure the router advertisement lifetime. The no form restores the default value (1800 seconds).
(5) Configure Router Advertisement Minimum Interval
Command | Description...
ipv6 neighbor <ipv6-address> <hardware-address> interface <interface-type interface-number> | Set a static neighbor table entry, including the neighbor IPv6 address, MAC address and Layer 2 port
no ipv6 neighbor <ipv6-address> | Delete the neighbor table entry
(9) Clear Neighbor Table Entries
Command | Explanation
Admin Mode
clear ipv6 neighbors | Clear all static neighbor table entries
3.
(5) Configure Tunnel 6to4 Relay
Command | Explanation
Tunnel Configuration Mode
[no] tunnel 6to4-relay <ipv4-daddress> | Configure the IPv4 address of the 6to4 tunnel relay. The no form deletes the IPv4 address of the 6to4 tunnel relay.
(6) Configure Tunnel Mode
Command | Explanation
Tunnel Configuration Mode
[no] tunnel mode ipv6ip | 6to4 | ... | Configure the tunnel mode. The no form clears the tunnel mode.
10.2.2.3.1.2 ipv6 address
Command: ipv6 address <ipv6-address/prefix-length> [eui-64]
no ipv6 address <ipv6-address/prefix-length> [eui-64]
Function: Configure an aggregatable global unicast address, site-local address or link-local address for the interface.
Parameter: <ipv6-address> is the IPv6 address (prefix); <prefix-length> is the length of the IPv6 prefix, between 3 and 128; eui-64 means the IPv6 address is generated automatically from the EUI-64 interface identifier of the interface.
Command Mode: Interface Configuration Mode...
directly for a tunnel router.
Example: Configure static route 1 with destination address 3ffe:589:dfc::88, prefix length 64 and next hop 2001:8fd:c32::99 (the router has been configured with the IPv6 address 2001:8fd:c32::34/64):
Switch(Config)#ipv6 route 3ffe:589:dfc::88/64 2001:8fd:c32::99
Configure static route 2 with destination 3ffe:ff7:123::55, prefix length 64, next hop fe80::203:ff:89fd:46ac and exit interface Vlan1 (a link-local next hop is only meaningful together with its exit interface):
Switch(Config)#ipv6 route 3ffe:ff7:123::55/64 fe80::203:ff:89fd:46ac Vlan1
10.2.2.3.1.4 ipv6 nd dad attempts...
Usage Guide: The minimum interval between router advertisements should not exceed 1/4 of the maximum interval.
Example: Set the minimum interval for sending router advertisements to 10 seconds.
Switch(Config-if-Vlan1)#ipv6 nd min-ra-interval 10
10.2.2.3.1.9 ipv6 nd max-ra-interval
Command: ipv6 nd max-ra-interval <seconds>...
Default: The default value of valid-lifetime is 2592000 seconds (30 days); the default value of preferred-lifetime is 604800 seconds (7 days). off-link is off by default, and no-autoconfig is off by default.
Usage Guide: This command controls the router advertisement parameters of each IPv6 prefix individually.
10.2.2.3.1.12 ipv6 neighbor
Command: ipv6 neighbor <ipv6-address> <hardware-address> interface <interface-type interface-number>
no ipv6 neighbor <ipv6-address>
Function: Set a static neighbor table entry.
Parameters: ipv6-address is the static neighbor's IPv6 address; hardware-address is the static neighbor's hardware (MAC) address; interface-type is the Ethernet type and interface-number is the Layer 2 interface name.
ipv6-address is a link-local address, the port number must be specified.
Example:
Switch#ping6
Target IPv6 address:fe80:0000:0000:0000:0203:0fff:fe01:2786
Repeat count [5]: 1
Datagram size in byte [56]: 80
Timeout in milli-seconds [2000]: 2500
Extended commands [n]: n
Type ^c to abort.
Sending 1 80-byte ICMP Echoes to fe80:0000:0000:0000:0203:0fff:fe01:2786, timeout is 2 seconds.
Parameter: <ipv4-daddress> is the IPv4 address of the tunnel destination
Command Mode: Tunnel Configuration Mode
Default Situation: None
Usage Guide: None
Example: Configure tunnel destination 203.78.120.5
Switch {Config-if-Tunnel1}#tunnel destination 203.78.120.5
10.2.2.3.1.17 tunnel nexthop
Command: [no] tunnel nexthop <ipv4-daddress>
Function: Configure the tunnel next hop.
Parameter: <ipv4-daddress> is the IPv4 address of the tunnel next hop.
Command Mode: Tunnel Configuration Mode
Default Situation: None
Usage Guide: This command is for ISATAP tunnels; other tunnel types won't check the...
tunnel. ipv6ip 6to4 indicates a 6to4 tunnel; ipv6ip isatap indicates an ISATAP tunnel.
Example: Configure the tunnel mode
1. Switch {Config-if-Tunnel1}#tunnel mode ipv6ip
2. Switch {Config-if-Tunnel1}#tunnel mode ipv6ip 6to4
3. Switch {Config-if-Tunnel1}#tunnel mode ipv6ip isatap
10.2.2.3.1.20 clear ipv6 neighbor
Command: clear ipv6 neighbors
Function: Clear the IPv6 neighbor cache.
Parameter: None
Command Mode: Admin Mode
Default: None...
configure the IPv4 address 192.168.3.1 255.255.255.0 in vlan2.
5. The IPv4 address of PC-A is 192.168.1.100, and the IPv4 address of PC-B is 192.168.3.100.
6. Configure a static route to 192.168.3.0/24 on SwitchA, and a static route to 192.168.1.0/24 on SwitchB.
7. Ping between the PCs.
Note: First make sure PC-A and SwitchA can reach each other by ping, and that PC-B and SwitchB can reach each other by ping.
Configuration Description:
1. Configure two VLANs on SwitchA, namely vlan1 and vlan2.
2. Configure the IPv6 address 2001::1/64 in vlan1 of SwitchA, and the IPv6 address 2002::1/64 in vlan2.
3. Configure two VLANs on SwitchB, namely vlan2 and vlan3.
4. Configure the IPv6 address 2002::2/64 in vlan2 of SwitchB, and the IPv6 address 2003::1/64 in vlan3.
ipv6 address 2002::1/64
interface Loopback
mtu 3924
ipv6 route 2003::/64 2002::2
no login
SwitchB#show run
interface Vlan2
ipv6 address 2002::2/64
interface Vlan3
ipv6 address 2003::1/64
interface Loopback
mtu 3924
ipv6 route 2001::/64 2002::1
no login
Example 2:...
(Figure: SwitchC, SwitchA, SwitchB, PC-A, PC-B)
This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes and support dual stack; SwitchC only runs IPv4; PC-A and PC-B communicate.
Configuration Description:
1. Configure two VLANs on SwitchA, namely vlan1 and vlan2. Vlan1 is the IPv6 domain; vlan2 connects to the IPv4 domain.
IP statistics:
Rcvd: 128 total, 128 local destination
0 header errors, 0 address errors
0 unknown protocol, 0 discards
Frags: 0 reassembled, 0 timeouts
0 fragment rcvd, 0 fragment dropped
0 fragmented, 0 couldn't fragment, 0 fragment sent
Sent: 0 generated, 0 forwarded
0 dropped, 0 no route
ICMP statistics:
Rcvd: 0 total 0 errors 0 time exceeded...
Frags: 0 reassembled, 0 timeouts
0 fragment rcvd, 0 fragment dropped
0 fragmented, 0 couldn't fragment, 0 fragment sent | Fragmentation statistics: number of packets reassembled, reassembly timeouts, fragments received, fragments discarded, packets that could not be fragmented, number of fragments sent, etc.
Sent:...
Switch#debug ip pa
ip packet debug is on
Switch#
Switch#
Switch#%Apr 19 15:56:33 2005 IP PACKET: rcvd, src 192.168.2.100, dst 192.168.2.1, size 60, Ethernet0
10.2.4.1.3 debug ipv6 packet
Command: [no] debug ipv6 packet
Function: IPv6 data packet receive/send debug messages.
Parameter: None
Default: None
Command Mode: Admin Mode...
IPv6 ICMP: sent | IPv6 ICMP packet sent
type <129> | ICMPv6 message type (129 is Echo Reply)
Src <2003::1> | Source IPv6 address
Dst <2003::20a:ebff:fe26:8a49> | Destination IPv6 address
from Vlan1 | Layer 3 port the packet is sent from
10.2.4.1.5 debug ipv6 nd
Command: [no] debug ipv6 nd
Function: ND packet receive/send debug messages.
Parameter: None
Default:...
10.2.4.1.7 show ipv6 interface
Command: show ipv6 interface {brief|{interface-name}}
Function: Show the IPv6 parameters of an interface.
Parameter: brief gives a brief summary of IPv6 status and configuration; interface-name is the Layer 3 interface name.
Default: None
Command Mode: Admin Mode
Usage Guide: If only brief is specified, information for all Layer 3 interfaces is displayed; you can also specify a particular Layer 3 interface.
ND RA MTU is 0
ND advertised reachable time is 0 millisecond(s)
ND advertised retransmit time is 0 millisecond(s)
Displayed information | Explanation
Vlan1 | Layer 3 interface name
[up/up] | Layer 3 interface status
dev index | Internal index number
fe80::203:fff:fe00:10 | Automatically configured (link-local) IPv6 address of the Layer 3 interface
3001::1 | Configured IPv6 address of the Layer 3 interface...
2004:1:2:3::/64 via fe80:1::88, Vlan2 1024
2006:1::/64 via ::, Vlan1 1024
2008:1:2:3::/64 via fe80::250:baff:fef2:a4f4, Vlan1 1024
2008:2005:5:8::/64 via ::, Ethernet0
2009:1::/64 via fe80::250:baff:fef2:a4f4, Vlan1 1024
2022:1::/64 via ::, Ethernet0
3333:1:2:3::/64 via fe80::20c:ceff:fe13:eac1, Vlan12 1024
3ffe:501:ffff:1::/64 via ::, Vlan4
3ffe:501:ffff:100::/64 via ::, Vlan5 1024
3ffe:3240:800d:1::/64...
10.3.1 Introduction to IP Forwarding
Gateway devices can forward IP packets from one subnet to another; such forwarding uses routes to find a path. IP forwarding on the ES4624-SFP/ES4626-SFP switch is done with hardware assistance and can achieve wire-speed forwarding. In addition, flexible management is provided to adjust and monitor forwarding.
Command | Explanation
ip fib optimize
no ip fib optimize | Enables the switch to use the optimized IP route aggregation algorithm; the "no ip fib optimize" command disables the optimized IP route aggregation algorithm.
10.3.3 Commands for IP Route Aggregation
10.3.3.1 ip fib optimize
Command: ip fib optimize
no ip fib optimize
Function: Enables the switch to use the optimized IP route aggregation algorithm;...
10.4.2 URPF Operation Mechanism
At present the URPF mechanism depends on the ACL function provided by the switch chip. When URPF is enabled on a Layer 3 interface, a deny-all rule is first applied to all Layer 2 ports under that Layer 3 interface, so that by default all packets are denied at the switch.
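The mechanism above (deny everything on the interface's ports, then permit only sources whose route points back out of that interface) is strict unicast reverse-path forwarding. The following is an added illustration, not code from the ES4624-SFP/ES4626-SFP manual: a small longest-prefix-match FIB, the per-interface permit/deny rule list the switch would need to derive from it, and the forwarding verdict for a few constructed packets. The route table, interface names and rule syntax are this example's own assumptions.

```python
"""Strict uRPF on top of a longest-prefix-match FIB. Added example, not from the
switch manual; the topology and rule text are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[str, str]  # (prefix, outgoing Layer 3 interface)


class Fib:
    def __init__(self, routes: List[Route]) -> None:
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr: str) -> Optional[str]:
        """Longest-prefix match; returns the outgoing interface or None if unrouted."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.routes:
            if a.version == net.version and a in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifc)
        return best[1] if best else None


def urpf_rules(fib: Fib, interface: str) -> List[str]:
    """The rule list installed on the Layer 2 ports under `interface`: one permit per
    source prefix whose route exits via this interface, then the deny-all."""
    permits = [f"permit ip {net.with_prefixlen} any"
               for net, ifc in fib.routes if ifc == interface]
    return permits + ["deny ip any any"]


def urpf_permit(fib: Fib, src: str, ingress: str, urpf_enabled: Set[str]) -> bool:
    """Strict uRPF verdict: forward only if the best route back to the source address
    leaves through the interface the packet arrived on. Interfaces without uRPF
    enabled accept everything, as before the feature is turned on."""
    if ingress not in urpf_enabled:
        return True
    return fib.lookup(src) == ingress


# Constructed topology: two customer VLANs and an uplink holding the default route.
FIB = Fib([
    ("10.1.0.0/16", "Vlan1"),
    ("10.2.0.0/16", "Vlan2"),
    ("10.2.200.0/24", "Vlan1"),   # more-specific route: this /24 actually sits behind Vlan1
    ("0.0.0.0/0", "Vlan3"),       # uplink
])
URPF_ON = {"Vlan1", "Vlan2"}      # customer-facing interfaces only


def check_packets(packets: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    """Verdict for each (source address, ingress interface) pair."""
    return {pkt: urpf_permit(FIB, pkt[0], pkt[1], URPF_ON) for pkt in packets}


if __name__ == "__main__":
    for iface in ("Vlan1", "Vlan2", "Vlan3"):
        print(iface, urpf_rules(FIB, iface))
    for pkt, ok in check_packets([("10.1.1.1", "Vlan1"), ("10.2.5.5", "Vlan1"),
                                  ("10.2.200.7", "Vlan1"), ("8.8.8.8", "Vlan1")]).items():
        print(pkt, "forward" if ok else "drop")
```

Two caveats follow from the rules: because the permit list is derived from the route table, any route change (including the more-specific 10.2.200.0/24 above) must regenerate the interface's rules, and enabling strict uRPF on an interface that carries the default route, or on any link with asymmetric routing, discards legitimate traffic. That is why the example enables it only on the customer-facing VLANs.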
show urpf interface ... | Display the URPF rules generated by the Layer 3 interface or Layer 2 interface
10.4.4 Commands For URPF
10.4.4.1 urpf enable
Command: urpf enable
no urpf enable
Function: Enable URPF on the Layer 3 interface; the "no" form of this command disables URPF on this interface.
Command Mode: Interface Mode
Default: URPF is not enabled by default
10.5 ARP
10.5.1 Introduction to ARP
ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet MAC addresses. The ES4624-SFP/ES4626-SFP switch supports both dynamic ARP and static configuration. Furthermore, the ES4624-SFP/ES4626-SFP switch supports configuration of proxy ARP for some applications.
10.5.2 ARP Configuration Task List
1. Configure static ARP
2. Configure proxy ARP
1. Configure static ARP
Command | Explanation
arp <ip_address> <mac_address> {[ethernet] <portName>}
no arp <ip_address> | Configures a static ARP entry; the "no arp <ip_address>" command deletes a static ARP entry.
2.
10.5.3.2 clear arp-cache
Command: clear arp-cache
Function: Clears the ARP table.
Parameters: N/A.
Command mode: Admin Mode
Usage Guide: Clears the contents of the current ARP table, but does not clear the static ARP entries.
Example:
Switch#clear arp-cache
10.5.3.3 ip proxy-arp
Command: ip proxy-arp
no ip proxy-arp
Function: Enables proxy ARP for the VLAN interface;...
10.5.3.4.1 Commands for Monitor And Debug
10.5.3.4.1.1 debug arp
Command: debug arp
no debug arp
Function: Enables the ARP debugging function; the "no debug arp" command disables this debugging function.
Default: ARP debug is disabled by default.
Command mode: Admin Mode
Usage Guide: Displays the contents of ARP packets received/sent, including type, source and destination address, etc.
Displayed information | Explanation
Total arp items | Total number of ARP entries.
the matched ARP entry | Number of ARP entries matching the filter conditions
InCompleted | ARP entries for which an ARP request was sent without an ARP reply
Address | IP address of the ARP entry
Hardware Address | MAC address of the ARP entry
Interface | Layer 3 interface corresponding to the ARP entry.
Chapter 11 DHCP Configuration
11.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP addresses dynamically from an address pool, along with other network configuration parameters such as the default gateway, DNS server, default route and the location of the host image file within the network.
DHCP packets so that the DHCP packet exchange can be completed between the DHCP client and server. The ES4624-SFP/ES4626-SFP switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (i.e.
(2) Configure DHCP address pool parameters
Command | Explanation
DHCP Address Pool Mode
network-address <network-number> [mask | prefix-length]
no network-address | Configures the address scope that can be allocated from the address pool
default-router [address1[address2[…address8]]]
no default-router | Configures the default gateway for DHCP clients
dns-server [address1[address2[…address8]]]... | Configures the DNS server for DHCP clients...
dhcp excluded-address <low-address> [<high-address>]
no dhcp excluded-address <low-address> [<high-address>] | Excludes addresses in the address pool that are not for dynamic allocation.
(3) Configure manual DHCP address pool parameters
Command | Explanation
DHCP Address Pool Mode
hardware-address <hardware-address> [{Ethernet | IEEE802|<type-number>}]
no hardware-address | Specifies the hardware address when assigning an address manually...
Command Mode: DHCP Address Pool Mode
Usage Guide: Specify the name of the file to be imported by the client. This is usually used for diskless workstations that need to download a configuration file from the server on boot. This command is used together with "next-server".
Example: The path and filename of the file to be imported is "c:\temp\nos.img"...
Function: Configures the default gateway(s) for DHCP clients; the "no default-router" command deletes the default gateway.
Parameters: address1…address8 are IP addresses in dotted decimal format.
Default: No default gateway is configured for DHCP clients by default.
Command Mode: DHCP Address Pool Mode
Usage Guide: The IP address of the default gateway(s) should be in the same subnet as the DHCP client IP; the switch supports up to 8 gateway addresses.
11.2.2.7 hardware-address
Command: hardware-address <hardware-address> [{Ethernet | IEEE802|<type-number>}]
no hardware-address
Function: Specifies the hardware address of the user when binding an address manually; the "no hardware-address" command deletes the setting.
Parameters: <hardware-address> is the hardware address in hex; Ethernet | IEEE802 is the hardware type; <type-number> should be the ARP hardware type number defined by the RFCs for the protocol type, from 1 to 255, e.g., 1 for Ethernet and 6 for IEEE 802 networks.
Switch(dhcp-1-config)#host 10.1.128.160 24
Related command: hardware-address, client-identifier
11.2.2.9 ip dhcp conflict logging
Command: ip dhcp conflict logging
no ip dhcp conflict logging
Function: Enables logging of address conflicts detected by the DHCP server; the "no ip dhcp conflict logging" command disables the logging.
Default: Logging of address conflicts is enabled by default.
Lease settings should be decided based on network conditions: too long a lease duration reduces the flexibility of DHCP, while too short a duration results in increased network traffic and overhead. The default lease duration of the ES4624-SFP/ES4626-SFP switch is 1 day.
Example: Setting the lease of DHCP pool "1" to 3 days, 12 hours and 30 minutes.
Switch(dhcp-1-config)#lease 3 12 30
11.2.2.14 netbios-name-server
Command: netbios-name-server <address1>[<address2>[…<address8>]]
no netbios-name-server
Function: Configures the WINS server addresses; the "no netbios-name-server" command deletes the WINS servers.
Parameters: address1…address8 are IP addresses in dotted decimal format.
dotted decimal format; <prefix-length> is the mask in prefix form. For example, the mask 255.255.255.0 in prefix form is "24", and the mask 255.255.255.252 in prefix form is "30".
Note: When using the DHCP server, the pool mask should be equal to or longer than the mask of the Layer 3 interface IP address in the corresponding segment.
Usage Guide: Both DHCP server and DHCP relay are included in the DHCP service. When the DHCP service is enabled, both DHCP server and DHCP relay are enabled. The ES4624-SFP/ES4626-SFP switch can only assign IP addresses to DHCP clients and perform DHCP relay when the DHCP service is enabled.
receiving the packet, and forwards the packet to the specified DHCP server (for the DHCP frame format, please refer to RFC 2131). On receiving the DHCPDISCOVER packets forwarded by the DHCP relay, the DHCP server sends a DHCPOFFER packet via the DHCP relay to the DHCP client. The DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet, which the DHCP relay forwards to the DHCP server after processing.
4. Disable DHCP relay from forwarding DHCP broadcast packets.
Command | Explanation
Global Mode
ip dhcp relay information policy drop
no ip dhcp relay information policy drop | When Layer 3 switches are used as DHCP relays, this command sets the relay forwarding policy to drop DHCP packets; the "no ip dhcp relay information policy drop"...
to delete the conflict record for an address. If "all" is specified, all conflict records in the log are removed. Once records are removed from the log, the addresses become available for allocation by the DHCP server.
Example: The network administrator finds that 10.1.128.160 has a conflict record in the log and is no longer used by anyone, so he deletes the record from the address conflict log.
Switch(Config)#interface vlan 1
Switch(Config-If-Vlan1)#ip dhcp relay information policy drop
11.4 DHCP Configuration Example
Scenario 1: To save configuration effort for network administrators and users, a company is using an ES4624-SFP/ES4626-SFP switch as a DHCP server. The Admin VLAN IP address...
is 10.16.1.2/16. The local area network of the company is divided into network A and network B according to office location. The network configurations for locations A and B are shown below.
PoolA (network 10.16.1.0) | PoolB (network 10.16.2.0)
Device | IP address | Device | IP address
Default gateway | 10.16.1.200 | ...
Switch(dhcp-A1-config)#client-name management
Switch(dhcp-A1-config)#exit
Scenario 2:
Fig 10-3 DHCP Relay Configuration
As shown in the figure above, the routing switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10 and the TFTP server address is 10.1.1.20; the configuration steps are as follows:
Switch(Config)#service dhcp
Switch(Config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0...
In such a case, the DHCP server should be examined for an address pool in the same segment as the switch VLAN; such a pool should be added if not present. (This does not mean the ES4624-SFP/ES4626-SFP switch cannot assign IP addresses for different segments; see solution 2 for details.) In the DHCP service, pools for dynamic IP allocation and manual binding conflict, i.e.,...
11.5.1.1 show ip dhcp binding
Command: show ip dhcp binding [ [<ip-addr>] + [type {all | manual | dynamic}] [count] ]
Function: Displays IP-MAC binding information.
Parameters: <ip-addr> is a specified IP address in dotted decimal format; "all" stands for all binding types (manual binding and dynamic assignment);...
Command: show ip dhcp server statistics
Function: Displays statistics of all DHCP packets for the DHCP server.
Command mode: Admin Mode
Example:
Switch#show ip dhcp server statistics
Address pools
Database agents
Automatic bindings
Manual bindings
Conflict bindings
Expired bindings
Malformed message
Message Received...
Message Received | Statistics for DHCP packets received
BOOTREQUEST | Total packets received
DHCPDISCOVER | Number of DHCPDISCOVER packets
DHCPREQUEST | Number of DHCPREQUEST packets
DHCPDECLINE | Number of DHCPDECLINE packets
DHCPRELEASE | Number of DHCPRELEASE packets
DHCPINFORM | Number of DHCPINFORM packets
Message Send | Statistics for DHCP packets sent
BOOTREPLY | Total packets sent
DHCPOFFER...
255.255.255.0; set the DHCP client node type to broadcast node; set the address lease timeout to 3 days 12 hours 30 minutes, and then click Apply. The configuration is applied on the switch.
11.6.1.3 Client's default gateway configuration
Click DHCP configuration, DHCP server configuration, Client's default gateway configuration.
11.6.1.5 Client WINS server configuration
Click DHCP configuration, DHCP server configuration, Client WINS server configuration. Users can configure up to eight WINS servers. WINS server 1 has the highest priority and WINS server 8 has the lowest priority.
11.6.1.7 DHCP network parameter configuration
Click DHCP configuration, DHCP server configuration, DHCP network parameter configuration. Users can specify DHCP network parameters.
1.128.240; set Operation type to Set network parameter, and then click Apply. The configuration is applied on the switch.
11.6.1.8 Manual address pool configuration
Click DHCP configuration, DHCP server configuration, Manual address pool configuration. Users can configure the DHCP manual address pool:...
11.6.1.9 Excluded address
Click DHCP configuration, DHCP server configuration, Manual address pool configuration. Users can configure the excluded addresses of the DHCP pool.
10.1.128.1; set Ending address to 10.1.128.10; set Operation type to Add address not for allocating dynamically, and then click Apply. The configuration is applied on the switch.
switch; click Default, and DHCP relay is enabled on the switch.
11.6.2 DHCP debugging
Click DHCP configuration, DHCP debugging. Users can display DHCP debug information.
11.6.2.1 Delete binding log
Click DHCP configuration, DHCP debugging, Delete binding log. Users can delete a specified binding log or all binding logs. For example: set Delete all binding log to Yes, and then click Apply.
11.6.2.5 Show conflict-logging Click DHCP configuration, DHCP debugging, Show conflict-logging. Users can display conflict logging.
Chapter 12 DHCP option 82 Configuration
12.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address allocation policy.
SubOpt: the sub-option number; the number of the Circuit ID sub-option is 1 and the number of the Remote ID sub-option is 2.
Len: the number of bytes in the sub-option Value, not including the SubOpt and Len bytes themselves.
12.1.2 option 82 Working Mechanism
DHCP Relay Agent
DHCP Request...
3) After receiving the DHCP request message, the DHCP server allocates an IP address and other information for the client according to the option 82 information in the message and the preconfigured policy. It then forwards the reply message, carrying the DHCP configuration information and the option 82 information, to the DHCP Relay Agent.
ip dhcp relay information policy {drop | keep | replace}
no ip dhcp relay information policy | This command sets the system's forwarding policy for received DHCP request messages that already contain option 82. drop means that if the message has option 82, the system drops it without processing; keep means that the system keeps the original option 82 segment in the message and...
ip dhcp server relay information enable
no ip dhcp server relay information enable | This command enables the DHCP server to recognize option 82. The "no ip dhcp server relay information enable" command makes the server ignore option 82.
4.
Switch(Config)#service dhcp
Switch(Config)#ip forward-protocol udp bootps
Switch(Config)#ip dhcp relay information option
12.2.2.2 ip dhcp relay information policy
Command: ip dhcp relay information policy {drop | keep | replace}
no ip dhcp relay information policy
Function: This command sets the system's forwarding policy for received DHCP request messages that already contain option 82.
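The option 82 layout given in 12.1 (sub-option 1 Circuit ID, sub-option 2 Remote ID, each with a Len that excludes its own SubOpt and Len bytes) and the drop/keep/replace policy of this command are straightforward to write down in code. The following is an added illustration, not code from the ES4624-SFP/ES4626-SFP manual: it encodes and decodes the option, then applies the three policies to a constructed DHCPDISCOVER option payload as a relay would. The specific Circuit ID layout (16-bit VLAN plus 16-bit port), the client and relay MAC addresses and all function names are this example's own assumptions; the manual only says the circuit-id format has a standard form that can be overridden per port.

```python
"""DHCP option 82 (Relay Agent Information) encode/decode and relay policy.
Added example, not from the switch manual; payloads below are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

OPT_MSG_TYPE = 53
OPT_CLIENT_ID = 61
OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_tlv(blob: bytes) -> List[Tuple[int, bytes]]:
    """Parse a DHCP option field: code, length, value. Code 0 is a pad byte and
    255 ends the field. A length running past the buffer raises rather than being
    silently truncated, since a relay must not forward what it cannot parse."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option %d" % code)
        ln = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def build_tlv(items: List[Tuple[int, bytes]], end: bool = True) -> bytes:
    out = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return out + (b"\xff" if end else b"")


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """The sub-options use the same SubOpt/Len/Value layout; Len counts Value only
    and there is no end marker inside the option."""
    return build_tlv([(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)], end=False)


def parse_option82(value: bytes) -> Dict[int, bytes]:
    return dict(parse_tlv(value))


def circuit_id_standard(vlan: int, port: int) -> bytes:
    """Assumed 'standard' circuit-id: big-endian 16-bit VLAN, 16-bit port."""
    return struct.pack("!HH", vlan, port)


def relay_inbound(options: bytes, policy: str, circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Relay processing of a client-to-server message. A message without option 82
    always gets the relay's own option appended. If option 82 is already present
    (the message passed another relay, or a host forged it), the policy decides:
    drop discards the message (None), keep forwards it untouched, replace swaps in
    this relay's circuit-id / remote-id."""
    items = parse_tlv(options)
    mine = build_option82(circuit_id, remote_id)
    if not any(code == OPT_RELAY_AGENT for code, _ in items):
        return build_tlv(items + [(OPT_RELAY_AGENT, mine)])
    if policy == "drop":
        return None
    if policy == "keep":
        return build_tlv(items)
    if policy == "replace":
        kept = [(c, v) for c, v in items if c != OPT_RELAY_AGENT]
        return build_tlv(kept + [(OPT_RELAY_AGENT, mine)])
    raise ValueError("unknown policy " + policy)


# Constructed DHCPDISCOVER option payload from a client on VLAN 2, port 5 of the relay.
CLIENT_MAC = bytes.fromhex("00a0c9112233")
RELAY_MAC = bytes.fromhex("001122334455")          # used as the Remote ID
DISCOVER_OPTS = build_tlv([(OPT_MSG_TYPE, b"\x01"), (OPT_CLIENT_ID, b"\x01" + CLIENT_MAC)])

if __name__ == "__main__":
    tagged = relay_inbound(DISCOVER_OPTS, "replace", circuit_id_standard(2, 5), RELAY_MAC)
    print("option 82 sub-options:", parse_option82(dict(parse_tlv(tagged))[OPT_RELAY_AGENT]))
    for policy in ("drop", "keep", "replace"):
        print(policy, relay_inbound(tagged, policy, circuit_id_standard(3, 1), RELAY_MAC))
```

The policy choice is a security decision: with keep, a client that pre-fills option 82 with another port's Circuit ID can be served from that port's pool; drop and replace both defeat that, and replace is the usual choice when a second relay sits upstream of the first.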
Command Mode: Interface configuration mode.
Default Settings: The system uses the standard format for the circuit-id of option 82 by default.
Usage Guide: Because the option 82 information added by the switch must cooperate with a third-party DHCP server, this command lets the user specify the contents of the circuit-id to suit the server when the switch's standard circuit-id format does not satisfy the server's requirements.
Vlan2:
ip dhcp relay information policy keep
ip dhcp relay information option subscriber-id standard
Vlan3:
ip dhcp relay information policy replace
ip dhcp relay information option subscriber-id foobar
12.2.2.6 debug ip dhcp relay packet
Command: debug ip dhcp relay packet
Function: This command displays information on packet processing in the DHCP Relay Agent, including the "add"...
server to DHCP client to finish the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot distinguish whether the DHCP client is from the network connected to Switch1 or Switch2. So, all the PC terminals connected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server.
pool {
  range 192.168.102.21 192.168.102.50;
  default-lease-time 86400;   # 24 Hours
  max-lease-time 172800;      # 48 Hours
  allow members of "Switch3Vlan2Class1";
}
pool {
  range 192.168.102.51 192.168.102.80;
  default-lease-time 43200;   # 12 Hours
  max-lease-time 86400;       # 24 Hours
  allow members of "Switch3Vlan2Class2";
}
Now, the DHCP server will allocate addresses for the network nodes from Switch1 which are relayed by Switch3 within the range of 192.168.102.21 ~ 192.168.102.50, and allocate addresses for the network nodes from Switch2 within the range of 192.168.102.51 ~ 192.168.102.80.
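As an added example (not code from the manual or the switch firmware), the following Python model applies the relay policy of section 12.2.2.2 (drop, keep or replace) to a request and then lets a server pick a pool by the relayed circuit-id, the way the class-restricted pools above do. The option 82 sub-option layout is the standard code/length/value form; circuit-id strings, the remote-id and the pool ranges are constructed.

```python
# Added example: DHCP option 82 relay policy (drop | keep | replace) and
# server-side pool selection keyed on the relayed circuit-id. Illustrative
# model only, not the switch firmware; circuit-ids, remote-id and pool
# ranges are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPTION_82 = 82          # Relay Agent Information option
SUB_CIRCUIT_ID = 1      # sub-option 1: identifies the port the client came in on
SUB_REMOTE_ID = 2       # sub-option 2: identifies the relay agent itself


@dataclass
class DhcpRequest:
    client_mac: str
    options: Dict[int, bytes] = field(default_factory=dict)


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-options as code/length/value triples, as carried inside option 82."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def decode_option82(data: bytes) -> Dict[int, bytes]:
    """Parse the sub-option TLVs; a truncated TLV is rejected, not guessed."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def relay(req: DhcpRequest, policy: str, circuit_id: bytes,
          remote_id: bytes) -> Optional[DhcpRequest]:
    """Apply 'ip dhcp relay information policy'; None means the request is dropped."""
    own = encode_option82(circuit_id, remote_id)
    if OPTION_82 not in req.options:
        req.options[OPTION_82] = own     # no option 82 yet: the relay inserts its own
        return req
    if policy == "drop":
        return None                      # request already carries option 82: discard it
    if policy == "keep":
        return req                       # forward with the original segment untouched
    if policy == "replace":
        req.options[OPTION_82] = own     # overwrite with this relay's information
        return req
    raise ValueError(f"unknown policy {policy!r}")


# Constructed server policy: circuit-id -> address pool, mirroring the two
# class-restricted pools in the dhcpd fragment above.
POOLS: Dict[bytes, Tuple[str, str]] = {
    b"Vlan2:Ethernet1/1": ("192.168.102.21", "192.168.102.50"),
    b"Vlan2:Ethernet1/2": ("192.168.102.51", "192.168.102.80"),
}


def select_pool(req: DhcpRequest) -> Optional[Tuple[str, str]]:
    """Pick the pool for the port the request was relayed from (None: no match)."""
    data = req.options.get(OPTION_82)
    if data is None:
        return None
    subs = decode_option82(data)
    return POOLS.get(subs.get(SUB_CIRCUIT_ID, b""))


if __name__ == "__main__":
    # A request arriving on Ethernet1/1 that already carries an option 82
    # (constructed) naming Ethernet1/2: 'replace' makes the server use the
    # pool of the real ingress port, 'keep' honours the carried value.
    for policy in ("drop", "keep", "replace"):
        req = DhcpRequest("00-11-22-33-44-55",
                          {OPTION_82: encode_option82(b"Vlan2:Ethernet1/2", b"x")})
        out = relay(req, policy, b"Vlan2:Ethernet1/1", b"Switch3")
        print(policy, None if out is None else select_pool(out))
```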
Chapter 13 DHCP snooping Configuration 13.1 Introduction to DHCP Snooping DHCP Snooping can effectively block attacks of fake DHCP Servers. Defense against Fake DHCP Server:once the switch intercepts the DHCP Server reply packets (including DHCPOFFER, DHCPACK, and DHCPNAK) , it will alarm and respond according to the situation(shutdown the port or send Blackhole)...
5. Set trusted ports
6. Enable DHCP Snooping binding DOT1X function
7. Enable DHCP Snooping binding USER function
8. Adding static list entries function
9. Set defense actions
10. Set rate limitation of DHCP messages
11. Enable the debug switch
1. Enable DHCP Snooping
Command Explanation...
Command (Global mode): ip dhcp snooping binding arp / no ip dhcp snooping binding arp
Explanation: Enable or disable the DHCP snooping binding ARP function.
5. Set trusted ports
Command (Port mode): ip dhcp snooping trust / no ip dhcp snooping trust
Explanation: Set or delete the DHCP snooping trust attribute of ports.
Command (Global mode): ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> interface (ethernet|) <ifname> / no ip dhcp snooping binding user <mac> interface (ethernet|) <ifname>
Explanation: Add/delete DHCP snooping static binding list entries.
9. Set defense actions
Command Explanation Port mode dhcp...
13.2.2.1 debug ip dhcp snooping packet interface
Command: debug ip dhcp snooping packet interface <ifName>
no debug ip dhcp snooping packet <ifName>
Function: This command is used to enable the DHCP SNOOPING debug switch to debug the information that DHCP SNOOPING is receiving a packet.
Command Mode: Admin mode.
13.2.2.5 debug ip dhcp snooping binding
Command: debug ip dhcp snooping binding
no debug ip dhcp snooping binding
Function: This command is used to enable the DHCP SNOOPING debug switch to debug the state of the binding data of DHCP SNOOPING.
Command Mode: Admin mode.
Usage Guide: This command is mainly used to debug the state of the DHCP SNOOPING task when it adds ARP list entries, dot1x users and trusted user list entries according to binding data.
Command: ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> interface [Ethernet] <ifname>
no ip dhcp snooping binding user <mac> interface [Ethernet] <ifname>
Function: Configure the information of static binding users.
Parameters: mac: The MAC address of the static binding user, which is the only index of the binding user.
entries are deleted, the binding ARP list entries cannot be recovered until DHCP SNOOPING recaptures the binding information. Adding binding ARP list entries is used to prevent these list entries from being attacked by ARP cheating. At the same time, these static list entries need no reauthentication, which can prevent the switch from failing to reauthenticate ARP when it is being attacked by ARP scanning.
mutually exclusive to the “ip dhcp snooping binding dot1x” command. Only after the DHCP SNOOPING binding function is enabled can the binding ARP function be set.
Example: Enable the binding USER function on port ethernet1/1
switch(Config)#interface ethernet 1/1
switch(Config-Ethernet1/1)#ip dhcp snooping binding user-control
Relative Command: ip dhcp snooping binding enable
ip dhcp snooping binding dot1x
13.2.2.12 ip dhcp snooping trust...
Default Settings: No default defense action.
Usage Guide: Only when DHCP Snooping is globally enabled can this command be set. A trusted port will not detect fake DHCP Servers, so it will never trigger the corresponding defense action. When a port turns into a trusted port from a non-trusted port, the original defense action of the port will be automatically deleted.
is relative to the type of the switch, its current load and so on.
Example: Set the message transmission rate as 50pps
switch(Config)#ip dhcp snooping limit-rate 50
13.2.2.16 ip user helper-address
Command: ip user helper-address <svr_addr> [port <udp_port>] source <src_addr> [secondary]
no ip user helper-address [secondary]
Function:...
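As an added example (not the switch's own code), the following Python model ties together the DHCP snooping behaviour described in this chapter: server replies (DHCPOFFER/ACK/NAK) seen on an untrusted port are treated as a fake DHCP server and trigger that port's defense action, trusting a port deletes its defense action, bindings are learnt from ACKs relayed through a trusted port, and a per-port DHCP message rate limit applies. Port names, the defense action names and the packet timings are constructed; whether a detected reply is additionally dropped is an assumption of this model.

```python
# Added example: a model of DHCP snooping as described in this chapter
# (illustrative, not the switch firmware). Port names, actions and packet
# timings are constructed.
from collections import defaultdict, deque
from typing import Dict, Optional, Tuple

DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 2, 3, 5, 6   # option 53 message types
SERVER_REPLIES = {DHCPOFFER, DHCPACK, DHCPNAK}          # only a server sends these


class DhcpSnooping:
    def __init__(self, limit_rate: int = 50) -> None:
        self.enabled = False                 # global DHCP snooping switch
        self.trusted = set()                 # ports with "ip dhcp snooping trust"
        self.action: Dict[str, str] = {}     # port -> defense action (e.g. "shutdown")
        self.limit_rate = limit_rate         # "ip dhcp snooping limit-rate <pps>"
        self.shutdown = set()                # ports closed by a defense action
        self.alarms = defaultdict(list)      # port -> [(time, message type)]
        self.bindings: Dict[str, Tuple[str, str]] = {}   # client MAC -> (ip, port)
        self._pending: Dict[str, str] = {}   # client MAC -> port of its last REQUEST
        self._window = defaultdict(deque)    # port -> receive times in the last second

    def set_trust(self, port: str, trusted: bool = True) -> None:
        if trusted:
            self.trusted.add(port)
            self.action.pop(port, None)      # trusting a port deletes its defense action
        else:
            self.trusted.discard(port)

    def set_action(self, port: str, action: str) -> None:
        if not self.enabled:
            raise RuntimeError("enable DHCP snooping globally first")
        self.action[port] = action

    def _over_rate(self, port: str, now: float) -> bool:
        q = self._window[port]
        q.append(now)
        while q and now - q[0] >= 1.0:       # keep only the last second
            q.popleft()
        return len(q) > self.limit_rate

    def process(self, port: str, msg_type: int, now: float,
                client_mac: Optional[str] = None, yiaddr: Optional[str] = None) -> str:
        """Return 'forward', 'drop', or the defense action taken for a fake server."""
        if not self.enabled:
            return "forward"
        if port in self.shutdown:
            return "drop"                    # port was closed earlier
        if self._over_rate(port, now):
            return "drop"                    # excess DHCP messages are discarded
        if msg_type in SERVER_REPLIES:
            if port not in self.trusted:
                # Fake DHCP server: alarm and apply the port's configured action
                # (assumption: the reply itself is not forwarded).
                self.alarms[port].append((now, msg_type))
                action = self.action.get(port)
                if action == "shutdown":
                    self.shutdown.add(port)
                return action or "alarm"
            if msg_type == DHCPACK and client_mac in self._pending and yiaddr:
                # Genuine lease via a trusted port: bind the address to the
                # client's own port, learnt from its REQUEST.
                self.bindings[client_mac] = (yiaddr, self._pending.pop(client_mac))
            return "forward"
        if msg_type == DHCPREQUEST and client_mac:
            self._pending[client_mac] = port
        return "forward"


if __name__ == "__main__":
    snoop = DhcpSnooping(limit_rate=50)
    snoop.enabled = True
    snoop.set_trust("Ethernet1/24")              # uplink towards the real server
    snoop.set_action("Ethernet1/1", "shutdown")  # constructed access-port action
    print(snoop.process("Ethernet1/24", DHCPOFFER, 0.0))   # forward
    print(snoop.process("Ethernet1/1", DHCPOFFER, 0.1))    # shutdown
    print(sorted(snoop.shutdown))
```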
Command: show ip dhcp snooping [interface [ethernet] <interfaceName>]
Function: Display the current configuration information of DHCP snooping, or display the records of defense actions of a specific port.
Parameters: <interfaceName>: the name of the specific port.
Command Mode: Admin mode.
Default Settings: None
Usage Guide: If no port is specified, display the current configuration information of DHCP snooping; otherwise, display the records of defense actions of the specified port.
immediately might be that the switch needs to notify the helper server about the information, but the helper server has not acknowledged it.
request binding: The number of REQUEST information
interface: The name of the port
trust: The trust attribute of the port
action: The automatic defense action of the port...
maxnum of alarm info: The number of automatic defense actions that can be recorded by the port
binding dot1x: Whether the binding dot1x function is enabled on the port
binding user: Whether the binding user function is enabled on the port
Alarm info: The number of alarm information
Chapter 14 SNTP Configuration 14.1 Introduction to SNTP The Network Time Protocol (NTP) is widely used for clock synchronization for global computers connected to the Internet. NTP can assess packet sending/receiving delay in the network, and estimate the computer’s clock deviation independently, so as to achieve high accuracy in network computer clocking.
ES4624-SFP/ES4626-SFP switch implements SNTPv4 and supports SNTP client unicast as described in RFC2030; SNTP client multicast and anycast are not supported, nor is the SNTP server function.
14.2 Commands for SNTP
14.2.1 clock timezone
Command: clock timezone <name> hour <hours> [before-utc | after-utc]
Function: Set the difference between local time and UTC time.
14.2.3 sntp poll Command: sntp poll <poll_interval> no sntp poll Function: Sets the interval for SNTP clients to send requests to NTP/SNTP; the “no sntp poll” command cancels the polltime sets and restores the default setting. Parameters: <poll_interval> is the interval value from 16 to 16284. Default: The default polltime is 64 seconds.
Fig 11-2 Typical SNTP Configuration
All ES4624-SFP/ES4626-SFP switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured. There should be a reachable route between any ES4624-SFP/ES4626-SFP switch and the two SNTP/NTP servers.
14.4.2 Request interval configuration Click “SNTP configuration”, “Request interval configuration” to configure the sending request time interval from SNTP client to NTP/SNTP server. Example: Configure Interval as 128 minutes, Click Apply to set the configuration in the switch. 14.4.3 Time difference Click “SNTP configuration”, “Time difference”...
Chapter 15 ARP Scanning Prevention Function Configuration
15.1 Introduction to ARP Scanning Prevention Function
ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source will broadcast lots of ARP messages in the segment, which will take up a large part of the bandwidth of the network.
3. Configure trusted ports
4. Configure trusted IP
5. Configure automatic recovery time
6. Display relative information of debug information and ARP scanning
Enable the ARP Scanning Prevention function.
Command (Global configuration mode): anti-arpscan enable / no anti-arpscan enable
Explanation: Enable or disable the ARP Scanning Prevention function globally...
Command: anti-arpscan recovery enable / no anti-arpscan recovery enable
Explanation: Enable or disable the automatic recovery function.
Command: anti-arpscan recovery time <seconds> / no anti-arpscan recovery time
Explanation: Configure the automatic recovery time.
6. Display relative information of debug information and ARP scanning
Command (Global configuration mode): anti-arpscan log enable / no anti-arpscan log enable
Explanation: Enable or disable the log function of ARP scanning prevention...
Command:anti-arpscan port-based threshold <threshold-value> no anti-arpscan port-based threshold Function:Set the threshold of received messages of the port-based ARP scanning prevention. If the rate of received ARP messages exceeds the threshold, the port will be closed. The unit is packet/second. The “no anti-arpscan port-based threshold” command will reset the default value, 5 packets/second.
<port | supertrust-port>” command will reset the port as an untrusted port.
Parameters: None.
Default Settings: By default all the ports are untrusted.
Command Mode: Port configuration mode.
User Guide: If a port is configured as a trusted port, then the ARP scanning prevention function will not deal with this port: even if the rate of received ARP messages exceeds the set threshold, this port will not be closed, but the untrusted IPs on this port will still be checked.
Default Settings: Enable the automatic recovery function
Command Mode: Global configuration mode
User Guide: If the users want the normal state to be recovered a while after the port is closed or the IP is disabled, they can configure this function.
Example: Enable the automatic recovery function of the switch
Switch(Config)#anti-arpscan recovery enable
15.3.7 anti-arpscan recovery time
Command: anti-arpscan recovery time <seconds>...
15.3.9 anti-arpscan trap enable
Command: anti-arpscan trap enable
no anti-arpscan trap enable
Function: Enable the ARP scanning prevention SNMP Trap function; the “no anti-arpscan trap enable” command disables the ARP scanning prevention SNMP Trap function.
Parameters: None.
Default Settings: Disable ARP scanning prevention SNMP Trap function
Command Mode: Global configuration mode
User Guide: After enabling the ARP scanning prevention SNMP Trap function, users will receive a Trap message whenever a port is closed or recovered by ARP scanning prevention, and whenever an IP is closed or recovered by ARP scanning prevention...
In the network topology above, port e4/1 of SWITCH B is connected to port e4/19 of SWITCH A, the port e4/2 of SWITCH A is connected to file server (IP address is 192.168.1.100/24), and all the other ports of SWITCH A are connected to common PC. The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system.
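As an added example (not the switch's own code), the following Python model shows the port-based ARP scanning prevention of this chapter in action: received ARP rates per port and per IP are compared with packets-per-second thresholds, an offending port is closed and an offending IP disabled, trusted ports skip the port check while their untrusted IPs are still checked, and automatic recovery reopens after the configured time. The per-IP threshold default of 10 is an assumption (this page states only the port-based default of 5 packets/second); port names and the ARP traffic are constructed.

```python
# Added example: a model of ARP scanning prevention (illustrative, not the
# switch firmware). Port names and traffic are constructed; the per-IP
# threshold default is an assumption, the port default of 5 pps is from the
# manual.
from collections import defaultdict, deque
from typing import Dict, List, Tuple


class ArpScanPrevention:
    def __init__(self, port_threshold: int = 5, ip_threshold: int = 10,
                 recovery_enable: bool = True, recovery_time: int = 300) -> None:
        self.port_threshold = port_threshold    # anti-arpscan port-based threshold (default 5)
        self.ip_threshold = ip_threshold        # assumed per-IP threshold (not from this page)
        self.recovery_enable = recovery_enable  # anti-arpscan recovery enable
        self.recovery_time = recovery_time      # anti-arpscan recovery time <seconds>
        self.trusted_ports = set()              # ports configured as trusted (section 15.3)
        self.trusted_ips = set()                # IPs configured as trusted (task 4 above)
        self.closed_ports: Dict[str, float] = {}    # port -> time it was closed
        self.disabled_ips: Dict[str, float] = {}    # ip -> time it was disabled
        self.log: List[Tuple[float, str, str]] = []  # what the log/trap would report
        self._port_times = defaultdict(deque)
        self._ip_times = defaultdict(deque)

    def _recover(self, now: float) -> None:
        """Automatic recovery: reopen ports / re-enable IPs after recovery_time."""
        if not self.recovery_enable:
            return
        for table, kind in ((self.closed_ports, "port-recovered"),
                            (self.disabled_ips, "ip-recovered")):
            for key, t in list(table.items()):
                if now - t >= self.recovery_time:
                    del table[key]
                    self.log.append((now, kind, key))

    @staticmethod
    def _rate_exceeded(q: deque, now: float, threshold: int) -> bool:
        q.append(now)
        while q and now - q[0] >= 1.0:      # sliding window of one second
            q.popleft()
        return len(q) > threshold

    def on_arp(self, port: str, sender_ip: str, now: float) -> str:
        """Process one received ARP message and report what happened to it."""
        self._recover(now)
        if port in self.closed_ports or sender_ip in self.disabled_ips:
            return "dropped"
        if port not in self.trusted_ports and \
                self._rate_exceeded(self._port_times[port], now, self.port_threshold):
            self.closed_ports[port] = now
            self.log.append((now, "port-closed", port))
            return "port-closed"
        # Even on a trusted port, an untrusted IP is still rate-checked.
        if sender_ip not in self.trusted_ips and \
                self._rate_exceeded(self._ip_times[sender_ip], now, self.ip_threshold):
            self.disabled_ips[sender_ip] = now
            self.log.append((now, "ip-disabled", sender_ip))
            return "ip-disabled"
        return "forwarded"


if __name__ == "__main__":
    guard = ArpScanPrevention(port_threshold=5, recovery_time=60)
    guard.trusted_ports.add("e4/2")             # the file-server port of the example above
    # Constructed burst: six ARP messages within half a second on an access port.
    for i in range(6):
        print(guard.on_arp("e4/3", f"192.168.1.{10 + i}", 0.1 * i))
    print(guard.log)
```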
Chapter 16 Prevent ARP, ND Spoofing Configuration
16.1 Overview
16.1.1 ARP (Address Resolution Protocol)
Generally speaking, the ARP protocol (RFC-826) is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-03-0F-FD-1D-2B.
There are many sniffing, monitoring and attack behaviors based on the ARP protocol in networks, and most attack behaviors are based on ARP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing first gains access to the normal network environment by counterfeiting a legal IP address, then sends a great deal of counterfeited ARP packets to switches; after the switches learn these packets, they overwrite the previously correct IP-to-MAC address mappings, and some correct IP/MAC address mappings are thereby modified to the correspondence configured by the attack...
2. Disable ARP, ND automatic learning function
Command (Admin mode and Interface mode): ip arp-security learnprotect / no ip arp-security learnprotect; ipv6 nd-security learnprotect / no ipv6 nd-security learnprotect
Explanation: Disable and enable the ARP, ND automatic learning function.
3. Function on changing dynamic ARP, ND to static ARP, ND
Command Explanation Admin Mode and Interface Mode...
Parameter: None
Command Mode: Global Mode / Interface configuration
Example:
Switch(Config-if-Vlan1)#ip arp-security convert
Switch(Config)#ip arp-security convert
16.3.6 ipv6 nd-security convert
Command: ipv6 nd-security convert
Function: Change all dynamic ND entries to static ND entries
Parameter: None
Command Mode: Global Mode / Interface Configuration
Example:
Switch(Config-if-Vlan1)#ipv6 nd-security convert
Switch(Config)#ipv6 nd-security convert
16.3.7 clear ip arp dynamic...
Fig 16-1 Prevent ARP, ND Spoofing
Equipment / Configuration:
switch: IP: 192.168.2.4; IP: 192.168.1.4; mac: 04-04-04-04-04-04
IP: 192.168.2.1; mac: 01-01-01-01-01-01
IP: 192.168.1.2; mac: 02-02-02-02-02-02
IP: 192.168.2.3; mac: 03-03-03-03-03-03
There is normal communication between B and C in the diagram above. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets from B to A.
There are two kinds of dynamic routing protocols: Interior Gateway Protocol (IGP) and Exterior Gateway Protocol (EGP). IGP is the protocol used to calculate the route to a destination inside an autonomous system. The IGPs supported by the ES4624-SFP/ES4626-SFP switch include RIP and OSPF; RIP and OSPF can be configured according to the requirement.
EGP is used to exchange routing information among different autonomous systems, such as the BGP protocol. The EGPs supported by the ES4624-SFP/ES4626-SFP switch include BGP-4 and BGP-4+.
17.1.1 Routing Table
As mentioned before, a layer 3 switch is mainly used to establish the route from the current layer 3 switch to a network or a host, and to forward packets according to the route.
The matching rules can be previously configured to be applied in the routing publishing, receiving and distributing policies. Five filters are provided in ES4624-SFP/ES4626-SFP switch: route-map, acl, as-path, community-list and ip-prefix for use. We will introduce each filter in following sections: 1.
several nodes, each of which is a unit for matching test. Nodes are matched in order of sequence-number. Match clauses define matching rules. The matching objects are some properties of routing messages. Different match clauses in the same node are logically in an “and” relation, which means the matching test of a node will not be pass until the conditions in all of its match clauses are met.
matching conditions for the Community-list field. As for the relevant Community-list configuration, please refer to the ip as-path command in BGP configuration.
17.2.2 IP Routing Policy Configuration Task List
1. Define route-map
2. Define the match clause in route-map
3. Define the set clause in route-map
4. Define address prefix list
1. Define route-map
Command...
Command: match community <community-list-name | community-list-num> [exact-match]
no match community [<community-list-name | community-list-num> [exact-match]]
Explanation: Match a community property access-list. The no match community [<community-list-name | community-list-num> [exact-match]] command deletes the match condition.
Command: match interface <interface-name >...
Explanation: Match by ports; the no match interface...
3. Define the set clause in route-map
Command (Route-map configuration mode): set aggregator as <as-number> <ip_addr>
no set aggregator as [<as-number> <ip_addr>]
Explanation: Distribute an AS No. for the BGP aggregator; the no set aggregator as [<as-number> <ip_addr>] command deletes the configuration.
Command: set as-path prepend <as-num>...
Explanation: Add a specified AS No. ...
Command: set extcommunity <rt | soo> <AA:NN>
no set extcommunity <rt | soo> [<AA:NN>]
Explanation: Configure the BGP extended community list property; the no set extcommunity <rt | soo> [<AA:NN>] command deletes the configuration.
Command: set ip next-hop <ip_addr>
no set ip next-hop [<ip_addr>]
Explanation: Set the next-hop IP address; the no set ip next-hop [<ip_addr>] command...
Command: set vpnv4 next-hop <ip_addr>
no set vpnv4 next-hop [<ip_addr>]
Explanation: Set the BGP VPNv4 next-hop address; the no set vpnv4 next-hop [<ip_addr>] command deletes the configuration.
Command: set weight <weight_val>
no set weight [<weight_val>]
Explanation: Set the BGP routing weight; the no set weight [<weight_val>] command deletes the configuration.
4.
contents
Default: None.
Command Mode: Global Mode
Usage Guide: This command can be used for explaining and describing a prefix-list, e.g. the application and attention matters of the prefix-list
Example:
Switch#config terminal
Switch(config)#ip prefix-list 3 description This list is used by BGP
17.2.3.2 ip prefix-list seq
Command: ip prefix-list <list_name>...
here can define a “permit 0.0.0.0/0 ge 0 le 32” item after several defined “deny mode” items so to grant the passage for all other routing messages.
Example:
Switch#config terminal
Switch(config)#ip prefix-list mylist seq 12345 deny 10.0.0.0/8 le 22 ge 14
17.2.3.3 match as-path
Command: match as-path <list-name>...
Switch(config)#route-map r1 permit 5
Switch(config-route-map)#match community 100 exact-match
17.2.3.5 match interface
Command: match interface <interface-name>
no match interface [<interface-name>]
Function: Configure to match the interfaces. The “no match interface [<interface-name>]” deletes this configuration.
Parameter: <interface-name> is the name of the interface.
Command Mode: route-map mode
Usage Guide: This command matches according to the next-hop messages in the route.
17.2.3.7 match metric
Command: match metric <metric-val>
no match metric [<metric-val>]
Function: Match the metric value in the routing message. The “no match metric [<metric-val>]” deletes the configuration.
Parameter: <metric-val> is the metric value, ranging between 0~4294967295.
Command Mode: route-map mode
Usage Guide: This command matches according to the metric value in the route.
match with the OSPF type 1 external route.
Command Mode: route-map mode
Usage Guide: This command matches according to the type of OSPF routes (the OSPF AS-external LSA type is either type 1 or type 2). If the matching succeeded, then the “permit”...
The check sequence among nodes is identified by sequence-number. “permit” means the node filter will be passed if all match subs are satisfied by the current route, and then all the set subs of this node will be executed without entering the check of the next node; if the match subs cannot be met, proceed to the check of the next node.
Command Mode: route-map mode
Usage Guide: To add an AS number in the AS domain of BGP, the AS path length should be lengthened so as to affect the best neighbor path option. To use this command, one match clause should at first be defined.
Example:
Switch#config terminal
Switch(config)#route-map r1 permit 5...
17.2.3.16 set community
Command: set community [AA:NN] [internet] [local-AS] [no-advertise] [no-export] [none] [additive]
no set community [AA:NN] [internet] [local-AS] [no-advertise] [no-export] [none] [additive]
Function: Configure the community attributes of the BGP routing message. The “no set community [AA:NN] [internet] [local-AS] [no-advertise] [no-export] [none] [additive]”...
no set ip next-hop [<ip_addr>]
Function: Configure the next-hop of the route. The “no set ip next-hop [<ip_addr>]” command deletes the configuration.
Parameter: <ip_addr> is the IP address of the next-hop shown in dotted decimal notation.
Command Mode: route-map mode
Example:
Switch#config terminal
Switch(config)#route-map r1 permit 5...
compared. To extend the comparison to the metric values of different neighbor paths, the bgp always-compare-med command should be configured. To use this command, one match clause should at first be defined.
Example:
Switch#config terminal
Switch(config)#route-map r1 permit 5
Switch(config-route-map)#set metric +60
17.2.3.21 set metric-type
Command: set metric-type <type-1 | type-2>...
Command: set originator-id <ip_addr>
no set originator-id [<ip_addr>]
Function: Configure the origin IP address of the BGP routing message. The “no set originator-id [<ip_addr>]” command deletes the configuration.
Parameter: <ip_addr> is the IP address of the route source shown in dotted decimal notation.
Switch#config terminal
Switch(config)#route-map r1 permit 5
Switch(config-route-map)#set vpnv4 next-hop 10.1.1.1
17.2.3.26 set weight
Command: set weight <weight_val>
no set weight [<weight_val>]
Function: Configure the weight value of the BGP routing message. The “no set weight [<weight_val>]” command deletes this configuration.
Parameter: <weight_val> is the weight value, ranging between 0~4294967295
Command Mode: route-map mode
Usage Guide: The weight value is adopted to facilitate the best path option and is valid only within the local switch.
Fig 17-1 Policy routing Configuration (figure: SwitchA, SwitchB, SwitchC and SwitchD, each with VLAN1, VLAN2 and VLAN3 interfaces; addresses shown: 192.68.11.1, 192.68.10.1, 192.68.6.1, 192.68.6.2, 192.68.5.2, 192.68.5.1, 172.16.20.1, 172.16.20.2, 172.16.1.1, 172.16.1.2)
Configuration procedure: (only SwitchA is listed; configurations for the other switches are omitted.)
The configuration of Layer 3 SwitchA:
SwitchA#config
SwitchA(config)#router bgp 1...
mode items can be defined first to fast remove the unmatched routing messages, however if all the items are set to deny mode, any route will not be able to pass the filtering of this address prefix list. We can define a permit 0.0.0.0/0 le 32 item after several deny mode items are defined so to permit all other routing messages pass through.
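As an added example (not the switch's own code), the following Python evaluator implements the ip prefix-list and route-map semantics this chapter describes: prefix-list entries are tried in sequence order with ge/le bounds on the prefix length and an implicit deny after the last entry, route-map nodes are tried by sequence number, all match clauses of a node must hold, a permit node applies its set clauses and stops, a deny node drops the route, and a route matching no node is filtered. The list name, sequence numbers, routes and the clause builders' names are constructed.

```python
# Added example: evaluator for ip prefix-list and route-map semantics as this
# chapter describes them (illustrative, not the switch firmware). Names,
# sequence numbers and routes are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # minimum prefix length to match
    le: Optional[int] = None    # maximum prefix length to match

    def covers(self, route: str) -> bool:
        net, r = ipaddress.ip_network(self.prefix), ipaddress.ip_network(route)
        if not r.subnet_of(net):
            return False
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        else:                   # "ge" alone means "ge .. maximum length"
            hi = r.max_prefixlen if self.ge is not None else net.prefixlen
        return lo <= r.prefixlen <= hi


class PrefixList:
    def __init__(self, name: str, entries: List[PrefixEntry]) -> None:
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def permits(self, route: str) -> bool:
        for e in self.entries:          # the first covering entry decides
            if e.covers(route):
                return e.action == "permit"
        return False                    # no entry matched: implicit deny


@dataclass
class Route:
    prefix: str
    metric: int = 0
    as_path: List[int] = field(default_factory=list)


@dataclass
class RouteMapNode:
    seq: int
    action: str                                        # "permit" or "deny"
    matches: List[Callable[[Route], bool]] = field(default_factory=list)
    sets: List[Callable[[Route], None]] = field(default_factory=list)


def apply_route_map(nodes: List[RouteMapNode], route: Route) -> Optional[Route]:
    for node in sorted(nodes, key=lambda n: n.seq):
        if all(m(route) for m in node.matches):        # match clauses are ANDed
            if node.action == "deny":
                return None
            for s in node.sets:
                s(route)
            return route                                # permit: stop at this node
    return None                                         # no node matched


# Clause builders, named after the CLI commands they model.
def match_ip_prefix_list(pl: PrefixList):
    return lambda r: pl.permits(r.prefix)

def match_metric(value: int):
    return lambda r: r.metric == value

def set_metric(value):
    """'set metric +60' adds to the metric; a plain number replaces it."""
    def apply(r: Route) -> None:
        if isinstance(value, str) and value[:1] in "+-":
            r.metric += int(value)
        else:
            r.metric = int(value)
    return apply

def set_as_path_prepend(asn: int):
    return lambda r: r.as_path.insert(0, asn)


if __name__ == "__main__":
    # Constructed policy: deny 10/8 routes of length 14..22, permit the rest,
    # and in route-map r1 drop metric-10 routes, add 60 to the others.
    mylist = PrefixList("mylist", [PrefixEntry(5, "deny", "10.0.0.0/8", ge=14, le=22),
                                   PrefixEntry(10, "permit", "0.0.0.0/0", le=32)])
    r1 = [RouteMapNode(5, "deny", [match_metric(10)]),
          RouteMapNode(10, "permit", [match_ip_prefix_list(mylist)], [set_metric("+60")])]
    for prefix, metric in (("10.1.0.0/16", 20), ("192.168.5.0/24", 20), ("172.16.0.0/12", 10)):
        print(prefix, apply_route_map(r1, Route(prefix, metric)))
```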
Parameter: Detail means show detailed messages, summary means show summary messages, <list-name> is the name of the prefix-list.
Default: None
Command Mode: all modes
Usage Guide: All prefix-lists will be shown if no prefix-list name is specified.
Example:
Switch#show ip prefix-list detail mylist
ip prefix-list mylist:
count: 2, range entries: 0, sequences: 5 - 10
deny 1.1.1.1/8 (hit count: 0, recount: 0)
Set clauses: metric 10
Displayed information / Explanation:
route-map a, deny, sequence 10: route-map a means the name of the route map is a, deny means the deny mode, sequence means the sequence number is 10
Match clauses: Match sub
as-path 60: Detailed contents in the Match sub
Set clauses: Set sub
metric 10...
packet and has no default route configured, the packet will be discarded, and an ICMP packet will be sent to the source address to indicate that the destination address or network is unreachable.
17.3.3 Static Route Configuration Task List
1. Static route configuration
2. Default route configuration
1.
route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>]
Function: Configure the static route. The “no ip route {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>]” command deletes the static route.
Parameter: The <ip-prefix> and <mask> are respectively the destination IP address and subnet mask, shown in dotted decimal notation;...
is the destination network address plus the length of prefix; connected is direct route; static static route; rip is RIP route; ospf is OSPF route; bgp is BGP route; isis is ISIS route; kernel is kernel route; statistics shows the number of routes; database route database;...
network, mask, next-hop address, interface, etc.
Command Mode: all modes
Usage Guide: With the show ip route command, contents about static routes in the route table can be shown, including destination IP address, network mask and next-hop IP address or forwarding interfaces.
Example:
Switch#show ip route fib
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived...
<mask> are respectively destination IP address and sub network mask shown in dotted decimal notation; <ip-prefix> and <prefix-length> are respectively destination IP address and prefix length; <gateway-address> is the next-hop IP address show in dotted decimal notation; <gateway-interface> is the next-hop interface, < distance > is the route managing distance value ranging between 1~255.
Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
Next hop uses the partner IP address
Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
Configuration of layer 3 SwitchB
Switch#config
Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
17.4 RIP
17.4.1 Introduction to RIP...
MD5 password authentication are supported), and supports variable length subnet masks. RIP-II uses some of the zero fields of RIP-I and requires no zero field verification. The ES4624-SFP/ES4626-SFP switch sends RIP-II packets in multicast by default; both RIP-I and RIP-II packets will be accepted.
The Layer 3 switch modifies its local route table on receiving the reply packets and sends triggered update packets to the neighbor devices to advertise route update information. On receiving the triggered update packet, the neighbor layer 3 switches send triggered update packets to their own neighbor layer 3 switches. After a sequence of triggered update packet broadcasts, all layer 3 switches get and maintain the latest route information.
Configure the RIP VPN command. 1. Enable RIP protocol Applying RIP route protocol with basic configuration in ES4624-SFP/ES4626-SFP switch is simple. Normally you only have to open the RIP switch and configure the segments running RIP, namely send and receive the RIP data packet by default RIP configuration.
protocols to be introduced in RIP)
Command (Router configuration mode): default-metric <value> / no default-metric
Explanation: Sets the default route metric for routes to be introduced; the “no default-metric” command restores the default setting.
Command: redistribute {kernel |connected| static| ospf| isis|...
Explanation: Redistribute the routes distributed in other...
Command: key <keyid> / no key <keyid>
Explanation: Enter the keychain-key mode and configure a key of the keychain; the no key <keyid> command deletes one key.
Command (Keychain-key mode): key-string <text> / no key-string <text>
Explanation: Configure the password used by the key; the no key-string <text> command deletes the...
5) Configure the split horizon
Command (Interface configuration mode): ip rip split-horizon [poisoned] / no ip rip split-horizon
Explanation: Apply split horizon when the port sends data packets; poisoned means poison reverse. The no ip rip split-horizon command cancels the split horizon.
(3) Configure other RIP protocol parameters
1) Configure RIP routing priority
2) Configure the RIP route capacity limit in route table...
Command: version { 1 | 2 } / no version
Explanation: Configure the version of all the RIP data packets transmitted/received by the Layer 3 switch ports; the no version command restores the default configuration, version 2.
(2) Configure the RIP version to send/receive in all ports.
(3) Configure whether to enable RIP packets sending/receiving for ports
Command Explanation...
Command: address-family ipv4 vrf <vrf-name> / no address-family ipv4 vrf <vrf-name>
Explanation: The command configures a RIP address family on the VRF of the PE router; the no address-family ipv4 vrf <vrf-name> command deletes the configured address family.
Command (Address family configuration mode): exit-address-family
Explanation: This command exits the address family mode.
17.4.3 Commands for RIP
17.4.3.1 accept-lifetime...
Default: No default configuration
Command Mode: keychain-key mode
Usage Guide: Refer to the 3.13 RIP authentication Introduction
Example: The example below shows the accept-lifetime configuration of key 1 on the keychain named mychain
Switch#config terminal
Switch(config)#key chain mychain
Switch(config-keychain)#key 1
Switch(config-keychain-key)#accept-lifetime 03:03:01 Dec 3 2004 04:04:02 Oct 6 2006
17.4.3.2 address-family ipv4...
ospf only delete OSPF routes from the RIP route table
isis only delete ISIS routes from the RIP route table
bgp only delete BGP routes from the RIP route table
all delete all routes from the RIP route table
Default: No default configurations
Command Mode: Privileged mode
Usage Guide: Using this command with the all parameter will delete all learnt routes in the RIP route table, which will be immediately recovered except for RIP routes.
Example:
Switch#config terminal
Switch(config)#router rip
Switch(config-router)#default-information originate
17.4.3.6 default-metric
Command: default-metric <value>
no default-metric
Function: Set the default metric value of the introduced route. The “no default-metric” command restores the default value to 1.
Parameter: <value> is the metric value to be set, ranging between 1~16.
Default: Default route metric value is 1
Command Mode: Router mode and address-family mode
Usage Guide: The default-metric command is used for setting the default route metric value...
Example:
Switch#config terminal
Switch(config)#router rip
Switch(config-router)#distance 8 10.0.0.0/8 mylist
17.4.3.8 distribute-list
Command: distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in|out} [<ifname>]
no distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in|out} [<ifname>]
Function: This command uses an access-list or prefix-list to filter the route update packets sent and received. The “no distribute-list{<access-list-number| access-list-name>...
the authentication.
Parameter: <name-of-chain> is the name of the adopted key chain. There may be spaces in the string. The input ends with an enter and the string should not be longer than 256 bytes
Default: Not configured
Command Mode: Interface Mode
Usage Guide: If the authentication is only configured without configuring the key chain or password used by the interface, the authentication has no effect.
Function: Set the password used in RIP authentication. The “no ip rip authentication string” cancels the authentication
Parameter: <text> is the password used in authentication, of which the length should be 1-16 characters, with spaces allowed. The password should end with enter
Command Mode: Interface mode
Usage Guide: The ip rip authentication key cannot be configured when this command is configured; a key id value is required in MD5 authentication, which is 1 when...
Command Mode: Interface Mode
Example:
Switch#config terminal
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip rip receive-packet
17.4.3.15 ip rip receive version
Command: ip rip receive version { 1 | 2 | 1 2 }
no ip rip receive version
Function: Set the version information of the RIP packets the interface receives. The default version is 2;...
Default: Version 2
Command Mode: Interface Mode
Example:
Switch#config terminal
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip rip send version 1
17.4.3.18 ip rip split-horizon
Command: ip rip split-horizon [poisoned]
no ip rip split-horizon
Function: Enable split horizon. The “no ip rip split-horizon” disables the split horizon.
Parameter: [poisoned] means configure the split horizon with poison reverse.
Function: This command is for entering the keychain management mode and configuring a keychain. The “no key chain <name-of-chain>” deletes one keychain.
Parameter: <name-of-chain> is the name string of the keychain, the length of which is not specifically limited.
Command Mode: Global Mode
Example:
Switch#config terminal
Switch(config)#key chain mychain...
statistics command.
Example:
Switch#config terminal
Switch(config)#router rip
Switch(config-router)#maximum-prefix 150
17.4.3.23 neighbor
Command: neighbor <A.B.C.D>
no neighbor <A.B.C.D>
Function: Specify the destination address that requires targeted-peer sending. The “no neighbor <A.B.C.D>” command cancels the specified address and restores all gateways to trustable.
|access-list-name> {in|out} <number> [<ifname>] no offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>] Function: Add an offset to the metric of the routes learned by RIP. The “no offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]” command disables this function. Parameter: <access-list-number|access-list-name> is the number or name of the access list to apply.
17.4.3.28 redistribute Command: redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>] no redistribute {kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>] Function: Import the routes learned from other routing protocols into RIP. Parameter: kernel imports kernel routes; connected imports directly connected routes; static imports static routes; ospf imports OSPF routes; isis imports IS-IS routes...
Command: router rip no router rip Function: Enable the RIP routing process and enter RIP mode; the “no router rip” command disables the RIP routing protocol. Default: RIP not running. Command Mode: Global mode. Usage Guide: This command starts the RIP routing protocol and must be executed before any other RIP command is configured.
<seconds> is the validity period of the key in seconds, ranging from 1 to 2147483646. Default: No default configuration. Command Mode: Keychain-key mode. Usage Guide: Refer to the 3.13 RIP authentication section. Example: The example below shows the send-lifetime configuration on the keychain named mychain for key 1.
Default: Version 2 packets are sent and received. Command Mode: Router mode and address-family mode. Usage Guide: 1 means every Layer 3 interface of the switch sends and receives only RIP-I (RIPv1) packets; 2 means every interface sends and receives only RIP-II (RIPv2) packets.
SwitchA(Config-Vlan2)# switchport interface ethernet 1/2 Set the port Ethernet1/2 access vlan 2 successfully SwitchA(Config-Vlan2)# exit SwitchA(Config)# interface vlan 2 SwitchA(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.0 Start the RIP protocol and configure the RIP segments SwitchA(config)#router rip SwitchA(config-router)#network vlan 1 SwitchA(config-router)#network vlan 2 SwitchA(config-router)#exit Configure interface vlan 2 not to send RIP messages to SwitchC SwitchA(config)#router rip...
Fig 17-4 RIP VPN example (topology: SwitchA vlan1 10.1.1.1/24 and vlan2 20.1.1.1/24; SwitchB vlan1 10.1.1.2/24; SwitchC vlan2 20.1.1.2/24). In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA is the PE and SwitchB and SwitchC are CE1 and CE2. The PE is connected to CE1 and CE2 through vlan 1 and vlan 2.
SwitchA(config-router-af)#network Vlan1 SwitchA(config-router-af)#exit-address-family SwitchA(config-router)#address-family ipv4 vrf vpnc SwitchA(config-router-af)#redistribute bgp SwitchA(config-router-af)#network Vlan2 SwitchA(config-router-af)#exit-address-family SwitchA(config-router)# CE1 (Layer 3 SwitchB): configure the IP address of Ethernet port E1/2 SwitchB#config SwitchB(config)# interface Vlan1 SwitchB(config-if-Vlan1)# ip address 10.1.1.2 255.255.255.0 SwitchB(config-if-Vlan1)#exit Start the RIP protocol and configure the RIP segments SwitchB(config)#router rip SwitchB(config-router-rip)#network Vlan1 SwitchB(config-router-rip)#exit...
One property of RIP should be kept in mind here: a Layer 3 switch running RIP sends route update messages to all neighboring Layer 3 switches every 30 seconds. A neighbor is considered unreachable if no route update from it is received within 180 seconds; the routes learned from it are then marked unreachable and remain in the routing table for a further 120 seconds before they are deleted.
Default redistribution metric is 1
Redistributing: static
Default version control: send version 2, receive version 2
  Interface   Send   Recv   Key-chain
  Vlan1
Routing for Networks:
  Vlan1
  Vlan2
Routing Information Sources:
  Gateway     Distance   Last Update   Bad Packets   Bad Routes
  20.1.1.1    120        00:00:31
Distance: (default is 120)
Displayed information / Explanation...
passed since the last route update. The administrative distance is 120. Distance: (default is 120): the default administrative distance is 120. 17.4.5.1.3 show ip rip Command: show ip rip Function: Show the routes in the RIP route database. Command Mode: Any mode. Example: show ip rip Codes: R - RIP, K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS,...
Parameter: Specifies the name of VPN routing/forwarding instances. Command Mode: Any mode Example: Switch# show ip rip database vrf IPI Codes: R - RIP, K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP Network Next Hop Metric From...
Vlan1 is up, line protocol is up: the interface is up
Routing Protocol: RIP: the protocol running on the interface is RIP
VPN Routing/Forwarding: vpnb: the routing/forwarding instance the interface belongs to
Receive RIP packets: the interface can receive RIP packets
Send RIP packets: the interface can send RIP packets
Passive interface: Disabled: passive-interface is disabled
Split...
17.5 RIPng 17.5.1 Introduction to RIPng RIPng is the IPv6 version of RIP, a protocol that dates back to the early Internet and is dedicated to small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Devices running a distance vector protocol regularly send two kinds of information to their neighbors: the distance to each destination network (the number of hops, i.e. the metric) and the direction (next hop) through which it is reached.
split horizon with poison reverse does not omit those routes but advertises them back with an infinite metric (16). The “triggered update” mechanism specifies that whenever a route metric changes, the gateway sends the update immediately instead of waiting for the 30-second timer. So far RIPng has only one version, version 1, defined in RFC 2080.
(4) 1. Enable RIPng protocol. Applying RIPng with its basic configuration on the ES4624-SFP/ES4626-SFP switch is simple. Normally you only have to enable RIPng and configure the segments that run it; those segments then send and receive RIPng packets with the default RIPng configuration.
Command: [no] neighbor <IPv6-address> <ifname>
Explanation: Specify the IPv6 link-local address and interface of a neighboring router that needs point-to-point (unicast) transmission; the no form cancels the appointed router.
Command: [no] passive-interface <ifname>
Explanation: Block the RIPng multicast on the specified port, so RIPng packets are exchanged there only with Layer 3 switches configured as neighbors...
Command: [no] offset-list <access-list-number|access-list-name> {in|out} <number> [<ifname>]
Explanation: Add an offset to the route metric when the port receives or sends RIPng packets; the no form removes the offset list.
3) Configure and apply route filters and route aggregation
Command Explanation...
(4) Delete the specified route in the RIPng route table
Command (Admin Mode): clear ipv6 rip route {<IPv6-address>|kernel|static|connected|rip|ospf|isis|bgp|all}
Explanation: deletes a specified route from the RIPng route table
17.5.3 Commands For RIPng 17.5.3.1 aggregate-address Command: [no] aggregate-address <ipv6-address> Function: Aggregate RIPng routes. The “[no] aggregate-address <ipv6-address>”...
Default: No default configuration. Command Mode: Admin mode. Usage Guide: The all parameter deletes every route in the RIPng route table. Example: Switch# clear ipv6 rip route 2001:1:1::/64 Switch# clear ipv6 rip route ospf 17.5.3.3 default-information originate Command: default-information originate no default-information originate...
no ipv6 rip split-horizon Function: Enable split horizon. The “no ipv6 rip split-horizon” command disables split horizon. Parameter: [poisoned] configures split horizon with poison reverse. Default: Split horizon with poison reverse. Command Mode: Interface Mode. Usage Guide: Split horizon prevents routing loops: the Layer 3 switch does not advertise a route back out of the interface on which that route was learned.
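What the two split-horizon settings above actually put into an update, together with the 30/180/120 second timer behaviour described in the RIP configuration example earlier in this chapter. This is an added example, not Edge-Core code; the logic is the same for RIP and RIPng, the prefixes, interface names and neighbor addresses are constructed sample data, and the clock is injectable so the timers can be stepped by hand.

```python
"""A minimal RIP route table: what gets advertised out of each interface under split horizon
(with and without poison reverse) and how the 180 s timeout / 120 s garbage-collection timers
retire a route. Added example, not Edge-Core code; sample prefixes and names are constructed."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

INFINITY = 16                                      # RIP "unreachable" metric
UPDATE_INTERVAL, TIMEOUT, GARBAGE = 30, 180, 120   # seconds, the defaults quoted in this chapter


@dataclass
class Route:
    metric: int
    next_hop: str
    iface: str                          # interface the route was learned on
    learned: float                      # clock value of the last refresh
    garbage_at: Optional[float] = None  # set once the route is poisoned; deleted at this time


class RipTable:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.routes: Dict[str, Route] = {}

    def learn(self, prefix: str, metric: int, next_hop: str, iface: str) -> None:
        """Process one received entry; the hop through the advertising neighbor costs 1."""
        metric = min(metric + 1, INFINITY)
        now = self.clock()
        cur = self.routes.get(prefix)
        if cur is None:
            if metric < INFINITY:                  # never install an unreachable route
                self.routes[prefix] = Route(metric, next_hop, iface, now)
        elif cur.next_hop == next_hop:
            cur.metric = metric
            if metric >= INFINITY:
                if cur.garbage_at is None:         # neighbor withdrew it: start garbage collection
                    cur.garbage_at = now + GARBAGE
            else:                                  # refresh from the neighbor we already use
                cur.learned, cur.garbage_at = now, None
        elif metric < cur.metric:
            self.routes[prefix] = Route(metric, next_hop, iface, now)   # strictly better path wins

    def expire(self) -> List[str]:
        """Timer sweep: a route not refreshed for 180 s is poisoned (metric 16) and kept for a
        further 120 s so the withdrawal propagates, then deleted. Returns the deleted prefixes."""
        now = self.clock()
        deleted = []
        for prefix, r in list(self.routes.items()):
            if r.garbage_at is None and now - r.learned >= TIMEOUT:
                r.metric, r.garbage_at = INFINITY, now + GARBAGE
            elif r.garbage_at is not None and now >= r.garbage_at:
                del self.routes[prefix]
                deleted.append(prefix)
        return deleted

    def advertise(self, out_iface: str, split_horizon: bool = True,
                  poison_reverse: bool = False) -> List[Tuple[str, int]]:
        """Entries placed in the periodic update sent on out_iface.
        Split horizon leaves out routes learned on out_iface; poison reverse includes them
        with metric 16, so the neighbor that gave us the route can never route it back via us."""
        update = []
        for prefix, r in sorted(self.routes.items()):
            if split_horizon and r.iface == out_iface:
                if poison_reverse:
                    update.append((prefix, INFINITY))
                continue
            update.append((prefix, r.metric))
        return update


if __name__ == "__main__":
    t = [0.0]                                   # hand-stepped clock
    tbl = RipTable(clock=lambda: t[0])
    tbl.learn("30.1.1.0/24", 1, "10.1.1.2", "Vlan1")
    tbl.learn("40.1.1.0/24", 3, "20.1.1.2", "Vlan2")
    print("Vlan1, split horizon:  ", tbl.advertise("Vlan1"))
    print("Vlan1, poison reverse: ", tbl.advertise("Vlan1", poison_reverse=True))
    t[0] = 180.0
    tbl.expire()
    print("Vlan2 after 180 s quiet:", tbl.advertise("Vlan2"))
    t[0] = 300.0
    print("deleted at 300 s:", tbl.expire())
```

Note that a poisoned route is still advertised with metric 16 during the 120 s garbage period, which is how the withdrawal reaches neighbors that would otherwise keep the stale entry until their own timers run out.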
Usage Guide: The command can also be configured on an IPv6 tunnel interface, but the configuration only takes effect if the tunnel itself is configured correctly. Example: Switch# config terminal Switch(config)# interface Vlan1 Switch(config-if-Vlan1)# ipv6 router rip 17.5.3.8 neighbor Command: [no] neighbor <ipv6-address> <ifname> Function: Specify a destination address for unicast (fixed) sending. The “[no] neighbor <ipv6-address>...
Function: Block RIPng multicast updates on the specified interface, so the Layer 3 switch sends RIPng packets there only to the Layer 3 switches configured with the neighbor command. Note that a passive interface still receives and processes RIPng packets; the command only suppresses what the interface sends, so it is not an access control. Parameter: <ifname> is the interface name. Default: Not configured. Command Mode: Router mode. Example: Switch# config terminal Switch(config)# router ipv6 rip...
SwitchA (config-router)#exit Configure the IPv6 address and interfaces of Ethernet port vlan1 to run RIPng SwitchA#config SwitchA (config)# interface Vlan1 SwitchA (config-if-Vlan1)# IPv6 address 2000:1:1::1/64 SwitchA (config-if-Vlan1)#IPv6 router rip SwitchA (config-if-Vlan1)#exit Configure the IPv6 address and interfaces of Ethernet port vlan2 to run RIPng SwitchA (config)# interface Vlan2 SwitchA (config-if-Vlan2)# IPv6 address 2001:1:1::1/64 SwitchA (config-if-Vlan2)#IPv6 router rip...
17.5.5 RIPng Troubleshooting The RIPng protocol may not work properly because of errors such as faulty physical connections or configuration mistakes made when configuring and using RIPng. Users should therefore check the following: first, ensure the physical connection is correct and IP forwarding is enabled; second, ensure the interface and link layer protocol are UP (use the show interface command); then start the RIPng protocol (use the router ipv6 rip command) and configure the port...
1970/01/01 21:15:09 IMI: RECV[Ethernet1/10]: Receive from [fe80::20b:46ff:fe57:8e60]:521
1970/01/01 21:15:09 IMI: RECV[Ethernet1/10]: 3000:1:1::/64 is filtered by access-list dclist
1970/01/01 21:15:09 IMI: RECV[Ethernet1/10]: 3ffe:1:1::/64 is filtered by access-list dclist
1970/01/01 21:15:15 IMI: RECV[Ethernet1/2]: Receive from [fe80::203:fff:fe01:257c]:521
17.5.5.1.2 show debugging ipv6 rip Command: show debugging ipv6 rip Function: Show the RIPng debugging status for the following debugging options: nsm debugging, RIPng event debugging, RIPng packet debugging and RIPng nsm debugging Command Mode: Any mode...
3000:1:1::1/64 fe80::203:fff:fe01:429e/64 17.5.5.1.4 show ipv6 protocols rip Command: show ipv6 protocols rip Function: Show the RIPng process parameters and statistic messages Command Mode: Any mode Example: Routing Protocol is "RIPng" Sending updates every 30 seconds with +/-50%, next due in 1 second Timeout after 180 seconds, garbage collect after 120 seconds Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set...
17.5.5.1.5 show ipv6 rip Command: show ipv6 rip Function: Show RIPng Routing Command Mode: Any mode Example: Switch# show ipv6 rip Codes: R - RIP, K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP, a - aggregate, s - suppressed Network Next Hop...
17.6 OSPF 17.6.1 Introduction to OSPF OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among Layer 3 switches, and then runs the Shortest Path First algorithm on that database to generate the routing table.
5) Each neighboring Layer 3 switch copies the LSA packet and passes it on to its own neighbors (flooding). 6) Because the routing database is not recalculated before a Layer 3 switch forwards the LSA flood, convergence time is greatly reduced. One major advantage of link-state routing protocols is that counting to infinity cannot occur, because of the way link-state protocols build their routing tables.
bandwidth required in the network. OSPF uses four kinds of routes: intra-area routes, inter-area routes, type 1 external routes and type 2 external routes, in descending order of preference. Intra-area and inter-area routes describe the internal structure of the autonomous system, while external routes describe how to reach destinations outside the autonomous system.
RFC2328. 17.6.2 OSPF Configuration Task List The OSPF configuration for Edge-core series switches may differ from the procedure for switches of other manufacturers. It is a two-step process: 1. Enable OSPF in Global Mode;...
Disable OSPF protocol 1. Enable OSPF protocol Basic configuration of the OSPF routing protocol on the ES4624-SFP/ES4626-SFP switch is quite simple: usually only enabling OSPF and configuring the OSPF area for the interface are required. The OSPF protocol parameters can be left at their default settings. If OSPF protocol parameters need to be modified, please refer to “2.
Command: [no] passive-interface {IFNAME | ethernet IFNAME | Vlan <ID>}
Explanation: Sets an interface to receive only; the no form cancels this configuration.
2. Configure OSPF protocol parameters
(1) Configure OSPF packet sending parameters
1) Configure OSPF packet authentication
2) Set the OSPF interface to receive only
3) Configure the cost for sending packets from the interface
Command...
Command: ip ospf transmit-delay <time> / no ip ospf transmit-delay
Explanation: Sets the delay added before sending link-state advertisements; the “no ip ospf transmit-delay” command restores the default setting.
Command: ip ospf retransmit <time> / no ip ospf retransmit
Explanation: Sets the retransmission interval for link-state advertisements between neighboring Layer 3 switches; the “no ip ospf retransmit” command restores the default setting.
Command: area <id> {authentication [message-digest] | default-cost <cost> | filter-list {access | prefix} <WORD> {in | out} | nssa [default-information-originate | no-redistribution | no-summary | ...
Explanation: Configure the parameters of an OSPF area (STUB area, NSSA area and virtual links); the no area <id> {authentication | default-cost | filter-list {access | prefix} <WORD>... form cancels them.
Parameter: <id> is the area number, given either as a number ranging from 0 to 4294967295 or as an IP address. Default: No authentication. Command Mode: OSPF protocol mode. Usage Guide: Set the authentication mode to plaintext or MD5 authentication. The authentication mode can also be configured under interface mode, and the interface setting takes precedence over the area setting. Plaintext authentication carries the password in every OSPF packet in clear text and only protects against accidental misconfiguration; use message-digest where the neighbors support it.
Command Mode: OSPF protocol mode. Usage Guide: This command filters the routes of a specific area so they are not advertised between this area and other areas. Example: Set a filter on area 1 Switch(config)#access-list 1 deny 172.22.0.0 0.0.0.255 Switch(config)#access-list 1 permit any Switch(config)#router ospf 100 Switch(config-router)#area 1 filter-list access 1 in 17.6.3.4 area nssa...
Command: area <id> range <address> [advertise| not-advertise| substitute] no area <id> range <address> Function: Aggregate OSPF route on the area border. The “no area <id> range <address>“ cancels this function. Parameter: <id> is the area number which could be digits ranging between 0 ~ 4294967295, and also as an IP address.
Switch(config)# router ospf Switch(config-router)# area 1 shortcut default Switch(config-router)# area 52 shortcut disable Switch(config-router)# no area 42 shortcut enable 17.6.3.7 area stub Command: area <id> stub [no-summary] no area <id> stub [no-summary] Function: Define an area as a stub area. The “no area <id> stub [no-summary]” command cancels this function.
AUTH_KEY= authentication-key <key>; <key>: a plaintext password of up to 8 characters. INTERVAL= [dead-interval|hello-interval|retransmit-interval|transmit-delay] <value>; <value>: the delay or interval in seconds, ranging from 1 to 65535. <dead-interval>: a neighbor is declared down if none of its Hello packets is received within the dead interval; the default is 40 seconds. <hello-interval>: the interval between the Hello packets the router sends; the default is 10 seconds. <retransmit-interval>: the interval before a router retransmits a packet...
Example: Switch#config terminal Switch(config)#router ospf 100 Switch(config-router)#auto-cost reference-bandwidth 50 17.6.3.10 capability opaque Command: [no] capability opaque Function: This command enables opaque LSAs. The “[no] capability opaque” command disables this function. Default: Opaque LSAs enabled. Command Mode: OSPF protocol mode. Usage Guide: Opaque LSAs are type 9, 10 and 11 LSAs used to carry information for external applications.
17.6.3.13 distance Command: distance {<value>|ROUTEPARAMETER} no distance ospf Function: Configure the OSPF administrative distance based on route type. The “no distance ospf” command restores the default value. Parameter: <value>, the OSPF administrative distance, ranging between 1~235 ROUTEPARAMETER= ospf {ROUTE1|ROUTE2|ROUTE3} ROUTE1= external <external-distance>, configure the distance of routes learned from other routing domains.
bgp BGP route Command Mode: OSPF protocol mode. Usage Guide: Use this command to redistribute routes from other routing protocols into the OSPF routing table. Example: The example below redistributes BGP routes filtered by access-list 1.
cancels the authentication. Parameter: <ip-address> is the interface IP address, in dotted decimal notation. message-digest: use MD5 authentication. null: no authentication, which clears the password or MD5 authentication applied on the interface. Default: Authentication is not required when receiving OSPF packets on the interface. Command Mode: Interface Mode. Example: Switch#config terminal...
Switch#config terminal Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip ospf cost 3 17.6.3.19 ip ospf database-filter Command: ip ospf [<ip-address>] database-filter all out no ip ospf [<ip-address>] database-filter Function: Enable the outgoing LSA database filter on a specific interface, so that no LSAs are flooded out of it; the “no ip ospf [<ip-address>] database-filter” command disables the filter. Parameter: <ip-address>...
17.6.3.21 ip ospf disable all Command: [no] ip ospf disable all Function: Stop OSPF packet processing on the interface. Command Mode: Interface Mode. Usage Guide: This command overrides the network area command and stops OSPF packet processing on the specific interface. Example: Switch#config terminal Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip ospf disable all 17.6.3.22 ip ospf hello-interval...
Function: Specify the key id and key for MD5 authentication on the interface; the “no ip ospf [<ip-address>] message-digest-key <key_id>” command restores the default. Parameter: <ip-address> is the interface IP address in dotted decimal notation; <key_id> ranges from 1 to 255 and must match on both neighbors, since the receiver uses it to select the key; <LINE> is the OSPF key. Default: No MD5 key configured. Command Mode: Interface Mode. Usage Guide: MD5 keyed authentication is used to secure OSPF exchanges between...
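The interface parameters in this section (authentication mode and key, hello and dead intervals, area, network mask, stub flag) all have to agree before two OSPF routers accept each other's Hellos, and a mismatch in any of them fails silently. The following added example, which is not Edge-Core code, builds OSPFv2 Hello packets and applies the receiver-side checks of RFC 2328 sections 8.2 and 10.5 to them, including the null/simple authentication types and the packet checksum; cryptographic (message-digest) authentication is deliberately not implemented here. Router IDs, addresses, the password and the interface configuration dictionary are constructed sample data.

```python
"""Receiver-side acceptance of an OSPFv2 Hello (RFC 2328 sections 8.2 and 10.5): version,
length, authentication type and simple password, checksum, area, mask, timers and stub flag.
Added example, not Edge-Core code; MD5 (AUTH_CRYPTO) is not implemented. Sample data is constructed."""
import hmac
import socket
import struct

OSPF_V2, HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
OPT_E = 0x02                       # E-bit: external routing capability, clear inside stub areas
HDR_LEN, HELLO_FIXED_LEN = 24, 20


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def ospf_checksum(pkt: bytes) -> int:
    """One's-complement checksum with the checksum field and the 8-byte authentication
    field treated as zero (RFC 2328 D.2); not used with AUTH_CRYPTO."""
    buf = pkt[:12] + b"\0\0" + pkt[14:16] + b"\0" * 8 + pkt[24:]
    if len(buf) % 2:
        buf += b"\0"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(router_id, area_id, mask, hello, dead, priority, auth_type=AUTH_NULL,
                password=b"", stub=False, neighbors=()):
    """Serialize an OSPFv2 Hello; neighbors are the router IDs the sender has already heard."""
    options = 0 if stub else OPT_E
    body = struct.pack("!4sHBBI4s4s", _ip(mask), hello, options, priority, dead,
                       b"\0" * 4, b"\0" * 4) + b"".join(_ip(n) for n in neighbors)
    auth = password.ljust(8, b"\0")[:8] if auth_type == AUTH_SIMPLE else b"\0" * 8
    hdr = struct.pack("!BBH4s4sHH8s", OSPF_V2, HELLO, HDR_LEN + len(body), _ip(router_id),
                      _ip(area_id), 0, auth_type, auth)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def accept_hello(pkt: bytes, cfg: dict):
    """Checks a Hello arriving on an interface described by cfg (router_id, area, mask, hello,
    dead, auth_type, password, stub, network_type). Returns (accepted, reason); on success
    the reason is the neighbor state that results (1-way, or 2-way if we are listed)."""
    if len(pkt) < HDR_LEN + HELLO_FIXED_LEN:
        return False, "truncated"
    ver, ptype, length, _rid, area, csum, atype, auth = struct.unpack_from("!BBH4s4sHH8s", pkt)
    if ver != OSPF_V2 or ptype != HELLO:
        return False, "not an OSPFv2 Hello"
    if length != len(pkt):
        return False, "length mismatch"
    if atype != cfg["auth_type"]:                 # 'ip ospf authentication' / 'area authentication'
        return False, "authentication type mismatch"
    if atype == AUTH_CRYPTO:
        return False, "cryptographic authentication not handled in this example"
    if ospf_checksum(pkt) != csum:
        return False, "bad checksum"
    if atype == AUTH_SIMPLE and not hmac.compare_digest(auth, cfg["password"].ljust(8, b"\0")[:8]):
        return False, "bad password"
    if socket.inet_ntoa(area) != cfg["area"]:
        return False, "area mismatch"
    mask, hello, options, _prio, dead, _dr, _bdr = struct.unpack_from("!4sHBBI4s4s", pkt, HDR_LEN)
    if cfg["network_type"] != "point-to-point" and socket.inet_ntoa(mask) != cfg["mask"]:
        return False, "network mask mismatch"
    if hello != cfg["hello"]:
        return False, "hello interval mismatch"
    if dead != cfg["dead"]:
        return False, "dead interval mismatch"
    if bool(options & OPT_E) == cfg["stub"]:      # both sides must agree the area is a stub
        return False, "stub area (E-bit) mismatch"
    heard = [socket.inet_ntoa(pkt[i:i + 4]) for i in range(HDR_LEN + HELLO_FIXED_LEN, len(pkt), 4)]
    return True, "2-way" if cfg["router_id"] in heard else "1-way"


if __name__ == "__main__":
    # Constructed: our interface vlan1 in area 1 with simple-password authentication.
    cfg = dict(router_id="10.1.1.1", area="0.0.0.1", mask="255.255.255.0", hello=10, dead=40,
               auth_type=AUTH_SIMPLE, password=b"DCS", stub=False, network_type="broadcast")
    peer = build_hello("10.1.1.2", "0.0.0.1", "255.255.255.0", 10, 40, 1, AUTH_SIMPLE, b"DCS",
                       neighbors=["10.1.1.1"])
    rogue = build_hello("10.1.1.99", "0.0.0.1", "255.255.255.0", 10, 40, 255)   # no auth, prio 255
    print("peer :", accept_hello(peer, cfg))
    print("rogue:", accept_hello(rogue, cfg))
```

The order of the checks matters for troubleshooting: a neighbor that never appears in show ip ospf neighbor failed one of the early checks (authentication, area, mask or timers), while one stuck below Full passed them all and the problem lies later in the adjacency (for example the MTU check that ip ospf mtu-ignore disables).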
notation. Default: MTU size is checked in Database Description (DD) packets. Command Mode: Interface Mode. Example: Switch#config terminal Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip ospf mtu-ignore 17.6.3.26 ip ospf network Command: ip ospf network {broadcast|non-broadcast|point-to-point|point-to-multipoint} no ip ospf network Function: This command configures the OSPF network type of the interface; the “no ip ospf network”...
number if the priorities are equal. A Layer 3 switch with a priority of 0 is never elected Designated Router (DR) or Backup Designated Router (BDR). Example: Configure the DR election priority. Configure interface vlan 1 so that it cannot be elected, that is, set its priority to 0.
Command Mode: Interface Mode. Usage Guide: An LSA ages while it is held by Layer 3 switches but not while it is in transit on the network; the transmit delay is added to the LSA age before the LSA is sent, so that the age stays correct after the transmission time on the link. Example: Set the LSA transmit delay of interface vlan1 to 3 seconds. Switch#config terminal Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip ospf transmit-delay 3...
entry. The configured neighbor address should be the primary address of the interface. The poll interval should be much larger than the hello interval. Example: Switch#config terminal Switch(config)#router ospf 100 Switch(config-router)#neighbor 1.2.3.4 priority 1 poll-interval 90 Switch(config-router)#neighbor 1.2.3.4 cost 15 17.6.3.32 network area Command: network NETWORKADDRESS area <area-id>...
Usage Guide: Specify the ABR implementation type. This is useful for interoperation between different OSPF implementations and is especially helpful in multi-vendor environments. Example: Configure the ABR type as standard Switch#config terminal Switch(config)#router ospf 100 Switch(config-router)#ospf abr-type standard 17.6.3.34 ospf router-id Command: ospf router-id <address>...
Command: [no] overflow database external [<maxdbsize> <maxtime>] Function: Configure the size of the external link-state database and the waiting time before the router leaves the overflow state. The “[no] overflow database external [<maxdbsize> <maxtime>]” command restores the default value. Parameter: <...
route-map <word> specifies the route map to apply when importing the routes; tag <tag-value> is the external tag of the imported route, ranging from 0 to 4294967295, default 0. Command Mode: OSPF mode. Usage Guide: Learn routes from other routing protocols and import them into the OSPF domain, generating AS-external LSAs. Example: Switch#config terminal Switch(config)#router ospf...
2 Set the OSPF external type 2 metric. ROUTEMAP = route-map <WORD>; <WORD> specifies the route map name to apply. Default: the default metric is 10, the default OSPF external link type is 2. Command Mode: OSPF protocol mode. Usage Guide: When routes are introduced into the OSPF routing domain with this command, the system behaves as an ASBR. Example:...
ES4624-SFP/ES4626-SFP switch for example, where layer3 SwitchA and SwitchE make up OSPF area 0, layer3 SwitchB and SwitchC form OSPF area 1 (assume vlan1 interface of layer3 SwitchA belongs to area 0), layer3 SwitchD forms OSPF area 2 (assume vlan2 interface of layer3 SwitchE belongs to area 0).
Fig 17-6 Network topology of the OSPF autonomous system (Area 0: SwitchA E1/1 100.1.1.1 vlan1 and E1/2 10.1.1.1 vlan2, SwitchE E1/1 100.1.1.2 vlan2 and E1/2 30.1.1.1 vlan3; Area 1: SwitchB E1/1 10.1.1.2 vlan1 and E1/2 20.1.1.1 vlan3, SwitchC E1/1 20.1.1.2 vlan3; Area 2: SwitchD E1/1 30.1.1.2 vlan3). The configuration for layer3 SwitchA and SwitchE is shown below: Layer 3 SwitchA Configuration of the IP address for interface vlan1 SwitchA#config...
SwitchB(config-if-vlan3)#no shut-down SwitchB(config-if-vlan3)#exit Enable OSPF and configure the areas that interfaces vlan1 and vlan3 belong to SwitchB(config)#router ospf SwitchB(config-router)# network 10.1.1.0/24 area 0 SwitchB(config-router)# network 20.1.1.0/24 area 1 SwitchB(config-router)#exit SwitchB(config)#exit SwitchB# Layer 3 SwitchC Configuration of the IP address for interface vlan3 SwitchC#config SwitchC(config)# interface vlan 3 SwitchC(config-if-vlan3)# ip address 20.1.1.2 255.255.255.0...
SwitchE#config SwitchE(config)# interface vlan 2 SwitchE(config-if-vlan2)# ip address 100.1.1.2 255.255.255.0 SwitchE(config-if-vlan2)#no shut-down SwitchE(config-if-vlan2)#exit Configuration of the IP address for interface vlan3 SwitchE(config)# interface vlan 3 SwitchE(config-if-vlan3)# ip address 30.1.1.1 255.255.255.0 SwitchE(config-if-vlan3)#no shut-down SwitchE(config-if-vlan3)#exit Enable OSPF and configure the area numbers that interfaces vlan2 and vlan3 belong to.
SwitchA0 and Switch11, and networks N8-N10 share a summary route with host H1 (i.e. area 3 is defined as a STUB area). Layer 3 SwitchA, SwitchB, SwitchD, SwitchE, SwitchG, SwitchH and Switch12 are internal (intra-area) Layer 3 switches; SwitchC, SwitchD, SwitchF, Switch10 and Switch11 are area border Layer 3 switches; SwitchD and SwitchF are boundary Layer 3 switches of the autonomous system.
The following are only the configurations of the Layer 3 switches in area 1; the configurations of the Layer 3 switches in the other areas are omitted. The configurations of SwitchA, SwitchB, SwitchC and SwitchD: 1)SwitchA: Configure IP address for interface vlan2 SwitchA#config SwitchA(config)# interface vlan 2 SwitchA(config-If-Vlan2)# ip address 10.1.1.1 255.255.255.0 SwitchA(config-If-Vlan2)#exit...
SwitchB(config-If-Vlan2)#ip ospf authentication SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS SwitchB(config-If-Vlan2)#exit Configure IP address and area number for interface vlan1. SwitchB(config)# interface vlan 1 SwitchB(config-If-Vlan1)#ip address 20.1.2.1 255.255.255.0 SwitchB(config-If-Vlan1)#exit SwitchB(config)#router ospf SwitchB(config-router)#network 20.1.2.0/24 area 1 SwitchB(config-router)#exit SwitchB(config)#exit 3)SwitchC: Configure IP address for interface vlan2 SwitchC#config SwitchC(config)# interface vlan 2 SwitchC(config-If-Vlan2)# ip address 10.1.1.3 255.255.255.0...
SwitchC(config-router)#network 10.1.5.0/24 area 0 SwitchC(config-router)#exit Configure MD5 key authentication. (Note: after ip ospf authentication message-digest is enabled, the key must be configured with the ip ospf message-digest-key <key_id> command described in this chapter; the ip ospf authentication-key command shown on the next line sets a plaintext key, which MD5 authentication does not use.) SwitchC(config)#interface vlan 1 SwitchC (config-If-Vlan1)#ip ospf authentication message-digest SwitchC (config-If-Vlan1)#ip ospf authentication-key DCS SwitchC (config-If-Vlan1)#exit SwitchC(config)#exit SwitchC# 4)SwitchD: Configure IP address for interface vlan2 SwitchD#config SwitchD(config)# interface vlan 2 SwitchD(config-If-Vlan2)# ip address 10.1.1.4 255.255.255.0 SwitchD(config-If-Vlan2)#exit Enable OSPF protocol, configure the area number for interface vlan2.
Fig 17-8 OSPF VPN Example (topology: SwitchA vlan1 10.1.1.1/24 and vlan2 20.1.1.1/24; SwitchB vlan1 10.1.1.2/24; SwitchC vlan2 20.1.1.2/24). The above figure shows a network of three Layer 3 switches in which SwitchA is the PE and SwitchB and SwitchC are CE1 and CE2. The PE is connected to CE1 and CE2 through vlan1 and vlan2.
SwitchA(config-router)#network 10.1.1.0/24 area 0 SwitchA(config-router)#redistribute bgp SwitchA(config-router)#exit SwitchA(config)#router ospf 200 vpnc SwitchA(config-router)#network 20.1.1.0/24 area 0 SwitchA(config-router)#redistribute bgp The Layer 3 SwitchB of CE1: Configure the IP address of Ethernet port E1/2 SwitchB#config SwitchB(config)# interface Vlan1 SwitchB(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0 SwitchB(config-if-vlan1)#exit Enable the OSPF protocol and configure the OSPF segments SwitchB(config)#router ospf...
non-backbone areas must connect to each other only through area 0; a border Layer 3 switch (ABR) is one with some of its interfaces in area 0 and the others in a non-zero area; a DR should be designated for multi-access networks such as broadcast networks.
17.6.5.1.4 debug ospf nfsm Command: [no] debug ospf nfsm [status|events|timers] Function: Enable the debugging switches for the OSPF neighbor state machine; the “[no] debug ospf nfsm [status|events|timers]” command disables them. Default: Disabled. Command Mode: Admin mode and global mode. Example: Switch#debug ospf nfsm events 17.6.5.1.5 debug ospf nsm Command: [no] debug ospf nsm [interface|redistribute] Function: Enable the debugging switches for OSPF NSM; the “[no] debug...
17.6.5.1.8 show ip ospf Command: show ip ospf [<process-id>] Function: Display the main OSPF information. Parameter: <process-id> is the process ID, ranging from 0 to 65535. Default: Not displayed. Command Mode: All modes. Example: Switch#show ip ospf Routing Process "ospf 0" with ID 192.168.1.1 Process bound to VRF default Process uptime is 2 days 0 hour 30 minutes Conforms to RFC2328, and RFC1583Compatibility flag is disabled...
Number of external LSA 0. Checksum Sum 0x000000 Number of opaque AS LSA 0. Checksum Sum 0x000000 Number of non-default external LSA 0 External LSA database is unlimited. Number of LSA originated 0 Number of LSA received 0 Number of areas attached to this router: 1 Area 0 (BACKBONE) (Inactive) Number of interfaces in this area is 0(0) Number of fully adjacent neighbors in this area is 0...
Function: Display the OSPF link-state database information. Parameter: <process-id> is the process ID, ranging from 0 to 65535; <linkstate_id> is the link-state ID, in dotted decimal notation; <advertiser_router> is the ID of the advertising router, in dotted decimal IP address format. Default: Not displayed. Command Mode: All modes...
2.2.3.0 192.168.1.1 1103 0x8000002b 0x0ec3 E2 2.2.3.0/24 [0x0] 17.6.5.1.11 show ip ospf interface Command: show ip ospf interface <interface> Function: Display the OSPF interface messages Parameter: <interface> is the name of interface Default: Not displayed Command Mode: All modes Example: Switch#show ip ospf interface Loopback is up, line protocol is up OSPF not enabled on this interface...
192.168.1.1   Full/Backup   00:00:32   6.1.1.1    Vlan1
192.168.1.3   Full/DR       00:00:36   20.1.1.3   Vlan2
192.168.1.3   Full/ -       00:00:30   20.1.1.3   VLINK2
Displayed information / Explanation:
Neighbor ID: neighbor router ID
Priority: neighbor priority
State: neighbor relationship state
Dead time: neighbor dead time
Address: interface address of the neighbor
Interface: interface name
17.6.5.1.13 show ip ospf route Command: show ip ospf [<process-id>] route Function: Display the OSPF routing table information...
Command Mode: All modes Example: Switch#show ip ospf virtual-links Virtual Link VLINK0 to router 10.10.0.9 is up Transit area 0.0.0.1 via interface Vlan1 Transmit Delay is 1 sec, State Point-To-Point, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:02 Adjacency state Full Virtual Link VLINK1 to router 10.10.0.123 is down...
Routing Protocol is "bgp 0" Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is IGP synchronization is disabled Automatic route summarization is disabled Neighbor(s): Address FiltIn FiltOut DistIn DistOut Weight RouteMap Incoming Route Filter: 17.7 OSPFv3 17.7.1 Introduction to OSPFv3 OSPFv3 (Open Shortest Path First)...
packets to pass, link bandwidth, and the current load of the link; the administrator can even add weights for a better assessment of the link state. 1) When a link-state Layer 3 switch joins a link-state network, it sends a Hello packet to discover its neighbors and establish neighbor relationships. 2) The neighbors respond with information about the links they are connected to and the related costs.
switches to form a link-state database describing the whole autonomous system. Each layer3 switch builds a shortest path tree rooted by itself according to the link-state database, this tree provide the routes to all nodes in an autonomous system. If two or more layer3 switches exist (i.e.
AS boundary Layer 3 switches and flooded through the whole autonomous system. A Link LSA is generated by a Layer 3 switch on a link and sent to the other Layer 3 switches on that link. An Intra-Area-Prefix LSA is generated by the designated Layer 3 switch of each link in the area and flooded through the whole area.
Enable OSPFv3 Protocol Running the basic OSPFv3 configuration on the ES4624-SFP/ES4626-SFP Layer 3 switch is simple: normally it is enough to enable OSPFv3 and apply OSPFv3 on the interfaces, leaving the OSPFv3 protocol parameters at their default values. Refer to 2. Configure OSPF auxiliary parameters if the OSPFv3 protocol parameters need to be modified.
router-id <router_id>
no router-id
Configure the router ID of the OSPFv3 process (required); the no router-id command resets the ID to 0.0.0.0.
passive-interface <ifname>
no passive-interface <ifname>
Configure an interface to receive OSPFv3 packets without sending; the no passive-interface <ifname> command cancels the configuration.
Interface Configuration Mode
[no] IPv6 router ospf area <area-id> ...
Enable OSPFv3 routing on the interface. [no] IPv6...
IPv6 ospf dead-interval <time> [instance-id <id>]
no IPv6 ospf dead-interval [instance-id <id>]
Sets the interval after which a neighbor layer 3 switch is regarded as down; the no command restores the default setting.
IPv6 ospf transit-delay <time>
Sets the delay time before sending a link-state advertisement;...
area <id> stub [no-summary]
no area <id> stub [no-summary]
area <id> default-cost <cost>
no area <id> default-cost
area <id> virtual-link A.B.C.D [instance-id <instance-id> | INTERVAL]
no area <id> virtual-link A.B.C.D [instance-id <instance-id> | INTERVAL]
Configure OSPFv3 area parameters (stub area, virtual link). The no commands restore the default values.
4)...
area or NSSA area
Example: Set the default-cost of area 1 to 10
Switch(config-router)#area 1 default-cost 10
17.7.3.2 area range
Command: area <id> range <ipv6address> [advertise|not-advertise]
no area <id> range <ipv6address>
Function: Aggregate OSPFv3 routes on the area border. The "no area <id> range <address>"...
configuration commands for the routers in the stub area: stub and default-cost. All routers connected to the stub area must be configured with the area stub command. For the area border routers connected to the stub area, the cost of the default route they inject is set with the area default-cost command.
Example:
Switch#config terminal
Switch(config)#router ipv6 ospf
Switch(config-router)#area 1 virtual-link 10.10.11.50 hello 5 dead 20
Switch(config-router)#area 1 virtual-link 10.10.11.50 instance-id 1
17.7.3.5 abr-type
Command: abr-type {cisco|ibm|standard}
no abr-type [cisco|ibm|standard]
Function: Configure the OSPF ABR type with this command. The "no abr-type [cisco|ibm|standard]"...
Switch(config)#router ipv6 ospf
Switch(config-router)#default-metric 100
17.7.3.7 ipv6 ospf cost
Command: ipv6 ospf cost <cost> [instance-id <id>]
no ipv6 ospf cost [instance-id <id>]
Function: Specify the cost of running OSPFv3 on the interface; the "no ipv6 ospf cost [instance-id <id>]" command restores the default value
Parameter: <id>...
Switch#config terminal
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 ospf dead-interval 80
17.7.3.9 ipv6 ospf display route single-line
Command: [no] ipv6 ospf display route single-line
Function: Change the display format of the show ipv6 ospf route command to one route per line. The "no ipv6 ospf display route single-line" command restores the default display mode
Default: Not configured
Command Mode: Global Mode...
Switch(Config-if-Vlan1)#ipv6 ospf hello-interval 20
Relevant Commands: ipv6 ospf dead-interval
17.7.3.11 ipv6 ospf priority
Command: ipv6 ospf priority <priority> [instance-id <id>]
no ipv6 ospf priority [instance-id <id>]
Function: Configure the priority of the interface in the election of the designated layer 3 switch (DR). The "no ipv6 ospf priority [instance-id <id>]" command restores the default value
Parameter: <id>...
packet is not received within the interval, the LSA is retransmitted. The retransmit interval must be larger than the round-trip time between the two layer 3 switches. The command can also be configured on an IPv6 tunnel interface, but the tunnel should be configured with care.
<instance-id> is the interface instance ID, ranging from 0 to 255, default 0.
<tag> is the OSPFv3 process identifier.
Default: Not configured
Command Mode: Interface Mode
Usage Guide: To enable this command on the interface, the area ID must be configured. The instance ID and instance tag are optional. The OSPFv3 process allows one routing instance for each instance ID.
Example:
Switch#config terminal
Switch(config)#router ipv6 ospf
Switch(config-router)#passive-interface vlan1
17.7.3.17 redistribute
Command: [no] redistribute {kernel|connected|static|rip|isis|bgp} [metric <value>] [metric-type {1|2}] [route-map <word>]
Function: Introduce routes learnt from other routing protocols into OSPFv3
Parameter: kernel: introduce kernel routes; connected: introduce directly connected routes; static: introduce static routes; rip: introduce RIP routes; isis: introduce IS-IS routes...
Example 1: OSPFv3 autonomous system. This scenario takes an OSPFv3 autonomous system consisting of five ES4624-SFP/ES4626-SFP switches as an example, where layer 3 SwitchA and SwitchD make up OSPF area 0, layer 3 Switch2 and Switch3 form OSPF area 1 (assume the vlan1 interface of layer 3 SwitchA belongs to area 0), and layer 3 SwitchD forms OSPF area 2...
(assume the vlan2 interface of layer 3 SwitchD belongs to area 0). Switch1 and SwitchD are backbone layer 3 switches, Switch2 and SwitchD are area border layer 3 switches, and Switch3 is the intra-area layer 3 switch.
[Figure: example topology. SwitchA, SwitchE and SwitchD in Area 0; interfaces E1/2 2030:1:1::1, E1/2 2010:1:1::1/64, E1/1 2100:1:1::1/64 and E1/1 2100:1:1::2/64 on vlan1/vlan2 ...]
SwitchD(config-if-vlan2)#exit
Configure the IPv6 address of interface vlan3 and its area
SwitchD(config)# interface vlan 3
SwitchD(config-if-vlan3)# IPv6 address 2030:1:1::1/64
SwitchD(config-if-vlan3)# IPv6 router ospf area 0
SwitchD(config-if-vlan3)#exit
SwitchD(config)#exit
17.7.5 OSPFv3 Troubleshooting
In the process of configuring and running OSPFv3, a physical connection problem or a configuration error may prevent OSPFv3 from working. Therefore, pay attention to the following points.
Switch#debug ipv6 ospf ifsm
1970/01/01 01:11:44 IMI: IFSM[Vlan1]: Hello timer expire
1970/01/01 01:11:44 IMI: IFSM[Vlan2]: Hello timer expire
17.7.5.1.2 debug ipv6 ospf lsa
Command: [no] debug ipv6 ospf lsa [generate|flooding|install|maxage|refresh]
Function: Open the debugging switches showing link-state advertisements; the "no debug ipv6 ospf lsa [generate|flooding|install|maxage|refresh]" command closes the debugging switches
Default: Closed
Command Mode: Admin mode and global mode...
Command Mode: Admin mode and global mode
17.7.5.1.6 debug ipv6 ospf route
Command: [no] debug ipv6 ospf route [ase|ia|install|spf]
Function: Open the debugging switches showing OSPFv3 route processing; the "no debug ipv6 ospf route [ase|ia|install|spf]" command closes them
Default: Closed
Command Mode: Admin mode and global mode
17.7.5.1.7 show ipv6 ospf
Command: show ipv6 ospf [<tag>]
Function: Display OSPFv3 global and area information...
Function: Display the OSPFv3 link-state database
Parameter: <tag> is the process tag, which is a character string; <advertiser_router> is the ID of the advertising router, shown in IPv4 address format
Default: Not displayed
Command Mode: All modes
Usage Guide: The output of this command shows the contents of the OSPFv3 link-state database.
Example: The show ipv6 ospf database command shows the LSAs of the OSPFv3...
Network-LSA (Area 0.0.0.0): Network LSAs in Area 0
Intra-Area-Prefix-LSA (Area 0.0.0.0): Intra-Area-Prefix LSAs in Area 0
17.7.5.1.9 show ipv6 ospf interface
Command: show ipv6 ospf interface [<interface>]
Function: Display OSPFv3 interface information
Parameter: <interface> is the name of the interface
Default: Not displayed
Command Mode: All modes
Example:...
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:10
Neighbor Count is 1, Adjacent neighbor count is 1
Displayed information: Explanation
Vlan1 is up, line protocol is up: The interface is up both physically and logically
IPv6 Prefixes: IPv6 address of the interface and the...
Default: Not displayed
Command Mode: All modes
Usage Guide: The OSPFv3 neighbor state can be checked in the output of this command
Example:
OSPFv3 Process (*null*)
Neighbor ID     State        Dead Time  Interface  Instance ID
192.168.2.3     Full/Backup  00:00:29   Vlan1
192.168.2.1     Full/DR      00:00:38   Vlan2
Vlan1...
17.7.5.1.12 show ipv6 ospf topology
Command: show ipv6 ospf [<tag>] topology [area <area-id>]
Function: Show OSPFv3 topology information
Parameter: <tag> is the process tag, which is a character string; <area-id> is an area ID, which can be given as a number between 0 and 4294967295 or as an IPv4 address
Default: Not displayed
Command Mode: All modes...
Corporation. BGP has been in use since 1989; its first three versions are RFC 1105 (BGP-1), RFC 1163 (BGP-2) and RFC 1267 (BGP-3). Currently the most widely used one is RFC 1771 (BGP-4). The ES4624-SFP/ES4626-SFP switch supports BGP-4.
Characteristics of BGP-4
1. BGP-4 is suitable for distributed structures and supports Classless Inter-Domain Routing (CIDR).
BGP-4 provides rich routing policies, which make BGP-4 more extensible and support the growth of the Internet.
2. Overview of BGP-4 operation
Unlike RIP and OSPF, BGP is connection oriented: BGP speakers must establish a TCP connection before exchanging routing information. The operation of BGP is driven by messages, of which there are four kinds:
Open message: the first message, sent after the TCP connection is established.
EBGP: External BGP
When BGP runs within the same AS it is called IBGP; between different ASes it is called EBGP. Generally, external neighbors are directly connected, while internal neighbors can be anywhere in the AS. The difference is ultimately reflected in how BGP handles the routing information.
destination. The decision process is as follows:
1. Select the route with the highest weight first;
2. If the weights are equal, select the route with the highest local preference;
3. If the local preferences are equal, select the route originated by the local switch;
4.
9. Adjust the BGP Announcement Interval
10. Configure the Default Local Preference
11. Allow Advertising the Default Route
12. Configure the BGP MED Value
13. Configure BGP Route Redistribution
14. Configure BGP Route Dampening
15. Configure BGP Capability Negotiation
16. Configure the Route Server
17. Configure Path Selection Rules
I. Basic BGP configuration tasks
1. Enable BGP Routing
Command / Explanation...
Command / Explanation (Admin Mode)
clear ip bgp {<*>|<as-id>|external|peer-group <NAME>|<ip-address>} soft out: Perform outbound soft reconfiguration.
(3) Configure inbound soft reconfiguration
Command / Explanation (Router configuration mode)
neighbor {<ip-address>|<TAG>} soft-reconfiguration inbound: Store the routing information received from neighbors and peers;...
neighbor {<ip-address>|<TAG>} distribute-list {<1-199>|<1300-2699>|<WORD>} {in|out}
no neighbor {<ip-address>|<TAG>} distribute-list {<1-199>|<1300-2699>|<WORD>} {in|out}
Filter the routing updates of a neighbor; the no command cancels the routing filter.
(6) Configure Next-Hop
1) Set Next-Hop as the switch's address
Command / Explanation (BGP configuration mode)
While sending routes...
(8) Configure the BGP session identifier
Command / Explanation (BGP configuration mode)
bgp router-id <ip-address>
no bgp router-id
Configure the router-id value; the no bgp router-id command restores the default value.
(9) Configure the BGP Version
Command / Explanation (BGP configuration mode)
Set the version used with BGP neighbors;...
aggregate-address <ip-address/M> [summary-only] [as-set]
no aggregate-address <ip-address/M> [summary-only] [as-set]
Create an aggregate entry in the routing table; the no aggregate-address command cancels the aggregate entry.
3. Configure BGP Community Filtering
Command / Explanation (BGP configuration mode)
Allow routing updates with community attributes to be sent to the neighbor {<ip-address>...
Command / Explanation (BGP configuration mode)
neighbor <ip-address> route-reflector-client
no neighbor <ip-address> route-reflector-client
Configure the current switch as a route reflector and specify a client; the no command deletes the client.
(2) If there is more than one route reflector in the cluster, the following command configures the cluster-id
Command / Explanation
neighbor <ip-address> peer-group <TAG>
no neighbor <ip-address> peer-group <TAG>
Make a neighbor a member of the peer group; the no command removes the specified member.
7. Configure parameters of neighbors and peer groups
Command / Explanation (BGP configuration mode)
Specify a BGP neighbor; format neighbor {<ip-address>...
value.
neighbor {<ip-address>|<TAG>} ebgp-multihop [<1-255>]
no neighbor {<ip-address>|<TAG>} ebgp-multihop
Allow EBGP connections with neighbors that are not directly connected; the no command cancels this setting.
neighbor {<ip-address>|<TAG>} weight <weight>
Configure the weight of routes from a BGP neighbor; the no neighbor {<ip-address>|<TAG>} weight...
neighbor {<ip-address>|<TAG>} route-map <map-name> {in|out}
no neighbor {<ip-address>|<TAG>} route-map <map-name> {in|out}
Apply a route map to the routes exchanged with the neighbor; the no command cancels this setting.
neighbor {<ip-address>|<TAG>} soft-reconfiguration inbound
no neighbor {<ip-address>|<TAG>} soft-reconfiguration inbound
Store the route information received from neighbor peers; the no command cancels the storage.
neighbor {<ip-address>|<TAG>} advertisement-interval <seconds>
no neighbor {<ip-address>|<TAG>} advertisement-interval
Configure the minimum interval between route update advertisements; the no command restores the default setting.
10. Configure the Local Preference Value
Command / Explanation (BGP configuration mode)
bgp default local-preference <value>
Change the default local preference; the no...
13. Configure BGP route redistribution
Command / Explanation (BGP configuration mode)
redistribute {connected|static|rip|ospf} [metric <metric>] [route-map <NAME>]
no redistribute {connected|static|rip|ospf}
Redistribute IGP routes into BGP, optionally specifying the metric and a route map; the no command cancels the redistribution.
neighbor {<ip-address>|<TAG>} capability {dynamic|route-refresh}
no neighbor {<ip-address>|<TAG>} capability {dynamic|route-refresh}
neighbor {<ip-address>|<TAG>} capability prefix-list {both|send|receive}
no neighbor {<ip-address>|<TAG>} capability prefix-list
Configure capability negotiation with the neighbor; the capability match is carried out while the connection is established. The currently supported capabilities include route refresh, dynamic capability, outbound route filtering capability and the address...
bgp always-compare-med
no bgp always-compare-med
bgp bestpath as-path ignore
no bgp bestpath as-path ignore
bgp bestpath compare-confed-aspath
no bgp bestpath compare-confed-aspath
BGP path selection rules can be changed by configuration to alter the best-path selection: with these commands BGP compares the MED between routes from different neighboring ASes (EBGP), ignores the AS-PATH length, compares the confederation AS-path length, compares...
Usage Guide: To support VPN, VRF must be enabled on the border routers; to realize the VPN, create BGP neighbors in the VRF address family on the private network side and in the VPNv4 address family on the public network side. Configuration performed with this command for a specific VRF is independent of the IPv4 unicast address family.
[as-set]: Show the ASes on the path as a set, each AS shown once.
Default: No aggregate configured
Command Mode: BGP route mode
Usage Guide: Address aggregation reduces the routing information propagated outside. Use the summary-only option to advertise the aggregate route to the neighbors without advertising the specific routes.
Example: Announce the same route prefix through two ASes (100 and 300) to the same AS (200), carrying different MEDs; configure on the router 10.1.1.64:
Switch(config-router)#bgp always-compare-med
17.8.3.7 bgp bestpath as-path ignore
Command: bgp bestpath as-path ignore
no bgp bestpath as-path ignore
Function: Ignore the AS-PATH length in path selection.
Function: Compare router IDs in path selection; the "no bgp bestpath compare-routerid" command cancels this configuration
Parameter: None
Default: Not configured
Command Mode: BGP route mode
Usage Guide: Normally, with other conditions equal, the first route received from the same AS is chosen as the best route. With this command the router ID of the advertising router is also compared.
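The decision process introduced in the BGP overview (weight, then local preference, then locally originated routes) and the three tie-break switches documented in this section, bgp always-compare-med, bgp bestpath as-path ignore and bgp bestpath compare-routerid, as an added example that is not the switch's own code. Steps 1 to 3 are the ones this manual lists; the remaining steps (AS-path length, origin, MED, EBGP over IBGP, IGP metric, then oldest route) follow the RFC 4271 decision process as it is commonly implemented and are assumed to match the switch's order. The two routes below reproduce the always-compare-med scenario of 17.8.3.6: the same prefix arrives from AS 100 and AS 300 with different MEDs.

```python
"""BGP best-path selection with configurable tie-break rules.
Added example, not code from the switch or from this manual. The route
attributes and configuration switches are modelled after the commands in
this section; the ordering after step 3 is assumed (RFC 4271 style)."""
from dataclasses import dataclass
from functools import reduce
from typing import List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str
    neighbor_as: int            # AS of the peer that sent the route
    as_path: List[int]
    med: int = 0
    origin: str = "igp"
    local_pref: int = 100       # "bgp default local-preference"
    weight: int = 0             # "ne2ighbor weight", local to this router
    locally_originated: bool = False
    ebgp: bool = True
    igp_metric: int = 0         # IGP cost to the BGP next hop
    router_id: str = "0.0.0.0"  # BGP identifier of the advertising router
    received_order: int = 0     # lower = received earlier (the "oldest" route)


@dataclass
class Config:
    always_compare_med: bool = False   # bgp always-compare-med
    as_path_ignore: bool = False       # bgp bestpath as-path ignore
    compare_routerid: bool = False     # bgp bestpath compare-routerid


def _rid(r: Route):
    return tuple(int(o) for o in r.router_id.split("."))


def prefer(a: Route, b: Route, cfg: Config) -> Route:
    """Return the better of two routes to the same prefix."""
    if a.weight != b.weight:                       # step 1
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:               # step 2
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:   # step 3
        return a if a.locally_originated else b
    if not cfg.as_path_ignore and len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only comparable between routes from the same neighbouring AS
    # unless always-compare-med is set.
    if (cfg.always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    if cfg.compare_routerid and _rid(a) != _rid(b):
        return a if _rid(a) < _rid(b) else b
    # Default: keep the oldest route, which avoids churn on every new update.
    return a if a.received_order <= b.received_order else b


def best_path(routes: List[Route], cfg: Config = Config()) -> Route:
    """Pairwise elimination in arrival order. MED makes the comparison
    non-transitive, which is why real implementations also do it pairwise."""
    ordered = sorted(routes, key=lambda r: r.received_order)
    return reduce(lambda best, r: prefer(best, r, cfg), ordered)


# Constructed routes: the 17.8.3.6 scenario seen from AS 200.
FROM_AS100 = Route("203.0.113.0/24", neighbor_as=100, as_path=[100], med=50,
                   router_id="10.1.1.9", received_order=0)
FROM_AS300 = Route("203.0.113.0/24", neighbor_as=300, as_path=[300], med=10,
                   router_id="10.1.1.2", received_order=1)

if __name__ == "__main__":
    print("default:            ", best_path([FROM_AS100, FROM_AS300]).neighbor_as)
    print("always-compare-med: ", best_path([FROM_AS100, FROM_AS300], Config(always_compare_med=True)).neighbor_as)
    print("compare-routerid:   ", best_path([FROM_AS100, FROM_AS300], Config(compare_routerid=True)).neighbor_as)
```

With the defaults the MEDs are never compared because the routes come from different ASes, so the older route (from AS 100) wins; bgp always-compare-med makes the lower MED from AS 300 win; bgp bestpath compare-routerid also picks AS 300 here, but only because its router ID is lower, not because of the MED. Changing one of these switches therefore changes which neighbor's MED can steer your traffic, which is worth keeping in mind when an external peer is allowed to set MEDs.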
Default: Reflection is enabled by default when a client is configured.
Command Mode: BGP route mode
Usage Guide: After a reflection client is configured with neighbor {<ip-address>|<TAG>} route-reflector-client, the router performs route reflection by default. The no form of this command cancels route reflection among clients (reflection between clients and non-clients is not affected).
Example: Switch(config-router)#no bgp client-to-client reflection...
Switch(config-router)# bgp confederation identifier 600
17.8.3.14 bgp confederation peers
Command: bgp confederation peers <as-id> [<as-id>...]
no bgp confederation peers <as-id> [<as-id>...]
Function: Add one or several ASes to, or delete them from, the confederation
Parameter: ID numbers of the ASes included in the confederation; several may be given.
Default: No members
Command Mode: BGP route mode.
no bgp default {ipv4-unicast|local-preference [<0-4294967295>]}
Function: Set the BGP defaults; the "no bgp default {ipv4-unicast|local-preference [<0-4294967295>]}" command cancels this configuration
Parameter: <0-4294967295>: default local preference
Default: The IPv4 unicast address family is enabled by default when BGP is enabled. The default local preference is 100.
Command Mode: BGP route mode.
Usage Guide: This command rejects EBGP routes whose AS path does not begin with the neighbor's AS, and is usually used to avoid unsafe or unauthenticated routes.
Example: Switch(config-router)#bgp enforce-first-as
17.8.3.19 bgp fast-external-failover
Command: bgp fast-external-failover
no bgp fast-external-failover
Function: Reset the BGP session immediately when the interface to the neighbor goes down, rather than waiting for the TCP timeout. The "no bgp fast-external-failover" command cancels this configuration
Parameter: None
Default: Configured...
Parameter: None
Default: Not configured
Command Mode: BGP route mode.
Usage Guide: Display neighbor state change messages on the monitor
Example: Switch(config-router)# bgp log-neighbor-changes
17.8.3.22 bgp multiple-instance
Command: bgp multiple-instance
no bgp multiple-instance
Function: Set whether BGP supports multiple BGP instances; the "no bgp multiple-instance"...
1771, namely not checking the metric (MED) when the routes come from different ASes, a check which is performed when this attribute is not set.
Example:
Switch(config)# bgp rfc1771-path-select
Switch(config)# no bgp rfc1771-path-select
17.8.3.25 bgp rfc1771-strict
Command: bgp rfc1771-strict
no bgp rfc1771-strict
Function: Set whether the RFC 1771 restrictions are strictly followed. The "no bgp rfc1771-strict" command sets them to not be strictly followed
Parameter: None
Default: RFC 1771 restrictions are not strictly followed...
Default: The default interval is 60 s
Command Mode: BGP route mode.
Usage Guide: BGP periodically validates the next hop of its routes; this command configures the interval of that check. Set the parameter to 0 to disable the check.
Example: Switch(config-router)# bgp scan-time 30
17.8.3.28 clear ip bgp
Command: clear ip bgp [view <NAME>] {<*>|<as-id>|external|peer-group...
different parameters (such as address family or IPv4 address)
Example: Switch# clear ip bgp ipv4 unicast dampening
17.8.3.30 clear ip bgp flap-statistics
Command: clear ip bgp [<ADDRESS-FAMILY>] flap-statistics [<ip-address>|<ip-address/M>]
Function: Reset the BGP route dampening (flap) statistics.
Parameter: <ADDRESS-FAMILY>: address family, such as "ipv4 unicast"; <ip-address/M>: IP address and mask
Default: None
Command Mode: Admin mode...
Default: EBGP is 20, others are 200
Command Mode: BGP route mode.
Usage Guide: Set the administrative distance of BGP routes, which NSM uses as the basis for path selection between protocols
Example: Switch(config-router)# distance bgp 15 150 150
17.8.3.33 exit-address-family
Command: exit-address-family
Function: Exit the BGP address-family mode
Parameter: None
Default: None
Command Mode: BGP address-family mode...
Switch(config-af)#route-target both 100:10
Switch(config-af)#import map map1
Switch#show ip bgp vpn all
Network  Next Hop  Metric  LocPrf  Weight  Path
Route Distinguisher: 100:10 (Default for VRF DC1)
*> 11.1.1.0/24 11.1.1.64 0 200 ?
*>i15.1.1.0/24 10.1.1.68 655 300 ?
*> 20.1.1.0/24 11.1.1.64 0 200 ?
*>i100.1.1.0/24 10.1.1.68 655 300 ?
<1-199>: Standard or extended community list number
<WORD>: Name of a standard or extended community list
<.COMMUNITY>: Members of the community list, which may be a combination of aa:nn values or the well-known communities internet, local-AS, no-advertise and no-export; in an extended list they can be given as a regular expression
Default: None
Command Mode: Global mode
Usage Guide: With this command we can configure the community list so as to supply...
command sets the neighbor not to exchange routes of the specified address family
Parameter: <ip-address>: IP address of the neighbor; <TAG>: Name of the peer group
Default: Route exchange is enabled for the IP unicast address family and disabled for the other address families
Command Mode: BGP route mode and address-family mode
Usage Guide: IP unicast is configured under BGP route mode.
table. The "no neighbor {<ip-address>|<TAG>} allowas-in" command restores the default of not allowing any repetition
Parameter: <ip-address>: IP address of the neighbor; <TAG>: Name of the peer group; <1-10>: Allowed number of occurrences of the local AS number
Default: By default the local AS number is not allowed to repeat in the AS path of a received route; when the repeat count is set it defaults to 3 when <1-10>...
when transmitting BGP routes in the VRF.
Parameter: IP address of the neighbor, in dotted decimal notation
Command Mode: VRF mode
Usage Guide: When BGP receives routing information from a remote peer, it checks whether its own AS number appears in the AS path; if so, the route is considered a loop and discarded. In a VPN environment, however, there may be two or more CEs with the same AS number attached to the PE.
Command: neighbor {<ip-address>|<TAG>} capability {dynamic|route-refresh}
no neighbor {<ip-address>|<TAG>} capability {dynamic|route-refresh}
Function: Configure negotiation of the dynamic capability and the route refresh capability with the neighbor. The "no neighbor {<ip-address>|<TAG>} capability {dynamic|route-refresh}" command disables negotiation of the specified capability
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group...
originating side will then send an OPEN excluding that capability to re-establish the connection. With this capability, the side configured with inbound prefix-list filter rules transmits its filter rules to the peer, and the peer applies them as its own outbound rules, so as to avoid sending routes that would be denied by the partner.
partner, otherwise not. It provides options for which neighbor supplies the default route. If several neighbors of the partner supply a default route, the best one is elected according to the path selection principles. With a route map, it can be controlled when the default route is sent.
Usage Guide: Configure the policies with the access-list command and apply them with this command to route sending and receiving. In the in direction it filters the updates received from the partner; in the out direction it filters the routes sent from the local side to the partner.
Example: Configure the access-list
Switch(config)#access-list 101 deny ip 100.1.0.0 0.0.1.255 any...
Usage Guide: Without this command, EBGP peers are required to be on the same segment; after it is configured, peer addresses may be on different segments. The allowed hop count can be configured and is 255 if not specified.
Example: Three devices: 10.1.1.64 (AS100) and 11.1.1.120 (AS300) are connected respectively to the two interfaces 10.1.1.66 and 10.1.1.100 of another device.
<LINE>: AS-PATH access-list name configured with ip as-path access-list <.LINE> <permit|deny> <LINE>.
Default: Not configured
Command Mode: BGP route mode and address-family mode
Usage Guide: After the IP AS-PATH access-list is configured, applying it to the specified neighbor with this option permits or denies the sending/receiving of routes according to the AS numbers in the AS-path list.
{<ip-address>|<TAG>} maximum-prefix <1-4294967295> [<1-100> <warning-only>]" command cancels this configuration
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group; <1-4294967295>: Maximum number of prefixes allowed; <1-100>: Percentage of the maximum at which a warning is generated; <warning-only>: Only generate a warning when the maximum is exceeded instead of closing the session
Default: Not limited
Command Mode: BGP route mode and address-family mode
Usage Guide: Due to concerns about too many route updates from neighbors (e.g.
no neighbor {<ip-address>|<TAG>} override-capability
Function: Enable or disable overriding of capability negotiation. The "no neighbor {<ip-address>|<TAG>} override-capability" command restores capability negotiation
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group
Default: Disabled
Command Mode: BGP route mode
Usage Guide: With this attribute, an error notification is not sent when the neighbor requires a capability that is not supported.
Default: No peer group
Command Mode: BGP mode and address-family mode
Usage Guide: By configuring a peer group, a group of peers with the same attributes can be configured at the same time, reducing configuration effort. Assign members to the peer group with neighbor <ip-address>...
17.8.3.61 neighbor prefix-list
Command: neighbor {<ip-address>|<TAG>} prefix-list <LISTNAME|number> {in|out}
no neighbor {<ip-address>|<TAG>} prefix-list <LISTNAME|number> {in|out}
Function: Apply a prefix list to the routes sent to or received from the specified neighbor. The "no neighbor {<ip-address>|<TAG>} prefix-list <LISTNAME|number> {in|out}" command cancels this configuration
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group; <LISTNAME|number>: Name or sequence number of the prefix list; {in|out}: Direction in which the restrictions apply...
Example:
Switch(config)#router bgp 200
Switch(config-router)# neighbor 10.1.1.64 remote-as 100
17.8.3.63 neighbor remove-private-AS
Command: neighbor {<ip-address>|<TAG>} remove-private-AS
no neighbor {<ip-address>|<TAG>} remove-private-AS
Function: Configure whether private AS numbers are removed from the AS path when sending routes to the neighbor. The "no neighbor {<ip-address>|<TAG>} remove-private-AS" command cancels this configuration.
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group
Default: Not configured...
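The per-neighbor checks that bgp enforce-first-as (17.8.3.18), neighbor allowas-in (17.8.3.38), neighbor maximum-prefix (17.8.3.55) and neighbor remove-private-AS (this section) switch on, as an added example that is not the switch's own code. A Neighbor object applies the inbound checks to each received route in the order a practitioner would expect (first-AS check, loop check, then prefix count against the limit and its warning threshold), and remove_private_as is the outbound side. The neighbor addresses, AS numbers and prefixes are constructed. One semantics assumption is marked in the code: this example strips every private ASN, whereas some implementations only strip a leading run of them, so check the switch's actual behaviour before relying on it.

```python
"""Inbound sanity checks and outbound private-AS stripping for one BGP
neighbour. Added example, not code from the switch or from this manual;
neighbour data is constructed and the exact strip/limit semantics are
assumptions noted in the comments."""
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List, Optional

PRIVATE_AS = ((64512, 65534), (4200000000, 4294967294))  # RFC 6996 ranges


def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS)


def remove_private_as(as_path: List[int]) -> List[int]:
    """Outbound: strip private ASNs before the path leaves the AS.
    Assumption: every private ASN is removed. Some implementations only strip
    a leading run of private ASNs, so check the switch's actual behaviour."""
    return [asn for asn in as_path if not is_private_as(asn)]


@dataclass
class Neighbor:
    address: str
    remote_as: int
    local_as: int
    max_prefix: Optional[int] = None   # neighbor maximum-prefix <1-4294967295>
    warn_percent: int = 75             # ... [<1-100>]
    warning_only: bool = False         # ... [warning-only]
    enforce_first_as: bool = True      # bgp enforce-first-as (EBGP only)
    allowas_in: int = 0                # neighbor allowas-in [<1-10>]
    prefixes: Dict[str, List[int]] = field(default_factory=dict)
    state: str = "established"
    log: List[str] = field(default_factory=list)

    @property
    def ebgp(self) -> bool:
        return self.remote_as != self.local_as

    def receive(self, prefix: str, as_path: List[int]) -> bool:
        """Apply the checks to one received route; True if it was installed."""
        if self.state != "established":
            return False
        # enforce-first-as: an EBGP peer must put its own AS first, otherwise
        # it is announcing on behalf of someone else (or forging the path).
        if self.ebgp and self.enforce_first_as and (not as_path or as_path[0] != self.remote_as):
            self.log.append(f"{prefix}: AS path {as_path} does not start with {self.remote_as}, dropped")
            return False
        # Loop check: our own AS may appear at most allowas-in times.
        if as_path.count(self.local_as) > self.allowas_in:
            self.log.append(f"{prefix}: own AS {self.local_as} in path {as_path}, loop, dropped")
            return False
        self.prefixes[prefix] = as_path
        if self.max_prefix is not None:
            self._check_prefix_limit()
        return self.state == "established"

    def _check_prefix_limit(self) -> None:
        n = len(self.prefixes)
        if n > self.max_prefix:
            if self.warning_only:
                self.log.append(f"prefix count {n} exceeds limit {self.max_prefix} (warning only)")
            else:
                # Tearing the session down discards everything learned from it.
                self.log.append(f"prefix count {n} exceeds limit {self.max_prefix}, session shut down")
                self.state = "idle"
                self.prefixes.clear()
        elif n >= ceil(self.max_prefix * self.warn_percent / 100):
            self.log.append(f"prefix count {n} reached {self.warn_percent}% of limit {self.max_prefix}")


if __name__ == "__main__":
    peer = Neighbor("192.0.2.1", remote_as=100, local_as=200, max_prefix=4)
    for pfx, path in [("10.0.0.0/24", [100, 300]), ("10.0.1.0/24", [300, 100]),
                      ("10.0.2.0/24", [100, 200, 300]), ("10.0.3.0/24", [100]),
                      ("10.0.4.0/24", [100, 400]), ("10.0.5.0/24", [100, 500]),
                      ("10.0.6.0/24", [100, 600])]:
        print(pfx, "installed" if peer.receive(pfx, path) else "rejected")
    print("\n".join(peer.log))
    print(remove_private_as([65001, 100, 64512, 4200000000]))
```

The warning fires as soon as the prefix count reaches 75% of the limit, and without warning-only the fifth prefix above a limit of four puts the session in idle and empties what was learned from it; that is why a maximum-prefix value needs headroom above the neighbor's normal table size, and why warning-only is the safer first step when the expected count is uncertain.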
Switch(config)#route-map test permit 5
Switch(config-route-map)#match interface Vlan1
Switch(config-route-map)#set as-path prepend 65532
Switch(config-route-map)#exit
Switch(config)#router bgp 200
Switch(config-router)#neighbor 10.1.1.64 route-map test out
17.8.3.65 neighbor route-reflector-client
Command: neighbor {<ip-address>|<TAG>} route-reflector-client
no neighbor {<ip-address>|<TAG>} route-reflector-client
Function: Configure the route reflector client. The "no neighbor {<ip-address>|<TAG>} route-reflector-client"...
Usage Guide: The route server reduces the number of peerings when there are too many routers between ASes in an EBGP environment. The server transparently forwards routing information to its other clients, and the clients exchange routing information through the route server.
Example: Three routers: 10.1.1.64 (AS100)...
Function: Disconnect the neighbor connection. The "no neighbor {<ip-address>|<TAG>} shutdown" command cancels this configuration
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group
Default: Not disconnected
Command Mode: BGP mode and address-family mode
Usage Guide: Directly disconnect from or reconnect to a peer (group) without removing the neighbor configuration
Example:...
Switch(config)#router bgp 100
Switch(config-router)#address-family ipv4 vrf DC1
Switch(config-router-af)# neighbor 11.1.1.64 remote-as 200
Switch(config-router-af)# neighbor 11.1.1.64 soo 100:10
After this attribute is set, the switch no longer advertises routes carrying the 100:10 RT attribute to 11.1.1.64. (Note that the SoO attribute is evaluated together with the other RT attributes: if an RT is configured with the same value, the route is regarded as originating from that neighbor even if it is not the real origin.)
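The route-target import described under neighbor activate/route-target (17.8.3.35) and the site-of-origin filter described just above, as an added example that is not the switch's own code. The VRF name DC1 and the RD/RT value 100:10 follow this manual's example; the prefixes, next hops and the second and third VPNv4 routes are constructed. The export filter implements the caveat the manual states: a route is withheld from a CE not only when its SoO equals the neighbor's SoO, but also when any of its RTs equals that value.

```python
"""Route-target import/export and site-of-origin filtering on a PE.
Added example, not code from the switch or from this manual; VRF DC1 and
the value 100:10 follow the manual's example, everything else is constructed."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class VpnRoute:
    rd: str                                     # route distinguisher, e.g. "100:10"
    prefix: str
    next_hop: str
    rts: Set[str] = field(default_factory=set)  # route-target extended communities
    soo: str = ""                               # site-of-origin extended community


@dataclass
class Vrf:
    name: str
    rd: str
    import_rts: Set[str]
    export_rts: Set[str]
    table: List[VpnRoute] = field(default_factory=list)


def import_from_vpnv4(vrf: Vrf, vpnv4_routes: List[VpnRoute]) -> List[VpnRoute]:
    """Install into the VRF every VPNv4 route carrying one of its import RTs.
    The RD only keeps overlapping customer prefixes distinct in the VPNv4
    table; it is the RT that decides VRF membership."""
    accepted = [r for r in vpnv4_routes if r.rts & vrf.import_rts]
    vrf.table.extend(accepted)
    return accepted


def export_to_vpnv4(vrf: Vrf, prefix: str, next_hop: str, soo: str = "") -> VpnRoute:
    """Tag a route learned from a CE with the VRF's RD, its export RTs and the
    SoO configured on the CE neighbour it came from."""
    return VpnRoute(vrf.rd, prefix, next_hop, set(vrf.export_rts), soo)


def advertise_to_ce(routes: List[VpnRoute], neighbor_soo: str) -> List[VpnRoute]:
    """Routes sent to a CE neighbour configured with `neighbor ... soo`.
    A route whose SoO equals the neighbour's SoO came from that site and is
    not sent back. As the manual notes, the SoO is matched together with the
    other RT attributes, so a route carrying an RT equal to the neighbour's
    SoO value is withheld as well, even if that site did not originate it."""
    if not neighbor_soo:
        return list(routes)
    return [r for r in routes if r.soo != neighbor_soo and neighbor_soo not in r.rts]


if __name__ == "__main__":
    dc1 = Vrf("DC1", "100:10", {"100:10"}, {"100:10"})
    remote = [VpnRoute("100:10", "15.1.1.0/24", "10.1.1.68", {"100:10"}),
              VpnRoute("100:20", "15.1.1.0/24", "10.1.1.70", {"100:20"})]
    print([r.prefix for r in import_from_vpnv4(dc1, remote)])
    local = export_to_vpnv4(dc1, "11.1.1.0/24", "11.1.1.64", soo="100:10")
    print(advertise_to_ce([local], "100:10"))
```

Because this manual's example sets the export RT, the RD and the SoO all to 100:10, every route imported into DC1 carries an RT equal to the neighbor's SoO and is therefore withheld from that CE, not only the routes it originated. If the CE is meant to receive the other sites' routes, give the SoO a value distinct from the export RT.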
connection. The hold time is the period for which the connection is maintained when no message (such as KEEPALIVE) is received from the partner; the connection is closed when the hold time expires.
Example: Switch(config-router)#neighbor 10.1.1.64 timers 50 200
Relevant Commands: neighbor timers connect, timers bgp, no timers bgp
17.8.3.73 neighbor timers connect
Command: neighbor {<ip-address>|<TAG>} timers connect <0-65535>...
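The OPEN exchange that starts every BGP session (the overview in 17.8.1 calls it the first message after the TCP connection) and the hold-time negotiation that the timers described above feed into, as an added example that is not the switch's own code. Both sides' OPEN messages are built and parsed in wire format per RFC 4271, the session hold time is the smaller of the two values offered, and the keepalive interval is one third of it as the RFC recommends. The AS numbers, router IDs and timer values are constructed; the error strings are this example's own.

```python
"""BGP OPEN exchange and hold-time negotiation (RFC 4271 section 4.2).
Added example, not code from the switch or from this manual; the peers,
AS numbers and timers are constructed for illustration."""
import struct
from dataclasses import dataclass

MARKER = b"\xff" * 16          # all-ones marker that starts every BGP message
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
HEADER_LEN, OPEN_MIN_LEN = 19, 29


@dataclass
class Open:
    my_as: int       # 2-byte AS field (AS_TRANS 23456 is used for 4-byte ASNs)
    hold_time: int   # seconds; must be 0 or at least 3
    bgp_id: str      # dotted-quad BGP identifier (the router-id)

    def encode(self) -> bytes:
        ident = bytes(int(o) for o in self.bgp_id.split("."))
        body = struct.pack("!BHH4sB", 4, self.my_as, self.hold_time, ident, 0)
        return MARKER + struct.pack("!HB", HEADER_LEN + len(body), OPEN) + body


def decode_open(msg: bytes) -> Open:
    """Parse a wire-format OPEN, validating the header before trusting any
    length field taken from the peer."""
    if len(msg) < HEADER_LEN or msg[:16] != MARKER:
        raise ValueError("connection not synchronized")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != OPEN or length < OPEN_MIN_LEN:
        raise ValueError("bad message length or type")
    version, my_as, hold, ident, _opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise ValueError("unsupported version number")
    if 0 < hold < 3:
        # RFC 4271: OPEN Message Error, subcode Unacceptable Hold Time
        raise ValueError("unacceptable hold time")
    return Open(my_as, hold, ".".join(str(b) for b in ident))


def negotiate(local: Open, peer_msg: bytes, expected_peer_as: int) -> dict:
    """Outcome of receiving the peer's OPEN after sending ours.

    The session hold time is the smaller of the two offered; a KEEPALIVE is
    sent every hold/3 seconds so the peer sees traffic well inside its timer.
    A hold time of 0 means the timers are disabled entirely."""
    try:
        peer = decode_open(peer_msg)
    except ValueError as err:
        return {"ok": False, "reason": str(err)}
    if peer.my_as != expected_peer_as:
        return {"ok": False, "reason": "bad peer AS"}   # OPEN Message Error, Bad Peer AS
    hold = min(local.hold_time, peer.hold_time)
    return {"ok": True, "hold": hold, "keepalive": hold // 3}


if __name__ == "__main__":
    local = Open(200, 200, "10.1.1.66")          # what "neighbor ... timers 50 200" offers
    peer_wire = Open(100, 50, "10.1.1.64").encode()
    print(peer_wire.hex())
    print(negotiate(local, peer_wire, expected_peer_as=100))
```

Offering 200 seconds locally while the peer offers 50 yields a 50-second hold time and a 16-second keepalive on both sides, so the shorter timer of the two peers governs the session regardless of which side configured it. The parser rejects a wrong marker, a length that disagrees with the bytes actually received, an unexpected AS and a hold time of 1 or 2 seconds before any of those values are used.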
Switch(config-router)#neighbor 10.1.1.66 unsuppress-map rmp
Switch(config)#access-list 10 permit 10.1.1.100 0.0.0.255
Switch(config)#route-map rmp permit 5
Switch(config-route-map)#match ip next-hop 10
Routes with next hop 10.1.1.100 will not be suppressed
17.8.3.75 neighbor update-source
Command: neighbor {<ip-address>|<TAG>} update-source <IFNAME>
no neighbor {<ip-address>|<TAG>} update-source <IFNAME>
Function: Configure the update source. The "no neighbor {<ip-address>|<TAG>} update-source <IFNAME>"...
17.8.3.77 neighbor weight
Command: neighbor {<ip-address>|<TAG>} weight <0-65535>
no neighbor {<ip-address>|<TAG>} weight [<0-65535>]
Function: Configure the weight of routes received from the partner. The "no neighbor {<ip-address>|<TAG>} weight [<0-65535>]" command restores the default value
Parameter: <ip-address>: Neighbor IP address; <TAG>: Name of the peer group; <0-65535>: Weight
Default: The default weight of routes received from other routers is 0.
Command: redistribute <ROUTES> [route-map <WORD>]
no redistribute <ROUTES> [route-map <WORD>]
Function: Set BGP to redistribute routes from other sources into BGP. The "no redistribute <ROUTES> [route-map <WORD>]" command cancels this configuration
Parameter: <ROUTES>: Route source or protocol, including connected, isis, kernel, ospf, rip, static, etc.
<name>: Character string that is the name and index of a BGP instance when multiple instances are used
Default: BGP not enabled
Command Mode: Global mode
Usage Guide: Enable BGP for the specified AS and enter the config-router mode, at whose prompt the protocol can be configured. If bgp multiple-instance is not configured while a BGP instance is already enabled, enabling a new BGP instance returns an error.
Switch(config-vrf)#rd 100:10
Switch(config-vrf)#route-target both 100:10
Switch(config-vrf)#
In the above example a VRF named DC1 is created with RD value 100:10; the RT is configured in both directions, and the RT value is equal to the RD.
17.8.3.83 set vpnv4 next-hop
Command: set vpnv4 next-hop <ip-addr>
no set vpnv4 next-hop <ip-addr>
Function: Configure the next hop of the VPNv4 route.
*>i100.1.1.0/24 10.1.1.68 0 200 ?
We can see that the next hop 10.1.1.68 of the VPN route is changed to 10.1.1.250 after the route map is applied
17.8.3.84 timers bgp
Command: timers bgp <0-65535> <0-65535>
no timers bgp [<0-65535> <0-65535>]
Function: Configure the keepalive and hold timers for all BGP neighbors. The "no timers bgp [<0-65535> <0-65535>]"...
SwitchA(config-router-bgp)#exit
The configurations of SwitchB are as follows:
SwitchB(config)#router bgp 200
SwitchB(config-router-bgp)#network 11.0.0.0
SwitchB(config-router-bgp)#network 12.0.0.0
SwitchB(config-router-bgp)#network 13.0.0.0
SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100
SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 200
SwitchB(config-router-bgp)#neighbor 13.1.1.4 remote-as 200
SwitchB(config-router-bgp)#exit
The configurations of SwitchC are as follows:
SwitchC(config)#router bgp 200
SwitchC(config-router-bgp)#network 12.0.0.0
SwitchC(config-router-bgp)#network 13.0.0.0
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 200...
Page 615
SwitchB(config-router-bgp)#redistribute static
When at least one route falls within the specified range, the following configuration creates an aggregate route in the BGP routing table. The aggregate route is regarded as originating from the local AS. The more specific routes within 193.0.0.0 will also be announced.
Page 618
SwitchC(config-router-bgp)#bgp confederation peers 20
SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 10
SwitchD:
SwitchD(config)#router bgp 20
SwitchD(config-router-bgp)#bgp confederation identifier 200
SwitchD(config-router-bgp)#bgp confederation peers 10
SwitchD(config-router-bgp)#neighbor 13.1.1.2 remote-as 10
17.8.4.5 Example 5: configure BGP route reflector
The following is the configuration of a route reflector. As the figure illustrates, SwitchA, SwitchB, SwitchC, SwitchD, SWE, SWF and SWG establish IBGP connections and all belong to AS100.
Page 619
[Figure: Fig 17-12 the Topological Map of Route Reflector. Labels: AS100 containing SwitchA, SwitchB, SwitchC(RR), SwitchD(RR), SwitchE, SwitchF, SwitchG(RR) with vlan1 addresses 1.1.1.1, 2.2.2.2, 3.3.3.3, 3.3.3.4, 5.5.5.5, 6.6.6.6, 7.7.7.7; AS200 SwitchH vlan1:8.8.8.8; AS300 SwitchI vlan1:9.9.9.9]
The configurations are as follows:
The configurations of SwitchC:
SwitchC(config)#router bgp 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100
SwitchC(config-router-bgp)#neighbor 1.1.1.1 route-reflector-client
SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100...
Page 620
SwitchD(config-router-bgp)#neighbor 5.5.5.5 remote-as 100
SwitchD(config-router-bgp)#neighbor 5.5.5.5 route-reflector-client
SwitchD(config-router-bgp)#neighbor 6.6.6.6 remote-as 100
SwitchD(config-router-bgp)#neighbor 6.6.6.6 route-reflector-client
SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100
SwitchD(config-router-bgp)#neighbor 7.7.7.7 remote-as 100
The configurations of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 1.1.1.2 remote-as 100
SwitchA(config-router-bgp)#neighbor 9.9.9.9 remote-as 300
With this configuration SwitchA need not create IBGP connections with all the switches in AS100, yet it can still receive BGP routes from the other switches in the AS.
Page 621
[Figure: Fig 17-13 MED Configuring Topological Map. Labels: Metric=0, AS400, AS100, vlan1:4.4.4.4, Set metric 50, vlan1:4.4.4.3, SwitchA, vlan2:2.2.2.2, vlan3:3.3.3.3, SwitchB, Set metric 200, Set metric 120, vlan1:2.2.2.1, AS300, vlan1:3.3.3.2, vlan2:1.1.1.2, SwitchD, vlan2:1.1.1.1, SwitchC]
The configurations of SwitchA:
SwitchA(config)#router bgp 100
SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300
SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300
SwitchA(config-router-bgp)#neighbor 4.4.4.3 remote-as 400
The configurations of SwitchC:...
Page 623
importing routes. Directly connected routes, static routes and IGP routes (RIP and OSPF) can all be imported. Routes are imported into BGP with the network command or the redistribute command. For BGP, pay attention to the difference in behaviour between IBGP and EBGP. After the configuration is complete, the show ip bgp summary command can be used to check the neighbor connections and confirm that all neighbors have established BGP sessions.
Page 624
Total number of prefixes 4
17.8.5.1.2 show ip bgp attribute-info
Command: show ip bgp attribute-info
Function: Display the BGP attribute information
Parameter: None
Default: None
Command Mode: All modes
Usage Guide: Display the attribute information permitted by BGP
Example:
Switch#sh ip bgp attribute-info
attr[1] nexthop 0.0.0.0
attr[1] nexthop 10.1.1.64...
Page 625
17.8.5.1.4 show ip bgp community-info
Command: show ip bgp community-info
Function: Display the community information permitted by BGP
Parameter: None
Default: None
Command Mode: All modes
Usage Guide: Messages in the same community multiply closable at the same time
Example:
Switch#show ip bgp community-info
Address Refcnt Community...
Page 626
{<dampened-paths>|<flap-statistics>|<parameters>}
Function: Display the BGP routes relevant to route dampening.
Parameter: <ADDRESS-FAMILY>: address-family, such as “ipv4 unicast”
Default: None
Command Mode: All modes
Usage Guide: Only routes that have flapped are displayed. The parameters option shows the dampening configuration rather than specific routes.
Page 627
Min penalty (floor) : 375
Total number of prefixes 1
17.8.5.1.7 show ip bgp filter-list
Command: show ip bgp [<ADDRESS-FAMILY>] filter-list [<WORD>]
Function: Display the BGP routes that match the specified AS filter list
Parameter: <ADDRESS-FAMILY>: address-family such as “ipv4 unicast” <...
Page 628
* 100.1.1.0/24 10.1.1.68 0 300 ?
*> 10.1.1.64 0 100 ?
Total number of prefixes 1
17.8.5.1.9 show ip bgp neighbors
Command: show ip bgp [<ADDRESS-FAMILY>] neighbors [IP-ADDRESS] [advertised-routes|received {prefix-filter|routes}|routes]
Function: Display BGP neighbor related information
Parameter: <ADDRESS-FAMILY>: address-family, such as “ipv4 unicast”; <ip-address>: neighbor IP address
Default: None
Command Mode: All modes...
Page 629
17.8.5.1.10 show ip bgp paths
Command: show ip bgp [<ADDRESS-FAMILY>] paths
Function: Display the path information permitted by BGP
Parameter: <ADDRESS-FAMILY>: address-family such as “ipv4 unicast”
Default: None
Command Mode: All modes
Usage Guide: Display the BGP path information, including the utilization state.
Example:
Switch#sh ip bgp paths
Address...
Page 630
Parameter: <ADDRESS-FAMILY>: address-family such as “ipv4 unicast”; <WORD>: regular expression
Default: None
Command Mode: All modes
Usage Guide: Select the required routes through regular expressions.
Example:
Switch#sh ip bgp quote-regexp ^300$
BGP table version is 2, local router ID is 11.1.1.100
Status codes: s suppressed, d damped, h history, * valid, >...
Page 631
Network Next Hop Metric LocPrf Weight Path
* 100.1.1.0/24 10.1.1.64 0 500 100 600 ?
Total number of prefixes 1
17.8.5.1.14 show ip bgp route-map
Command: show ip bgp [<ADDRESS-FAMILY>] route-map [<NAME>]
Function: Display the BGP routes that match the specified route map
Parameter: <ADDRESS-FAMILY>: such as “ipv4 unicast”...
Page 632
17.8.5.1.16 show ip bgp summary
Command: show ip bgp [<ADDRESS-FAMILY>] summary
Function: Display the BGP summary information
Parameter: <ADDRESS-FAMILY>: address-family such as “ipv4 unicast”
Default: None
Command Mode: All modes
Usage Guide: Display basic summary information about BGP
Example:
Switch#show ip bgp summary
BGP router identifier 10.1.1.66, local AS number 200...
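The summary output is what an operator reads first to confirm that every neighbor has reached Established. The Python script below is an added example, not from this manual: it parses a constructed show ip bgp summary output (the router identifier and neighbor addresses reuse values from this chapter's examples, but the rows are made up, and the column layout is assumed to be the common Quagga-style table with a State/PfxRcd column) and reports the neighbors whose last column holds a state name rather than a prefix count. The ibgp/ebgp classification compares the neighbor's AS with the local AS number parsed from the header.

```python
import ipaddress
import re

# Constructed sample output (not captured from a switch). The column layout is
# an assumption: established peers show a prefix count in State/PfxRcd, while
# peers in any other FSM state show the state name there.
SAMPLE_SUMMARY = """\
BGP router identifier 10.1.1.66, local AS number 200
RIB entries 7, using 448 bytes of memory
Peers 3, using 13 KiB of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.64       4   100      37      41        0    0    0 00:31:12        4
10.1.1.68       4   300       0       0        0    0    0 never    Active
10.1.1.70       4   200      12      12        0    0    0 00:02:05 Idle (Admin)

Total number of neighbors 3
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_bgp_summary(text):
    """Return (local_as, neighbors); each neighbor is a dict describing one row."""
    local_as = None
    neighbors = []
    for line in text.splitlines():
        m = re.search(r"local AS number (\d+)", line)
        if m:
            local_as = int(m.group(1))
            continue
        # maxsplit=9 keeps a multi-word state such as "Idle (Admin)" in one field
        parts = line.split(None, 9)
        if len(parts) < 10 or not _is_ip(parts[0]):
            continue  # header, blank and footer lines
        remote_as = int(parts[2])
        state = parts[9].strip()
        neighbors.append({
            "neighbor": parts[0],
            "remote_as": remote_as,
            "type": "ibgp" if remote_as == local_as else "ebgp",
            "up_down": parts[8],
            "established": state.isdigit(),
            "prefixes": int(state) if state.isdigit() else None,
            "state": None if state.isdigit() else state,
        })
    return local_as, neighbors


def unestablished_neighbors(text):
    """Addresses of neighbors that have not reached Established."""
    _, neighbors = parse_bgp_summary(text)
    return [n["neighbor"] for n in neighbors if not n["established"]]


if __name__ == "__main__":
    local_as, peers = parse_bgp_summary(SAMPLE_SUMMARY)
    print("local AS:", local_as)
    for p in peers:
        print(p)
    print("not established:", unestablished_neighbors(SAMPLE_SUMMARY))
```

Run against a real capture, the same function flags a peer stuck in Active or Idle (Admin) so it can be checked against the neighbor configuration before routes are expected from it.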
Page 633
Parameter: <NAME>: name of the BGP instance; <ip-address>: neighbor IP address
Default: None
Command Mode: All modes
Usage Guide: Display neighbor information of the specified BGP instance
Example:
Switch#show ip bgp view as300 neighbors
17.8.5.1.19 show ip bgp vpnv4
Command: show ip bgp vpnv4 {all|rd <rd-val>|vrf <vrf-name>}
Function: Display the BGP VPN routing information
Parameter: <rd-val>...
17.9 MBGP4+
17.9.1 MBGP4+ Introduction
MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension for IPv6; refer to the BGP chapter of this manual for an introduction to the BGP protocol. Unlike RIPng and OSPFv3, BGP has no corresponding independent protocol for IPv6; instead, it adds address-family extensions to the original BGP.
SwitchC(config-router-af)#neighbor 2003::4 activate
SwitchC(config-router-af)#exit-address-family
SwitchC(config-router-bgp)#exit
SwitchD configuration as follows:
SwitchD(config)#router bgp 200
SwitchD(config-router-bgp)#neighbor 2003::3 remote-as 200
SwitchD(config-router-bgp)#neighbor 2002::2 remote-as 200
SwitchD(config-router-bgp)#address-family IPv6 unicast
SwitchD(config-router-af)#neighbor 2002::2 activate
SwitchD(config-router-af)#neighbor 2003::3 activate
SwitchD(config-router-af)#exit-address-family
SwitchD(config-router-bgp)#exit
Here the connection between SwitchB and SwitchA is EBGP, and the connection between SwitchC and SwitchD is IBGP.
The ES4624-SFP/ES4626-SFP switch provides IGMP Snooping and is able to send queries itself, so that the user can deploy the ES4624-SFP/ES4626-SFP switch in IP multicast.
18.2 IGMP Snooping Configuration Task
1.
Page 638
ip igmp snooping vlan <vlan-id>
no ip igmp snooping vlan <vlan-id>
    Enables IGMP Snooping for the specified VLAN.
ip igmp snooping vlan <vlan-id> mrouter interface <interface-name>
no ip igmp snooping vlan <vlan-id> mrouter
    Sets the specified VLAN port as the port connecting the M-router.
Enables IGMP Snooping in the specified igmp...
18.3 Commands for IGMP Snooping
18.3.1 ip igmp snooping
Command: ip igmp snooping
no ip igmp snooping
Function: Enable the IGMP Snooping function; the “no ip igmp snooping” command disables this function.
Command mode: Global Mode
Default: IGMP Snooping is disabled by default.
Usage Guide: Use this command to enable IGMP Snooping globally, which permits IGMP Snooping to be configured on each VLAN.
function.
Parameter: <vlan-id> is the specified VLAN number.
Command mode: Global Mode
Default: This function is disabled by default.
Usage Guide: Enabling the IGMP fast leave function speeds up the process of a port leaving a multicast group. This command is valid only for Snooping and is not applicable to Query.
Example: Enable the IGMP fast leave function for VLAN 100.
vlan <vlan-id> query command, i.e. either snooping or query can be enabled for a VLAN, but not both.
Example: Enable IGMP Snooping for VLAN 100 in Global Mode.
Switch(Config)#ip igmp snooping vlan 100
18.3.6 ip igmp snooping vlan mrouter-port interface
Command: ip igmp snooping...
18.3.8 ip igmp snooping vlan query-interval
Command: ip igmp snooping vlan <vlan-id> query-interval <value>
no ip igmp snooping vlan <vlan-id> query-interval
Function: Configure the query interval
Parameter: vlan-id: VLAN id, ranging between <1-4094>; value: query interval, ranging between <1-65535> seconds
Command Mode: Global mode
Default: 125s
Usage Guide: It is recommended to use the default settings.
Example: Switch(config)#ip igmp snooping vlan 2 query-robustness 3
18.3.11 ip igmp snooping vlan suppression-query-time
Command: ip igmp snooping vlan <vlan-id> suppression-query-time <value>
no ip igmp snooping vlan <vlan-id> suppression-query-time
Function: Configure the suppression query time. The “no ip igmp snooping vlan <vlan-id>...
Page 644
respectively, and the multicast router is connected to port 1. As IGMP Snooping is disabled by default both on the switch and in the VLANs, to enable IGMP Snooping in VLAN 100, IGMP Snooping must first be enabled for the switch in Global Mode and then for VLAN 100, and port 1 of VLAN 100 must be set as the M-Router port.
Page 645
[Figure: Fig 18-2 The switches as IGMP Queriers. Labels: Multicast Router; SwitchA (IGMP Snooping Query, Mrouter Port); SwitchB (IGMP Snooping); Group 1; Group 2]
The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the Multicast Router in scenario 1.
IGMP Snooping listening result: similar to scenario 1.
18.5 IGMP Snooping Troubleshooting
When configuring and using the IGMP Snooping function, IGMP Snooping might not run properly because of physical connection or configuration mistakes. Users should check the following:
Make sure the physical connection is correct.
Activate IGMP Snooping in Global Mode (use ip igmp snooping).
Configure IGMP Snooping for the VLAN in Global Mode (use ip igmp snooping vlan <vlan-id>).
Page 647
messages
Command Mode: Admin Mode
Usage Guide: If no VLAN number is specified, the command shows whether the global IGMP snooping switch is on and which VLANs are configured with the l2-general-querier function; if a VLAN number is specified, detailed IGMP information for that VLAN is shown.
Example: 1.
Page 648
Igmp snooping vlan 1 mrouter port
Note:"!"-static mrouter port
!Ethernet1/2
Displayed Information / Explanation:
Igmp snooping general querier: whether the VLAN enables the l2-general-querier function, and whether the querier state is could-query or suppressed
Igmp snooping query-interval: query interval of the VLAN
Igmp snooping max response time: max response time of the VLAN...
Chapter 19 Multicast VLAN
19.1 Introductions To Multicast VLAN
With the current method of ordering multicast, when users in different VLANs order the same stream, each VLAN carries its own copy of the multicast traffic, which wastes a great deal of bandwidth. By configuring a multicast VLAN and adding the switch ports to it, with the IGMP Snooping function enabled, users from different VLANs share the same multicast VLAN.
no ip igmp snooping
    The “no” form of this command disables the IGMP snooping function.
19.3 Commands For Multicast VLAN
19.3.1 multicast-vlan
Command: multicast-vlan
no multicast-vlan
Function: Enable the multicast VLAN function on a VLAN; the “no” form of this command disables the multicast VLAN function.
Parameter: None
Command Mode: VLAN config Mode
Default: Multicast VLAN function not enabled by default...
enabled on a switch.
Examples:
Switch(config)#vlan 2
Switch(Config-Vlan2)#multicast-vlan
Switch(Config-Vlan2)#multicast-vlan association 3;4
19.4 Examples Of Multicast VLAN
[Figure: Fig 19-1 Function configuration of the Multicast VLAN. Labels: SwitchA, SwitchB, Work Station]
As shown in the figure, the multicast server is connected to the layer 3 switch SwitchA through port 1/1, which belongs to VLAN 10 of the switch.
Chapter 20 IPv4 Multicast Protocol
20.1 IPv4 Multicast Protocol Overview
This chapter introduces the configuration of the IPv4 Multicast Protocol. All IP addresses in this chapter are IPv4.
20.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of a packet transmission (including data, sound and video) is a minority of the users in the network.
20.1.2 Multicast Address
The destination address of a multicast message uses a class D IP address, in the range 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In unicast data transmission, a data packet is routed from the source address to the destination address, and the transmission is performed hop by hop.
224.0.0.14 RSVP Encapsulation
224.0.0.15 All CBT Routers
224.0.0.16 Specified SBM
224.0.0.17 All SBMS
224.0.0.18 VRRP
When Ethernet transmits unicast IP messages, the destination MAC address it uses is the receiver’s MAC address. When transmitting multicast packets, the destination is no longer a specific receiver but a group with uncertain membership, so a multicast MAC address is used.
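The class D range and the multicast MAC mapping are easy to get wrong when writing filters, and the mapping has a property worth knowing: only the low 23 bits of the group address go into the Ethernet address, so 32 different groups share one MAC. The following is an added example, not from this manual; it checks whether an address is class D, classifies it by scope (the 224.0.0.0/24 link-local block, which holds the reserved addresses listed above, and the 239/8 administratively scoped block from RFC 2365, the latter being general knowledge rather than something this manual states), derives the 01:00:5e MAC as defined in RFC 1112, and lists the groups that collide onto the same MAC. The group 239.192.1.10 used below appears later in this chapter's rp-hash example; the rest are constructed inputs.

```python
import ipaddress

# 01:00:5e:00:00:00, the IANA OUI prefix for IPv4 multicast (RFC 1112)
MCAST_MAC_PREFIX = 0x01005E000000
CLASS_D_FIRST = ipaddress.IPv4Address("224.0.0.0")
CLASS_D_LAST = ipaddress.IPv4Address("239.255.255.255")


def is_ipv4_multicast(addr):
    """True for class D addresses, 224.0.0.0 through 239.255.255.255."""
    a = ipaddress.IPv4Address(addr)
    return CLASS_D_FIRST <= a <= CLASS_D_LAST


def multicast_scope(addr):
    """Classify a group: link-local (never routed), administratively scoped, or global."""
    if not is_ipv4_multicast(addr):
        raise ValueError(f"{addr} is not a class D address")
    a = ipaddress.IPv4Address(addr)
    if a in ipaddress.IPv4Network("224.0.0.0/24"):
        return "link-local"            # e.g. 224.0.0.18 VRRP, 224.0.0.14 RSVP
    if a in ipaddress.IPv4Network("239.0.0.0/8"):
        return "administratively scoped"  # RFC 2365, organisation-local
    return "global"


def multicast_mac(addr):
    """Map an IPv4 group to its Ethernet MAC: 01:00:5e plus the low 23 bits."""
    if not is_ipv4_multicast(addr):
        raise ValueError(f"{addr} is not a class D address")
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    mac = MCAST_MAC_PREFIX | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(addr):
    """All 32 class D groups sharing the MAC of addr.

    Bits 23..27 of the address are discarded by the mapping, so a layer 2
    filter keyed on the MAC alone cannot tell these groups apart."""
    base = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | base))
            for hi in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.18", "239.192.1.10", "232.1.1.1"):
        print(g, multicast_scope(g), multicast_mac(g))
    print("share a MAC with 224.0.0.18:", colliding_groups("224.0.0.18"))
```

A practical consequence for IGMP snooping: a filter that forwards by multicast MAC admits every group in the colliding set, so group-level policy has to be enforced on the IP group address, not the Ethernet address.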
point and receiving in multipoint. It achieves effective data transmission from one point to multiple points, saves a great deal of network bandwidth and reduces network load. Making use of the multicast property of the network, new value-added services can be supplied conveniently.
Multicast transmission table entry (S, G) corresponds. Thus an SPT (Shortest Path Tree) with source S as root is created. The Prune process is initiated by the leaf routers first. The process above is called the Flooding & Prune process. Each pruned node also provides a time-out mechanism.
Mode and turn on the PIM-DM switch under the corresponding interface.
Command / Explanation (Global Mode):
ip pim multicast-routing
    Sets the PIM-DM protocol on each interface to Enable status (but the commands below are required to really enable the PIM-DM protocol on the interface).
And then turn on the PIM-SM switch on the interface:
Command / Explanation...
Page 659
20.2.3.1 ip pim accept-register
Command: ip pim accept-register list <list-number>
no ip pim accept-register
Function: Filter the specified multicast group and multicast address.
Parameter: <list-number>: the access-list number, ranging from 100 to 199.
Default: Permit multicast registers from any source to any group.
Command Mode: Global Mode
Usage Guide: This command configures the access-list that filters PIM REGISTER packets. The addresses of the access-list respectively indicate the filtered...
Page 660
The “no ip pim dr-priority” command restores the default value.
Parameter: <priority> is the priority
Default: 1
Command Mode: Interface Configuration Mode
Usage Guide: The range is 0 to 4294967294; a higher value has higher priority.
Example: Configure the DR priority of vlan1 to 100
Switch (Config)# interface vlan 1
Switch(Config-if-Vlan1)#ip pim dr-priority 100
Switch (Config -if-Vlan1)#...
Page 661
If hello_holdtime is configured but is less than the current hello_interval, hello_holdtime is set to 3.5*hello_interval; otherwise the configured value is kept.
Example: Configure vlan1’s Hello Holdtime
Switch (Config)# interface vlan1
Switch (Config -if-Vlan1)#ip pim hello-holdtime 10
Switch (Config -if-Vlan1)#
20.2.3.6 ip pim dense-mode
Command: ip pim dense-mode
no ip pim dense-mode
Function: Enable the PIM-DM protocol on the interface;...
Page 662
Switch (Config)#interface vlan1
Switch(Config-if-Vlan1)#ip pim hello-interval 20
20.2.3.8 ip pim multicast-routing
Command: ip pim multicast-routing
no ip pim multicast-routing
Function: Enable PIM-SM globally. The “no ip pim multicast-routing” command disables PIM-SM globally.
Parameter: None
Default: PIM-SM disabled
Command Mode: Global Mode
Usage Guide: Enable PIM-SM globally. The interface must also enable PIM-SM for PIM-SM to work.
Example: Enable PIM-SM globally.
Switch (config)#
20.2.3.10 ip pim state-refresh origination-interval
Command: ip pim state-refresh origination-interval <interval>
no ip pim state-refresh origination-interval
Function: Configure the transmission interval of state-refresh messages on the interface. The “no ip pim state-refresh origination-interval” command restores the default value.
Parameter: <interval>: packet transmission interval, from 4s to 100s.
Default: 60s
Usage Guide: The first-hop router periodically transmits state-refresh messages to maintain the PIM-DM list items of all the downstream routers.
Switch(Config-if-Vlan1)#exit
Switch (Config)#interface vlan2
Switch(Config-if-Vlan2)# ip address 12.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)# ip pim dense-mode
Configure SwitchB:
Switch (Config)#ip pim multicast-routing
Switch (Config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 12.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# ip pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch (Config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)# ip pim dense-mode
At the same time, pay attention to the configuration of the unicast routing protocol, and ensure that each device can communicate with the others in the...
Page 665
The “no debug pim timer sat” command disables the debug switch.
Parameter: None.
Default: Disabled.
Command Mode: Admin Mode.
Usage Guide: Enable the switch to display source activity timer information in detail.
Example: Switch # debug ip pim timer sat
Remark: The other debug switches in PIM-DM are shared with PIM-SM, including debug pim event, debug pim packet, debug pim nexthop, debug pim nsm, debug pim mfc, debug pim timer and debug pim state; refer to the PIM-SM section.
Page 666
Address: interface address
Interface: interface name
VIF index: interface index
Ver/Mode: PIM version and mode, usually v2; sparse mode displays S, dense mode displays D
Nbr Count: the interface’s neighbor count
DR Prior: DR priority
DR: the interface’s DR address
20.2.5.1.4 show ip pim neighbor
Command: show ip pim neighbor
Function: Display router neighbors
Parameter: None...
Page 667
Usage Guide: Display the PIM buffered next-hop router information.
Example:
Switch(config)#show ip pim nexthop
Flags: N = New, R = RP, S = Source, U = Unreachable
Destination Type Nexthop Nexthop Nexthop Nexthop Metric Pref Refcnt
                 Addr    Ifindex Name
192.168.1.1 N...
Page 669
case. Detailed interface information can be checked with the show interface command.
20.2.5.1.7 show ip mroute
Command: show ip mroute [<GroupAddr> [<SourceAddr>]]
Function: Show the IPv4 software multicast route table.
Parameter: GroupAddr: show the multicast entries relating to this group address. SourceAddr: show the multicast route entries relating to this source address.
Default: None
Command Mode:
20.3 PIM-SM
20.3.1 Introduction to PIM-SM
PIM-SM (Protocol Independent Multicast, Sparse Mode) is a multicast routing protocol in sparse mode, mainly used in large-scale networks where group members are distributed relatively sparsely and widely. Unlike the Flooding & Prune of Dense Mode, the PIM-SM protocol assumes that no host needs to receive multicast data packets.
(3) SPT Switch
When the multicast router finds that the rate of multicast packets from the RP with destination address G exceeds the threshold, the multicast router sends a Join message to the next upstream node in the source direction, which results in the switch from the RPT to the SPT.
Page 672
Command / Explanation (Global Mode):
ip pim multicast-routing (Required)
    Sets the PIM-SM protocol on each interface to Enable status (but the commands below are required to really enable the PIM-SM protocol on the interface).
And then turn on the PIM-SM switch on the interface:
Command / Explanation (Interface Configuration Mode):
Enable PIM-SM Protocol of the interface.
Page 673
ip pim bsr-candidate {vlan <vlan-id>|<ifname>} [<mask-length>] [<priority>]
no ip pim bsr-candidate
    This command is the global candidate BSR configuration command, used to configure PIM-SM candidate BSR information so that the switch can compete for the BSR router role with other candidate BSRs. The “no ip pim bsr-candidate” command cancels the BSR configuration.
20.3.3 Commands for PIM-SM
20.3.3.1 ip pim accept-register
Command: ip pim accept-register list <list-number>
no ip pim accept-register
Function: Filter the specified multicast group and multicast address.
Parameter: <list-number>: the access-list number, ranging from 100 to 199.
Default: Permit multicast registers from any source to any group.
Page 675
and is used to configure PIM-SM information about the candidate BSR so that it can compete for the BSR router role with other candidate BSRs. Only when this command is configured is this switch a BSR candidate router.
Example: Globally configure the interface vlan1 as the interface that transmits candidate BSR messages.
Page 676
Command: ip pim exclude-genid
no ip pim exclude-genid
Function: This command makes the Hello packets sent by PIM-SM not include the GenId option. The “no ip pim exclude-genid” command restores the default value.
Parameter: None
Default: The Hello packets include the GenId option.
Command Mode: Interface Configuration Mode
Usage Guide: This command is used to interoperate with older Cisco IOS versions.
Page 677
hello-interval” command restores the default value.
Parameter: <interval> is the hello_interval of periodically transmitted PIM hello packets, ranging from 1 to 18724s.
Default: The default hello_interval of periodically transmitted PIM hello packets is 30s.
Command Mode: Interface Configuration Mode
Usage Guide: Hello messages let PIM switches discover each other and determine neighbor relationships.
Page 678
Command Mode: Global Mode
Usage Guide: When selecting an RP, PIM usually selects according to RP priority. When this command is configured, PIM does not select according to RP priority. Unless there are older routers in the network, this command is not recommended.
Example: Switch (config)#ip pim ignore-rp-set-priority
20.3.3.10 ip pim jp-timer
Command: ip pim jp-timer <value>...
Page 679
created, this connection cannot be created.
Parameter: <list-number>: the simple access-list number, ranging from 1 to 99
Default: No neighbor filter configured.
Command Mode: Interface Configuration Mode
Usage Guide: The ACL’s default action is DENY; if access-list 1 is configured, access-list 1’s default is deny.
Page 680
Parameter: None
Default: Do not check
Command Mode: Global Mode
Usage Guide: This command configures whether the DR checks RP reachability.
Example: Configure the DR to check RP reachability.
Switch (config)#ip pim register-rp-reachability
Switch (config)#
20.3.3.15 ip pim register-source
Command: ip pim register-source {<A.B.C.D>...
Page 681
command modifies the Keepalive-period value.
Example: Configure the value of the register suppression timer to 10s.
Switch (config)#ip pim register-suppression 10
20.3.3.17 ip pim rp-address
Command: ip pim rp-address <A.B.C.D> <A.B.C.D/M>
no ip pim rp-address <A.B.C.D> [<A.B.C.D/M>|<all>]
Function: This command configures a static RP globally or for a multicast address range. The “no ip pim rp-address <A.B.C.D>...
Page 682
Example: Configure vlan1 as the interface that sends candidate RP announcement messages
Switch (Config)# ip pim rp-candidate vlan1 100
20.3.3.19 ip pim rp-register-kat
Command: ip pim rp-register-kat <value>
no ip pim rp-register-kat
Function: This command configures the KAT (KeepAlive Timer) value of the RP (S, G) items, in seconds.
no ip pim ssm
Function: Configure the range of PIM SSM multicast addresses. The “no ip pim ssm” command deletes the configured PIM SSM multicast group range.
Parameter: default: indicates the default range of the PIM SSM multicast group, 232/8. <access-list-number>: the applied access-list number, ranging from 1 to 99.
Default: The range of the PIM SSM group address is not configured
Command Mode: Global Mode
Usage Guide:...
Page 684
Fig 20-2 PIM-SM Typical Environment
The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as follows:
(1) Configure SwitchA:
Switch (Config)#ip pim multicast-routing
Switch (Config)#interface vlan 1
Switch(Config-If-Vlan1)# ip address 12.1.1.1 255.255.255.0
Switch(Config-If-Vlan1)# ip pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch (Config)#interface vlan 2
Switch(Config-If-Vlan2)# ip address 13.1.1.1 255.255.255.0
Switch(Config-If-Vlan2)# ip pim sparse-mode
(2) Configure SwitchB:...
Switch (Config)# ip pim bsr-candidate vlan2 30 10
(4) Configure SwitchD:
Switch (Config)#ip pim multicast-routing
Switch (Config)#interface vlan 1
Switch(Config-If-Vlan1)# ip address 34.1.1.4 255.255.255.0
Switch(Config-If-Vlan1)# ip pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch (Config)#interface vlan 2
Switch(Config-If-Vlan2)# ip address 24.1.1.4 255.255.255.0
Switch(Config-If-Vlan2)# ip pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch (Config)#interface vlan 3
Switch(Config-If-Vlan3)# ip address 40.1.1.1 255.255.255.0...
Page 686
If the problem is still not solved, use debug commands such as debug pim / debug pim bsr, collect the DEBUG output for 3 minutes and send it to the Technology Service Center.
20.3.5.1 Commands for Monitor And Debug
20.3.5.1.1 debug pim timer sat
Command: debug pim timer sat
no debug pim timer sat
Function: Enable the debug switch for detailed PIM-SM source activity timer information;...
Page 687
Switch# debug ip pim event
Switch#
20.3.5.1.4 debug pim mfc
Command: debug pim mfc
no debug pim mfc
Function: Enable or disable the pim mfc debug switch
Parameter: None
Default: Disabled
Command Mode: Admin Mode and Global Mode
Usage Guide: Enable the pim mfc debug switch to display information on generated and transmitted multicast ids.
Page 688
Default: Disabled
Command Mode: Admin Mode and Global Mode
Usage Guide: Inspect the communication between PIM and Network Services with this switch.
Example: Switch# debug ip pim nsm
20.3.5.1.8 debug pim packet
Command: debug pim packet
debug pim packet in
debug pim packet out
no debug pim packet
no debug pim packet in...
Page 690
Usage Guide: Enable the specified timer’s debug information.
Example: Switch# debug ip pim timer assert
20.3.5.1.11 show ip pim bsr-router
Command: show ip pim bsr-router
Function: Display the BSR address
Parameter: None
Default: None
Command Mode: Admin Mode and Global Mode
Usage Guide: Display the BSR information maintained by PIM.
Page 691
10.1.4.3 Vlan1 v2/S 10.1.4.3
10.1.7.1 Vlan2 v2/S 10.1.7.1
Displayed Information / Explanations:
Address: interface address
Interface: interface name
VIF index: interface index
Ver/Mode: PIM version and mode, usually v2; sparse mode displays S, dense mode displays D
Nbr Count: the interface’s neighbor count
DR Prior: DR priority
DR: the interface’s DR address
20.3.5.1.13 show ip pim mroute sparse-mode...
Page 692
Outgoing ..o......
Displayed Information / Explanations:
Entries: the count of each item
RP: the shared tree’s RP address
RPF nbr: RP direction or upstream neighbor in the source direction
RPF idx: RPF neighbor interface
Upstream State: upstream state; there are two states, Joined (joined the tree, expects to receive data from upstream) and Not Joined (left the tree, does not expect to receive data from upstream), and more options such as RPT...
Page 693
10.1.4.3 Vlan3 00:00:17/00:01:29 v2
Displayed Information / Explanations:
Neighbor Address: neighbor address
Interface: neighbor interface
Uptime/Expires: running time / expiry time
Ver: PIM version, usually v2
DR Priority/Mode: DR priority in the hello messages from the neighbor, and whether the neighbor is the interface’s DR.
20.3.5.1.15 show ip pim nexthop
Command: show ip pim nexthop
Function: Display the PIM buffered next-hop router in the unicast route table...
Page 694
Metric: metric to the next hop
Pref: route preference
Refcnt: reference count
20.3.5.1.16 show ip pim rp-hash
Command: show ip pim rp-hash <A.B.C.D>
Function: Display the RP (rendezvous point) address for the group A.B.C.D
Parameter: group address
Default: None
Command Mode: Admin Mode and Global Mode
Usage Guide: Display the RP address corresponding to the specified group address
Example:
testS2(Config-if-Vlan1)#show ip pim rp-hash 239.192.1.10
RP: 10.1.6.1...
20.4 DVMRP
20.4.1 Introduction to DVMRP
DVMRP is the “Distance Vector Multicast Routing Protocol”. It is a multicast routing protocol in dense mode, which sets up a forward broadcast tree for each source in a manner similar to RIP, and sets up a truncated broadcast tree, i.e. the shortest path tree to the source, for each source through dynamic Prune/Graft.
becomes the designated forwarder for the subnet. If several have the same distance, the one with the lowest IP address prevails. After an interface of the switch is configured to run the DVMRP protocol, the switch multicasts Probe messages to other DVMRP switches on this interface, which are used to find neighbors and detect each other’s capabilities.
Page 697
Prune/Graft
4. Configure DVMRP tunnel
1. Globally enable DVMRP Protocol
The basic configuration to run the DVMRP routing protocol on an EDGECORE series Layer 3 switch is very simple: first, DVMRP must be enabled globally.
Command / Explanation (Global Mode):
[no] ip dvmrp multicast-routing
    Globally enable DVMRP Protocol; the “no ip...
ip dvmrp reject-non-pruners
no ip dvmrp reject-non-pruners
    Configure the interface to reject neighbor relationships with DVMRP routers that do not support pruning/grafting. The “no ip dvmrp reject-non-pruners” command restores the ability to set up the neighborship.
4. Configure DVMRP Tunnel
Command / Explanation (Interface Configuration Mode):
This command configures a DVMRP tunnel;...
Page 699
Command Mode: Interface Configuration Mode
Usage Guide: The routing information in DVMRP report messages includes a group source network and metric list. After the DVMRP report message metric value is configured on an interface, every routing entry received on that interface has the configured interface metric added to form its new metric. The metric value is used to calculate poison reverse, i.e. to establish upstream/downstream relations.
Page 700
Usage Guide: Setting an appropriate delay avoids message bursts.
Example: Switch (Config-If-vlan1)#ip dvmrp output-report-delay 1 1024
20.4.3.5 ip dvmrp reject-non-pruners
Command: ip dvmrp reject-non-pruners
no ip dvmrp reject-non-pruners
Function: Configure the interface to reject neighborship with DVMRP routers that do not support pruning/grafting; the “no ip dvmrp reject-non-pruners”...
20.4.4 DVMRP Configuration Examples
As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLANs and enable DVMRP on each VLAN interface.
[Figure: Fig 20-3 DVMRP Network Topology Diagram. Labels: SwitchA, SwitchB, Vlan 2, Vlan 1, Vlan 1]
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
Switch (Config)#ip dvmrp multicast-routing...
In configuring and using the DVMRP Protocol, DVMRP might not operate normally because of physical connection problems or incorrect configuration. Therefore, the user should pay attention to the following issues: First, make sure that the physical connection is correct. Next, make sure the protocol of the interface and link is UP (use the show interface command);...
Example:
Switch #show ip dv in vlan4
Address Interface Ver. Nbr Type Remote Index Address
13.1.1.3 Vlan1 v3.ff 0 BCAST
10.1.35.3 Vlan2 v3.ff 0 BCAST N/A
Switch #
Displayed Information Explanations
Address: Address
Interface: Interface corresponding physical interface name
Vif Index: Virtual interface index
Ver.: Interface supporting version
Nbr Cnt...
20.4.5.1.5 show ip dvmrp pr Command: show ip dvmrp pr [{group <A.B.C.D> [detail]}|{source <A.B.C.D/M> group <A.B.C.D> [detail]}|{source <A.B.C.D/M> [detail] }|detail] Function: Display DVMRP message forwarding item. Parameter: None Default: Do not display Command Mode: Any Configuration Mode Usage Guide: This command applies to display DVMRP multicast forwarding item, namely multicast forwarding table calculated by dvmrp protocol.
00:00:00
13.1.1.0/24 Vlan1 Directly Connected 00:10:22 00:00:00
Displayed Information Explanations
Network: Target net segment or address and mask
Flags: Routing state flag
Nexthop Xface: Next hop interface address
Nexthop Neighbor: Next hop neighbor
Metric: Routing metric value
Uptime: Routing uptime
Exptime: Routing expire time
20.5 DCSCM...
consequently guarantee that transmission is processed with the user-specified priority across the entire network.
20.5.2 DCSCM Configuration Task List
1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration
1. Source Control Configuration
Source Control Configuration has three parts, of which the first is to enable source control.
Command: [no] access-list <5000-5099> {deny|permit} {{<source> <source-wildcard>}|{host <source-host-ip>}|any} {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
Explanation: The rule used to configure source control. This rule does not take effect until it is applied to the specified port. Using the NO form of it can delete the specified rule.
The last is to configure the configured rule to the specified port.
Global Configuration Mode
Command: [no] access-list <6000-7999> {deny|permit} {{<source> <source-wildcard>}|{host <source-host-ip>}|any} {{<destination> <destination-wildcard>}|{host-destination ...
Explanation: The rule used to configure source control. This rule does not take effect until it is applied to a source IP or VLAN-MAC and port. Using the NO form of it can delete the specified rule.
Command: [no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>
Explanation: Configure multicast strategy, specifying the priority for sources and groups in a specific range; the priority range is <0-7>.
20.5.3 Commands for DCSCM
20.5.3.1 access-list (Multicast Source Control)
Command: access-list <5000-5099> {deny|permit} {{<source> <source-wildcard>}|{host <source-host-ip>}|any} {{<destination>...
not 0.0.0.0/0 in other access-list.
Example:
Switch(config)#access-list 5000 permit ip 10.1.1.0 0.0.0.255 232.0.0.0 0.0.0.255
20.5.3.2 access-list (Multicast Destination Control)
Command:
access-list <6000-7999> {deny|permit} {{<source> <source-wildcard>}|{host <source-host-ip>}|any} {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
access-list <6000-7999> {deny|permit} {{<source> <source-wildcard>}|{host <source-host-ip>}|any} {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
Function: Configure destination control multicast access-list, the “no access-list <6000-7999>...
20.5.3.3 ip multicast destination-control access-group Command: ip multicast destination-control access-group <6000-7999> no ip multicast destination-control access-group <6000-7999> Function: Configure multicast destination-control access-list used on interface, the “no ip multicast destination-control access-group <6000-7999>“ command deletes the configuration. Parameter: <6000-7999>: destination-control access-list number. Default: None Command Mode: Interface Configuration Mode Usage Guide: The command is only working under global multicast destination-control...
20.5.3.5 ip multicast destination-control access-group (sip) Command: ip multicast destination-control <IPADDRESS/M> access-group <6000-7999> multicast destination-control <IPADDRESS/M> access-group <6000-7999> Function: Configure the multicast destination-control access-list used on the specified net segment; the “no ip multicast destination-control <IPADDRESS/M> access-group <6000-7999>“ command deletes this configuration. Parameter: <IPADDRESS/M>: IP address and mask length;...
Example: Switch(config)#multicast destination-control 20.5.3.7 ip multicast policy Command: ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority> no ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos Function: Configure multicast policy; the “no ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos” command deletes it. Parameter: <IPADDRESS>: the multicast source address, source adapter identifier, destination address, and destination adapter identifier, respectively.
20.5.3.9 ip multicast source-control access-group Command: ip multicast source-control access-group <5000-5099> no ip multicast source-control access-group <5000-5099> Function: Configure multicast source control access-list used on interface, the “no ip multicast source-control access-group <5000-5099>“ command deletes the configuration. Parameter: <5000-5099>: Source control access-list number. Default: None Command Mode: Interface Configuration Mode Usage Guide: The command configures with only enabling global multicast source...
IP address to use that access-list.
Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
Switch(config)#access-list 6000 permit ip any any
Switch(config)#multicast destination-control
Switch(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000
In this way, users of this network segment can only join groups other than 238.0.0.0/8.
Multicast strategy
Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure its join-in switch as follows:...
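The destination-control example above (an access-list 6000 rule set bound to the 10.0.0.0/8 segment) can be checked offline before it is committed to the switch, so that an operator can confirm which groups a given host would be allowed to join. The following Python is an added example written for this section, not code from Edge-Core or from the switch; it models the manual's rule syntax with Cisco-style wildcard masks, and the implicit deny at the end of a matched access-list and the "hosts outside every controlled segment are unrestricted" behaviour are this example's own assumptions, not statements from the manual.

```python
"""Offline model of DCSCM multicast destination control (added example).

Evaluates rules written like the manual's access-list 6000 entries, e.g.
  "deny ip any 238.0.0.0 0.255.255.255"
  "permit ip any any"
against a join request (source = joining host, destination = group) using
wildcard masks: a 0 bit in the wildcard must match, a 1 bit is "don't care".
The end-of-list implicit deny and the "uncontrolled segment permits" default
are assumptions of this example, not statements from the manual.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    source: Tuple[int, int]     # (address, wildcard) as 32-bit ints
    destination: Tuple[int, int]


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_field(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse one address field starting at tokens[i]; return (field, next index)."""
    tok = tokens[i]
    if tok in ("any", "any-destination"):
        return ANY, i + 1
    if tok in ("host", "host-destination"):           # exact host: wildcard 0.0.0.0
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tok), _addr(tokens[i + 1])), i + 2  # address followed by wildcard


def parse_rule(text: str) -> Rule:
    """Parse '<deny|permit> ip <source> <destination>' into a Rule."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError("bad rule: %r" % text)
    src, i = _parse_field(tokens, 2)
    dst, i = _parse_field(tokens, i)
    if i != len(tokens):
        raise ValueError("trailing tokens in rule: %r" % text)
    return Rule(tokens[0], src, dst)


def _matches(field: Tuple[int, int], address: int) -> bool:
    base, wildcard = field
    care = ~wildcard & 0xFFFFFFFF          # bits that must be equal
    return (address & care) == (base & care)


def evaluate_acl(rules: List[Rule], host: str, group: str) -> str:
    """First matching rule wins; an unmatched request is denied (assumed implicit deny)."""
    h, g = _addr(host), _addr(group)
    for rule in rules:
        if _matches(rule.source, h) and _matches(rule.destination, g):
            return rule.action
    return "deny"


def join_allowed(controls: Dict[str, List[Rule]], host: str, group: str) -> bool:
    """controls maps a controlled segment ('10.0.0.0/8') to its bound access-list.

    Mirrors 'ip multicast destination-control <IPADDRESS/M> access-group <n>':
    the most specific segment containing the host decides; a host outside every
    controlled segment is assumed (by this example) to be unrestricted.
    """
    h = ipaddress.IPv4Address(host)
    best = None
    for segment, rules in controls.items():
        net = ipaddress.IPv4Network(segment)
        if h in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rules)
    if best is None:
        return True
    return evaluate_acl(best[1], host, group) == "permit"


# The manual's own example: users of 10.0.0.0/8 may join anything but 238.0.0.0/8.
ACL_6000 = [parse_rule("deny ip any 238.0.0.0 0.255.255.255"),
            parse_rule("permit ip any any")]
CONTROLS = {"10.0.0.0/8": ACL_6000}

if __name__ == "__main__":
    for host, group in [("10.2.3.4", "238.1.1.1"), ("10.2.3.4", "239.1.2.3"),
                        ("192.168.1.9", "238.1.1.1")]:
        verdict = "allowed" if join_allowed(CONTROLS, host, group) else "denied"
        print("%s -> %s: %s" % (host, group, verdict))
```

The rule parser also accepts the host / host-destination and address-plus-wildcard forms from the access-list syntax in 20.5.3.1 and 20.5.3.2, so the same evaluator can be used to sanity-check a source-control list (5000-5099) by treating the multicast source as the source field.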
ip multicast destination-control is enabled
ip multicast destination-control 11.0.0.0/8 access-group 6003
ip multicast destination-control 1 00-03-05-07-09-11 access-group 6001
multicast destination-control access-group 6000 used on interface Ethernet
20.5.5.1.2 show ip multicast destination-control access-list
Command: show ip multicast destination-control access-list
show ip multicast destination-control access-list <6000-7999>
Function: Display the configured destination control multicast access-lists.
<Interfacename>: interface name, such as Ethernet 1/1 or ethernet 1/1. Default: None Command Mode: Admin Mode and Global Mode Usage Guide: The command displays multicast source control rules of configuration, including detail option, and access-list information applied in detail Example: Switch#show ip multicast source-control detail ip multicast source-control is enabled Interface Ethernet use multicast source control access-list 5000...
to save all relationships of all hosts. It only needs to know whether there are receivers of some multicast group, i.e. group members, on the network segment each interface connects to. And the host only needs to save which multicast groups it joined. IGMP is asymmetric between host and router: the host needs to respond to the IGMP query messages of multicast switches, i.e.
4. IGMP version 2 added the maximum response time field IGMP version 2 added the maximum response time field to dynamically adjust the response time of the host to group query messages. The main feature of version 3 is allowing the host to choose to receive from or reject a certain source, which is the basis of SSM (Source-Specific Multicast)...
2) Configure the maximum response time of IGMP query
3) Configure time-out of IGMP query
(3) Configure IGMP version
3. Disable IGMP Protocol
Enable IGMP Protocol
There are no specific commands for enabling the IGMP Protocol on the Layer 3 switch. Enabling any multicast protocol under the corresponding interface will automatically enable IGMP.
Command: ip igmp join-group <A.B.C.D>
no ip igmp join-group <A.B.C.D>
Explanation: Configure the interface to join some IGMP group; the “no ip igmp join-group <A.B.C.D>“ command cancels the join.
Command: ip igmp static-group <A.B.C.D>
Explanation: Configure the interface to join some IGMP static group;...
20.6.3 Commands for IGMP 20.6.3.1 ip igmp access-group Command: ip igmp access-group {<acl_num | acl_name>} no ip igmp access-group Function: Configure interface to filter IGMP group; the “no ip igmp access-group” command cancels the filter condition Parameter: {<acl_num | acl_name>} is SN or name of access-list, value range of acl_name is from 1 to 99.
no ip igmp last-member-query-interval Function: Configure the interval of specific group query transmission on the interface; the “no ip igmp last-member-query-interval” command cancels the manually configured value and restores the default value. Parameter: <interval> is the interval of the specific group query, ranging from 1000ms to 25000ms;...
Parameter: <A.B.C.D>: is group address Default: Do not join Command Mode: Interface Configuration Mode Usage Guide: When the switch is the HOST, the command configures HOST to join some group; that is, if configuring the interface join-group 224.1.1.1, it will transmit IGMP member report including group 224.1.1.1 when the switch receives IGMP group query transmitted by other switches.
for every multicast group it belongs to, the host starts a timer with a value chosen at random between 0 and the maximum response time; when the timer expires, the host transmits a member report message for that multicast group. Configuring a reasonable maximum response time lets hosts respond quickly to query messages.
or not; that is, if the interface is configured to join static group 224.1.1.1, the interface always receives multicast packets for group 224.1.1.1 whether or not the interface has a receiver. Note that this is the difference between this command and the ip igmp join-group command.
The configuration procedure for SwitchA and SwitchB is as follows:
(1) Configure SwitchA:
Switch(Config)#ip pim multicast-routing
Switch (Config)#interface vlan 1
Switch(Config-If-Vlan1)#ip address 12.1.1.1 255.255.255.0
Switch(Config-If-Vlan1)#ip pim dense-mode
(2) Configure SwitchB:
Switch(Config)#ip pim multicast-routing
Switch(Config)#interface vlan1
Switch(Config-If-Vlan1)#ip address 12.1.1.2 255.255.255.0
Switch(Config-If-Vlan1)#ip pim dense-mode
Switch(Config-If-Vlan1)#exit
Switch(Config)#interface vlan2
Switch(Config-If-Vlan1)#ip address 20.1.1.1 255.255.255.0...
Parameter: None
Default: Disabled
Command Mode: Admin Mode
Usage Guide: Enable the debugging switch to query IGMP event information.
Example:
Switch# debug igmp event
igmp event debug is on
Switch# 01:04:30:56: IGMP: Group 224.1.1.1 on interface vlan1 timed out
20.6.5.1.2 debug igmp packet
Command: debug igmp packet
no debug igmp packet
Function: Enable the debugging switch for IGMP message information;...
226.0.0.1 Vlan1 00:00:01 00:04:19 1.1.1.1
239.255.255.250 Vlan1 00:00:10 00:04:10 10.1.1.1
Switch#
Displayed Information Explanations
Group Address: Multicast group IP address
Interface: Interface affiliated with the multicast group
Uptime: Multicast group uptime
Expires: Multicast group expire time
Last Reporter: Last reporter host of the multicast group
Switch (config)#show ip igmp groups 234.1.1.1 detail
IGMP Connect Group Membership (2 group(s) joined)
group Source Address Source address of this group V3 Exp Source expire time If the data of the source is forwarded or not. Flags Source property flag 20.6.5.1.4 show ip igmp interface Command: show ip igmp interface [<ifname>] Function: Display related IGMP information on interface. Parameter: <ifname>...
Chapter 21 IPv6 Multicast Protocol 21.1 PIM-DM6 21.1.1 Introduction to PIM-DM6 PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a dense-mode multicast routing protocol suited to small networks, where the members of a multicast group are relatively dense.
the multicast-forwarding item (S, G). Through this process, an SPT (Shortest Path Tree) is established with source S as the root. The prune process is started by a sub-router. The process above is called the Flooding-Prune process. Each pruned node also provides a timeout mechanism; when the prune times out, the router restarts the flooding-prune process.
PIM-DM switch on the relevant interface.
Command (Global Mode): ipv6 pim multicast-routing
Explanation: Enable PIM-DM Protocol (but the commands below are required to really run the PIM-DM protocol)
And then turn on the PIM-DM switch on the interface
Command (Port Configuration Mode): ipv6 pim dense-mode
Explanation: Start PIM-DM Protocol on the interface (Required)
21.1.3.1 ipv6 pim accept-register Command: ipv6 pim accept-register list <access-list-name> no ipv6 pim accept-register Function: Filter the specified multicast group. Parameter: <access-list-name> is the name of the applied access-list Default: Permit the multicast registers from any sources to any groups Command Mode: Global Mode Usage Guide: This command is used to configure the access-list filtering the PIM REGISTER packets. The addresses of the access-list respectively indicate the filtered multicast sources and multicast groups’...
Parameter: None Default: Disable PIM-DM protocol Command Mode: Interface Configure Mode Usage Guide: The command takes effect only after ipv6 multicast-routing is executed in Global Mode. Mixed multicast protocol operation is not supported, namely dense mode and sparse mode cannot be enabled simultaneously on one switch. The command can be configured on an IPv6 tunnel interface, but it is successful configuration to only configure tunnel carefully.
configure tunnel carefully. Example: Configure hello messages transmitted by switch to exclude Genid option. Switch(Config-if-Vlan1)#ipv6 pim exclude-genid 21.1.3.6 ipv6 pim hello-holdtime Command: ipv6 pim hello-holdtime <value> no ipv6 pim hello-holdtime Function: Configure and cancel Holdtime item value in Hello message, the value describes neighbor overtime.
neighbor overtime. The command can configure on IPv6 tunnel interface, but it is successful configuration to only configure tunnel carefully. Example: Configure PIM-DM hello interval on interface vlan1 Switch (Config)#interface vlan1 Switch(Config-if-Vlan1)#ipv6 pim hello-interval 20 21.1.3.8 ipv6 pim multicast-routing Command: ipv6 pim multicast-routing no ipv6 pim multicast-routing Function: Globally enable PIM-DM protocol;...
no ipv6 pim state-refresh origination-interval Function: Configure the transmission interval of state-refresh messages on the interface. The “no ipv6 pim state-refresh origination-interval” command restores the default value. Parameter: <interval> message transmission interval value is from 4s to 100s. Default: 60s Usage Guide: The first-hop router periodically transmits state-refresh messages to maintain the PIM-DM list items of all the downstream routers.
(2) Configure SwitchB:
Switch (Config) #ip pim multicast-routing
Switch (Config) #interface vlan 1
Switch (Config-if-Vlan1) # ipv6 address 2000:12:1:1::2/64
Switch (Config-if-Vlan1) # ipv6 pim dense-mode
Switch (Config-if-Vlan1) #exit
Switch (Config) #interface vlan 2
Switch (Config-if-Vlan2) # ipv6 address 2000:20:1:1::1/64
Switch (Config-if-Vlan2) # ipv6 pim dense-mode
21.1.5 PIM-DM Troubleshooting
When configuring and using the PIM-DM protocol, it may fail to work normally due to physical connections, incorrect configuration and so on.
21.1.5.1.2 debug ipv6 pim timer srt Command: debug ipv6 pim timer srt no debug ipv6 pim timer srt Function: Enable the debug switch for detailed PIM-DM state-refresh timer information; the “no debug ipv6 pim timer srt” command disables the debug switch. Parameter: None Default: Disabled Admin Mode...
Nbr Count: The interface’s neighbor count
DR Prior: DR priority
The interface’s DR address
21.1.5.1.4 show ipv6 pim neighbor
Command: show ipv6 pim neighbor [detail|]
Function: Display router neighbors
Parameter: None
Default: None
Command Mode: Any Mode
Usage Guide: Display multicast router neighbors maintained by PIM
Example:
Switch(config)#show ipv6 pim neighbor
Neighbor...
Addr Ifindex Name
2000:1:111::11 ..S. 1 2004
2000:1:111::100 .RS. 1 2004 2004
Displayed Information Explanations
Destination: Destination of next item
Type: N: created nexthop, RP direction and S direction are not determined; R: RP direction; S: source direction; U: can’t reach
Nexthop Num: Nexthop number
Nexthop Addr...
case. Interface information can be checked in detail with the show interface command. 21.1.5.1.7 show ipv6 mroute Command: show ipv6 mroute [<GroupAddr> [<SourceAddr>]] Function: Show the IPv6 software multicast route table Parameter: GroupAddr: show the multicast entries relative to this group address. SourceAddr: show the multicast route entries relative to this source address Default: None Command Mode: Admin mode and global mode Usage Guide:...
the value of TTL Remark: This command is common in PIM-SM6. 21.2 PIM-SM6 21.2.1 Introduction to PIM-SM6 PIM-SM6 (Protocol Independent Multicast, Sparse Mode) is the IPv6 version of Protocol Independent Multicast Sparse Mode. It is a sparse-mode multicast routing protocol, mainly used in large networks whose group members are distributed relatively sparsely and widely.
(2) Multicast Source Registration When multicast source S sends a multicast packet to multicast group G, the PIM-SM multicast router directly connected to it takes charge of encapsulating the multicast packet in a Register message and unicasting it to the corresponding RP. If there is more than one PIM-SM multicast router on a network segment, then the DR (Designated Router) takes charge of forwarding the multicast packet.
1) Configure PIM-SM hello message interval time
2) Configure interface as PIM-SM domain boundary
(2) Configure PIM-SM global parameters
1) Configure switch as candidate BSR
2) Configure switch as candidate RP
3) Configure static RP
3. Shut down PIM-SM Protocol
1.
Command: ipv6 pim hello-holdtime <value>
no ipv6 pim hello-holdtime
Explanation: Configure the value of the holdtime field in the interface PIM-SM hello message; the NO operation of this command restores the default value.
3) Configure PIM-SM Neighbor Access-list
Command (Port Configuration Mode): (no) ipv6 pim neighbor-filter...
Explanation: Configure Neighbor Access-list. If a neighbor is filtered by the list and a connection has been set up with this neighbor, then this...
Command: ipv6 rp-address <rp-address> [<group-range>]
ipv6 rp-address <rp-address> {all|<group-range>}
Explanation: This is the global candidate RP configuration command, used to configure PIM-SM candidate RP information so that it can compete for the RP router role with other candidate RPs. The NO operation cancels the RP configuration.
is used to configure PIM-SM information about the candidate BSR in order to compete for the BSR router role with other candidate BSRs. The “no ipv6 pim bsr-candidate [ifname]” command disables the candidate BSR. Parameter: <ifname> is the specified interface name; [hash-mask-length] is the specified hash mask length. It’s used for the RP selection and ranges from 0 to 32;...
Parameter: <priority> priority, it ranges from 0 to 4294967294 Default: 1 Command Mode: Interface Configuration Mode Usage Guide: Range from 0 to 4294967294, the higher value has more priority. The command can configure on IPv6 tunnel interface, but it is successful configuration to only configure tunnel carefully.
modified to 3.5*hello_interval, otherwise the configured value is maintained. The command can configure on IPv6 tunnel interface, but it is successful configuration to only configure tunnel carefully. Example: Configure vlan1’s Hello Holdtime to 10s Switch (Config)# interface vlan1 Switch (Config -if-Vlan1)#ipv6 pim hello-holdtime 10 21.2.3.7 ipv6 pim hello-interval Command: ipv6 pim hello-interval <interval>...
Example: Configure to ignore RP priority. Switch(config)#ipv6 pim ignore-rp-set-priority 21.2.3.9 ipv6 pim jp-timer Command: ipv6 pim jp-timer <value> no ipv6 pim jp-timer Function: Configure the JP timer; no ipv6 pim jp-timer restores the default value. Parameter: <value> ranges from 10 to 65535 Default: 60s Command Mode: Global Mode Usage Guide: Configure the interval of transmitting J/P messages to 59s.
Command: ipv6 pim Register-rp-reachability no ipv6 pim Register-rp-reachability Function: This command makes DR check the RP reachability in the process of registration Parameter: None Default: Do not check Command Mode: Global Mode Usage Guide: This command configures DR whether or not to check the RP reachability. Example: Configure the router to check the RP reachability before sending register packets.
Usage Guide: If this value is configured at DR,it’s the value of register suppression timer; if this value is configured at RP and ipv6 pim rp-register-kat is not used at RP, this command modifies Keepalive-period value. The “no ipv6 pim register-suppression” command restores the default value.
Example: Configure vlan1 as the sending interface of candidate RP announce messages Switch (Config)# ipv6 pim rp-candidate vlan1 100 21.2.3.19 ipv6 pim rp-register-kat Command: ipv6 pim rp-register-kat <value> no ipv6 pim rp-register-kat Function: This command configures the KAT (KeepAlive Timer) value of the RP (S,G) items; the unit is seconds.
Command Mode: Global Mode Usage Guide: 1. PIM SSM is available only when this command is configured. 2. Before configuring this command, make sure ipv6 pim multicasting has succeeded. 3. The access-list can only use lists created by ipv6 access-list. 4. Users can execute this command first and then configure the corresponding acl, or delete the corresponding acl in the binding.
Switch (Config-If-Vlan2) # ipv6 address 2000:24:1:1::4/64
Switch (Config-If-Vlan2) # ipv6 pim sparse-mode
Switch (Config-If-Vlan2) #exit
Switch (Config) #interface vlan 3
Switch (Config-If-Vlan3) # ipv6 address 2000:40:1:1::1/64
Switch (Config-If-Vlan3) # ipv6 pim sparse-mode
21.2.5 PIM-SM Troubleshooting
When configuring and using the PIM-SM protocol, it may fail to work normally due to physical connections, incorrect configuration and so on.
21.2.5.1.2 debug ipv6 pim timer srt Command: debug ipv6 pim timer srt no debug ipv6 pim timer srt Function: Enable the debug switch for detailed PIM-SM state-refresh timer information; the “no debug ipv6 pim timer srt” command disables the debug switch. Parameter: None Default: Disabled Command Mode: Admin Mode...
Default: Disabled Command Mode: Admin Mode and Global Mode Usage Guide: Inspect PIM MIB information by PIM MIB debug switch. It’s not available now and it’s for the future extension. Example: Switch# debug ipv6 pim mib 21.2.5.1.6 debug ipv6 pim nexthop Command: debug ipv6 pim nexthop no debug ipv6 pim nexthop Function: Enable or Disable pim nexthop debug switch...
21.2.5.1.9 debug ipv6 pim state Command: debug ipv6 pim state no debug ipv6 pim state Function: Enable or Disable pim debug switch Parameter: None Default: Disabled Command Mode: Admin Mode and Global Mode Usage Guide: Inspect the changing information about pim state by this switch. Example: Switch# debug ipv6 pim state 21.2.5.1.10 debug ipv6 pim timer Command: debug ipv6 pim timer...
no debug ipv6 pim timer hello ht
no debug ipv6 pim timer hello nlt
no debug ipv6 pim timer hello tht
no debug ipv6 pim timer hello
no debug ipv6 pim timer joinprune et
no debug ipv6 pim timer joinprune grt
no debug ipv6 pim timer joinprune jt
no debug ipv6 pim timer joinprune kat
no debug ipv6 pim timer joinprune ot...
RP: 2000:1:111::100(Vlan2) Displayed Information Explanations BSR address Bsr-router Address Priority Bsr-router Priority Hash mask length Bsr-router hash mask length State The current state of this candidate BSR, Elected BSR is selected BSR 21.2.5.1.12 show ipv6 pim interface Command: show ipv6 pim interface [detail|] Function: Display PIM interface information Parameter: None Default: None...
Parameter: None
Default: None
Command Mode: Admin Mode and Global Mode
Usage Guide: Display the BSP routers in the network maintained by PIM-SM
Example:
Switch#show ipv6 pim mr group ff1e::15
IPv6 Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0...
Displayed Information Explanations
Entries: The counts of each item
Share tree’s RP address
RPF nbr: RP direction or upstream neighbor of source direction
RPF idx: RPF nbr interface
Upstream State: Upstream state; there are two states, Joined (joined the tree, expecting to receive data from upstream) and Not Joined (left the tree, not expecting to receive data from upstream), and more options such as RPT...
PIM version, usually v2 DR Priority/Mode: DR priority in the hello messages from the neighbor and whether the neighbor is the interface’s DR 21.2.5.1.15 show ipv6 pim nexthop Command: show ipv6 pim nexthop Function: Display the PIM buffered nexthop router in the unicast route table Parameter: None Default: None Command Mode: Any Mode...
Pref Preference Route preference Refcnt Reference count 21.2.5.1.16 show ipv6 pim rp-hash Command: show ipv6 pim rp-hash X:X::X:X Function: Display the RP address of group X:X::X:X’s merge point Parameter: Group address Default: None Command Mode: Any Mode Usage Guide: Display the RP address corresponding to the specified group address Example: Switch#show ipv6 pim rp-hash ff1e::15 RP: 2000:1:111::100...
Info source Source of Bootstrap messages Priority Priority of Bootstrap messages 21.3 MLD 21.3.1 Introduction to MLD MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast. It is similar to IGMP Protocol in IPv4 multicast application.
(2) Configure MLD query parameters 1) Configure the interval of MLD sending query messages 2) Configure the maximum response time of MLD query 3) Configure the timeout of MLD query 3. Shut down MLD Protocol Start MLD Protocol There are no special commands for starting the MLD Protocol on EDGECORE series layer 3 switches.
Command: ipv6 mld query-interval <time_val>
no ipv6 mld query-interval
Explanation: Configure the interval of periodically sent query messages; the NO operation of this command restores the default value.
Command: ipv6 mld query-max-response-time
Explanation: Configure the maximum response time of the interface for MLD query; the NO operation of this command restores the default value.
Command: ipv6 mld immediate-leave group-list {<acl-name>} no ipv6 mld immediate-leave Function: Configure MLD to work in immediate leave mode; that is, when the host sends a membership report that amounts to leaving a group, the router does not send a query and considers that there is no member of this group in the subnet. The “no ipv6 mld immediate-leave”...
host-query messages periodically. This command is used to configure the query period.
Example: Configure the interval of the periodically sent MLD host-query messages to
Switch (Config)#interface vlan 1
Switch(Config-If-Vlan1)#ipv6 mld query-interval 10
21.3.3.5 ipv6 mld query-max-response-time
Command: ipv6 mld query-max-response-time <time_val>
no ipv6 mld query-max-response-time
Function: Configure the maximum response time of MLD queries;...
Switch (Config)#interface vlan 1 Switch(Config-If-Vlan1)#ipv6 mld query-timeout 100 21.3.3.7 ipv6 mld access-group Command: ipv6 mld access-group {<acl_name>} no ipv6 mld access-group Function: Configure the filter conditions of the interface on the MLD group; the “no ipv6 mld access-group” command cancels the filter conditions. Parameter: <acl-name>...
Function: Configure the sources of a certain multicast group which the interface joins. Note: because the client group has only INCLUDE and EXCLUDE modes, if the source mode is not in accordance with the currently configured mode, the group mode will be changed and the originally configured sources of the other mode will be cleared permanently;...
Switch(Config-if-Vlan2)#ipv6 mld limit 4000 21.3.3.11 ipv6 mld static-group Command: ipv6 mld static-group <group_address> [source <source_address>] no ipv6 mld static-group <group_address> [source <source_address>] Function: Configure certain static group or static source on the interface. The “no” form of this command cancels certain previously configured static group or static source Parameter:<group_address>...
21.3.4 MLD Typical Application
As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding vlan, and start PIM6 on each vlan interface.
[Figure labels: SwitchA, SwitchB, Vlan 2, Vlan 1, Vlan 1] Fig 21-3 Network Topology Diagram
The configuration procedure for SwitchA and SwitchB is as below:
(1) Configure SwitchA:
Switch (Config) #ipv6 pim multicast-routing...
Assure the physical connection is correct. Assure the protocol of the interface and link is UP (use the show interface command). Assure that one kind of multicast protocol is started on the interface. Assure that the timers of each router on the same network segment are consistent;...
Usage Guide: This switch can be enabled to get MLD packet information.
Example:
Switch# deb ipv6 mld packet
Switch#1970/01/01 07:33:12 IMI: Recv MLD packet
1970/01/01 07:33:12 IMI: Type: Listener Report (131)
1970/01/01 07:33:12 IMI: Code: 0
1970/01/01 07:33:12 IMI: Checksum: 3b7a
1970/01/01 07:33:12 IMI: Max Resp Delay: 0
1970/01/01 07:33:12 IMI: Reserved: 0
1970/01/01 07:33:12 IMI: Multicast Address: ff1e::1:3...
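The fields the debug output above prints (Type, Code, Checksum, Max Resp Delay, Reserved, Multicast Address) are the fixed 24-byte MLDv1 header carried in ICMPv6, and the checksum the switch shows is computed over an IPv6 pseudo-header as well as the message. The following Python is an added example written for this section, not code from Edge-Core or from the switch: it builds a Listener Report for ff1e::1:3 from constructed bytes, decodes it into the same fields, and verifies the checksum, so that a capture can be checked for corruption before its contents are trusted. The source address fe80::203:fff:fe01:e4a is the link-local address shown for vlan1 later in this section; its use as the sender here is an assumption of the example.

```python
"""Parse and checksum-verify an MLDv1 message (added example, not switch code).

Decodes the fields the switch's 'debug ipv6 mld packet' output prints (Type,
Code, Checksum, Max Resp Delay, Reserved, Multicast Address) from raw bytes and
validates the ICMPv6 checksum, which covers an IPv6 pseudo-header (source,
destination, upper-layer length, next header 58) plus the message itself.
The sample packet is constructed below; the addresses are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass

MLD_LISTENER_QUERY, MLD_LISTENER_REPORT, MLD_LISTENER_DONE = 130, 131, 132
TYPE_NAMES = {130: "Listener Query", 131: "Listener Report", 132: "Listener Done"}
ICMPV6_NEXT_HEADER = 58
MLD_HEADER_LEN = 24  # type, code, checksum, max resp delay, reserved, 16-byte group


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum over the IPv6 pseudo-header and the ICMPv6/MLD message.

    With the checksum field zeroed this returns the value to insert; run over a
    message whose checksum field is already correct it returns 0.
    """
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00"
              + bytes([ICMPV6_NEXT_HEADER]))
    return (~_ones_complement_sum(pseudo + message)) & 0xFFFF


def build_mld(msg_type: int, group: str, src: str, dst: str,
              max_resp_delay: int = 0) -> bytes:
    """Build an MLDv1 message with a correct checksum."""
    body = (struct.pack("!BBHHH", msg_type, 0, 0, max_resp_delay, 0)
            + ipaddress.IPv6Address(group).packed)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


@dataclass
class MldMessage:
    msg_type: int
    code: int
    checksum: int
    max_resp_delay: int
    reserved: int
    group: str
    checksum_ok: bool

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.msg_type, "unknown (%d)" % self.msg_type)


def parse_mld(message: bytes, src: str, dst: str) -> MldMessage:
    """Decode an MLDv1 message and verify its checksum against the IPv6 addresses."""
    if len(message) < MLD_HEADER_LEN:
        raise ValueError("MLD message shorter than %d bytes" % MLD_HEADER_LEN)
    msg_type, code, csum, mrd, reserved = struct.unpack("!BBHHH", message[:8])
    group = str(ipaddress.IPv6Address(message[8:24]))
    return MldMessage(msg_type, code, csum, mrd, reserved, group,
                      checksum_ok=icmpv6_checksum(src, dst, message) == 0)


# Constructed sample: a Listener Report for ff1e::1:3. An MLDv1 report is sent to
# the reported group address itself; the link-local source is an assumed value.
SAMPLE_SRC = "fe80::203:fff:fe01:e4a"
SAMPLE_DST = "ff1e::1:3"
SAMPLE_REPORT = build_mld(MLD_LISTENER_REPORT, "ff1e::1:3", SAMPLE_SRC, SAMPLE_DST)

if __name__ == "__main__":
    msg = parse_mld(SAMPLE_REPORT, SAMPLE_SRC, SAMPLE_DST)
    print("Type: %s (%d)" % (msg.type_name, msg.msg_type))
    print("Code:", msg.code)
    print("Checksum: %04x (%s)" % (msg.checksum, "ok" if msg.checksum_ok else "BAD"))
    print("Max Resp Delay:", msg.max_resp_delay)
    print("Reserved:", msg.reserved)
    print("Multicast Address:", msg.group)
```

Because the checksum binds the IPv6 source and destination, a report replayed from a different address or with an altered group fails verification, which is the check worth running on captured MLD traffic before acting on what a debug trace shows.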
Parameter: <ifname> is the name of the interface . Display the MLD information of a specific interface. Default: Do not display Command Mode: Admin Mode Example: Display the MLD information of the Ethernet Interface vlan1 Switch#show ipv6 mld interface Vlan1 Interface Vlan1(2003) Index 2003 Internet address is fe80::203:fff:fe01:e4a...
21.4.2 MLD Snooping Configuration Task
1. Enable the MLD Snooping function
2. Configure the MLD Snooping
1. Enable the MLD Snooping function
Command (Global Mode): ipv6 mld snooping
no ipv6 mld snooping
Explanation: Enable global MLD Snooping; the “no ipv6 mld snooping” command disables global MLD snooping.
2.
ipv6 snooping vlan <vlan-id> query-interval
Command: ipv6 mld snooping vlan <vlan-id> immediate-leave
ipv6 snooping vlan <vlan-id> immediate-leave
Explanation: Configure the immediate leave multicast group function for the MLD Snooping of the specified vlan. The “no” form of this command cancels the immediate leave configuration.
Configure the query maximum response period.
snooping” command disables MLD Snooping Command Mode: Global Mode Default:MLD Snooping disabled on the switch by default Usage Guide: Enable global MLD Snooping on the switch, namely allow every vlan to be configured with MLD Snooping; the “no” form of this command will disable MLD Snooping on all the vlans as well as the global MLD snooping Example: Enable MLD Snooping under global mode.
Command: ipv6 mld snooping vlan < vlan-id > l2-general-querier no ipv6 mld snooping vlan < vlan-id > l2-general-querier Function: Set the vlan to Level 2 general querier Parameter: vlan-id: is the id number of the VLAN, with a valid range of <1-4094> Command Mode: Global Mode Default: vlan is not a MLD Snooping L2 general querier by default.
21.4.3.7 ipv6 mld snooping vlan mrouter-port interface Command: ipv6 snooping vlan <vlan-id> mrouter-port interface (<ethernet>|<port-channel>)<ifname> ipv6 snooping vlan <vlan-id> mrouter-port interface (<ethernet>|<port-channel>)<ifname> Function: Set the static mrouter port of the vlan; the “no” form of this command cancels the configuration. Parameter: vlan-id: vlan id, the valid range is <1-4094>...
Page 788
Usage Guide: It is recommended to use the default value; if layer 3 MLD is in operation, make this configuration consistent with the MLD configuration as far as possible.
Example: Switch(config)#ipv6 mld snooping vlan 2 query-interval 130
21.4.3.10 ipv6 mld snooping vlan query-mrsp
Command: ipv6 mld snooping vlan <vlan-id>...
Parameter: vlan-id: vlan id, valid range: <1-4094>; value: query interval, valid range: <1-65535> secs.
Command Mode: Global Mode
Default: 255s
Usage Guide: This command can only be configured on an L2 general querier. The suppression-query-time is the period for which the suppression state is maintained when the general querier receives queries from layer 3 MLD within the segment. To use this command, the query-intervals of the different switches within the same segment must agree.
2. Display the detailed MLD Snooping information of vlan1
Switch#show ipv6 mld snooping vlan 1
Mld snooping information for vlan 1
Mld snooping L2 general querier :Yes(COULD_QUERY)
Mld snooping query-interval :125(s)
Mld snooping max reponse time :10(s)
Mld snooping robustness
Mld snooping mrouter port keep-alive time :255(s)
Mld snooping query-suppression time...
Command: show mac-address-table multicast [vlan <vlan-id>]
Function: Display the information of the multicast MAC address table
Parameter: <vlan-id>, the VLAN ID of the entries to be displayed.
Command Mode: Admin Mode
Default: The mapping between multicast MAC addresses and ports is not displayed by default.
Four hosts are connected to ports 2, 6, 10 and 12 respectively, while the multicast router is on port 1. Suppose we need MLD snooping on vlan 100; however, by default both global MLD snooping and MLD snooping on each vlan are disabled. Therefore we first have to enable global MLD snooping and at the same time enable MLD snooping on vlan 100; furthermore we need to set port 1 of vlan 100 as an mrouter port.
Fig 16-5 Switches as MLD Querier Function figure
The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router of case 1. Assume the vlan 60 configured on it contains ports 1, 2, 10 and 12, among which port 1 is connected to the multicast server and port 2 to switch 2.
Chapter 22 ACL Configuration
22.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It provides network traffic control by granting or denying access through the switch, effectively safeguarding the security of the network. The user lays down a set of rules according to information specific to packets; each rule describes the action for a packet whose information matches: “permit”...
There are two access-list actions and default actions: “permit” or “deny”.
The following rules apply:
An access-list can consist of several rules.
Packet filtering compares the packet against the rules in order, from the first rule to the first matching rule; the remaining rules are not processed.
Exit MAC-IP Configuration Mode
2. Configuring the packet filtering function
Enable the global packet filtering function
Configure the default action.
3. Configuring the time range function
Create the name of the time range
Configure a periodic time range
Configure an absolute time range
4. Bind an access-list to a specific direction of the specified port.
5.
access-list <num> {deny | permit} igmp {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>]: Creates a numbered IGMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list will be created using this number.
access-list ip {standard | extended} <name>; no access-list ip {standard | extended} <name>: Creates a name-based standard access-list; the “no access-list ip {standard | extended} <name>” command deletes the name-based standard access-list.
b. Specify multiple “permit” or “deny” rules
Command / Explanation (Standard IP ACL Mode):
Creates standard...
[no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any | {host <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>]: Creates an extended name-based ICMP access rule; the “no” form of the command deletes this name-based extended IP access rule.
Creates extended...
access-list <num> {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}}; no access-list <num>: Creates a numbered standard MAC access-list; if the access-list already exists, a rule is added to the current access-list; the “no access-list <num>” command deletes a numbered standard MAC access-list.
Creates a numbered MAC extended access-list
Command / Explanation (Global Mode)...
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]: Creates an extended name-based MAC access rule matching MAC frames; the “no” form of the command deletes this name-based extended MAC access rule.
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-d...: Creates an extended name-based MAC access rule matching untagged...
exit: Quit extended name-based MAC access configuration mode
Configuring a numbered extended MAC-IP access-list
Command / Explanation (Global mode):
access-list <num> {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-desti...: Creates a numbered extended MAC-IP (ICMP) access rule; if the numbered extended access-list of the specified number does not exist, an access-list will...
access-list <num> {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port <port1>] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port <port3>] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates a numbered extended MAC-IP (TCP) access rule; if the numbered extended access-list of the specified number does not exist, an access-list will be created using this number.
access-list <num> {deny|permit} {any-source-mac|...
a) Create a standard MAC-IP access-list based on nomenclature
Command / Explanation (Global Mode):
mac-ip-access-list extended <name>; no mac-ip-access-list extended <name>: Creates an extended name-based MAC-IP access-list; the “no” form of the command deletes this name-based extended MAC-IP access-list.
b) Specify multiple “permit” or “deny” rule entries
Command / Explanation (Extended name-based MAC-IP access Mode)...
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port <port1>] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port <port3>] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]: Creates an extended name-based MAC-TCP access rule; the “no” form of the command deletes this name-based extended MAC-TCP access rule.
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | ...: Creates an extended name-based MAC-UDP access rule; the “no” form of the command deletes...
2. Configuring the packet filtering function
(1) Enable the global packet filtering function
Command / Explanation (Global Mode):
firewall enable: Enables the global packet filtering function
firewall disable: Disables the global packet filtering function
(2) Configure the default action.
Command / Explanation (Global Mode):
firewall default {permit | deny [ipv4|ipv6|arp|all]}: Sets the default action; “permit”...
[no] absolute-periodic {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <start_time> to {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <end_time>
[no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>: the “no” form stops the function of the time range in the week
(3) Configure an absolute time range
Command / Explanation (Global Mode):
absolute start <start_time> <start_data> [end <end_time> <end_data>]: Configure an absolute time range
[no] absolute start <start_time> <start_data> [end <end_time> <end_data>]: stop the function of the absolute time range...
22.2.2 Commands for ACL
22.2.2.1 absolute-periodic/periodic
Command: [no] absolute-periodic {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <start_time> to {Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <end_time>
[no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
Functions: Define the time-range of different commands within one week; the range repeats every week.
Parameters: (Friday) Friday (Monday)
Make configurations effective within the period from 14:30:00 to 16:45:00 on Monday, Wednesday, Friday and Sunday.
Switch(Config-Time-Range)# periodic Monday Wednesday Friday Sunday 14:30:00 to 16:45:00
22.2.2.2 absolute start
Command: [no] absolute start <start_time> <start_data> [end <end_time> <end_data>]
Functions: Define an absolute time-range; this time-range operates according to the clock of this device.
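As an added illustration of the absolute-periodic and periodic semantics described in this section (not code from the manual or from Edge-Core), the following Python functions decide whether a given timestamp falls inside a weekly window. The day names, the daily/weekdays/weekend keywords and the HH:MM:SS times follow the command syntax above; the sample timestamps are constructed, and the handling of a window that runs past Sunday midnight (for example Friday 18:00:00 to Monday 8:00:00) is an assumption about the intended behaviour, not something the manual states:

```python
from datetime import datetime, time
from typing import Iterable, Union

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _parse_time(text: str) -> time:
    """Accepts the manual's HH:MM:SS form, including unpadded values such as 0:0:0."""
    h, m, s = (int(part) for part in text.split(":"))
    return time(h, m, s)


def _second_of_week(day: str, t: time) -> int:
    """Seconds elapsed since Monday 00:00:00 of the current week."""
    return DAYS.index(day) * 86400 + t.hour * 3600 + t.minute * 60 + t.second


def absolute_periodic_active(start_day: str, start_time: str,
                             end_day: str, end_time: str, when: datetime) -> bool:
    """absolute-periodic: one continuous window per week, from start_day start_time
    to end_day end_time inclusive. A window whose end precedes its start is
    assumed to wrap across the Sunday/Monday boundary."""
    start = _second_of_week(start_day, _parse_time(start_time))
    end = _second_of_week(end_day, _parse_time(end_time))
    now = _second_of_week(DAYS[when.weekday()], when.time().replace(microsecond=0))
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def periodic_active(days: Union[str, Iterable[str]], start_time: str,
                    end_time: str, when: datetime) -> bool:
    """periodic: the same daily window on each listed day. 'days' is a list of
    day names or one of the keywords daily, weekdays, weekend."""
    if days == "daily":
        selected = set(DAYS)
    elif days == "weekdays":
        selected = set(DAYS[:5])
    elif days == "weekend":
        selected = {"Saturday", "Sunday"}
    else:
        selected = set(days)
    if DAYS[when.weekday()] not in selected:
        return False
    # The manual's ranges are whole seconds, so drop microseconds before comparing
    now = when.time().replace(microsecond=0)
    return _parse_time(start_time) <= now <= _parse_time(end_time)


if __name__ == "__main__":
    # Constructed timestamps: 6 Jan 2024 is a Saturday, 8 Jan 2024 a Monday.
    print(absolute_periodic_active("Saturday", "0:0:0", "Sunday", "23:59:59",
                                   datetime(2024, 1, 6, 12, 0)))
    print(periodic_active(["Monday", "Wednesday", "Friday", "Sunday"],
                          "14:30:00", "16:45:00", datetime(2024, 1, 8, 15, 0)))
```

The two constructed calls correspond to the timer1 range shown in the show time-range output later in this chapter and to the periodic example above.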
34(0x22): IGMP V3 REPORT packet
19(0x13): DVMRP packet
20(0x14): PIM V1 packet
Particular notice: the packet types listed here apply only to packets without IP OPTION fields. Normally, IGMP packets contain OPTION fields, so this configuration is of no use for such packets.
<length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>]]]]]
no access-list <num>
Functions: Define an extended numeric MAC ACL rule; the ‘no access-list <num>’ command deletes an extended numeric MAC access-list rule.
Parameters: <num> is the access-list number, a decimal number from 1100-1199; deny: if the rule matches, deny access;...
{host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Functions: Define an extended numeric MAC-IP ACL rule; the ‘no’ form of the command deletes an extended numeric MAC-IP ACL access-list rule.
Parameters: <num> is the access-list serial number, a decimal number from 3100-3199; deny: if the rule matches, deny access; permit: if the rule matches, permit access; any-source-mac: any source MAC address;...
Command Mode: Global mode
Default Configuration: no access-list configured
Usage Guide: When the user assigns a specific <num> for the first time, the ACL with that serial number is created; rules are then added into this ACL.
Examples: Permit the passage of TCP packets with source MAC 00-12-34-45-XX-XX, any destination MAC address, source IP address 100.1.1.0 0.255.255.255, source port 100 and destination port 40000.
22.2.2.9 firewall
Command: firewall {enable | disable}
Functions: Enable or disable the firewall
Parameters: enable enables the firewall; disable disables the firewall.
Default: The firewall is not in use by default.
Command Mode: Global mode
Usage Guide: Access rules can be configured whether the firewall is enabled or disabled, but only when the firewall is enabled can the rules be applied to specific directions of specific ports.
Examples: Create a named extended IP access-list whose name is tcpFlow.
Switch(Config)# access-list ip extended tcpFlow
22.2.2.12 ipv6 access-list
Command: ipv6 access-list <num-std> {deny | permit} {<sIPv6Prefix/sPrefixlen> | any-source | {host-source <sIPv6Addr>}}
ipv6 access-list <num-ext> {deny | permit} icmp {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}...
port; <dPort>, destination port number, range 0 to 65535; <dPortMin>, the lower boundary of the destination port; <dPortMax>, the upper boundary of the destination port; <next-header>, the IPv6 next header, range 0 to 255.
Command Mode: Global mode
Default: No access-list configured
Usage Guide: Creates numbered standard IP access-list 520 the first time; the following configuration adds to the current access-list.
no entry will be created
Example: Create an extended IPv6 access list named “tcpFlow”.
Switch(Config)#ipv6 access-list extended tcpFlow
22.2.2.15 {ip|ipv6|mac|mac-ip} access-group
Command: {ip|ipv6|mac|mac-ip} access-group <name> {in} [traffic-statistic]
no {ip|mac|mac-ip} access-group <name> {in}
Function: Apply an access-list to a direction of a port, and determine with the option whether a statistics counter is added to the ACL rule;...
Parameters: <name> is the name of the access-list, containing no blank or quotation mark; it must start with a letter and its length cannot exceed 16 (remark: case sensitive).
Command Mode: Global mode
Default Configuration: No access-lists configured
Usage Guide: After issuing this command for the first time, only an empty named access-list is created, with no list items included.
named standard IP access rule.
Parameters: <sIpAddr> is the source IP address, in dotted decimal notation; <sMask> is the reverse mask of the source IP, in dotted decimal notation;
Command Mode: Named standard IP access-list configuration mode
Default: No access-list configured
Example: Permit packets with source address 10.1.1.0/24 to pass, and deny other packets with source address 10.1.1.0/16.
untagged-802-3: format of an untagged Ethernet 802.3 packet; tagged-802-3: format of a tagged Ethernet 802.3 packet; cos-val: cos value, 0-7; cos-bitmask: cos mask, 0-7, a reverse mask whose mask bits are consecutive; vid-value: vlan No., 1-4094; vid-bitmask: vlan mask, 0-4095, a reverse mask whose mask bits are consecutive; protocol: specific Ethernet protocol No., 1536-65535;...
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
Functions: Define an extended named MAC-IP ACL rule; the ‘no’ form deletes one extended named MAC-IP ACL access-list rule.
of the TCP/UDP source port No.; the port No. is an integer from 0-65535; <sPortMin>, the lower boundary of the source port; <sPortMax>, the upper boundary of the source port; d-port (optional): match the TCP/UDP destination port; port3 (optional): value of the TCP/UDP destination port No., an integer from 0-65535; <dPortMin>, the lower boundary of the destination port;...
protocol.
Parameter: <sIPv6Addr> is the source IPv6 address; <sPrefixlen> is the length of the IPv6 address prefix, range 1 ~ 128; <dIPv6Addr> is the destination IPv6 address; <dPrefixlen> is the length of the IPv6 address prefix, range 1 ~ 128; <igmp-type>, type of the igmp; <icmp-type>, icmp type; <icmp-code>, icmp protocol number; <dscp>, IPv6 priority, range 0~63; <fl>, value of the flow label, range 0 ~...
Functions: Create the time-range with the given name and enter time-range mode at the same time.
Parameters: time_range_name, the time range name; it must start with a letter, and its length cannot exceed 16 characters.
Command Mode: Global mode
Default: No time-range configured
Usage Guide:
Examples: Create a time-range named dc timer.
interface name:Ethernet1/10
the ingress acl use in firewall is 110.
22.4 ACL Troubleshooting
ACL entries are checked in top-down order, and checking ends as soon as an entry is matched.
The default rule is used only if no ACL is bound to the specific direction of the port, or no ACL entry is matched.
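To make the first-match evaluation order, the reverse (wildcard) mask semantics of the access-list syntax and the firewall default action concrete (sections 22.1, 22.2 and the troubleshooting note above), here is an added Python model. It is not code from the manual or from the switch; the rule and packet values are constructed to mirror examples in this chapter (the named standard list permitting 10.1.1.0/24 and denying the rest of 10.1.0.0/16, and the numeric extended ACL 110 denying TCP from 10.0.0.0/24 to port 21), and the Rule and Packet classes are this example's own simplification of the command syntax:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Reverse-mask matching as used in the access-list syntax: a 1 bit in the
    wildcard means 'do not care', a 0 bit must match exactly (0.0.0.255 = /24)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every protocol, else "tcp"/"udp"/"icmp"
    src: str = "any"
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    dport: Optional[int] = None   # d-port, only checked when given


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and not wildcard_match(pkt.src, rule.src, rule.src_wild):
        return False
    if rule.dst != "any" and not wildcard_match(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: Optional[List[Rule]], pkt: Packet,
             default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Top-down evaluation: the first matching entry decides and later entries are
    not examined. The firewall default action applies when no ACL is bound to the
    port/direction (acl is None) or when no entry matches. Returns (action, index)."""
    if acl is None:
        return default_action, None
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default_action, None


# Constructed lists mirroring the examples in this chapter.
# Named standard list: permit 10.1.1.0/24, deny the rest of 10.1.0.0/16.
ACL_STANDARD = [
    Rule("permit", src="10.1.1.0", src_wild="0.0.0.255"),
    Rule("deny", src="10.1.1.0", src_wild="0.0.255.255"),
]
# Numbered extended list 110: deny TCP from 10.0.0.0/24 to destination port 21.
ACL_110 = [
    Rule("deny", proto="tcp", src="10.0.0.0", src_wild="0.0.0.255", dport=21),
]


if __name__ == "__main__":
    for p in (Packet("10.1.1.5", "10.2.2.2", "tcp", 80),
              Packet("10.1.2.5", "10.2.2.2", "tcp", 80),
              Packet("192.168.1.1", "10.2.2.2", "tcp", 80)):
        print(p.src, evaluate(ACL_STANDARD, p, default_action="permit"))
```

Note the order dependence: swapping the two entries of ACL_STANDARD would make the deny entry match 10.1.1.5 first, which is the usual cause of an ACL that "does not work" when checked with the troubleshooting steps above.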
access-list 100 deny ip any any-destination
access-list 100 deny tcp any any-destination
access-list 1100(used 0 time(s))
access-list 1100 permit any-source-mac any-destination-mac tagged-eth2 14 2 0800
access-list 3100(used 0 time(s))
access-list 3100 deny any-source-mac any-destination-mac udp any s-port 100 any-destination d-port 40000
Displayed information / Explanation
access-list 10(used 1 time(s))
interface name: Ethernet
the ingress acl use in firewall is 111,packet(s) number is 10.
the egress acl use in firewall is 100,packet(s) number is 10.
interface name: Ethernet
the ingress acl use in firewall is 10,packet(s) number is 10.
Displayed information / Explanation
interface name: Ethernet: Binding situation on port Ethernet1/2...
Parameters: word: the name of the time-range to be displayed
Default: None
Command Mode: Admin mode
Usage Guide: When no time-range name is given, all time-ranges are displayed.
Examples:
Switch#show time-range
time-range timer1 (inactive)
absolute-periodic Saturday 0:0:0 to Sunday 23:59:59
time-range timer2 (active)
absolute-periodic Monday 0:0:0 to Friday 23:59:59
22.4.1.5 show ipv6 access-lists
Command: show ipv6 access-lists [<num>|<acl-name>]...
the following parts:
Numeric ACL Configuration - Standard and Extended types
ACL Name Configuration - Standard and Extended types
Filter Configuration - enable the global configuration and the default action, and bind ACLs to the ports
22.5.1 Numeric standard ACL configuration
Click “Numeric ACL Configuration”, and then the “Add Standard Numeric ACL” section, to enter the configuration page.
22.5.3 Configure the numeric extended ACL
There are several numeric extended ACLs available:
Add ICMP numeric extended ACL
Add IGMP numeric extended ACL
Add TCP numeric extended ACL
Add UDP numeric extended ACL
Add numeric extended ACL for other protocols
Clicking an icon enters the related configuration page. There are several sub-sections in this category:
ACL number (100-199)
selects manual input, they can simply key in the protocol number on the right-hand side of the icon.
Example: a user wants to configure “Add TCP numeric extended ACL” with the ACL number 110, deny the source IP address range 10.0.0.0/24, and make the target port 21.
Operation type - Add or Remove
To add a numeric ACL, specify the ACL name and related value, select “add” in the Operation type and then click “Apply”.
22.5.5 Configure extended ACL name configuration
Click “ACL name configuration”; the configuration sections will then be shown. There are 6 types of extended ACL name configuration:
IP extended ACL name configuration
ICMP extended ACL name configuration...
Click “Filter configuration”, and then select “ACL port binding” to enter the configuration page. There are five items in this section.
Port - the target port to bind to the ACL
ACL name - the target ACL name to bind
Ingress/Egress - the target direction to bind
Operation type - ”Add”...
Chapter 23 802.1x Configuration
23.1 Introduction to 802.1x
The 802.1x protocol originates from the 802.11 protocol, the IEEE wireless LAN protocol, and was designed to provide authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN controlling device (such as a LAN switch), they are able to access all the devices and resources in the LAN.
Fig 23-1 The Authentication Structure of 802.1x
The supplicant system is an entity at one end of the LAN segment that is authenticated by the access controlling unit at the other end of the link. A supplicant system is usually a user terminal device. Users start 802.1x authentication by starting the supplicant system software.
needing to access the LAN via the authentication server system, and sets the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access network resources; the unauthenticated state means only EAPOL messages may be received and sent, while the user is forbidden to access network resources.
Fig 23-2 the Work Mechanism of 802.1x
In the LAN environment, EAP messages adopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system. Between the PAE of the authenticator system and the RADIUS server, there are two methods of exchanging information: one is that EAP messages adopt the EAPOR (EAP over RADIUS) encapsulation format within the RADIUS protocol;...
Protocol Version: the version of the protocol supported by the sender of the EAPOL data packet.
Type: the type of the EAPOL data packet, including:
EAP-Packet (value 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system.
query messages.
Fig 23-5 the Format of the Data Domain in Request and Response Packets
Identifier: assists in matching Request and Response messages.
Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields.
Data: the content of the EAP packet, depending on the Code type.
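As an added example (not code from the manual or from Edge-Core), the following Python parser decodes the EAPOL header and the EAP Code/Identifier/Length/Data fields described above, checks each Length field against the bytes actually present, and pairs a Response with its Request by Identifier. The EAPOL Length field, the EAPOL-Start and EAPOL-Logoff type values, and the EAP Code values 1 to 4 are assumed from IEEE 802.1X and RFC 3748 rather than taken from the page; the frames used are constructed by the build_eapol_eap helper:

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAPOL packet types (IEEE 802.1X); 0x00 is the EAP-Packet value quoted on the page,
# 0x01 (EAPOL-Start) and 0x02 (EAPOL-Logoff) are assumed from the standard.
EAPOL_EAP_PACKET = 0x00
EAPOL_START = 0x01
EAPOL_LOGOFF = 0x02

# EAP Code values, assumed from RFC 3748
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1  # Type byte of an EAP-Request/Identity or EAP-Response/Identity


class ParseError(ValueError):
    """Raised when a frame's length fields do not agree with the bytes present."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Data
    type_data: bytes


@dataclass
class EapolFrame:
    version: int
    eapol_type: int
    length: int
    eap: Optional[EapPacket]  # only present for Type 0x00 (EAP-Packet)


def parse_eap(body: bytes) -> EapPacket:
    """Parse Code | Identifier | Length | Data, checking Length against the bytes present."""
    if len(body) < 4:
        raise ParseError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ParseError(f"unknown EAP Code {code}")
    if length < 4 or length > len(body):
        raise ParseError("EAP Length field inconsistent with packet")
    data = body[4:length]  # Length covers the 4-byte header plus Data
    if code in (3, 4):  # Success / Failure carry no Data field
        return EapPacket(code, ident, length, None, b"")
    if not data:
        raise ParseError("Request/Response without a Type byte")
    return EapPacket(code, ident, length, data[0], data[1:])


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse Protocol Version | Type | Length | Body; decode the body as EAP when Type is 0x00."""
    if len(frame) < 4:
        raise ParseError("EAPOL header truncated")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ParseError("EAPOL body shorter than its Length field")
    eap = parse_eap(body) if etype == EAPOL_EAP_PACKET else None
    return EapolFrame(version, etype, length, eap)


def is_matching_response(request: EapPacket, response: EapPacket) -> bool:
    """The Identifier (together with the Type) pairs a Response with the Request that triggered it."""
    return (request.code == 1 and response.code == 2
            and request.identifier == response.identifier
            and request.eap_type == response.eap_type)


def build_eapol_eap(version: int, code: int, ident: int,
                    eap_type: Optional[int] = None, type_data: bytes = b"") -> bytes:
    """Constructs a test frame: an EAP packet wrapped in an EAPOL EAP-Packet."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    eap = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    req = build_eapol_eap(1, 1, 7, EAP_TYPE_IDENTITY)            # EAP-Request/Identity, id 7
    rsp = build_eapol_eap(1, 2, 7, EAP_TYPE_IDENTITY, b"alice")  # EAP-Response/Identity
    print(parse_eapol(req))
    print(is_matching_response(parse_eapol(req).eap, parse_eapol(rsp).eap))
```

The length checks are the part worth copying into any real decoder: a frame whose EAPOL or EAP Length claims more bytes than are present is rejected rather than read past the end.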
Authentication can be started either by the supplicant system or by the device. When the device detects an unauthenticated user accessing the network, it sends EAP-Request/Identity messages to the supplicant system to start authentication. Alternatively, the supplicant system can send an EAPOL-Start message to the device via the supplicant software.
EAP-MD5
EAP-TLS (Transport Layer Security)
EAP-TTLS (Tunneled Transport Layer Security)
PEAP (Protected Extensible Authentication Protocol)
They will be described in detail in the following part.
Attention: The switch, as the access controlling unit in pass-through mode, does not check the content of a particular EAP method, so it can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
Fig 23-9 the Authentication Flow of 802.1x EAP-MD5
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the RADIUS authentication server to possess a digital certificate in order to implement bidirectional authentication.
Fig 23-10 the Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only requirement is that the RADIUS server has a digital certificate.
the protocol and security design is similar to that of EAP-TTLS, using a server’s PKI certificate to establish a secure TLS tunnel in order to protect user authentication. The following figure illustrates the basic operation flow of the PEAP authentication method.
Fig 23-11 the Authentication Flow of 802.1x PEAP
23.1.5.2 EAP Termination Mode
In this mode, EAP messages are terminated in the access control unit and...
Fig 23-12 the Authentication Flow of 802.1x EAP Termination Mode
23.1.6 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
access the network, while the others cannot. When one user goes offline, the other users are not affected. When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control.
mode, and on ports whose link type is Access.
2. Guest VLAN
The Guest VLAN feature allows unauthenticated users to access some specified resources. The user authentication port belongs to a default VLAN (the Guest VLAN) before passing 802.1x authentication, with the right to access the resources within this VLAN without authentication.
3) Configure RADIUS service parameters.
1. Enable the 802.1x function
Command / Explanation (Global Mode):
aaa enable; no aaa enable: Enables the AAA authentication function in the switch; the “no aaa enable” command disables the AAA authentication function.
aaa-accounting enable; no aaa-accounting enable: Enables the accounting function in the switch; the “no aaa-accounting enable” command disables...
Command / Explanation (Port Mode):
dot1x port-method {userbased | macbased | portbased}; no dot1x port-method: Sets the port access management method; the “no dot1x port-method” command restores MAC-based access management.
dot1x max-user macbased <number>: Sets the maximum number of access users for the...
Global Mode
dot1x max-req <count>; no dot1x max-req: Sets the number of EAP request/MD5 frames to be sent before the switch re-initiates authentication on supplicant response; the “no dot1x max-req” command restores the default setting.
dot1x re-authentication; no dot1x re-authentication: Enables periodical supplicant authentication; the “no dot1x re-authentication”...
radius-server authentication host {<IPaddress>|<IPv6address>} [[port {<portNum>}] [primary]]; no radius-server authentication host <IPaddress>: Specifies the IP address or IPv6 address and listening port number of the RADIUS authentication server; the “no radius-server authentication host <IPaddress>” command deletes the RADIUS server.
radius-server accounting host {<IPaddress>|<IPv6address>...: Specifies the IP address or IPv6 address and listening...
Command mode: Global Mode
Parameters: N/A.
Default: AAA authentication is not enabled by default.
Usage Guide: AAA authentication must be enabled on the switch before IEEE 802.1x authentication can be enabled on the switch.
Example: Enable the AAA function for the switch.
Switch(Config)#aaa enable
23.3.2 aaa-accounting enable
Command: aaa-accounting enable...
Default: N/A.
Usage Guide: The dot1x address filter function is implemented according to the MAC address filter table; dot1x address filter table entries are added or deleted manually by the user. When a port is specified when adding a dot1x address filter table entry, that entry applies to that port only;...
enabled on the port, or the port is a Trunk port or a member of a port aggregation group, the 802.1x function cannot be enabled for that port unless those conditions are removed.
Example: Enable the 802.1x function of the switch and enable 802.1x for port 1/12.
Switch(Config)#dot1x enable
Switch(Config)#interface ethernet 1/12
Switch(Config-Ethernet1/12)#dot1x enable...
23.3.7 dot1x macfilter enable
Command: dot1x macfilter enable
no dot1x macfilter enable
Function: Enables the dot1x address filter function in the switch; the "no dot1x macfilter enable" command disables the dot1x address filter function.
Command mode: Global Mode
Default: The dot1x address filter is disabled by default.
Usage Guide: When the dot1x address filter function is enabled, the switch filters authenticating users by MAC address.
Default: The default maximum number of users allowed is 1.
Usage Guide: This command is available for ports using MAC-based access management; if the number of authenticated MAC addresses exceeds the number of allowed users, additional users will not be able to access the network.
Example: Set port 1/3 to allow 5 users.
Default: When 802.1x is enabled for the port, auto is set by default.
Usage Guide: If the port needs to provide 802.1x authentication for the user, the port authentication mode should be set to auto.
Example: Set port 1/1 to require 802.1x authentication mode.
Switch(Config)#interface ethernet 1/1
Switch(Config-Ethernet1/1)#dot1x port-control auto
23.3.12 dot1x port-method...
Command: dot1x re-authentication
no dot1x re-authentication
Function: Enables periodical supplicant authentication; the “no dot1x re-authentication” command disables this function.
Command mode: Global Mode
Default: Periodical re-authentication is disabled by default.
Usage Guide: When periodical re-authentication of supplicants is enabled, the switch re-authenticates the supplicant at regular intervals.
Example: Set the re-authentication time to 1200 seconds.
Switch(Config)#dot1x timeout re-authperiod 1200
23.3.17 dot1x timeout tx-period
Command: dot1x timeout tx-period <seconds>
no dot1x timeout tx-period
Function: Sets the interval for the supplicant to re-transmit the EAP request/identity frame; the “no dot1x timeout tx-period” command restores the default setting.
Parameters: <seconds>...
the switch sends accounting packets to all the configured accounting servers, and all the accounting servers can act as backup servers for each other. If primary is specified, the specified RADIUS server will be the primary server.
Example: Set the RADIUS accounting server with IP address 100.100.100.60 as the primary server, with accounting port number 3000.
valid range is 1 to 255.
Command mode: Global Mode
Default: The default value is 5 minutes.
Usage Guide: This command specifies the time to wait for a RADIUS server to recover from inaccessible to accessible. When the switch determines a server to be inaccessible, it marks that server as having invalid status; after the interval specified by this command,...
the retransmission count reaches the retransmission threshold without the server responding, the server is considered not working and the switch marks it as invalid.
Example: Set the RADIUS authentication packet retransmission count to five.
Switch(Config)# radius-server retransmit 5
23.3.23 radius-server timeout
Command: radius-server timeout <seconds>...
Fig 23-13 The Network Topology of Guest VLAN
Notes: in the figures in this section, E2 means Ethernet 2, E3 means Ethernet 3 and E6 means Ethernet 6.
As shown in the next figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server.
Fig 23-14 User Joining Guest VLAN
As illustrated in the figure above, on switch port Ethernet 2 the 802.1x feature is enabled, and VLAN10 is set as the port’s Guest VLAN. Before the user is authenticated, or when the user fails authentication, port Ethernet 2 is added to VLAN10, allowing the user to access the Update Server.
authentication, the authentication server will assign VLAN5, which puts the user and Ethernet 6 both in VLAN5, allowing the user to access the Internet.
The configuration steps are as follows:
# Configure the RADIUS server.
Switch(Config)#radius-server authentication host 10.1.1.3
Switch(Config)#radius-server accounting host 10.1.1.3
Switch(Config)#radius-server key test
Switch(Config)#aaa enable
Switch(Config)#aaa-accounting enable...
authentication-triggering messages (EAP-Request/Identity) are sent than the upper limit defined, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100. 23.4.2 Examples of IPv4 Radius Applications 10.1.1.2 Radius Server 10.1.1.1 10.1.1.3 Fig 23-16 IEEE 802.1x Configuration Example Topology The PC connects to port 1/2 of the switch;...
23.5 802.1x Troubleshooting It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the switch cannot reach the authenticated state after the user runs 802.1x supplicant software. Here are some possible causes and solutions: If 802.1x cannot be enabled for a port, make sure the port is not running Spanning Tree or MAC binding, and is not configured as a Trunk port or for port aggregation.
23.5.1.2 debug dot1x Command: debug dot1x no debug dot1x Function: Enables dot1x debugging information; the “no debug dot1x” command disables the dot1x debugging information. Command mode: Admin Mode Parameters: N/A. Usage Guide: Enabling dot1x debug information allows checking of the dot1x protocol negotiation process and is helpful in troubleshooting.
------------------------- authenticating users ------------------------------ User-name Retry-time Radius-ID Port Eap-ID Chap-ID Mem-Addr State ----------------------------------------------------------------------------- --------------- total: 0 --------------- 23.5.1.5 show aaa config Command: show aaa config Function: Displays the configured commands for the switch as a RADIUS client. Command mode: Admin Mode Usage Guide: Displays whether AAA authentication and accounting are enabled, and information on the key and the specified authentication and accounting servers.
.Udp Port = 1813 .Is Primary = 0 .Is Server Dead = 0 .Socket No = 0 Time Out = 3 Retransmit = 3 Dead Time = 5 Account Time Interval = 0 Displayed information Description Is AAA Enabled Indicates whether AAA authentication is enabled or not.
23.5.1.6 show dot1x Command: show dot1x [interface <interface-list>] Function: Displays dot1x parameter related information; if an interface list is given, the dot1x status of the corresponding ports is displayed. Parameters: <interface-list> is the port list. If no parameter is specified, information for all ports is displayed.
Global 802.1x Parameters Global 802.1x parameter information reauth-enabled Whether re-authentication is enabled or not reauth-period Re-authentication interval quiet-period Silent interval tx-period EAP retransmission interval max-req EAP packet retransmission interval authenticator mode Switch authentication mode Mac Filter Enables dot1x address filter or not MacAccessList Dot1x address filter table Dot1x-EAPoR...
The authenticating user num is: The stopping user num is: The stopped user num is: The total user num is: 23.6 Web Management Click “Authentication configuration” to open the authentication configuration management list. Users may configure the switch 802.1x authentication function. 23.6.1 RADIUS client configuration Click “Authentication configuration”, “RADIUS client configuration” to open the RADIUS client configuration management list. Users may configure the switch RADIUS client.
23.6.1.2 RADIUS authentication configuration Click “Authentication configuration”, “RADIUS client configuration”, “RADIUS authentication configuration” to configure the RADIUS authentication server IP address and listening port. Authentication server IP - Server IP address. Authentication server port (optional) - The server listening port, with range 0~65535, where “0” means the server is not used as an authentication server.
where “0” means the server is not used as an accounting server. Primary accounting server - Primary Accounting server is the primary server; Non-Primary Accounting server is the non-primary server. Operation type - Add accounting server adds an accounting server; Remove accounting server removes an accounting server. Example: Configure Accounting server IP as 10.0.0.1, Accounting server port as the default port, choose Primary accounting server, choose Operation type as “Add accounting server”...
EAP relay authentication mode - Configures the switch to use the EAP relay method for authentication; use the “no” command to configure the switch to use the EAP local terminating method for authentication. MAC filtering - Enables or disables the switch dot1x address filter function. Example: Choose 802.1x status as Open 802.1x, configure Maximum retransmission times of EAP-request/identity as 1, choose Re-authenticate client periodically as Disable Re-authenticate, configure Holddown time for authentication failure as 1, configure...
access control method which is based on port. Port maximum user (1-254) - Configures the maximum number of users permitted on the specified port. Example: Choose Ethernet port 1/1, choose 802.1x status as Open, choose Authentication type as auto, choose Authentication mode as port based, configure Port maximum user as 10 and then click the Set button to apply this configuration to the switch.
Authentication type - Authentication type Authentication status - Authentication status Authentication mode - Authentication mode Example: Choose Ethernet port 1/1, then click the Reauthenticate button; the user on Ethernet port 1/1 will be forced to re-authenticate.
Chapter 24 The Number Limitation Function Of Port, MAC in VLAN and IP Configuration 24.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP The MAC address table records the mapping between destination MAC addresses and the ports of the switch.
Limiting the number of MAC and ARP table entries can mitigate DoS attacks to a certain extent. When malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and ARP tables of the switch, making the DoS attack succeed. To sum up, the number limitation function of port, MAC in VLAN and IP is very useful.
switchport mac-address dynamic maximum <value> / no switchport mac-address dynamic maximum: Enable or disable the number limitation function of MAC on the ports
switchport arp dynamic maximum <value> / no switchport arp dynamic maximum: Enable or disable the number limitation function of ARP on the ports
switchport nd dynamic maximum: Enable or disable...
show mac-address dynamic count {vlan <vlan-id>|interface ethernet <portName>}: Display the number of dynamic MAC entries on the corresponding ports and VLAN
show arp-dynamic count {vlan <vlan-id>|interface ethernet <portName>}: Display the number of dynamic ARP entries on the corresponding ports and VLAN
show nd-dynamic count: Display the number of dynamic...
Parameters:<value> upper limit of the number of dynamic MAC address of the port, ranging from 1 to 4096. Default Settings:The number limitation function of dynamic MAC address on the port is disabled. Command Mode:Port mode. Usage Guide:When configuring the max number of dynamic MAC address allowed by the port, if the number of dynamically learnt MAC address on the port is already larger than the max number of dynamic MAC address to be set, the extra dynamic MAC addresses will be deleted.
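The usage guide above has one behaviour worth seeing concretely: lowering the limit below the number of already-learnt addresses deletes the surplus entries, and once the limit is reached further source MACs are not learnt. The Python model below is an added illustration, not the switch's own code; it keeps a per-port dynamic MAC table with an optional ceiling (1 to 4096, as in the command), evicts the oldest entries when the ceiling is lowered, and counts rejected learns so the effect of a MAC flood can be observed. The port name and the generated MAC addresses are constructed sample data, and the oldest-first eviction order is an assumption the manual does not state.

```python
from collections import OrderedDict


class PortMacTable:
    """Per-port dynamic MAC learning with an optional upper bound.
    Assumptions (not vendor behaviour): no limit by default; eviction is
    oldest-first; a learn beyond the limit is dropped and counted."""

    def __init__(self, port):
        self.port = port
        self.max_count = None            # None = limitation function disabled
        self.entries = OrderedDict()     # mac -> vlan, in learning order
        self.rejected = 0                # learns dropped because the table was full

    def set_maximum(self, value):
        """'switchport mac-address dynamic maximum <value>' equivalent.
        Returns the MACs deleted because they exceeded the new limit."""
        if not 1 <= value <= 4096:
            raise ValueError("value must be in the range 1 to 4096")
        self.max_count = value
        evicted = []
        while len(self.entries) > value:
            mac, _ = self.entries.popitem(last=False)   # oldest entry first
            evicted.append(mac)
        return evicted

    def clear_maximum(self):
        """'no switchport mac-address dynamic maximum' equivalent."""
        self.max_count = None

    def learn(self, mac, vlan):
        """Source-MAC learning on an incoming frame. Returns True if the
        address is (now) in the table, False if it was rejected."""
        if mac in self.entries:
            self.entries.move_to_end(mac)   # refresh an existing entry
            return True
        if self.max_count is not None and len(self.entries) >= self.max_count:
            self.rejected += 1
            return False
        self.entries[mac] = vlan
        return True

    def count(self):
        return len(self.entries)

    def show_count(self):
        """Same fields as 'show mac-address dynamic count interface ethernet ...'."""
        return {"Port": self.port, "MaxCount": self.max_count, "CurrentCount": self.count()}


def simulate_flood(table, n, vlan=1):
    """Constructed traffic: n frames, each with a distinct source MAC.
    Returns how many of them were learnt."""
    learned = 0
    for i in range(n):
        mac = "00:aa:bb:cc:%02x:%02x" % ((i >> 8) & 0xff, i & 0xff)
        if table.learn(mac, vlan):
            learned += 1
    return learned


if __name__ == "__main__":
    table = PortMacTable("Ethernet1/2")          # constructed port name
    print(simulate_flood(table, 100), table.show_count())   # unlimited: all 100 learnt
    print(len(table.set_maximum(30)), table.show_count())   # 70 oldest entries deleted
    print(simulate_flood(table, 5), table.rejected)         # table full: 5 rejected
```

Reading the counters afterwards mirrors what the show command reports: CurrentCount pinned at MaxCount while the rejected counter keeps climbing is the signature of a port being flooded with spoofed source addresses.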
Enable the number limitation function of dynamic MAC address in VLAN 1, with the max number set to 50 Switch(Config)#interface ethernet 1/2 Switch(Config-if-Vlan1)# ip mac-address dynamic maximum 50 Disable the number limitation function of dynamic MAC address in VLAN 1. Switch(Config-if-Vlan1)#no ip mac-address dynamic maximum 24.3.3 switchport arp dynamic maximum Command:switchport arp dynamic maximum <value>...
function of dynamic NEIGHBOR on the port. Parameters:<value> upper limit of the number of dynamic NEIGHBOR of the port, ranging from 1 to 4096. Default Settings:The number limitation function of dynamic ARP on the port is disabled. Command Mode:Port mode. Usage Guide:...
Switch(Config-if-Vlan1)#no ip arp dynamic maximum 24.3.6 ipv6 nd dynamic maximum Command:ipv6 nd dynamic maximum <value> no ipv6 nd dynamic maximum Function:Set the max number of dynamic NEIGHBOR allowed in the VLAN, and, at the same time, enable the number limitation function of dynamic NEIGHBOR in the VLAN; “no ipv6 nd dynamic maximum”...
Switch(Config)# mac-address query timeout 30 24.3.8 show mac-address dynamic count Command:show mac-address dynamic count { (vlan <1-4096>)| interface ethernet <portName>} Function:Display the number of dynamic MAC of corresponding port and VLAN. Parameters:<vlan-id>display the specified vlan ID. <portName> is the name of layer-2 port Command Mode:Admin Mode Usage Guide :...
Switch(Config)# show arp-dynamic count interface ethernet 1/3 Port MaxCount CurrentCount ----------------------------------------------------------------------------------------------------- Ethernet1/3 ----------------------------------------------------------------------------------------------------- Switch(Config)# show arp-dynamic count vlan 1 Vlan MaxCount CurrentCount ----------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------- 24.3.10 show nd-dynamic count Command : show nd-dynamic count { (vlan <1-4096>)| interface ethernet <portName>} Function:Display the number of dynamic ND of corresponding port and VLAN. Parameters:<vlan-id>...
no debug switchport mac count Function: When the number limitation debug of MAC on the port is enabled, users will see debug information if the number of dynamic MAC addresses on the port exceeds the maximum allowed. The “no debug switchport mac count” command disables the number limitation debug of MAC on the port.
dynamic ND entries on the port exceeds the maximum allowed, users will see debug information. The “no debug switchport nd count” command disables the number limitation debug of ND on the port. Parameters:None Command Mode:Admin Mode Default Settings:None...
users will see debug information. The “no debug ip arp count” command disables the number limitation debug of ARP in the VLAN. Parameters:None Command Mode:Admin Mode Default Settings:None Usage Guide:Display the debug information of the number of dynamic ARP entries in the VLAN. Examples:...
24.4 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples Fig 24-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example In the network topology above, SWITCH B connects to many PC users. Before the number limitation function of port, MAC in VLAN and IP is enabled, if the system hardware has no other limitation, SWITCH A and SWITCH B can learn the MAC, ARP and ND entries of all the PCs, so limiting the MAC and ARP entries can mitigate DoS attacks to a...
Switch (Config-if-Vlan1)#ip mac-address dynamic maximum 30 Switch (Config-if-Vlan1)#ip arp dynamic maximum 30 Switch (Config-if-Vlan1)#ipv6 nd dynamic maximum 20 24.5 The Number Limitation Function Of Port, MAC in VLAN and IP Troubleshooting Help The number limitation function of port, MAC in VLAN and IP is disabled by default, if users need to limit the number of user accessing the network, they can enable it.
Chapter 25 VRRP Configuration 25.1 Introduction to VRRP VRRP (Virtual Router Redundancy Protocol) is a fault tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It is developed by the IETF for local area networks (LAN) with multicast/broadcast capability (such as Ethernet) and has wide applications.
normal and uninterrupted communication can be achieved. 25.2 Configuration Task List
Create/Remove the Virtual Router (required)
Configure VRRP dummy IP and interface (required)
Activate/Deactivate Virtual Router (required)
Configure VRRP authentication (optional)
Configure VRRP sub-parameters (optional)
  Configure the preemptive mode for VRRP
  Configure VRRP priority
  Configure VRRP Timer intervals
  Configure VRRP interface monitor...
ip vrrp authentication string <string> / no ip vrrp authentication string: Configures a simple authentication string for VRRP packets sent on the interface; the "no ip vrrp authentication string" command removes the authentication string. 5. Configure VRRP Sub-parameters (1) Configure the preemptive mode for VRRP Command Explanation VRRP protocol configuration mode...
restores the default setting. Parameters: <adver_interval> is the interval for sending VRRP packets in seconds, ranging from 1 to 10. Default: The default <adver_interval> is 1 second. Command mode: VRRP protocol configuration mode Usage Guide: The Master in a VRRP Standby cluster sends VRRP packets to the member routers (or L3 Ethernet switches) at a specific interval to announce that it is operating properly;...
Command mode: VRRP protocol configuration mode Usage Guide: Activates the appropriate Virtual Router. Only a router (or L3 Ethernet switch) interface started by this enable command is part of Standby cluster. VRRP virtual IP and interface must be configured first before starting Virtual Router. Example: Activating the Virtual Router of number 10 Switch(config)# router vrrp 10 Switch(Config-Router-Vrrp)# enable...
Priority is always 254 for IP Owner. Parameters: <value> is the priority value, ranging from 1 to 254. Default: The priority of all backup routers (or L3 Ethernet switches) in a Standby cluster is 100; the Master router (or L3 Ethernet switch) in every Standby cluster is always 254. Command mode: VRRP protocol configuration mode Usage Guide: Priority determines the ranking of a router (or L3 Ethernet switch) in a Standby cluster; the higher the priority, the more likely it is to become the Master.
Interface is Vlan2 Priority is 100 Advertisement interval is 1 sec Preempt mode is TRUE VrId <10> State is Initialize Virtual IP is 10.1.10.1 (IP owner) Interface is Vlan1 Configured priority is 255, Current priority is 255 Advertisement interval is 1 sec Preempt mode is TRUE Circuit failover interface Vlan1, Priority Delta 10, Status UP Displayed information...
25.4 Typical VRRP Scenario As shown in the figure below, SwitchA and SwitchB are Layer 3 Ethernet Switches in the same group and provide redundancy for each other. Fig 25-1 VRRP Network Topology (SwitchA and SwitchB, each on Vlan 1) Configuration of SwitchA: SwitchA(config)#interface vlan 1 SwitchA (Config-If-Vlan1)# ip address 10.1.1.1 255.255.255.0 SwitchA (Config-If-Vlan1)#exit...
If VRRP problems persist after the above-mentioned procedures, please run debugging commands like “debug vrrp”, copy the DEBUG information over 3 minutes and send the information to the Edge-Core technical service center. 25.6 Web Management Click “VRRP control” to enter VRRP control configuration mode to manage VRRP features for the switch.
Example: Enter created Virtual Router number "1" and VLAN port IP "23". Click Apply to add port 23 to Virtual Router number 1. Click Remove to remove port 23 from Virtual Router number 1. 25.6.4 Activate Virtual Router Click “VRRP control” to configure VRRP and enter "Enable Virtual Router". Example: Enter the created Virtual Router number "1".
25.6.7 Configure VRRP Timer interval Click “VRRP control” to configure VRRP and enter "VRRP Interval". Example: Enter created Virtual Router number "1" and interval "3". Click Enable to set the interval of virtual router number 1 to "3". Click Disable to disable the interval of Virtual Router number 1.
Chapter 26 MRPP Configuration 26.1 MRPP introduction MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet loop protection. It avoids the broadcast storms caused by data loops on an Ethernet ring, and restores communication among all nodes on the ring network when a link on the Ethernet ring breaks. MRPP is an extension of EAPS (Ethernet link automatic protection protocol).
Each ring has two states. Health state: every physical link of the ring network is connected. Break state: one or more physical links in the ring network are broken. 3. Nodes Each switch on the Ethernet ring is called a node. There are several node types: Primary node: each ring has one primary node; it is the main node for detecting and defending the ring.
Packet Type: Explanation
Hello packet (health examine packet): The primary port of the primary node sends Hello packets to detect the ring; if the secondary port of the primary node receives the Hello packet within the configured timeout, the ring is normal.
LINK-DOWN (link Down event): After a transfer node detects a Down event on a port, ...
restore after a while. For the normal data VLANs, the network may form a temporary loop and create a broadcast storm. To avoid a temporary loop, when a transfer node finds that one of its ports connected to the ring network has come back UP, it immediately blocks that port temporarily (only control VLAN packets are permitted to pass), and releases the port from the blocked state only after receiving a LINK-UP-FLUSH-FDB packet from the primary node.
Default: None Usage Guide: The command specifies the control VLAN ID of the MRPP ring; currently it can be any value in 1-4094. To avoid confusion, it is recommended that the ID be an unconfigured VLAN ID, and the same as the MRPP ring ID. On all switches of the same MRPP loop, the control VLAN ID of the MRPP ring must be the same; otherwise the whole MRPP loop may fail to work normally or may form a broadcast storm.
Switch(Config)# mrpp ring 4000 Switch(mrpp-ring-4000)#node-mode master 26.3.10 primary-port Command:primary-port ethernet IFNAME Function: Specify MRPP ring primary-port Parameter: IFNAME is port name, the port must be switch layer 2 physical port. Command Mode: MRPP ring mode Default: None Usage Guide: The command specifies MRPP ring primary port. Primary node uses primary port to send Hello packet, secondary port is used to receive Hello packet from primary node.
Default: Usage Guide: Example: Display the configuration of MRPP ring 4000 of the switch Switch# show mrpp 4000 26.3.13 show mrpp statistics Command: show mrpp statistics {<INT>|} Function: Display statistics of packets received and transmitted on the MRPP ring Parameter: <INT> is the MRPP ring ID, the valid range is from 1 to 4096; if no ID is specified, statistics of all MRPP rings are displayed.
nodes of the MRPP ring, configuring the primary port and secondary port separately. To avoid forming a loop while each MRPP ring is being enabled across the whole MRPP ring, one of the ports of the primary node should be temporarily disabled; after all of the nodes are configured, open the port again.
SWITCH D configuration Task Sequence: Switch(Config)#MRPP enable Switch(Config)#MRPP ring 4000 Switch(MRPP-ring-4000)#control-vlan 4000 Switch(MRPP-ring-4000)#primary-port Ethernet 1/11 Switch(MRPP-ring-4000)#secondary-port Ethernet 1/12 Switch(MRPP-ring-4000)#enable Switch(MRPP-ring-4000)#exit Switch(Config)# 26.5 MRPP troubleshooting The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise it is very likely that a loop and a broadcast storm will form: When configuring an MRPP ring, you had better disconnect the ring, wait until each switch is configured, and then close the ring.
Chapter 27 Cluster Configuration 27.1.1 Introduction to cluster network management Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch).
3) Add or remove a member switch
Configure attributes of the cluster in the commander switch
  Enable or disable joining the cluster automatically
  Set holdtime of heartbeat of the cluster
  Set interval of sending heartbeat packets among the switches of the cluster
  Clear the list of candidate switches discovered by the commander switch
Configure attributes of the cluster in the candidate switch
  Set interval of sending cluster register packet...
Command: Explanation (Global Mode)
cluster auto-add enable / no cluster auto-add enable: Enable or disable adding newly discovered candidate switches to the cluster
cluster holdtime <second> / no cluster holdtime: Set holdtime of heartbeat of the cluster
cluster heartbeat <interval>: Set interval of sending heartbeat packets...
Command: cluster run no cluster run Function: Enable cluster function; the “no cluster run” command disables cluster function. Command mode: Global Mode Default: Cluster function is disabled by default. Instructions: This command enables cluster function. Cluster function has to be enabled before implementing any other cluster commands.
address pool. The “no cluster ip-pool” command clears the address pool and there is no default setting to be restored. Example: Set the private IP address pool for the member switches to 192.168.1.64 Switch(config)#cluster ip-pool 192.168.1.64 27.1.3.4 cluster commander Command:cluster commander <cluster-name> [vlan <vlan-id>] no cluster commander Function: Enables a commander switch, create a cluster, or modify a cluster’s name;...
Instructions: When this command is executed in the commander switch, the switch with <mac-add> or <cand-sn> will be added to the cluster which the commander switch belongs to. If this command is executed in a non-commander switch, an error will be displayed.
Command: rcommand commander Function: In the member switch, use this command to configure the commander switch. Command mode: Admin Mode Instructions: This command is used to configure the commander switch remotely. Users must telnet to the commander switch and pass authentication. The command “exit” is used to quit the configuration interface of the commander switch.
Keyword: Source address or destination address
startup-config: Startup configuration file
nos.img: System file
boot.rom: System startup file
Command mode: Admin Mode Instructions: The commander switch sends the remote upgrade command to the member switch. The member switch is upgraded and reset. If this command is executed in a non-commander switch, an error will be displayed.
Parameter: <interval> is the interval of heartbeat of the cluster, valid range is 1 to 65535. Command mode: Global Mode Default: The interval of heartbeat is 8 seconds by default. Instructions: In the commander switch, this command is used to set the interval of heartbeat.
Switch(Config)#cluster ip-pool 1.2.3.4 Switch(Config)#cluster commander 4624 Switch(Config)#cluster auto-add enable 2. Configure the member switch Configuration of SwitchB-SwitchD Switch(Config)#cluster run 27.1.5 Cluster Administration Troubleshooting 27.1.5.1 Cluster Administration Debugging and Monitoring Command 27.1.5.1.1 show cluster Command: show cluster Function: Display the basic information of the member or command switch Command Mode:Admin Mode Example:Execute this command on the switch 1234 Switch#show cluster...
command switch Command Mode: Admin Mode Usage Guide: Executing this command on the switch will display the information of the candidate member switches such as member ID, MAC address, IP address, equipment name and type 27.1.5.1.4 debug cluster packets Command: debug cluster packets {register |build |heartbeat } {in|out} no cluster packets {register|build |heartbeat } {in|out} Function: Enable the debugging message of cluster admin receiving and sending packets;...
switch belongs to Vlan1 (assumed to be in Vlan1 under the current application). Check whether the connection between the command switch and the member switch is correct. The debug cluster packets command can be used to check whether the command switch and the member switches receive and process the related cluster admin packets correctly...