Planet XGS3-24042 User Manual

24-port gigabit with 4 optional 10g slots layer 3 managed stackable switch
User's Manual
XGS3-24042
XGS3-24242
24-Port Gigabit
with 4 Optional 10G slots
Layer 3 Managed Stackable Switch

Summary of Contents for Planet XGS3-24042

  • Page 1 User's Manual XGS3-24042 XGS3-24242 24-Port Gigabit with 4 Optional 10G slots Layer 3 Managed Stackable Switch...
  • Page 2: Fcc Warning

    Information in this User's Manual is subject to change without notice and does not represent a commitment on the part of PLANET. PLANET assumes no responsibility for any inaccuracies that may be contained in this User's Manual. PLANET makes no commitment to update or keep current the information in this User's Manual, and reserves the right to make improvements to this User's Manual and/or to the products described in this User's Manual, at any time without notice.
  • Page 3: Table Of Contents

    Content: CHAPTER 1 INTRODUCTION ... 1-1; 1.1 Packet Contents ... 1-1; 1.2 Product Description ... 1-1; 1.3 Product Features ... 1-3; 1.4 Product Specification ... 1-5; CHAPTER 2 INSTALLATION ... 2-1; 2.1 Hardware Description ... 2-1; 2.1.1 Switch Front Panel ...
  • Page 4 4.4.4 SNMP Configuration ... 4-8; 4.4.5 Typical SNMP Configuration Examples ... 4-11; 4.4.6 SNMP Troubleshooting ... 4-12; 4.5 Switch Upgrade ... 4-13; 4.5.1 Switch System Files ... 4-13; 4.5.2 BootROM Upgrade ... 4-13; 4.5.3 FTP/TFTP Upgrade ... 4-16; CHAPTER 5 FILE SYSTEM OPERATIONS ... 5-1; 5.1 I...
  • Page 5 10.3 ULDP Function Typical Examples ... 10-4; 10.4 ULDP Troubleshooting ... 10-5; CHAPTER 11 LLDP FUNCTION OPERATION CONFIGURATION ... 11-1; 11.1 Introduction to LLDP Function ... 11-1; 11.2 LLDP Function Configuration Sequence ... 11-2; 11.3 LLDP F...
  • Page 6 15.3.1 Introduction to Dot1q-tunnel ... 15-11; 15.3.2 Dot1q-tunnel Configuration ... 15-12; 15.3.3 Typical Applications of the Dot1q-tunnel ... 15-12; 15.3.4 Dot1q-tunnel Troubleshooting ... 15-13; 15.4 VLAN-translation Configuration ... 15-14; 15.4.1 Introduction to VLAN-translation ... 15-14; 15.4.2 VLAN-translation Configuration ... 15-14; 15.4.3 Typical application of VLAN-translation ...
  • Page 7 18.1.2 QoS Implementation ... 18-2; 18.1.3 Basic QoS Model ... 18-2; 18.2 QoS Configuration ... 18-7; 18.3 QoS Example ... 18-10; 18.4 QoS Troubleshooting ... 18-13; CHAPTER 19 FLOW-BASED REDIRECTION ... 19-14; 19.1 Introduction to Flow-based Redirection ... 19-14; 19.2 F...
  • Page 8 22.4 URPF ... 22-43; 22.4.1 Introduction to URPF ... 22-43; 22.4.2 URPF Configuration Task Sequence ... 22-44; 22.4.3 URPF Typical Example ... 22-44; 22.4.4 URPF Troubleshooting ... 22-45; 22.5 ARP ... 22-45; 22.5.1 Introduction to ARP ... 22-45; 22.5.2 ARP Configuration Task List ... 22-45; 22.5.3 ARP Troubleshooting ...
  • Page 9 27.3 Gratuitous ARP Configuration Example ... 27-62; 27.4 Gratuitous ARP Troubleshooting ... 27-62; CHAPTER 28 KEEPALIVE GATEWAY CONFIGURATION ... 28-63; 28.1 Introduction to Keepalive Gateway ... 28-63; 28.2 Keepalive Gateway Configuration ... 28-63; 28.3 K...
  • Page 10 32.4 DHCP Option 37, 38 Troubleshooting ... 32-15; CHAPTER 33 DHCP SNOOPING CONFIGURATION ... 33-1; 33.1 Introduction to DHCP Snooping ... 33-1; 33.2 DHCP Snooping Configuration Sequence ... 33-2; 33.3 DHCP Snooping Typical Application ... 33-6; 33.4 DHCP S...
  • Page 11 37.3.1 Typical RIPng Examples ... 37-7; 37.3.2 RIPng Aggregation Route Function Typical Examples ... 37-8; 37.4 RIPng Troubleshooting ... 37-9; CHAPTER 38 OSPF ... 38-1; 38.1 Introduction to OSPF ... 38-1; 38.2 OSPF Configuration ... 38-4; 38.3 OSPF E...
  • Page 12 42.3 IP Black Routing Configuration ... 42-1; 42.4 Black Routing Configuration Examples ... 42-2; 42.5 Black Routing Troubleshooting ... 42-3; CHAPTER 43 GRE TUNNEL CONFIGURATION ... 43-5; 43.1 Introduction to GRE Tunnel ... 43-5; 43.2 GRE T...
  • Page 13 48.1 IP Multicast Protocol Overview ... 48-1; 48.1.1 Introduction to Multicast ... 48-1; 48.1.2 Multicast Address ... 48-1; 48.1.3 IP Multicast Packet Transmission ... 48-3; 48.1.4 IP Multicast Application ... 48-3; 48.2 PIM-DM ... 48-3; 48.2.1 Introduction to PIM-DM ... 48-3; 48.2.2 PIM-DM Configuration Task List ...
  • Page 14 48.9 IGMP ... 48-41; 48.9.1 Introduction to IGMP ... 48-41; 48.9.2 IGMP Configuration Task List ... 48-43; 48.9.3 IGMP Configuration Examples ... 48-45; 48.9.4 IGMP Troubleshooting ... 48-45; 48.10 IGMP Snooping ... 48-46; 48.10.1 Introduction to IGMP Snooping ... 48-46; 48.10.2 IGMP Snooping Configuration Task List ...
  • Page 15 49.6.2 MLD Configuration Task List ... 49-25; 49.6.3 MLD Typical Application ... 49-26; 49.6.4 MLD Troubleshooting Help ... 49-27; 49.7 MLD Snooping ... 49-27; 49.7.1 Introduction to MLD Snooping ... 49-27; 49.7.2 MLD Snooping Configuration Task ... 49-28; 49.7.3 MLD Snooping Examples ... 49-29; 49.7.4 MLD Snooping Troubleshooting ...
  • Page 16 53.2 The Number Limitation Function of MAC, VLAN, IP Configuration Sequence ... 53-2; 53.3 The Number Limitation Function of MAC, VLAN, IP Typical Examples ... 53-4; 53.4 The Number Limitation Function of MAC, VLAN, IP Troubleshooting ... 53-5...
  • Page 17 CHAPTER 59 VLAN-ACL CONFIGURATION ... 59-1; 59.1 Introduction to VLAN-ACL ... 59-1; 59.2 VLAN-ACL Configuration ... 59-1; 59.3 VLAN-ACL Configuration Example ... 59-3; 59.4 VLAN-ACL Troubleshooting ... 59-4; CHAPTER 60 MAB CONFIGURATION ... 60-5; 60.1 Introduction to MAB ... 60-5; 60.2 MAB C...
  • Page 18 65.1 Introduction to VRRPv3 ... 65-1; 65.1.1 The Format of VRRPv3 Message ... 65-2; 65.1.2 VRRPv3 Working Mechanism ... 65-3; 65.2 VRRPv3 Configuration ... 65-4; 65.2.1 Configuration Task Sequence ... 65-4; 65.3 VRRPv3 Typical Examples ... 65-5; 65.4 VRRPv3 ...
  • Page 19 70.3 Typical Examples of RSPAN ... 70-4; 70.4 RSPAN Troubleshooting ... 70-7; CHAPTER 71 SFLOW CONFIGURATION ... 71-1; 71.1 Introduction to sFlow ... 71-1; 71.2 sFlow Configuration ... 71-1; 71.3 sFlow Examples ... 71-3; 71.4 sFlow Troubleshooting ... 71-4; CHAPTER 72 SNTP CONFIGURATION ... 72-1; 72.1 Introduction to SNTP ...
  • Page 20 76.7 System Log ... 76-3; 76.7.1 System Log Introduction ... 76-3; 76.7.2 System Log Configuration ... 76-5; 76.7.3 System Log Configuration Example ... 76-6; CHAPTER 77 RELOAD SWITCH AFTER SPECIFIED TIME ... 77-1; 77.1 Introduce to Reload Switch after Specified Time ... 77-1; 77.2 R...
  • Page 21 81.3.1 Create BGP MPLS VPN between PE-CE via EBGP ... 81-41; 81.3.2 Create BGP MPLS VPN between PE-CE via OSPF ... 81-46; 81.3.3 Create BGP MPLS VPN between PE-CE via RIP ... 81-49; 81.3.4 Create BGP MPLS VPN between PE-CE via Static Routes ... 81-52; 81.4 MPLS BGP VPN T...
  • Page 22: Chapter 1 Introduction

    Chapter 1 INTRODUCTION. The PLANET XGS3-24042 / XGS3-24242 is a 24-Port Gigabit with 4 Optional 10G slots Layer 3 Managed Stackable Switch. It boasts a high-performance switch architecture capable of providing a non-blocking switch fabric and wire-speed throughput as high as 128Gbps. Its two optional 2-Port 10Gbps SFP+ uplink module slots also offer incredible extensibility, flexibility and connectivity to the Core switch or Servers.
  • Page 23 Support 10Gb Ethernet. 10Gb Ethernet, which adopts full-duplex technology instead of the low-speed, half-duplex CSMA/CD protocol, is a big leap in the evolution of Ethernet. 10Gb Ethernet can be deployed in star or ring topologies. With 10Gb Ethernet, the XGS3 switch provides broad bandwidth and powerful processing capacity. It is suitable for metropolitan networks and wide area networks.
  • Page 24: Product Features

    1.3 Product Features. Physical Port, XGS3-24042: − 24-Port 10/100/1000Base-T RJ-45 copper − 4 100/1000Base-X mini-GBIC/SFP slots, shared with Port-21 to Port-24 − 2 10GbE module slots, support up to 4 10G SFP+ transceivers − 1 RJ-45 serial console interface for Switch basic management and setup. XGS3-24242 ...
  • Page 25 − IEEE 802.1Q Tagged VLAN − Up to 4K VLANs groups, out of 4096 VLAN IDs − Provider Bridging (VLAN Q-in-Q) support (IEEE 802.1ad) − GVRP protocol for VLAN Management − Private VLAN Edge (PVE) − Voice VLAN − MAC-based VLAN −...
  • Page 26: Product Specification

    SFP/mini-GBIC Slots: XGS3-24042: 4 SFP slots, 100/1000Base-X SFP transceiver compatible, shared with Port-21 to Port-24; XGS3-24242: 24 SFP slots, 100/1000Base-X SFP transceiver compatible. Expansion Slots: 2 slots for PLANET XGS3-2SFP+, 2-Port 10G SFP+ optic module; support module hot-swappable. Switch Processing Scheme: Store-and-Forward. Switch Fabric...
  • Page 27 Back pressure for Half-Duplex. Jumbo Frame: 9Kbytes. System: Power, SYS diagnostic, Redundant Power, Alert Malfunction. Ports: 10/100/1000 Link/Act, SFP+ Link/Act. Dimension (W x D x H): 440 x 325 x 44.5mm, 1U height. Weight: 4.3kg. Power Requirement: AC: 100~240V AC, 50/60Hz, Auto-sensing; DC: -48V DC. Power Consumption...
  • Page 28 MSTP, IEEE 802.1s (Multiple Spanning Tree Protocol, spanning tree by VLAN); Root Guard; BPDU Guard. Static Trunk; Link Aggregation: IEEE 802.3ad LACP, support 128 groups of 8-Port trunk. Traffic classification based, Strict priority and WRR, 8-level priority for switching: Port Number; 802.1p priority; DSCP/TOS field in IP Packet...
  • Page 29 LLDP MAU-MIB. Management Function, System Configuration: Console, Telnet, SSH, Web Browser, SSL, SNMPv1, v2c and v3; Support the unite for IPv4/IPv6 HTTP and SSL; Support the user IP security inspection for IPv4/IPv6 SNMP; Support MIB and TRAP; Support IPv4/IPv6 FTP/TFTP; Support IPv4/IPv6 NTP; Support RMON 1, 2, 3, 9 four groups; Support the RADIUS authentication for IPv4/IPv6 telnet user name and...
  • Page 30: Chapter 2 Installation

    Figure 2-1-1 and Figure 2-1-2 show the front panels of the Managed Switches. XGS3-24042 Front Panel: Figure 2-1-1 XGS3-24042 front panel. XGS3-24242 Front Panel: Figure 2-1-2 XGS3-24242 front panel. ■ Gigabit TP interface: 10/100/1000Base-T Copper, RJ-45 Twist-Pair, up to 100 meters. ■ Gigabit SFP slots: 100/1000Base-X mini-GBIC slot, SFP (Small Factor Pluggable) transceiver module, from 550 meters (Multi-mode fiber) up to 10/30/50/70/120 kilometers (Single-mode fiber).
  • Page 31: Led Indications

    2.1.2 LED Indications. The front panel LEDs indicate the instant status of port links, data activity, system operation, stack status and system power, and help monitor and troubleshoot when needed. XGS3-24042 LED indication: Figure 2-1-3 XGS3-24042 LED panel. ■ System (Color / Function): Green: Lights to indicate that the Switch has power.
  • Page 32 ■ 10/100/1000Base-T and SFP interfaces, LNK/ACT (Color / Function): Lights to indicate the link through that port is successfully established with speed 100Mbps; Blink to indicate that the switch is actively sending or receiving data over that port. Green: Lights to indicate the link through that port is successfully established with speed 1000Mbps...
  • Page 33 ■ 10/100/1000Base-T and SFP interfaces, LNK/ACT (Color / Function): Green: Lights to indicate the link through that port is successfully established; Blink to indicate that the switch is actively sending or receiving data over that port. No flow goes through the port...
  • Page 34: Switch Rear Panel

    Figure 2-1-5 Rear panel of XGS3-24042/24242 XGS3-24042/24242 Rear Panel with two 2-Port 10G SFP+ module Figure 2-1-6 Rear panel of XGS3-24042/24242 with two 2-Port 10G SFP+ module ■ AC Power Receptacle For compatibility with electric service in most areas of the world, the Managed Switch’s power supply automatically adjusts to line power in the range 100-240VAC and 50/60 Hz.
  • Page 35: Install The Switch

    2.2 Install the Switch. This section describes how to install your Managed Switch and make connections to the Managed Switch. Please read the following topics and perform the procedures in the order presented. To install your Managed Switch on a desktop or shelf, simply complete the following steps. 2.2.1 Desktop Installation. To install the Managed Switch on a desktop or shelf, please follow these steps: Step1:...
  • Page 36: Rack Mounting

    Connection to the Managed Switch requires UTP Category 5 network cabling with RJ-45 tips. For more information, please see the Cabling Specification in Appendix A. Step5: Supply power to the Managed Switch. Connect one end of the power cable to the Managed Switch. Connect the power plug of the power cable to a standard wall outlet.
  • Page 37: Installing The Sfp Transceiver

    Figure 2-2-3 Mounting XGS3-24042 in a Rack. Step6: Proceed with steps 4 and 5 of section 2.2.1 Desktop Installation to connect the network cabling and supply power to the Managed Switch. 2.2.3 Installing the SFP transceiver. This section describes how to insert an SFP transceiver into an SFP slot.
  • Page 38 Approved PLANET SFP Transceivers. The PLANET Managed Switch supports both Single-mode and Multi-mode SFP transceivers. The following list of approved PLANET SFP transceivers is correct at the time of publication: Gigabit SFP Transceiver modules: ■ MGB-SX SFP (1000BASE-SX SFP transceiver / Multi-mode / 850nm / 220m~550m) ■...
  • Page 39 management interface of the switch/converter (if available) to disable the port in advance. Remove the Fiber Optic Cable gently. Turn the handle of the MGB module to horizontal. Pull out the module gently through the handle. Figure 2-22 Pull out the SFP transceiver. Never pull out the module without pulling the handle or the push bolts on the module.
  • Page 40: Chapter 3 Switch Management

    Chapter 3 Switch Management. 3.1 Management Options. After purchasing the switch, the user needs to configure the switch for network management. The switch provides two management options: in-band management and out-of-band management. 3.1.1 Out-Of-Band Management. Out-of-band management is management through the Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
  • Page 41 Figure 3-2 Opening Hyper Terminal. 2) Type a name for opening HyperTerminal, such as "Switch". Figure 3-3 Opening HyperTerminal. 3) In the "Connecting using" drop-list, select the RS-232 serial port used by the PC, e.g. COM1, and click "OK".
  • Page 42 Figure 3-4 Opening HyperTerminal. 4) The COM1 properties window appears; select "9600" for "Baud rate", "8" for "Data bits", "none" for "Parity checksum", "1" for stop bit and "none" for traffic control; or, you can also click "Restore default" and then click "OK". Figure 3-5 Opening HyperTerminal. Step 3: Entering the switch CLI interface. Power on the switch; the following appears in the HyperTerminal window, which is the CLI configuration mode...
  • Page 43: In-Band Management

    Testing RAM... 0x077C0000 RAM OK Loading MiniBootROM... Attaching to file system ... Loading nos.img ... done. Booting..Starting at 0x10000... Attaching to file system ... …… --- Performing Power-On Self Tests (POST) --- DRAM Test....PASS! PCI Device 1 Test....PASS! FLASH Test....PASS! FAN Test.....PASS! Done All Pass.
  • Page 44 The following describes the steps for a Telnet client to connect to the switch’s VLAN1 interface by Telnet(IPV4 address example): Figure 3-6 Manage the switch by Telnet Step 1: Configure the IP addresses for the switch and start the Telnet Server function on the switch. First is the configuration of host IP address.
  • Page 45 Figure 3-7 Run telnet client program included in Windows Step 3: Login to the switch. Login to the Telnet configuration interface. Valid login name and password are required, otherwise the switch will reject Telnet access. This is a method to protect the switch from unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch, username and password for authorized Telnet users must be configured with the following command: username <username>...
  • Page 46: Management Via Http

    3.1.2.2 Management via HTTP. To manage the switch via HTTP, the following conditions should be met: 1) The switch has an IPv4/IPv6 address configured; 2) The host IPv4/IPv6 address (HTTP client) and the switch's VLAN interface IPv4/IPv6 address are in the same network segment; 3) If 2) is not met, the HTTP client should connect to an IPv4/IPv6 address of the switch via other devices, such as a router.
  • Page 47 Switch(config)#username admin privilege 15 password 0 admin
    Switch(config)#authentication line web login local
    The Web login interface of XGS3-24042 is as below: Figure 3-10 Web Login Interface. Input the right username and password, and then the main Web configuration interface is shown as below.
  • Page 48 Figure 3-11 Main Web Configuration Interface. When configuring the switch, the name of the switch is composed of English letters. 3.1.2.3 Manage the Switch via SNMP Network Management Software. The necessities required by SNMP network management software to manage switches: 1) IP addresses are configured on the switch;...
  • Page 49: Cli Interface

    3.2 CLI Interface. The switch provides three management interfaces for users: the CLI (Command Line Interface), the Web interface, and SNMP network management software. We introduce the CLI interface and the Web configuration interface in detail; the Web interface's functions correspond to those of the CLI interface and are not covered separately. For SNMP, please refer to the "SNMP network management software user manual".
  • Page 50: User Mode

    3.2.1.1 User Mode. On entering the CLI interface, the user first enters the system. A common user is defaulted to User Mode. The prompt shown is "Switch>"; the symbol ">" is the prompt for User Mode. When the exit command is run under Admin Mode, it also returns to User Mode.
  • Page 51: Global Mode

    3.2.1.3 Global Mode. Typing the config command under Admin Mode enters Global Mode, with the prompt "Switch(config)#". Using the exit command under other configuration modes, such as Port Mode or VLAN Mode, returns to Global Mode. The user can perform global configuration settings under Global Mode, such as MAC Table, Port Mirroring, VLAN creation, IGMP Snooping start and STP, etc.
  • Page 52: Configuration Syntax

    ACL Mode (by ACL type) / Entry / Operates / Exit. Standard IP ACL Mode: Type the ip access-list standard command under Global Mode; configure parameters for Standard IP ACL; use the exit command to return to Global Mode. Extended IP ACL Mode: Type the ip access-list...
  • Page 53: Help Function

    Ctrl+n: The same as Down key "↓". Ctrl+b: The same as Left key "←". Ctrl+f: The same as Right key "→". Ctrl+z: Return to the Admin Mode directly from the other configuration modes (except User Mode). Ctrl+c: Break the ongoing command process, such as ping or other command execution.
  • Page 54: Fuzzy Match Support

    Please configure precursor command "*" at first! : The command is recognized, but the prerequisite command has not been configured. syntax error : missing '"' before the end of command line! : Quotation marks are not used in pairs. 3.2.6 Fuzzy Match Support. The switch shell supports fuzzy match when searching commands and keywords.
  • Page 55: Chapter 4 Basic Switch Configuration

    Chapter 4 Basic Switch Configuration 4.1 Basic Configuration Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc. Command Explanation Normal User Mode/ Admin Mode...
  • Page 56: Telnet Management

    4.2 Telnet Management. 4.2.1 Telnet. 4.2.1.1 Introduction to Telnet. Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user's keystrokes to the remote host and sends the remote host's output to the user's screen through a TCP connection.
  • Page 57: Ssh

    authentication ip access-class {<num-std>|<name>} / no authentication ip access-class: Bind a standard IP ACL to login via Telnet/SSH/Web; the no form of the command cancels the bound ACL. authentication ipv6 access-class {<num-std>|<name>} / no authentication ipv6 access-class: Bind a standard IPv6 ACL to login via Telnet/SSH/Web; the no form of the command cancels the bound ACL. authentication line {console | vty | web} login {local | radius | tacacs}: Configure telnet authentication mode.
  • Page 58 Global Mode. ssh-server enable / no ssh-server enable: Enable the SSH function on the switch; the "no ssh-server enable" command disables the SSH function. ssh-user <user-name> password {0 | 7} <password>: Configure the username and password of SSH client software for logging on to the switch; the "no...
  • Page 59: Configure Switch Ip Addresses

    4.3 Configure Switch IP Addresses. All Ethernet ports of the switch are by default Data Link layer ports and perform layer 2 forwarding. A VLAN interface represents a Layer 3 interface function which can be assigned an IP address, which is also the IP address of the switch.
  • Page 60: Snmp Configuration

    3. BOOTP configuration. Command / Explanation, VLAN Port Mode: ip bootp-client enable / no ip bootp-client enable: Enable the switch to be a BootP client and obtain IP address and gateway address through BootP negotiation; the "no ip bootp-client enable" command disables the BootP client function. 4.
  • Page 61: Introduction To Mib

    − Get-Bulk-Request − Set-Request − Trap − Inform-Request. NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages; the Agent, upon receiving the requests, replies with Get-Response messages. In some special situations, such as network device ports changing Up/Down status or the network topology changing, Agents can send Trap messages to the NMS to report the abnormal events.
  • Page 62: Introduction To Rmon

    In this figure, the OID of the object A is 1.2.1.1. NMS can locate this object through this unique OID and gets the standard variables of the object. MIB defines a set of standard variables for monitored network devices by following this structure.
  • Page 63 Configure IP address of SNMP management base Configure engine ID Configure user Configure group Configure view Configuring TRAP Enable/Disable RMON 1. Enable or disable SNMP Agent server function Command Explanation Global Mode Enable the SNMP Agent function on the switch; the snmp-server enabled no command disables the SNMP Agent function on no snmp-server enabled...
  • Page 64 Command Explanation Global Mode snmp-server engineid <engine-string> Configure the local engine ID on the switch. This no snmp-server engineid command is used for SNMP v3. Configure user Command Explanation Global Mode snmp-server user <use-string> <group-string> [{authPriv | authNoPriv} auth {md5 | sha} <word>] [access {<num-std>|<name>}] Add a user to a SNMP group.
  • Page 65: Typical Snmp Configuration Examples

    Command / Explanation, Global Mode: snmp-server enable traps / no snmp-server enable traps: Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3. snmp-server host { <ipv4-addr> | <ipv6-addr> } {v1 | v2c | {v3 {noauthnopriv ...: Set the host IPv4/IPv6 address which is used to receive SNMP Trap information.
  • Page 66: Snmp Troubleshooting

    Scenario 3: NMS uses SNMP v3 to obtain information from the switch. The configuration on the switch is listed below:
    Switch(config)#snmp-server
    Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
    Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
    Switch(config)#snmp-server view max 1 include
    Scenario 4: NMS wants to receive the v3Trap messages sent by the switch.
  • Page 67: Switch Upgrade

    − The switch has the SNMP Agent server function enabled (use the "snmp-server" command). − Secure IP for the NMS (use the "snmp-server securityip" command) and the community string (use the "snmp-server community" command) are correctly configured; if either of them is wrong, SNMP will not be able to communicate with the NMS properly.
  • Page 68 Figure 4-2 Typical topology for switch upgrade in BootROM mode (console cable connection and cable connection). The upgrade procedures are listed below: Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect the PC to the management port on the switch.
  • Page 69 file.
    [Boot]: load nos.img
    Loading...
    Loading file ok!
    Step 5: Execute write nos.img in BootROM mode. The following saves the system update image file.
    [Boot]: write nos.img
    File nos.img exists, overwrite? (Y/N)?[N] y
    Writing nos.img.............
    Write nos.img OK.
    [Boot]:
    Step 6: The following updates the file boot.rom; the basic environment is the same as in Step 4.
  • Page 70: Ftp/Tftp Upgrade

    Step 9: Execute write flash:/config.rom in BootROM mode. The following saves the update file.
    [Boot]: write flash:/config.rom
    [Boot]: write flash:/config.rom
    File exists, overwrite? (Y/N)[N] y
    Writing flash:/config.rom...
    Write flash:/config.rom OK.
    [Boot]:
    Step 10: After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
  • Page 71 There are two types of data connections: active connection and passive connection. In active connection, the client transmits its address and port number for data transmission to the server, the management connection maintains until data transfer is complete. Then, using the address and port number provided by the client, the server establishes data connection on port 20 (if not engaged) to transfer data;...
  • Page 72 To prevent illicit file upload and easier configuration, switch mandates the name of start up configuration file to be startup-config.  Running configuration file: refers to the running configuration sequence use in the switch. In switch, the running configuration file stores in the RAM. In the current version, the running configuration sequence running-config can be saved from the RAM to FLASH by write command or copy running-config startup-config command, so that the running configuration sequence becomes the start up configuration file, which is called configuration save.
  • Page 73 copy <source-url> <destination-url> FTP/TFTP client upload/download file. [ascii | binary] (2)For FTP client, server file list can be checked. Admin Mode For FTP client, server file list can be ftp-dir <ftpServerUrl> checked. FtpServerUrl format looks like: ftp: //user: password@IPv4|IPv6 Address. 2.
  • Page 74 Start TFTP server, the no command shuts down tftp-server enable TFTP server and prevents TFTP user from no tftp-server enable logging in. (2)Modify TFTP server connection idle time Command Explanation Global Mode tftp-server retransmission-timeout Set maximum retransmission time within timeout <seconds>...
  • Page 75 Place the “12_30_nos.img” file to the appropriate FTP server directory on the computer. The configuration procedures of the switch are listed below: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#exit Switch#copy ftp: //Switch:switch@10.1.1.1/12_30_nos.img nos.img With the above commands, the switch will have the “nos.img” file in the computer downloaded to the FLASH. ...
  • Page 76 The configuration procedures of the switch are listed below: Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#no shut Switch(Config-if-Vlan1)#exit Switch(config)#tftp-server enable Computer side configuration: Login to the switch with any TFTP client software, use the “tftp” command to download “nos.img” file from the switch to the computer.
  • Page 77 4.5.3.4 FTP/TFTP Troubleshooting 4.5.3.4.1 FTP Troubleshooting When upload/download system file with FTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and server before running the FTP program.
  • Page 78 When upload/download system file with TFTP protocol, the connectivity of the link must be ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and server before running the TFTP program. If ping fails, you will need to check for appropriate troubleshooting information to recover the link connectivity.
  • Page 79: Chapter 5 File System Operations

    Chapter 5 File System Operations 5.1 Introduction to File Storage Devices File storage devices used in switches mainly include FLASH cards. As the most common storage device, FLASH is usually used to store system image files (IMG files), system boot files (ROM files) and system configuration files (CFG files).
  • Page 80 directory on a certain device. 4. Changing the current working directory of the storage device Command Explanation Admin Configuration Mode cd <directory> Change the current working directory of the storage device. 5. The display operation of the current working directory Command Explanation Admin Configuration Mode...
  • Page 81: Typical Applications

    5.3 Typical Applications. Copy an IMG file flash:/nos.img stored in the FLASH on the boardcard to cf:/nos-6.1.11.0.img. The configuration of the switch is as follows:
    Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
    Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
    Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.
    5.4 Troubleshooting. If errors occur when users try to implement file system operations, please check whether they are caused by the following reasons ...
  • Page 82: Chapter 6 Cluster Configuration

    Chapter 6 Cluster Configuration 6.1 Introduction to cluster network management Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch).
  • Page 83 5) Clear the list of candidate switches maintained by the switch 4. Configure attributes of the cluster in the candidate switch 1) Set the time interval of keep-alive messages of the cluster 2) Set the max number of lost keep-alive messages that can be tolerated in the cluster 5....
  • Page 84 cluster keepalive loss-count <int> / no cluster keepalive loss-count: Set the max number of lost keep-alive messages that can be tolerated in the cluster. Admin mode: clear cluster nodes [nodes-sn <candidate-sn-list> | mac-address <mac-addr>]: Clear nodes in the list of candidate switches maintained by the switch. 4.
  • Page 85: Examples Of Cluster Administration

    Enable the HTTP function (ip http server) on the commander switch and on the member switches. Notice: the HTTP function must be enabled on a member switch before the commander switch can reach that member switch by web. The commander switch reaches a member switch through the member node in the cluster topology.
  • Page 86: Cluster Administration Troubleshooting

    Configuration of SW1: Switch(config)#cluster run Switch(config)#cluster ip-pool 10.2.3.4 Switch(config)#cluster commander 5526 Switch(config)#cluster auto-add Configure the member switch Configuration of SW2-SW4 Switch(config)#cluster run 6.4 Cluster Administration Troubleshooting When encountering problems in applying the cluster admin, please check the following possible causes: ...
  • Page 87: Chapter 7 Port Configuration

    Chapter 7 Port Configuration 7.1 Introduction to Port XGS3-24042 switches contain cable ports and combo ports. A combo port can be configured as either a 1000BASE-T copper port or an SFP gigabit fiber port. If the user needs to configure some network ports, he/she can use the interface ethernet <interface-list>...
  • Page 88 Port Mode commands: combo-forced-mode {copper-forced | copper-preferred-auto | sfp-forced | sfp-preferred-auto}: Set the combo port mode (combo ports only). shutdown / no shutdown: Disable or enable the specified ports. name <string> / no name: Name the specified ports or remove the name. mdi {auto | across | normal} / no mdi: Set the cable type for the specified port; this command is not supported by combo ports and...
  • Page 89: Port Configuration Example

    rate-violation <200-2000000> [recovery <0-86400>] / no rate-violation: Set the maximum packet reception rate of a port. If the received packet rate exceeds the configured rate, the port is shut down; the optional recovery time sets when it is reopened (default 300 s). The no command disables the rate-violation function on the port.
  • Page 90: Port Troubleshooting

    The configurations are listed below: Switch1: Switch1(config)#interface ethernet 1/0/7 Switch1(Config-If-Ethernet1/0/7)#bandwidth control 50 both Switch2: Switch2(config)#interface ethernet 1/0/9 Switch2(Config-If-Ethernet1/0/9)#speed-duplex force100-full Switch2(Config-If-Ethernet1/0/9)#exit Switch2(config)#interface ethernet 1/0/10 Switch2(Config-If-Ethernet1/0/10)#speed-duplex force1g-full Switch2(Config-If-Ethernet1/0/10)#exit Switch2(config)#monitor session 1 source interface ethernet1/0/8;1/0/9 Switch2(config)#monitor session 1 destination interface ethernet 1/0/10 Switch3: Switch3(config)#interface ethernet 1/0/12 Switch3(Config-If-Ethernet1/0/12)#speed-duplex force100-full Switch3(Config-If-Ethernet1/0/12)#exit...
  • Page 91: Chapter 8 Port Isolation Function Configuration

    Chapter 8 Port Isolation Function Configuration 8.1 Introduction to Port Isolation Function Port isolation is an independent, port-based function that isolates the traffic of ports from each other. With port isolation, users can isolate ports within a single VLAN, which saves VLAN resources and enhances network security.
  • Page 92: Port Isolation Function Typical Examples

    3. Specify the flow to be isolated (Global Mode): isolate-port apply [<l2|l3|all>]: Apply the port isolation configuration to layer-2 flows, layer-3 flows or all flows. 4. Display the configuration of port isolation (Admin Mode and Global Mode): show isolate-port group [ <WORD>...
  • Page 93 between any downlink port and a specified uplink port is normal. The uplink port can communicate with any port normally. The configuration of S1: Switch(config)#isolate-port group test Switch(config)#isolate-port group test switchport interface ethernet 1/0/1;1/0/10...
  • Page 94: Chapter 9 Port Loopback Detection Function Configuration

    Chapter 9 Port Loopback Detection Function Configuration 9.1 Introduction to Port Loopback Detection Function As switches have developed, more and more users access the network through Ethernet switches. In enterprise networks, users access the network through layer-2 switches, which creates demand for both Internet access and internal layer-2 interworking.
  • Page 95 1. Configure the time interval of loopback detection (Global Mode): loopback-detection interval-time <loopback> <no-loopback> / no loopback-detection interval-time: Configure the time interval of loopback detection. 2. Enable the function of port loopback detection (Port Mode): loopback-detection specified-vlan <vlan-list> / no loopback-detection specified-vlan: Enable or disable port loopback detection.
  • Page 96: Port Loopback Detection Function Example

    5. Configure the loopback-detection control mode (Global Mode): loopback-detection control-recovery timeout <0-3600>: Configure whether automatic recovery is enabled and the recovery time. 9.3 Port Loopback Detection Function Example [Figure 9-1 A typical example of port loopback detection: SWITCH and network topology] As shown in the above configuration, the switch will detect the existence of loopbacks in the network topology.
  • Page 97: Port Loopback Detection Troubleshooting

    If the block control method is adopted, MSTP must be enabled globally, and the mapping between spanning-tree instances and VLANs must be configured. Switch(config)#spanning-tree Switch(config)#spanning-tree mst configuration Switch(Config-Mstp-Region)#instance 1 vlan 1 Switch(Config-Mstp-Region)#instance 2 vlan 2 Switch(Config-Mstp-Region)# 9.4 Port Loopback Detection Troubleshooting Port loopback detection is disabled by default and should only be enabled if required.
  • Page 98: Chapter 10 Uldp Function Configuration

    Chapter 10 ULDP Function Configuration 10.1 Introduction to ULDP Function A unidirectional link is a common link error state in networks, especially on fiber links. A link is unidirectional when only one end of the link can receive messages from the other end, while that other end cannot receive messages from the first.
  • Page 99: Uldp Configuration Task Sequence

    mentioned above. On a switch connected by fiber or copper Ethernet cable (such as Category 5e twisted pair), ULDP can monitor the state of the physical links. Whenever a unidirectional link is discovered, it sends a warning to the user and can disable the port automatically or manually, according to the user's configuration. The ULDP of the switch recognizes the remote device and checks the correctness of the link connection by exchanging ULDP messages.
  • Page 100 Global configuration mode: uldp aggressive-mode / no uldp aggressive-mode: Set the global working mode. 4. Configure aggressive mode on a port (Port configuration mode): uldp aggressive-mode / no uldp aggressive-mode: Set the working mode of the port. 5. Configure the method to shut down a unidirectional link (Global configuration mode): ...
  • Page 101: Uldp Function Typical Examples

    Admin mode: show uldp [interface ethernet IFNAME]: Display ULDP information. With no parameter, global ULDP information is displayed; with a port specified, the neighbor information of that port is displayed. debug uldp fsm interface ethernet <IFname>: Enable or disable the debug switch of the...
  • Page 102: Uldp Troubleshooting

    connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of error state of link. The final result is that port g1/0/1, g1/0/2 of SWITCH A and port g1/0/3, g1/0/4 of SWITCH B are all shut down by ULDP.
  • Page 103 the port is considered as “Down”.  To make sure that neighbors are correctly created and unidirectional links are correctly discovered, both ends of the link must enable ULDP and use the same authentication method and password.
  • Page 104: Chapter 11 Lldp Function Operation Configuration

    Chapter 11 LLDP Function Operation Configuration 11.1 Introduction to LLDP Function Link Layer Discovery Protocol (LLDP) is a protocol defined in IEEE 802.1AB. It enables a device to advertise its own state to neighbor devices, and every port of every device stores the information received from its neighbors.
  • Page 105: Lldp Function Configuration Task Sequence

    11.2 LLDP Function Configuration Task Sequence: 1. Globally enable the LLDP function. 2. Configure the port-based LLDP function switch. 3. Configure the operating state of port LLDP. 4. Configure the interval of LLDP updating messages. 5. Configure the aging time multiplier of LLDP messages. 6. Configure the sending delay of updating messages. 7. Configure the interval of sending Trap messages. 8. Enable the Trap function of the port. 9. Configure the optional information-sending attribute of the port...
  • Page 106 Global Mode: lldp msgTxHold <value> / no lldp msgTxHold: Configure the aging time multiplier of LLDP messages as the specified value or restore the default. 6. Configure the sending delay of updating messages (Global Mode): lldp transmit delay <seconds>...
  • Page 107 lldp neighbors max-num <value> / no lldp neighbors max-num: Configure the size of the Remote Table of the port (the number of neighbors it stores) as the specified value or restore the default. 11. Configure the type of operation when the Remote Table of the port is full (Port Configuration Mode): ...
  • Page 108: Lldp Function Typical Example

    11.3 LLDP Function Typical Example Figure 11-1 LLDP Function Typical Configuration Example In the network topology above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured in receive-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDes and SysCap.
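    The example above configures which optional TLVs port 4 of SWITCH A sends and sets port 1 of SWITCH B to receive-only. The Python below is an added illustration, not code from the manual or from PLANET, of what travels on the wire and what the receiving side does with it: it encodes and decodes IEEE 802.1AB TLVs (chassis ID, port ID, TTL, the optional portDes and SysCap), derives the TTL from the transmit interval and the msgTxHold multiplier the way 802.1AB does, and keeps a per-port Remote Table bounded by the max-num limit of the page. The chassis MAC, port names and capability bits used in it are constructed; the "discard when full" behaviour is an assumption because the page's text on that action is truncated.

```python
import struct

# TLV type numbers from IEEE 802.1AB (standard values, not vendor specific)
END_TLV, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP = range(8)
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5
CAP_BRIDGE, CAP_ROUTER = 0x0004, 0x0010   # system-capability bits (802.1AB)

def tlv(tlv_type, value):
    """One TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def build_lldpdu(chassis_mac, port_name, msg_tx_interval=30, msg_tx_hold=4,
                 port_desc=None, sys_cap=None):
    """Build an LLDPDU. The TTL the neighbour stores is msgTxInterval * msgTxHold
    (capped at 65535), which is why the page's msgTxHold knob controls aging."""
    ttl = min(65535, msg_tx_interval * msg_tx_hold)
    pdu = tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if port_desc is not None:                       # optional TLV "portDes" on the page
        pdu += tlv(PORT_DESC, port_desc.encode())
    if sys_cap is not None:                         # optional TLV "SysCap" on the page
        pdu += tlv(SYS_CAP, struct.pack("!HH", sys_cap, sys_cap))  # supported, enabled
    return pdu + tlv(END_TLV, b"")

def parse_lldpdu(data):
    """Decode TLVs up to End-of-LLDPDU, rejecting lengths that run past the frame."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        hdr, = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length exceeds frame")
        value = data[off:off + length]
        off += length
        if tlv_type == END_TLV:
            return tlvs
        tlvs.append((tlv_type, value))

def describe(tlvs):
    """Pull out the fields a neighbour display would print."""
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == CHASSIS_ID and value[:1] == bytes([CHASSIS_SUBTYPE_MAC]):
            info["chassis_id"] = "-".join(f"{b:02x}" for b in value[1:])
        elif tlv_type == PORT_ID and value[:1] == bytes([PORT_SUBTYPE_IFNAME]):
            info["port_id"] = value[1:].decode()
        elif tlv_type == TTL:
            info["ttl"], = struct.unpack("!H", value)
        elif tlv_type == PORT_DESC:
            info["port_desc"] = value.decode()
        elif tlv_type == SYS_CAP:
            info["cap_supported"], info["cap_enabled"] = struct.unpack("!HH", value)
    return info

def neighbor_update(table, local_port, pdu, max_num):
    """Apply a received LLDPDU to the per-port Remote Table. TTL 0 is the 802.1AB
    shutdown LLDPDU and removes the entry. When the table already holds max_num
    neighbours a new one is discarded (assumption: the page has a max-num knob but
    its text on the full-table action is truncated)."""
    info = describe(parse_lldpdu(pdu))
    key = (info["chassis_id"], info["port_id"])
    port_table = table.setdefault(local_port, {})
    if info["ttl"] == 0:
        port_table.pop(key, None)
        return False
    if key not in port_table and len(port_table) >= max_num:
        return False
    port_table[key] = info
    return True
```

    A receive-only port such as port 1 of SWITCH B runs only parse_lldpdu and neighbor_update; note that the parser refuses a TLV whose declared length runs past the end of the frame rather than reading beyond it, which is the check a hardened LLDP agent needs on untrusted ports.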
  • Page 109: Chapter 12 Port Channel Configuration

    Chapter 12 Port Channel Configuration 12.1 Introduction to Port Channel To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel.
  • Page 110: Brief Introduction To Lacp

    should also be the same. If Port Channel is configured manually or dynamically on switch, the system will automatically set the port with the smallest number to be Master Port of the Port Channel. If the spanning tree function is enabled in the switch, the spanning tree protocol will regard Port Channel as a logical port and send BPDU frames via the master port.
  • Page 111: Port Channel Configuration Task List

    1. The summary of the dynamic LACP aggregation Dynamic LACP aggregation is an aggregation created/deleted by the system automatically, it does not allow the user to add or delete the member ports of the dynamic LACP aggregation. The ports which have the same attribute of speed and duplex, are connected to the same device, have the same basic configuration, can be dynamically aggregated together.
  • Page 112 2. Add physical ports to the port group (Port Mode): port-group <port-group-number> mode {active | passive | on} / no port-group: Add the ports to the port group and set their mode. 3. Enter port-channel configuration mode (Global Mode): interface port-channel: Enter port-channel configuration mode.
  • Page 113: Port Channel Examples

    12.4 Port Channel Examples Scenario 1: Configuring Port Channel in LACP. Figure 12-2 Configuring Port Channel in LACP As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in active mode.
  • Page 114 Scenario 2: Configuring Port Channel in ON mode. Figure 12-3 Configuring Port Channel in ON mode As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and add them to group1 with “on” mode. Ports 6, 8, 9, 10 of S2 are access ports and add them to group2 with “on”...
  • Page 115: Port Channel Troubleshooting

    Configuration result: Add ports 1, 2, 3, 4 of S1 to port-group 1 in order. A group in “on” mode is joined forcibly: the switch at the other end does not exchange LACP PDUs to complete the aggregation. Aggregation finishes immediately when the command to add port 2 to port-group 1 is entered: port 1 and port 2 aggregate into port-channel 1. When port 3 joins port-group 1, port-channel 1 (ports 1 and 2) is ungrouped and re-aggregates with port 3 to form port-channel 1. When port 4 joins port-group 1, port-channel 1 of ports 1, 2 and 3 is...
  • Page 116: Chapter 13 Jumbo Configuration

    Chapter 13 Jumbo Configuration 13.1 Introduction to Jumbo So far the jumbo frame has not reached a settled standard in the industry (including the format and length of the frame). Frames between 1519 and 9000 bytes are normally considered jumbo frames. Using jumbo frames can increase the throughput of the whole network by roughly 2% to 5%.
  • Page 117: Chapter 14 Efm Oam Configuration

    Chapter 14 EFM OAM Configuration 14.1 Introduction to EFM OAM Ethernet was originally designed for the Local Area Network, but link length and network scope have been extended rapidly as Ethernet has also been applied to the Metropolitan Area Network and the Wide Area Network.
  • Page 118 need to wait until it receives the connection request. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs continuously to keep the valid Ethernet OAM connection. If an Ethernet OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected.
  • Page 119: Efm Oam Configuration

    4. Remote loopback testing Remote loopback testing is available only after an Ethernet OAM connection is established. With remote loopback enabled, the Ethernet OAM entity operating in active mode issues remote loopback requests and the peer responds to them. If the peer operates in loopback mode, it returns all packets except Ethernet OAMPDUs to the sender along the original path.
  • Page 120 ethernet-oam mode {active | passive}: Configure the work mode of EFM OAM; the default is active mode. ethernet-oam / no ethernet-oam: Enable EFM OAM on the port; the no command disables EFM OAM on the port. ethernet-oam period <seconds> / no ethernet-oam period: Configure the transmission period of OAMPDUs (optional); the no command restores the default value.
  • Page 121: Efm Oam Example

    no ethernet-oam remote-failure (failure means a critical-event or link-fault event on the local side); the no command disables the function. (optional) ethernet-oam errored-symbol-period threshold high {high-symbols | none} / no ethernet-oam errored-symbol-period threshold high: Configure the high threshold of the errored symbol period event; the no command restores the default value.
  • Page 122: Efm Oam Troubleshooting

    [Figure 14-3 Typical OAM application topology: Ethernet 1/0/1 of CE connected to Ethernet 1/0/1 of PE, exchanging 802.3ah OAMPDUs] Configuration procedure: (Omitting SNMP and Log configuration in the following) Configuration on CE: CE(config)#interface ethernet 1/0/1 CE(config-if-ethernet1/0/1)#ethernet-oam mode passive CE(config-if-ethernet1/0/1)#ethernet-oam CE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported Other parameters use the default configuration. Configuration on PE: PE(config)#interface ethernet 1/0/1 PE(config-if-ethernet1/0/1)#ethernet-oam...
  • Page 123 exclusive.  When OAM is enabled, auto-negotiation on the port is disabled automatically, so auto-negotiation must also be disabled on the peer of the link; otherwise the link will not come up. When OAM is disabled, auto-negotiation on the port is restored. To ensure the link works normally, the negotiation settings must therefore match at both ends of the link.
  • Page 124: Chapter 15 Vlan Configuration

    Chapter 15 VLAN Configuration 15.1 VLAN Configuration 15.1.1 Introduction to VLAN A VLAN (Virtual Local Area Network) is a technology that divides the devices within a network into separate logical network segments based on function, application or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices.
  • Page 125: Vlan Configuration Task List

    XGS3 switch Ethernet ports can work in three modes: Access, Hybrid and Trunk; each mode processes tagged and untagged packets differently when forwarding. Access ports belong to only one VLAN and are usually used to connect computers.
  • Page 126 3. Assign switch ports to a VLAN (VLAN Mode): switchport interface <interface-list> / no switchport interface <interface-list>: Assign switch ports to the VLAN. 4. Set the switch port type (Port Mode): switchport mode {trunk | access | hybrid}: Set the current port as a Trunk, Access or Hybrid port.
  • Page 127: Typical Vlan Application

    8. Disable/Enable VLAN Ingress Rules (Port Mode): vlan ingress enable / no vlan ingress enable: Enable or disable VLAN ingress rules. 9. Configure Private VLAN (VLAN Mode): private-vlan {primary | isolated | community}: Configure the current VLAN as a Private VLAN; the no command deletes the private VLAN.
  • Page 128 [Figure 15-2 Typical VLAN Application Topology: Switch A and Switch B joined by a trunk link, each with workstations in VLAN2, VLAN100 and VLAN200] The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200.
  • Page 129: Typical Application Of Hybrid Port

    Switch(Config-Vlan200)#switchport interface ethernet 1/0/8-10 Switch(Config-Vlan200)#exit Switch(config)#interface ethernet 1/0/11 Switch(Config-If-Ethernet1/0/11)#switchport mode trunk Switch(Config-If-Ethernet1/0/11)#exit Switch(config)# Switch B: Switch(config)#vlan 2 Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4 Switch(Config-Vlan2)#exit Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/0/5-7 Switch(Config-Vlan100)#exit Switch(config)#vlan 200 Switch(Config-Vlan200)#switchport interface ethernet 1/0/8-10 Switch(Config-Vlan200)#exit Switch(config)#interface ethernet 1/0/11 Switch(Config-If-Ethernet1/0/11)#switchport mode trunk Switch(Config-If-Ethernet1/0/11)#exit 15.1.4 Typical Application of Hybrid Port Scenario:...
  • Page 130 PC1 connects to interface Ethernet 1/0/7 of SwitchB, PC2 connects to interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB. For security reasons PC1 and PC2 must not be able to access each other, but both must be able to reach other network resources through the gateway SwitchA.
  • Page 131: Gvrp Configuration

    15.2 GVRP Configuration 15.2.1 Introduction to GVRP GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism to transmit attributes, so as to ensure protocol entities registering and deregistering the attribute. According to different transmission attributes, GARP can be divided to many application protocols, such as GMRP and GVRP.
  • Page 132: Example Of Gvrp

    Global Mode: garp timer join <200-500>, garp timer leave <500-1200>, garp timer leaveall <5000-60000> / no garp timer (join | leave | leaveAll): Configure the join, leave and leaveall timers for GVRP. 2. Configure port type (Port mode): gvrp / no gvrp: Enable or disable the GVRP function...
  • Page 133 Figure 15-5 Typical GVRP Application Topology To enable dynamic VLAN information register and update among switches, GVRP protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
  • Page 134: Gvrp Troubleshooting

    Switch(config)#interface ethernet 1/0/11 Switch(Config-If-Ethernet1/0/11)#switchport mode trunk Switch(Config-If-Ethernet1/0/11)# gvrp Switch(Config-If-Ethernet1/0/11)#exit 15.2.4 GVRP Troubleshooting The GARP timer settings of the trunk ports at both ends of a trunk link must be the same, otherwise GVRP will not work normally. It is recommended not to enable GVRP and RSTP at the same time on a switch. If GVRP needs to be enabled, the RSTP function must be disabled on those ports first.
  • Page 135: Dot1Q-Tunnel Configuration

    transmitted in VLAN3 when traveling across the ISP network, carrying two VLAN tags (the outer tag, the SPVID, is added when the packet enters PE1; the inner tag is the customer's own), so the VLAN information of the user network is transparent to the provider network. When the packet reaches PE2, the outer VLAN tag is removed before it is forwarded to CE2 from the client port on PE2, so the packet CE2 receives is identical to the one sent by CE1.
  • Page 136: Dot1Q-Tunnel Troubleshooting

    network. Configuration items: VLAN3 on port 1 of PE1 and PE2; dot1q-tunnel on port 1 of PE1 and PE2; tpid 9100. Configuration procedure is as follows: PE1: Switch(config)#vlan 3 Switch(Config-Vlan3)#switchport interface ethernet 1/0/1 Switch(Config-Vlan3)#exit Switch(Config)#interface ethernet 1/0/1 Switch(Config-Ethernet1/0/1)# dot1q-tunnel enable Switch(Config-Ethernet1/0/1)# exit Switch(Config)#interface ethernet 1/0/1 Switch(Config-Ethernet1/0/1)#switchport mode trunk Switch(Config-Ethernet1/0/1)#dot1q-tunnel tpid 0x9100...
  • Page 137: Vlan-Translation Configuration

    15.4 VLAN-translation Configuration 15.4.1 Introduction to VLAN-translation VLAN translation, as the name says, translates the original VLAN ID into a new VLAN ID according to the user's requirements, so that data can be exchanged across different VLANs. VLAN translation is classified into ingress translation and egress translation; this switch only supports ingress translation of the VLAN ID.
  • Page 138: Typical Application Of Vlan-Translation

    Admin mode: show vlan-translation: Show the related configuration of vlan-translation. 15.4.3 Typical application of VLAN-translation Scenario: Edge switches PE1 and PE2 of the ISP network carry the VLAN20 traffic between CE1 and CE2 of the client network in VLAN3. Port 1 of PE1 is connected to CE1 and port 10 to the public network; port 1 of PE2 is connected to CE2 and port 10 to the public network.
  • Page 139: Vlan-Translation Troubleshooting

    15.4.4 VLAN-translation Troubleshooting Normally the VLAN-translation is applied on trunk ports. Priority of vlan translation and vlan ingress filtering for processing packets is: vlan translation > vlan ingress filtering 15.5 Dynamic VLAN Configuration 15.5.1 Introduction to Dynamic VLAN The dynamic VLAN is named corresponding to the static VLAN (namely the port based VLAN). Dynamic VLAN supported by the switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN.
  • Page 140 1. Configure the MAC-based VLAN function on the port (Port Mode): switchport mac-vlan enable / no switchport mac-vlan enable: Enable or disable the MAC-based VLAN function on the port. 2. Set the VLAN to MAC VLAN (Global Mode): mac-vlan vlan <vlan-id>: Configure the specified VLAN as a MAC...
  • Page 141: Typical Application Of The Dynamic Vlan

    protocol-vlan mode {ethernetii etype <etype-id> | llc {dsap <dsap-id> ssap <ssap-id>} | snap etype <etype-id>} vlan <vlan-id> priority <priority-id> / no protocol-vlan {mode {ethernetii etype <etype-id> | llc {dsap <dsap-id> ssap <ssap-id>} | snap etype <etype-id>} | all}: Add or delete the correspondence between a protocol and a VLAN, i.e. the specified protocol joins or leaves the specified VLAN. 7.
  • Page 142: Dynamic Vlan Troubleshooting

    For example, M is attached to E1/0/1 of SwitchA; the configuration procedures are as follows: Switch A, Switch B, Switch C: SwitchA (Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0 SwitchA (Config)#interface ethernet 1/0/1 SwitchA (Config-Ethernet1/0/1)# switchport mode hybrid SwitchA (Config-Ethernet1/0/1)# switchport hybrid allowed vlan 100 untagged SwitchB (Config)#mac-vlan mac 00-30-4f-11-22-33 vlan 100 priority 0 SwitchB (Config)#exit SwitchB#...
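    The dot1q-tunnel section (15.3) describes a frame gaining an outer SPVID tag with TPID 0x9100 at PE1 and losing it at PE2, and the dynamic VLAN section (15.5) describes classifying untagged frames by source MAC or by protocol (Ethernet II etype, LLC dsap/ssap, SNAP etype). The following Python is an added illustration of both, written for this page and not taken from the manual or from PLANET. It parses tagged, double-tagged, Ethernet II, LLC and SNAP frames, pushes and pops the provider tag, and assigns a VLAN to an untagged frame. All frames and MAC addresses in it are constructed, and the lookup order MAC-based before protocol-based before PVID is an assumption (the page lists the three dynamic VLAN types but not their precedence).

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q TPID
TPID_9100 = 0x9100    # the outer TPID the page sets with "dot1q-tunnel tpid 0x9100"

def mac_bytes(text):
    """'00-03-0f-11-22-33' (or colon form) -> six raw bytes."""
    return bytes(int(x, 16) for x in text.replace(":", "-").split("-"))

def mac_text(raw):
    return "-".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, etype_or_len, payload):
    """Untagged Ethernet frame; a value >= 0x0600 is an EtherType, below it an 802.3 length."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype_or_len) + payload

def push_tag(frame, vid, tpid=TPID_8021Q, pcp=0):
    """Insert a VLAN tag after the MAC header. On a dot1q-tunnel client port this is the
    SPVID outer tag; on any other port it is the ordinary 802.1Q tag."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame, expected_tpid):
    """Remove the outermost tag, refusing if its TPID is not the one expected."""
    tpid, = struct.unpack_from("!H", frame, 12)
    if tpid != expected_tpid:
        raise ValueError(f"outer TPID 0x{tpid:04x}, expected 0x{expected_tpid:04x}")
    return frame[:12] + frame[16:]

def parse_frame(frame, tpids=(TPID_8021Q, TPID_9100)):
    """Return (dst, src, tags outer-first, encapsulation, payload). Encapsulation is
    ('ethernetii', etype), ('llc', dsap, ssap) or ('snap', etype): the three keys the
    page's protocol-vlan command matches on."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated after tag")
        etype, = struct.unpack_from("!H", frame, off)
        if etype not in tpids:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += 4
    off += 2
    if etype >= 0x0600:
        return dst, src, tags, ("ethernetii", etype), frame[off:]
    if off + 3 > len(frame):
        raise ValueError("truncated LLC header")
    dsap, ssap = frame[off], frame[off + 1]          # control byte sits at off + 2
    if dsap == 0xAA and ssap == 0xAA:                # SNAP: control, 3-byte OUI, 2-byte type
        if off + 8 > len(frame):
            raise ValueError("truncated SNAP header")
        snap_etype, = struct.unpack_from("!H", frame, off + 6)
        return dst, src, tags, ("snap", snap_etype), frame[off + 8:]
    return dst, src, tags, ("llc", dsap, ssap), frame[off + 3:]

def provider_tunnel(frame_from_ce1, spvid, tpid=TPID_9100):
    """PE1 client port pushes the SPVID outer tag; PE2 client port pops it before CE2.
    Returns (frame as seen inside the provider network, frame delivered to CE2)."""
    in_provider = push_tag(frame_from_ce1, spvid, tpid)
    return in_provider, pop_tag(in_provider, tpid)

def classify_vlan(frame, pvid, mac_vlan=None, protocol_vlan=None):
    """Dynamic VLAN assignment for a frame arriving on a hybrid/access port.
    Lookup order MAC-based, then protocol-based, then the port PVID is an assumption;
    the page lists the three types but not their precedence."""
    _, src, tags, encap, _ = parse_frame(frame)
    if tags:                       # already tagged: the outer VID wins
        return tags[0][2]
    if mac_vlan and mac_text(src) in mac_vlan:
        return mac_vlan[mac_text(src)]
    if protocol_vlan and encap in protocol_vlan:
        return protocol_vlan[encap]
    return pvid
```

    The provider_tunnel helper is the round trip of figure 15-3 in miniature: the customer's 0x8100 tag survives untouched under the 0x9100 outer tag, and pop_tag refuses to strip anything that does not carry the configured TPID, which is the check that keeps a customer frame from being mistaken for a provider frame.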
  • Page 143: Voice Vlan Configuration

    15.6 Voice VLAN Configuration 15.6.1 Introduction to Voice VLAN Voice VLAN is specially configured for the user voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipments to the Voice VLAN, the user will be able to configure QoS (Quality of service) service for voice data, and improve the voice data traffic transmission priority to ensure the calling quality.
  • Page 144: Typical Applications Of The Voice Vlan

    <voice-name>] / no voice-vlan {mac <mac-address> mask <mac-mask> | name <voice-name> | all}. 3. Enable the Voice VLAN of the port (Port Mode): switchport voice-vlan enable / no switchport voice-vlan enable: Enable or disable the Voice VLAN function on the port. 15.6.3 Typical Applications of the Voice VLAN Scenario: A company implements voice communication by configuring a Voice VLAN.
  • Page 145: Voice Vlan Troubleshooting

    Switch(Config-If-Ethernet1/0/10)#exit Switch(Config)#interface ethernet 1/0/1 Switch(Config-If-Ethernet1/0/1)#switchport mode hybrid Switch(Config-If-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untag Switch(Config-If-Ethernet1/0/1)#exit Switch(Config)#interface ethernet 1/0/2 Switch(Config-If-Ethernet1/0/2)#switchport mode hybrid Switch(Config-If-Ethernet1/0/2)#switchport hybrid allowed vlan 100 untag Switch(Config-If-Ethernet1/0/2)#exit 15.6.4 Voice VLAN Troubleshooting  Voice VLAN can not be applied concurrently with MAC-base VLAN. ...
  • Page 146: Chapter 16 Mac Table Configuration

    Chapter 16 MAC Table Configuration 16.1 Introduction to MAC Table The MAC table identifies the mapping between destination MAC addresses and switch ports. MAC addresses are categorized as static MAC addresses and dynamic MAC addresses. Static MAC addresses are configured manually by the user, have the highest priority and are permanently effective (they will not be overwritten by dynamic MAC addresses);...
  • Page 147: Forward Or Filter

    The topology of the figure above: 4 PCs are connected to the switch. PC1 and PC2 belong to the same physical segment (the same collision domain), which connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch. The initial MAC table contains no address mapping entries.
  • Page 148: Mac Address Table Configuration Task List

    Three types of frames can be forwarded by the switch: broadcast frames, multicast frames and unicast frames. The following describes how the switch deals with each of the three types: Broadcast frame: the switch separates collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain.
  • Page 149: Typical Configuration Examples

    <interface-name>] | [source|destination|both]; no mac-address-table {static | blackhole | dynamic} [address <mac-addr>] [vlan <vlan-id>] [interface [ethernet | portchannel] <interface-name>]. 3. Clear the dynamic address table (Admin Mode): clear mac-address-table dynamic [address <mac-addr>] [vlan <vlan-id>] [interface [ethernet | portchannel] <interface-name>]: Clear the dynamic address table. 16.3 Typical Configuration Examples
  • Page 150: Mac Table Troubleshooting

    Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address. Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1. Set the static mapping for PC2 and PC3 to port 7 and port 9, respectively. Switch(config)#mac-address-table static 00-01-22-22-22-22 interface ethernet 1/0/7 vlan 1 Switch(config)#mac-address-table static 00-01-33-33-33-33 interface ethernet 1/0/9 vlan 1 16.4 MAC Table Troubleshooting Using the show mac-address-table command, a port is found to fail to learn the MAC of a device...
  • Page 151 4. mac-notification trap configuration. Enable the MAC address binding function for the ports (Port Mode): switchport port-security / no switchport port-security: Enable the MAC address binding function for the port and lock the port. When a port is locked, MAC address learning on the port is disabled; the “no switchport port-security”...
  • Page 152 switchport port-security violation {protect | shutdown} / no switchport port-security violation: Set the violation mode for the port; the no command restores the default setting. 4. mac-notification trap configuration (Global Mode): mac-address-table periodic-monitor-time <5-86400>: Set the MAC monitor interval used to count the added and deleted MAC addresses in time and send...
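    Chapter 8 (port isolation) and chapter 16 (MAC table learning, static and discard entries, port-security with protect or shutdown violation modes) together describe the forwarding decision the switch makes for every frame. The Python model below is an added example written for this page, not code from the manual or from PLANET. It uses the addresses and ports of the 16.3 example (PC1 filtered, PC2 static on port 7, PC3 static on port 9) plus an isolation group of ports 1 and 10 as in 8.3, all constructed here. Two points are assumptions rather than page content: a discard entry applies to the address as source and destination by default (the page only shows the source|destination|both option on the no form), and a locked port is given its bound MAC list directly because the page's binding command is truncated.

```python
def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (lowest bit of the first octet) set."""
    return int(mac.split("-")[0], 16) & 1 == 1

class Switch:
    """Model of the forwarding decision of 16.1/16.2: learn sources, look up
    destinations, flood what is unknown or group-addressed, honour static and discard
    entries, port-security and port-isolation groups. Ports are integers."""

    def __init__(self, vlan_ports):
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}  # vlan -> member ports
        self.static = {}        # (vlan, mac) -> port; never overwritten by learning
        self.dynamic = {}       # (vlan, mac) -> port; refreshed on every frame
        self.discard = {}       # (vlan, mac) -> "source" | "destination" | "both"
        self.isolate_groups = []   # sets of ports that must not forward to each other
        self.port_security = {}    # port -> {"bound": set of MACs, "violation": mode}
        self.shutdown = set()

    def add_static(self, mac, vlan, port):
        self.static[(vlan, mac)] = port

    def add_discard(self, mac, vlan, direction="both"):   # "both" is an assumption
        self.discard[(vlan, mac)] = direction

    def add_isolate_group(self, ports):
        self.isolate_groups.append(set(ports))

    def enable_port_security(self, port, bound_macs, violation="protect"):
        if violation not in ("protect", "shutdown"):
            raise ValueError("violation mode must be protect or shutdown")
        self.port_security[port] = {"bound": set(bound_macs), "violation": violation}

    def _isolated(self, a, b):
        return any(a in g and b in g for g in self.isolate_groups)

    def _discarded(self, vlan, mac, role):
        direction = self.discard.get((vlan, mac))
        return direction in (role, "both")

    def receive(self, in_port, vlan, src, dst):
        """Process one frame; returns (action, list of egress ports)."""
        if in_port in self.shutdown or in_port not in self.vlan_ports.get(vlan, ()):
            return ("dropped", [])
        sec = self.port_security.get(in_port)
        if sec is not None:
            # locked port: no learning, and an unbound source is a violation
            if src not in sec["bound"]:
                if sec["violation"] == "shutdown":
                    self.shutdown.add(in_port)
                return ("violation", [])
        elif (vlan, src) not in self.static:
            self.dynamic[(vlan, src)] = in_port        # learn or refresh the source
        if self._discarded(vlan, src, "source") or self._discarded(vlan, dst, "destination"):
            return ("filtered", [])
        out = self.static.get((vlan, dst))
        if out is None:
            out = self.dynamic.get((vlan, dst))
        if out is None or is_group_address(dst):
            flood = [p for p in sorted(self.vlan_ports[vlan])
                     if p != in_port and p not in self.shutdown and not self._isolated(in_port, p)]
            return ("flooded", flood)
        if out == in_port or self._isolated(in_port, out):
            return ("filtered", [])
        return ("forwarded", [out])
```

    The model makes the operational difference between the two violation modes visible: protect silently drops the offending frame and the port keeps serving its bound station, while shutdown takes the port out of service until an administrator brings it back, which is the right choice where a physical port should never see a second station.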
  • Page 153: Chapter 17 Mstp Configuration

    Chapter 17 MSTP Configuration 17.1 Introduction to MSTP MSTP (Multiple Spanning Tree Protocol) is a spanning-tree protocol based on STP and RSTP. It runs on all the bridges of a bridged LAN. It calculates a Common and Internal Spanning Tree (CIST) for the bridged LAN, which consists of the bridges running MSTP, RSTP and STP.
  • Page 154: Operations Within An Mstp Region

    [Figure 17-1 Example of CIST and MST Region: two roots and one MST REGION] In the above network, if the bridges are running STP or RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run MSTP and are configured in the same MST region, MSTP will treat this region as a single bridge.
  • Page 155: Port Roles

    17.1.2 Port Roles The MSTP bridge assigns a port role to each port which runs MSTP.  CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port  On top of those roles, each MSTI port has one new role: Master Port. The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same ways as those in the RSTP.
  • Page 156 2. Configure instance parameters (Global Mode): spanning-tree mst <instance-id> priority <bridge-priority> / no spanning-tree mst <instance-id> priority: Set the bridge priority for the specified instance. spanning-tree priority <bridge-priority> / no spanning-tree priority: Configure the spanning-tree priority of the switch. Port Mode: spanning-tree mst <instance-id> cost <cost>...
  • Page 157 name <name> / no name: Set the MSTP region name. revision-level <level> / no revision-level: Set the MSTP region revision level. abort: Quit MSTP region mode and return to Global mode without saving the MSTP region configuration. exit: Quit MSTP region mode and return to Global mode, saving the MSTP region configuration.
  • Page 158 Port Mode: spanning-tree format {standard | privacy | auto} / no spanning-tree format: Configure the format of the spanning-tree packets sent on the port. standard is the format provided by IEEE, privacy is compatible with Cisco, and auto means the format is determined by checking the received packets. 7.
  • Page 159: MSTP Example

    topology changes. Port Mode: spanning-tree tcflush {enable | disable | protect} / no spanning-tree tcflush: configure the port flush mode; the no command restores use of the globally configured flush mode. 17.3 MSTP Example The following is a typical MSTP application example: (figure; Switch1, Switch2, Switch3, Switch4)...
  • Page 160 (table continued from the previous page; two columns of per-port values)
    Port 4: 200000, 200000
    Port 5: 200000, 200000
    Port 6: 200000, 200000
    Port 7: 200000, 200000
    By default, MSTP establishes a tree topology (the blue lines in the figure) rooted at SwitchA. The ports marked with "x" are in the discarding state and the other ports are in the forwarding state. Configuration steps: Step 1: Configure port-to-VLAN mapping: ...
  • Page 161 Switch3(Config-Vlan30)#exit
    Switch3(config)#vlan 40
    Switch3(Config-Vlan40)#exit
    Switch3(config)#vlan 50
    Switch3(Config-Vlan50)#exit
    Switch3(config)#spanning-tree mst configuration
    Switch3(Config-Mstp-Region)#name mstp
    Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
    Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
    Switch3(Config-Mstp-Region)#exit
    Switch3(config)#interface e1/0/1-7
    Switch3(Config-Port-Range)#switchport mode trunk
    Switch3(Config-Port-Range)#exit
    Switch3(config)#spanning-tree
    Switch3(config)#spanning-tree mst 3 priority 0
    Switch4:
    Switch4(config)#vlan 20
    Switch4(Config-Vlan20)#exit
    Switch4(config)#vlan 30
    Switch4(Config-Vlan30)#exit
    Switch4(config)#vlan 40
    Switch4(Config-Vlan40)#exit
    Switch4(config)#vlan 50...
  • Page 162 forwarding. Because instance 3 and instance 4 are valid only inside the MSTP region, the following figure shows only the topology of the MSTP region. Figure 17-3 The Topology of Instance 0 after the MSTP Calculation (figure; Switch1, Switch2, Switch3, Switch4). (next figure; Switch2, Switch3, Switch4)...
  • Page 163: MSTP Troubleshooting

    Figure 17-5 The Topology of Instance 4 after the MSTP Calculation (figure; Switch2, Switch3, Switch4). 17.4 MSTP Troubleshooting
    - To run MSTP on a switch port, MSTP must be enabled globally. If MSTP is not enabled globally, it cannot be enabled on the port.
  • Page 164: Chapter 18 QoS Configuration

    Chapter 18 QoS Configuration 18.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that let you create differentiated services for network traffic, thereby providing better service for selected traffic. QoS guarantees consistent and predictable data transfer service quality to meet application requirements.
  • Page 165: QoS Implementation

    Drop Precedence: when packets are processed, those with the higher drop precedence are dropped first; the range is 0-1. Its abbreviation is Drop-Prec or DP. Classification: the entry action of QoS, which classifies packet traffic according to the classification information carried in the packet and ACLs. Policing: the ingress action of QoS, which lays down the policing policy and manages the classified packets.
  • Page 166 Figure 18-3 Basic QoS Model (figure). Classification: classify traffic according to the packet's classification information and generate an internal DSCP value based on it. Classification is performed differently for different packet types and switch configurations; the flowchart below explains this in detail.
  • Page 167 (classification flowchart; only its labels are recoverable: Start; tagged packet: the L2 COS value obtained by the packet is its own L2 COS (*1); untagged packet: use the default COS; Trust DSCP, IP packet (*2); Trust COS (*2); set Int-Prio as the default ingress Int-Prio; DSCP-to-Int-Prio conversion; COS-to-Int-Prio conversion) ...
  • Page 168 Policing and remark: each packet in the classified ingress traffic is assigned an internal priority value and can be policed and remarked. Policing can be performed per flow to configure different policies that allocate bandwidth to the classified traffic; the assigned bandwidth policy may be single-bucket dual-color or dual-bucket three-color. The traffic is assigned a color and may be discarded or passed; for the passed packets, a remarking action is added.
  • Page 169 Note 1: Int-Prio is overwritten by the later setting; the Set Int-Prio of a color-specific action overrides the Set Int-Prio of the color-independent action. Note 2: The internal priority of packets is lowered according to the IntP-to-IntP map. Source Int-Prio means the Int-Prio obtained in the classification flow or the Int-Prio set by the color-independent action.
  • Page 170: QoS Configuration Task List

    18.2 QoS Configuration Task List 1. Configure class map: set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 Flow Label (FL) to classify the data stream. Different classes of data stream are processed with different policies. 2.
  • Page 171 Global Mode:
    policy-map <policy-map-name> / no policy-map <policy-map-name>: create a policy map and enter policy map mode; the no command deletes the specified policy map. After a policy map is created, it can be associated with a class. Different policy ...
    class <class-map-name>...
  • Page 172 drop / no drop, transmit / no transmit: drop or transmit the traffic that matches the class; the no command cancels the assigned action.
    3. Apply QoS to port or VLAN interface
    Interface Configuration Mode:
    mls qos trust {cos | dscp}: configure port trust;...
  • Page 173: QoS Example

    mls qos map (cos-dp <dp1…dp8> | dscp-dscp <in-dscp list> to <out-dscp> | dscp-intp <in-dscp list> to <intp> | dscp-dp <in-dscp list> to <dp>) / no mls qos map (cos-dp | dscp-dscp | dscp-intp | dscp-dp): set the priority mapping for QoS; the no command restores the default mapping value.
    mls qos map intp-dscp <dscp1..dscp8>...
  • Page 174 Switch(Config-If-Ethernet1/0/1)#mls qos trust cos
    Switch(Config-If-Ethernet1/0/1)#mls qos cos 5
    Configuration result: when QoS is enabled in Global Mode, the egress queue bandwidth proportion of each port is 1:1:2:2:4:4:8:8. When packets carrying a CoS value come in through port ethernet1/0/1, they are mapped to an internal priority according to the CoS value; CoS values 0 to 7 correspond to egress queues 1, 2, 3, 4, 5, 6, 7, 8 respectively.
  • Page 175 Figure 18-7 Typical QoS topology (figure; Server, QoS area, Switch1, Switch2, Switch3, Trunk). As shown in the figure, the area inside the block is a QoS domain; Switch1 classifies different traffic and assigns different IP precedences. For example, set the CoS precedence of packets from segment 192.168.1.0 to 5 on port ethernet1/0/1 (set the internal priority to 40 and the default intp-dscp mapping to 40-40, whose corresponding IP precedence is 5).
  • Page 176: QoS Troubleshooting

    18.4 QoS Troubleshooting
    - trust cos and EXP can be used together with other trust settings or a Policy Map.
    - trust dscp can be used together with other trust settings or a Policy Map. This configuration applies to both IPv4 and IPv6 packets.
    - trust exp, trust dscp and trust cos may be configured at the same time; the priority order is EXP > DSCP > COS.
  • Page 177: Chapter 19 Flow-Based Redirection

    Chapter 19 Flow-based Redirection 19.1 Introduction to Flow-based Redirection The flow-based redirection function enables the switch to forward data frames that meet a specified condition (defined by an ACL) to another specified port. Frames meeting the same condition are called a class of flow; the ingress port of the data frame is called the source port of the redirection, and the specified egress port is called the destination port of the redirection.
  • Page 178: Flow-Based Redirection Examples

    19.3 Flow-based Redirection Examples Example: the user's configuration request is as follows: redirect frames whose source IP is 192.168.1.111 and that are received on port 1 to port 6; that is, frames with source IP 192.168.1.111 received on port 1 are sent out through port 6.
  • Page 179: Chapter 20 Egress QoS Configuration

    Chapter 20 Egress QoS Configuration 20.1 Introduction to Egress QoS In traditional IP networks, all packets are treated in the same way: all network equipment handles them with a first-in-first-out policy and makes a best effort to deliver them to the destination. However, this does not guarantee performance such as reliability and transmission delay.
  • Page 180: Basic Egress QoS Model

    20.1.2 Basic Egress QoS Model (block diagram; only its labels are recoverable. Ingress side: Classification (sort packet traffic according to ...), Policing (decide whether traffic policing is single bucket ...), Generate internal priority and color, Remark. Egress side: Policing and remark of Egress (set the color of packet traffic according to policing ...), Priority scheduling (place packets into priority queues according to ...), Degrade or discard ...)
  • Page 181: Egress QoS Configuration

    Description of the actions that modify QoS attributes according to the egress remark table:
    cos-cos: based on the CoS value of packets, modify the CoS value according to the CoS table of QoS remarking.
    cos-dscp: based on the CoS value of packets, modify the DSCP value according to the CoS table of QoS remarking.
    dscp-cos: based on the DSCP value of packets, modify the CoS value according to the DSCP table of QoS remarking.
    dscp-dscp:...
  • Page 182 access-group}
    2. Configure a policy-map
    Global Mode:
    policy-map <policy-map-name> / no policy-map <policy-map-name>: create a policy-map and enter policy-map mode; the no command deletes the specified policy-map.
    class <class-map-name> [insert-before <class-map-name>] / no class <class-map-name>...: create a policy map to associate with a class map and enter policy class map mode ...
  • Page 183 class map mode, add the statistics function to the flow of the policy class map. In single-bucket mode, packets can only be red or green after passing through policing; in the printed information, in-profile means green and out-profile means red. In dual-bucket mode there are three colors of packets: in-profile means green, and out-profile means red and yellow.
  • Page 184: Egress QoS Example

    Admin Mode:
    clear mls qos statistics [interface <interface-name> | vlan <vlan-id>]: clear the accounting data of the Policy Map on the specified ports or VLAN. If there are no parameters, clear the accounting data of all policy maps.
    6. Show QoS configuration
    Admin Mode:
    show mls qos {interface [<interface-id>] ...: show the QoS configuration of the port.
  • Page 185 switch(config)#class-map 1
    switch(config-classmap-1)#match ipv6 dscp 7
    switch(config-classmap-1)#exit
    Create a policy map:
    switch(config)#policy-map 1
    switch(config-policymap-1)#class 1
    switch(config-policymap-1-class-1)#set cos 4
    switch(config-policymap-1-class-1)#exit
    switch(config-policymap-1)#exit
    Bind the policy to a VLAN:
    switch(config)#service-policy output 1 vlan 10
    Example 3: On the egress of port 1, limit the rate of packets. Set the bandwidth for packets to 1 Mb/s with a normal burst of 1 MB and a maximum burst of 4 MB; set DSCP value 1 to 10 for green packets, set the DSCP value of yellow packets to 9, and drop red packets.
  • Page 186: Egress QoS Example

    switch(config-if-port-range)#mls qos trust dscp
    Bind the policy to the egress of port 1:
    switch(config-if-ethernet1/0/1)#service-policy output p1
    20.4 Egress QoS Examples
    - Not all equipment supports Egress QoS at present, so make sure the current device supports this function.
    - If the configured policy cannot be bound to the port or VLAN, check whether the match option in the classification table is supported by the current device.
  • Page 187: Chapter 21 Flexible QinQ Configuration

    Chapter 21 Flexible QinQ Configuration 21.1 Introduction to Flexible QinQ 21.1.1 QinQ Technique Dot1q-tunnel, also called QinQ (802.1Q-in-802.1Q), is an extension of 802.1Q. Its main idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider VLAN tag (SPVLAN tag). The packet carrying two VLAN tags is transmitted through the ISP's backbone network, providing a simple Layer 2 tunnel for users.
  • Page 188 Global mode:
    class-map <class-map-name> / no class-map <class-map-name>: create a class-map and enter class-map mode; the no command deletes the specified class-map.
    match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> | ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list> ...: set the match criteria of the class-map (classify the data flow by ACL, CoS, VLAN ID, IPv4 Precedence, DSCP, etc. for the class ...
  • Page 189: Flexible QinQ Example

    no service-policy input <policy-map-name> vlan <vid>: the no command deletes the specified policy-map applied to the VLAN.
    4. Show the flexible QinQ policy-map bound to a port
    Admin mode:
    show mls qos {interface [<interface-id>] ...: show the flexible QinQ configuration on the port.
    21.3 Flexible QinQ Example Figure 21-1 Flexible QinQ application topology (figure). As shown in the figure, the first user is assigned three VLANs whose tag values are 1001, 2001 and 3001 respectively in DSLAM1.
  • Page 190 Switch(config-classmap-c1)#match vlan 1001
    Switch(config-classmap-c1)#exit
    Switch(config)#class-map c2
    Switch(config-classmap-c2)#match vlan 2001
    Switch(config-classmap-c2)#exit
    Switch(config)#class-map c3
    Switch(config-classmap-c3)#match vlan 3001
    Switch(config-classmap-c3)#exit
    Switch(config)#policy-map p1
    Switch(config-policymap-p1)#class c1
    Switch(config-policymap-p1-class-c1)#set s-vid 1001
    Switch(config-policymap-p1)#class c2
    Switch(config-policymap-p1-class-c2)#set s-vid 2001
    Switch(config-policymap-p1)#class c3
    Switch(config-policymap-p1-class-c3)#set s-vid 3001
    Switch(config-policymap-p1-class-c3)#exit
    Switch(config-policymap-p1)#exit
    Switch(config)#interface ethernet 1/0/1
    Switch(config-if-ethernet1/0/1)#service-policy input p1
    If the data flow of DSLAM2 enters the switch's downlink port 1, the configuration is as follows:
    Switch(config)#class-map c1...
  • Page 191: Flexible QinQ Troubleshooting

    21.4 Flexible QinQ Troubleshooting If a flexible QinQ policy cannot be bound to the port, check whether the problem is caused by one of the following reasons:
    - Make sure flexible QinQ supports the configured class-map and policy-map.
    - Make sure the ACL includes a permit rule if the class-map matches an ACL rule.
    - ...
  • Page 192: Chapter 22 Layer 3 Forward Configuration

    Chapter 22 Layer 3 Forward Configuration The switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result.
  • Page 193 1. Create Layer 3 Interface
    Global Mode:
    interface vlan <vlan-id> / no interface vlan <vlan-id>: creates a VLAN interface (a VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the switch.
    interface loopback <loopback-id>...: creates a Loopback interface and enters ...
  • Page 194: IP Configuration

    Global Mode:
    ip vrf <vrf-name> / no ip vrf <vrf-name>: create a VRF instance; no VRF instance is created by default.
    VRF Mode:
    rd <ASN:nn_or_IP-address:nn>: configure the RD of the VRF instance; no RD is created by default.
    route-target {import | export | both} <rt-value>...: configure the RT of the VRF instance ...
  • Page 195 every connection state, which greatly increases network delay and decreases network performance. Moreover, the translation of packet addresses obstructs end-to-end network security checks; the IPsec Authentication Header is one such example. Therefore, to comprehensively solve the various problems of IPv4, the next-generation Internet Protocol IPv6, designed by the IETF, has become the only feasible solution at present.
  • Page 196: IP Configuration

    22.2.2 IP Configuration A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface. 22.2.2.1 IPv4 Address Configuration IPv4 address configuration task list: 1. Configure the IPv4 address of a Layer 3 interface. 1. Configure the IPv4 address of a Layer 3 interface: VLAN Interface Configuration Mode: configure the IP address of the VLAN interface;...
  • Page 197 via DHCPv6. (15) Set the flag representing whether the address information will be obtained via DHCPv6. 3. IPv6 Tunnel configuration: (1) Create/delete a tunnel; (2) Configure the tunnel description; (3) Configure the tunnel source; (4) Configure the tunnel destination; (5) Configure the tunnel next-hop; (6) Configure the tunnel mode; (7) Configure tunnel routing. 1.
  • Page 198 performs duplicate address detection. The no command restores the default value (1). (2) Configure the Neighbor Solicitation message send interval. Interface Configuration Mode: ipv6 nd ns-interval <seconds> / no ipv6 nd ns-interval: set the interval at which the interface sends neighbor solicitation messages; the no command restores the default value (1 second).
  • Page 199 Interface Configuration Mode:
    ipv6 nd prefix <ipv6-address/prefix-length> <valid-lifetime> <preferred-lifetime> [off-link] [no-autoconfig] / no ipv6 nd prefix <ipv6-address/prefix-length> <valid-lifetime> <preferred-lifetime> [off-link] [no-autoconfig]: configure the address prefix and advertisement parameters of the router; the no command cancels the address prefix of the router advertisement.
    (8) Configure static IPv6 neighbor entries
    Interface Configuration Mode ...
  • Page 200 Interface Configuration Mode:
    ipv6 nd retrans-timer <seconds>: set the retrans-timer for sending router advertisements.
    (14) Set the flag representing whether information other than the address information will be obtained via DHCPv6
    Interface Configuration Mode:
    ipv6 nd other-config-flag: set the flag representing whether information other than the address information will be obtained via DHCPv6.
  • Page 201: IP Configuration Examples

    Tunnel Configuration Mode:
    tunnel destination {<ipv4-address> | <ipv6-address>} / no tunnel destination: configure the IPv4/IPv6 address of the tunnel destination end; the no command deletes the IPv4/IPv6 address of the tunnel destination end.
    (5) Configure Tunnel Next-Hop
    Tunnel Configuration Mode:
    tunnel nexthop <ipv4-address>...: configure the tunnel next-hop IPv4 address.
  • Page 202 address 192.168.2.1 255.255.255.0 in VLAN2. 3. Configure two VLANs on Switch2, namely VLAN2 and VLAN3. 4. Configure IPv4 address 192.168.2.2 255.255.255.0 in VLAN2 of Switch2, and configure IPv4 address 192.168.3.1 255.255.255.0 in VLAN3. 5. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0.
  • Page 203 Configuration Description: 1. Configure two VLANs on Switch1, namely, VLAN1 and VLAN2. 2. Configure IPv6 address 2001::1/64 in VLAN1 of Switch1, and configure IPv6 address 2002::1/64 in VLAN2. 3. Configure 2 VLANs on Switch2, namely, VLAN2 and VLAN3. 4. Configure IPv6 address 2002::2/64 in VLAN2 of Switch2, and configure IPv6 address 2003::1/64 in VLAN3.
  • Page 204 no login
    Switch2#show run
    interface Vlan2
    ipv6 address 2002::2/64
    interface Vlan3
    ipv6 address 2003::1/64
    interface Loopback
    mtu 3924
    ipv6 route 2001::/64 2002::1
    no login
    Example 2: Figure 22-3 IPv6 tunnel (figure; SwitchA, SwitchB, SwitchC, PC-A, PC-B). This case is an IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes, and dual-stack is supported.
  • Page 205: IP Configuration Examples

    3. Configure two VLANs on SwitchB, namely VLAN3 and VLAN4; VLAN4 is the IPv6 domain and VLAN3 connects to the IPv4 domain. 4. Configure IPv6 address 2002:cbcb:cb01:2::1/64 in VLAN4 of SwitchB and turn on the RA function; configure IPv4 address 203.203.203.1 on VLAN3. 5.
  • Page 206: IP Forwarding

    22.3 IP Forwarding 22.3.1 Introduction to IP Forwarding Gateway devices can forward IP packets from one subnet to another; such forwarding uses routes to find a path. IP forwarding on the switch is done with the participation of hardware and can achieve wire-speed forwarding.
  • Page 207: URPF Configuration Task Sequence

    Figure 22-4 URPF application situation (figure). In the figure, Router A sends requests to the server Router B using forged messages whose source address is 2.2.2.1/8. In response, Router B sends its replies to the real 2.2.2.1/8. Such illegal messages attack both Router B and Router C.
  • Page 208: URPF Troubleshooting

    In the network topology shown in the figure above, the IP URPF function is enabled on SW3. When someone in the network impersonates another host by using its IP address to launch a malicious attack, the switch drops all the attacking messages directly in hardware. Enable the URPF function on SW3.
  • Page 209 3. Clear dynamic ARP
    4. Clear the statistics of ARP messages
    1. Configure static ARP
    VLAN Interface Mode:
    arp <ip_address> <mac_address> {interface [ethernet] <portName>} / no arp <ip_address>...: configures a static ARP entry; the no command deletes an ARP entry of the ...
  • Page 210: ARP Troubleshooting

    22.5.3 ARP Troubleshooting If a ping from the switch to directly connected network devices fails, the following can be used to check the possible cause and find a solution:
    - Check whether the corresponding ARP entry has been learned by the switch.
    - ...
  • Page 211: Chapter 23 ARP Scanning Prevention Function Configuration

    Chapter 23 ARP Scanning Prevention Function Configuration 23.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts a large number of ARP messages in the segment, which consumes a large part of the network's bandwidth.
  • Page 212 anti-arpscan enable / no anti-arpscan enable: enable or disable the ARP Scanning Prevention function globally.
    2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
    Global configuration mode:
    anti-arpscan port-based threshold <threshold-value> / no anti-arpscan port-based ...: set the threshold of the port-based ARP Scanning Prevention.
  • Page 213: ARP Scanning Prevention Typical Examples

    anti-arpscan log enable / no anti-arpscan log enable: enable or disable the log function of ARP scanning prevention.
    anti-arpscan trap enable / no anti-arpscan trap enable: enable or disable the SNMP Trap function of ARP scanning prevention.
    show anti-arpscan [trust <ip | port | ...: display the operating state ...
  • Page 214: ARP Scanning Prevention Troubleshooting Help

    SwitchB configuration task sequence:
    SwitchB(config)#anti-arpscan enable
    SwitchB(config)#interface ethernet1/0/1
    SwitchB(Config-If-Ethernet1/0/1)#anti-arpscan trust port
    SwitchB(Config-If-Ethernet1/0/1)#exit
    23.4 ARP Scanning Prevention Troubleshooting Help
    - ARP scanning prevention is disabled by default. After enabling ARP scanning prevention, users can enable the debug switch, "debug anti-arpscan", to view debug information.
  • Page 215: Chapter 24 Prevent ARP, ND Spoofing Configuration

    Chapter 24 Prevent ARP, ND Spoofing Configuration 24.1 Overview 24.1.1 ARP (Address Resolution Protocol) Generally speaking, the ARP protocol (RFC 826) is mainly responsible for mapping an IP address to the corresponding 48-bit physical address, that is, the MAC address; for instance, IP address 192.168.0.1 maps to network card MAC address 00-30-4F-FD-1D-2B.
  • Page 216: Prevent ARP, ND Spoofing Configuration

    The essential method of preventing ARP-based attacks and spoofing against switches is to disable the switch's automatic ARP update function: the cheater then cannot modify a correct MAC address, so packets are not transferred wrongly and the cheater cannot obtain other information. At the same time, this does not interrupt the automatic learning function of ARP.
  • Page 217: Prevent ARP, ND Spoofing Example

    24.3 Prevent ARP, ND Spoofing Example (equipment table; columns Equipment, Explanation, Configuration)
    Switch: quality switch; IP 192.168.2.4 and 192.168.1.4, MAC 00-00-00-00-00-04
    IP 192.168.2.1, MAC 00-00-00-00-00-01
    IP 192.168.1.2, MAC 00-00-00-00-00-02
    IP 192.168.2.3, MAC 00-00-00-00-00-03
    some
    There is normal communication between B and C in the diagram above. A wants the switch to forward the packets sent by B to itself, so it needs the switch to send the packets transferred from B to A.
  • Page 218 If the environment changes, ARP refresh can be forbidden: once an ARP entry is learned, it will not be refreshed by a new ARP reply packet, which protects user data from sniffing.
    Switch#config
    Switch(config)#ip arp-security updateprotect
  • Page 219: Chapter 25 ARP GUARD Configuration

    Chapter 25 ARP GUARD Configuration 25.1 Introduction to ARP GUARD There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise a mapping between an IP address and a MAC address. This provides an opportunity for ARP cheating.
  • Page 220 Port configuration mode:
    arp-guard ip <addr> / no arp-guard ip <addr>: configure/delete an ARP GUARD address.
  • Page 221: Chapter 26 ARP Local Proxy Configuration

    Chapter 26 ARP Local Proxy Configuration 26.1 Introduction to ARP Local Proxy function In a real application environment, the switches in the aggregation layer are required to implement the local ARP proxy function to avoid ARP cheating. This function restricts the forwarding of ARP messages within the same VLAN and thus directs the Layer 3 forwarding of the data flow through the switch.
  • Page 222: ARP Local Proxy Function Configuration Task List

    26.2 ARP Local Proxy Function Configuration Task List 1. Enable/disable ARP local proxy function. Interface vlan mode: ip local proxy-arp / no ip local proxy-arp: enable or disable the ARP local proxy function. 26.3 Typical Examples of ARP Local Proxy Function As shown in the following figure, S1 is a medium/high-end Layer 3 switch supporting ARP local proxy, and S2 is a Layer 2 access switch supporting interface isolation.
  • Page 223: ARP Local Proxy Function Troubleshooting

    26.4 ARP Local Proxy Function Troubleshooting The ARP local proxy function is disabled by default. Users can view the current configuration with the display command. With a correct configuration, by enabling ARP debugging users can check whether the ARP proxy is working normally and sending proxy ARP messages. During operation, the system shows corresponding prompts if any operational error occurs.
  • Page 224: Chapter 27 Gratuitous ARP Configuration

    Chapter 27 Gratuitous ARP Configuration 27.1 Introduction to Gratuitous ARP Gratuitous ARP is a kind of ARP request sent by a host with its own IP address as the destination of the ARP request. The basic working mode on XGS3 switches is as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all interfaces globally.
  • Page 225: Gratuitous ARP Configuration Example

    27.3 Gratuitous ARP Configuration Example Figure 27-1 Gratuitous ARP Configuration Example (figure; the switch has interface vlan10 with 192.168.15.254 255.255.255.0 and interface vlan1 with 192.168.14.254 255.255.255.0). For the network topology shown in the figure above, interface VLAN10 in the switch has IP address 192.168.15.254 and network mask 255.255.255.0. Three PCs, PC3, PC4 and PC5, are connected to the interface.
  • Page 226: Chapter 28 Keepalive Gateway Configuration

    Chapter 28 Keepalive Gateway Configuration 28.1 Introduction to Keepalive Gateway When an Ethernet port is used for backup or load balancing, because it is a broadcast channel it may not detect the change of physical signal and so fails to go down when the gateway is down. Keepalive Gateway is introduced to detect connectivity to the upstream gateway in the case where an Ethernet port connects to an upstream gateway to form a point-to-point network topology.
  • Page 227: Keepalive Gateway Example

    show keepalive gateway [interface-name]: show the keepalive running status of the specified interface; if no interface is specified, show the keepalive running status of all interfaces.
    show ip interface [interface-name]: show the IPv4 running status of the specified interface; if no interface is specified, show the IPv4 running status of all interfaces.
  • Page 228: Keepalive Gateway Troubleshooting

    Send an ARP probe once every 3 seconds to detect whether gateway A is reachable; after 3 probes fail, gateway A is considered unreachable. 28.4 Keepalive Gateway Troubleshooting If any problem occurs when using the keepalive gateway function, check whether the problem is caused by one of the following reasons:
    - ...
  • Page 229: Chapter 29 DHCP Configuration

    Chapter 29 DHCP Configuration 29.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that dynamically assigns IP addresses from an address pool, as well as other network configuration parameters such as the default gateway, DNS server, default route and host image file location within the network.
  • Page 230: DHCP Server Configuration

    allocation and manual IP address binding are: 1) An IP address obtained dynamically can be different every time, while a manually bound IP address is always the same. 2) The lease period of a dynamically obtained IP address is the same as the lease period of the address pool and is limited; the lease of a manually bound IP address is theoretically endless.
  • Page 231 dns-server [<address1>[<address2>[…<address8>]]] / no dns-server: configure DNS servers for DHCP clients; the no command deletes the server configuration.
    domain-name <domain> / no domain-name: configure the domain name for DHCP clients; the "no domain-name" command deletes the domain name.
    netbios-name-server [<address1>[<address2>[…<address8>]]]: configure the address of the WINS server; the no operation cancels the server address.
  • Page 232: DHCP Relay Configuration

    host <address> [<mask> | <prefix-length>] / no host: specify/delete the IP address to be assigned to the specified client when binding an address manually.
    client-identifier <unique-identifier> / no client-identifier: specify/delete the unique ID of the client when binding an address manually.
    client-name <name> / no client-name: configure/delete a client name when binding an address manually.
  • Page 233: DHCP Configuration Examples

    On receiving the DHCPREQUEST, the DHCP server responds with a DHCPACK packet via the DHCP relay to the DHCP client. DHCP Relay Configuration Task List: 1. Enable DHCP relay. 2. Configure DHCP relay to forward DHCP broadcast packets. 1. Enable DHCP relay. Global Mode ...
  • Page 234 Switch(config)#service dhcp
    Switch(config)#interface vlan 1
    Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0
    Switch(Config-Vlan-1)#exit
    Switch(config)#ip dhcp pool A
    Switch(dhcp-A-config)#network 10.16.1.0 24
    Switch(dhcp-A-config)#lease 3
    Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201
    Switch(dhcp-A-config)#dns-server 10.16.1.202
    Switch(dhcp-A-config)#netbios-name-server 10.16.1.209
    Switch(dhcp-A-config)#netbios-node-type H-node
    Switch(dhcp-A-config)#exit
    Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
    Switch(config)#ip dhcp pool B
    Switch(dhcp-B-config)#network 10.16.2.0 24
    Switch(dhcp-B-config)#lease 1
    Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201
    Switch(dhcp-B-config)#dns-server 10.16.2.202...
  • Page 235: DHCP Troubleshooting

    Figure 29-3 DHCP Relay Configuration (figure; ports E1/1 and E1/2, a DHCP Relay with addresses 192.168.1.1 and 10.1.1.1, DHCP Clients, and the DHCP Server 10.1.1.10). As shown in the figure, the route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.10 and the TFTP server address is 10.1.1.20; the configuration steps are as follows:
    Switch(config)#service dhcp
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0...
  • Page 236 servers are not in the same physical network, verify that the router responsible for DHCP packet forwarding has the DHCP relay function. If DHCP relay is not available on the intermediate router, it is recommended to replace the router or upgrade its software to a version that has the DHCP relay function.
    - ...
  • Page 237: Chapter 30 Dhcpv6 Configuration

    Chapter 30 DHCPv6 Configuration 30.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It assigns IPv6 addresses as well as other network configuration parameters, such as DNS server addresses and the domain name, to DHCPv6 clients; DHCPv6 is the stateful address autoconfiguration protocol of IPv6, used alongside stateless autoconfiguration.
  • Page 238: Dhcpv6 Server Configuration

    The selected DHCPv6 server then confirms to the client the IPv6 address and any other configuration with the REPLY message. These four steps complete a dynamic host configuration assignment. However, if the DHCPv6 server and the DHCPv6 client are not on the same link, the server will not receive the client's link-local multicast packets (DHCPv6 uses the multicast address ff02::1:2; there is no broadcast in IPv6), and therefore the server will send no DHCPv6 packets to the client unless a relay agent forwards the exchange.
  • Page 239: Dhcpv6 Relay Delegation Configuration

    (2) To configure the parameters of a DHCPv6 address pool
    Command / Explanation (DHCPv6 address pool Configuration Mode)
    network-address <ipv6-pool-start-address> {<ipv6-pool-end-address> | <prefix-length>} [eui-64] / no network-address
        Configure the range of assignable IPv6 addresses of the address pool.
    dns-server <ipv6-address> / no dns-server <ipv6-address>
        Configure the DNS server address for ...
  • Page 240: Prefix Delegation Server Configuration

    Command / Explanation (Interface Configuration Mode)
    ipv6 dhcp relay destination {[<ipv6-address>] [interface {<interface-name> | vlan <1-4096>}]}
    no ipv6 dhcp relay destination {[<ipv6-address>] [interface {<interface-name> ...
        Specify the destination address to which the DHCPv6 relay transmits; the no form of this command deletes the configuration.
  • Page 241
    ipv6 dhcp pool <poolname> / no ipv6 dhcp pool <poolname>
        Configure a DHCPv6 address pool.
    (2) To configure the prefix delegation pool used by a DHCPv6 address pool
    Command / Explanation (DHCPv6 address pool Configuration Mode)
    prefix-delegation pool <poolname> [lifetime {<valid-time> ...
        Specify the prefix delegation pool used by ...
  • Page 242: Prefix Delegation Client Configuration

    30.5 DHCPv6 Prefix Delegation Client Configuration
    DHCPv6 prefix delegation client configuration task list:
    1. Enable/disable the DHCPv6 service
    2. Enable the DHCPv6 prefix delegation client function on a port
    1. Enable/disable the DHCPv6 service
    Command / Explanation (Global Mode)
    service dhcpv6 / no service dhcpv6
        Enable the DHCPv6 service.
    2. ...
  • Page 243
    Usage guide: Switch3 configuration:
    Switch3>enable
    Switch3#config
    Switch3(config)#service dhcpv6
    Switch3(config)#ipv6 dhcp pool EastDormPool
    Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
    Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
    Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
    Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
    Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.com
    Switch3(dhcpv6-EastDormPool-config)#lifetime 1000 600
    Switch3(dhcpv6-EastDormPool-config)#exit
    Switch3(config)#interface vlan 1
    Switch3(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::1/64
    Switch3(Config-if-Vlan1)#exit
    Switch3(config)#interface vlan 10
    Switch3(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::1/64
    Switch3(Config-if-Vlan10)#ipv6 dhcp server EastDormPool preference 80
    Switch3(Config-if-Vlan10)#exit
    Switch3(config)#...
  • Page 244
    Switch2(config)#interface vlan 1
    Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
    Switch2(Config-if-Vlan1)#exit
    Switch2(config)#interface vlan 10
    Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
    Switch2(Config-if-Vlan10)#exit
    Switch2(config)#interface vlan 100
    Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
    Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
    Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
    Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
    Switch2(Config-if-Vlan100)#ipv6 dhcp relay destination 2001:da8:10:1::1
    Switch2(Config-if-Vlan100)#exit
    Switch2(config)#
    Example 2: When deploying IPv6 networks, the network operator can achieve automatic network configuration through prefix delegation of IPv6 addresses instead of configuring each switch manually. Configure the switching or routing device connected to the client switch as DHCPv6 prefix delegation server, that is, set up a local database of the relationship between the allocated ...
  • Page 245
    Usage guide: Switch2 configuration
    Switch2>enable
    Switch2#config
    Switch2(config)#interface vlan 2
    Switch2(Config-if-Vlan2)#ipv6 address 2001:da8:1100::1/64
    Switch2(Config-if-Vlan2)#exit
    Switch2(config)#service dhcpv6
    Switch2(config)#ipv6 local pool client-prefix-pool 2001:da8:1800::/40 48
    Switch2(config)#ipv6 dhcp pool dhcp-pool
    Switch2(dhcpv6-dhcp-pool-config)#prefix-delegation pool client-prefix-pool 1800 600
    Switch2(dhcpv6-dhcp-pool-config)#exit
    Switch2(config)#interface vlan 2
    Switch2(Config-if-Vlan2)#ipv6 dhcp server dhcp-pool
    Switch2(Config-if-Vlan2)#exit
    Switch1 configuration
    Switch1>enable
    Switch1#config
    Switch1(config)#service dhcpv6...
  • Page 246: Dhcpv6 Troubleshooting

    Switch1(Config-if-Vlan3)#ipv6 dhcp server foo
    Switch1(Config-if-Vlan3)#ipv6 nd other-config-flag
    Switch1(Config-if-Vlan3)#no ipv6 nd suppress-ra
    Switch1(Config-if-Vlan3)#exit
    30.7 DHCPv6 Troubleshooting If DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, follow the procedures below once the DHCPv6 client hardware and cables have been verified OK: ...
  • Page 247: Chapter 31 Dhcp Option 82 Configuration

    Chapter 31 DHCP option 82 Configuration 31.1 Introduction to DHCP option 82 DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving IP address assignment policy. The relay agent adds option 82 (including the client's physical access port, the access device ID and other information) to the DHCP request message from the client and then forwards the message to the DHCP server. Because the server uses this information to locate the client, it is only as trustworthy as the relay that inserted it: a relay must replace, not pass through, any option 82 that a client supplies itself.
  • Page 248: Option 82 Working Mechanism

    31.1.2 option 82 Working Mechanism
    DHCP option 82 flow chart (DHCP Client to DHCP Relay Agent to DHCP Server: the relay appends option 82 to the DHCP Request it forwards, and the server's DHCP Reply carries option 82 back through the relay to the client)
    If the DHCP relay agent supports option 82, the DHCP client still goes through the usual four steps to get its IP address from the DHCP server: discover, offer, request (select) and acknowledge.
  • Page 249
    1. Enabling DHCP option 82 on the relay agent
    Command / Explanation (Global mode)
    ip dhcp relay information option / no ip dhcp relay information option
        Enable the option 82 function of the switch relay agent; the no form disables it.
  • Page 250
    ip dhcp relay information option remote-id {standard | <remote-id>} / no ip dhcp relay information option remote-id
        Set the content of sub-option 2 (remote ID) of the option 82 added to DHCP request packets received by the interface; the no form sets the remote-id format back to standard.
  • Page 251: Dhcp Option 82 Application Examples

    ip dhcp relay information option self-defined remote-id format [ascii | hex]
        Set the self-defined format of the remote-id for relay option 82.
    ip dhcp relay information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname) | remote-mac) | string WORD}
        Set the creation method for option 82; users can define the parameters of the circuit-id sub-option themselves ...
  • Page 252 In the example above, the Layer 2 switches Switch1 and Switch2 are both connected to the Layer 3 switch Switch3. Switch3, acting as DHCP relay agent, forwards the request message from the DHCP client to the DHCP server and forwards the reply message from the server back to the DHCP client, completing the DHCP exchange. If DHCP option 82 is disabled, the DHCP server cannot tell whether a DHCP client is on the network behind Switch1 or the one behind Switch2.
  • Page 253: Dhcp Option 82 Troubleshooting

    max-lease-time 86400;   # 24 hours
    allow members of "Switch3Vlan2Class2";
    Now the DHCP server allocates addresses to the network nodes behind Switch1, relayed by Switch3, from the range 192.168.102.21 ~ 192.168.102.50, and to the network nodes behind Switch2 from the range 192.168.102.51 ~ 192.168.102.80.
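The exchange described in 31.1 and 31.1.2, and the per-switch pool selection of the dhcpd class example above, as an added Python example (not code from the PLANET manual). It shows the relay side (build option 82 sub-options 1 and 2, discard any option 82 a client supplied itself) and the server side (read option 82, pick an address from the matching range). Assumed rather than taken from the page: the circuit-id byte layout (VLAN and port as two 16-bit fields), the remote-id value (the relay's MAC) and the MAC 00:03:0f:00:00:01 for Switch3; a real switch uses its own vendor layout.

```python
"""Added example: DHCP option 82 inserted by a relay and consumed by a server.
The sub-option layouts and all addresses/MACs are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82      # Relay Agent Information Option
SUB_CIRCUIT_ID = 1        # sub-option 1: access circuit (here VLAN + port)
SUB_REMOTE_ID = 2         # sub-option 2: relay identity (here its MAC)
OPT_END = 255
DHCPDISCOVER = 1


def encode_tlv(items: List[Tuple[int, bytes]], terminate: bool = True) -> bytes:
    """Serialise code/length/value triples. DHCP options end with 255;
    option 82 sub-options share the layout but carry no end marker."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    if terminate:
        out.append(OPT_END)
    return bytes(out)


def parse_tlv(buf: bytes, stop_at_end: bool = True) -> Dict[int, bytes]:
    """Parse code/length/value triples, refusing to read past a truncated
    option instead of silently returning a short value."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == 0:      # PAD
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def relay_insert_option82(client_opts: bytes, vlan: int, port: int, relay_mac: bytes) -> bytes:
    """Relay agent: drop any option 82 the client itself supplied (a client
    must never choose its own circuit), then append the relay's sub-options."""
    opts = parse_tlv(client_opts)
    opts.pop(OPT_RELAY_AGENT, None)
    circuit_id = vlan.to_bytes(2, "big") + port.to_bytes(2, "big")   # assumed layout
    sub = encode_tlv([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, relay_mac)], terminate=False)
    return encode_tlv(list(opts.items()) + [(OPT_RELAY_AGENT, sub)])


# Constructed server policy with the same shape as the dhcpd classes on the page:
# (remote-id, VLAN, port) -> inclusive address range. Switch3's MAC is made up.
SWITCH3_MAC = bytes.fromhex("00030f000001")
POOL_POLICY: Dict[Tuple[bytes, int, int], Tuple[str, str]] = {
    (SWITCH3_MAC, 2, 1): ("192.168.102.21", "192.168.102.50"),   # clients behind Switch1
    (SWITCH3_MAC, 2, 2): ("192.168.102.51", "192.168.102.80"),   # clients behind Switch2
}


def server_pick_address(opts_buf: bytes, leased: Set[str], policy=POOL_POLICY) -> Optional[str]:
    """Server: read option 82, map it to a range and hand out the first free
    address. None means no usable option 82 or an exhausted range."""
    agent = parse_tlv(opts_buf).get(OPT_RELAY_AGENT)
    if agent is None:
        return None
    sub = parse_tlv(agent, stop_at_end=False)
    cid, rid = sub.get(SUB_CIRCUIT_ID), sub.get(SUB_REMOTE_ID)
    if cid is None or len(cid) != 4 or rid is None:
        return None
    vlan, port = int.from_bytes(cid[:2], "big"), int.from_bytes(cid[2:], "big")
    rng = policy.get((rid, vlan, port))
    if rng is None:
        return None
    first, last = (int(ipaddress.IPv4Address(a)) for a in rng)
    for n in range(first, last + 1):
        addr = str(ipaddress.IPv4Address(n))
        if addr not in leased:
            leased.add(addr)
            return addr
    return None


def demo() -> List[Optional[str]]:
    """Constructed exchange: two clients behind Switch1 (port 1), one behind
    Switch2 (port 2), one client that forged option 82 claiming port 2, and
    one request that never passed through the relay."""
    leased: Set[str] = set()
    discover = encode_tlv([(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    forged_sub = encode_tlv([(SUB_CIRCUIT_ID, b"\x00\x02\x00\x02")], terminate=False)
    forged = encode_tlv([(OPT_MSG_TYPE, bytes([DHCPDISCOVER])), (OPT_RELAY_AGENT, forged_sub)])
    results = []
    for client_opts, port in ((discover, 1), (discover, 1), (discover, 2), (forged, 1)):
        relayed = relay_insert_option82(client_opts, vlan=2, port=port, relay_mac=SWITCH3_MAC)
        results.append(server_pick_address(relayed, leased))
    results.append(server_pick_address(discover, leased))   # no relay, no option 82
    return results
```

demo() yields one address from the Switch1 range for each of the first two clients, one from the Switch2 range for the third, another Switch1 address for the forging client (the relay overwrote its claim), and None for the request with no option 82.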
  • Page 254: Chapter 32 Dhcpv6 Option37, 38

    Chapter 32 DHCPv6 option37, 38 32.1 Introduction to DHCPv6 option37, 38 DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 addressing scheme and is used to assign IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client on a different link wants to request an address and configuration parameters from a DHCPv6 server, it has to communicate with the server through a DHCPv6 relay agent.
  • Page 255: Dhcpv

    ipv6 dhcp snooping remote-id option / no ipv6 dhcp snooping remote-id option
        Enable DHCPv6 snooping support for option 37 (remote-id); the no form disables it.
    ipv6 dhcp snooping subscriber-id option / no ipv6 dhcp snooping subscriber-id option
        Enable DHCPv6 snooping support for option 38 (subscriber-id); the no form disables it.
  • Page 256
    ipv6 dhcp snooping subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |) / no ipv6 dhcp snooping subscriber-id select delimiter
        Configure which fields are combined to generate the subscriber-id; the no form restores the default, i.e. the enterprise number together with the VLAN and MAC.
  • Page 257
    ipv6 dhcp relay remote-id delimiter WORD / no ipv6 dhcp relay remote-id delimiter
        Configure how the remote-id is generated; the no form restores the default, i.e. the enterprise number together with the VLAN and MAC.
    ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter ...
        Configure which fields are combined to generate the subscriber-id.
  • Page 258
    ipv6 dhcp use class / no ipv6 dhcp use class
        Enable the DHCPv6 server to use DHCPv6 classes during address assignment; the no form disables this without removing the DHCPv6 class information already configured.
  • Page 259: Dhcp Voption 37, 38 Examples

    32.3 DHCPv6 option37, 38 Examples 32.3.1 DHCPv6 Snooping option37, 38 Example Figure 32-1 DHCPv6 Snooping option schematic As shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users connected to the untrusted interfaces 1/2, 1/3 and 1/4 respectively; they obtain the addresses 2010::2, 2010::3 and 2010::4 through the DHCPv6 client. The DHCPv6 server is connected to the trusted interface 1/1.
  • Page 260: Dhcpv

    SwitchB(config)#service dhcpv6
    SwitchB(config)#ipv6 dhcp server remote-id option
    SwitchB(config)#ipv6 dhcp server subscriber-id option
    SwitchB(config)#ipv6 dhcp pool EastDormPool
    SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
    SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
    SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.com
    SwitchB(dhcpv6-eastdormpool-config)#excluded-address 2001:da8:100:1::2
    SwitchB(dhcpv6-eastdormpool-config)#exit
    SwitchB(config)#
    SwitchB(config)#ipv6 dhcp class CLASS1
    SwitchB(dhcpv6-class-class1-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/1
    SwitchB(dhcpv6-class-class1-config)#exit
    SwitchB(config)#ipv6 dhcp class CLASS2
    SwitchB(dhcpv6-class-class2-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/2
    SwitchB(dhcpv6-class-class2-config)#exit
    SwitchB(config)#ipv6 dhcp class CLASS3...
  • Page 261: Dhcp Voption 37, 38 Troubleshooting

    Network topology: in the access layer, the Layer 2 access device Switch1 connects the users in the dormitory; in the first-level aggregation layer, the aggregation device Switch2 is used as DHCPv6 relay agent; in the second-level aggregation layer, the aggregation device Switch3 is used as DHCPv6 server and connects to the backbone network or to devices in a higher aggregation layer; ...
  • Page 262 ... executes the add, discard or forward operation. Therefore, check the option 37/38 policy configuration of the snooping device (the second device) when a wrong address, or no address at all, is obtained based on option 37/38.
    • The DHCPv6 server reads option 37/38 from the client's packet by default; if they are absent there, it reads option 37/38 from the packet sent by the relay.
  • Page 263: Chapter 33 Dhcp Snooping Configuration

    Chapter 33 DHCP Snooping Configuration 33.1 Introduction to DHCP Snooping DHCP snooping means that the switch monitors the process by which a DHCP client obtains an IP address via DHCP. It prevents DHCP attacks and rogue DHCP servers by dividing ports into trusted and untrusted ports: server-side DHCP messages (DHCPOFFER, DHCPACK, DHCPNAK) are only accepted on trusted ports, while DHCP messages arriving on trusted ports are forwarded without being verified.
  • Page 264: Dhcp Snooping Configuration Task Sequence

    33.2 DHCP Snooping Configuration Task Sequence
    1. Enable DHCP Snooping
    2. Enable the DHCP Snooping binding function
    3. Enable the DHCP Snooping binding ARP function
    4. Enable the DHCP Snooping option 82 function
    5. Set the private packet version
    6. Set the DES key used to encrypt private packets (DES is a 56-bit cipher and provides little confidentiality today; treat this key as a shared secret between switch and server rather than as strong encryption)
    7. ...
  • Page 265
    Global mode
    ip dhcp snooping information enable / no ip dhcp snooping information enable
        Enable/disable the DHCP Snooping option 82 function.
    5. Set the private packet version
    Command / Explanation (Global mode)
    ip user private packet version two / no ip user private packet version two
        Configure/delete the private packet version.
    6. ...
  • Page 266
    Command / Explanation (Port mode)
    ip dhcp snooping binding user-control / no ip dhcp snooping binding user-control
        Enable or disable the DHCP snooping binding user function.
    11. Add static binding information
    Command / Explanation (Global mode)
    ip dhcp snooping binding user <mac> address <ipAddr> <mask> vlan <vid> ...
  • Page 267
    Command / Explanation (Global mode)
    ip dhcp snooping information option subscriber-id format {hex | ascii | vs-hp}
        Set the subscriber-id format of DHCP snooping option 82.
    ip dhcp snooping information option remote-id {standard | <remote-id>} ...
        Set the content of sub-option 2 (remote ID) of the option 82 added to DHCP request packets (they ...
  • Page 268: Dhcp Snooping Typical Application

    ... option subscriber-id {standard | <circuit-id>} / no ip dhcp snooping information option subscriber-id
        Set the content of sub-option 1 (circuit ID) of the option 82 added to DHCP request packets received by the port; the no command sets the circuit-id format back to standard.
    33.3 DHCP Snooping Typical Application
    Figure 33-1 Sketch Map of TRUNK
    As shown in the figure above, the Mac-AA device is a normal user connected to the untrusted port 1/1 of the ...
  • Page 269: Dhcp Snooping Troubleshooting Help

    33.4 DHCP Snooping Troubleshooting Help 33.4.1 Monitor and Debug Information The "debug ip dhcp snooping" command can be used to monitor the debug information. 33.4.2 DHCP Snooping Troubleshooting Help If a problem occurs when using the DHCP Snooping function, check whether it is caused by one of the following reasons: ...
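The decisions behind 33.1 and the 33.3 topology (trusted versus untrusted ports, the binding table built from DHCPACKs, the binding-ARP check of task 3 in 33.2 and the static bindings of task 11), as an added Python model that is not the switch's code. Port names, MACs, addresses and the choice of 1/12 as the server-facing trusted port are constructed for the example; the page only fixes Mac-AA on untrusted port 1/1.

```python
"""Added example: a minimal DHCP snooping filter and binding table.
All ports, MACs and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# DHCP message types (option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_ONLY = {OFFER, ACK, NAK}      # only a server ever sends these


@dataclass(frozen=True)
class DhcpMsg:
    port: str            # ingress port, e.g. "1/1"
    vlan: int
    src_mac: str         # Ethernet source address
    chaddr: str          # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: str = "0.0.0.0"   # address offered/acknowledged
    ciaddr: str = "0.0.0.0"   # client's own address (RELEASE/DECLINE)
    lease: int = 0


@dataclass
class Binding:
    ip: str
    vlan: int
    port: str
    lease: int           # 0 = static entry, never ages out


class DhcpSnooper:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}            # client MAC -> binding
        self.pending: Dict[str, Tuple[str, int]] = {}     # MAC -> (port, vlan) of last request

    def add_static_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Counterpart of 'ip dhcp snooping binding user <mac> address <ip> ... vlan <vid>'."""
        self.bindings[mac] = Binding(ip, vlan, port, lease=0)

    def filter(self, m: DhcpMsg) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) and update the binding table."""
        if m.port in self.trusted:
            # Trusted port: forwarded unverified, but an ACK for a client we saw
            # asking on an untrusted port creates that client's binding.
            if m.msg_type == ACK and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = Binding(m.yiaddr, vlan, port, m.lease)
            return "forward", "trusted port, not verified"
        # Everything below arrives on an untrusted (client-facing) port.
        if m.msg_type in SERVER_ONLY:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if m.src_mac != m.chaddr:
            return "drop", "chaddr differs from source MAC (spoofed client)"
        if m.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(m.chaddr)
            if b is None or b.ip != m.ciaddr or b.port != m.port:
                return "drop", "release/decline for an address not bound to this port"
            if m.msg_type == RELEASE:
                del self.bindings[m.chaddr]
            return "forward", "release matches binding"
        self.pending[m.chaddr] = (m.port, m.vlan)
        return "forward", "client message"

    def arp_allowed(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Binding-ARP check: an ARP from an untrusted port must match the
        (MAC, IP, VLAN, port) tuple learnt from DHCP or configured statically."""
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac)
        return b is not None and (b.ip, b.vlan, b.port) == (sender_ip, vlan, port)


def demo() -> Dict[str, object]:
    """Constructed traffic: Mac-AA on untrusted 1/1, the real server on trusted
    1/12, a rogue server answering on untrusted 1/2."""
    s = DhcpSnooper(trusted_ports={"1/12"})
    aa, rogue, server = "00:aa:aa:aa:aa:aa", "00:bb:bb:bb:bb:bb", "00:0c:0c:0c:0c:0c"
    out: Dict[str, object] = {}
    out["discover"] = s.filter(DhcpMsg("1/1", 1, aa, aa, DISCOVER))[0]
    out["rogue_offer"] = s.filter(DhcpMsg("1/2", 1, rogue, aa, OFFER, yiaddr="192.168.1.66"))[0]
    out["real_ack"] = s.filter(DhcpMsg("1/12", 1, server, aa, ACK, yiaddr="192.168.1.10", lease=3600))[0]
    out["binding_port"] = s.bindings[aa].port
    out["arp_ok"] = s.arp_allowed("1/1", 1, aa, "192.168.1.10")
    out["arp_spoof"] = s.arp_allowed("1/1", 1, aa, "192.168.1.1")      # claims the gateway's IP
    out["foreign_release"] = s.filter(DhcpMsg("1/2", 1, aa, aa, RELEASE, ciaddr="192.168.1.10"))[0]
    out["own_release"] = s.filter(DhcpMsg("1/1", 1, aa, aa, RELEASE, ciaddr="192.168.1.10"))[0]
    return out
```

The rogue server's OFFER is dropped purely because of the port it arrived on, the binding records the client's own port (learnt from its DISCOVER) rather than the port the ACK came in on, and a RELEASE for that address from any other port is refused.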
  • Page 270: Monitor And Debug Information

    33.5 DHCPv6 Snooping Typical Application
    Figure 4-1 Sketch Map of preventing lawless DHCPv6 Server (DHCPv6 Server on interface E1/1; MAC-AA on E1/2 and MAC-BB on E1/3; the remaining device MAC-CC, a rogue "virtual" DHCPv6 server, on E1/4)
    As shown in the figure above, the MAC-AA and MAC-BB devices are normal users connected to the untrusted ports 1/2 and 1/3 of the switch, and they obtain the addresses 2010::3 and 2010::4 through the DHCPv6 client; ...
  • Page 271: Dhcpv6 Snooping Troubleshooting Help

    The "debug ipv6 dhcp snooping" command can be used to monitor the debug information. 33.6.2 DHCPv6 Snooping Troubleshooting Help If a problem occurs when using the DHCPv6 Snooping function, check whether it is caused by one of the following reasons: ...
  • Page 272: Chapter 34 Routing Protocol Overview

    Chapter 34 Routing Protocol Overview To communicate with a remote host over the Internet, a host must choose a proper route through a set of routers or Layer 3 switches. Both routers and Layer 3 switches calculate routes on the CPU; the difference is that a Layer 3 switch installs the calculated route into the switching chip and forwards in hardware at wire speed, whereas a router keeps the calculated route in its route table or route cache and forwards packets on the CPU.
  • Page 273: Ip Routing Policy

    • Destination address: identifies the destination address or destination network of an IP packet.
    • Network mask: used together with the destination address to identify the destination host or the network in which the Layer 3 switch resides. A network mask consists of a run of consecutive binary 1s followed by 0s and is usually written in dotted decimal, for example 255.255.255.0. When "AND" ...
  • Page 274 To apply a routing policy, first define the characteristics of the routing messages the policy applies to, that is, define a group of matching rules. The rules can be written against different properties of the routing messages, such as the destination address or the address of the router advertising the route. The matching rules are configured in advance and then applied in the route advertising, receiving and redistribution policies.
  • Page 275: Ip Routing Policy Configuration Task List

    ... autonomous system path field. For the relevant as-path configuration, refer to the ip as-path command in the BGP configuration. 5. community-list Community-list is only for BGP. BGP routing messages carry a community attribute field that identifies a community; the community list specifies the matching conditions for that field. For the relevant configuration, refer to the ip community-list command in the BGP configuration. 34.2.2 IP Routing Policy Configuration Task List 1. ...
  • Page 276
    match community <community-list-name | community-list-num> [exact-match] / no match community [<community-list-name | community-list-num> [exact-match]]
        Match a community attribute access list; the no command deletes the match condition.
    match interface <interface-name> ...
        Match by interface; the no match interface ...
  • Page 277
    set aggregator as <as-number> <ip_addr> / no set aggregator as [<as-number> <ip_addr>]
        Assign an AS number for the BGP aggregator; the no command deletes the configuration.
    set as-path prepend <as-num> / no set as-path prepend [<as-num>]
        Prepend the specified AS number to the as-path of BGP routing messages ...
  • Page 278: Configuration Examples

    set tag <tag_val> / no set tag [<tag_val>]
        Set the OSPF routing tag value; the no command deletes the configuration.
    set vpnv4 next-hop <ip_addr> / no set vpnv4 next-hop [<ip_addr>]
        Set the BGP VPNv4 next-hop address; the no command deletes the configuration.
    set weight <...
  • Page 279: Troubleshooting

    Figure 34-1 Policy routing Configuration (SwitchA, SwitchB, SwitchC and SwitchD interconnected over VLAN1, VLAN2 and VLAN3; links addressed from 192.68.5.0, 192.68.6.0, 192.68.10.0, 192.68.11.0, 172.16.1.0 and 172.16.20.0)
    Configuration procedure (only SwitchA is listed; the configurations of the other switches are omitted.)
    The configuration of Layer 3 SwitchA:
    SwitchA#config
    SwitchA(config)#router bgp 1...
  • Page 280: Chapter 35 Static Route

    Chapter 35 Static Route 35.1 Introduction to Static Route As mentioned earlier, a static route is a manually specified path to a network or host. Static routes are simple and predictable; because they are not learned from a routing protocol, they cannot be altered by a forged or mistaken routing update, and they are convenient for load balancing and route backup.
  • Page 281: Static Route Configuration Examples

    2. VRF configuration
    Command / Explanation (Global mode)
    ip route vrf <name> {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | <gateway-interface>} [<distance>]
    no ip route vrf <name> {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} [<gateway-address> | <gateway-interface>] [<distance>]
        Configure a static route in the VRF; the no command deletes the static route.
    35.4 Static Route Configuration Examples The figure shown below is a simple network consisting of three Layer 3 switches; the network mask of all switches and PCs is 255.255.255.0.
  • Page 282
    Switch(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1      (the next hop is the partner's IP address)
    Switch(config)#ip route 10.1.4.0 255.255.255.0 10.1.3.1
    Configuration of Layer 3 SwitchB
    Switch#config
    Switch(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.2
    In this way, ping connectivity can be established between PC-A and PC-C, and between PC-B and PC-C.
  • Page 283: Chapter 36 Rip

    Chapter 36 RIP 36.1 Introduction to RIP RIP was first introduced in ARPANET; it is a protocol intended for small, simple networks. RIP is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
  • Page 284: Rip Configuration Task List

    (simple plaintext password and MD5 password authentication are supported; a plaintext password is visible to anyone on the segment and only guards against accidental peering, so use MD5 keyed authentication wherever RIP updates must be trusted), and variable length subnet masks are supported. RIP-II uses some of the zero fields of RIP-I and no longer requires zero-field verification. The switch sends RIP-II packets as multicast by default; both RIP-I and RIP-II packets are accepted. Each Layer 3 switch running RIP has a route database containing all route entries for reachable destinations, and the route table is built from this database.
  • Page 285
    4) Configure and apply route filters
    5) Configure split horizon
    (3) Configure other RIP protocol parameters
    1) Configure the administrative distance of RIP routes
    2) Configure the RIP route capacity limit in the route table
    3) Configure the RIP update, timeout, holddown and other timers
    4) Configure the receive buffer size of the RIP UDP socket
    3. ...
  • Page 286
    Command / Explanation (Router Configuration Mode)
    neighbor <A.B.C.D> / no neighbor <A.B.C.D>
        Specify the IP address of a neighbor router that needs unicast (point-to-point) transmission; the no neighbor command cancels the specified router.
    passive-interface <ifname|vlan> ...
        Block RIP broadcasts on the specified port; RIP packets are then only exchanged with ...
  • Page 287
    ip rip authentication key-chain <name-of-chain> / no ip rip authentication key-chain [<name-of-chain>]
        Set the key chain used for authentication; the no form means the key chain is not used.
    ip rip authentication cisco-compatible / no ip rip authentication cisco-compatible
        After MD5 authentication has been configured, allow RIP packets from Cisco devices to be received; the no command restores the default ...
  • Page 288
    distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in | out} [<ifname>]
    no distribute-list {<access-list-number | access-list-name> | prefix <prefix-list-name>} {in | out} [<ifname>]
        Configure and apply an access list or prefix list to filter routes; the no form stops using the access list or prefix list.
  • Page 289
    version {1 | 2} / no version
        Configure the version of all RIP packets transmitted/received by the Layer 3 switch ports; the no version command restores the default configuration, version 2.
    (2) Configure the RIP version to send/receive on all ports.
    (3) Configure whether to enable RIP packet sending/receiving on ports
    Command / Explanation ...
  • Page 290
    Command / Explanation (Interface Configuration Mode)
    ip rip aggregate-address A.B.C.D/M / no ip rip aggregate-address A.B.C.D/M
        Configure or delete an IPv4 aggregate route on the interface.
    (3) Display IPv4 aggregate route information
    Command / Explanation (Admin Mode and Configuration Mode)
    show ip rip aggregate
        Display aggregate route information.
  • Page 291: Rip Examples

    exit-address-family: this command exits the address family mode.
    36.3 RIP Examples 36.3.1 Typical RIP Examples
    Figure 36-1 RIP example (SwitchA vlan1 10.1.1.1/24 to SwitchB vlan1 10.1.1.2/24; SwitchA vlan2 20.1.1.1/24 to SwitchC vlan1 20.1.1.2/24)
    In the figure shown above, a network consists of three Layer 3 switches, in which SwitchA is connected with SwitchB and SwitchC, and RIP is running on all three switches.
  • Page 292: Typical Examples Of Rip Aggregation Function

    Configure interface vlan 2 not to transmit RIP messages to SwitchC
    SwitchA(config)#router rip
    SwitchA(config-router)#passive-interface vlan 2
    SwitchA(config-router)#exit
    SwitchA(config)#
    Layer 3 SwitchB
    Configure the IP address of interface vlan 1
    SwitchB#config
    SwitchB(config)#interface vlan 1
    SwitchB(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
    SwitchB(Config-if-Vlan1)#exit
    Initiate the RIP protocol and configure the RIP segments
    SwitchB(config)#router rip...
  • Page 293: Rip Troubleshooting

    Figure 36-2 Typical application of RIP aggregation (S1 vlan1 192.168.10.1; S2 vlan1 192.168.10.2, advertising the aggregate 192.168.20.0/22 in place of 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24)
    In the network topology above, S2 is connected to S1 through interface vlan1, and there are four further subnets behind S2: 192.168.21.0/24, 192.168.22.0/24, 192.168.23.0/24 and 192.168.24.0/24. S2 supports route aggregation: after the aggregate route 192.168.20.0/22 is configured on interface vlan1 of S2, the routing messages S2 sends to S1 through vlan1 carry the single aggregate 192.168.20.0/22 instead of the individual subnets, and the component subnets are not sent to the neighbor. Check the arithmetic before suppressing the components: 192.168.20.0/22 spans 192.168.20.0 to 192.168.23.255, so 192.168.24.0/24 is not covered by this aggregate and must still be advertised on its own (or the aggregate widened), otherwise S1 loses the route to it.
  • Page 294 ... sending route update messages to all neighboring Layer 3 switches every 30 seconds. A Layer 3 switch is considered unreachable if no route update message from it is received within 180 seconds; the route to it then remains in the route table for a further 120 seconds before it is deleted. Therefore, when a RIP route is to be removed, it is guaranteed to be gone from the route table after 300 seconds.
  • Page 295: Chapter 37 Ripng

    Chapter 37 RIPng 37.1 Introduction to RIPng RIPng is the IPv6 version of RIP, a protocol first introduced in ARPANET and intended for small, simple networks. RIPng is a distance vector routing protocol based on the Bellman-Ford algorithm. Network devices running a distance vector routing protocol regularly send two kinds of information to neighboring devices: •...
  • Page 296: Ripng Configuration Task List

    ... destination, and the route table is built from this database. When a RIPng Layer 3 switch sends route update packets to its neighbors, the complete route table is included in the packets. Therefore, in a large network, the routing data to be transferred and processed by each Layer 3 switch is considerable, degrading network performance.
  • Page 297
    Configure other RIPng parameters
    (1) Configure the timers for RIPng update, timeout and hold-down
    Delete the specified route from the RIPng route table
    Configure RIPng route aggregation
    (1) Configure aggregate routes in IPv6 route mode
    (2) Configure aggregate routes in IPv6 interface configuration mode
    (3) ...
  • Page 298
    1) Configure route redistribution (default route metric, redistribution of routes from other protocols into RIPng)
    Command / Explanation (Router configuration mode)
    default-metric <value> / no default-metric
        Configure the default metric of redistributed routes; the no default-metric command restores the default configuration.
    1. ...
  • Page 299
    4) Configure split horizon
    Command / Explanation (Interface configuration mode)
    ipv6 rip split-horizon [poisoned] / no ipv6 rip split-horizon
        Apply split horizon when the port sends packets; "poisoned" means split horizon with poison reverse. The no form cancels split horizon.
    3. Configure other RIPng protocol parameters
    (1) Configure the timers for RIPng update, timeout and hold-down
    Command / Explanation ...
  • Page 300
    ipv6 rip aggregate-address X:X::X:X/M / no ipv6 rip aggregate-address X:X::X:X/M
        Configure or delete an IPv6 aggregate route on the interface.
    (3) Display IPv6 aggregate route information
    Command / Explanation (Admin Mode and Configuration Mode)
    show ipv6 rip aggregate
        Display IPv6 aggregate route information, such as the aggregation interface, metric, number of aggregated routes and number of aggregations.
  • Page 301: Ripng Configuration Examples

    37.3 RIPng Configuration Examples 37.3.1 Typical RIPng Examples
    Figure 37-1 RIPng Example (SwitchC Interface VLAN1 2000:1:1::1/64 and Interface VLAN2 2001:1:1::1/64; the far ends 2000:1:1::2/64 and 2001:1:1::2/64 are Interface VLAN1 of SwitchA and of SwitchB respectively)
    As shown in the figure above, a network consists of three Layer 3 switches. SwitchA and SwitchB connect to SwitchC through its interfaces vlan1 and vlan2.
  • Page 302: Ripng Aggregation Route Function Typical Examples

    SwitchA(config-router)#passive-interface Vlan1
    SwitchA(config-router)#exit
    Layer 3 SwitchB
    Enable the RIPng protocol
    SwitchB (config)#router IPv6 rip
    SwitchB (config-router-rip)#exit
    Configure the IPv6 address of interface vlan1 and enable RIPng on it
    SwitchB#config
    SwitchB(config)# interface Vlan1
    SwitchB(config-if)# IPv6 address 2001:1:1::2/64
    SwitchB(config-if)#IPv6 router rip
    SwitchB(config-if)exit
    Layer 3 SwitchC
    Enable the RIPng protocol
    SwitchC(config)#router IPv6 rip...
  • Page 303: Ripng Troubleshooting

    Figure 37-2 Typical application of RIPng aggregation (S1 VLAN1 2001:1::1:1; S2 VLAN1 2001:1::1:2, advertising the aggregate 2001:1::20:0/110 in place of 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112)
    In the network topology above, S2 is connected to S1 through interface vlan1, and there are four further subnets behind S2: 2001:1::20:0/112, 2001:1::21:0/112, 2001:1::22:0/112 and 2001:1::23:0/112. S2 supports route aggregation: after the aggregate route 2001:1::20:0/110 is configured on interface vlan1 of S2, the routing messages S2 sends to S1 through vlan1 carry the single aggregate 2001:1::20:0/110 instead of the four subnets, and the component subnets are not sent to the neighbor. Here the arithmetic works: a /110 leaves 18 host bits, so 2001:1::20:0/110 spans 2001:1::20:0 to 2001:1::23:ffff and covers exactly the four /112 subnets.
  • Page 304 ... route update messages every 30 seconds. A Layer 3 switch is considered unreachable if no route update message from it is received within 180 seconds; the route to it then remains in the route table for a further 120 seconds before it is deleted. Therefore, when a RIPng route is to be removed, it is guaranteed to be gone from the route table after 300 seconds.
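The mask-AND lookup described in 34.1, the static routes of 35.4 and the aggregation check behind the RIP (36.3.2) and RIPng (37.3.2) examples, as an added Python example using the standard ipaddress module; this is not the switch's code. The prefixes and next hops are the ones on the page; combining the two static routes and the default route from 35.4 into one table, and the lookup destinations, are constructed for illustration.

```python
"""Added example: longest-prefix match and aggregate coverage checks.
Prefixes come from the manual's examples; the lookups are constructed."""
import ipaddress
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RouteTable:
    """Longest-prefix match, with administrative distance as the tie-breaker."""

    def __init__(self) -> None:
        self.routes: List[Tuple[Net, str, int]] = []

    def add(self, prefix: str, next_hop: str, distance: int = 1) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop, distance))

    def lookup(self, destination: str) -> Optional[Tuple[str, str]]:
        """Return (prefix, next_hop) of the best match, or None when no route,
        not even a default, covers the destination."""
        dst = ipaddress.ip_address(destination)
        best: Optional[Tuple[Net, str, int]] = None
        for net, nh, dist in self.routes:
            if net.version != dst.version:
                continue
            # The AND from 34.1: destination & mask must equal the network address
            if int(dst) & int(net.netmask) != int(net.network_address):
                continue
            if (best is None or net.prefixlen > best[0].prefixlen
                    or (net.prefixlen == best[0].prefixlen and dist < best[2])):
                best = (net, nh, dist)
        return None if best is None else (str(best[0]), best[1])


def check_aggregate(aggregate: str, subnets: List[str]) -> Tuple[List[str], List[str]]:
    """Split subnets into those the aggregate covers and those it does not;
    the latter become unreachable if only the aggregate is advertised."""
    agg = ipaddress.ip_network(aggregate)
    covered: List[str] = []
    uncovered: List[str] = []
    for s in subnets:
        net = ipaddress.ip_network(s)
        (covered if net.version == agg.version and net.subnet_of(agg) else uncovered).append(s)
    return covered, uncovered


def minimal_advertisement(subnets: List[str]) -> List[str]:
    """Smallest set of prefixes covering exactly the given subnets and nothing more."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def static_route_demo() -> List[Optional[Tuple[str, str]]]:
    """The 35.4 static routes and default route in one table (constructed combination)."""
    rt = RouteTable()
    rt.add("10.1.1.0/24", "10.1.2.1")
    rt.add("10.1.4.0/24", "10.1.3.1")
    rt.add("0.0.0.0/0", "10.1.3.2")
    return [rt.lookup("10.1.1.7"), rt.lookup("10.1.4.200"), rt.lookup("172.16.0.1")]


RIP_SUBNETS = ["192.168.21.0/24", "192.168.22.0/24", "192.168.23.0/24", "192.168.24.0/24"]
RIPNG_SUBNETS = ["2001:1::20:0/112", "2001:1::21:0/112", "2001:1::22:0/112", "2001:1::23:0/112"]
```

check_aggregate("192.168.20.0/22", RIP_SUBNETS) reports 192.168.24.0/24 as uncovered, while check_aggregate("2001:1::20:0/110", RIPNG_SUBNETS) covers all four; minimal_advertisement(RIP_SUBNETS) shows that the IPv4 set cannot be expressed as one prefix without over-claiming address space.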
  • Page 305: Chapter 38 Ospf

    Chapter 38 OSPF 38.1 Introduction to OSPF OSPF is the abbreviation of Open Shortest Path First. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol builds a link-state database by exchanging link states among Layer 3 switches, and then uses the Shortest Path First algorithm to generate a route table from that database.
  • Page 306 One major advantage of link-state routing protocols is that count-to-infinity cannot occur, because of the way link-state protocols build their routing tables. The second advantage is that convergence in a link-state network is very fast: once the topology changes, updates are flooded throughout the network almost immediately.
  • Page 307 In conclusion, LSAs are only exchanged between neighboring Layer 3 switches. OSPF uses five basic types of LSA: router LSA, network LSA, network summary LSA (summarizing into other areas), ASBR summary LSA and AS external LSA, also called type 1, type 2, type 3, type 4 and type 5 LSAs. A router LSA is generated by each Layer 3 switch inside an OSPF area and is sent to all other neighboring Layer 3 switches in the same area; ...
  • Page 308: Ospf Configuration Task List

    38.2 OSPF Configuration Task List The OSPF configuration of XGS3 series switches may differ from the configuration procedure of other manufacturers' switches. It is a two-step process: 1. Enable OSPF in Global Mode; 2. Configure the OSPF area for the interfaces. The configuration task list is as follows: Enable OSPF protocol (required) Enable/disable OSPF protocol (required)
  • Page 309 [no] router ospf [process <id>]: enables the OSPF protocol; the “no router ospf” command disables the OSPF protocol (required). OSPF Protocol Configuration Mode: router-id <router_id> / no router-id: configures the ID number for the layer 3 switch running OSPF; the “no router-id” command cancels the ID number, and the IP address of an interface is then selected as the layer 3 switch ID.
  • Page 310 Command / Explanation, Interface Configuration Mode: ip ospf hello-interval <time> / no ip ospf hello-interval: sets the interval for sending HELLO packets; the “no ip ospf hello-interval” command restores the default setting. ip ospf dead-interval <time>: sets the interval after which a neighbor layer 3 switch is regarded as invalid;...
  • Page 311 Admin Mode or Configure Mode: show ip ospf [<process-id>] redistribute: displays the configuration of the outside routes that the OSPF process imports. 3) Debug. Command / Explanation, Admin Mode: debug ospf redistribute message send / no debug ospf redistribute message send: enables or disables debugging of the messages the OSPF process sends when redistributing routes to another OSPF process.
  • Page 312: Ospf Examples

    4) Configure the priority of the interface in the designated layer 3 switch (DR) election. Command / Explanation, Interface Configuration Mode: ip ospf priority <priority> / no ip ospf priority: sets the priority of the interface in the “designated layer 3 switch” election; the “no ip ospf priority” command restores the default setting.
  • Page 313 [Figure 38-1 Network topology of OSPF autonomous system: SwitchA to SwitchE connected through vlan1, vlan2 and vlan3 interfaces across Area 0 and Area 1] The configuration for layer 3 Switch1 and Switch5 is shown below: Layer 3 Switch1: Configuration of the IP address for interface vlan1 Switch1#config...
  • Page 314 Switch2(config-if-vlan1)# ip address 10.1.1.2 255.255.255.0 Switch2(config-if-vlan1)#no shutdown Switch2(config-if-vlan1)#exit Switch2(config)# interface vlan 3 Switch2(config-if-vlan3)# ip address 20.1.1.1 255.255.255.0 Switch2(config-if-vlan3)#no shutdown Switch2(config-if-vlan3)#exit Enable OSPF protocol and configure the OSPF areas in which interfaces vlan1 and vlan3 reside: Switch2(config)#router ospf Switch2(config-router)# network 10.1.1.0/24 area 0 Switch2(config-router)# network 20.1.1.0/24 area 1 Switch2(config-router)#exit Switch2(config)#exit Switch2#...
  • Page 315 Switch4(config)#exit Switch4# Layer 3 Switch5: Configuration of the IP address for interface vlan2 Switch5#config Switch5(config)# interface vlan 2 Switch5(config-if-vlan2)# ip address 100.1.1.2 255.255.255.0 Switch5(config-if-vlan2)#no shutdown Switch5(config-if-vlan2)#exit Configuration of the IP address for interface vlan3 Switch5(config)# interface vlan 3 Switch5(config-if-vlan3)# ip address 30.1.1.1 255.255.255.0 Switch5(config-if-vlan3)#no shutdown Switch5(config-if-vlan3)#exit Enable OSPF protocol and configure the number of the area in which interfaces vlan2 and vlan3 reside.
  • Page 316 [Figure 38-2 Typical complex OSPF autonomous system: SwitchA to SwitchL distributed across Area0, Area1, Area2 and Area3] This scenario is a typical complex OSPF autonomous system topology. Area1 includes networks N1-N4 and layer 3 SwitchA-SwitchD; area2 includes networks N8-N10, host H1 and layer 3 SwitchH; area3 includes N5-N7 and layer 3 SwitchF, SwitchG, SwitchA0 and Switch11; networks N8-N10 share a summary route with host H1 (i.e.
  • Page 317 SwitchB interface VLAN2 is 10.1.1.2, the IP address of layer 3 SwitchC interface VLAN2 is 10.1.1.3, and the IP address of layer 3 SwitchD interface VLAN2 is 10.1.1.4. SwitchA connects to network N1 through Ethernet interface VLAN1 (IP address 20.1.1.1); SwitchB connects to network N2 through Ethernet interface VLAN1 (IP address 20.1.2.1);...
  • Page 318 SwitchB(config)# interface vlan 2 SwitchB(config-If-Vlan2)# ip address 10.1.1.2 255.255.255.0 SwitchB(config-If-Vlan2)#exit Enable OSPF protocol and configure the area number for interface vlan2. SwitchB(config)#router ospf SwitchB(config-router)#network 10.1.1.0/24 area 1 SwitchB(config-router)#exit SwitchB(config)#interface vlan 2 Configure simple key authentication. SwitchB(config)#interface vlan 2 SwitchB(config-If-Vlan2)#ip ospf authentication SwitchB(config-If-Vlan2)#ip ospf authentication-key DCS SwitchB(config-If-Vlan2)#exit Configure the IP address and area number for interface vlan1.
  • Page 319 SwitchC(config-If-Vlan2)#exit Configure IP address and area number for interface vlan3 SwitchC(config)# interface vlan 3 SwitchC(config-If-Vlan3)#ip address 20.1.3.1 255.255.255.0 SwitchC(config-If-Vlan3)#exit SwitchC(config)#router ospf SwitchC(config-router)#network 20.1.3.0/24 area 1 SwitchC(config-router)#exit Configure IP address and area number for interface vlan 1 SwitchC(config)# interface vlan 1 SwitchC(config-If-Vlan1)#ip address 10.1.5.1 255.255.255.0 SwitchC(config-If-Vlan1)#exit SwitchC(config)#router ospf...
  • Page 320 SwitchD(config-If-Vlan2)#ip ospf authentication-key DCS SwitchD(config-If-Vlan2)#exit Configure the IP address and the area number for the interface vlan 1 SwitchD(config)# interface vlan 1 SwitchD(config-If-Vlan1)# ip address 10.1.6.1 255.255.255.0 SwitchD(config-If-Vlan1)#exit SwitchD(config)#router ospf SwitchD(config-router)#network 10.1.6.0/24 area 0 SwitchD(config-router)#exit Configure MD5 key authentication SwitchD(config)#interface vlan 1 SwitchD(config-If-Vlan1)#ip ospf authentication message-digest SwitchD(config-If-Vlan1)#ip ospf authentication-key DCS SwitchD(config-If-Vlan1)#exit...
  • Page 321: Configuration Examples Of Ospf Vpn

    Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 1.1.1.1 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 2.2.2.2 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#router ospf 10 Switch(config-router)#network 2.2.2.0/24 area 1 Switch(config-router)#exit Switch(config)#router ospf 20 Switch(config-router)#network 1.1.1.0/24 area 1 Switch(config-router)#redistribute ospf 10 Switch(config-router)#exit 38.3.2 Configuration Examples of OSPF VPN [Topology figure: SWITCHB and its interfaces]...
  • Page 322 Associate vlan 1 and vlan 2 with vpnb and vpnc respectively while configuring their IP addresses SwitchA(config)#in vlan1 SwitchA(config-if-Vlan1)#ip vrf forwarding vpnb SwitchA(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0 SwitchA(config-if-Vlan1)#exit SwitchA(config)#in vlan2 SwitchA(config-if-Vlan2)#ip vrf forwarding vpnc SwitchA(config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0 SwitchA(config-if-Vlan2)#exit Configure the OSPF instances associated with vpnb and vpnc respectively SwitchA(config)#router ospf 100 vpnb SwitchA(config-router)#network 10.1.1.0/24 area 0...
  • Page 323: Ospf Troubleshooting

    SwitchC(config-router)#exit 38.4 OSPF Troubleshooting When configuring and using the OSPF protocol, it may fail to work properly because of errors such as a faulty physical connection or a configuration mistake, so users should pay attention to the following: - First, ensure that the physical connection is correct ...
  • Page 324: Chapter 39 Ospfv3

    Chapter 39 OSPFv3 39.1 Introduction to OSPFv3 OSPFv3 (Open Shortest Path First version 3) is the third version of Open Shortest Path First and is the IPv6 version of the OSPF protocol. It is a link-state interior dynamic routing protocol for an autonomous system. The protocol creates a link-state database by exchanging link states among layer 3 switches, and then runs the Shortest Path First algorithm on that database to generate a route table.
  • Page 325 be flooded throughout the network very soon. These advantages free up layer 3 switch resources, since little processing capacity and bandwidth is consumed by bad route information. The features of the OSPFv3 protocol include the following: OSPFv3 supports networks of various scales; several hundred layer 3 switches can be supported in one OSPFv3 network.
  • Page 326 In short, LSAs are only exchanged between neighboring layer 3 switches, and the OSPFv3 protocol defines seven kinds of LSA: link LSA, intra-area prefix LSA, router LSA, network LSA, inter-area prefix LSA, inter-area router LSA and AS external LSA. A router LSA is generated by each layer 3 switch in an OSPFv3 area and is sent to all other neighboring layer 3 switches in that area;...
  • Page 327: Ospfv3 Configuration Task List

    39.2 OSPFv3 Configuration Task List OSPFv3 Configuration Task List: Enable OSPFv3 (required) (1) Enable/disable OSPFv3 (required) (2) Configure the router-id number of the layer 3 switch running OSPFv3 (optional) (3) Configure the network scope for running OSPFv3 (optional) (4) Enable OSPFv3 on the interface (required) Configure OSPFv3 auxiliary parameters (optional) (1)...
  • Page 328 router-id <router_id> / no router-id: configures the router ID for the OSPFv3 process; the “no router-id” command returns the ID to 0.0.0.0 (required). [no] passive-interface <ifname>: configures an interface that receives without sending; the “no passive-interface <ifname>” command cancels the configuration. Interface Configuration Mode: [no] IPv6 router ospf {area <area-id> ...: implements OSPFv3 routing on the interface. The [no] IPv6 router ospf {area <area-id>...
  • Page 329 IPv6 ospf transit-delay <time> [instance-id <id>] / no IPv6 ospf transit-delay [instance-id <id>]: sets the delay before a link-state advertisement is sent; the “no IPv6 ospf transit-delay [instance-id <id>]” command restores the default setting. IPv6 ospf retransmit <time> [instance-id <id>]: sets the interval for retransmitting link-state advertisements between neighboring layer 3 switches;...
  • Page 330 Command / Explanation, Admin Mode: debug ipv6 ospf redistribute message send / no debug ipv6 ospf redistribute message send: enables or disables debugging of the messages the OSPFv3 process sends when redistributing routes to another OSPFv3 process. debug ipv6 ospf redistribute route receive / no debug ipv6 ospf redistribute route receive: enables or disables debugging of the routing messages received from NSM for OSPFv3...
  • Page 331: Ospfv3 Examples

    no router IPv6 ospf [<tag>]: disables the OSPFv3 routing protocol. 39.3 OSPFv3 Examples Example 1: OSPF autonomous system. This scenario takes as an example an OSPF autonomous system consisting of five switches. [Topology figure: SwitchA to SwitchE with their IPv6 interface addresses in 2010:1:1::/64, 2030:1:1::/64 and 2100:1:1::/64] vlan1...
  • Page 332 SwitchA(config-if-vlan2)# IPv6 router ospf area 0 SwitchA (config-if-vlan2)#exit SwitchA(config)#exit SwitchA# Layer 3 SwitchB: Enable OSPFv3 protocol, configure router ID SwitchB(config)#router IPv6 ospf SwitchB (config-router)#router-id 192.168.2.2 Configure interface vlan1 address, VLAN2 IPv6 address and affiliated OSPFv3 area SwitchB#config SwitchB(config)# interface vlan 1 SwitchB(config-if-vlan1)# IPv6 address 2010:1:1::2/64 SwitchB(config-if-vlan1)# IPv6 router ospf area 0 SwitchB(config-if-vlan1)#exit...
  • Page 333: Ospfv3 Troubleshooting

    Configure interface vlan3 IPv6 address and affiliated OSPFv3 area SwitchD#config SwitchD(config)# interface vlan 3 SwitchD(config-if-vlan3)# IPv6 address 2030:1:1::2/64 SwitchD(config-if-vlan3)# IPv6 router ospf area 0 SwitchD(config-if-vlan3)#exit SwitchD(config)#exit SwitchD# Layer 3 SwitchE: Start up OSPFv3 protocol and configure router ID SwitchE(config)#router IPv6 ospf SwitchE(config-router)#router-id 192.168.2.5 Configure interface IPv6 address and affiliated OSPFv3 area SwitchE#config SwitchE(config)# interface vlan 2...
  • Page 334 switch means that part of this Layer 3 switch's interfaces belong to area 0 while another part belong to areas other than area 0; on multi-access networks such as broadcast networks, a Layer 3 switch DR must be elected; and no OSPFv3 process may be configured with a router ID of 0.0.0.0.
  • Page 335: Chapter 40 Bgp

    Chapter 40 BGP 40.1 Introduction to BGP BGP stands for Border Gateway Protocol. It is a dynamic inter-autonomous-system routing protocol. Its basic function is to exchange routing information automatically without creating loops. By exchanging reachability information that carries the sequence of autonomous system numbers as an attribute, BGP can build a topological map of the autonomous systems, eliminate routing loops and implement the policies configured by users.
  • Page 336 connection to exchange routing information. The operation of the BGP protocol is driven by messages, of which there are four kinds: Open message: the first message sent after the TCP connection is established; it is used to set up the BGP peering relationship between BGP peers.
  • Page 337 switches are in the same AS, they can be neighbors of each other. Because BGP does not discover routes itself, the route tables built by other interior routing protocols (such as static routes, direct routes, OSPF and RIP) must contain the neighbor IP addresses; those routes are used to exchange information between BGP speakers. To avoid routing loops, when a BGP speaker receives a route advertisement from an internal neighbor, it does not advertise that route to other internal neighbors.
  • Page 338: Bgp Configuration Task List

    40.2 BGP Configuration Task List The BGP configuration tasks include basic and advanced tasks. Basic BGP configuration tasks include the following: 1. Enable BGP Routing (required) 2. Configure BGP Neighbors (required) 3. Manage routing policy changes 4. Configure BGP Weights 5....
  • Page 339 no router bgp <as-id>” command disables the BGP process. Router configuration mode: bgp asnotation asdot / no bgp asnotation asdot: shows AS numbers and matches regular expressions using the ASDOT notation; the “no bgp asnotation asdot” command cancels this notation. network <ip-address/M>: sets the network that BGP will announce; the “no network <ip-address/M>”...
  • Page 340 BGP configuration mode: neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound / no neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound: stores the routing information received from neighbors and peers; the “no neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound” command cancels the storage of routing information.
  • Page 341 Command / Explanation, route map configuration mode: set ip next-hop <ip-address> / no set ip next-hop: sets the Next-Hop attribute of outbound routes; the “no set ip next-hop” command cancels this setting. 7. Configure EBGP Multi-Hop: if the connections to external neighbors are not direct, the following command configures neighbor multi-hop.
  • Page 342 BGP configuration mode: neighbor { <ip-address> | <TAG> } route-map <map-name> {in | out} / no neighbor { <ip-address> | <TAG> } route-map <map-name> {in | out}: applies a route map to incoming or outgoing routes; the “no neighbor { <ip-address> | <TAG> } route-map <map-name>...
  • Page 343 [<as-id>..]” command removes the specified ASes from the confederation. 5. Configure a Route Reflector (1) The following commands configure a route reflector and its clients. Command / Explanation, BGP configuration mode: neighbor <ip-address> route-reflector-client: configures the current switch as a route reflector and specifies a client; no neighbor <ip-address>...
  • Page 344 (2) Add neighbors to peer groups. Command / Explanation, BGP configuration mode: neighbor <ip-address> peer-group <TAG> / no neighbor <ip-address> peer-group <TAG>: makes a neighbor a member of the peer group; the “no neighbor <ip-address> peer-group <TAG>” command removes the specified member. 7. Configure neighbor and peer group parameters. Command / Explanation, BGP configuration mode...
  • Page 345 advertisement-interval” command restores the default value. neighbor {<ip-address> | <TAG>} ebgp-multihop [<1-255>] / no neighbor {<ip-address> | <TAG>} ebgp-multihop: allows EBGP connections to neighbors on indirectly connected networks; the “no neighbor {<ip-address> | <TAG>} ebgp-multihop” command cancels this setting. Configure BGP neighbor weights: neighbor { <ip-address>...
  • Page 346 route reflector. neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound / no neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound: stores the route information received from a neighbor or peers; the “no neighbor { <ip-address> | <TAG> } soft-reconfiguration inbound” command cancels the storage. Shut down a BGP neighbor or peers; the no neighbor { <ip-address>...
  • Page 347 10. Configure the Local Preference Value. Command / Explanation, BGP configuration mode: bgp default local-preference <value> / no bgp default local-preference: changes the default local preference; the “no bgp default local-preference” command restores the default value. 11. Enable sending default route. Command / Explanation, BGP configuration mode: permits sending the default route 0.0.0.0;...
  • Page 348 14. Configure Route Dampening. Command / Explanation, BGP configuration mode: bgp dampening [<1-45>] [<1-20000> <1-20000> <1-255>] [<1-45>] / no bgp dampening: enables BGP route dampening with the specified parameters; the “no bgp dampening” command stops route dampening. 15. Configure BGP Capability Negotiation. Command / Explanation, BGP configuration mode: neighbor {<ip-address>|<TAG>} capability {dynamic | route-refresh}...
  • Page 349 neighbor {<ip-address>|<TAG>} route-server-client / no neighbor {<ip-address>|<TAG>} route-server-client: in an EBGP environment, configures this router as a route server and specifies the clients it serves, reducing the number of peers that every client has to configure; the “no neighbor {<ip-address>|<TAG>} route-server-client” command deletes clients.
  • Page 350: Configuration Examples Of Bgp

    no debug bgp redistribute message send: enables or disables debugging of the messages sent by BGP for redistributing OSPF routing. debug bgp redistribute route receive / no debug bgp redistribute route receive: enables or disables debugging of the messages received from NSM for redistributing OSPF routing. 40.3 Configuration Examples of BGP 40.3.1 Example 1: configure BGP neighbors. SwitchB, SwitchC and SwitchD are in AS200; SwitchA is in AS100.
  • Page 351: Examples 2: Configure Bgp Aggregation

    The configuration of SwitchC is as follows: SwitchC(config)#router bgp 200 SwitchC(config-router-bgp)#network 12.0.0.0 SwitchC(config-router-bgp)#network 13.0.0.0 SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 200 SwitchC(config-router-bgp)#neighbor 13.1.1.4 remote-as 200 SwitchC(config-router-bgp)#exit The configuration of SwitchD is as follows: SwitchD(config)#router bgp 200 SwitchD(config-router-bgp)#network 13.0.0.0 SwitchD(config-router-bgp)#neighbor 12.1.1.2 remote-as 200 SwitchD(config-router-bgp)#neighbor 13.1.1.3 remote-as 200 SwitchD(config-router-bgp)#exit Here, the connection between SwitchB and SwitchA is EBGP, and the other connections with SwitchC and SwitchD are IBGP.
  • Page 352: Examples 3: Configure Bgp Community Attributes

    40.3.3 Example 3: configure BGP community attributes In the following example, route map “set-community” is applied to the outgoing updates to neighbor 16.1.1.6. Routes matched by access list 1 are given the special community value “1111”; other routes are announced normally.
  • Page 353: Examples 4: Configure Bgp Confederation

    Switch(config)#ip community-list com2 permit 90 Switch(config)#exit Switch#clear ip bgp 16.1.1.6 soft out 40.3.4 Example 4: configure BGP confederation The following is the configuration of an AS. As the figure illustrates, SwitchB and SwitchC establish an IBGP connection. SwitchD belongs to AS 20. SwitchB and SwitchC establish an EBGP connection inside the AS confederation. AS10 and AS20 form an AS confederation with the AS number AS200;...
  • Page 354: Examples 5: Configure Bgp Route Reflector

    SwitchB(config)#router bgp 10 SwitchB(config-router-bgp)#bgp confederation identifier 200 SwitchB(config-router-bgp)#bgp confederation peers 20 SwitchB(config-router-bgp)#neighbor 12.1.1.3 remote-as 10 SwitchB(config-router-bgp)#neighbor 13.1.1.4 remote-as 20 SwitchB(config-router-bgp)#neighbor 11.1.1.1 remote-as 100 SwitchC: SwitchC(config)#router bgp 10 SwitchC(config-router-bgp)#bgp confederation identifier 200 SwitchC(config-router-bgp)#bgp confederation peers 20 SwitchC(config-router-bgp)#neighbor 12.1.1.2 remote-as 10 SwitchD: SwitchD(config)#router bgp 20 SwitchD(config-router-bgp)#bgp confederation identifier 200 SwitchD(config-router-bgp)#bgp confederation peers 10...
  • Page 355 [Figure 40-3 The topological map of route reflectors: SwitchA to SwitchI with vlan1 addresses 1.1.1.1 to 9.9.9.9 in AS100, AS200 and AS300; SwitchC, SwitchD and SwitchG act as route reflectors (RR)] The configurations are as follows: The configuration of SwitchC: SwitchC(config)#router bgp 100 SwitchC(config-router-bgp)#neighbor 1.1.1.1 remote-as 100 SwitchC(config-router-bgp)#neighbor 1.1.1.1 route-reflector-client SwitchC(config-router-bgp)#neighbor 2.2.2.2 remote-as 100...
  • Page 356: Examples 6: Configure Med Of Bgp

    SwitchD(config-router-bgp)#neighbor 6.6.6.6 remote-as 100 SwitchD(config-router-bgp)#neighbor 6.6.6.6 route-reflector-client SwitchD(config-router-bgp)#neighbor 3.3.3.3 remote-as 100 SwitchD(config-router-bgp)#neighbor 7.7.7.7 remote-as 100 The configuration of SwitchA: SwitchA(config)#router bgp 100 SwitchA(config-router-bgp)#neighbor 1.1.1.2 remote-as 100 SwitchA(config-router-bgp)#neighbor 9.9.9.9 remote-as 300 SwitchA then does not need to establish IBGP connections with all the switches in AS100, yet still receives BGP routes from the other switches in the AS.
  • Page 357 SwitchA(config)#router bgp 100 SwitchA(config-router-bgp)#neighbor 2.2.2.1 remote-as 300 SwitchA(config-router-bgp)#neighbor 3.3.3.2 remote-as 300 SwitchA(config-router-bgp)#neighbor 4.4.4.3 remote-as 400 The configurations of SwitchC: SwitchC(config)#router bgp 300 SwitchC (config-router-bgp)#neighbor 2.2.2.2 remote-as 100 SwitchC (config-router-bgp)#neighbor 2.2.2.2 route-map set-metric out SwitchC (config-router-bgp)#neighbor 1.1.1.2 remote-as 300 SwitchC (config-router-bgp)#exit SwitchC (config)#route-map set-metric permit 10 SwitchC (Config-Router-RouteMap)#set metric 120 The configurations of SwitchD...
  • Page 358: Examples 7: Example Of Bgp Vpn

    40.3.7 Example 7: example of BGP VPN In an MPLS VPN configuration, BGP is part of the core routing system and is also an important means of supporting ILM and FTN entries on the edge devices. In DCNOS, the BGP protocol together with the LDP protocol forms the foundation of the MPLS VPN application.
  • Page 359 CE-A1(config)#interface vlan 2 CE-A1(config-if-Vlan2)#ip address 192.168.101.2 255.255.255.0 CE-A1(config-if-Vlan2)#exit CE-A1(config)#interface vlan 1 CE-A1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0 CE-A1(config-if-Vlan1)#exit CE-A1(config)#router bgp 60101 CE-A1(config-router)#neighbor 192.168.101.1 remote-as 100 CE-A1(config-router)#exit Configurations on CE-A2: CE-A2#config CE-A2(config)#interface vlan 2 CE-A2(config-if-Vlan2)#ip address 192.168.102.2 255.255.255.0 CE-A2(config-if-Vlan2)#exit CE-A2(config)#interface vlan 1 CE-A2(config-if-Vlan1)#ip address 10.1.2.1 255.255.255.0 CE-A2(config-if-Vlan1)#exit CE-A2(config)#router bgp 60102 CE-A2(config-router)#neighbor 192.168.102.1 remote-as 100...
  • Page 360 CE-B2(config-router)#neighbor 192.168.202.1 remote-as 100 CE-B2(config-router)#exit Configurations on PE1: PE1#config PE1(config)#ip vrf VRF-A PE1(config-vrf)#rd 100:10 PE1(config-vrf)#route-target both 100:10 PE1(config-vrf)#exit PE1(config)#ip vrf VRF-B PE1(config-vrf)#rd 100:20 PE1(config-vrf)#route-target both 100:20 PE1(config-vrf)#exit PE1(config)#interface vlan 1 PE1(config-if-Vlan1)#ip vrf forwarding VRF-A PE1(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.0 PE1(config-if-Vlan1)#exit PE1(config)#interface vlan 2 PE1(config-if-Vlan2)#ip vrf forwarding VRF-B PE1(config-if-Vlan2)#ip address 192.168.201.1 255.255.255.0 PE1(config-if-Vlan2)#exit...
  • Page 361 PE2(config)#ip vrf VRF-A PE2(config-vrf)#rd 100:10 PE2(config-vrf)#route-target both 100:10 PE2(config-vrf)#exit PE2(config)#ip vrf VRF-B PE2(config-vrf)#rd 100:20 PE2(config-vrf)#route-target both 100:20 PE2(config-vrf)#exit PE2(config)#interface vlan 1 PE2(config-if-Vlan1)#ip vrf forwarding VRF-A PE2(config-if-Vlan1)#ip address 192.168.102.1 255.255.255.0 PE2(config-if-Vlan1)#exit PE2(config)#interface vlan 2 PE2(config-if-Vlan2)#ip vrf forwarding VRF-B PE2(config-if-Vlan2)#ip address 192.168.202.1 255.255.255.0 PE2(config-if-Vlan2)#exit PE2(config)#interface vlan 3 PE2(config-if-Vlan3)#ip address 202.200.2.2 255.255.255.0...
  • Page 362: Bgp Troubleshooting

    40.4 BGP Troubleshooting When configuring and running the BGP protocol, a faulty physical connection or a configuration error may stop BGP from working. Therefore, users should pay attention to the following points: - First of all, ensure the physical connection is correct; ...
  • Page 363: Chapter 41 Mbgp4

    Chapter 41 MBGP4+ 41.1 Introduction to MBGP4+ MBGP4+ is the multi-protocol BGP (Multi-protocol Border Gateway Protocol) extension for IPv6; refer to the BGP chapter of this manual for an introduction to the BGP protocol. Unlike RIPng and OSPFv3, BGP has no corresponding independent protocol for IPv6; instead, it extends the original BGP with additional address families.
  • Page 364: Mbgp4+ Examples

    3. Configure redistribution of OSPFv3 routing into MBGP4+ (1) Enable redistribution of OSPFv3 routing into MBGP4+. Command / Explanation, Router IPv6 BGP Configuration Mode: redistribute ospf [<process-tag>] [route-map <word>] / no redistribute ospf [<process-tag>]: enables or disables redistribution of OSPFv3 routing into MBGP4+. (2) Display and debug the configuration of OSPFv3 route redistribution into MBGP4+. Command...
  • Page 365 Accordingly, the SwitchA configuration is as follows: SwitchA(config)#router bgp 100 SwitchA(config-router)#bgp router-id 1.1.1.1 SwitchA(config-router)#neighbor 2001::2 remote-as 200 SwitchA(config-router)#address-family IPv6 unicast SwitchA(config-router-af)#neighbor 2001::2 activate SwitchA(config-router-af)#exit-address-family SwitchA(config-router-bgp)#exit SwitchA(config)# The SwitchB configuration is as follows: SwitchB(config)#router bgp 200 SwitchB(config-router)#bgp router-id 2.2.2.2 SwitchB(config-router)#neighbor 2001::1 remote-as 100 SwitchB(config-router)#neighbor 2002::3 remote-as 200 SwitchB(config-router)#neighbor 2003::4 remote-as 200 SwitchB(config-router)#address-family IPv6 unicast SwitchB(config-router-af)#neighbor 2001::1 activate...
  • Page 366: Mbgp4+ Troubleshooting

    SwitchD(config-router-af)#exit-address-family SwitchD(config-router)#exit Here the connection between SwitchB and SwitchA is EBGP, and the connection between SwitchC and SwitchD is IBGP. The BGP session between SwitchB and SwitchD can be established without a direct physical link, provided there is a route from each switch to the other. That route can be supplied by static routing or an IGP.
  • Page 367: Chapter 42 Black Hole Routing Manual

    Chapter 42 Black Hole Routing Manual 42.1 Introduction to Black Hole Routing Black Hole Routing is a special kind of static routing which drops all the datagrams that match the routing rule. 42.2 IPv4 Black Hole Routing Configuration Task 1. Configure IPv4 Black Hole Routing Command Explanation Global Configuration Mode...
  • Page 368: Black Hole Routing Configuration Examples

    42.4 Black Hole Routing Configuration Examples Example 1: IPv4 Black Hole Routing function. [Figure 42-1 IPv4 Black Hole Routing Configuration Example: SWITCH1 192.168.0.1/21 connected to SWITCH2 192.168.0.2/21, with access networks 192.168.1.0/24 through 192.168.7.0/24 behind SWITCH2] As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces serving as access interfaces.
  • Page 369: Black Hole Routing Troubleshooting

    Example 2: IPv6 Black Hole Routing function. [Figure 41-2 IPv6 Black Hole Routing Configuration Example: SWITCH1 2004:1:2:3::1/64 connected to SWITCH2 2004:1:2:3::2/64, with access networks 2004:1:2:3:1::/80 through 2004:1:2:3:7::/80 behind SWITCH2] As shown in the figure, eight interfaces in all on Switch 2 are configured as Layer 3 VLAN interfaces serving as access interfaces.
  • Page 370 For problems that cannot be fixed through the above methods, please issue the commands show ip route distance, show ip route fib and show l3, then copy and paste the output of the commands and send it to the technical service center of our company.
  • Page 371: Chapter 43 Gre Tunnel Configuration

    Chapter 43 GRE Tunnel Configuration 43.1 Introduction to GRE Tunnel GRE (Generic Routing Encapsulation) was submitted to the IETF by Cisco and Net-smiths in 1994 as RFC1701 and RFC1702. At present, the network devices of most manufacturers support the GRE tunnel protocol.
  • Page 372 Command / Explanation, Tunnel interface configuration mode: tunnel mode gre ip / no tunnel mode: configures the tunnel mode as a GREv4 tunnel; after a data packet is encapsulated with GRE, it carries an IPv4 header and traverses the IPv4 network. Configure the tunnel mode as a GREv6 tunnel.
  • Page 373: Example Of Gre Tunnel

    ip route <ipv4-address/mask> tunnel <ID> / no ip route <ipv4-address/mask> tunnel <ID>: configures the GRE tunnel as the egress interface of an IPv4 static route. ipv6 route <ipv6-address/prefix> tunnel <ID> / no ipv6 route <ipv6-address/prefix>...: configures the GRE tunnel as the egress interface of an IPv6 static route.
  • Page 374 Configuration steps. Note: the topology in this chapter may differ from the actual environment. To ensure the configuration takes effect, make sure the current configuration of the device does not conflict with the configuration below. (1) The configuration of device A 1.
  • Page 375 SwitchA(config)#interface vlan 10 SwitchA(config-if-vlan10)# ip address 10.1.1.2 255.255.255.0 SwitchA(config-if-vlan10)#exit - Configure the OSPF routing protocol. SwitchA(config)#router ospf SwitchA(config-router)#router-id 1.1.1.1 SwitchA(config-router)#network 100.1.1.0/24 area 0 SwitchA(config-router)#network 10.1.1.0/24 area 0 SwitchA(config-router)#exit After the OSPF adjacency between the two ends is fully established through the tunnel, the tunnel route can be seen: SwitchA(config)#show ip route 20.1.1.0/24 [110/2] via 100.1.1.1, Tunnel1, 01:41:49 tag:0 (2) The configuration of device B...
  • Page 376 Tunnel1 gre ipv6 2005:1000:3000::1 2000:1000:3000::1 The configuration of the GRE tunnel is successful. - Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured. SwitchA (config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0 - Configure the interface VLAN20 and its address. SwitchA(config)#vlan 20 SwitchA(config-vlan20)#switchport interface ethernet 1/0/10 SwitchA(config-vlan20)#exit...
  • Page 377: Example Of Gre Tunnel Quotes Loopback Group

    - Create the interface VLAN 12 and its address SwitchA(config)#vlan 12 SwitchA(config-vlan12)#switchport interface ethernet 1/0/12 SwitchA(config-vlan12)#exit SwitchA(config)#interface vlan 12 SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64 SwitchA(config-if-vlan12)#exit (4) The configuration of the PCs - Configure the IP address of PC1 and the default gateway. PC1: IP address 10.1.1.1 255.255.255.0, default gateway 10.1.1.2 PC2: IP address 20.1.1.1 255.255.255.0, default gateway 20.1.1.2 43.4 Example of GRE Tunnel Quotes Loopback Group Introduction to loopback group...
  • Page 378 [Figure 43-2 GRE tunnel quotes loopback group topology: SwitchA (e1/0/11, 2000:3000:1000::1/64) and SwitchB (e1/0/12, 2005:3000:1000::1/64) reach each other through Switch C over IPv6 and carry Tunnel1 (100.1.1.1/24 and 100.1.1.2/24); PC1 10.1.1.1/24 and PC2 20.1.1.1/24 attach to the e1/0/10 interfaces on the IPv4 side] Introduction to the loopback group topology: there is an IPv6 network between SwitchA and SwitchB, while PC1 and PC2 are on IPv4 networks, so PC1 must cross the IPv6 network between SwitchA and SwitchB through the GRE tunnel to communicate with PC2.
  • Page 379 (1) The configuration of device A 1. The configuration step - Enable IPv6 function. SwitchA(config)#ipv6 enable - Create the interface VLAN 11 and its address. SwitchA(config)#vlan 11 SwitchA(config-vlan11)#switchport interface ethernet 1/0/11 SwitchA(config-vlan11)#exit SwitchA(config)#interface vlan 11 SwitchA(config-if-vlan11)#ipv6 address 2000:3000:1000::1/64 - Configure the IPv6 static route to switch B from interface Vlan11. SwitchA(config)#ipv6 route 2005:3000:1000::1/64 2000:3000:1000::2 ...
  • Page 380 SwitchA (config-if-tunnel1)# loopback-group 1 - Configure OSPF routing protocol. SwitchA(config)#router ospf SwitchA(config-router)#router-id 1.1.1.1 SwitchA(config-router)#network 100.1.1.0/24 area 0 SwitchA(config-router)#network 10.1.1.0/24 area 0 SwitchA(config-router)#exit After the OSPF adjacency between the two ends is fully established through the tunnel, the tunnel route can be seen: SwitchA(config)#show ip route 20.1.1.0/24 [110/2] via 100.1.1.1, Tunnel1, 01:41:49 tag:0 (2) The configuration of device B...
  • Page 381 - Configure the IPv4 address of the tunnel interface. To run the OSPF routing protocol, the interface address must be configured. SwitchA (config-if-tunnel1)#ip address 100.1.1.2 255.255.255.0 - Configure the interface VLAN20 and its address. SwitchA(config)#vlan 20 SwitchA(config-vlan20)#switchport interface ethernet 1/0/10 SwitchA(config-vlan20)#exit SwitchA(config)#interface vlan 20 SwitchA(config-if-vlan20)# ip address 20.1.1.2 255.255.255.0 SwitchA(config-if-vlan20)#exit...
  • Page 382 SwitchA(config-vlan12)#exit SwitchA(config)#interface vlan 12 SwitchA(config-if-vlan12)#ipv6 address 2005:3000:1000::2/64 SwitchA(config-if-vlan12)#exit (4) The configuration of PC - Configure the IP address of PC1 and the default gateway. PC1: the IP address: 10.1.1.1 255.255.255.0, the default gateway: 10.1.1.2 PC2: the IP address: 20.1.1.1 255.255.255.0, the default gateway: 20.1.1.2 43.5 GRE Tunnel Troubleshooting If any problem occurs when using the GRE tunnel, please check whether it is caused by one of the following reasons:...
  • Page 383: Chapter 44 Ecmp Configuration

     Chapter 44 ECMP Configuration 44.1 Introduction to ECMP ECMP (Equal-cost Multi-path Routing) works in a network environment where there are many different links to the same destination address. With the traditional routing technique, only one link can be used to send data packets to the destination address; the other links stay in the backup or invalid state, and in a static routing environment it takes some time to switch over between them.
  • Page 384: Ecmp Typical Example

     Command (Global mode): load-balance {dst-src-mac | dst-src-ip | dst-src-mac-ip}. Explanation: Set load balancing for the switch; it takes effect for port-group and the ECMP function at the same time. 44.3 ECMP Typical Example Figure 44-3 the application environment of ECMP As shown in the figure, R1 connects to R2 and R3 with the interface addresses 100.1.1.1/24 and 100.1.2.1/24.
  • Page 385: Ospf Implements Ecmp

    5.5.5.5/32 [1/0] via 100.1.1.2, Vlan100 tag:0 [1/0] via 100.1.2.2, Vlan200 tag:0 100.1.1.0/24 is directly connected, Vlan100 tag:0 100.1.2.0/24 is directly connected, Vlan200 tag:0 127.0.0.0/8 is directly connected, Loopback tag:0 Total routes are : 6 item(s) 44.3.2 OSPF Implements ECMP R1 configuration: R1(config)#interface Vlan100 R1(Config-if-Vlan100)# ip address 100.1.1.1 255.255.255.0 R1(config)#interface Vlan200...
  • Page 386: Ecmp Troubleshooting

    R3(config-router)# network 100.1.2.0/24 area 0 R3(config-router)# network 100.2.2.0/24 area 0 R4 configuration: R4(config)#interface Vlan100 R4(Config-if-Vlan100)# ip address 100.2.1.1 255.255.255.0 R4(config)#interface Vlan200 R4(Config-if-Vlan200)# ip address 100.2.2.1 255.255.255.0 R4(config)#interface loopback 1 R4(Config-if-loopback1)# ip address 5.5.5.5 255.255.255.255 R4(config)#router ospf 1 R4(config-router)# ospf router-id 4.4.4.4 R4(config-router)# network 100.2.1.0/24 area 0 R4(config-router)# network 100.2.2.0/24 area 0 On R1, show ip route, the following is displayed:...
  • Page 387: Chapter 45 Bfd

     Chapter 45 BFD 45.1 Introduction to BFD BFD (Bidirectional Forwarding Detection) provides a detection mechanism to quickly detect and monitor the connectivity of links in networks. To improve network performance, protocol neighbors must quickly detect communication failures between them so that communication can be restored through backup paths as soon as possible. BFD provides a general-purpose, standard, medium-independent and protocol-independent fast failure detection mechanism.
  • Page 388 Command: bfd interval <value1> min_rx <value2> multiplier <value3> / no bfd interval. Explanation: Configure the minimum transmission interval and the multiplier of session detection for BFD control packets; the no command restores the default detection multiplier. Command: bfd min-echo-receive-interval <value> / no bfd min-echo-receive-interval. Explanation: Configure the minimum receiving interval for BFD control packets; the no command restores its default value.
  • Page 389: Examples Of Bfd

     Command: ipv6 route {vrf <name> <ipv6-address> | <ipv6-address>} prefix <nexthop> bfd / no ipv6 route {vrf <name> <ipv6-address> | <ipv6-address>} prefix <nexthop> bfd. Explanation: Configure BFD for the static IPv6 route; the no command cancels the configuration. 4. Configure BFD for VRRP (v3) Command Explanation VRRP(v3) Group Configuration Mode Enable BFD for VRRP(v3) protocol and enable...
  • Page 390: Example For Linkage Of Bfd And Rip Route

     Switch(config)#interface vlan 14 Switch(config-if-vlan14)#ip address 14.1.1.1 255.255.255.0 Switch(config)#ip route 15.1.1.0 255.255.255.0 12.1.1.1 bfd When the link between Switch B and the layer 2 switch fails, Switch A detects the change on Switch B immediately, and the static route is then in the inactive state. 45.3.2 Example for Linkage of BFD and RIP Route Example: Switch A and Switch B are connected and run the RIP protocol; both of them enable the BFD function.
  • Page 391: Example For Linkage Of Bfd And Vrrp

     Switch (config-router)#network vlan 300 Switch(config)#interface vlan 100 Switch(config-if-vlan100) #rip bfd enable When the link between Switch A and Switch B fails, BFD detects it immediately and notifies RIP to delete the learnt route. 45.3.3 Example for Linkage of BFD and VRRP Example: When the master fails, the backup cannot become the master until the configured timeout timer expires.
  • Page 392: Bfd Troubleshooting

     Switch(config-router)#enable Switch(config-router)#bfd enable # Configure Switch B Switch#config Switch(config)#bfd mode passive Switch(config)#interface vlan 2 Switch(config-if-vlan2)#ip address 192.16.0.102 255.255.255.0 Switch(config)#router vrrp 1 Switch(config-router)#virtual-ip 192.168.0.10 Switch(config-router)#interface vlan 1 Switch(config-router)#enable Switch(config-router)#bfd enable 45.4 BFD Troubleshooting When a problem with the BFD function occurs, please check whether it results from one of the following reasons: ...
  • Page 393: Chapter 46 Bgp Gr

     Chapter 46 BGP GR 46.1 Introduction to GR As networks develop, higher availability is required, so HA (High Availability) is introduced: it addresses how to keep forwarding packets without affecting traffic when the router's control plane cannot work normally.
  • Page 394: Gr Configuration Task List

     information and enable the selection deferral timer. 5. R1 defers the computation of local BGP routes until it receives End-of-RIB from all GR-aware BGP neighbors or until the local selection deferral timer expires. 6. Compute routes and send route updates. After that, it sends End-of-RIB to the neighbors. Restarting Speaker(GR-Helper): 1.
  • Page 395 Command (BGP protocol unicast address family mode and VRF address family mode): neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart / no neighbor (A.B.C.D | X:X::X:X | WORD) capability graceful-restart. Explanation: Set a label for the neighbor; it carries the GR parameter when sending OPEN messages. 3.
  • Page 396: Typical Example Of Gr

     Command: bgp graceful-restart stale-path-time <1-3600> / no bgp graceful-restart stale-path-time <1-3600>. Explanation: Stalepath-time uses the default value of 360s, which is much longer than restart-time and selection-deferral-time, because during the time from when the Receiving Speaker receives the OPEN message until it receives EOR, it sends the initial route update and waits until the initial route update has been received completely.
  • Page 397 R2 configures int vlan 12, ip address 12.1.1.2 R1 configuration: R1#config R1(config)#vlan 12 R1(config-vlan12)#int vlan 12 R1(config-if-vlan12)#ip address 12.1.1.1 255.255.255.0 R1(config-if-vlan12)#exit R1(config)#router bgp 1 R1(config-router)#neighbor 12.1.1.2 remote-as 2 R1(config-router)#neighbor 12.1.1.2 capability graceful-restart R1(config-router)#bgp selection-deferral-time 120 R1(config-router)#bgp graceful-restart restart-time 60 R1(config-router)#bgp graceful-restart stale-path-time 180 R1(config-router)#exit R2 configuration: R2#config...
  • Page 398: Chapter 47 Ospf Gr

     Chapter 47 OSPF GR 47.1 Introduction to OSPF GR OSPF Graceful-Restart (OSPF GR for short) is used to keep data forwarding correct so that the flow of crucial services is not interrupted when the routing protocol restarts or a layer 3 switch switches over between the active master and the standby master.
  • Page 399: Ospf Gr Configuration

     protocol, while the GR helper is the layer 3 switch that helps the GR restarter. In the above example, S1 is the GR restarter and S2 is the GR helper. The advantages of OSPF GR are the following: - Increase network reliability - Reduce the effect of route flapping on the network ...
  • Page 400: Ospf Gr Example

     47.3 OSPF GR Example Example: There are four switches, S1 to S4 (each has two master control boards and supports OSPF GR); they enable OSPF to implement the following functions: 1. S1 keeps forwarding traffic during the switchover, and S2-S4 ensure that there is no route flapping and network traffic is continuous.
  • Page 401 specific GR is not disabled. - Whether the network topology is changed during the OSPF GR process. When it is changed, the switch may quit GR and restart OSPF. - Please ensure all neighbors of the GR restarter support GR. - Do not modify the relevant configuration of OSPF during GR.
  • Page 402: Chapter 48 Ipv4 Multicast Protocol

     Chapter 48 IPv4 Multicast Protocol 48.1 IPv4 Multicast Protocol Overview This chapter gives an introduction to the configuration of the IPv4 Multicast Protocol. All IPs in this chapter are IPv4. 48.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of a packet (including data, sound and video) is a minority of users in the network.
  • Page 403 Multicast groups are dynamic: hosts can join and leave a Multicast group at any time. A Multicast group can be permanent or temporary. Some of the Multicast group addresses are assigned officially; they are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed, but its membership can vary.
  • Page 404: Ip Multicast Packet Transmission

     48.1.3 IP Multicast Packet Transmission In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of the IP data packet. Unlike Unicast mode, a Multicast data packet must be forwarded to a number of external interfaces to be sent to all receiver sites, thus the Multicast transmission procedure is more complicated than the Unicast transmission procedure.
  • Page 405 The working process of PIM-DM can be summarized as: Neighbor Discovery, Flooding & Prune, and Graft. 1. Neighbor Discovery After a PIM-DM router is enabled, Hello messages are required to discover neighbors. The network nodes which run PIM-DM use Hello messages to contact each other. PIM-DM Hello messages are sent periodically. 2.
  • Page 406: Pim-Dm Configuration Task List

     48.2.2 PIM-DM Configuration Task List 1. Enable PIM-DM (Required) 2. Configure static multicast routing entries (Optional) 3. Configure additional PIM-DM parameters (Optional) a) Configure the interval for PIM-DM hello messages b) Configure the interval for state-refresh messages c) Configure the boundary interfaces d) Configure the management boundary 4.
  • Page 407 Command: ip pim hello-interval <interval> / no ip pim hello-interval. Explanation: To configure the interval for PIM-DM hello messages. The no form of this command will restore the interval to the default value. Configure the interval for state-refresh messages Command (Interface Configuration Mode): ip pim state-refresh origination-interval... Explanation: To configure the interval for sending PIM-DM...
  • Page 408: Pim-Dm Configuration Examples

     48.2.3 PIM-DM Configuration Examples As shown in the following figure, add the Ethernet interfaces of Switch A and Switch B to the corresponding VLAN, and enable the PIM-DM Protocol on each VLAN interface. [Figure 48-1 PIM-DM Typical Environment: SwitchA (Vlan 1, Vlan 2) and SwitchB (Vlan 1, Vlan 2)] The configuration procedure for SwitchA and SwitchB is as follows: (1) Configure SwitchA:...
  • Page 409: Pim-Dm Troubleshooting

     48.2.4 PIM-DM Troubleshooting When configuring and using the PIM-DM Protocol, PIM-DM might not operate normally because of a faulty physical connection or incorrect configuration. Therefore, the user should pay attention to the following issues: - Assure that the physical connection is correct ...
  • Page 410: Pim-Sm Configuration Task List

     and reach the host. In this way the RPT with the RP as root is generated. Multicast Source Registration When a Multicast Source S sends a Multicast packet to Multicast Group G, the PIM-SM Multicast router directly connected to it takes charge of encapsulating the Multicast packet into a Register message and unicasting it to the corresponding RP.
  • Page 411 1. Enable PIM-SM Protocol The PIM-SM protocol can be enabled on XGS3 series Layer 3 switches by enabling PIM in global configuration mode and then enabling PIM-SM for specific interfaces in the interface configuration mode. Command (Global Mode): ip pim multicast-routing. Explanation: To enable the PIM-SM protocol for all the interfaces (However, in order to make PIM-SM work for specific interfaces, the following...
  • Page 412 Command: ip pim hello-holdtime <value> / no ip pim hello-holdtime. Explanation: To configure the value of the holdtime field in the PIM-SM hello messages. The no form of this command will restore the hold time to the default value. 3) Configure ACL for PIM-SM neighbors Command Explanation Interface Configuration Mode...
  • Page 413 Command (Global Configuration Mode): ip pim bsr-candidate {vlan <vlan-id> | <ifname>} [<mask-length>] [<priority>]... Explanation: This command is the global candidate BSR configuration command, which is used to configure the information of the PIM-SM candidate BSR so that it can compete for BSR router with...
  • Page 414: Pim-Sm Configuration Examples

     Command (Interface Configuration Mode): no ip pim sparse-mode | no ip pim multicast-routing (Global configuration mode). Explanation: To disable the PIM-SM protocol. 48.3.3 PIM-SM Configuration Examples As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to the corresponding VLAN, and enable the PIM-SM Protocol on each VLAN interface.
  • Page 415: Pim-Sm Troubleshooting

    Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)# ip address 24.1.1.2 255.255.255.0 Switch(Config-if-Vlan2)# ip pim sparse-mode Switch(Config-if-Vlan2)# exit Switch(config)# ip pim rp-candidate vlan2 (3) Configure SwitchC: Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 34.1.1.3 255.255.255.0 Switch(Config-if-Vlan1)# ip pim sparse-mode Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)# ip address 13.1.1.3 255.255.255.0 Switch(Config-if-Vlan2)# ip pim sparse-mode Switch(Config-if-Vlan2)#exit...
  • Page 416: Msdp Configuration

     When configuring and using the PIM-SM Protocol, PIM-SM might not operate normally because of a faulty physical connection or incorrect configuration. Therefore, the user should pay attention to the following issues: - Assure that the physical connection is correct; - Assure that the Protocol of Interface and Link is UP (use the show interface command); ...
  • Page 417: Brief Introduction To Msdp Configuration Tasks

     48.4.2 Brief Introduction to MSDP Configuration Tasks Configuration of MSDP Basic Function: Enabling MSDP (Required); Configuring MSDP entities (Required); Configuring the Connect-Source interface; Configuring static RPF entities; Configuring Originator RP; Configuring TTL value. Configuration of MSDP entities: Configuring the Connect-Source interface; Configuring the descriptive information for MSDP entities; Configuring the AS number; Configuring the specified mesh group of MSDP...
  • Page 418: Enabling Msdp

     48.4.3.2 Enabling MSDP MSDP should be enabled before various MSDP functions can be configured. Enable the MSDP function Configure MSDP 1. Enabling MSDP Command (Global Configuration Mode): router msdp / no router msdp. Explanation: To enable MSDP. The no form of this command will disable MSDP globally.
  • Page 419: Configuration Of Delivery Of Msdp Packet

     48.4.4.2 Configuration of MSDP parameters Command (MSDP Peer Configuration Mode): connect-source <interface-type> <interface-number> / no connect-source. Explanation: To configure the Connect-Source interface for the MSDP Peer. The no form of this command will remove the configured Connect-Source interface. Command: description <text>... Explanation: To configure the descriptive information about...
  • Page 420: Configuration Of Parameters Of Sa-Cache

     Command: no sa-request-filter [list <access-list-number | access-list-name>]. Explanation: the no form of this command will remove the configured filter rules for SA request packets. 48.4.6 Configuration of Parameters of SA-cache Command (MSDP Configuration Mode): cache-sa-state / no cache-sa-state. Explanation: To enable the SA packet cache / To disable the SA packet cache. MSDP Configuration Mode The aging time for entries in the SA cache.
  • Page 421 [Figure 48-3 Network Topology for MSDP Entry: DomainA, DomainB, DomainC, RouterA, RouterB, Source, Receiver] Configuration tasks are listed as below: Prerequisites: Enable the unicast routing protocol and the PIM protocol on every router, and make sure that inter-domain routing works well and multicasting inside each domain works well. Suppose the multicast server S in Domain A offers multicast programs at 224.1.1.1.
  • Page 422 Switch(router-msdp)#peer 20.1.1.1 Router B in Domain B: Switch#config Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(Config)#interface vlan 3 Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0 Switch(Config-if-Vlan3)#exit Switch(config)#router msdp Switch(router-msdp)#peer 20.1.1.2 Switch(msdp-peer)#exit Switch(router-msdp)#peer 30.1.1.2 RP2 in Domain B: Switch#config Switch(config)#interface vlan 3 Switch(Config-if-Vlan3)#ip address 30.1.1.2 255.255.255.0 Switch(config)#interface vlan 4 Switch(Config-if-Vlan4)#ip address 40.1.1.2 255.255.255.0 Switch(Config-if-Vlan4)#exit...
  • Page 423 [Figure 48-4 Flooding of SA messages: PIM SM 1 with its Peers] [Figure 48-5 Flooding of SA messages with mesh group configuration: PIM SM 1 with its Peers in a Mesh Group] Configuration steps are listed as below: Router A: Switch#config Switch(config)#interface vlan 1...
  • Page 424 Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0 Switch(Config-if-Vlan3)#exit Switch(config)#router msdp Switch(router-msdp)#peer 10.1.1.2 Switch(router-msdp)#mesh-group XGS3-1 Switch(msdp-peer)#exit Switch(router-msdp)#peer 20.1.1.4 Switch(router-msdp)#mesh-group XGS3-1 Switch(msdp-peer)#exit Switch(router-msdp)#peer 30.1.1.3 Switch(router-msdp)#mesh-group XGS3-1 Switch(msdp-peer)#exit Router B: Switch#config Switch(config)#interface vlan 1 Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)#exit Switch(config)#interface vlan 4 Switch(Config-if-Vlan4)#ip address 40.1.1.2 255.255.255.0 Switch(Config-if-Vlan4)#exit Switch(config)#interface vlan 6 Switch(Config-if-Vlan6)#ip address 60.1.1.2 255.255.255.0...
  • Page 425: Msdp Troubleshooting

     Switch(Config-if-Vlan6)#ip address 60.1.1.4 255.255.255.0 Switch(Config-if-Vlan6)#exit Switch(config)#router msdp Switch(router-msdp)#peer 20.1.1.1 Switch(router-msdp)#mesh-group XGS3-1 Switch(msdp-peer)#exit Switch(router-msdp)#peer 40.1.1.4 Switch(router-msdp)#mesh-group XGS3-1 Switch(msdp-peer)#exit Switch(router-msdp)#peer 60.1.1.2 Switch(router-msdp)#mesh-group XGS3-1 Router D: Switch#config Switch(config)#interface vlan 2 Switch(Config-if-Vlan2)#ip address 20.1.1.4 255.255.255.0 Switch(Config-if-Vlan2)#exit Switch(config)#interface vlan 4 Switch(Config-if-Vlan4)#ip address 40.1.1.4 255.255.255.0 Switch(Config-if-Vlan4)#exit Switch(config)#interface vlan 5 Switch(Config-if-Vlan5)#ip address 50.1.1.4 255.255.255.0 Switch(Config-if-Vlan5)#exit...
  • Page 426: Anycast Rp Configuration

    If the MSDP problems cannot be solved through all the methods provided above, please issue the command debug msdp to get the debugging messages within three minutes, and send them to the technical service center of our company. 48.5 ANYCAST RP Configuration 48.5.1 Introduction to ANYCAST RP Anycast RP is a technology based on PIM protocol, which provides redundancy in order to recover as soon as possible once an RP becomes unusable.
  • Page 427 2. Configure ANYCAST RP v4 (1) Configure the RP candidate Command Explanation Global Configuration Mode PIM-SM now allows the Loopback interface to be an RP candidate (necessary). Note that the ANYCAST RP protocol can configure the Loopback interface ip pim rp-candidate {vlan <vlan-id>...
  • Page 428 done with the absence of the interface. The self-rp-address should be unique. The no operation cancels the self-rp-address which this router (as an RP) uses to communicate with other RPs. (3) Configure other-rp-address (other RP communication addresses) Command Explanation Global Configuration Mode Configure anycast-rp-addr on this router (as a...
  • Page 429: Anycast Rp Configuration Examples

     from a DR is received, it should be forwarded to all of these other RPs one by one. The no operation cancels an other-rp-address communicating with this router. 48.5.3 ANYCAST RP Configuration Examples [Figure: ANYCAST RP example topology with Multicast Server (VLAN1:10.1.1.1), VLAN2:192.168.2.5, VLAN2:192.168.2.1, VLAN1:192.168.1.4, VLAN2:192.168.3.2, receiver, VLAN2:2.2.2.2 ………]...
  • Page 430: Anycast Rp Troubleshooting

    Switch(config)#ip pim rp-candidate loopback1 Switch(config)#ip pim bsr-candidate vlan 1 Switch(config)#ip pim multicast-routing Switch(config)#ip pim anycast-rp Switch(config)#ip pim anycast-rp self-rp-address 192.168.2.1 Switch(config)#ip pim anycast-rp 1.1.1.1 192.168.3.2 RP2 Configuration: Switch#config Switch(config)#interface loopback 1 Switch(Config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255 Switch(Config-if-Loopback1)#exit Switch(config)#ip pim rp-candidate loopback1 Switch(config)#ip pim multicast-routing Switch(config)#ip pim anycast-rp Switch(config)#ip pim anycast-rp self-rp-address 192.168.3.2...
  • Page 431: Pim-Ssm Configuration Task List

     Source Specific Multicast (PIM-SSM) is a new kind of multicast service protocol. With PIM-SSM, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM, hosts can join the multicast group manually and efficiently as in traditional PIM-SM, but the shared tree and RP management of PIM-SM are left out.
  • Page 432 Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-If-Vlan1)# ip pim sparse-mode Switch(Config-If-Vlan1)#exit Switch(config)#interface vlan 2 Switch(Config-If-Vlan2)# ip pim sparse-mode Switch(Config-If-Vlan2)#exit Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.255 Switch(config)#ip multicast ssm range 1 (2) Configuration of Switch B Switch(config)#ip pim multicast-routing Switch(config)#interface vlan 1 Switch(Config-If-Vlan1)# ip pim sparse-mode Switch(Config-If-Vlan1)#exit Switch(config)#interface vlan 2...
  • Page 433: Pim-Ssm Troubleshooting

     Switch(Config-If-Vlan2)# ip pim sparse-mode Switch(Config-If-Vlan2)#exit Switch(config)#interface vlan 3 Switch(Config-If-Vlan3)# ip pim sparse-mode Switch(Config-If-Vlan3)#exit Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.255 Switch(config)#ip multicast ssm range 1 48.6.4 PIM-SSM Troubleshooting When configuring and using the PIM-SSM Protocol, PIM-SSM might not operate normally because of a faulty physical connection or incorrect configuration.
  • Page 434 The check which determines whether a packet arrived on the correct interface is called the RPF check. When a Multicast data packet arrives on an interface, the router determines the reverse path to the source network by looking up the DVMRP routing table. If the interface the packet arrived on is the one used to send Unicast messages to the source, the reverse path check succeeds, and the packet is forwarded out of all downstream interfaces.
  • Page 435: Dvmrp Configuration Task List

     48.7.2 DVMRP Configuration Task List 1. Globally enable and disable DVMRP (Required) 2. Enable and disable the DVMRP Protocol on the interface (Required) 3. Configure DVMRP sub-parameters (Optional) Configure DVMRP interface parameters 1) Configure the delay of transmitting report messages on a DVMRP interface and the number of messages each time it transmits 2) Configure the metric value of a DVMRP interface 3) Configure whether DVMRP is able to set up neighbors with DVMRP routers which cannot Prune/Graft...
  • Page 436: Dvmrp Configuration Examples

     Command: ip dvmrp output-report-delay <delay_val> [<burst_size>] / no ip dvmrp output-report-delay. Explanation: Configure the delay of transmitting DVMRP report messages on the interface and the number of messages each time it transmits; the “no ip dvmrp output-report-delay” command restores the default value. Command: ip dvmrp metric <metric_val>... Explanation: Configure the interface DVMRP report message...
  • Page 437: Dvmrp Troubleshooting

    Switch (config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0 Switch(Config-if-Vlan1)# ip dvmrp enable (2) Configure SwitchB: Switch (config)#ip dvmrp multicast-routing Switch (config)#interface vlan 1 Switch(Config-if-Vlan1)# ip address 12.1.1.2 255.255.255.0 Switch(Config-if-Vlan1)# ip dvmrp enable Switch(Config-if-Vlan1)#exit Switch (config)#interface vlan 2 Switch(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.0 Switch(Config-if-Vlan2)# ip dvmrp Since DVMRP itself does not rely on Unicast Routing Protocol, it is not necessary to configure Unicast Routing Protocol.
  • Page 438: Dcscm Configuration Task List

     The Multicast Packet Source Control technology of Security Controllable Multicast is mainly handled in the following manners: 1. On the edge switch, if source-controlled multicast is configured, then only multicast data from the specified group of the specified source can pass. 2....
  • Page 439 The next step is to configure the rules of source control. They are configured in the same manner as an ACL, using ACL numbers 5000-5099; each rule number can be used to configure 10 rules. Note that these rules are ordered: the front one is the one which was configured earliest.
  • Page 440 Command: [no] multicast destination-control (required). Explanation: Globally enable IPv4 and IPv6 destination control. The no operation of this command will globally disable destination control. All of the other configuration can only take effect after it is globally enabled. Next is to configure destination control rules, which are similar.
  • Page 441: Dcscm Configuration Examples

     to set priority for the specified multicast. The commands are as follows: Command (Global Configuration Mode): [no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>. Explanation: Configure multicast strategy, specifying the priority for sources and groups in a specific range; the range is <0-7>. 48.8.3 DCSCM Configuration Examples 1....
  • Page 442: Dcscm Troubleshooting

     Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure its join-in switch as follows: Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4 In this way, the multicast stream will have a priority value of 4 (usually this is fairly high; the higher possible one is protocol data;...
  • Page 443 In this situation, since all switches which run IGMP on this network segment can receive membership report messages from the host, only one switch is required to transmit membership query messages, so an election mechanism is required to determine which switch acts as the querier. In IGMP version 1, the selection of the querier is determined by the Multicast Routing Protocol;
  • Page 444: Igmp Configuration Task List

     membership trace. 11. In query messages, the new router-side suppression process (S flag) modifies the existing IGMPv2 processing. 48.9.2 IGMP Configuration Task List 1. Enable IGMP (Required) 2. Configure IGMP sub-parameters (Optional) (1) Configure IGMP group parameters 1) Configure IGMP group filtering conditions 2) Configure IGMP to join in group 3) Configure IGMP to join in static group (2) Configure IGMP query parameters...
  • Page 445 Command (Interface Configuration Mode): ip igmp access-group {<acl_num | acl_name>} / no ip igmp access-group. Explanation: Configure the filtering conditions of the interface for IGMP groups; the “no ip igmp access-group” command cancels the filtering condition. Command: ip igmp join-group <A.B.C.D>... Explanation: Configure the interface to join some IGMP...
  • Page 446: Igmp Configuration Examples

     Command: no ip dvmrp | no ip pim dense-mode | no ip pim sparse-mode | no ip dvmrp multicast-routing | no ip pim multicast-routing. Explanation: Disable the IGMP Protocol. 48.9.3 IGMP Configuration Examples As shown in the following figure, add the Ethernet ports of Switch A and Switch B to the corresponding VLAN, and start PIM-DM on each VLAN interface.
  • Page 447: Igmp Snooping

     - Firstly, assure that the physical connection is correct; - Next, assure that the Protocol of Interface and Link protocol is UP (use the show interface command); - Afterwards, assure that a multicast protocol is started on the interface; ...
  • Page 448 Command: ip igmp snooping vlan <vlan-id> / no ip igmp snooping vlan <vlan-id>. Explanation: Enables IGMP Snooping for the specified VLAN. The no operation disables IGMP Snooping for the specified VLAN. Command: ip igmp snooping proxy / no ip igmp snooping proxy. Explanation: Enable the IGMP Snooping proxy function; the no command disables the function.
  • Page 449: Igmp Snooping Examples

     query-mrsp <value> ... period. The “no ip igmp snooping vlan <vlan-id> query-mrsp” command restores the default value. Command: ip igmp snooping vlan <vlan-id> query-robustness <value>. Explanation: Configure the query robustness. The “no ip igmp snooping vlan <vlan-id>...
  • Page 450 [Figure 48-10 Enabling IGMP Snooping function: Multicast router, Multicast Server 1, Multicast Server 2, Multicast port, IGMP Snooping, Group 1, Group 1, Group 1, Group 2] Example: As shown in the above figure, a VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12.
  • Page 451 [Figure 48-11 The switches as IGMP Queriers: Multicast Server, Group 1, Group 2; Switch A (IGMP Snooping, L2 general querier, Multicast port); Switch B (IGMP Snooping, Group 1, Group 1, Group 1, Group 2)] The configuration of Switch2 is the same as the switch in scenario 1; SwitchA takes the place of the Multicast Router in scenario 1.
  • Page 452: Igmp Snooping Troubleshooting

     router) Configurations are listed as below: switch#config switch(config)#ip pim multicast-routing switch(config)#interface vlan 100 switch(config-if-vlan100)#ip pim sparse-mode IGMP snooping does not distribute entries when a layer 3 multicast protocol is enabled. It only does the following tasks. - Remove the layer 2 multicast entries. ...
  • Page 453: Igmp Proxy Configuration Task List

    the join and leave messages received from downstream ports and forwards them to the multicast router through upstream ports. The IGMP proxy configuration is mutually exclusive with PIM and DVMRP configuration. 48.11.2 IGMP Proxy Configuration Task List 1. Enable IGMP Proxy function 2....
  • Page 454: Igmp Proxy Examples

    no ip igmp proxy unsolicited-report robustness: this command will restore the default value. ip igmp proxy aggregate / no ip igmp proxy aggregate: To configure non-query downstream ports to be able to aggregate the IGMP operations; the no form of this command will restore the default configuration.
  • Page 455 The configuration steps are listed below:
    Switch#config
    Switch(config)#ip igmp proxy
    Switch(Config)#interface vlan 1
    Switch(Config-if-Vlan1)#ip igmp proxy upstream
    Switch(Config)#interface vlan 2
    Switch(Config-if-Vlan2)#ip igmp proxy downstream
    Multicast Configuration: Suppose the multicast server offers some programs through 224.1.1.1. Some hosts subscribe to that program at the edge of the network.
  • Page 456: Igmp Proxy Troubleshooting

    Switch#config
    Switch(config)#ip igmp proxy
    Switch(Config)#interface vlan 1
    Switch(Config-if-Vlan1)#ip igmp proxy upstream
    Switch(Config)#interface vlan 2
    Switch(Config-if-Vlan2)#ip igmp proxy downstream
    Switch(Config-if-Vlan2)#ip igmp proxy multicast-source
    Route1 configuration:
    Switch#config
    Switch(config)#ip pim multicast
    Switch(Config)#interface vlan 1
    Switch(Config-if-Vlan1)#ip pim sparse-mode
    Switch(Config-if-Vlan1)#ip pim bsr-border
    Multicast Configuration: Suppose the server provides programs through the multicast address 224.1.1.1, and some hosts subscribe to that program at the edge of the network.
  • Page 457: Chapter 49 Ipv6 Multicast Protocol

    Chapter 49 IPv6 Multicast Protocol 49.1 PIM-DM6 49.1.1 Introduction to PIM-DM6 PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a multicast routing protocol in dense mode which is suited to small networks, where the members of a multicast group are relatively dense.
  • Page 458: Pim-Dm6 Configuration Task List

    the multicast packet will be discarded as a redundant message. The unicast routing information used for the path judgment can come from any unicast routing protocol, such as routes learned by RIP, OSPF, etc.; it does not rely on any specific unicast routing protocol. 4.
  • Page 459 ipv6 pim dense-mode: To enable PIM-DM for the specified interface (required). 2. Configure static multicast routing entries. Global configuration mode: ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname>: To configure IPv6 static multicast routing entries. The no form of this command (no ipv6 mroute <X:X::X:X>...) will remove the
  • Page 460: Pim-Dm6 Typical Application

    Interface Configuration Mode: ipv6 pim scope-border <500-599>|<acl_name>...: To configure the PIM-DM6 management boundary for the interface and apply an ACL for the management boundary. With default settings, ffx0::/13 is considered the scope of the management group. If an ACL is configured, then...
  • Page 461: Pim-Dm6 Troubleshooting

    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 2000:10:1:1::1/64
    Switch(Config-if-Vlan1)#ipv6 pim dense-mode
    Switch(Config-if-Vlan1)#exit
    Switch(config)#interface vlan2
    Switch(Config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
    Switch(Config-if-Vlan2)#ipv6 pim dense-mode
    (2) Configure SwitchB:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64
    Switch(Config-if-Vlan1)#ipv6 pim dense-mode
    Switch(Config-if-Vlan1)#exit
    Switch(config)#interface vlan 2
    Switch(Config-if-Vlan2)#ipv6 address 2000:20:1:1::1/64
    Switch(Config-if-Vlan2)#ipv6 pim dense-mode
    49.1.4 PIM-DM6 Troubleshooting When configuring and using the PIM-DM protocol, it may fail to work normally due to physical...
  • Page 462 PIM-SM routers and establish, using the Join/Prune messages of the routers, an RPT (RP-rooted shared tree) based on the RP. Consequently the network bandwidth occupied by data packets and control messages is cut down and the processing cost of the routers is reduced. Multicast data reach the network segment where the multicast group members are located along the shared tree.
  • Page 463: Pim-Sm6 Configuration Task List

    Notice: Multicast Routing Protocol is not supported by 5950-28T-L and 5950-52T-L in this chapter. 49.2.2 PIM-SM6 Configuration Task List 1. Enable PIM-SM (Required) 2. Configure static multicast routing entries (Optional) 3. Configure additional parameters for PIM-SM (Optional) Configure parameters for PIM-SM interfaces 1) Configure the interval for PIM-SM hello messages 2) Configure the holdtime for PIM-SM hello messages 3) Configure ACL for PIM-SM6 neighbors...
  • Page 464 ipv6 mroute <X:X::X:X> <X:X::X:X> <ifname> <.ifname> / no ipv6 mroute <X:X::X:X> <X:X::X:X> [<ifname> <.ifname>]: To configure a static multicast routing entry; the no form of this command will remove the specified static multicast routing entry. 3. Configure the additional parameters for PIM-SM (1) Configure parameters for PIM-SM interfaces 1) Configure the interval for PIM-SM hello messages Command...
  • Page 465 5) Configure the interface as the management boundary of the PIM-SM6 protocol. Interface Configuration Mode: ipv6 pim scope-border: To configure the PIM-SM6 management boundary for the interface and apply an ACL for the management boundary. With default settings, ffx0::/13 is considered the scope of the management group.
  • Page 466: Pim-Sm6 Typical Application

    Global Configuration Mode: ipv6 pim rp-address <rp-address> [<group-range>] / no ipv6 pim rp-address <rp-address> {all|<group-range>}: To configure the address of the candidate RP; the no form of this command will remove the configuration for the candidate RP. 4) Configure the cache time of kernel multicast route Command Explanation Global Configuration Mode...
  • Page 467 The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as below:
    (1) Configure SwitchA:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::1/64
    Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
    Switch(Config-if-Vlan1)#exit
    Switch(config)#interface vlan 2
    Switch(Config-if-Vlan2)#ipv6 address 2000:13:1:1::1/64
    Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
    (2) Configure Switch B:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 2000:12:1:1::2/64...
  • Page 468: Pim-Sm6 Troubleshooting

    Switch(Config-if-Vlan1)#ipv6 address 2000:34:1:1::4/64
    Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
    Switch(Config-if-Vlan1)#exit
    Switch(config)#interface vlan 2
    Switch(Config-if-Vlan2)#ipv6 address 2000:24:1:1::4/64
    Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
    Switch(Config-if-Vlan2)#exit
    Switch(config)#interface vlan 3
    Switch(Config-if-Vlan3)#ipv6 address 2000:40:1:1::1/64
    Switch(Config-if-Vlan3)#ipv6 pim sparse-mode
    49.2.4 PIM-SM6 Troubleshooting When configuring and using the PIM-SM protocol, it may fail to work normally due to physical connections, incorrect configuration and so on.
  • Page 469: Anycast Rp V6 Configuration Task

    Anycast RP defines that the RP nearest to the multicast source should forward the source register messages to all the other RPs, to guarantee that all joiners of the RP can find the multicast source. The PIM-protocol-based Anycast RP is realized by maintaining an Anycast RP list on every switch configured with Anycast RP, and by using another address as the label by which the RPs identify each other.
  • Page 470 no ipv6 pim anycast-rp self-rp-address: identify this router when communicating with other RPs (necessary). The effect of self-rp-address has two aspects: 1. Once this router (as an RP) receives a unicast register message from a DR, it needs to forward the register message to all the other RPs in the network, notifying them of the state of the source (S,G).
  • Page 471: Anycast Rp V6 Configuration Examples

    absence of the interface in accordance with the anycast-rp-addr. Configure on this router (as an RP) the other-rp-addresses of the other RPs communicating with it. This unicast address identifies the other RPs used in communication with local routers. The effect of other-rp-address has two aspects: 1. Once this router (as an RP) receives a unicast register message from a DR, it should forward it to the other RPs in the network to notify all the RPs in the network of the (S,G) source state.
  • Page 472: Anycast Rp V6 Troubleshooting

    RP1 Configuration:
    Switch#config
    Switch(config)#interface loopback 1
    Switch(Config-if-Loopback1)#ipv6 address 2006::1/128
    Switch(Config-if-Loopback1)#exit
    Switch(config)#ipv6 pim rp-candidate loopback1
    Switch(config)#ipv6 pim bsr-candidate vlan 1
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#ipv6 pim anycast-rp
    Switch(config)#ipv6 pim anycast-rp self-rp-address 2003::1
    Switch(config)#ipv6 pim anycast-rp 2006::1 2004::2
    RP2 Configuration:
    Switch#config
    Switch(config)#interface loopback 1
    Switch(Config-if-Loopback1)#ipv6 address 2006::1/128
    Switch(Config-if-Loopback1)#exit
    Switch(config)#ipv6 pim rp-candidate loopback1...
  • Page 473: Pim-Ssm6

    49.4 PIM-SSM6 49.4.1 Introduction to PIM-SSM6 Source Specific Multicast (PIM-SSM6) is a new kind of multicast service protocol. With PIM-SSM6, a multicast session is distinguished by the multicast group address and the multicast source address. In SSM6, hosts can be added into the multicast group manually and efficiently like traditional PIM-SM6, but leaving out the shared tree and RP management of PIM-SM6.
  • Page 474 Figure 49-4 PIM-SSM typical environment. Configurations of switchA, switchB, switchC and switchD are listed below:
    (1) Configuration of switchA:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#interface vlan 1
    Switch(Config-If-Vlan1)#ipv6 address 2000:12:1:1::1/64
    Switch(Config-If-Vlan1)#ipv6 pim sparse-mode
    Switch(Config-If-Vlan1)#exit
    Switch(config)#interface vlan 2
    Switch(Config-If-Vlan2)#ipv6 address 2000:13:1:1::1/64
    Switch(Config-If-Vlan2)#ipv6 pim sparse-mode
    Switch(Config-If-Vlan2)#exit
    Switch(config)#ipv6 access-list 500 permit ff1e::1/64...
  • Page 475: Pim-Ssm6 Troubleshooting

    Switch(config)#ipv6 pim rp-candidate vlan2
    Switch(config)#ipv6 access-list 500 permit ff1e::1/64
    Switch(config)#ip pim ssm range 500
    (3) Configuration of SwitchC:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#interface vlan 1
    Switch(Config-If-Vlan1)#ipv6 address 2000:34:1:1::3/64
    Switch(Config-If-Vlan1)#ipv6 pim sparse-mode
    Switch(Config-If-Vlan1)#exit
    Switch(config)#interface vlan 2
    Switch(Config-If-Vlan2)#ipv6 address 2000:13:1:1::3/64
    Switch(Config-If-Vlan2)#ipv6 pim sparse-mode
    Switch(Config-If-Vlan2)#exit
    Switch(config)#interface vlan 3...
  • Page 476: Ipv6 Dcscm

    Make sure the physical links are connected correctly. Make sure the state of the data link layer has become UP (use the show interface command). Make sure PIM6 is enabled in global configuration mode (refer to the command ipv6 pim multicast-routing).
  • Page 477 the command of globally enabling the source control: Command Explanation Global Configuration Mode Globally enable the source control, the no operation of this command will globally disable the source control. What should be paid attention to is that, once globally enable ipv6 multicast source-control(necessary) source control,...
  • Page 478 First, globally enable the destination control, since destination control needs to avoid the unauthorized users from receiving multicast data, once it is enabled globally, the switch will stop broadcasting received multicast data, so if a switch has enabled destination control, users should not connect two or more other Layer three switches within the same VLAN where it locates.
  • Page 479: Ipv6 Dcscm Typical Examples

    3. The configuration of multicast policy. The multicast policy works by specifying a priority for the specified multicast data to meet the user's particular demand. Note that only when multicast data is transmitted over a TRUNK can it be given this special treatment.
  • Page 480: Ipv6 Dcscm Troubleshooting

    Switch(config)#ipv6 multicast destination-control fe80::203:fff:fe01:228a/64 access-group 9000
    Thus, the users of this segment can only join groups other than ff1e::1/64. 3. Multicast policy: Server 2008::1 is sending important multicast data in group ff1e::1; we can configure its access switch as follows:
    Switch(config)#ipv6 multicast policy 2008::1/128 ff1e::1/128 cos 4
    Thus this multicast flow will have a priority of 4 when it passes the TRUNK port of this switch to another switch (generally speaking, this is a relatively high priority; data with a higher priority might be protocol data, if...
  • Page 481: Mld Configuration Task List

    MLD protocol version 2 uses FF02::16 as the destination address of membership reports, and 143 as the message type. The other logic of MLD protocol version 2 is similar to IGMP protocol version 3. 49.6.2 MLD Configuration Task List 1. Start MLD (Required) 2. Configure MLD auxiliary parameters (Required) (1) Configure MLD group parameters 1) Configure MLD group filter conditions (2) Configure MLD query parameters...
  • Page 482: Mld Typical Application

    1) Configure the interval for MLD to send query messages 2) Configure the maximum response time of MLD queries 3) Configure the timeout of MLD queries. Port Configuration Mode: ipv6 mld query-interval <time_val> / no ipv6 mld query-interval: Configure the interval of periodically sent MLD query messages; the no operation of this command restores the default value.
  • Page 483: Mld Troubleshooting Help

    (1) Configure SwitchA:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#ipv6 pim rp-address 3FFE::1
    Switch(config)#interface vlan 1
    Switch(Config-if-Vlan1)#ipv6 address 3FFE::1/64
    Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
    (2) Configure SwitchB:
    Switch(config)#ipv6 pim multicast-routing
    Switch(config)#ipv6 pim rp-address 3FFE::1
    Switch(config)#interface vlan1
    Switch(Config-if-Vlan1)#ipv6 address 3FFE::2/64
    Switch(Config-if-Vlan1)#ipv6 pim sparse-mode...
  • Page 484: Mld Snooping Configuration Task

    (namely ff02::1). Once there is a listener that wishes to join the multicast address, it will send an MLD Multicast Listener Report back to the multicast address. MLD Snooping is, namely, MLD listening. Through MLD Snooping the switch restricts multicast traffic from flooding, and forwards the multicast traffic only to ports associated with multicast devices.
  • Page 485: Mld Snooping Examples

    mrouter-port interface <interface-name> ipv6 mld snooping vlan <vlan-id> mrouter-port learnpim6 / no ipv6 mld snooping vlan <vlan-id> mrouter-port learnpim6: Enable the function that the specified VLAN learns the mrouter-port (according to PIMv6 packets); the no command disables the function. ipv6 mld snooping vlan <vlan-id> mrpt <value>...: Configure the keep-alive time of the mrouter
  • Page 486 Scenario 1: MLD Snooping Function. Figure 49-6 Open the switch MLD Snooping Function figure. As shown above, VLAN 100 configured on the switch consists of ports 1, 2, 6, 10, 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, while the multicast router is on port 1.
  • Page 487 Figure 49-7 Switch as MLD Querier Function figure. The configuration of switch B is the same as the switches in case 1, and here switch 1 replaces the Multicast Router in case 1. Assume VLAN 60 configured on it contains ports 1, 2, 10, 12; port 1 is connected to the multicast server, port 2 to switch2.
  • Page 488: Mld Snooping Troubleshooting

    Scenario 3: To run in cooperation with layer 3 multicast protocols. The SWITCH used in Scenario 1 is replaced with a ROUTER, and the specific configurations remain the same. The multicast and IGMP snooping configurations are the same as in Scenario 1. To configure PIM-SM6 on the ROUTER and enable PIM-SM6 on VLAN 100 (use the same PIM mode as the connected multicast router), the configurations are listed below: switch#config...
  • Page 489: Chapter 50 Multicast Vlan

    Chapter 50 Multicast VLAN 50.1 Introductions to Multicast VLAN Based on the current multicast ordering method, when there are orders from users in different VLANs, each VLAN receives its own copy of the multicast traffic, which is a great waste of bandwidth. By configuring a multicast VLAN, we add the switch port to the multicast VLAN, and with the IGMP Snooping/MLD Snooping functions enabled, users from different VLANs will share the same multicast VLAN.
  • Page 490: Multicast Vlan Examples

    3. Configure MLD Snooping. Global Mode: ipv6 mld snooping vlan <vlan-id> / no ipv6 mld snooping vlan <vlan-id>: Enable MLD Snooping on the multicast VLAN; the “no” form of this command disables MLD Snooping on the multicast VLAN. ipv6 mld snooping / no ipv6 mld snooping: Enable the MLD Snooping function; the “no” form of this command disables the MLD...
  • Page 491 SwitchA(config)#interface vlan 10
    Switch(Config-if-Vlan10)#ip pim dense-mode
    Switch(Config-if-Vlan10)#exit
    SwitchA(config)#vlan 20
    SwitchA(config-vlan20)#exit
    SwitchA(config)#interface vlan 20
    SwitchA(Config-if-Vlan20)#ip pim dense-mode
    SwitchA(Config-if-Vlan20)#exit
    SwitchA(config)#ip pim multicast
    SwitchA(config)#interface ethernet1/0/10
    SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
    SwitchB#config
    SwitchB(config)#vlan 100
    SwitchB(config-vlan100)#switchport access ethernet 1/0/15
    SwitchB(config-vlan100)#exit
    SwitchB(config)#vlan 101
    SwitchB(config-vlan101)#switchport access ethernet 1/0/20
    SwitchB(config-vlan101)#exit
    SwitchB(config)#interface ethernet 1/0/10
    SwitchB(Config-If-Ethernet1/0/10)#switchport mode trunk...
  • Page 492: Chapter 51 Acl Configuration

    Chapter 51 ACL Configuration 51.1 Introduction to ACL ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switch, effectively safeguarding the security of networks. The user can lay down a set of rules according to information specific to packets; each rule describes the action for a packet whose information matches: “permit”...
  • Page 493: Acl Configuration Task List

    51.2 ACL Configuration Task List ACL Configuration Task Sequence: 1. Configuring access-list (1) Configuring a numbered standard IP access-list (2) Configuring a numbered extended IP access-list (3) Configuring a standard IP access-list based on nomenclature a) Create a standard IP access-list based on nomenclature b) Specify multiple “permit”...
  • Page 494 5. Clear the filtering information of the specified port 1. Configuring access-list (1) Configuring a numbered standard IP access-list (2) Configuring a numbered extended IP access-list (3) Configuring a standard IP access-list based on nomenclature a) Create a standard IP access-list based on nomenclature b) Specify multiple “permit”...
  • Page 495 5. Clear the filtering information of the specified port 1. Configuring access-list (1) Configuring a numbered standard IP access-list. Global Mode: access-list <num> {deny | permit} {{<sIpAddr>...: Creates a numbered standard IP access-list; if the access-list already exists, then a rule will be added to the current access-list;...
  • Page 496 access-list <num> {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort>...: Creates a numbered extended IP access rule; if the numbered extended access-list of the specified number does not exist,
  • Page 497 Standard IP ACL Mode: exit: Exits name-based standard IP ACL configuration mode. (4) Configuring a name-based extended IP access-list a. Create an extended IP access-list based on nomenclature. Global Mode: Creates an extended access-list based on nomenclature; “no ip access-list extended <name>...
  • Page 498 <tos>][time-range<time-range-name>] [no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> |...: Creates an extended name-based UDP IP access rule; the no form of the command deletes this name-based...
  • Page 499 {host-source-mac<host_smac>}|{<smac><smac-mask>}}{any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}}[{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [<offset1> <length1> <value1> [<offset2> <length2> <value2>...: extended access-list; if the access-list already exists, then a rule will be added to the current access-list; the “no access-list <num>” command deletes a
  • Page 500 [no]{deny|permit} {any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}} [vlanid <vid-value> [<vid-mask>][ethertype <protocol> [<protocol-mask>]]]
    [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}}{any-destination-mac|{host-destination-mac<host_dmac>}|{<dmac><dmac-mask>}}[untagged-eth2 [ethertype <protocol> [protocol-mask]]]: Creates an extended name-based MAC access rule matching untagged Ethernet II frames; the no form of the command deletes this name-based extended MAC access rule.
    [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}}...: Creates a MAC access rule
  • Page 501 (8) Configuring a numbered extended MAC-IP access-list. Global mode: access-list <num> {deny|permit} {any-source-mac| {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac><dmac-mask>}} icmp {{<source> <source-wildcard>} |any-source| {host-source <source-host-ip>}} {{<destination>...: Creates a numbered mac-icmp extended mac-ip access rule; if the numbered extended access-list
  • Page 502 access-list <num> {deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}}{any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}} udp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-destination|{host-destination<destination-host-ip>}} [d-port ...: Creates a numbered mac-udp extended mac-ip access rule; if the numbered extended access-list of the specified number does not exist, then an access-list will be created using this number.
  • Page 503 Extended name-based MAC-IP access Mode: [no]{deny|permit} {any-source-mac|{host-source-mac <host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}} icmp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}} {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>][tos<tos>][time-range<time-range-name>]: Creates an extended name-based MAC-ICMP access rule; the no form of the command deletes this name-based extended MAC-ICMP access rule. [no]{deny|permit}{any-source-mac|{host-source-mac <host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac...
  • Page 504 c<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}} udp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-destination|{host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>][time-range<time-range-name>]: Creates an extended name-based MAC-UDP access rule; the no form of the command deletes this name-based extended MAC-UDP access rule. [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac...
  • Page 505 deletes a numbered standard IPv6 access-list. (11) Configuring a numbered extended IPv6 access-list. Global Mode: ipv6 access-list <num-ext> {deny | permit} icmp {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>] ipv6 access-list <num-ext>...
  • Page 506 a. Create a standard IPv6 access-list based on nomenclature. Global Mode: ipv6 access-list standard <name> / no ipv6 access-list standard <name>: Creates a standard access-list based on nomenclature; the no command deletes the name-based standard IPv6 access-list. b. Specify multiple permit or deny rules. Standard IPv6 ACL Mode...
  • Page 507 Extended IPv6 ACL Mode: [no] {deny | permit} icmp {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}} {<dIPv6Prefix/dPrefixlen> | any-destination | {host-destination <dIPv6Addr>}} [<icmp-type> [<icmp-code>]] [dscp <dscp>] [flow-label <flowlabel>] [time-range <time-range-name>]: Creates an extended name-based ICMP IPv6 access rule; the no form of the command deletes this name-based extended IPv6 access rule.
  • Page 508 Extended IPv6 ACL Mode: exit: Exits extended name-based IPv6 configuration mode. 2. Configuring the packet filtering function (1) Enable the global packet filtering function. Global Mode: firewall enable: Enables the global packet filtering function. firewall disable: Disables the global packet filtering function.
  • Page 509: Acl Example

    [no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time> (3) Configure absolute time range. Global Mode: absolute start <start_time> <start_data> [end <end_time> <end_data>]: Configure absolute time range. [no] absolute start <start_time> <start_data> [end <end_time>...: Stop the function of the time
  • Page 510 3. Bind the ACL to the port. The configuration steps are listed below:
    Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
    Switch(config)#firewall enable
    Switch(config)#firewall default permit
    Switch(config)#interface ethernet 1/0/10
    Switch(Config-If-Ethernet1/0/10)#ip access-group 110 in
    Switch(Config-If-Ethernet1/0/10)#exit
    Switch(config)#exit
    Configuration result:
    Switch#show firewall
    Firewall status: enable.
  • Page 511 Configuration result:
    Switch#show firewall
    Firewall Status: Enable.
    Switch#show access-lists
    access-list 1100(used 1 time(s))
    access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
    access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
    Switch#show access-group interface ethernet 1/0/10
    interface name:Ethernet1/0/10
    MAC Ingress access-list used is 1100,traffic-statistics Disable.
    Scenario 3: The configuration requirement is stated below: The MAC address range of the network connected to interface 10 of the switch is 00-12-11-23-xx-xx, and the IP network is 10.0.0.0/24.
  • Page 512 access-list 3110(used 1 time(s))
    access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
    access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
    Switch#show access-group interface ethernet 1/0/10
    interface name:Ethernet1/0/10
    MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.
    Scenario 4: The configuration requirement is stated below: The IPv6 protocol runs on interface 600 of the switch.
  • Page 513: Acl Troubleshooting

    IPv6 Ingress access-list used is 600, traffic-statistics Disable. Scenario 5: The configuration requirement is stated below: Interfaces 1, 2, 5 and 7 belong to vlan100; the host with IP address 192.168.0.1 should be prevented from accessing the listed interfaces. Configuration description: 1....
  • Page 514 If an access-list contains the same filtering information but conflicting action rules, binding to the port will fail with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” at the same time is not permitted. ...
  • Page 515: Chapter 52 802.1X Configuration

    Chapter 52 802.1x Configuration 52.1 Introduction to 802.1x The 802.1x protocol originates from the 802.11 protocol, the IEEE wireless LAN protocol, which is designed to provide a solution for authentication when users access a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can access a LAN controlling device (such as a LAN switch), they will be able to reach all the devices or resources in the LAN.
  • Page 516 system should support EAPOL (Extensible Authentication Protocol over LAN). The authenticator system is another entity at one end of the LAN segment that authenticates the supplicant systems connected to it. An authenticator system is usually a network device supporting the 802.1x protocol, providing ports through which supplicant systems access the LAN. The ports provided can be either physical or logical.
  • Page 517: The Work Mechanism Of 802.1X

    52.1.2 The Work Mechanism of 802.1x The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to exchange authentication information between the supplicant system, the authenticator system and the authentication server system. Figure 52-2 the Work Mechanism of 802.1x. EAP messages adopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the LAN environment.
  • Page 518 PAE Ethernet Type: Represents the type of the protocol, whose value is 0x888E. Protocol Version: Represents the version of the protocol supported by the sender of the EAPOL data packets. Type: represents the type of the EAPOL data packet, including: EAP-Packet (whose value is 0x00): the authentication information frame, used to carry EAP messages.
  • Page 519: The Encapsulation Of Eap Attributes

    Identifier: assists in matching Request and Response messages. Length: the length of the EAP packet in bytes, covering the Code, Identifier, Length and Data fields. Data: the content of the EAP packet, depending on the Code type. 52.1.4 The Encapsulation of EAP Attributes RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator.
  • Page 520 the remote RADIUS server. The following is the description of the process of these two authentication methods, both started by the supplicant system. 52.1.5.1 EAP Relay Mode EAP relay is specified in IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks.
  • Page 521 the same. 1. EAP-MD5 Authentication Method EAP-MD5 is an IETF open standard which provides the least security, since the MD5 hash function is vulnerable to dictionary attacks. The following figure illustrates the basic operation flow of the EAP-MD5 authentication method. Figure 52-9 the Authentication Flow of 802.1x EAP-MD5. 2.
  • Page 522 The following figure illustrates the basic operation flow of the EAP-TLS authentication method. Figure 52-10 the Authentication Flow of 802.1x EAP-TLS. 3. EAP-TTLS Authentication Method EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate.
  • Page 523 authentication. The following figure illustrates the basic operation flow of the PEAP authentication method. Figure 52-11 The Authentication Flow of 802.1x PEAP 52.1.5.2 EAP Termination Mode In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting.
  • Page 524: The Extension And Optimization Of 802.1X

    Figure 52-12 The Authentication Flow of 802.1x EAP Termination Mode 52.1.6 The Extension and Optimization of 802.1x Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x. ...
  • Page 525: The Features Of Vlan Allocation

    resources, which means all users of this port can access limited resources before being authenticated. The user-based advanced control restricts this access further: only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources.
  • Page 526: Configuration Task List

    the port into the Guest VLAN if no supplicant gets authenticated successfully within a certain stretch of time, because the supplicant system lacks a dedicated authentication client or its version is too old. Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port is added into the Guest VLAN, just like Auto VLAN, if there is no response message from the supplicant system after the device has sent more authentication-triggering messages (EAP-Request/Identity) from the port than the upper limit.
  • Page 527 Command (Port Mode): dot1x port-control {auto | force-authorized | force-unauthorized} / no dot1x port-control
    Explanation: Sets the 802.1x authentication mode; the no command restores the default setting.
    2) Configure port access management method
    Command (Port Mode): dot1x port-method {macbased | portbased | webbased | userbased}
    Explanation: Sets the port access management method; the no command restores MAC-based access management.
  • Page 528: Application Example

    Command: dot1x eapor enable / no dot1x eapor enable
    Explanation: Enables the EAP relay authentication function in the switch; the no command sets local authentication.
    3. Supplicant related property configuration
    Command (Global Mode): dot1x max-req <count> / no dot1x max-req
    Explanation: Sets the number of EAP Request/MD5 frames to be sent before the switch re-initiates authentication when the supplicant does not respond; the no command restores the default setting.
  • Page 529 Figure 52-13 The Network Topology of Guest VLAN (Update server in VLAN10, Authenticator server in VLAN2, user port in VLAN100, uplink to the Internet in VLAN5). Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6. As shown in the next figure, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server.
  • Page 530 is set as the port's Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/0/2 is added into VLAN10, allowing the user to access the Update Server. (Figure: Guest VLAN topology with Update server, Authenticator server, VLAN2, VLAN10 and VLAN5...)
  • Page 531: Examples Of Ipv4 Radius Applications

    # Set the access control mode on the port as portbased.
    Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased
    # Set the access control mode on the port as auto.
    Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
    # Set the port's Guest VLAN as 100.
    Switch(Config-If-Ethernet1/0/2)#dot1x guest-vlan 100
    Switch(Config-If-Ethernet1/0/2)#exit
    Using the command show running-config or show interface ethernet 1/2, users can check the configuration of the Guest VLAN.
  • Page 532: Examples Of Ipv6 Radius Application

    Switch(config)#interface vlan 1
    Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
    Switch(Config-if-vlan1)#exit
    Switch(config)#radius-server authentication host 10.1.1.3
    Switch(config)#radius-server accounting host 10.1.1.3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
    Switch(config)#dot1x enable
    Switch(config)#interface ethernet 1/0/2
    Switch(Config-If-Ethernet1/0/2)#dot1x enable
    Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
    Switch(Config-If-Ethernet1/0/2)#exit
    52.3.3 Examples of IPv6 Radius Application
    (Figure: 2004:1:2:3::2 2004:1:2:3::1 Radius Server...)
  • Page 533: Troubleshooting

    Switch(config)#radius-server authentication host 2004:1:2:3::3
    Switch(config)#radius-server accounting host 2004:1:2:3::3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
    Switch(config)#dot1x enable
    Switch(config)#interface ethernet 1/0/2
    Switch(Config-If-Ethernet1/0/2)#dot1x enable
    Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
    Switch(Config-If-Ethernet1/0/2)#exit
    52.4 802.1x Troubleshooting It is possible that 802.1x is configured on the ports and the 802.1x authentication mode is set to auto, yet the switch port cannot reach the authenticated state after the user runs the 802.1x supplicant software.
  • Page 534: Chapter 53 The Number Limitation Function Of Port, Mac In Vlan And Ip Configuration

    Chapter 53 The Number Limitation Function of Port, MAC in VLAN and IP Configuration 53.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP The MAC address table records the mapping between destination MAC addresses and the ports of the switch.
  • Page 535: The Number Limitation Function Of Port, Mac In Vlan And Ip Configuration Task Sequence

    through configuration commands. Limiting the number of dynamic MAC and IP entries on ports: 1. Limiting the number of dynamic MAC entries. If the number of MAC addresses dynamically learnt by the switch on a port is already larger than or equal to the configured maximum number of dynamic MAC addresses, MAC learning is shut down on this port; otherwise, the port can continue learning.
  • Page 536 2. Enable the number limitation function of MAC and IP in VLAN
    Command (VLAN configuration mode): vlan mac-address dynamic maximum <value> / no vlan mac-address dynamic maximum
    Explanation: Enable and disable the number limitation function of MAC in the VLAN.
    Command (Interface configuration mode): ip arp dynamic maximum <value>...
  • Page 537: The Number Limitation Function Of Port, Mac In Vlan And Ip Typical Examples

    Command: show nd-dynamic count {vlan <vlan-id> | interface ethernet <portName>}
    Explanation: Display the number of dynamic NEIGHBOUR entries in the corresponding ports and VLAN.
    Command: debug switchport mac count / no debug switchport mac count
    Explanation: All kinds of debug information when limiting the number of MAC on ports.
    Command: debug switchport arp count / no debug switchport arp count
    Explanation: All kinds of debug information when...
  • Page 538: The Number Limitation Function Of Port, Mac In Vlan And Ip Troubleshooting Help

    Switch B can get the MAC, ARP and ND entries of all the PCs, so limiting the MAC and ARP entries can avoid DoS attacks to a certain extent. When malicious users frequently perform MAC and ARP spoofing, it is easy for them to fill the MAC and ARP tables of the switch, resulting in a successful DoS attack.
  • Page 539: Chapter 54 Operational Configuration Of Am Function

    Chapter 54 Operational Configuration of AM Function 54.1 Introduction to AM Function AM (Access Management) means that when a switch receives an IP or ARP packet, it compares the information extracted from the packet (such as the source IP address or the source MAC-IP pair) with the configured hardware address pool.
  • Page 540 Command: am port / no am port
    Explanation: Enable/disable the AM function on the port. When the AM function is enabled on the port, no IP or ARP packet is forwarded by default.
    3. Configure the forwarding IP
    Command (Port Mode): am ip-pool <ip-address> <num>
    Explanation: Configure the forwarding IP of the port.
  • Page 541: Am Function Example

    54.3 AM Function Example Figure 54-1 A typical configuration example of the AM function (Internet, SWITCH with Port1 and Port2, HUB1 and HUB2, PCs up to PC30). In the topology above, 30 PCs, aggregated by HUB1, connect to interface 1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager only treats users with an IP address within that range as legal.
  • Page 542: Chapter 55 Tacacs+ Configuration

    Chapter 55 TACACS+ Configuration 55.1 Introduction to TACACS+ TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, TACACS+ uses TCP at the transport layer and encrypts the whole packet except the standard packet header, so it offers more reliable transmission and stronger encryption characteristics and is better suited to security control.
  • Page 543: Tacacs+ Scenarios Typical Examples

    3. Configure the TACACS+ authentication timeout time
    Command (Global Mode): tacacs-server timeout <seconds> / no tacacs-server timeout
    Explanation: Configure the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration.
    4. Configure the IP address of the TACACS+ NAS
    Command (Global Mode): ...
  • Page 544: Tacacs+ Troubleshooting

    Switch(config)#authentication line vty login tacacs
    55.4 TACACS+ Troubleshooting In configuring and using TACACS+, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following: first, that the physical connection to the TACACS+ server is in good condition. ...
  • Page 545: Chapter 56 Radius Configuration

    Chapter 56 RADIUS Configuration 56.1 Introduction to RADIUS 56.1.1 AAA and RADIUS Introduction AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for secure network management. Through the three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and accounting for the network resources used.
  • Page 546 Identifier field (1 octet): identifier matching request and answer packets. Length field (2 octets): the length of the overall RADIUS packet, including Code, Identifier, Length, Authenticator and Attributes. Authenticator field (16 octets): used to validate the packets received from the RADIUS server, or to carry encrypted passwords.
  • Page 547: Radius Configuration Task List

    56.2 RADIUS Configuration Task List 1. Enable the authentication and accounting function. 2. Configure the RADIUS authentication key. 3. Configure the RADIUS server. 4. Configure the parameter of the RADIUS service. 5. Configure the IP address of the RADIUS NAS. 1.
  • Page 548: Radius Typical Examples

    Command: radius-server accounting host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key <string>] [primary] / no radius-server accounting host {<ipv4-address> | <ipv6-address>}
    Explanation: Specifies the IPv4/IPv6 address and the port number of the RADIUS accounting server and whether it is the primary server; the no command deletes the RADIUS accounting server.
    4.
  • Page 549: Ipv6 Radiusexample

    Figure 56-2 The Topology of IEEE 802.1x configuration (switch 10.1.1.2, 10.1.1.1, Radius Server 10.1.1.3). A computer connects to the switch through Ethernet1/0/2; the switch's IP address is 10.1.1.2 and it is connected to a RADIUS authentication server whose IP address is 10.1.1.3; the authentication port defaults to 1812 and the accounting port to 1813.
  • Page 550: Radius Troubleshooting

    Figure 56-3 The Topology of IPv6 Radius configuration. A computer connects to the switch through Ethernet1/2; the switch's IP address is 2004:1:2:3::2 and it is connected to a RADIUS authentication server whose IP address is 2004:1:2:3::3; the authentication port defaults to 1812 and the accounting port to 1813.
  • Page 551: Chapter 57 Ssl Configuration

    Chapter 57 SSL Configuration 57.1 Introduction to SSL As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networking applications. Network security has become one of the greatest barriers to modern networking applications.
  • Page 552: Ssl Configuration Task List

    Firstly, SSL should be enabled on the switch. When the client tries to access the switch over HTTPS, an SSL session is set up between the switch and the client. Once the SSL session has been set up, all data transmission in the application layer is encrypted.
  • Page 553: Ssl Typical Example

    2. Configure/delete the port number used by SSL
    Command (Global Mode): ip http secure-port <port-number> / no ip http secure-port
    Explanation: Configure the port number used by SSL; the "no ip http secure-port" command deletes the port number.
    3. Configure/delete the secure cipher suite used by SSL
    Command (Global Mode): ...
  • Page 554: Ssl Troubleshooting

    (Figure: PC users' web browser connected to the switch web server over an HTTPS SSL session; data acquisition by malicious users fails.)
    Configuration on the switch:
    Switch(config)# ip http secure-server
    Switch(config)# ip http secure-port 1025
    Switch(config)# ip http secure-ciphersuite rc4-128-sha
    57.4 SSL Troubleshooting In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configurations.
  • Page 555: Chapter 58 Ipv6 Security Ra Configuration

    Chapter 58 IPv6 Security RA Configuration 58.1 Introduction to IPv6 Security RA In IPv6 networks, the topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RAs carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the sender of the RA as their default router in order to communicate on the IPv6 network.
  • Page 556: Ipv6 Security Ra Typical Examples

    Command: debug ipv6 security-ra / no debug ipv6 security-ra
    Explanation: Enable the debug information of the IPv6 security RA module; the no form of this command disables the output of IPv6 security RA debug information.
    Command: show ipv6 security-ra [interface <interface-list>]
    Explanation: Display the distrust ports and whether security RA is enabled globally.
  • Page 557: Chapter 59 Vlan-Acl Configuration

    Chapter 59 VLAN-ACL Configuration 59.1 Introduction to VLAN-ACL The user can apply an ACL policy to a VLAN to implement access control for all ports in the VLAN, so VLAN-ACL lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN without configuring each member port separately.
  • Page 558 2. Configure VLAN-ACL of MAC type
    Command (Global mode): vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD / no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
    Explanation: Configure or delete MAC VLAN-ACL.
    3. Configure VLAN-ACL of MAC-IP
    Command (Global mode): ...
  • Page 559: Vlan-Acl Configuration Example

    59.3 VLAN-ACL Configuration Example A company's network is configured as follows: all departments are divided into different VLANs, the technical department is Vlan1 and the finance department is Vlan2. It is required that the technical department can access the outside network at timeout, but the finance department is not allowed to access the outside network at any time, for security.
  • Page 560: Vlan-Acl Troubleshooting

    Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
    Configure the extended IP ACL vacl_b; at any time it only allows access to resources within the internal network (such as 192.168.1.255).
    Switch(config)#ip access-list extended vacl_b
    Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255
    Switch(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination
    Apply the configuration to the VLANs:
    Switch(config)#vacl ip access-group vacl_a in vlan 1
    Switch(config)#vacl ip access-group vacl_b in vlan 2...
  • Page 561: Chapter 60 Mab Configuration

    Chapter 60 MAB Configuration 60.1 Introduction to MAB In real networks there are devices on which an authentication client cannot be installed, such as printers and PDA devices, so they cannot perform 802.1x authentication. To access network resources, they use MAB authentication in place of 802.1x authentication.
  • Page 562 Command: mac-authentication-bypass enable / no mac-authentication-bypass enable
    Explanation: Enable the port MAB authentication function.
    2. Configure MAB authentication username and password
    Command (Global Mode): mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}
    Explanation: Set the authentication mode of the MAB authentication function.
    3. Configure MAB parameters
    Command (Port Mode): ...
  • Page 563: Mab Example

    Command: mac-authentication-bypass timeout linkup-period <0-30> / no mac-authentication-bypass timeout linkup-period
    Explanation: To obtain an IP address again, set the down/up interval used when the MAB binding is changing into a VLAN.
    Command: mac-authentication-bypass spoofing-garp-check enable / no mac-authentication-bypass spoofing-garp-check enable
    Explanation: Enable the spoofing-garp-check function, which handles spoofed gratuitous ARP (GARP) packets; the no command disables the function.
  • Page 564 Figure 60-1 MAB application. Switch1 is a layer 2 access switch and Switch2 is a layer 3 aggregation switch. Ethernet 1/0/1 of Switch1 is an access port connected to PC1; it enables the 802.1x port-based function and configures vlan8 as its guest VLAN. Ethernet 1/0/2 is a hybrid port connected to PC2; its native VLAN is vlan1, it configures vlan8 as its guest VLAN, joins vlan1, vlan8 and vlan10 untagged, and enables the MAB function.
  • Page 565: Mab Troubleshooting

    Switch(config)#interface ethernet 1/0/2
    Switch(config-if-ethernet1/0/2)# switchport mode hybrid
    Switch(config-if-ethernet1/0/2)# switchport hybrid native vlan 1
    Switch(config-if-ethernet1/0/2)# switchport hybrid allowed vlan 1;8;10 untag
    Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable
    Switch(config-if-ethernet1/0/2)# mac-authentication-bypass enable guest-vlan 8
    Switch(config-if-ethernet1/0/2)#exit
    Switch(config)#interface ethernet 1/0/3
    Switch(config-if-ethernet1/0/3)# switchport mode access
    Switch(config-if-ethernet1/0/3)# mac-authentication-bypass enable
    Switch(config-if-ethernet1/0/3)#exit
    Switch(config)#interface ethernet 1/0/4
    Switch(config-if-ethernet1/0/4)# switchport mode trunk
    60.4 MAB Troubleshooting...
  • Page 566: Chapter 61 Pppoe Intermediate Agent Configuration

    Chapter 61 PPPoE Intermediate Agent Configuration 61.1 Introduction to PPPoE Intermediate Agent 61.1.1 Brief Introduction to PPPoE PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet. PPP is a link layer protocol that supplies a point-to-point communication method; it is usually chosen for host dial-up links, for example when the link is a dial-up line.
  • Page 567 the PADO packet matches the service information needed by the client). The MAC address of the other end used for the session is known once a server is selected, and the client sends a PADR (PPPoE Active Discovery Request) packet to it to announce its session requirement to the server. Server responds with a PADS packet: in the fourth step, the server creates a session ID according to the received PADR packet; this session ID is sent to the client through a PADS (PPPoE Active Discovery Session-confirmation) packet. With this the PPPoE discovery stage is completed and the session stage begins.
  • Page 568 PPPoE data frame layout:
    Version | Type | Code | Session ID | Length Field | TLV1 | …… | TLV N
    TLV frame layout:
    Type | Length | Data
    The meaning of each field is as follows: Type field (2 bytes) of the Ethernet II frame: the protocol sets the type field value of PPPoE packets to 0x8863 for the discovery stage (covering only the 5 kinds of packets of the PPPoE discovery stage) and to 0x8864 for the session stage.
  • Page 569 61.1.2.3 PPPoE Intermediate Agent vendor tag Frame The following is the format of the tag added by PPPoE IA; adding this tag is the primary function of PPPoE IA. Figure 61-2 PPPoE IA - vendor tag (4 bytes in each row) The TLV tag type for PPPoE IA is 0x0105, TAG_LENGTH is the length field of the vendor tag, and 0x00000DE9 is the "ADSL Forum"...
  • Page 570: Pppoe Intermediate Agent Configuration Task List

    the port connected to the client as an untrust port; a trust port can receive all packets, while an untrust port can receive only the PADI, PADR and PADT packets that are sent to the server. To ensure correct client operation, the port connected to the server must be set as a trust port; each access device has at least one trust port. PPPoE IA vendor tags must not exist in PPPoE packets sent by the server to the client, so the switch can strip these vendor tags, if present, before forwarding.
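    The PPPoE discovery frame format and the vendor-tag strip behaviour described in the passages above, as an added example that is not part of the Planet manual: a bounds-checked parser for the Version/Type, Code, Session ID, Length and TLV fields, a check for the PPPoE IA vendor tag (TLV type 0x0105 carrying the ADSL Forum vendor id 0x00000DE9), and a strip function that rebuilds a server-to-client PADO without that tag and fixes the Length field. The frames are constructed; the discovery Code values (PADI 0x09, PADO 0x07, PADR 0x19, PADS 0x65, PADT 0xA7) come from RFC 2516, not from this page.

```python
"""Parse PPPoE discovery frames and strip the PPPoE IA vendor tag.

Added example, not part of the Planet manual. Layout follows the manual:
Ethertype 0x8863 (discovery) / 0x8864 (session); Version/Type, Code,
Session ID, Length, then TLV tags; the IA vendor tag is TLV type 0x0105
whose value starts with the ADSL Forum vendor id 0x00000DE9.
"""
import struct

PPPOE_DISCOVERY = 0x8863
PPPOE_SESSION = 0x8864
TAG_END_OF_LIST = 0x0000
TAG_AC_NAME = 0x0102
TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_VENDOR_ID = 0x00000DE9
# Discovery codes from RFC 2516 (the manual names the packets, not the codes).
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}


def parse_tags(payload: bytes) -> list:
    """Split the PPPoE payload into (tag_type, tag_value) pairs, checking bounds."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        t_type, t_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + t_len > len(payload):
            raise ValueError("TLV length exceeds payload")
        tags.append((t_type, payload[off:off + t_len]))
        off += t_len
        if t_type == TAG_END_OF_LIST:
            break
    return tags


def parse_pppoe(frame: bytes) -> dict:
    """Return header fields and tags of a PPPoE frame; tags only for discovery."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype not in (PPPOE_DISCOVERY, PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ethertype 0x{ethertype:04x}")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, 14)
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length exceeds frame; truncated")
    discovery = ethertype == PPPOE_DISCOVERY
    return {
        "stage": "discovery" if discovery else "session",
        "version": ver_type >> 4, "type": ver_type & 0x0F,
        "code": CODES.get(code, f"0x{code:02x}"), "session_id": session_id,
        "tags": parse_tags(payload) if discovery else [],
    }


def is_ia_vendor_tag(t_type: int, value: bytes) -> bool:
    """True for a Vendor-Specific tag whose vendor id is the ADSL Forum."""
    return (t_type == TAG_VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack("!I", value[:4])[0] == ADSL_FORUM_VENDOR_ID)


def has_ia_vendor_tag(frame: bytes) -> bool:
    return any(is_ia_vendor_tag(t, v) for t, v in parse_pppoe(frame)["tags"])


def strip_ia_vendor_tag(frame: bytes) -> bytes:
    """Rebuild the frame without the IA vendor tag and recompute Length.

    This is what the trust port's vendor-tag strip does for packets the
    server sends towards the client, which must not carry the IA tag.
    """
    kept = b"".join(struct.pack("!HH", t, len(v)) + v
                    for t, v in parse_pppoe(frame)["tags"]
                    if not is_ia_vendor_tag(t, v))
    # Ethernet header (14) + Version/Type (1) + Code (1) + Session ID (2) = 18.
    return frame[:18] + struct.pack("!H", len(kept)) + kept


def build_pado(with_vendor_tag: bool) -> bytes:
    """Constructed sample PADO from a server, optionally carrying an IA tag."""
    tags = struct.pack("!HH", TAG_AC_NAME, 3) + b"BAS"
    if with_vendor_tag:
        value = struct.pack("!I", ADSL_FORUM_VENDOR_ID) + b"\x01\x03eth"  # constructed sub-TLV
        tags += struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(value)) + value
    hdr = struct.pack("!BBHH", 0x11, 0x07, 0x0000, len(tags))  # ver 1, type 1, PADO
    dst = bytes.fromhex("001122334455")  # constructed client MAC
    src = bytes.fromhex("0a0b0c0d0e0f")  # switch MAC used in the manual's example
    return dst + src + struct.pack("!H", PPPOE_DISCOVERY) + hdr + tags


if __name__ == "__main__":
    pado = build_pado(True)
    print(parse_pppoe(pado)["code"], "carries IA tag:", has_ia_vendor_tag(pado))
    print("after strip:", has_ia_vendor_tag(strip_ia_vendor_tag(pado)))
```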
  • Page 571: Pppoe Intermediate Agent Typical Application

    61.3 PPPoE Intermediate Agent Typical Application A typical PPPoE Intermediate Agent application is as follows: Figure 61-4 PPPoE IA typical application. Both the host and the BAS server run the PPPoE protocol; they are connected by a layer 2 Ethernet, and the switch enables the PPPoE Intermediate Agent function. Typical configuration (1) is as follows: Step 1: Enable the global PPPoE IA function on the switch, whose MAC is 0a0b0c0d0e0f.
  • Page 572: Pppoe Intermediate Agent Troubleshooting

    Typical configuration (2) is as follows:
    Step 1: Enable the global PPPoE IA function on the switch, whose MAC is 0a0b0c0d0e0f.
    Switch(config)#pppoe intermediate-agent
    Step 2: Configure port ethernet1/0/1, which connects to the server, as a trust port, and configure the vendor tag strip function.
    Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
    Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
    Step 3: Enable the port PPPoE IA function on port ethernet1/0/2 of vlan1 and port ethernet1/0/3 of vlan 1234.
  • Page 573: Chapter 62 Savi Configuration

    Chapter 62 SAVI Configuration 62.1 Introduction to SAVI SAVI (Source Address Validation Improvement) is a security authentication method that provides validation at the granularity of the node source address. It obtains trusted node information (such as port and MAC address information), namely anchor information, by monitoring the interaction of the relevant protocol packets (such as the ND protocol and DHCPv6 protocol) using the CPS (Control Packet Snooping) mechanism.
  • Page 574 Command (Global Mode): savi enable / no savi enable
    Explanation: Enable the global SAVI function; the no command disables the function.
    2. Enable or disable application scene function for SAVI
    Command (Global Mode): savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
    Explanation: Enable the application scene function for SAVI; the no command disables the function.
  • Page 575 6. Configure the global max-slaac-life for SAVI
    Command (Global Mode): savi max-slaac-life <max-slaac-life> / no savi max-slaac-life
    Explanation: Configure the lifetime period of the dynamic slaac binding at BOUND state; the no command restores the default value.
    7. Configure the lifetime period for SAVI bind-protect
    Command (Global Mode): ...
  • Page 576 11. Configure the check mode for SAVI conflict binding
    Command (Global Mode): savi check binding <simple | probe> mode / no savi check binding mode
    Explanation: Configure the check mode for the conflict binding; the no command deletes the check mode.
    12. Enable or disable user authentication
    Command (Port mode): ...
  • Page 577: Savi Typical Application

    Command: savi ipv6 binding num <limit-num> / no savi ipv6 binding num
    Explanation: Configure the binding number of a port; the no command restores the default value.
    Note: The binding number only limits the dynamic bindings, not the number of static bindings.
    62.3 SAVI Typical Application In actual application, the SAVI function is usually applied on access layer switches to check the validity of the node source address on the direct link.
  • Page 578: Savi Troubleshooting

    Ethernet1/0/12 of Switch1 and port Ethernet1/0/13 of Switch2, and enable the source address check function of SAVI. Ethernet1/0/1 and Ethernet1/0/2 are uplink ports of Switch1 and Switch2 respectively, enable DHCP trust and ND trust functions. Aggregation Switch3 enables DHCPv6 server function and route advertisement function.
  • Page 579: Chapter 63 Web Portal Configuration

    Chapter 63 Web Portal Configuration 63.1 Introduction to Web Portal Authentication 802.1x authentication uses a special client to authenticate, the device uses a special layer 2 switch, the authentication server uses a RADIUS server, and the authentication messages use the EAP protocol. The EAPOL encapsulation technique (encapsulating EAP packets within Ethernet frames) is used for the communication between the client and the authentication proxy switch, while the authentication proxy switch and the authentication server use the EAPOR encapsulation format (running EAP packets over the Radius protocol) to process the...
  • Page 580 2. Enable/disable web portal authentication of the port
    Command (Port Mode): webportal enable / no webportal enable
    Explanation: Enable/disable web portal authentication of the port.
    3. Configure the max web portal binding number allowed by the port
    Command (Port Mode): webportal binding-limit <1-256>...
  • Page 581: Web Portal Authentication Typical Example

    Command: clear webportal binding {mac WORD | interface <ethernet IFNAME | IFNAME> |}
    Explanation: Delete the binding information of web portal authentication.
    63.3 Web Portal Authentication Typical Example
    (Figure: Internet, RADIUS server, Portal server and DHCP server (192.168.40.100, 192.168.40.99) connected to Switch1 (192.168.40.50) on ports Ethernet1/0/1 to Ethernet1/0/6...)
  • Page 582: Web Portal Authentication Troubleshooting

    The configuration of the common web portal authentication is as follows:
    Switch(config)#interface vlan 1
    Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
    Switch(config)#webportal enable
    Switch(config)#webportal nas-ip 192.168.40.50
    Switch(config)#webportal redirect 192.168.40.99
    Switch(config)#interface ethernet 1/0/3
    Switch(config-if-ethernet1/0/3)#webportal enable
    Web portal authentication used together with DHCP snooping binding is configured as follows:
    Switch(config)#ip dhcp snooping enable
    Switch(config)#ip dhcp snooping binding enable
    Switch(config)#interface ethernet 1/0/2...
  • Page 583: Chapter 64 Vrrp Configuration

    Chapter 64 VRRP Configuration 64.1 Introduction to VRRP VRRP (Virtual Router Redundancy Protocol) is a fault tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It was developed by the IETF for local area networks (LAN) with multicast/broadcast capability (Ethernet being a typical example) and has wide applications.
  • Page 584 (1) Configure the preemptive mode for VRRP (2) Configure VRRP priority (3) Configure VRRP timer intervals (4) Configure VRRP interface monitor
    1. Create/Remove the Virtual Router
    Command (Global Mode): router vrrp <vrid> / no router vrrp <vrid>
    Explanation: Creates/Removes the Virtual Router.
    2.
  • Page 585: Vrrp Typical Examples

    Command (VRRP protocol configuration mode): advertisement-interval <time>
    Explanation: Configures the VRRP timer value (in seconds).
    (4) Configure VRRP interface monitor
    Command (VRRP protocol configuration mode): circuit-failover {IFNAME | Vlan <ID>} <value_reduced>
    Explanation: Configures VRRP interface monitor; the "no circuit-failover" command removes the monitor from the ...
  • Page 586: Vrrp Troubleshooting

    SwitchB(Config-Router-Vrrp)# virtual-ip 10.1.1.5
    SwitchB(Config-Router-Vrrp)# interface vlan 1
    SwitchB(Config-Router-Vrrp)# enable
    64.4 VRRP Troubleshooting In configuring and using the VRRP protocol, VRRP may fail to run properly due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: ...
  • Page 587: Chapter 65 Ipv6 Vrrpv3 Configuration

    Chapter 65 IPv6 VRRPv3 Configuration 65.1 Introduction to VRRPv3 VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed based on VRRP (VRRPv2) in IPv4 environment. The following is a brief introduction to it. In a network based on TCP/IP protocol, in order to guarantee the communication between the devices which are not physically connected, routers should be specified.
  • Page 588: The Format Of Vrrpv3 Message

    protocols. Compared with NDP, VRRP provides a fast default gateway switch. In VRRP, backup routers can take up the unavailable master router in about 3 seconds (default parameter), and this process needs no interaction with hosts, which means being transparent to hosts. 65.1.1 The Format of VRRPv3 Message VRRPv3 has its own message format, VRRP messages are used to communicate the priority of routers and the state of Master in the backup group, they are encapsulated in IPv6 messages to send, and are sent to the...
  • Page 589: Vrrpv3 Working Mechanism

    65.1.2 VRRPv3 Working Mechanism The working mechanism of VRRPv3 is the same as that of VRRPv2; it is mainly implemented through the interaction of VRRP advertisement messages. It is briefly described as follows: each VRRP router has a unique ID, the VRID, ranging from 1 to 255. Outwardly the router has a unique virtual MAC address in the format 00-00-5E-00-02-{VRID} (the virtual MAC address format in VRRPv2 is 00-00-5E-00-01-{VRID}).
  • Page 590: Vrrpv3 Configuration

    65.2 VRRPv3 Configuration 65.2.1 Configuration Task Sequence
    Create/delete the virtual router (necessary)
    Configure the virtual IPv6 address and interface of VRRPv3 (necessary)
    Enable/disable the virtual router (necessary)
    Configure VRRPv3 assistant parameters (optional): (1) Configure VRRPv3 preempt mode (2) Configure VRRPv3 priority (3) Configure the VRRPv3 advertisement interval (4) Configure the monitor interface of VRRPv3
    1.
  • Page 591: Vrrpv3 Typical Examples

    (2) Configure VRRPv3 priority
    Command (VRRPv3 Protocol Mode): priority <priority>
    Explanation: Configure VRRPv3 priority.
    (3) Configure the VRRPv3 advertisement interval
    Command (VRRPv3 Protocol Mode): advertisement-interval <time>
    Explanation: Configure the VRRPv3 advertisement interval (in centiseconds).
    (4) Configure the monitor interface of VRRPv3
    Command: ...
  • Page 592: Vrrpv3 Troubleshooting

    IPv6_A and IPv6_B are in the same segment), the virtual IPv6 addresses of backup group 1 and backup group are "V_IPv6_C" and "V_IPv6_D" respectively, and the default IPv6 gateway addresses of the hosts are configured as "V_IPv6_C" and "V_IPv6_D" respectively (in reality, the IPv6 gateway address of hosts is usually learnt automatically via router advertisements, so the IPv6 next hop of the hosts has some randomness).
  • Page 593: Chapter 66 Mrpp Configuration

    Chapter 66 MRPP Configuration 66.1 Introduction to MRPP MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet loop protection. It avoids the broadcast storms caused by data loops on an Ethernet ring and restores communication among all nodes on the ring network when a link on the Ethernet ring breaks.
  • Page 594: Mrpp Protocol Packet Types

    Each switch is named after a node on Ethernet. The node has some types: Primary node: each ring has a primary node, it is main node to detect and defend. Transfer node: except for primary node, other nodes are transfer nodes on each ring. The node role is determined by user configuration.
  • Page 595: Mrpp Protocol Operation System

    66.1.3 MRPP Protocol Operation System 1. Link Down Alarm System When a transfer node finds that one of its MRPP ring ports is down, it immediately sends a Link Down packet to the primary node. On receiving the Link Down packet, the primary node immediately releases the blocked state of its secondary port and sends a LINK-DOWN-FLUSH-FDB packet to inform all transfer nodes to refresh their own MAC address forwarding tables.
  • Page 596 Configure MRPP ring. Command (Global Mode): mrpp ring <ring-id> creates an MRPP ring; no mrpp ring <ring-id> deletes the MRPP ring and its configuration. Command (MRPP ring mode): control-vlan <vid> configures the control VLAN ID; no control-vlan deletes the configured control VLAN ID. Command (MRPP ring mode): node-mode {master | transit} configures the node type of the MRPP ring (primary node or secondary node).
  • Page 597: Mrpp Typical Scenario

    clear mrpp statistics {<ring-id>}: clear the received data packet statistics of the MRPP ring. 66.3 MRPP Typical Scenario [Figure 66-2 MRPP typical configuration scenario: SWITCH A (Master Node), SWITCH B, SWITCH C and SWITCH D on MRPP Ring 4000] The above topology is a common MRPP deployment. Multiple switches form a single MRPP ring: every switch is configured with MRPP ring 4000 only, so together they constitute one MRPP ring.
  • Page 598 Switch(Config)#
    SWITCH B configuration Task Sequence:
    Switch(Config)#mrpp enable
    Switch(Config)#mrpp ring 4000
    Switch(mrpp-ring-4000)#control-vlan 4000
    Switch(mrpp-ring-4000)#enable
    Switch(mrpp-ring-4000)#exit
    Switch(Config)#interface ethernet 1/0/1
    Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
    Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
    Switch(config-If-Ethernet1/0/2)#exit
    Switch(Config)#
    SWITCH C configuration Task Sequence:
    Switch(Config)#mrpp enable
    Switch(Config)#mrpp ring 4000
    Switch(mrpp-ring-4000)#control-vlan 4000
    Switch(mrpp-ring-4000)#enable
    Switch(mrpp-ring-4000)#exit...
  • Page 599: Mrpp Troubleshooting

    66.4 MRPP Troubleshooting The normal operation of the MRPP protocol depends on the correct configuration of each switch on the MRPP ring; otherwise a loop and a broadcast storm are very likely to form. When configuring an MRPP ring, it is best to disconnect the ring first, wait until every switch has been configured, and only then reconnect the ring.
  • Page 600: Chapter 67 Ulpp Configuration

    Chapter 67 ULPP Configuration 67.1 Introduction to ULPP Each ULPP group has two uplink ports, the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally only one port is in the Forwarding state; the other port is blocked in the Standby state.
  • Page 601: Ulpp Configuration Task List

    method of MSTP instances, and ULPP does not provide protection to other VLANs. When an uplink switchover happens, the existing forwarding entries of the device no longer apply to the new topology of the network. In the figure, SwitchA is configured with ULPP and portA1 is the master port in the forwarding state; the MAC address of the PC is learned by SwitchD from portD3.
  • Page 602 1. Create ULPP group globally. Command (Global mode): ulpp group <integer> / no ulpp group <integer>. Explanation: configure and delete a ULPP group globally. 2. Configure ULPP group. Command (ULPP group configuration mode): preemption mode / no preemption mode. Explanation: configure the preemption mode of the ULPP group; the no operation deletes the preemption mode.
  • Page 603: Ulpp Typical Examples

    ulpp group <integer> master / no ulpp group <integer> master: configure or delete the master port of the ULPP group. ulpp group <integer> slave / no ulpp group <integer> slave: configure or delete the slave port of the ULPP group. 3. Show and debug the relating information of ULPP Command Explanation Admin mode...
  • Page 604 [Figure 67-3 ULPP typical example 1: SwitchA, SwitchB (E1/1, E1/2), SwitchC (E1/1, E1/2) and SwitchD] The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and to SwitchC. When no protocol is enabled, this topology forms a ring.
  • Page 605: Ulpp Typical Example2

    Switch(config-If-Ethernet1/0/2)#exit
    SwitchB configuration task list:
    Switch(Config)#vlan 10
    Switch(Config-vlan10)#switchport interface ethernet 1/0/1
    Switch(Config-vlan10)#exit
    Switch(Config)#interface ethernet 1/0/1
    Switch(config-If-Ethernet1/0/1)# ulpp flush enable mac
    Switch(config-If-Ethernet1/0/1)# ulpp flush enable arp
    Switch(config-If-Ethernet1/0/1)# ulpp control vlan 10
    SwitchC configuration task list:
    Switch(Config)#vlan 10
    Switch(Config-vlan10)#switchport interface ethernet 1/0/2
    Switch(Config-vlan10)#exit
    Switch(Config)#interface ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)# ulpp flush enable mac...
  • Page 606 mutually back each other up and forward the packets of different VLAN ranges. When port E1/0/1 fails, the traffic of VLAN 1-200 is forwarded by port E1/0/2. When port E1/0/1 recovers to the normal state, port E1/0/2 still forwards the data of VLAN 101-200, while the data of VLAN 1-100 is switched back to port E1/0/1 for forwarding.
  • Page 607: Ulpp Troubleshooting

    67.4 ULPP Troubleshooting At present, configuring more than 2 multi-uplinks is allowed, but it may cause a loop, so it is not recommended. With a normal configuration, if a broadcast storm happens or the communication along the ring is broken, please enable ULPP debugging, copy 3 minutes of debug information together with the configuration information, and send them to our technical service center.
  • Page 608: Chapter 68 Ulsm Configuration

    Chapter 68 ULSM Configuration 68.1 Introduction to ULSM ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group.
  • Page 609: Ulsm Configuration Task List

    68.2 ULSM Configuration Task List 1. Create ULSM group globally 2. Configure ULSM group 3. Show and debug the relating information of ULSM 1. Create ULSM group globally. Command (Global mode): ulsm group <group-id> / no ulsm group <group-id>. Explanation: configure and delete a ULSM group globally...
  • Page 610: Ulsm Typical Example

    68.3 ULSM Typical Example [Figure 68-2 ULSM typical example: SwitchA, SwitchB (E1/0/1, E1/0/2), SwitchC (E1/0/1, E1/0/2) and SwitchD (E1/0/3, E1/0/4)] The above topology is the typical application environment in which ULSM and the ULPP protocol are used together. ULSM is used to synchronize port states; running on its own it is of little use, so it is usually associated with the ULPP protocol.
  • Page 611: Ulsm Troubleshooting

    Switch(config-If-Ethernet1/0/1)#ulsm group 1 downlink
    Switch(config-If-Ethernet1/0/1)#exit
    Switch(Config)#interface ethernet 1/0/3
    Switch(config-If-Ethernet1/0/3)#ulsm group 1 uplink
    Switch(config-If-Ethernet1/0/3)#exit
    SwitchC configuration task list:
    Switch(Config)#ulsm group 1
    Switch(Config)#interface ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)#ulsm group 1 downlink
    Switch(config-If-Ethernet1/0/2)#exit
    Switch(Config)#interface ethernet 1/0/4
    Switch(config-If-Ethernet1/0/4)#ulsm group 1 uplink
    Switch(config-If-Ethernet1/0/4)#exit
    68.4 ULSM Troubleshooting With a normal configuration, if the downlink port does not respond to the down event of the uplink port, please enable the ULSM debug function, copy 3 minutes of debug information together with the configuration information, and send them to our technical service center.
  • Page 612: Chapter 69 Mirror Configuration

    At present, each box switch can configure multiple mirror sessions. Among the XGS3 series box switches, multiple mirror sessions are not supported by the XGS3-24042. There is no limitation on mirror source ports: one port or several ports are allowed. When there is more than one source port, they can be in the same VLAN or in different VLANs.
  • Page 613: Mirror Examples

    Command (Global mode): monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]} {rx | tx | both}. Explanation: specifies the mirror source port; the no command, no monitor session <session> source {interface <interface-list> | cpu [slot <slotnum>]}, deletes the mirror source port. 3.
  • Page 614: Device Mirror Troubleshooting

    Switch(config)#monitor session 4 source interface ethernet 1/0/15 access-list 120 rx
    69.4 Device Mirror Troubleshooting If problems occur when configuring port mirroring, please check the following first for causes: whether the mirror destination port is a member of a TRUNK group; if so, modify the TRUNK group.
  • Page 615: Chapter 70 Rspan Configuration

    Chapter 70 RSPAN Configuration 70.1 Introduction to RSPAN Port mirroring refers to duplicating the data frames sent or received on one port to another port. The duplicated port is referred to as the mirror source port and the duplicating port as the mirror destination port. Once mirroring is in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
  • Page 616: Rspan Configuration Task List

    For chassis switches, at most 4 mirror destination ports are supported, and the source or destination port of one mirror session can be configured on each line card. For box switches, only one mirror session can be configured. The number of source mirror ports is not limited, and can be one or more. Multiple source ports are not required to be in the same VLAN.
  • Page 617 1. Configure RSPAN VLAN. Command (VLAN Configuration Mode): remote-span / no remote-span. Explanation: configure the specified VLAN as the RSPAN VLAN; the no command removes the RSPAN VLAN configuration. 2. Configure mirror source port. Command (Global Mode): monitor session <session> source {interface <interface-list>...
  • Page 618: Typical Examples Of Rspan

    70.3 Typical Examples of RSPAN Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network. With the help of RSPAN, network administrators can configure and supervise the switches remotely, which is more efficient.
  • Page 619 Intermediate switch: Interface ethernet1/0/6 is the source port which is connected to the source switch. Interface ethernet1/0/7 is the destination port which is connected to the intermediate switch. The native VLAN of this port cannot be configured as RSPAN VLAN, or the mirrored data may not be carried by the destination switch.
  • Page 620 Switch(config)#interface ethernet 1/0/2
    Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
    Switch(Config-If-Ethernet1/0/2)#exit
    Switch(config)#interface ethernet 1/0/3
    Switch(Config-If-Ethernet1/0/3)#switchport mode trunk
    Switch(Config-If-Ethernet1/0/3)#exit
    Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
    Switch(config)#monitor session 1 reflector-port ethernet1/0/3
    Switch(config)#monitor session 1 remote vlan 5
    Intermediate switch: Interface ethernet1/0/6 is the source port which is connected to the source switch. Interface ethernet1/0/7 is the destination port which is connected to the destination switch.
  • Page 621: Rspan Troubleshooting

    70.4 RSPAN Troubleshooting RSPAN may fail to function for the following reasons: the destination mirror port is a member of a Port-channel group; if so, please change the Port-channel group configuration. The throughput of the destination port is less than the total throughput of the source mirror ports; if so, the destination cannot capture all the datagrams from every source port.
  • Page 622: Chapter 71 Sflow Configuration

    Chapter 62 ULSM Configuration Chapter 71 sFlow Configuration 71.1 Introduction to sFlow sFlow (RFC 3176) is a standards-based protocol for exporting and monitoring network traffic information, developed by the InMon Company. The monitored switch or router samples and counts traffic and sends the data to the client analyzer, which then analyzes it according to the user's requirements in order to monitor the network.
  • Page 623 2. Configure the sFlow proxy address. Command (Global Mode): sflow agent-address <collector-address> / no sflow agent-address. Explanation: configure the source IP address used by the sFlow proxy; the “no” form of the command deletes this address. 3. Configure the sFlow proxy priority Command Explanation Global Mode...
  • Page 624: Sflow Examples

    Command (Port Mode): sflow counter-interval <interval-value> / no sflow counter-interval. Explanation: configure the maximum interval when sFlow performs statistics sampling; the “no” form of this command deletes 8. Configure the analyzer used by sFlow. Command (Port Mode): sflow analyzer sflowtrend / no sflow analyzer sflowtrend. Explanation: configure the analyzer used by sFlow; the no command deletes the analyzer.
  • Page 625: Sflow Troubleshooting

    71.4 sFlow Troubleshooting When configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: ensure the physical connection is correct ...
  • Page 626: Chapter 72 Sntp Configuration

    Chapter 72 SNTP Configuration 72.1 Introduction to SNTP The Network Time Protocol (NTP) is widely used for clock synchronization of computers connected to the Internet worldwide. NTP can assess the packet sending/receiving delay in the network and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking. In most cases, NTP can provide accuracy from 1 to 50 ms, depending on the characteristics of the synchronization source and the network route.
  • Page 627: Typical Examples Of Sntp Configuration

    72.2 Typical Examples of SNTP Configuration [Figure 72-2 Typical SNTP Configuration: two SNTP/NTP servers and several switches] All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured: there should be a reachable route between any switch and the two SNTP/NTP servers.
  • Page 628: Chapter 73 Ntp Function Configuration

    Chapter 73 NTP Function Configuration 73.1 Introduction to NTP Function NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed time servers and clients, and can achieve millisecond precision. The events, states, transmit functions and actions of the protocol are defined in RFC-1305.
  • Page 629 ntp server {<ip-address> | <ipv6-address>} [version <version_no>] [key <key-id>] / no ntp server {<ip-address> | <ipv6-address>}: enable the specified time server as a time source. 3. To configure the max number of broadcast or multicast servers supported by the NTP client Command Explanation Global Mode...
  • Page 630 7. To specify an interface as the NTP broadcast/multicast client interface. Command (Interface Configuration Mode): ntp broadcast client / no ntp broadcast client. Explanation: configure the specified interface to receive NTP broadcast packets. ntp multicast client / no ntp multicast client: configure the specified interface to receive NTP multicast packets.
  • Page 631: Typical Examples Of Ntp Function

    debug ntp sync / no debug ntp sync: enable the debug switch for time synchronization information. debug ntp events / no debug ntp events: enable the debug switch for NTP event information. 73.3 Typical Examples of NTP Function A client switch wants to synchronize its time with a time server in the network. There are two time servers in the network, one used as the main server and the other as the standby; the connection and configuration are as follows (Switch A and Switch B are switches or routers which support NTP server): The configuration of Switch C is as follows: (Switch A and Switch B may have different commands because...
  • Page 632: Chapter 74 Dnsv4/V6 Configuration

    Chapter 74 DNSv4/v6 Configuration 74.1 Introduction to DNS DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember, meaningful domain names in applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS services, static and dynamic, which complement each other in application.
  • Page 633 74.2 DNSv4/v6 Configuration Task List 1. To enable/disable DNS function 2. To configure/delete DNS server 3. To configure/delete domain name suffix 4. To delete the domain entry of specified address in dynamic cache 5. To enable DNS dynamic domain name resolution 6. Enable/disable DNS SERVER function 7. Configure the max number of client information in the switch queue 8. Configure the timeout value of caching the client information on the switch 9. Monitor and diagnosis of DNS function...
  • Page 634: Dns

    5. To enable DNS dynamic domain name resolution. Command (Global Mode): dns lookup {ipv4 | ipv6} <hostname>. Explanation: enable DNS dynamic domain name resolution. 6. Enable/disable DNS SERVER function. Command (Global Mode): ip dns server / no ip dns server. Explanation: enable/disable the DNS SERVER function. 7.
  • Page 635: Typical Examples Of Dns

    debug dns {all | packet [send | recv] | events | relay} / no debug dns {all | packet [send | recv] | events | relay}: enable/disable DEBUG of the DNS function. 74.3 Typical Examples of DNS DNS SERVER IP: 219.240.250.101 IPv6: 2001::1 ip domain-lookup dns-server 219.240.250.101...
  • Page 636: Dns Troubleshooting

    request; otherwise, the switch will relay the request to the real DNS server, pass the reply from the DNS server to the client, and record the domain and its IP address for a faster lookup in the future.
    Switch configuration for DNS CLIENT:
    Switch(config)# ip domain-lookup
    Switch(config)# dns-server 219.240.250.101
    Switch(config)# dns-server 2001::1...
  • Page 637: Chapter 75 Summer Time Configuration

    Chapter 75 Summer Time Configuration 75.1 Introduction to Summer Time Summer time, also called daylight saving time, is a time system for saving energy. In summer the clock is advanced by 1 hour so that people keep earlier hours and use less artificial lighting, thereby saving electricity. The rules for adopting summer time differ from country to country.
  • Page 638: Summer Time Troubleshooting

    The configuration procedure is as follows:
    Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
    Example 2: The configuration requirement is the following: summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, the clock offset is 2 hours, and the summer time is named time_travel.
  • Page 639: Chapter 76 Monitor And Debug

    Chapter 76 Monitor and Debug When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of network failure they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug.
  • Page 640: Show

    and packet sent time) whose HOPLIMIT is set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1, so the HOPLIMIT is now 0. The router therefore discards this datagram and returns an “ICMPv6 time exceeded”...
  • Page 641: Debug

    show tech-support: display the operation information and the state of each task running on the switch. It is used by technicians to diagnose whether the switch operates properly. show version: display the version of the switch. show temperature: show the CPU temperature of the switch. 76.6 Debug All the protocols the switch supports have their corresponding debug commands.
  • Page 642 SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non-Volatile Random Access Memory) are provided inside the switch as the two parts of the log buffer zone. The two buffer zones record log information in a circular pattern: when the log information to be recorded exceeds the buffer size, the oldest log information is erased and replaced by the new log information. Information saved in NVRAM stays permanently, while that in SDRAM is lost when the system restarts or encounters a power failure.
  • Page 643: System Log Configuration

    Output from CLI commands is classified as informational; information from the debugging of CLI commands is classified as debugging. Log information can be automatically sent to the corresponding channels according to its severity level. Debugging information can only be sent to the monitor. Information at the Informational level can only be sent to the current monitor terminal; for example, the information from a Telnet terminal configuration command can only be transmitted to that Telnet terminal.
  • Page 644: System Log Configuration Example

    Command (Global Mode): logging executed-commands {enable | disable}. Description: enable or disable the logging of executed commands. Display the log source. Command (Admin and configuration mode): show logging source mstp. Description: show the log information source of the MSTP module. Display executed-commands state Command Description Admin mode...
  • Page 645: Chapter 77 Reload Switch After Specified Time

    Chapter 77 Reload Switch after Specified Time 77.1 Introduction to Reload Switch after Specified Time Reloading the switch after a specified time reboots the switch, without powering it off, once a specified period of time has elapsed; this is usually used when upgrading the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
  • Page 646: Chapter 78 Debugging And Diagnosis For Packets Received And Sent By Cpu

    Chapter 78 Debugging and Diagnosis for Packets Received and Sent by CPU 78.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by the CPU, and are meant to be used with the help of technical support.
  • Page 647: Chapter 79 Mpls Overview

    Chapter 79 MPLS Overview 79.1 MPLS Overview MPLS (Multiprotocol Label Switching), originating from IPv4, was first designed to improve forwarding speed. Its core technology can be extended to multiple network protocols, including IPv6 (Internet Protocol version 6), IPX (Internet Packet Exchange), Appletalk, DECnet, CLNP (Connectionless Network Protocol) etc., since the “Multiprotocol”...
  • Page 648 [Figure 79-1 The Encapsulation Structure of a Label] There are 4 fields in a label: Label: the label value, 20 bits long, a pointer for forwarding. Exp: 3 bits, used by QoS. S: 1 bit, supporting the layered label structure of MPLS, that is, multiple label layers; the value 1 represents the bottom-most label layer.
  • Page 649 LSP are separately called the upstream and downstream LSR, along the direction of data transmission. In the next figure, R2 is the downstream LSR of R1, while R1 is the upstream LSR of R2. [Figure 79-2 Label Switched Path LSP] The function of an LSP, like the virtual circuit of ATM and Frame Relay, is a unidirectional path from the ingress of an MPLS network to its egress.
  • Page 650: Mpls Network Introduction

    With the LSR mapping multiple incoming labels to the same FEC, all these incoming labels will correspond to the same outgoing label and egress port. As a result, when packets with different labels reach the LSR, all outgoing packets will carry the same label. This process is called Label Merging. Label Merging can decrease the number of labels in the MPLS domain, but possibly at the cost of losing the ingress port information of the packets.
  • Page 651: Introduction To Mpls And Routing Protocols

    [Figure 79-3 The MPLS Network Structure: Label Switched Path (LSP) from Ingress to Egress through MPLS Core LSRs and MPLS Edge LSRs] The basic working process of MPLS, based on the above figure: first, LDP, together with traditional routing protocols (like OSPF, ISIS, etc.), creates route tables and the LIB (Label Information Base) for FECs demanding services;...
  • Page 652 However, combining the powerful L3 switching function of IP networks with the efficient forwarding mechanism of traditional L2 networks, MPLS uses a connection-oriented method at the forwarding plane, similar to current L2 networks. As a result, it can easily achieve seamless convergence of IP and L2 networks like ATM and Frame Relay, and provide better solutions for applications like QoS, TE and VPN.
  • Page 653: Mpls Php

    pre-configured service policy to different services, ensuring the service quality. The service quality class mechanism and the label mechanism of Diff-Serv are similar to the label distribution mechanism of MPLS. In fact, the MPLS-based Diff-Serv is implemented via the combination of the DS distribution and MPLS label distribution.
  • Page 654: Chapter 80 Ldp

    Chapter 80 LDP 80.1 LDP Introduction The LDP protocol is used for label distribution in the MPLS label switching environment, and only applies to networks capable of label switching. LDP, integrated with the traditional routing algorithm, distributes labels, advertises <label, FEC> mappings, and creates and maintains the Label Forwarding Information Base and LSPs by transmitting various messages via TCP connections.
  • Page 655: Basic Concept Of Ldp

    80.1.1 Basic Concept of LDP LDP Peer When distributing labels to an FEC, LDP needs to advertise this label and its meaning in the MPLS network to create an LSP. LSRs that exchange label information via LDP are LDP peers. LDP peers obtain each other's label mappings and other messages.
  • Page 656 TLV Encoding LDP encapsulates parameters in LDP messages via TLV (Type-Length-Value). The LDP TLV format is as follows: [Figure 80-2 The TLV Format of LDP] U bit: Unknown flag, 1 bit. If the U flag is 0, the LSR should notify the source LSR of the packet and ignore the whole message;...
  • Page 657: Ldp Label Management

    Common Session Parameters: 0x0500. ATM Session Parameters: 0x0501. Frame Relay Session Parameters: 0x0502. Label Request Message ID: 0x0600. Vendor-Private: 0x3E00-0x3EFF. Experimental: 0x3F00-0x3FFF. 80.1.3 LDP Label Management In the MPLS system, the downstream LSR determines the distribution of a label to a specific FEC, and notifies the upstream.
  • Page 658 [Figure 80-3 The Process of Label Advertisement: LSP1 and LSP2 from Ingress to Egress; Label Request and Label Mapping messages exchanged over an LDP Session between MPLS LSRs and MPLS LERs] For example, for LSP1 in the above figure, LSR B is the upstream LSR of LSR C, while LSR C is the downstream LSR of LSR B.
  • Page 659 Ordered Mode: for an FEC label mapping of an LSR, the LSR only advertises the mapping to its upstream when it already has the label mapping of the FEC next hop, or when it is the egress router of the FEC. The label advertisement of a flow starts from the egress router of this FEC flow, binding routers from downstream to upstream, thus guaranteeing that the mapping between labels and the flow is complete and coherent in the whole network.
  • Page 660: Ldp Session

    incoming labels. The LSR will map the labels of received packets to an NHLFE; the LSR will find the corresponding NHLFE in the LIB based on the label, replace it with the new label and then forward the labeled packet. 80.1.4 LDP Session There are four steps to establish an LDP session: ...
  • Page 661: Ldp Loop Detection

    downstream LSR, and specifies for which FEC this label request is. (2) The downstream LSR receiving the label request message saves this message, finds the corresponding FEC next hop according to the local route table and then sends a label request message to its own downstream.
  • Page 662: Ldp Configuration

    The hop count of the path exceeds the configured maximum value. If no record of its LSR ID is found, a new one will be added. The maximum value of the path vector is the same as that of the hop count. 80.2 LDP Configuration LDP Configuration Task Sequence: 1.
  • Page 663 2. Enable LDP It is easy to implement the basic configuration of LDP in DCNOS. Usually users only have to turn on the LDP switch and enable it on the interface where LDP will work. Please note that an interface with LDP enabled should also have label switching enabled.
  • Page 664 Optional: advertisement-mode {downstream-on-demand | downstream-unsolicited}. Configure the global label advertisement mode, downstream-on-demand or downstream-unsolicited. This mode relates to the other two: changing it changes the label retention mode and the global label path control mode at the same time. It is downstream-unsolicited by default. Optional: configure the global label retention mode:...
  • Page 665 Optional: [no] loop-detection-count <count>. Configure the maximum hop count of LDP loop detection, whose default value is 255; the no operation restores the default value. (3) Configure the LDP specified peers. Command (Router Configuration Mode), optional: [no] targeted-peer <ip-addr>. Configure the remote peer of the LDP targeted destination.
  • Page 666 Optional: [no] hold-time <hold-time>. Configure the LDP multicast peer hold time, whose default value is 15 seconds; the no operation restores the default value. Optional: [no] targeted-peer-Hello-interval <Hello-interval>. Configure the interval of sending HELLO to specified targets, whose default value is 15...
  • Page 667 Optional: [no] ldp targeted-peer-hold-time <hold-time>. Configure the LDP targeted peer hold time on a specified interface; the no operation restores the default value. Router configuration mode, optional: [no] router-id <ip-addr>. Configure the LDP router ID, which is obtained automatically by default. The no...
  • Page 668: Ldp Typical Instances

    Optional: [no] request-retry. Configure LDP to retry 5 times when the label request is rejected; the no operation disables the retry. Optional: [no] request-retry-timeout <time-val>. Configure the retry interval, whose default value is 5 seconds; the no operation restores the default value.
  • Page 669 Figure 80-4 MPLS VPN Typical Instance The above figure demonstrates a typical MPLS VPN instance, in which PE1, P and PE2 form the public network area, the area switching via MPLS. CE-A1 and CE-A2 form VPN-A, and CE-B1 and CE-B2 form VPN-B. Both VPNs communicate via public network label switching, and need LDP configured for distributing and advertising labels in the public network area.
  • Page 670: Ldp Troubleshooting

    The LDP configuration of P is as follows:
    P#config
    P(config)#mpls enable
    P(config)# router ldp
    P(config-router)#exit
    P(config)#interface vlan 1
    P(config-if-Vlan1)#ip address 202.200.1.1 255.255.255.0
    P(config-if-Vlan1)#ldp enable
    P(config-if-Vlan1)#label-switching
    P(config-if-Vlan1)#exit
    P(config)#interface vlan 2
    P(config-if-Vlan2)#ip address 202.200.2.1 255.255.255.0
    P(config-if-Vlan2)#ldp enable
    P(config-if-Vlan2)#label-switching
    P(config-if-Vlan2)#exit
    P(config)#router ospf
    P(config-router)#network 202.200.1.0/24 area 0
    P(config-router)#network 202.200.2.0/24 area 0
    P(config-router)#exit
    The LDP configuration of PE2 is as follows:...
  • Page 671 Second, use the “show ldp interface” command to check whether LDP has been enabled correctly on the interface after the connection succeeds. If LDP has been correctly enabled but is not displayed, it is possible that the interface is not in the UP state or is not configured with interface label-switching.
  • Page 672: Chapter 81 Mpls Vpn

    Chapter 81 MPLS VPN 81.1 BGP/MPLS VPN Introduction 81.1.1 BGP/MPLS VPN Network Structure BGP/MPLS VPN is a PE-based L3VPN technology among the VPN solutions provided by service providers; it uses BGP to advertise VPN routes and MPLS to forward VPN traffic in the provider backbone network. BGP/MPLS VPN networking is flexible and extensible, and can conveniently support MPLS QoS and MPLS TE, which is why it is increasingly popular.
  • Page 673: Basic Concept Of Bgp/Mpls Vpn

    the local VPN route to PE, and learn the remote VPN route from PE. CE and PE use BGP/IGP to exchange route information, or use static routes. PE exchanges VPN route information with other PEs via BGP after learning the local VPN route from CE. It only maintains the VPN routes directly connected to it rather than all VPN routes in the service provider network.
  • Page 674 route table and LFIB (Label Forwarding Information Base). To be specific, the information in a VPN instance includes: the LFIB, the IP route table, the interfaces bound to the VPN instance, and its management information (including the RD, route filter policy, member interface list, etc.). VPN-IPv4 Address: traditional BGP cannot correctly handle VPN routes with overlapping address spaces.
  • Page 675: Forwarding Bgp/Mpls Vpn Messages

    Import Target Attribute: when receiving a VPN-IPv4 route advertised by other PE routers, PE checks its Export Target attribute, and adds the route into the corresponding VPN route table only when its Export Target attribute matches the Import Target attribute of a VPN instance on this PE. In other words, the VPN Target attribute defines which sites can accept a VPN-IPv4 route, and from which sites a PE router can receive routes.
  • Page 676: Bgp/Mpls Vpn Networking Resolution

    [Figure 81-3 Forwarding VPN Packets: site1 (1.1.1.1/24) to site2 (1.1.1.2/24), packet carrying a Layer1 (outer) and Layer2 (inner) label, destination 1.1.1.2]
    Site1 sends an IP packet with a destination address of 1.1.1.2, which is sent by CE1 to PE1. PE1 looks up the VPN-instance entries according to the interface receiving the packet and the destination address, then forwards the packet after adding two layers of label (inner and outer) to it, if there is a match.
  • Page 677 [Figure 81-4 Basic VPN Networking Resolution: site1 and site2 in VPN1 (Import: 1:1, Export: 1:1), site3 and site4 in VPN2 (Import: 2:1, Export: 2:1)]
    In the above figure, the VPN Target distributed by PE for VPN1 is 100:1; and that for VPN2 is 200:1. The sites of VPN1 can intercommunicate with each other, and so can the two of VPN2.
  • Page 678 [Figure 81-5 Hub&Spoke Networking Resolution: Spoke-PE sites site1 and site2 with VPN1 Import: Hub, Export: Spoke; Hub-PE with VPN1-Hub Export: Hub and VPN1-Spoke Import: Spoke, attached to CE-Hub and site3]
    In the above figure, Spoke sites communicate with each other via Hub sites (the arrow in the figure is the route advertisement process from site2 to site1): ...
  • Page 679: Bgp/Mpls Vpn Route Advertisement

    If a VPN user wants to provide the resources of some site of this VPN to outside users, the Extranet Networking resolution can solve the problem. In this networking, if a VPN needs to access the shared site, its Export Target should be included in the Import Target of the shared site's VPN instances, and its Import Target should be included in the Export Target of the shared site's VPN instances.
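    The route-target logic described on the preceding pages (VPN-IPv4 routes distinguished by RD, Export Target attached on advertisement, Import Target matched on receipt, and the basic, Hub&Spoke and Extranet target layouts) can be modelled in a few lines. The following is an added example, not code from the Planet manual or the switch firmware; every PE name, VRF name, RD, RT and prefix in it is a constructed sample value, and the hub's relaying of spoke routes is modelled as a flag on the VPN instance rather than as a real CE-Hub.

```python
# Added example (not from the Planet manual): a small model of BGP/MPLS VPN
# route import/export. RD + prefix forms the VPN-IPv4 route, the export route
# targets (RTs) travel with it, and a receiving PE installs it only into VRFs
# whose import RTs match. All names, RDs, RTs and prefixes are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnIpv4Route:
    rd: str                 # route distinguisher, keeps overlapping prefixes distinct
    prefix: str             # IPv4 prefix as advertised by the site
    export_rts: frozenset   # RT extended communities attached when exported
    next_hop: str           # advertising PE


@dataclass
class VpnInstance:
    name: str
    rd: str
    import_rts: frozenset
    export_rts: frozenset
    local_prefixes: list                        # routes learnt from the attached CE
    relay_learned: bool = False                 # hub behaviour: re-export what was imported
    routes: dict = field(default_factory=dict)  # VRF route table: prefix -> VpnIpv4Route


class PE:
    def __init__(self, name):
        self.name = name
        self.vrfs = {}

    def add_vrf(self, vrf):
        self.vrfs[vrf.name] = vrf

    def advertise(self):
        """Build the VPN-IPv4 routes this PE sends to its MP-BGP peers."""
        out = []
        for vrf in self.vrfs.values():
            for p in vrf.local_prefixes:
                out.append(VpnIpv4Route(vrf.rd, p, vrf.export_rts, self.name))
            if vrf.relay_learned:
                # A hub site re-advertises spoke routes under the hub's RD and export RT
                for r in vrf.routes.values():
                    out.append(VpnIpv4Route(vrf.rd, r.prefix, vrf.export_rts, self.name))
        return out

    def receive(self, routes):
        """Install a route into every local VRF whose import RTs intersect its export RTs."""
        for r in routes:
            if r.next_hop == self.name:
                continue
            for vrf in self.vrfs.values():
                if vrf.import_rts & r.export_rts:
                    vrf.routes[r.prefix] = r


def exchange(pes, rounds=2):
    """Flood every PE's advertisements to every other PE; two rounds let hub relays propagate."""
    for _ in range(rounds):
        adverts = [r for pe in pes for r in pe.advertise()]
        for pe in pes:
            pe.receive(adverts)


def rt(*targets):
    return frozenset(targets)


def basic_vpn():
    """Figure 81-4 style: VPN1 and VPN2 reuse 10.1.1.0/24, but RD and RT keep them apart."""
    pe1, pe2 = PE("PE1"), PE("PE2")
    pe1.add_vrf(VpnInstance("VPN1", "100:1", rt("100:1"), rt("100:1"), ["10.1.1.0/24"]))
    pe1.add_vrf(VpnInstance("VPN2", "200:1", rt("200:1"), rt("200:1"), ["10.1.1.0/24"]))
    pe2.add_vrf(VpnInstance("VPN1", "100:1", rt("100:1"), rt("100:1"), ["10.2.1.0/24"]))
    pe2.add_vrf(VpnInstance("VPN2", "200:1", rt("200:1"), rt("200:1"), ["10.2.2.0/24"]))
    exchange([pe1, pe2])
    return pe2


def hub_and_spoke():
    """Figure 81-5 style: spokes only import 'Hub', so spoke-to-spoke routes transit the hub."""
    hub, s1, s2 = PE("Hub-PE"), PE("Spoke-PE1"), PE("Spoke-PE2")
    hub.add_vrf(VpnInstance("VPN1-Hub", "100:3", rt("Spoke"), rt("Hub"),
                            ["192.168.3.0/24"], relay_learned=True))
    s1.add_vrf(VpnInstance("VPN1", "100:1", rt("Hub"), rt("Spoke"), ["192.168.1.0/24"]))
    s2.add_vrf(VpnInstance("VPN1", "100:2", rt("Hub"), rt("Spoke"), ["192.168.2.0/24"]))
    exchange([hub, s1, s2])
    return s2


def extranet():
    """Shared site: its import RTs include each member VPN's export RT and vice versa."""
    pe1, pe2, shared = PE("PE1"), PE("PE2"), PE("PE-Shared")
    pe1.add_vrf(VpnInstance("VPN1", "100:1", rt("100:1"), rt("100:1"), ["10.1.0.0/16"]))
    pe2.add_vrf(VpnInstance("VPN2", "200:1", rt("200:1"), rt("200:1"), ["10.2.0.0/16"]))
    shared.add_vrf(VpnInstance("SHARED", "300:1", rt("100:1", "200:1"),
                               rt("100:1", "200:1"), ["172.16.0.0/24"]))
    exchange([pe1, pe2, shared])
    return pe1, pe2, shared
```

    Running the three scenarios shows the properties the text describes: in `basic_vpn()` PE2 holds 10.1.1.0/24 twice, once per VRF, each with its own RD; in `hub_and_spoke()` Spoke-PE2 learns Spoke-PE1's prefix only with Hub-PE as next hop; in `extranet()` VPN1 learns the shared prefix but never VPN2's, because the only RT both VPNs have in common is the one carried by the shared site's routes.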
  • Page 680: Bgp Mpls Vpn Configuration

    In real networking applications, multiple sites of a user VPN may connect to SPs with different ASNs, or to different ASes of the same SP. Such applications of one VPN crossing multiple autonomous systems are called Multi-AS VPN. RFC 2547 provides three Multi-AS VPN resolutions: ...
  • Page 681
    1. Enable MPLS globally (necessary)
    2. Configure VPN instances (necessary)
      (1) Create VPN instances, and enter the VPN instance view.
      (2) Configure the VPN instance RD
      (3) Configure the VPN instance RT
      (4) Configure the VPN instance to relate with the interface
    3.
  • Page 682
    mpls enable / no mpls enable (necessary): Enable MPLS; the no operation disables MPLS.
    2. Configure VPN instances (necessary)
      (1) Create VPN instances and enter VPN instance view
      (2) Configure VPN instance RD
      (3) Configure VPN instance RT
      (4) Configure VPN instance to relate with the interface
    Command / Explanation, Global Configuration Mode...
  • Page 683 Command / Explanation, BGP Protocol Configuration Mode (necessary):
    neighbor <ip-address> remote-as <as-num>: Configure the remote PE as the public network VPNv4 neighbor. It is suggested to select a loopback interface to set up the BGP neighbor among public network PEs.
    neighbor <ip-address> update-source <as-num>...: Point the local loopback interface for setting up...
  • Page 684
      3) Enable OSPF in the segment between PE-CE
      4) Configure to re-advertise BGP routes
      5) Enter the BGP-VPN instance view
      6) Configure to re-advertise OSPF routes
      7) Advertise local private network routes
    Command / Explanation, BGP Protocol Configuration Mode (necessary):
    neighbor <ip-address>...: Configure the remote PE as the public network...
  • Page 685 BGP-VPN instance view (optional):
    [no] redistribute {connected | ospf | rip | static}: Configure to re-advertise the directly connected routes or other protocol routes. No re-advertisement of any route by default.
    (3) Configure to use EBGP between PE-CE
      1) Configure the remote PE as the public network VPNv4 neighbor
      2) Enter the RIP VPN instance view
      3) Enable RIP in the segment between PE-CE
      4) Configure to re-advertise BGP routes...
  • Page 686 (optional)
    [no] redistribute { kernel | connected | static | ospf | isis | bgp} [metric <value>] [route-map <word>]: Configure to re-advertise the BGP routes. No re-advertisement of any route by default.
    BGP Protocol Configuration Mode (optional):
    [no] address-family ipv4 {unicast| ...: Create VPNv4 and enter...
  • Page 687: Bgp Mpls Vpn Typical Instances

    Global Configuration Mode (optional):
    [no] ip route vrf <vrf-name> {<ip-prefix> <mask> | <ip-prefix>/<prefix-length>} {<gateway-address> | null0}: Manually configure the static VPN routes between PE-CE.
    BGP Protocol Configuration Mode (optional):
    [no] address-family ipv4 {unicast | multicast | vrf <vrf-name>}: Create VPNv4 and enter the BGP-VPN instance view. No VPNv4 is created by default.
  • Page 688 [Figure: PE-CE using EBGP. VPN-A sites in AS 650003 and AS 65001, RT 100:1; MPLS backbone AS 100. CE VLAN1 10.1.1.1/24 and VLAN3 10.3.1.1/24; PE1 VLAN1 10.1.1.2/24, VLAN2 10.2.1.2/24, VLAN100 100.1.1.1/24, Loopback1 172.1.1.1/32; P VLAN100 100.1.1.2/24, VLAN200 200.1.1.2/24, Loopback1 172.3.3.3/32; PE2 VLAN3 10.3.1.2/24, VLAN4 10.4.1.2/24, VLAN200 200.1.1.1/24, Loopback1 172.2.2.2/32]...
  • Page 689
    PE1(config-if-Vlan1)# ip vrf forwarding vpna
    PE1(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
    PE1(config-if-Vlan1)#exit
    PE1(config)# interface vlan 2
    PE1(config-if-Vlan2)# ip vrf forwarding vpnb
    PE1(config-if-Vlan2)#ip address 10.2.1.2 255.255.255.0
    PE1(config-if-Vlan2)#exit
    (3) Globally enable MPLS and LDP
    PE1(config)#mpls enable
    PE1(config)#router ldp
    PE1(config-router)#exit
    (4) Configure the interface and enable LDP
    PE1(config)# interface loopback 1
    PE1(config-if-Loopback1)# ip address 172.1.1.1 255.255.255.255
    PE1(config-if-Loopback1)# exit...
  • Page 690
    PE1(config-router-af)#neighbor 10.2.1.1 remote-as 65002
    PE1(config-router-af)#redistribute connected
    PE1(config-router-af)#exit
    PE1(config-router)#exit
    The configuration of router P is as follows:
    (1) Globally enable MPLS and configure LDP on related interfaces.
    P#config
    P(config)#mpls enable
    P(config)#router ldp
    P(config-router)#exit
    P(config)# interface loopback 1
    P(config-if-Loopback1)# ip address 172.3.3.3 255.255.255.255
    P(config-if-Loopback1)# exit
    P(config)#interface vlan 100
    P(config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0...
  • Page 691
    (2) Configure to bind the interface with the VPN instances
    PE2(config)# interface vlan 3
    PE2(config-if-Vlan3)# ip vrf forwarding vpna
    PE2(config-if-Vlan3)#ip address 10.3.1.2 255.255.255.0
    PE2(config-if-Vlan3)#exit
    PE2(config)# interface vlan 4
    PE2(config-if-Vlan4)# ip vrf forwarding vpnb
    PE2(config-if-Vlan4)#ip address 10.4.1.2 255.255.255.0
    PE2(config-if-Vlan4)#exit
    (3) Globally enable MPLS and LDP
    PE2(config)#mpls enable
    PE2(config)#router ldp
    PE2(config-router)#exit...
  • Page 692: Create Bgp Mpls Vpn Between Pe-Ce Via Ospf

    PE2(config-router-af)#exit
    PE2(config-router)# address-family ipv4 vrf vpnb
    PE2(config-router-af)#neighbor 10.4.1.1 remote-as 65004
    PE2(config-router-af)#redistribute connected
    PE2(config-router-af)#exit
    PE2(config-router)#exit
    81.3.2 Create BGP MPLS VPN between PE-CE via OSPF
    [Figure: PE-CE using OSPF, VPN-A area 0. VPN-A sites in AS 650003 and AS 65001, RT 100:1 (both); MPLS backbone AS 100; CE VLAN1 10.1.1.1/24, VLAN3 10.3.1.1/24]...
  • Page 693
    PE1#config
    PE1(config)#ip vrf vpna
    PE1(config-vrf)#rd 100:1
    PE1(config-vrf)#route-target both 100:1
    PE1(config)#ip vrf vpnb
    PE1(config-vrf)#rd 100:2
    PE1(config-vrf)#route-target both 100:2
    (2) Configure to bind the interface with the VPN instances
    PE1(config)# interface vlan 1
    PE1(config-if-Vlan1)# ip vrf forwarding vpna
    PE1(config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
    PE1(config-if-Vlan1)#exit
    PE1(config)# interface vlan 2
    PE1(config-if-Vlan2)# ip vrf forwarding vpnb...
  • Page 694
    PE1(config)#router ospf 1 vpna
    PE1(config-router)# network 0.0.0.0/0 area 0
    PE1(config-router)#redistribute connected
    PE1(config-router)#redistribute bgp
    PE1(config-router)#exit
    PE1(config)#router ospf 1 vpnb
    PE1(config-router)# network 0.0.0.0/0 area 0
    PE1(config-router)#redistribute connected
    PE1(config-router)#redistribute bgp
    PE1(config-router)#exit
    (7) Configure BGP
    PE1(config)# router bgp 100
    PE1(config-router)#neighbor 172.2.2.2 remote-as 100
    PE1(config-router)#neighbor 172.2.2.2 update-source 172.1.1.1
    PE1(config-router)#address-family vpnv4
    PE1(config-router-af)#neighbor 172.2.2.2 activate
    PE1(config-router-af)#exit...
  • Page 695: Create Bgp Mpls Vpn Between Pe-Ce Via Rip

    P(config-if-Vlan100)#exit
    P(config)#interface vlan200
    P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.0
    P(config-if-Vlan200)#label-switching
    P(config-if-Vlan200)#ldp enable
    P(config-if-Vlan200)#exit
    (2) Configure OSPF
    P(config)#router ospf
    P(config-router)# ospf router-id 172.3.3.3
    P(config-router)# network 0.0.0.0/0 area 0
    P(config-router)# redistribute connected
    81.3.3 Create BGP MPLS VPN between PE-CE via RIP
    [Figure: PE-CE using RIP. VPN-A sites in AS 650003 and AS 65001, RT 100:1]...
  • Page 696
    CE1(config-router)#redistribute connected
    CE1(config-router)#exit
    The configuration of MPLS BGP on switch PE1 is as follows (the configuration of PE2 is similar):
    (1) Configure VPN instances
    PE1#config
    PE1(config)#ip vrf vpna
    PE1(config-vrf)#rd 100:1
    PE1(config-vrf)#route-target both 100:1
    PE1(config)#ip vrf vpnb
    PE1(config-vrf)#rd 100:2
    PE1(config-vrf)#route-target both 100:2
    (2) Configure to bind the interface with the VPN instances
    PE1(config)# interface vlan 1
    PE1(config-if-Vlan1)# ip vrf forwarding vpna...
  • Page 697
    PE1(config-router)# ospf router-id 172.1.1.1
    PE1(config-router)# network 0.0.0.0/0 area 0
    PE1(config-router)# redistribute connected
    PE1(config-router)#exit
    (6) Enable OSPF VRF to advertise the private network routes
    PE1(config)#router rip
    PE1(config-router)#address-family ipv4 vrf vpna
    PE1(config-router-af)#network 0.0.0.0/0
    PE1(config-router-af)#redistribute connected
    PE1(config-router-af)#redistribute bgp
    PE1(config-router-af)#exit
    PE1(config-router)#address-family ipv4 vrf vpnb
    PE1(config-router-af)#network 0.0.0.0/0
    PE1(config-router-af)#redistribute connected
    PE1(config-router-af)#redistribute bgp...
  • Page 698: Create Bgp Mpls Vpn Between Pe-Ce Via Static Routes

    P(config)# interface loopback 1
    P(config-if-Loopback1)# ip address 172.3.3.3 255.255.255.255
    P(config-if-Loopback1)# exit
    P(config)#interface vlan 100
    P(config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0
    P(config-if-Vlan100)#label-switching
    P(config-if-Vlan100)#ldp enable
    P(config-if-Vlan100)#exit
    P(config)#interface vlan200
    P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.0
    P(config-if-Vlan200)#label-switching
    P(config-if-Vlan200)#ldp enable
    P(config-if-Vlan200)#exit
    (2) Configure OSPF
    P(config)#router ospf
    P(config-router)# ospf router-id 172.3.3.3
    P(config-router)# network 0.0.0.0/0 area 0
    P(config-router)# redistribute connected
    81.3.4 Create BGP MPLS VPN between PE-CE via Static Routes...
  • Page 699 The configuration of CE1 is as follows (the configurations of CE2~CE4 are similar):
    CE1#config
    CE1(config)# interface vlan 1
    CE1(config-if-Vlan1)#ip address 10.1.1.1 255.255.255.0
    CE1(config-if-Vlan1)#exit
    CE1(config)# interface loopback 1
    CE1(config-if-Loopback1)#ip address 192.168.1.1 255.255.255.0
    CE1(config-if-Loopback1)# exit
    CE1(config)# ip route vrf vpna 192.168.2.1/24 10.1.1.2
    The configuration of MPLS BGP on switch PE1 is as follows (the configuration of PE2 is similar):
    (1) Configure VPN instances
    PE1#config...
  • Page 700
    PE1(config-if-Vlan100)#ip address 100.1.1.1 255.255.255.0
    PE1(config-if-Vlan100)#ldp enable
    PE1(config-if-Vlan100)#exit
    (5) Enable OSPF to advertise the inner network routes
    PE1(config)#router ospf
    PE1(config-router)# ospf router-id 172.1.1.1
    PE1(config-router)# network 0.0.0.0/0 area 0
    PE1(config-router)# redistribute connected
    PE1(config-router)#exit
    (6) Configure static private network routes
    PE1(config)# ip route vrf vpna 192.168.1.1/24 10.1.1.2
    PE1(config)# ip route vrf vpnb 192.168.2.1/24 10.1.1.2
    PE1(config-router)#address-family ipv4 vrf vpna
    PE1(config-router-af)#network 0.0.0.0/0...
  • Page 701: Mpls Bgp Vpn Troubleshooting

    P(config-router)#exit
    P(config)# interface loopback 1
    P(config-if-Loopback1)# ip address 172.3.3.3 255.255.255.255
    P(config-if-Loopback1)# exit
    P(config)#interface vlan 100
    P(config-if-Vlan100)#ip address 100.1.1.2 255.255.255.0
    P(config-if-Vlan100)#ldp enable
    P(config-if-Vlan100)#exit
    P(config)#interface vlan200
    P(config-if-Vlan200)#ip address 200.1.1.2 255.255.255.0
    P(config-if-Vlan200)#ldp enable
    P(config-if-Vlan200)#exit
    (2) Configure OSPF
    P(config)#router ospf
    P(config-router)# ospf router-id 172.3.3.3
    P(config-router)# network 0.0.0.0/0 area 0
    P(config-router)# redistribute connected
    81.4 MPLS BGP VPN Troubleshooting...
  • Page 702 Besides, if no remote CE device can be seen from a CE after saving the corrected configuration and rebooting the device, please be patient: establishing the OSPF, LDP and BGP connections and advertising the routes take time.
  • Page 703: Chapter 82 Public Network Access Of Mpls Vpn

    Chapter 82 Public Network Access of MPLS
    82.1 Public Network Access Introduction
    Public network access of VPN means the ability of VPN sites to access the public Internet. RFC4364 defines the basic protocol regulations, including some methods for a VPN to access the Internet: ...
  • Page 704: Public Network Access Configuration

    82.1.2 VRF Internet Access Mode 3
    In VRF Internet Access Mode 3, as demonstrated in the next figure, VPN sites access the Internet via the private network connections between PE and CE. The VRF route tables of the PE routers contain Internet routes, which are learnt via the PE routers connected with the Internet gateway (Internet PE).
  • Page 705: Public Network Access Typical Instances

    (4) Configure a proper filter policy on the public network interface, to filter the packets whose source and destination addresses are private network addresses.
    (5) Configure default routes:
      IGW imports the default routes into BGP;
      PE advertises the default routes to CE via the public network connection;
      CE advertises the default routes to PE via the private network connection, and then to the other CEs.
  • Page 706 Figure 82-3 Non-VRF Internet Access Mode
    The configuration of CE1 is as follows:
    CE1#config
    CE1(config)#access-list 1 deny 100.100.1.0 0.0.0.255
    CE1(config)#access-list 1 deny 100.200.1.0 0.0.0.255
    CE1(config)#access-list 1 permit any-source
    CE1(config)#access-list 2 permit 10.1.1.0 0.0.0.255
    CE1(config)#access-list 2 permit 10.1.2.0 0.0.0.255
    CE1(config)#access-list 2 deny any-source
    CE1(config)# interface vlan 1
    CE1(config-if-Vlan1)#ip address 192.168.102.2 255.255.255.0
    CE1(config-if-Vlan1)#exit...
  • Page 707
    CE1(config-router)#network 10.1.2.0/24
    CE1(config-router)#redistribute connected
    CE1(config-router)#neighbor 100.100.1.1 remote-as 100
    CE1(config-router)#neighbor 100.100.1.1 distribute-list 2 out
    CE1(config-router)#neighbor 192.168.102.1 remote-as 100
    CE1(config-router)#neighbor 192.168.102.1 default-originate
    CE1(config-router)#neighbor 192.168.102.1 distribute-list 1 out
    CE1(config-router)#exit
    CE1(config)# ip route 100.100.1.1 255.255.255.0 100.200.1.1
    CE1(config)# ip route 0.0.0.0/0 100.200.1.1
    CE1(config)# exit
    The configuration of PE1 is as follows:
    PE1#config
    PE1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 any-destination
    PE1(config)#access-list 100 deny ip 10.1.2.0 0.0.0.255 any-destination...
  • Page 708
    PE1(config)#router bgp 100
    PE1(config-router)#neighbor 100.200.1.2 remote-as 60102
    PE1(config-router)#neighbor 200.200.1.1 remote-as 100
    PE1(config-router)#neighbor 202.200.3.2 remote-as 100
    PE1(config-router)#neighbor 202.200.3.2 next-hop-self
    PE1(config-router)#address-family vpnv4 unicast
    PE1(config-router-af)#neighbor 200.200.1.1 activate
    PE1(config-router-af)#exit-address-family
    PE1(config-router)#address-family ipv4 vrf VRF-A
    PE1(config-router-af)#neighbor 192.168.102.2 remote-as 60102
    PE1(config-router-af)#no neighbor 192.168.102.2 send-community extended
    PE1(config-router-af)#exit-address-family
    PE1(config-router)#exit
    PE1(config)# router ldp
    PE1(config-router)#ip route 100.200.1.2 255.255.255.0 100.100.1.2
    The configuration of P is as follows:...
  • Page 709
    PE2(config-vrf)#exit
    PE2(config)#interface Vlan1
    PE2(config-if-Vlan1)#ip vrf forwarding VRF-A
    PE2(config-if-Vlan1)#ip address 192.168.101.1 255.255.255.0
    PE2(config-if-Vlan1)#exit
    PE2(config)#interface Vlan2
    PE2(config-if-Vlan2)#label-switching
    PE2(config-if-Vlan2)#enable-ldp
    PE2(config-if-Vlan2)#ip address 202.200.1.2 255.255.255.0
    PE2(config-if-Vlan2)#exit
    PE2(config)#interface Loopback1
    PE2(config-if-loopback1)#ip address 200.200.1.1 255.255.255.255
    PE2(config-if-loopback1)#exit
    PE2(config)#router ospf
    PE2(config-router)#network 200.200.1.1/32 area 0
    PE2(config-router)#network 202.200.1.0/24 area 0
    PE2(config-router)#exit
    PE2(config)#router bgp 100
    PE2(config-router)#address-family vpnv4 unicast
    PE2(config-router-af)#neighbor 200.200.1.1 activate
    PE2(config-router-af)#exit-address-family...
  • Page 710: Public Network Access Troubleshooting

    IGW(config-if-Vlan1)#ip address 202.200.3.2 255.255.255.0
    IGW(config-if-Vlan1)#exit
    IGW(config)#interface Vlan2
    IGW(config-if-Vlan2)#ip address 150.1.1.1 255.255.255.0
    IGW(config-if-Vlan2)#exit
    IGW(config)#router ospf
    IGW(config-router)#network 202.200.3.0 0.0.0.255 area 0
    IGW(config-router)#exit
    IGW(config)#router bgp 100
    IGW(config-router)#neighbor 202.200.2.2 remote-as 100
    IGW(config-router)#neighbor 202.200.2.2 default-originate
    82.4 Public Network Access Troubleshooting
    When configuring and using Public Network Access, problems such as incorrect physical connections or configuration errors may cause it to fail, so please pay attention to the following notices to avoid them: ...
  • Page 711: Chapter 83 Switch Operation

    Chapter 83 SWITCH OPERATION
    83.1 Address Table
    The Switch is implemented with an address table. This address table is composed of many entries. Each entry is used to store the address information of some node in the network, including MAC address, port number, etc. This information comes from the learning process of the Ethernet Switch.
  • Page 712: Auto-Negotiation

    The Switch performs "store and forward" switching; therefore no error packets are forwarded. More reliably, it reduces the re-transmission rate. No packet loss will occur.
    83.5 Auto-Negotiation
    The STP ports on the Switch have built-in "Auto-negotiation". This technology automatically sets the best possible bandwidth when a connection is established with another network device (usually at Power On or Reset).
  • Page 713: Chapter 84 Trouble Shooting

    Chapter 84 TROUBLE SHOOTING
    This chapter contains information to help you solve problems. If the Ethernet Switch is not functioning properly, make sure the Ethernet Switch was set up according to the instructions in this manual.
    The Link LED is not lit
    Solution: Check the cable connection and remove duplex mode of the Ethernet Switch
    Some stations cannot talk to other stations located on the other port...
  • Page 714: Chapter 85 Appendex A

    Chapter 85 APPENDIX A
    85.1 A.1 Switch's RJ-45 Pin Assignments
    1000Mbps, 1000Base-T
    Contact   MDI      MDI-X
    1         BI_DA+   BI_DB+
    2         BI_DA-   BI_DB-
    3         BI_DB+   BI_DA+
    4         BI_DC+   BI_DD+
    5         BI_DC-   BI_DD-
    6         BI_DB-   BI_DA-
    7         BI_DD+   BI_DC+
    8         BI_DD-   BI_DC-
    Implicit implementation of the crossover function within a twisted-pair cable, or at a wiring panel, while not expressly forbidden, is beyond the scope of this standard.
  • Page 715 The standard RJ-45 receptacle/connector. There are 8 wires on a standard UTP/STP cable and each wire is color-coded. The following shows the pin allocation and color of straight cable and crossover cable connection:
    Straight Cable: SIDE 1 / SIDE 2
    1 = White/Orange   1 = White/Orange
    2 = Orange...
  • Page 716: Chapter 86 Glossary

    Chapter 86 GLOSSARY Bandwidth Utilization The percentage of packets received over time as compared to overall bandwidth. BOOTP Boot protocol used to load the operating system for devices connected to the network. Distance Vector Multicast Routing Protocol (DVMRP) A distance-vector-style routing protocol used for routing multicast datagrams through the Internet. DVMRP combines many of the features of RIP with Reverse Path Broadcasting (RPB).
  • Page 717 Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end-stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 718 Multicast Switching A process whereby the switch filters incoming multicast frames for services no attached host has registered for, or forwards them to all ports contained within the designated multicast VLAN group. Open Shortest Path First (OSPF) OSPF is a link state routing protocol that functions better over a larger network such as the Internet, as opposed to distance vector routing protocols such as RIP.
  • Page 719 Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
  • Page 720: Ec Declaration Of Conformity

    *Model Number: XGS3-24242
    * Produced by:
    Manufacturer's Name: Planet Technology Corp.
    Manufacturer's Address: 10F., No.96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.).
    is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive on (2004/108/EC).
  • Page 721
    *Model Number: XGS3-24042
    * Produced by:
    Manufacturer's Name: Planet Technology Corp.
    Manufacturer's Address: 10F., No.96, Minquan Rd., Xindian Dist., New Taipei City 231, Taiwan (R.O.C.).
    is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive on (2004/108/EC).

This manual is also suitable for:

Xgs3-24242