H3C S5600 Series Operation Manual
H3C S5600 Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20100630-C-1.00
Product Version: Release 1702

Summary of Contents for H3C S5600 Series

  • Page 1 H3C S5600 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 20100630-C-1.00 Product Version: Release 1702...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3: Table Of Contents

    Audience
    Part Organization
    New Features
    Conventions: Command conventions; GUI conventions; Symbols
    2 H3C S5600 Series Documentation Guide
    Obtaining the Documentation: CD-ROM; H3C Website; Software Release Notes
    Related Documentation
    Finding Documents at the H3C Website
    Documentation Feedback...
  • Page 4: About This Document

    About This Document The H3C S5600 Series Ethernet Switches Operation Manual, Release 1702 describes the software features available in the S5600 series software release 1702, and guides you through the software feature configuration procedures. Audience This document is for administrators who are configuring and maintaining the S5600 series switches.
  • Page 5 Part / Contents:
    09-Link Aggregation: Configuring a Manual Aggregation Group; Configuring a Static LACP Aggregation Group; Configuring a Dynamic LACP Aggregation Group
    10-Port Isolation: Configuring Port Isolation Group
    11-Port Security-Port: Setting the Maximum Number of Secure MAC Addresses Allowed on a Port; Setting the Port Security Mode; Configuring Port Security Features; Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode...
  • Page 6 Part / Contents:
    21-MAC Address Authentication: Basic MAC Address Authentication; Enhanced MAC Address Authentication
    22-VRRP: Virtual Router Redundancy Protocol (VRRP) Basic Configuration; VRRP Tracking
    23-ARP: Gratuitous ARP; ARP Attack Detection; Proxy ARP; Resilient ARP
    24-DHCP: DHCP Server; DHCP Relay Agent; DHCP Snooping; DHCP Packet Rate Limit; DHCP/BOOTP Client
    Basic ACLs...
  • Page 7: New Features

    Associating the HTTPS Service with a Certificate Attribute Access Control Policy; Associating the HTTPS Service with an ACL. New Features: H3C S5600 Series Ethernet Switches Operation Manual-Release 1702 and H3C S5600 Series Ethernet Switches Command Manual-Release 1702 are for software release 1702. See Table 1-2 for the new features introduced in release 1702.
  • Page 8 Part / New feature:
    05-IP Address and Performance: Canceling the system-defined ACLs for ICMP attack guard
    06-Voice VLAN: Configuring QoS priority settings for voice traffic on an interface
    08-Port Basic Configuration: Configuring loopback port auto-shutdown and loopback detection on Ethernet ports in bulk; Configuring storm suppression thresholds in kbps; Various types of characters in port descriptions
    09-Link Aggregation: Extended LACP function...
  • Page 9: Conventions

    Many or none can be selected. &<1-n> The argument(s) before the ampersand (&) sign can be entered 1 to n times. A line starting with the # sign contains comments. Command line interface (CLI) commands of H3C products are case insensitive. GUI conventions Convention Description Window names, button names, field names, and menu items are in Boldface.
  • Page 10: Symbols

    Convention Description Multi-level menus are separated by angle brackets. For example, File > Create > Folder. Symbols Convention Description Means reader be extremely careful. Improper operation may cause bodily injury. Means reader be careful. Improper operation may cause data loss or damage to equipment.
  • Page 11: H3C S5600 Series Documentation Guide

    Software release notes CD-ROM H3C delivers a CD-ROM together with each device. The CD-ROM contains a complete set of electronic documents of the product, including operation manuals and command manuals. After installing the reader program provided by the CD-ROM, you can search for the desired contents in a convenient way through the reader interface.
  • Page 12: Finding Documents At The H3C Website

    For hardware specifications, installation, and troubleshooting, see H3C S5600 Series Ethernet Switches Installation Manual. For typical application scenarios, configuration examples, and configuration guidelines, see Low-End Ethernet Switches Configuration Guides. Documentation Feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 13: Product Overview

    (PSL480-AD48P) An S5600 series switch provides one 2-port fabric port and one expansion module slot on its rear panel. The available expansion modules you can select include: 8-port 1000 Mbps SFP module, 1-port 10G XENPAK module, and 2-port 10G XFP module.
  • Page 14: Application In Large-Scaled/Campus Networks

    (for example, S3600 series switches), and connected to Layer 3 core upstream switches through the GE expansion module slot. In this way, the S5600 series can provide a full solution for building enterprise networks of various sizes (from Gigabit backbone network, 100 Mbps network to...
  • Page 15 Figure 3-2 Application in large-scaled/campus networks (layers shown: Core, Distribution, Access; devices shown: S7500, S5600, S3600)...
  • Page 16 What Is CLI?; Entering the CLI (Entering CLI Through the Console Port; Entering CLI Through Telnet); H3C Products CLI Descriptions (Command Conventions; CLI View Description); Tips on Using the CLI (Using the CLI Online Help; Command Line Error Information)...
  • Page 17: Cli Configuration

    1-1. Figure 1-1 Schematic diagram for the CLI Entering the CLI The H3C S5600 Series Ethernet switches provide multiple methods of entering the CLI, as follows: Through the console port. For more information, see Entering CLI Through the Console Port.
  • Page 18: Entering Cli Through The Console Port

    Entering CLI Through the Console Port When you use the CLI of an H3C switch for the first time, you can log in to the switch and enter the CLI through the console port only. Follow these steps to log in to your H3C switch and enter the CLI through the console port: Use the console cable shipped with your switch to connect your PC to your switch.
  • Page 19 Figure 1-3 Connection description Then, the Connect To window as shown in Figure 1-4 appears. Select the serial port you want to use from the Connect using drop-down list, and then click OK. Figure 1-4 Specify the serial port used to establish the connection The COM1 Properties window as shown in Figure 1-5 appears.
  • Page 20 Figure 1-5 Set the properties of the serial port The HyperTerminal window as shown in Figure 1-6 appears. Figure 1-6 The HyperTerminal window...
  • Page 21 Select File > Properties on the HyperTerminal window, and the Switch Properties window appears. Select the Settings tab as shown in Figure 1-7, select VT100 from the Emulation drop-down list, and then click OK. Figure 1-7 Select the emulation terminal on the Switch Properties window Press Enter on the HyperTerminal window.
  • Page 22: Entering Cli Through Telnet

    Telnet login as soon as possible, so that you can use a remote terminal to configure and manage your switch. Telnet login authentication methods In order to restrict the login to your switch, H3C provides three Telnet login authentication methods. Select a proper method according to your network conditions. Table 1-1 Telnet login authentication methods...
  • Page 23: H3C Products Cli Descriptions

    An H3C switch provides multiple VTY user interfaces. At one time, only one user can telnet to a VTY user interface. Because a remote terminal cannot select the VTY user interface through which it logs in to the switch, it is recommended that you configure all VTY user interfaces with the same authentication method.
  • Page 24: Cli View Description

    The argument(s) before the ampersand (&) sign can be entered 1 to n times. A line starting with the # sign contains comments. H3C command lines are case insensitive. Take the clock datetime time date command as an example to understand the command meaning...
  • Page 25 Table 1-3 lists the CLI views provided by S5600 Series Ethernet switches, operations that can be performed in different CLI views and the commands used to enter specific CLI views. Table 1-3 CLI views...
  • Page 26 (Table 1-3, continued)
    View | Available operation | Prompt example | Enter method | Quit method
    FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view. |
    SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view. |
    ... | Configure MST... | [Sysname-mst-regi... | Execute the stp region-configuratio... command... |
  • Page 27 (Table 1-3, continued)
    View | Available operation | Prompt example | Enter method | Quit method
    OSPF area view | Configure OSPF area parameters | [Sysname-ospf-1-area-0.0.0.1] | Execute the area command in OSPF view. | Execute the quit command to return to OSPF view. Execute the return command to return to user view.
  • Page 28: Tips On Using The Cli

    (Table 1-3, continued)
    View | Available operation | Prompt example | Enter method | Quit method
    HWPing test group view | Configure HWPing test group parameters | [Sysname-hwping-a123-a123] | Execute the hwping command in system view. |
    HWTACACS view | Configure HWTACACS parameters | [Sysname-hwtacacs-a123] | Execute the hwtacacs scheme command in system view. |
  • Page 29: Command Line Error Information

    boot        Set boot option
                Change current directory
    clock       Specify the system clock
    cluster     Run cluster command
    copy        Copy from one file to another
    debugging   Enable system debugging functions
    delete      Delete a file
                List files on a file system
    display     Display current system information
    ..omitted..
  • Page 30: Typing And Editing Commands

    Typing and Editing Commands Fuzzy match The H3C S5600 series Ethernet switches support fuzzy match for efficient input of commands. If in the current view, the character string you have typed can already uniquely identify a keyword, you do not need to type the complete keyword.
  • Page 31: Undo Form Of A Command

    Table 1-6 Access history commands
    To do… | Use the key/command… | Result
    Display history commands | display history-command | Displays valid history commands you used
    Access the previous history command | Up arrow key or Ctrl+P | Displays the previous history command, if any
    Access the next history command | Down arrow key or Ctrl+N | Displays the next history command, if any...
  • Page 32: Cli Configurations

    Action | Function
    Press Space | Displays the next screen.
    Press Enter | Displays the next line.
    Press Ctrl+C | Stops the display and the command execution.
    Press <Ctrl+E> | Moves the cursor to the end of the current line.
    Press <PageUp> | Displays the previous page.
    Press <PageDown>...
  • Page 33: Synchronous Information Output

    Synchronous Information Output Synchronous information output refers to the feature that if your input is interrupted by system output, then after the completion of system output the system displays a command line prompt and your input so far, and you can continue your operations from where you were stopped. Follow these steps to enable synchronous information output: To do…...
  • Page 34 Privilege | Description
    System | Provides service configuration commands, including routing and commands at each level of the network for providing services. By default, commands at this level include all configuration commands except for those at manage level.
    Manage | Involves commands that influence the basic operation of the system and the system support modules for service support.
  • Page 35: Saving Configurations

    TFTP server 192.168.0.1 and other TFTP servers. Saving Configurations Some commands in the CLI of H3C switches are one-time commands, such as display commands, which display specified information, and the reset commands, which clear specified information. These commands are executed one-time only and are not saved when the switch reboots.
  • Page 36 Table of Contents: 1 Logging In to an Ethernet Switch (Logging In to an Ethernet Switch; Introduction to the User Interface: Supported User Interfaces, User Interface Index, Common User Interface Configuration); 2 Logging In Through the Console Port (Introduction; Logging In Through the Console Port; Console Port Login Configuration)...
  • Page 37 4 Logging In Using a Modem (Introduction; Configuration on the Switch Side: Modem Configuration, Switch Configuration; Modem Connection Establishment); 5 Logging In Through the Web-based Network Management System (Introduction; Establishing an HTTP Connection; Configuring the Login Banner: Configuration Procedure, Configuration Example; Enabling/Disabling the WEB Server)...
  • Page 38 Configuration examples (Super password authentication configuration example; HWTACACS authentication configuration example)...
  • Page 39: Logging In To An Ethernet Switch

    Supported User Interfaces The auxiliary (AUX) port and the console port of an H3C low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 40: User Interface Index

    VTY user interfaces are numbered VTY0, VTY1, and so on. S5600 series Ethernet switches support Fabric. A Fabric can contain up to eight devices. Accordingly, the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7, through which all the console ports of the units in a Fabric can be identified.
  • Page 41 To do… | Use the command… | Remarks
    Enable copyright information displaying | copyright-info enable | Optional. By default, copyright displaying is enabled. That is, the copyright information is displayed on the terminal after a user logs in successfully.
    Enter user interface view | user-interface [ type ] first-number | —...
  • Page 42: Logging In Through The Console Port

    Logging In Through the Console Port Go to these sections for information you are interested in: Introduction Logging In Through the Console Port Console Port Login Configuration Console Port Login Configuration with Authentication Mode Being None Console Port Login Configuration with Authentication Mode Being Password Console Port Login Configuration with Authentication Mode Being Scheme Introduction To log in through the console port is the most common way to log in to a switch.
  • Page 43 If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
  • Page 44 Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
  • Page 45: Console Port Login Configuration

    Console Port Login Configuration
    Common Configuration
    Table 2-2 Common configuration of console port login
    Configuration | Remarks
    Console port: Baud rate | Optional. The default baud rate is 9,600 bps.
    Console port: Check mode | Optional. By default, the check mode of the console port is set to "none", which means no check bit.
  • Page 46: Console Port Login Configurations For Different Authentication Modes

    Console Port Login Configurations for Different Authentication Modes
    Table 2-3 Console port login configurations for different authentication modes
    Authentication mode | Console port login configuration | Remarks
    None | Perform common configuration for console port login | Optional. Perform common configuration. Refer to Table 2-2.
    Password | Configure the password for... | Configure the...
  • Page 47 To do… | Use the command… | Remarks
    Configure not to authenticate users | authentication-mode none | Required. By default, users logging in through the console port (AUX user interface) are not authenticated.
    Set the baud rate | speed speed-value | Optional. The default baud rate of a console port is 9,600 bps.
  • Page 48: Configuration Example

    Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet, and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface).
  • Page 49: Console Port Login Configuration With Authentication Mode Being Password

    Console Port Login Configuration with Authentication Mode Being Password
    Configuration Procedure
    Follow these steps to configure console port login with the authentication mode being password:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter AUX user interface view | user-interface aux 0 | —...
  • Page 50: Configuration Example

    To do… | Use the command… | Remarks
    Set the timeout time for the user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
  • Page 51: Console Port Login Configuration With Authentication Mode Being Scheme

    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the console port to 19,200 bps.
    [Sysname-ui-aux0] speed 19200
    # Set the maximum number of lines the screen can contain to 30.
  • Page 52 To do… | Use the command… | Remarks
    Configure to authenticate users locally or remotely | authentication-mode scheme [ command-authorization ] | Required. The specified AAA scheme determines whether to authenticate users locally or remotely. By default, users logging in through the console port (AUX user interface) are not authenticated.
  • Page 53: Configuration Example

    Configuration Example Network requirements Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface). Configure the local user name as guest.
  • Page 54
    [Sysname-ui-aux0] speed 19200
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-aux0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
    [Sysname-ui-aux0] history-command max-size 20
    # Set the timeout time of the AUX user interface to 6 minutes.
    [Sysname-ui-aux0] idle-timeout 6
    After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in...
  • Page 55: Logging In Through Telnet/Ssh

    Telnet Configuration with Authentication Mode Being Password Introduction S5600 series Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
  • Page 56: Common Configuration

    Common Configuration
    Table 3-2 Common Telnet configuration
    Configuration | Description
    VTY user interface: Configure the command level available to users logging in to the VTY user interface | Optional. By default, commands of level 0 are available to users logging in to a VTY user interface.
    VTY user interface: Configure the protocols the user... | Optional...
  • Page 57: Telnet Configuration With Authentication Mode Being None

    Authentication mode | Telnet configuration | Description
    None | Perform common Telnet configuration | Optional. Perform common configuration. Refer to Table 3-2.
    To improve security and prevent attacks on the unused sockets, TCP 23 and TCP 22, the ports for the Telnet and SSH services respectively, are enabled or disabled after the corresponding configurations. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
  • Page 58: Configuration Example

    To do… | Use the command… | Remarks
    Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 59: Telnet Configuration With Authentication Mode Being Password

    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging in to VTY 0.
    [Sysname-ui-vty0] authentication-mode none
    # Specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure the Telnet protocol to be supported.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
  • Page 60: Configuration Example

    To do… | Use the command… | Remarks
    Set the history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
    Set the timeout time for the user interface | idle-timeout minutes [ seconds ] | Optional. The default timeout time of a user interface is 10 minutes.
  • Page 61: Telnet Configuration With Authentication Mode Being Scheme

    # Specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure the Telnet protocol to be supported.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-vty0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
  • Page 62 To do… | Use the command… | Remarks
    Configure the command level available to users logging in to the user interface | user privilege level level | Optional. By default, commands of level 0 are available to users logging in to the VTY user interfaces.
    Configure the supported protocol | protocol inbound { all | ssh | ... | Optional...
  • Page 63: Configuration Example

    Scenario (authentication mode / user type / command) | Command level
    The user privilege level level command is executed, and the service-type command does not specify the available command level. | Level 0
    The user privilege level level command is executed, and the service-type command specifies the available command level. | Determined by the service-type command
  • Page 64: Telnetting To A Switch

    Set the authentication password of the local user to 123456 (in plain text). Set the service type of VTY users to Telnet and the command level to 2. Configure to authenticate users logging in to VTY 0 in scheme mode. Only Telnet protocol is supported in VTY 0.
  • Page 65 9,600 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
  • Page 66 <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says "All user interfaces are used, please try later!". An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
  • Page 67: Telnetting To Another Switch From The Current Switch

    Telnetting to another Switch from the Current Switch You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are on the same network segment, or that a route between the two VLAN interfaces is available.
  • Page 68: Logging In Using A Modem

    Logging In Using a Modem Go to these sections for information you are interested in: Introduction Configuration on the Switch Side Modem Connection Establishment Introduction If the remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can log in to its console port using a modem through the PSTN, and configure and maintain the switch remotely.
  • Page 69: Switch Configuration

    The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 70 Figure 4-1 Establish the connection by using modems (components shown: modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285). Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 71 Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
  • Page 72: Introduction

    Logging In Through the Web-based Network Management System Go to these sections for information you are interested in: Introduction Establishing an HTTP Connection Configuring the Login Banner Enabling/Disabling the WEB Server Introduction An S5600 Ethernet switch has a Web server built in. It enables you to log in to an S5600 Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 73: Configuring The Login Banner

    [Sysname-luser-admin] password simple admin Establish an HTTP connection between your PC and the switch, as shown in Figure 5-1. Figure 5-1 Establish an HTTP connection between your PC and the switch Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 74: Configuration Example

    Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 5-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
  • Page 75 To do… Use the command… Remarks
    Enable the Web server: undo ip http shutdown (Required; by default, the Web server is enabled.)
    Disable the Web server: ip http shutdown (Required)
    To improve security and prevent attacks on unused sockets, TCP port 80 (used by the HTTP service) is opened or closed along with the corresponding configuration.
  • Page 76: Logging In Through Nms

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
  • Page 77: Configuring Source Ip Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure the source IP address for Telnet service packets for an S5600 switch operating as a Telnet client.
  • Page 78: Displaying Source Ip Address Configuration

    The IP address specified is that of a Layer 3 interface of the local device. Otherwise, the system prompts configuration failure. The source interface specified must exist. Otherwise, the system prompts configuration failure. Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets.
  • Page 79: User Control

    User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
  • Page 80: Controlling Telnet Users By Source Ip Addresses

    Controlling Telnet Users by Source IP Addresses Controlling Telnet users by source IP addresses is achieved by applying basic ACLs, which are numbered from 2000 to 2999. Follow these steps to control Telnet users by source IP addresses: To do… Use the command…...
  • Page 81: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Follow these steps to control Telnet users by source MAC addresses: To do… Use the command…...
  • Page 82: Controlling Network Management Users By Source Ip Addresses

    Controlling Network Management Users by Source IP Addresses You can manage an S5600 Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 83: Controlling Web Users By Source Ip Address

    Network diagram Figure 8-2 Network diagram for controlling SNMP users using ACLs (Host A at 10.110.100.46 and Host B at 10.110.100.52 reach the switch across an IP network). Configuration procedure
    # Define a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL so that only SNMP users sourced from IP address 10.110.100.52 are permitted to access the switch.
  • Page 84: Disconnecting A Web User By Force

    To do… Use the command… Remarks
    Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ] (Required)
    Quit to system view: quit
    Apply the ACL to control Web users: ip http acl acl-number (Optional; by default, no ACL is applied for Web users.)
  • Page 85: Switching User Level

    Switching User Level Overview Users can switch their user privilege level temporarily without logging out and disconnecting the current connection. After the switch, users can continue to configure the device without logging in and being authenticated again, but the set of commands they can execute changes. For example, if the current user privilege level is 3, the user can configure system parameters;...
  • Page 86: Adopting Super Password Authentication For User Level Switching

    To do… Use the command… Remarks
    Enter user interface view: user-interface [ type ] first-number [ last-number ]
    Specify the authentication mode for user level switching (Optional; these configurations will take effect on the current user...):
    Super password authentication: super authentication-mode super-password
    HWTACACS authentication: super authentication-mode scheme
    Super password authentication...
  • Page 87: Adopting Hwtacacs Authentication For User Level Switching

    The super password is for level switching only and is different from the login password. Adopting HWTACACS authentication for user level switching To implement HWTACACS authentication for user level switching, a level-3 user must perform the commands listed in the following table to configure the HWTACACS authentication scheme used for low-to-high user level switching.
  • Page 88: Hwtacacs Authentication Configuration Example

    If no user level is specified in the super password command or the super command, level 3 is used by default. For security purposes, the password you enter is not displayed when you switch to another user level. If you fail to enter the correct authentication information three times, you remain at the original user level.
  • Page 89 [Sysname-ui-vty0] quit # Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system. [Sysname] domain system [Sysname-isp-system] authentication super hwtacacs-scheme acs A VTY 0 user switches its level to level 3 after logging in. # Switch to user level 3 (assuming that you log into the switch as a VTY 0 user by Telnet).
  • Page 90 Table of Contents: 1 Configuration File Management 1-1; Introduction to Configuration File 1-1; Configuration Task List 1-2; Saving the Current Configuration 1-2; Erasing the Startup Configuration File 1-4; Specifying a Configuration File for Next Startup 1-4; Displaying Switch Configuration 1-5...
  • Page 91: Configuration File Management

    Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores the user configurations performed on a switch. It also enables users to check switch configurations easily.
  • Page 92: Configuration Task List

    When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attribute of the file.
  • Page 93 Modes in saving the configuration Fast saving mode. This is the mode used when you issue the save command without the safely keyword. It saves the file faster, but the original configuration file is likely to be lost if the switch reboots or the power fails during the process.
  • Page 94: Erasing The Startup Configuration File

    It is recommended to use the fast saving mode when the power supply is stable, and the safe mode when the power supply is unstable or during remote maintenance. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
  • Page 95: Displaying Switch Configuration

    You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
  • Page 96 Table of Contents: 1 VLAN Overview 1-1; VLAN Overview 1-1; Introduction to VLAN 1-1; Advantages of VLANs 1-2; VLAN Fundamentals 1-2; VLAN Interface 1-4; VLAN Classification 1-4; Port-Based VLAN 1-4; Link Types of Ethernet Ports 1-4; Assigning an Ethernet Port to Specified VLANs 1-5; Configuring the Default VLAN ID for a Port 1-5; Protocol-Based VLAN 1-6; Introduction to Protocol-Based VLAN 1-6...
  • Page 97: Vlan Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN Protocol-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 98: Advantages Of Vlans

    Figure 1-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
  • Page 99 A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
  • Page 100: Vlan Interface

    Link Types of Ethernet Ports The link type of an Ethernet port on the S5600 series can be one of the following: Access: An access port can belong to only one VLAN, and is generally connected to a user PC.
  • Page 101: Assigning An Ethernet Port To Specified Vlans

    Trunk: A trunk port can belong to more than one VLAN. It can forward packets for multiple VLANs, and is generally connected to another switch. Hybrid: A hybrid port can belong to more than one VLAN to forward packets for multiple VLANs. It can be connected to either a switch or a user PC.
  • Page 102: Protocol-Based Vlan

    Table 1-2 Packet processing of a trunk port
    Processing of an incoming untagged packet: If the port has already been added to its default VLAN, tag the...
    Processing of an incoming tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass...
    Processing of an outgoing packet: If the VLAN ID is just the...
  • Page 103 The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields. The H3C S5600 series switches recognize packets with the value of the type field being in the range 0x05DD to 0x05FF as 802.2/802.3 encapsulated packets.
  • Page 104 Figure 1-7 802.2 LLC encapsulation format The DSAP field and the SSAP field in the 802.2 LLC encapsulation are used to identify the upper layer protocol. For example, if the two fields are both 0xE0, the upper layer protocol is IPX protocol. 802.2 Sub-Network Access Protocol (SNAP) encapsulation: encapsulates packets according to the 802.3 standard packet format, including the length, DSAP, SSAP, control, organizationally unique identifier (OUI), and protocol-ID (PID) fields.
  • Page 105: Procedure For The Switch To Judge Packet Protocol

    Procedure for the Switch to Judge Packet Protocol Figure 1-9 Protocol identification procedure Encapsulation Formats Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are type values of these protocols. Table 1-4 Encapsulation formats Encapsulation (left) Ethernet II 802.3 raw 802.2 LLC 802.2 SNAP...
  • Page 106: Implementation Of Protocol-Based Vlan

    Implementation of Protocol-Based VLAN S5600 series Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template. The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
  • Page 107: Vlan Configuration

    VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration Configuring a Port-Based VLAN Configuring a Protocol-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task Remarks Basic VLAN Configuration Required...
  • Page 108: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 109: Displaying Vlan Configuration

    The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. Displaying VLAN Configuration To do... Use the command... Remarks
    Display the VLAN interface information: display interface Vlan-interface [ vlan-id ] (Available in any view.)
  • Page 110: Assigning An Ethernet Port To A Vlan

    To change the link type of a port from trunk to hybrid or vice versa, you need to set the link type to access first. You can use the port link-type irf-fabric command to configure fabric ports. For information about this command, refer to the IRF Fabric module in this manual.
  • Page 111: Displaying And Maintaining Port-Based Vlan

    Follow these steps to configure the default VLAN for a port: To do… Use the command… Remarks
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Configure the default VLAN (Optional; VLAN 1 is the default...):
    Trunk port: port trunk pvid vlan vlan-id
    Hybrid port: port hybrid pvid vlan vlan-id...
  • Page 112: Configuration Procedure

    Network diagram Figure 2-1 Network diagram for VLAN configuration (Server1 and Server2 attach to Switch A and Switch B; ports shown: GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13). Configuration procedure Configure Switch A. # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100. <SwitchA>...
  • Page 113: Configuring A Protocol-Based Vlan

    [SwitchB-vlan200] description Dept2
    [SwitchB-vlan200] port GigabitEthernet1/0/11 GigabitEthernet 1/0/12
    [SwitchB-vlan200] quit
    Configure the link between Switch A and Switch B. Because the link between Switch A and Switch B needs to carry traffic of both VLAN 100 and VLAN 200, you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports.
  • Page 114: Associating A Port With A Protocol-Based Vlan

    To do... Use the command... Remarks
    Configure the protocol template for the VLAN: protocol-vlan [ protocol-index ] { at | ip | ipx { ethernetii | llc | raw | snap } | mode { ethernetii etype etype-id | llc dsap dsap-id ssap ssap-id | snap etype etype-id } } (Required; by default, no protocol template is configured for the VLAN.)
  • Page 115: Displaying Protocol-Based Vlan Configuration

    Configuration procedure Follow these steps to associate a port with the protocol-based VLAN: To do... Use the command... Remarks
    Enter system view: system-view
    Enter port view: interface interface-type interface-number
    Associate the port with the specified protocol-based VLAN: port hybrid protocol-vlan vlan vlan-id { protocol-index [ to... (Required; by default, a port is not associated...
  • Page 116 Network diagram Figure 2-2 Network diagram for protocol-based VLAN configuration (IP Server on GE1/0/11, AppleTalk Server on GE1/0/12, and a workroom with an IP Host and an AppleTalk Host on GE1/0/10). Configuration procedure # Create VLAN 100 and VLAN 200, and add GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively. <Switch>...
  • Page 117 # Configure GigabitEthernet 1/0/10 as a hybrid port, which removes the VLAN tag of the packets of VLAN 100 and VLAN 200 before forwarding the packets. [Switch-vlan100] quit [Switch] interface GigabitEthernet 1/0/10 [Switch-GigabitEthernet1/0/10] port link-type hybrid [Switch-GigabitEthernet1/0/10] port hybrid vlan 100 200 untagged # Associate GigabitEthernet 1/0/10 with protocol template 0 and 1 of VLAN 100, and protocol template 0 of VLAN 200.
  • Page 118 Table of Contents: 1 IP Addressing Configuration 1-1; IP Addressing Overview 1-1; IP Address Classes 1-1; Special Case IP Addresses 1-2; Subnetting and Masking 1-2; Configuring IP Addresses 1-3; Displaying IP Addressing Configuration 1-4; IP Address Configuration Examples 1-4; IP Address Configuration Example I 1-4; IP Address Configuration Example II 1-5; 2 IP Performance Configuration 2-1; IP Performance Overview 2-1...
  • Page 119: Ip Addressing Configuration

    IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration IP Address Configuration Examples IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary.
  • Page 120: Special Case Ip Addresses

    Table 1-1 IP address classes and ranges (Class, Address range, Description). Address 0.0.0.0 means “this host on this network”. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
  • Page 121: Configuring Ip Addresses

    255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively. Configuring IP Addresses S5600 Series Ethernet Switches support assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP as alternatives. If you change the way an interface obtains an IP address, from manual assignment to BOOTP for example, the IP address obtained from BOOTP will overwrite the old one manually assigned.
  • Page 122: Displaying Ip Addressing Configuration

    To do… Use the command… Remarks
    Assign an IP address to the interface: ip address ip-address { mask | mask-length } [ sub ] (Required; no IP address is assigned by default.)
    You can assign at most seven IP addresses to an interface, one of which is the primary IP address and the others are secondary IP addresses.
  • Page 123: Ip Address Configuration Example Ii

    [Switch] interface Vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 IP Address Configuration Example II Network requirements As shown in Figure 1-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the switch, and to enable the hosts on the LAN to communicate with each other, do the following: Assign two IP addresses to VLAN-interface 1 on the switch.
  • Page 124 --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms The output information shows the switch can communicate with the hosts on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 from the switch to check the connectivity. <Switch>...
  • Page 125: Ip Performance Configuration

    IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by S5600 Series Ethernet Switches includes: Configuring TCP attributes Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network...
  • Page 126: Configuring Tcp Attributes

    Forwarding of directed broadcasts to a directly connected network is disabled on S5600 series Ethernet switches by default. However, you should enable the feature when: Using the UDP Helper function to convert broadcasts to unicasts and forward them to a specified server.
  • Page 127: Disabling Icmp To Send Error Packets

    Follow these steps to enable the switch to receive and forward directed broadcasts: To do… Use the command… Remarks
    Enter system view: system-view
    Enable the device to receive directed broadcasts: ip forward-broadcast (Required; disabled by default.)
    Enter VLAN interface view: interface Vlan-interface vlan-id
    Enable the device to forward...
  • Page 128: Canceling The System-Defined Acls For Icmp Attack Guard

    Canceling the System-Defined ACLs for ICMP Attack Guard ICMP attacks are common in networks. To guard against malicious ICMP attacks, the device pre-defines some ACLs to match the incoming ICMP packets and process them separately, thus reducing ICMP attacks’ impact on normal data packets and increasing network stability. In a secure network, you can cancel the system-defined ACLs for ICMP attack guard, and thus increase the available ACL resources.
  • Page 129: Ip Performance Configuration Example

    To do… Use the command… Remarks
    Display the FIB entries in the buffer that begin with, include, or exclude the specified character string: display fib | { begin | include | exclude } regular-expression
    Display the FIB entries filtered through a specific prefix list: display fib ip-prefix ip-prefix-name
    Display the total number of FIB...
  • Page 130 <SwitchB> system-view [SwitchB] ip forward-broadcast # Configure a static route to Host. [SwitchB] ip route-static 1.1.1.1 24 2.2.2.2 # Configure an IP address for VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 2.2.2.1 24 After the above configurations, if you ping the subnet broadcast address 2.2.2.255 on Host, the ping packets can be received by VLAN-interface 2 of Switch B.
  • Page 131 1 Voice VLAN Configuration 1-1; Voice VLAN Overview 1-1; How an IP Phone Works 1-1; How S5600 Series Switches Identify Voice Traffic 1-3; Setting the Voice Traffic Transmission Priority 1-4; Configuring Voice VLAN Assignment Mode of a Port 1-4; Support for Voice VLAN on Various Ports 1-4; Security Mode of Voice VLAN 1-6...
  • Page 132: Voice Vlan Configuration

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice traffic and voice quality.
  • Page 133 Refer to DHCP Operation for information about the Option184 field. The following describes how an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
  • Page 134: How S5600 Series Switches Identify Voice Traffic

    NCP is reachable to the IP address to be set. How S5600 Series Switches Identify Voice Traffic S5600 series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the packet is considered a voice packet.
  • Page 135: Setting The Voice Traffic Transmission Priority

    (Last row of the OUI table: Number / OUI address 00e0-bb00-0000 / Vendor 3Com phones.) Setting the Voice Traffic Transmission Priority In order to improve transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows: Set the CoS (802.1p) priority to 6. Set the DSCP value to 46.
  • Page 136 For different types of IP phones, the support for voice VLAN varies with port types and port configuration. For IP phones capable of acquiring IP address and voice VLAN automatically, the support for voice VLAN is described in Table 1-2. Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN...
  • Page 137: Security Mode Of Voice Vlan

    VLANs whose traffic is permitted by the access port. Security Mode of Voice VLAN On S5600 series Ethernet switches, a voice VLAN can operate in the security mode. Voice VLANs operating in this mode only permit voice data, enabling you to perform voice traffic-specific priority configuration.
  • Page 138: Configuring The Voice Vlan To Operate In Automatic Voice Vlan Assignment Mode

    To do... Use the command... Remarks
    Configure the interface to trust the QoS priority settings in incoming voice traffic, that is, not to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN: voice vlan qos trust (Required; use either command. By default, an interface modifies the CoS value and the DSCP value marked for voice VLAN traffic into 6...
  • Page 139: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    A port working in automatic voice VLAN assignment mode cannot be assigned to the voice VLAN manually. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN function cannot be bound with the port. For information about protocol-based VLANs, refer to VLAN Configuration in this manual.
  • Page 140 To do… Use the command… Remarks
    Enter port view: interface interface-type interface-number (Required)
    Enable voice VLAN on a port: voice vlan enable (Required; by default, voice VLAN is disabled on a port.)
    Enable the voice VLAN legacy function on the port: voice vlan legacy (Optional; by default, voice VLAN...
  • Page 141: Displaying And Maintaining Voice Vlan

    VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between an H3C device and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 142: Voice Vlan Configuration Example

    Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
  • Page 143: Voice Vlan Configuration Example (Manual Voice Vlan Assignment Mode)

    # Configure VLAN 6 as the default VLAN of GigabitEthernet 1/0/1, and configure GigabitEthernet 1/0/1 to permit packets with the tag of VLAN 6.
    [DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 6
    [DeviceA-GigabitEthernet1/0/1] port hybrid vlan 6 tagged
    # Enable the voice VLAN function on GigabitEthernet 1/0/1.
    [DeviceA-GigabitEthernet1/0/1] voice vlan enable
    Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements...
  • Page 144 # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
    <DeviceA> display voice vlan oui
    Oui Address     Mask            Description
    0003-6b00-0000  ffff-ff00-0000  Cisco phone
    000f-e200-0000  ffff-ff00-0000  H3C Aolynk phone
    0011-2200-0000  ffff-ff00-0000  test
    00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
    00e0-7500-0000  ffff-ff00-0000  Polycom phone
    00e0-bb00-0000  ...
  • Page 145 Table of Contents: 1 GVRP Configuration 1-1; Introduction to GVRP 1-1; GARP 1-1; GVRP 1-4; Protocol Specifications 1-4; GVRP Configuration 1-4; GVRP Configuration Tasks 1-4; Enabling GVRP 1-4; Configuring GVRP Timers 1-5; Configuring GVRP Port Registration Mode 1-6; Displaying and Maintaining GVRP 1-6; GVRP Configuration Example 1-7; GVRP Configuration Example 1-7...
  • Page 146: Gvrp Configuration

    GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 147 Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN. GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 148 Figure 1-1 Format of GARP packets. The following table describes the fields of a GARP packet. Table 1-1 Description of GARP packet fields (Field / Description / Value): Protocol ID; Protocol ID. Message; each message consists of two parts, Attribute Type and Attribute List. Attribute Type; defined by the specific GARP; the attribute type of GVRP is 0x01.
  • Page 149: Gvrp

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 150: Configuring Gvrp Timers

    Configuration procedure. Follow these steps to enable GVRP (To do ... / Use the command ... / Remarks): Enter system view; system-view. Enable GVRP globally; gvrp; Required (by default, GVRP is disabled globally). Enter Ethernet port view; interface interface-type interface-number. Enable GVRP on the port; gvrp; Required...
  • Page 151: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers (Timer / Lower threshold / Upper threshold): Hold; lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the timeout time of the Join timer (you can change the threshold by changing the timeout time of the Join timer). The next timer's lower threshold is greater than or equal to twice the timeout time of the Hold...; its upper threshold is less than one-half of...
  • Page 152: Gvrp Configuration Example

    To do … / Use the command … / Remarks: Display the settings of the GARP timers; display garp timer [ interface interface-list ]. Display GVRP statistics; display gvrp statistics [ interface interface-list ]. Display the global GVRP status; display gvrp status. Clear GARP statistics; reset garp statistics [ interface interface-list ]...
  • Page 153
    [SwitchA] interface GigabitEthernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type trunk
    [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet1/0/2.
    [SwitchA-GigabitEthernet1/0/2] gvrp
    [SwitchA-GigabitEthernet1/0/2] quit
    # Configure GigabitEthernet1/0/3 to be a trunk port and to permit the packets of all the VLANs.
    [SwitchA] interface GigabitEthernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type trunk
    [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all...
  • Page 154 The following dynamic VLANs exist: Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
    # Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode.
    [SwitchE] interface GigabitEthernet 1/0/1
    [SwitchE-GigabitEthernet1/0/1] gvrp registration fixed
    # Display the VLAN information dynamically registered on Switch A.
  • Page 155 Table of Contents: 1 Port Basic Configuration 1-1; Ethernet Port Configuration 1-1; Initially Configuring a Port 1-1; Configuring Port Auto-Negotiation Speed 1-2; Limiting Traffic on Individual Ports 1-3; Enabling Flow Control on a Port 1-3; Duplicating the Configuration of a Port to Other Ports 1-4; Configuring Loopback Detection for an Ethernet Port 1-4; Enabling Loopback Test 1-6; Enabling the System to Test Connected Cable 1-7...
  • Page 156: Port Basic Configuration

    Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration The configuration of loopback port auto-shutdown and loopback detection on Ethernet ports in bulk is added.
  • Page 157: Configuring Port Auto-Negotiation Speed

    To do... / Use the command... / Remarks: Set the medium dependent interface (MDI) mode of the Ethernet port; mdi { across | auto | normal }; Optional (by default, the MDI mode of the port is auto). Currently, the devices do not support across or normal mode.
  • Page 158: Limiting Traffic On Individual Ports

    Only combo optical ports on the front panel of the device support the auto-negotiation speed configuration feature. And ports on the extended interface card do not support this feature currently. After you configure auto-negotiation speed(s) for a port, if you execute the undo speed command or the speed auto command, the auto-negotiation speed setting of the port restores to the default setting.
  • Page 159: Duplicating The Configuration Of A Port To Other Ports

    The peer switch will stop sending packets to the local switch or temporarily reduce its sending rate when it receives the message, and vice versa. In this way, packet loss is avoided and the network service operates normally. Follow these steps to enable flow control on a port: To do...
  • Page 160 If a loop is found on an access port, the system will set the port to the block state (ports in this state cannot forward data packets), send log and trap messages to the terminal, and remove the corresponding MAC forwarding entry. If you have additionally enabled the loopback port auto-shutdown function on the port, the system will shut down the port, and send log and trap messages to the terminal.
  • Page 161: Enabling Loopback Test

    Operation / Command / Remarks: Enable loopback port control on the trunk or hybrid port; loopback-detection control enable; Optional (by default, the loopback port control function is disabled on ports). Enable the loopback port auto-shutdown function; loopback-detection shutdown enable; Optional (by default, the loopback port auto-shutdown function is disabled).
  • Page 162: Enabling The System To Test Connected Cable

    external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 1000M port, the self-loop header is made from the eight cores of an 8-core cable), so that the packets forwarded by the port are received by the port itself. The external loop test can locate hardware failures on the port.
  • Page 163: Enabling Giant-Frame Statistics Function

    during the specified interval and displays the average rates in the interval. For example, if you set this interval to 100 seconds, the displayed information is as follows: Last 100 seconds input: 0 packets/sec 0 bytes/sec Last 100 seconds output: 0 packets/sec 0 bytes/sec Follow these steps to set the interval to perform statistical analysis on port traffic: To do...
  • Page 164: Configuring Storm Control On A Port

    To do... / Use the command... / Remarks: Disable a port from generating UP/Down log; undo enable log updown; Required (by default, UP/Down log output is enabled). Configuring Storm Control on a Port. The storm control function is used to control traffic received on an Ethernet port. With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast/unicast traffic on the port.
  • Page 165: Setting The Port State Change Delay

    If the fabric function is enabled on a port of a device, you cannot configure the storm control function on all ports of the device. If the broadcast-suppression command, multicast-suppression command or unicast suppression command is configured on a port, you cannot configure the storm control function on the port, and vice versa.
  • Page 166: Displaying And Maintaining Basic Port Configuration

    To do … / Use the command … / Remarks: Set the port state change delay; link-delay delay-time; Required (defaults to 0, which indicates that no delay is introduced). The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP.
  • Page 167: Troubleshooting Ethernet Port Configuration

    Allow the packets of VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 to pass both GigabitEthernet1/0/1. Network diagram Figure 1-1 Network diagram for Ethernet port configuration Configuration procedure Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A.
  • Page 168 Table of Contents: 1 Link Aggregation Configuration 1-1; Overview 1-1; Introduction to Link Aggregation 1-1; Introduction to LACP 1-1; Operational Key 1-2; Consistency Considerations for the Ports in Aggregation 1-2; Link Aggregation Classification 1-3; Manual Aggregation Group 1-3; Static LACP Aggregation Group 1-4; Dynamic LACP Aggregation Group 1-5; Aggregation Group Categories 1-5; Link Aggregation Configuration 1-7; Configuring a Manual Aggregation Group 1-7...
  • Page 169: Link Aggregation Configuration

    Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example The extended LACP function is added to this manual. For the detailed introduction, refer to Extended LACP function.
  • Page 170: Operational Key

    LACP multi-active detection (MAD) mechanism in an Intelligent Resilient Framework (IRF) stack. S5600 series that support extended LACP functions can be used as an IRF member device or an intermediate device in LACP MAD implementation. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see the IRF Fabric operation.
  • Page 171: Link Aggregation Classification

    TPID on the ports State of inner-to-outer tag priority replication (enabled or disabled) The S5600 series Ethernet switches support cross-device link aggregation if IRF fabric is enabled. Link Aggregation Classification Depending on different aggregation modes, the following three types of link aggregation exist:...
  • Page 172: Static Lacp Aggregation Group

    Among the ports in an aggregation group that are in up state, the system selects as the master port the one whose setting ranks highest in the following descending order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The ports whose rate, duplex mode and link type are the same as those of the master port are selected ports, and the rest are unselected ports.
  • Page 173: Dynamic Lacp Aggregation Group

    Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add/remove ports to/from it. Ports can be aggregated into a dynamic aggregation group only when they are connected to the same peer device and have the same speed, duplex mode, and basic configurations, and their peer ports have the same configurations.
  • Page 174 For IP packets, the system will implement load-sharing based on source IP address and destination IP address; For non-IP packets, the system will implement load-sharing based on source MAC address and destination MAC address. In general, the system only provides limited load-sharing aggregation resources, so the system needs to reasonably allocate the resources among different aggregation groups.
  • Page 175: Link Aggregation Configuration

    Link Aggregation Configuration The commands of link aggregation cannot be configured together with the commands of the port loopback detection feature. The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
  • Page 176: Configuring A Static Lacp Aggregation Group

    Note that: When creating an aggregation group: If the aggregation group you are creating already exists but contains no port, its type will change to the type you set. If the aggregation group you are creating already exists and contains ports, the possible type changes may be: changing from dynamic or static to manual, and changing from dynamic to static;...
  • Page 177: Configuring A Dynamic Lacp Aggregation Group

    For a static LACP aggregation group or a manual aggregation group, you are recommended not to cross cables between the two devices at the two ends of the aggregation group. For example, suppose port 1 of the local device is connected to port 2 of the peer device. To avoid cross-connecting cables, do not connect port 2 of the local device to port 1 of the peer device.
  • Page 178: Configuring A Description For An Aggregation Group

    Configuring a Description for an Aggregation Group. To do… / Use the command… / Remarks: Enter system view; system-view. Configure a description for an aggregation group; link-aggregation group agg-id description agg-name; Optional (by default, no description is configured for an aggregation group).
  • Page 179 Network diagram Figure 1-1 Network diagram for link aggregation configuration Configuration procedure The following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation. Adopting manual aggregation mode # Create manual aggregation group 1. <Sysname>...
  • Page 180 Adopting dynamic LACP aggregation mode
    # Enable LACP on GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3.
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] lacp enable
    [Sysname-GigabitEthernet1/0/1] quit
    [Sysname] interface GigabitEthernet 1/0/2
    [Sysname-GigabitEthernet1/0/2] lacp enable
    [Sysname-GigabitEthernet1/0/2] quit
    [Sysname] interface GigabitEthernet1/0/3
    [Sysname-GigabitEthernet1/0/3] lacp enable
    The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
  • Page 181 Table of Contents: 1 Port Isolation Configuration 1-1; Port Isolation Overview 1-1; Port Isolation Configuration 1-1; Displaying and Maintaining Port Isolation Configuration 1-2; Port Isolation Configuration Example 1-2...
  • Page 182: Port Isolation Configuration

    The ports in an isolation group must reside on the same switch or different units of an IRF fabric. Currently, you can create only one isolation group on an S5600 Series Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
  • Page 183: Port Isolation Configuration Example

    S5600 series Ethernet switches support cross-device port isolation if IRF fabric is enabled. For S5600 series Ethernet switches belonging to the same IRF Fabric, the port isolation configuration performed on a port of a cross-device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units.
  • Page 184 Network diagram: Figure 1-1 Network diagram for port isolation configuration (Internet, GE1/0/1, Switch). Configuration procedure
    # Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface GigabitEthernet1/0/2
    [Sysname-GigabitEthernet1/0/2] port isolate
    [Sysname-GigabitEthernet1/0/2] quit
    [Sysname] interface GigabitEthernet1/0/3
    [Sysname-GigabitEthernet1/0/3] port isolate...
  • Page 185 Table of Contents: 1 Port Security Configuration 1-1; Port Security Overview 1-1; Introduction 1-1; Port Security Modes 1-2; Port Security Features 1-8; Port Security Configuration Task List 1-9; Enabling Port Security 1-9; Setting the Maximum Number of Secure MAC Addresses Allowed on a Port 1-10; Setting the Port Security Mode...
  • Page 186: Port Security Configuration

    Port Security Configuration The following new features are added: The port in the macAddressOrUserLoginSecure mode supports guest VLAN configuration. For more information, see Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode. The secure MAC addresses that the port learns automatically support aging. For more information, see Configuring an aging time for learned secure MAC address entries.
  • Page 187: Port Security Modes

    With port security enabled, packets whose source MAC addresses cannot be learned by your switch in a security mode are considered illegal packets; the events that cannot pass 802.1X authentication or MAC authentication are considered illegal. Upon detection of illegal frames or events, the switch takes the pre-defined action automatically.
  • Page 188 autoLearn mode vs. secure mode In autoLearn mode, a port can learn MAC addresses. These dynamically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the mac-address security command. A secure MAC address never ages out by default.
  • Page 189 Figure 1-1 Packet processing and mode transition in autoLearn mode and secure mode (flowchart: the port receives a packet; checks the security mode, secure mode or autoLearn mode; checks whether the source MAC is in the MAC address table; in autoLearn mode, saves the source MAC as a secure MAC address and may change the security mode).
  • Page 190 For description of 802.1X authentication, refer to 802.1x and System Guard Operation. MAC authentication macAddressWithRadius: A port in this mode performs MAC authentication for users. For description of MAC authentication, refer to MAC Address Authentication Operation. Security modes with the And keyword macAddressAndUserLoginSecure: A port in this mode first performs MAC authentication for a user and then, if the user passes MAC authentication, performs 802.1X authentication.
  • Page 191 Figure 1-2 Packet processing in a security mode with the And keyword (flowchart: the port receives a packet; checks whether the source MAC is in the MAC address table; performs MAC authentication; on success, checks whether it is an 802.1X packet and performs 802.1X authentication).
  • Page 192 Figure 1-3 Packet processing in security modes with the Else keyword (flowchart: the port receives a packet; forwards it if the source MAC is in the MAC address table; otherwise performs MAC authentication; on failure, checks whether it is an 802.1X packet and performs 802.1X authentication).
  • Page 193: Port Security Features

    Figure 1-4 Packet processing in a security mode with the Or keyword Port Security Features The following port security features are provided: NTK (need to know) feature: Checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication. This prevents illegal devices from intercepting network traffic.
  • Page 194: Port Security Configuration Task List

    In userLogin mode, neither NTK nor intrusion protection will be triggered. In any other port security mode, the two features will be triggered upon detection of illegal frames. In userLoginWithOUI mode, intrusion protection will not be triggered even if the OUI value does not match.
  • Page 195: Setting The Maximum Number Of Secure Mac Addresses Allowed On A Port

    To do... / Use the command... / Remarks: Enter system view; system-view. Enable port security; port-security enable; Required (disabled by default). Enabling port security resets the following configurations on a port to the bracketed defaults. The values of these configurations cannot then be changed manually; the system adjusts them automatically based on the port security mode.
  • Page 196: Setting The Port Security Mode

    To do... / Use the command... / Remarks: Enter Ethernet port view; interface interface-type interface-number. Set the maximum number of MAC addresses allowed on the port; port-security max-mac-count count-value; Required (not limited by default). Setting the Port Security Mode. Follow these steps to set the port security mode: To do...
  • Page 197: Configuring Port Security Features

    Before setting the port to operate in the autoLearn mode, be sure to set the maximum number of secure MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autoLearn mode, you cannot change the maximum number of secure MAC addresses allowed on the port.
  • Page 198: Configuring Guest Vlan For A Port In Macaddressoruserloginsecure Mode

    Configuring intrusion protection. Follow these steps to configure the intrusion protection feature (To do... / Use the command... / Remarks): Enter system view; system-view. Enter Ethernet port view; interface interface-type interface-number. Set the corresponding action to be taken by the switch when intrusion protection is...; port-security intrusion-mode { blockmac | disableport | ...; Required (by default, intrusion...
  • Page 199 A port in macAddressOrUserLoginSecure mode supports guest VLAN configurations. The port can connect multiple users, but serves only one user at a time. 1) When the first user of the port initiates 802.1X or MAC authentication: If the user fails the authentication, the port is added to the guest VLAN, and all the other users of the port are authorized to access the guest VLAN.
  • Page 200: Ignoring The Authorization Information From The Radius Server

    To change the security mode from macAddressOrUserLoginSecure mode of a port that is assigned to a guest VLAN, execute the undo port-security guest-vlan command first to remove the guest VLAN configuration. For a port configured with both the port-security guest-vlan and port-security intrusion-mode disableport commands, when authentication of a user fails, only the intrusion detection feature is triggered.
  • Page 201 The manually configured secure MAC addresses are written to the configuration file; they will not get lost no matter whether the port is up or down. As long as the configuration file is saved, the secure MAC addresses can be restored after the switch restarts. Configuring a secure MAC address entry manually Before configuring a secure MAC address entry for a port manually, ensure that: Port security is enabled.
  • Page 202: Displaying And Maintaining Port Security Configuration

    To do... / Use the command... / Remarks: Set the maximum number of secure MAC addresses allowed on the port; port-security max-mac-count count-value; Required (by default, there is no limit on the number of secure MAC addresses). Set the security mode of the port; port-security port-mode ...; Required (by default, a port operates in noRestriction mode, and...
  • Page 203: Port Security Mode Macaddresswithradius Configuration Example

    Network diagram: Figure 1-5 Network diagram for port security mode autoLearn. Configuration procedure
    # Enter system view.
    <Switch> system-view
    # Enable port security.
    [Switch] port-security enable
    # Enter GigabitEthernet1/0/1 port view.
    [Switch] interface gigabitethernet 1/0/1
    # Set the maximum number of MAC addresses allowed on the port to 80.
    [Switch-GigabitEthernet1/0/1] port-security max-mac-count 80
    # Set the port security mode to autoLearn.
  • Page 204 Network diagram Figure 1-6 Network diagram for configuring port security mode macAddressWithRadius Configuration procedure The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1.
  • Page 205: Port Security Mode Userloginwithoui Configuration Example

    [Switch-isp-aabbcc.net] quit
    # Set aabbcc.net as the default user domain.
    [Switch] domain default enable aabbcc.net
    # Configure the switch to use MAC addresses as usernames for authentication, specifying that the MAC addresses should be lowercase without separators.
    [Switch] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen...
  • Page 206 The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1. <Switch> system-view [Switch] radius scheme radius1 # Specify the primary RADIUS authentication server and primary RADIUS accounting server.
  • Page 207: Port Security Mode Macaddresselseuserloginsecureext Configuration Example

    # Set aabbcc.net as the default user domain.
    [Switch] domain default enable aabbcc.net
    # Create a local user.
    [Switch] local-user localuser
    [Switch-luser-localuser] service-type lan-access
    [Switch-luser-localuser] password simple localpass
    Configure port security
    # Enable port security.
    [Switch] port-security enable
    # Add two OUI values.
    [Switch] port-security oui 1234-0100-1111 index 1
    [Switch] port-security oui 1234-0200-1111 index 2
    # Set the port security mode to userlogin-withoui.
  • Page 208 Network diagram: Figure 1-8 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt (figure labels: Authentication servers 192.168.1.2/24 and 192.168.1.3/24, GE1/0/1, Internet, Host, Switch). Configuration procedure: The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters:
    # Create a RADIUS scheme named radius1.
  • Page 209: Port Security Mode Macaddressanduserloginsecureext Configuration Example

    # Set the timer for the switch to send real-time accounting packets to the RADIUS server to 15 minutes.
    [Switch-radius-radius1] timer realtime-accounting 15
    # Configure the switch to send a username without the domain name to the RADIUS server.
    [Switch-radius-radius1] user-name-format without-domain
    [Switch-radius-radius1] quit
    # Create a domain named aabbcc.net and enter its view.
  • Page 210 Network diagram: Figure 1-9 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt (figure labels: Authentication servers 192.168.1.2/24 and 192.168.1.3/24, GE1/0/1, Internet, Host, Switch). Configuration procedure: The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters:
    # Create a RADIUS scheme named radius1.
  • Page 211: Guest Vlan Configuration Example

    # Set the timer for the switch to send real-time accounting packets to the RADIUS server to 15 minutes.
    [Switch-radius-radius1] timer realtime-accounting 15
    # Configure the switch to send a username without the domain name to the RADIUS server.
    [Switch-radius-radius1] user-name-format without-domain
    [Switch-radius-radius1] quit
    # Create a domain named aabbcc.net and enter its view.
  • Page 212 Figure 1-10 Network diagram for guest VLAN configuration (figure labels: Update server, Authentication server, VLAN 10, VLAN 2, Guest VLAN 10, VLAN 1, GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, Switch, Internet, Printer). Configuration procedure: The following configuration steps include configurations of AAA and RADIUS. For details about these commands, refer to AAA Command.
  • Page 213
    [Switch] port-security enable
    # Specify the switch to trigger MAC authentication at an interval of 60 seconds.
    [Switch] port-security timer guest-vlan timer 60
    # Create VLAN 10 and assign the port GE1/0/1 to it.
    [Switch] vlan 10
    [Switch-vlan10] port gigabitethernet 1/0/1
    # Set the security mode of the port GE1/0/2 to macAddressOrUserLoginSecure.
  • Page 214: Port Binding Configuration

    Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview Displaying and Maintaining Port Binding Configuration Port Binding Configuration Example Port Binding Overview Introduction Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
  • Page 215: Displaying And Maintaining Port Binding Configuration

    Displaying and Maintaining Port Binding Configuration. To do: Display port binding information. Use the command: display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]. Remarks: Available in any view. Port Binding Configuration Example. Network requirements: It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using the IP address they steal from Host...
  • Page 216 Table of Contents
    1 DLDP Configuration 1-1
    Overview 1-1
    Introduction 1-1
    DLDP Fundamentals 1-2
    DLDP Configuration 1-8
    Performing Basic DLDP Configuration 1-8
    Resetting DLDP State 1-9
    Displaying and Maintaining DLDP 1-9
    DLDP Configuration Example 1-10...
  • Page 217: Dldp Configuration

    DLDP Configuration. When configuring DLDP, go to these sections for information you are interested in: Overview; DLDP Configuration; DLDP Configuration Example. Overview. Introduction: A special kind of link, namely a unidirectional link, may occur in a network. When a unidirectional link appears, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
  • Page 218: Dldp Fundamentals

    Figure 1-2 Fiber broken or not connected (figure labels: Switch A GE1/0/50 and GE1/0/51, Switch B GE1/0/50 and GE1/0/51, Host). DLDP provides the following features: As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. The auto-negotiation mechanism at the physical layer detects physical signals and faults.
  • Page 219 DLDP packet type: RSY-Advertisement packets (referred to as RSY packets hereafter). Function: Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out. DLDP packet type: Flush-Advertisement. Function: Advertisement packet with the flush flag set to 1.
  • Page 220 DLDP status: A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 1-2 DLDP status (columns: Status, Description). Initial: Initial status before DLDP is enabled. Inactive: DLDP is enabled but the corresponding link is down. Active: DLDP is enabled and the link is up. This state indicates that:
  • Page 221 Timer / Description: In the enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor. The enhanced timer length is 10 seconds. The enhanced timer then sends one probe packet every second, eight packets in succession, to the neighbor.
  • Page 222 DLDP implementation: If the DLDP-enabled link is up, DLDP sends DLDP packets to the peer device, and analyzes and processes the DLDP packets received from the peer device. DLDP in different states sends different types of packets. Table 1-5 Types of packets sent by DLDP (columns: DLDP state, Packet type). Active...
  • Page 223 Table 1-7 Processing procedure when no echo packet is received from the neighbor. No echo packet received from the neighbor: In normal mode, no echo packet is received when the echo waiting timer expires. Processing procedure: DLDP switches to the disable state, outputs log and...
  • Page 224: Dldp Configuration

    DLDP Configuration. Performing Basic DLDP Configuration. Follow these steps to perform basic DLDP configuration: Enter system view: system-view. Enable DLDP (Required): either enable DLDP on all optical ports of the switch with dldp enable, or enter port view with interface interface-type ... and enable...
  • Page 225: Resetting Dldp State

    When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
  • Page 226: Dldp Configuration Example

    DLDP Configuration Example Network requirements As shown in Figure 1-3, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
  • Page 227 [SwitchA] display dldp 1 When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state. When a fiber is connected to a device correctly on one end with the other end connected to no device: If the device operates in the normal DLDP mode, the end that receives optical signals is in the advertisement state;...
  • Page 228 Table of Contents
    1 MAC Address Table Management 1-1
    Overview 1-1
    Introduction to MAC Address Table 1-1
    Introduction to MAC Address Learning 1-1
    Managing MAC Address Table 1-3
    Configuring MAC Address Table Management 1-4
    MAC Address Table Management Configuration Task List 1-4
    Configuring a MAC Address Entry 1-5
    Setting the MAC Address Aging Timer 1-6
    Setting the Maximum Number of MAC Addresses a Port Can Learn 1-6...
  • Page 229: Mac Address Table Management

    MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview Configuring MAC Address Table Management Displaying MAC Address Table Information Configuration Example This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the part related to multicast protocol.
  • Page 230 MAC address learning Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to GigabitEthernet 1/0/1.
  • Page 231: Managing Mac Address Table

    packet from User B is sent to GigabitEthernet 1/0/4, the switch records the association between the MAC address of User B and the corresponding port to the MAC address table of the switch. Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5.
  • Page 232: Configuring Mac Address Table Management

    The MAC address aging timer only takes effect on dynamic MAC address entries. With the destination MAC address triggered update function enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
  • Page 233: Configuring A Mac Address Entry

    Task / Remarks: Enabling Destination MAC Address Triggered Update (Optional). Assigning MAC Addresses for Ethernet Ports (Optional). Configuring a MAC Address Entry: You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view.
  • Page 234: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 235: Enabling Destination Mac Address Triggered Update

    Follow these steps to set the maximum number of MAC addresses a port can learn: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Set the maximum number of MAC addresses the port can learn: mac-address max-mac-count ... (Required. By default, the number of the MAC addresses the port can learn...
  • Page 236: Displaying Mac Address Table Information

    Ethernet port, that is, GigabitEthernet 1/0/1, and each of the following ports uses the MAC address of the preceding port plus 1 as its MAC address. For example, if you configure 000f-e200-0001 as the start port MAC address, then port GigabitEthernet 1/0/2 will take MAC address 000f-e200-0002, and so on.
  • Page 237 MAC address table of the switch, which then forwards packets destined for the server through GigabitEthernet 1/0/2. The MAC address of the server is 000f-e20f-dc71. Port GigabitEthernet 1/0/2 belongs to VLAN 1. Configuration procedure:
    # Enter system view.
    <Sysname> system-view
    [Sysname]
    # Add a MAC address, with the VLAN, ports, and states specified.
  • Page 238 Table of Contents
    1 Auto Detect Configuration 1-1
    Introduction to the Auto Detect Function 1-1
    Auto Detect Configuration 1-1
    Auto Detect Basic Configuration 1-2
    Auto Detect Implementation in Static Routing 1-2
    Auto Detect Implementation in VRRP 1-3
    Auto Detect Implementation in VLAN Interface Backup 1-4
    Auto Detect Configuration Examples 1-6
    Configuration Example for Auto Detect Implementation with Static Routing 1-6
    Configuration Example for Auto Detect Implementation with VRRP 1-6...
  • Page 239: Auto Detect Configuration

    Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
  • Page 240: Auto Detect Basic Configuration

    Task / Remarks: Auto Detect Implementation in VRRP (Optional). Auto Detect Implementation in VLAN Interface Backup (Optional). Auto Detect Basic Configuration: Follow these steps to configure the auto detect function: Enter system view: system-view. Create a detected group and enter ...: detect-group group-number (Required)...
  • Page 241: Auto Detect Implementation In Vrrp

    To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby. If the static route is invalid, packets are forwarded according to the backup route.
  • Page 242: Auto Detect Implementation In Vlan Interface Backup

    Figure 1-1 The uplink of the master switch fails Using VRRP together with the Auto Detect function, you can change the priority of a switch according to the uplink status. On the master switch of the VRRP backup group, you can use the Auto Detect function to detect the paths between the master switch and other networks, and control the priority of the master switch according to the returned reachable/unreachable information, thus implementing automatic master/backup switchover and guaranteeing the communication is not interrupted.
  • Page 243 As shown in 0, Switch A has two VLAN interfaces: VLAN-interface 1 and VLAN-interface 2. The two VLAN interfaces back up each other. Normally, VLAN-interface 1 transmits traffic, while VLAN-interface 2 stays standby. When VLAN-interface 1 or the link connected to VLAN-interface 1 fails and thus cannot transmit traffic normally, VLAN-interface 2 takes over to transmit traffic.
  • Page 244: Auto Detect Configuration Examples

    Auto Detect Configuration Examples. Configuration Example for Auto Detect Implementation with Static Routing. Network requirements: Create detected group 8 on Switch A; detect the reachability of the IP address 10.1.1.4, with 192.168.1.2 as the next hop, and the detecting number set to 1. On Switch A, configure a static route to Switch C.
  • Page 245 When the connection between Switch A and Switch C fails, Switch B becomes the master in VRRP group 1 automatically and the link from Switch B to Host B, the backup link, is enabled. Network diagram Figure 1-4 Network diagram for implementing the auto detect function in VRRP Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure...
  • Page 246: Configuration Example For Auto Detect Implementation With Vlan Interface Backup

    Configuration Example for Auto Detect Implementation with VLAN Interface Backup Network requirements Make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Switch C are reachable. Create detected group 10 on Switch A to detect the connectivity between Switch B and Switch C. Configure VLAN-interface 1 to be the active interface, which is enabled when the detected group 10 is reachable.
  • Page 247 Table of Contents
    1 MSTP Configuration 1-1
    Overview 1-1
    Spanning Tree Protocol Overview 1-1
    Rapid Spanning Tree Protocol Overview 1-9
    Multiple Spanning Tree Protocol Overview 1-10
    MSTP Implementation on Switches 1-14
    Protocols and Standards 1-15
    MSTP Configuration Task List 1-15
    Configuring Root Bridge 1-16
    Configuring an MST Region 1-16
    Specifying the Current Switch as a Root Bridge/Secondary Root Bridge 1-18
    Configuring the Bridge Priority of the Current Switch 1-19...
  • Page 248
    Configuring BPDU Dropping 1-37
    Configuring Digest Snooping 1-38
    Introduction 1-38
    Configuring Digest Snooping 1-38
    Configuring Rapid Transition 1-39
    Introduction 1-39
    Configuring Rapid Transition 1-41
    Configuring VLAN-VPN Tunnel 1-42
    Introduction 1-42
    Configuring VLAN-VPN tunnel 1-43
    MSTP Maintenance Configuration 1-44
    Introduction 1-44
    Enabling Log/Trap Output for Ports of MSTP Instance 1-44
    Configuration Example 1-44
    Enabling Trap Messages Conforming to 802.1d Standard 1-44
    Displaying and Maintaining MSTP 1-45...
  • Page 249: Mstp Configuration

    MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition Configuring VLAN-VPN Tunnel MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example...
  • Page 250 STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
  • Page 251 A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of an H3C device is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
  • Page 252 Port ID A port ID used on an H3C device consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on H3C devices is 128. You can use commands to configure port priorities.
  • Page 253 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 254 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 255 Device / Port name / BPDU of port: Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}. Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}. Comparison process and result on each device: The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device (columns: Device, Comparison process, BPDU of port after comparison)...
  • Page 256 (columns: Device, Comparison process, BPDU of port after comparison) Device C. Comparison process: By comparison, the configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which will not be changed. Device C compares the calculated designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2... BPDU of port after comparison: Root port CP1: {0, 0, 0, AP2}; Designated port CP2: ...
  • Page 257: Rapid Spanning Tree Protocol Overview

    The BPDU forwarding mechanism in STP: Upon network initialization, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time. If it is the root port that received the configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device will increase the message age carried in the configuration BPDU by a certain rule and start a timer to time the configuration BPDU while it sends out this configuration BPDU through the designated port.
  • Page 258: Multiple Spanning Tree Protocol Overview

    In RSTP, the state of a root port can transit fast under the following conditions: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data. In RSTP, the state of a designated port can transit fast under the following conditions: the designated port is an edge port or a port connected with a point-to-point link.
  • Page 259 Figure 1-4 Basic MSTP terminologies (figure labels: Region A0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs mapped to CIST; Region B0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs mapped to CIST; Region D0: VLAN 1 mapped to MSTI 1, B as the regional root bridge...; BPDU exchanged between regions)
  • Page 260 An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it is a branch of the CIST in the MST region. In Figure 1-4, each MST region has an IST, which is a branch of the CIST.
  • Page 261 port 4 on switch D connect downstream to other MST regions. This figure shows the roles these ports play. A port can play different roles in different MSTIs. The role a region boundary port plays in an MSTI is consistent with the role it plays in the CIST. The master port, which is a root port in the CIST while a master port in the other MSTIs, is an exception.
  • Page 262: Mstp Implementation On Switches

    STP and RSTP and use them for their respective spanning tree calculation. The S5600 series switches support MSTP. After MSTP is enabled on an S5600 series switch, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol,...
  • Page 263: Protocols And Standards

    Loop guard; TC-BPDU attack guard; BPDU packet drop. Protocols and Standards: MSTP is documented in: IEEE 802.1D: spanning tree protocol; IEEE 802.1w: rapid spanning tree protocol; IEEE 802.1s: multiple spanning tree protocol. MSTP Configuration Task List: Before configuring MSTP, you need to know the position of each device in each MSTI: root bridge or leaf node.
  • Page 264: Configuring Root Bridge

    Task / Remarks: Enabling MSTP: Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing other configurations. Configuring an MST Region: Required. Configuring How a Port Recognizes and Sends MSTP Packets: Optional. Configuring the Timeout Time Factor: Optional...
  • Page 265 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
  • Page 266: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    Configuration example
    # Configure an MST region named info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2.
    <Sysname> system-view
    [Sysname] stp region-configuration
    [Sysname-mst-region] region-name info
    [Sysname-mst-region] instance 1 vlan 2 to 10
    [Sysname-mst-region] instance 2 vlan 20 to 30...
  • Page 267: Configuring The Bridge Priority Of The Current Switch

    A switch can play different roles in different MSTIs. That is, it can be the root bridge in one MSTI and a secondary root bridge in another MSTI at the same time. But in the same MSTI, a switch cannot be the root bridge and the secondary root bridge simultaneously.
  • Page 268: Configuring How A Port Recognizes And Sends Mstp Packets

    Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more. During the selection of the root bridge, if multiple switches have the same bridge priority, the one with the smallest MAC address becomes the root bridge.
  • Page 269: Configuring The Mstp Operation Mode

    Configuration example
    # Configure GigabitEthernet 1/0/1 to recognize and send packets in dot1s format.
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] stp compliance dot1s
    # Restore the default mode for GigabitEthernet 1/0/1 to recognize/send MSTP packets.
    [Sysname-GigabitEthernet1/0/1] undo stp compliance
    Configuring the MSTP Operation Mode: To make an MSTP-enabled switch compatible with STP/RSTP, MSTP provides the following three operation modes:...
  • Page 270: Configuring The Network Diameter Of The Switched Network

    With such a mechanism, the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region. The switches that are not root bridges in the MST region adopt the maximum hop settings of their root bridges.
  • Page 271: Configuring The Mstp Time-Related Parameters

    Configuring the MSTP Time-related Parameters Three MSTP time-related parameters exist: forward delay, hello time, and max age. You can configure the three parameters to control the process of spanning tree calculation. Configuration procedure Follow these steps to configure MSTP time-related parameters: To do...
  • Page 272: Configuring The Timeout Time Factor

    It is recommended that you specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command; the three time-related parameters are then determined automatically.
    Configuration example
    # Configure the forward delay to 1,600 centiseconds, the hello time to 300 centiseconds, and the max age to 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
  • Page 273: Configuring The Current Port As An Edge Port

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Configure the maximum transmitting rate for specified ports | stp interface interface-list transmit-limit packetnum | Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.
    Configure the maximum transmitting rate in Ethernet port view
    Follow these steps to configure the maximum transmitting rate in Ethernet port view: To do...
  • Page 274: Setting The Link Type Of A Port To P2P

    Configure a port as an edge port in Ethernet port view
    Follow these steps to configure a port as an edge port in Ethernet port view:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type ... | —...
  • Page 275: Enabling Mstp

    To do... | Use the command... | Remarks
    Specify whether the link connected to a port is a point-to-point link | stp interface interface-list point-to-point { force-true | force-false | auto } | Required. The auto keyword is adopted by default.
    Setting the Link Type of a Port to P2P in Ethernet port view
    Follow these steps to specify whether the link connected to a port is a point-to-point link in Ethernet port view: To do...
  • Page 276: Configuring Leaf Nodes

    To do... | Use the command... | Remarks
    Enable MSTP | stp enable | Required. MSTP is disabled by default.
    Disable MSTP on specified ports | stp interface interface-list disable | Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To let a switch operate more flexibly, you can disable MSTP on specific ports.
  • Page 277: Configuring How A Port Recognizes And Sends Mstp Packets

    Configuring How a Port Recognizes and Sends MSTP Packets Refer to Configuring How a Port Recognizes and Sends MSTP Packets. Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port.
  • Page 278
    Path cost table (excerpt; only the IEEE 802.1t column survives in this extract, the 802.1D-1998 and legacy-standard columns of the original table are truncated):
    Link speed | Operation mode | IEEE 802.1t path cost
    100 Mbps | Half-duplex/Full-duplex | 200,000
    100 Mbps | Aggregated link, 2 ports | 100,000
    100 Mbps | Aggregated link, 3 ports | 66,666
    100 Mbps | Aggregated link, 4 ports | 50,000
    1,000 Mbps | Full-duplex | 20,000
    1,000 Mbps | Aggregated link, 2 ports | 10,000
    1,000 Mbps | Aggregated link, 3 ports | 6,666
    1,000 Mbps | Aggregated link, 4 ports | 5,000...
  • Page 279: Configuring Port Priority

    Configuration example (A)
    # Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be 2,000.
    Perform this configuration in system view:
    <Sysname> system-view
    [Sysname] stp interface GigabitEthernet 1/0/1 instance 1 cost 2000
    Perform this configuration in Ethernet port view:
    <Sysname>...
  • Page 280: Setting The Link Type Of A Port To P2P

    To do... | Use the command... | Remarks
    Configure port priority for the port | stp [ instance instance-id ] port priority priority | Required. The default port priority is 128.
    Changing the priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port.
  • Page 281: Configuring Guard Functions

    Perform the mCheck operation in system view
    Follow these steps to perform the mCheck operation in system view:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Perform the mCheck operation | stp [ interface interface-list ] mcheck | Required
    Perform the mCheck operation in Ethernet port view
    Follow these steps to perform the mCheck operation in Ethernet port view: To do...
  • Page 282: Configuring Root Guard

    It is recommended that you enable BPDU guard on devices with edge ports configured.
    Configuration Prerequisites
    MSTP runs normally on the switch.
    Configuration procedure
    Follow these steps to configure BPDU guard:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable the BPDU guard function | ... | Required...
  • Page 283: Configuring Loop Guard

    Configuration procedure
    Follow these steps to configure the root guard function in system view:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable the root guard function on specified ports | stp interface interface-list root-protection | Required. The root guard function is disabled by default.
  • Page 284: Configuring Tc-Bpdu Attack Guard

    It is recommended that you enable loop guard on the root port and alternate ports of a non-root bridge. Loop guard, root guard, and edge port settings are mutually exclusive: with one of these functions enabled on a port, neither of the other two can take effect, even if you have configured it on the port.
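The three guard functions on the pages above (BPDU guard on edge ports, root guard on designated ports, loop guard on root and alternate ports) are all decisions taken on a received, or missing, BPDU. The following added example is not code from the manual or from H3C; it parses an IEEE 802.1D configuration BPDU from constructed frame bytes and applies the three guards to a port model, including the manual's rule that edge port, root guard and loop guard are mutually exclusive on one port. It handles only the 35-byte 802.1D configuration BPDU (MSTP BPDUs carry more fields after it, which the parser ignores); the port, bridge ID and MAC values are constructed sample data.

```python
import struct
from dataclasses import dataclass

# IEEE 802.1D configuration BPDU as carried after the LLC header (DSAP 0x42,
# SSAP 0x42, control 0x03): protocol ID, version, type, flags, root ID,
# root path cost, bridge ID, port ID, message age, max age, hello, forward delay.
LLC_STP = b"\x42\x42\x03"
CONFIG_BPDU_FMT = "!HBBB8sI8sHHHHH"
CONFIG_BPDU_LEN = struct.calcsize(CONFIG_BPDU_FMT)   # 35 bytes


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 16-bit field: 4-bit priority + 12-bit system ID extension
    mac: bytes      # 6 bytes

    def pack(self):
        return struct.pack("!H", self.priority) + self.mac

    @classmethod
    def unpack(cls, raw):
        return cls(struct.unpack("!H", raw[:2])[0], raw[2:8])

    def better_than(self, other):
        # Spanning tree prefers the numerically lower bridge ID: priority first, then MAC.
        return (self.priority, self.mac) < (other.priority, other.mac)


@dataclass(frozen=True)
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int


def build_config_bpdu(root, cost, bridge, port_id):
    """Constructed sample BPDU; timers in 1/256 s (max age 20 s, hello 2 s, forward delay 15 s)."""
    body = struct.pack(CONFIG_BPDU_FMT, 0, 0, 0x00, 0, root.pack(), cost,
                       bridge.pack(), port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def parse_config_bpdu(payload):
    if not payload.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    body = payload[len(LLC_STP):]
    if len(body) < CONFIG_BPDU_LEN:
        raise ValueError("truncated BPDU")
    proto, _ver, btype, _flags, root, cost, bridge, port_id, *_timers = struct.unpack(
        CONFIG_BPDU_FMT, body[:CONFIG_BPDU_LEN])
    if proto != 0 or btype != 0x00:
        raise ValueError(f"unsupported BPDU: protocol {proto}, type {btype:#x}")
    return ConfigBpdu(BridgeId.unpack(root), cost, BridgeId.unpack(bridge), port_id)


@dataclass
class Port:
    name: str
    role: str               # "designated", "root" or "alternate"
    edge: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"

    def __post_init__(self):
        # The manual's caveat: edge port, root guard and loop guard are mutually exclusive.
        if sum((self.edge, self.root_guard, self.loop_guard)) > 1:
            raise ValueError(f"{self.name}: edge port, root guard and loop guard are mutually exclusive")


def on_bpdu(port, payload, current_root):
    """Apply BPDU guard and root guard to a BPDU received on the port; returns the action taken."""
    if port.state == "shutdown":
        return "dropped: port is shut down"
    bpdu = parse_config_bpdu(payload)
    if port.edge and port.bpdu_guard:
        # An edge port must never hear a BPDU; shutting it down keeps a rogue bridge
        # (or a user-attached switch) out of the spanning tree calculation.
        port.state = "shutdown"
        return f"bpdu-guard: {port.name} shut down"
    if port.role == "designated" and port.root_guard and bpdu.root.better_than(current_root):
        # A superior root claim from downstream must not move the root bridge; the port
        # stays blocked for as long as the superior BPDUs keep arriving.
        port.state = "discarding"
        return f"root-guard: {port.name} blocked, root claim from {bpdu.bridge.mac.hex(':')} ignored"
    port.state = "forwarding"
    return "accepted"


def on_max_age_expired(port):
    """Loop guard: a root or alternate port that stops hearing BPDUs stays blocked."""
    if port.role in ("root", "alternate") and port.loop_guard:
        port.state = "discarding"
        return f"loop-guard: {port.name} kept discarding"
    port.state = "forwarding"   # without loop guard the port ages out and starts forwarding
    return f"{port.name} forwarding"
```

The asymmetry worth noticing: BPDU guard reacts to any BPDU at all and is therefore safe only on ports that really are edge ports, root guard reacts only to a BPDU that would win the root election, and loop guard reacts to silence rather than to a packet, which is why it belongs on the ports that are supposed to be receiving BPDUs.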
  • Page 285: Configuring Bpdu Dropping

    receives 200 TC-BPDUs in the period, the switch flushes its MAC address table and ARP entries only 100 times within the period.
    Configuration prerequisites
    MSTP runs normally on the switch.
    Configuration procedure
    Follow these steps to configure the TC-BPDU attack guard function: To do...
  • Page 286: Configuring Digest Snooping

    Configuration example
    # Enable BPDU dropping on GigabitEthernet 1/0/1.
    <Sysname> system-view
    [Sysname] interface GigabitEthernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] bpdu-drop any
    Configuring Digest Snooping
    Introduction
    According to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them (a configuration ID contains information such as the region ID and the configuration digest).
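The configuration ID comparison described above is what decides region membership, and the digest inside it is a function of the VLAN-to-instance mapping configured on the earlier page (region name info, revision level 1, VLANs 2 to 10 in MSTI 1, VLANs 20 to 30 in MSTI 2). The following added example is not code from the manual or from H3C; it computes the IEEE 802.1s configuration digest the standard way, an HMAC-MD5 over the 4096-entry VLAN-to-MSTID table under the key fixed by the standard, and assembles the 51-byte configuration identifier. The mapping and names used are taken from the manual's example; the "all VLANs in the CIST" digest it produces is the well-known default value.

```python
import hashlib
import hmac

# Key fixed by IEEE 802.1s (now IEEE 802.1Q clause 13.7) for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
MAX_MSTID = 64   # MSTIs are numbered 1..64; 0 is the CIST


def vlan_to_mstid_table(mapping):
    """Encode a {mstid: iterable_of_vlans} mapping as the 4096 x 16-bit table the digest covers.

    VLANs not listed map to the CIST (MSTID 0); entries 0 and 4095 are always 0.
    """
    table = [0] * 4096
    for mstid, vlans in mapping.items():
        if not 1 <= mstid <= MAX_MSTID:
            raise ValueError(f"MSTID {mstid} out of range")
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if table[vid] not in (0, mstid):
                raise ValueError(f"VLAN {vid} mapped to two instances")
            table[vid] = mstid
    return b"".join(entry.to_bytes(2, "big") for entry in table)


def configuration_digest(mapping):
    """HMAC-MD5 of the table, as the 32-hex-digit value carried in the MST configuration ID."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_mstid_table(mapping), hashlib.md5).hexdigest().upper()


def configuration_id(region_name, revision, mapping):
    """Build the 51-byte MST configuration identifier carried in MST BPDUs:
    format selector (1 byte, 0), region name padded to 32 bytes, revision level (2), digest (16)."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name longer than 32 bytes")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level must fit in 16 bits")
    return (b"\x00" + name.ljust(32, b"\x00") + revision.to_bytes(2, "big")
            + bytes.fromhex(configuration_digest(mapping)))


def same_region(id_a, id_b):
    """Two switches are in the same MST region only if the whole configuration ID matches."""
    return id_a == id_b
```

Two practical consequences follow from the code. A single VLAN mapped to a different instance on one side changes the digest and silently splits the region, so mismatches show up as unexpected region boundaries rather than as errors. And a switch on which digest snooping is enabled stops relying on digest agreement with its peer, so the mapping consistency that the digest normally enforces has to be verified by hand on both sides (this last point goes beyond what the extract above states).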
  • Page 287: Configuring Rapid Transition

    To do... | Use the command... | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable the digest snooping feature | stp config-digest-snooping | Required. The digest snooping feature is disabled on a port by default.
    Return to system view | quit | —
    Enable the digest snooping feature | stp config-digest-snooping | Required. The digest snooping feature is...
  • Page 288 Both RSTP and MSTP specify that the upstream switch can perform rapid transition on the designated port only when the port receives an agreement packet from the downstream switch. The difference between RSTP and MSTP is this: for MSTP, the upstream switch sends agreement packets to the downstream switch, and the downstream switch sends agreement packets to the upstream switch only after it receives agreement packets from the upstream switch.
  • Page 289: Configuring Rapid Transition

    MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
  • Page 290: Configuring Vlan-Vpn Tunnel

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable the rapid transition feature | stp no-agreement-check | Required. By default, the rapid transition feature is disabled on a port.
    The rapid transition feature can be enabled only on root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on that port.
  • Page 291: Configuring Vlan-Vpn Tunnel

    Figure 1-9 VLAN-VPN tunnel network hierarchy (service provider network with packet input/output devices; customer networks Network A and Network B)
    Configuring VLAN-VPN tunnel
    Follow these steps to configure VLAN-VPN tunnel:
    To do... | Use the command... | Remarks
    Enter system view | —...
  • Page 292: Mstp Maintenance Configuration

    MSTP Maintenance Configuration Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently. In this case, maintenance personnel may expect that log/trap information is output to the log host when particular ports fail, so that they can check the status changes of those ports through alarm information.
  • Page 293: Displaying And Maintaining Mstp

    Configuration example
    # Enable a switch to send trap messages conforming to the 802.1d standard to the network management device when the switch becomes the root bridge of instance 1.
    <Sysname> system-view
    [Sysname] stp instance 1 dot1d-trap newroot enable
    Displaying and Maintaining MSTP
    To do...
  • Page 294 Network diagram
    Figure 1-10 Network diagram for MSTP configuration
    The word “permit” shown in Figure 1-10 means the corresponding link permits packets of specific VLANs.
    Configuration procedure
    Configure Switch A
    # Enter MST region view.
    <Sysname> system-view
    [Sysname] stp region-configuration
    # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
  • Page 295: Vlan-Vpn Tunnel Configuration Example

    [Sysname] stp instance 3 root primary
    Configure Switch C.
    # Enter MST region view.
    <Sysname> system-view
    [Sysname] stp region-configuration
    # Configure the MST region.
    [Sysname-mst-region] region-name example
    [Sysname-mst-region] instance 1 vlan 10
    [Sysname-mst-region] instance 3 vlan 30
    [Sysname-mst-region] instance 4 vlan 40
    [Sysname-mst-region] revision-level 0
    # Activate the settings of the MST region manually.
  • Page 296 Network diagram
    Figure 1-11 Network diagram for VLAN-VPN tunnel configuration
    Configuration procedure
    Configure Switch A
    # Enable MSTP.
    <Sysname> system-view
    [Sysname] stp enable
    # Add Ethernet 1/0/1 to VLAN 10.
    [Sysname] vlan 10
    [Sysname-Vlan10] port Ethernet 1/0/1
    Configure Switch B
    # Enable MSTP.
  • Page 297
    [Sysname-GigabitEthernet1/0/2] port link-type trunk
    # Add the trunk port to all VLANs.
    [Sysname-GigabitEthernet1/0/2] port trunk permit vlan all
    Configure Switch D
    # Enable MSTP.
    <Sysname> system-view
    [Sysname] stp enable
    # Enable the VLAN-VPN tunnel function.
    [Sysname] vlan-vpn tunnel
    # Add GigabitEthernet 1/0/2 to VLAN 10.
    [Sysname] vlan 10
    [Sysname-Vlan10] port GigabitEthernet 1/0/2
    # Enable the VLAN VPN function on GigabitEthernet 1/0/2.
  • Page 298 Table of Contents
    1 IP Routing Protocol Overview 1-1
      Introduction to IP Route and Routing Table 1-1
      IP Route 1-1
      Routing Table 1-1
      Routing Protocol Overview 1-3
      Static Routing and Dynamic Routing 1-3
      Classification of Dynamic Routing Protocols 1-3
      Routing Protocols and Routing Priority 1-4
      Load Sharing and Route Backup 1-4
      Routing Information Sharing 1-5
      Displaying and Maintaining a Routing Table 1-5...
  • Page 299
    4 OSPF Configuration 4-1
      OSPF Overview 4-1
      Introduction to OSPF 4-1
      OSPF Route Calculation 4-1
      Basic OSPF Concepts 4-2
      OSPF Area Partition and Route Summarization 4-4
      OSPF Network Type 4-8
      DR/BDR 4-9
      OSPF Features 4-11
      OSPF Configuration Task List 4-11
      Basic OSPF Configuration 4-12
      Configuration Prerequisites 4-12
      Basic OSPF Configuration 4-12
      OSPF Area Attribute Configuration 4-13...
  • Page 300
    5 BGP Configuration 5-1
      BGP Overview 5-1
      BGP Message Type 5-2
      BGP Route Attributes 5-4
      BGP Routing Policy 5-9
      Problems in Large-Scale BGP Networks 5-9
      MP-BGP 5-13
      Protocol Standard 5-13
      BGP Configuration Task List 5-14
      Basic BGP Configuration 5-14
      Configuration Prerequisites 5-14
      Configuring BGP Multicast Address Family 5-15
      Configuring Basic BGP Functions 5-15
      Configuring the Way to Advertise/Receive Routing Information 5-16
      Configuration Prerequisites 5-16...
  • Page 301
    6 IP Routing Policy Configuration 6-1
      IP Routing Policy Overview 6-1
      Introduction to IP Routing Policy 6-1
      IP Routing Policy Configuration Task List 6-2
      Routing Policy Configuration 6-3
      Configuration Prerequisites 6-3
      Defining a Routing Policy 6-3
      Defining if-match Clauses and apply Clauses 6-4
      IP-Prefix Configuration 6-6
      Configuration Prerequisites 6-6
      Configuring an ip-prefix list 6-6
      AS Path List Configuration 6-6...
  • Page 302: Ip Routing Protocol Overview

    IP Routing Protocol Overview Go to these sections for information you are interested in: Introduction to IP Route and Routing Table Routing Protocol Overview Displaying and Maintaining a Routing Table The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 303 host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0. A mask consists of some consecutive 1s, represented either in dotted decimal notation or by the number of the consecutive 1s in the mask.
  • Page 304: Routing Protocol Overview

    Routing table excerpt (figure residue, apparently destination and next hop pairs): 15.0.0.0 via 17.0.0.2; 16.0.0.0 via 16.0.0.2; 17.0.0.0 via 17.0.0.1.
    Routing Protocol Overview
    Static Routing and Dynamic Routing
    Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must reconfigure routing whenever the network topology changes.
  • Page 305: Routing Protocols And Routing Priority

    Routing Protocols and Routing Priority
    Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol can determine the current optimal route to the destination. For the purpose of route selection, each routing protocol (including static routes) is assigned a priority.
  • Page 306: Routing Information Sharing

    When the primary route recovers, the route selection process is performed again and the primary route is selected again to forward packets. Routing Information Sharing As different routing protocols use different algorithms to calculate routes, they may discover different routes. In a large network with multiple routing protocols, it is required for routing protocols to share their routing information.
  • Page 307: Static Route Configuration

    Static Route Configuration When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route Static Route Configuration Displaying and Maintaining Static Routes Static Route Configuration Example Troubleshooting a Static Route The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 308: Default Route

    Default Route
    To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table and a default route exists, the default route is selected to forward the packet. If there is no default route, the packet is discarded and an ICMP Destination Unreachable (Network Unreachable) message is returned to the source.
  • Page 309: Static Route Configuration Example

    To do... | Use the command... | Remarks
    Display the brief information of a routing table | display ip routing-table |
    Display the detailed information of a routing table | display ip routing-table verbose |
    Display the information of static routes | display ip routing-table protocol static [ inactive | verbose ] | Available in
    Delete all static routes | ...
  • Page 310: Troubleshooting A Static Route

    # Approach 1: Configure static routes on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
    [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
    [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
    # Approach 2: Configure a static route on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.2
    # Approach 1: Configure static routes on Switch B.
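The two approaches above are equivalent for Switch A only because 0.0.0.0/0 is consulted last, after every longer prefix has failed to match. The following added example is mine, not code from the manual or from H3C; it implements the route selection described across the overview pages in this extract: several protocols may offer the same destination and the one with the best priority wins (page 305), a withdrawn primary route is replaced by the backup (page 306), lookups use longest-prefix match with the default route as last resort, and a miss is what produces the ICMP unreachable (page 308). The per-protocol preference values are an assumption chosen for illustration (they follow common Comware defaults but are not listed in this extract), and the prefixes and next hops are the ones from the static route example.

```python
import ipaddress
from dataclasses import dataclass

# Routing preference per protocol: lower wins when several protocols offer the same
# destination. Assumed values for this example; the extract does not list them.
PREFERENCE = {"DIRECT": 0, "OSPF": 10, "STATIC": 60, "RIP": 100}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    protocol: str
    cost: int = 0

    @property
    def preference(self):
        return PREFERENCE[self.protocol]


class RoutingTable:
    def __init__(self):
        self._routes = {}   # prefix -> set of candidate routes learned from all protocols

    def add(self, prefix, next_hop, protocol, cost=0):
        r = Route(ipaddress.IPv4Network(prefix), ipaddress.IPv4Address(next_hop), protocol, cost)
        self._routes.setdefault(r.prefix, set()).add(r)
        return r

    def withdraw(self, route):
        """Remove one protocol's route; a backup to the same prefix, if any, takes over."""
        cands = self._routes.get(route.prefix, set())
        cands.discard(route)
        if not cands:
            self._routes.pop(route.prefix, None)

    def active(self, prefix):
        """Select among candidates to one prefix: lowest preference, then lowest cost."""
        cands = self._routes.get(ipaddress.IPv4Network(prefix))
        return min(cands, key=lambda r: (r.preference, r.cost)) if cands else None

    def lookup(self, destination):
        """Longest-prefix match; 0.0.0.0/0 matches everything and so is tried last.
        None means no route, i.e. the packet is dropped."""
        dst = ipaddress.IPv4Address(destination)
        matches = [p for p in self._routes if dst in p]
        if not matches:
            return None
        return self.active(max(matches, key=lambda p: p.prefixlen))

    def forward(self, destination):
        r = self.lookup(destination)
        return f"forward via {r.next_hop} ({r.protocol})" if r else "drop: ICMP destination unreachable"
```

The security-relevant detail is in `active`: a RIP or OSPF route to a prefix that is also covered by a static route is chosen purely on preference, so an attacker who can inject a dynamic route with better preference (or a longer prefix) steers that traffic without touching the static configuration. That is the reason the later RIP and OSPF pages spend so much space on filtering and authentication.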
  • Page 311: Rip Configuration

    RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 312: Rip Startup And Operation

    Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. RIP timers: As defined in RFC 1058, RIP is controlled by three timers: periodic update, timeout, and garbage collection.
  • Page 313: Basic Rip Configuration

    Task | Remarks
    Setting the RIP operating status on an interface | Optional
    Specifying the RIP version on an interface | Optional
    Setting the additional routing metrics of an interface | Optional
    Configuring RIP route summarization | Optional
    Disabling the router from receiving host routes | Optional
    Configuring RIP
    Configuring RIP to filter incoming/outgoing routes...
  • Page 314: Rip Route Control

    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
  • Page 315: Configuration Prerequisites

    Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
  • Page 316
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter RIP view | rip | —
    Enable RIP-2 automatic route summarization | summary | Required. Enabled by default.
    Disabling the router from receiving host routes
    In some special cases, the router can receive a lot of host routes from the same segment. These routes are of little help in route addressing but consume a lot of network resources.
  • Page 317 The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
  • Page 318: Rip Network Adjustment And Optimization

    RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
  • Page 319 Split horizon cannot be disabled on a point-to-point link.
    Configuring RIP-1 packet zero field check
    Follow these steps to configure RIP-1 packet zero field check:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter RIP view | rip | —
    Enable the check of the must-be-zero field | checkzero | Required...
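The zero-field check above exists because a RIP-1 route entry reserves the route tag, subnet mask and next hop positions as must-be-zero, and a RIP-2 packet (or a malformed one) stamped as version 1 puts non-zero data there. The following added example is not code from the manual or from H3C; it builds and parses RIP response packets per RFC 1058 and RFC 2453, applying the version-1 zero-field check the way checkzero would, deriving the classful mask for RIP-1 entries, and validating the metric range. It also goes one step beyond this page by checking a RIP-2 simple-password authentication entry, which the S5600's RIP chapter does not cover in this extract; the packet contents, networks (taken from the RIP configuration example later on this page) and password are constructed sample data.

```python
import ipaddress
import struct

RIP_HEADER = "!BBH"          # command, version, must be zero
RIP_ENTRY = "!HH4s4s4sI"     # AFI, route tag, IP address, subnet mask, next hop, metric
ENTRY_LEN = struct.calcsize(RIP_ENTRY)   # 20
RESPONSE, AF_INET, AUTH_AFI, AUTH_SIMPLE_PASSWORD = 2, 2, 0xFFFF, 2
ZERO4 = b"\x00" * 4


def classful_network(addr):
    """RIP-1 carries no mask: derive it from the address class (A /8, B /16, otherwise /24)."""
    first = addr[0]
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network((addr, plen), strict=False)


def build_rip_response(version, routes, password=None):
    """Constructed sample packet: routes are (network, next_hop, metric) triples."""
    pkt = struct.pack(RIP_HEADER, RESPONSE, version, 0)
    if password is not None:            # RFC 2453 simple-password entry must come first
        if len(password) > 16:
            raise ValueError("RIP-2 simple password is at most 16 bytes")
        pkt += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, password)
    for net, next_hop, metric in routes:
        n = ipaddress.IPv4Network(net)
        if version == 1:                # route tag, mask and next hop must be zero in RIP-1
            pkt += struct.pack(RIP_ENTRY, AF_INET, 0, n.network_address.packed, ZERO4, ZERO4, metric)
        else:
            pkt += struct.pack(RIP_ENTRY, AF_INET, 0, n.network_address.packed, n.netmask.packed,
                               ipaddress.IPv4Address(next_hop).packed, metric)
    return pkt


def parse_rip_response(data, checkzero=True, password=None):
    """Return (version, [(network, next_hop, metric), ...]) or raise ValueError.

    checkzero mirrors the switch's RIP-1 zero-field check; password, if given, requires a
    matching RIP-2 simple-password entry (sent in clear text, so it only stops accidents).
    """
    if len(data) < 4 or (len(data) - 4) % ENTRY_LEN:
        raise ValueError("bad RIP packet length")
    command, version, mbz = struct.unpack(RIP_HEADER, data[:4])
    if command != RESPONSE or version not in (1, 2) or mbz != 0:
        raise ValueError("bad RIP header")
    routes, authenticated = [], False
    for idx, off in enumerate(range(4, len(data), ENTRY_LEN)):
        afi, tag, ip, mask, nh, metric = struct.unpack(RIP_ENTRY, data[off:off + ENTRY_LEN])
        if afi == AUTH_AFI:
            if version != 2 or idx != 0 or tag != AUTH_SIMPLE_PASSWORD:
                raise ValueError("unexpected or unsupported authentication entry")
            supplied = (ip + mask + nh + struct.pack("!I", metric)).rstrip(b"\x00")
            if password is None or supplied != password:
                raise ValueError("RIP-2 authentication failed")
            authenticated = True
            continue
        if afi != AF_INET:
            raise ValueError(f"entry {idx}: unsupported address family {afi}")
        if version == 1 and checkzero and (tag != 0 or mask != ZERO4 or nh != ZERO4):
            raise ValueError(f"entry {idx}: RIP-1 must-be-zero fields are set")
        if not 1 <= metric <= 16:
            raise ValueError(f"entry {idx}: metric {metric} out of range")
        if version == 1:
            network, next_hop = classful_network(ip), None
        else:
            network = ipaddress.IPv4Network(
                f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}", strict=False)
            next_hop = ipaddress.IPv4Address(nh) if nh != ZERO4 else None
        routes.append((network, next_hop, metric))
    if password is not None and not authenticated:
        raise ValueError("authentication required but the packet carries none")
    return version, routes


def accepts(data, **kwargs):
    """True if parse_rip_response would accept the packet under the given options."""
    try:
        parse_rip_response(data, **kwargs)
        return True
    except ValueError:
        return False
```

Disabling the zero check (the undo form of the command) makes the receiver silently reinterpret a RIP-2 entry as a classful RIP-1 route, which is exactly the kind of lenient parsing that lets a mis-versioned or hostile packet install a wider prefix than intended; the test below shows 1.1.3.0/24 turning into 1.0.0.0/8.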
  • Page 320: Displaying And Maintaining Rip Configuration

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter RIP view | rip | —
    Configure RIP to unicast RIP packets | peer ip-address | Required. When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets.
  • Page 321: Troubleshooting Rip Configuration

    Configuration procedure
    Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly.
    Configure Switch A:
    # Configure RIP.
    <SwitchA> system-view
    [SwitchA] rip
    [SwitchA-rip] network 110.11.2.0
    [SwitchA-rip] network 155.10.1.0...
  • Page 322: Ospf Configuration

    OSPF Configuration When configuring OSPF, go to these sections for information you are interested in: OSPF Overview OSPF Configuration Task List Displaying and Maintaining OSPF Configuration OSPF Configuration Examples Troubleshooting OSPF Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 323: Basic Ospf Concepts

    Each OSPF-supported router maintains a link state database (LSDB), which describes the topology of the whole AS. According to the network topology around itself, each router generates a link state advertisement (LSA). Routers on the network exchange LSAs with each other by transmitting protocol packets.
  • Page 324 which uniquely identifies the LSA. This reduces the traffic between the routers, because the header of an LSA occupies only a small portion of the LSA. From the header, the peer router can tell whether it already has the LSA. LSR packet: After exchanging DD packets, the two routers know which LSAs of the peer router are missing from the local LSDB, and send link state request (LSR) packets requesting the missing LSAs from the peer.
  • Page 325: Ospf Area Partition And Route Summarization

    sends a hello packet through the OSPF interface, and the router that receives the hello packet checks parameters carried in the packet. If parameters of the two routers match, they become neighbors. Adjacency: A relationship formed between selected neighboring routers for the purpose of exchanging routing information.
  • Page 326 Area border router (ABR): An area border router belongs to two or more areas, one of which must be the backbone area. It connects the backbone area to a non-backbone area. The connection between an area border router and the backbone area can be physical or logical. Backbone router: At least one interface of a backbone router must be attached to the backbone area.
  • Page 327 The backbone area itself must maintain connectivity. In practice, due to physical limitations, the requirements may not be satisfied. In this case, configuring OSPF virtual links is a solution. Virtual link A virtual link is established between two area border routers through a non-backbone area and is configured on both ABRs to take effect.
  • Page 328 The ABR in a stub area generates a default route into the area. Note the following when configuring a (totally) stub area: The backbone area cannot be a (totally) stub area The stub command must be configured on routers in a (totally) stub area A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area.
  • Page 329: Ospf Network Type

    Figure 4-6 Route summarization OSPF has two types of route summarization: ABR route summarization To distribute routing information to other areas, an ABR generates Type-3 LSAs on a per network segment basis for an attached non-backbone area. If contiguous network segments are available in the area, you can summarize them with a single network segment.
  • Page 330: Dr/Bdr

    Non-broadcast multi-access (NBMA): If Frame Relay, ATM, or X.25 is adopted, OSPF defaults the network type to NBMA. In an NBMA network, protocol packets are sent in unicast. Point-to-multipoint (P2MP): OSPF will not default the network type of any link layer protocol to P2MP.
  • Page 331 is needed and the adjacencies already exist, the switchover process is very short. Now, a new BDR should be elected. Although this election process will also take quite a long time, route calculation will not be affected. On an OSPF network, a router which is neither DR nor BDR is called DR Other. It establishes adjacencies with the DR and BDR, but not with other DR Others.
  • Page 332: Ospf Features

    OSPF Features The switches support the following OSPF features: Stub area: Stub area is defined to reduce the cost for the routers in the area to receive ASE routes. NSSA: NSSA is defined to remove the limit on the topology in a Stub area. OSPF multi-process: Multiple OSPF processes can be run on a router.
  • Page 333: Basic Ospf Configuration

    Task | Remarks
    Configuring the LSA transmission delay | Optional
    Configuring the SPF Calculation Interval | Optional
    Disabling OSPF Packet Transmission on an Interface | Optional
    Configuring OSPF Authentication | Optional
    Configuring the MTU Field in DD Packets | Optional
    Enabling OSPF Logging of Neighbor State Changes | Optional
    Configuring OSPF Network Management | Optional...
  • Page 334: Ospf Area Attribute Configuration

    To do... | Use the command... | Remarks
    Configure the router ID | router id router-id | Optional. If multiple OSPF processes run on a router, it is recommended to use the router-id keyword in the ospf command to specify different router IDs for different processes.
    Enable OSPF and enter OSPF view | ospf [ process-id [ router-id... | Required
  • Page 335: Configuring Ospf Area Attributes

    Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer
    Performing basic OSPF configuration
    Configuring OSPF Area Attributes
    Follow these steps to configure OSPF area attributes:
    To do... | Use the command... | Remarks
    Enter system view | system-view...
  • Page 336: Configuration Prerequisites

    Configure the network type of an interface as P2MP if not all the routers are directly accessible on an NBMA network. You can also configure the network type of an interface to P2P if the router has only one peer on the NBMA network. In addition, when configuring a broadcast network or NBMA network, you can also specify DR election priority for each interface of a router to control the DR/BDR election in the network.
  • Page 337: Configuring The Dr Priority On An Ospf Interface

    Since the neighbor routers cannot be discovered by broadcasting Hello packets, you must manually specify the IP address of the neighbor router. For an NBMA network, you can determine whether the neighbor has the DR election right. Follow these steps to configure NBMA/P2MP neighbor: To do...
  • Page 338: Configuration Prerequisites

    Configuration Prerequisites Before configuring OSPF route control, perform the following tasks: Configuring the network layer addresses of interfaces so that the adjacent nodes are reachable to each other at the network layer Completing basic OSPF configuration Configuring matching rules for routing information Configuring OSPF Route Summarization The configuration of OSPF route summarization includes: Configuring ABR route summarization,...
  • Page 339: Configuring The Ospf Cost On An Interface

    OSPF is a dynamic routing protocol based on link state, with routing information hidden in LSAs. Therefore, OSPF cannot filter any advertised or received LSA. In fact, the filter-policy import command filters the routes calculated by SPF algorithm (namely, routes in the OSPF routing table); only the routes passing the filter can be added to the routing table.
  • Page 340: Configuring Ospf To Redistribute External Routes

    To do... / Use the command... / Remarks: Configure the maximum number of OSPF ECMP routes: multi-path-number value (Optional; 4 by default). Configuring OSPF to Redistribute External Routes Follow these steps to configure OSPF to redistribute external routes: To do... / Use the command... / Remarks: Enter system view: system-view...
  • Page 341: Configuration Prerequisites

    By changing the OSPF packet timers, you can adjust the convergence speed of the OSPF network and the network load brought by OSPF packets. On some low-speed links, you need to consider the delay experienced when the interfaces transmit LSAs. By adjusting the SPF calculation interval, you can mitigate the resource consumption caused by frequent network changes.
  • Page 342: Configuring The Lsa Transmission Delay

    Default Hello and Dead timer values will be restored once the network type is changed. Do not set an LSA retransmission interval that is too short. Otherwise, unnecessary retransmission will occur. LSA retransmission interval must be greater than the round trip time of a packet between two routers.
  • Page 343: Disabling Ospf Packet Transmission On An Interface

    Disabling OSPF Packet Transmission on an Interface To prevent OSPF routing information from being acquired by the routers on a certain network, use the silent-interface command to disable OSPF packet transmission on the corresponding interface. Follow these steps to disable OSPF packet transmission on an interface: To do...
  • Page 344: Configuring The Mtu Field In Dd Packets

    OSPF supports packet authentication and receives only those packets that are successfully authenticated. If packet authentication fails, no adjacencies will be established. The authentication modes for all routers in an area must be consistent. The authentication passwords for all routers on a network segment must also be consistent. Configuring the MTU Field in DD Packets By default, an interface uses value 0 instead of its actual MTU value when transmitting DD packets.
  • Page 345: Displaying And Maintaining Ospf Configuration

    To do... / Use the command... / Remarks: Enable OSPF Trap sending: snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa ... (Optional. You can configure OSPF to send diversified SNMP TRAP messages and specify a certain OSPF...
  • Page 346: Ospf Configuration Examples

    OSPF Configuration Examples Configuring DR/BDR Election Network requirements Use OSPF to realize interconnection between devices in a broadcast network. Devices with higher performance should become the DR and BDR to improve network performance. Devices with lower performance are forbidden to take part in DR/BDR election. Based on the customer requirements and networking environment, assign proper priorities to interfaces.
  • Page 347: Configuring Ospf Virtual Link

    <SwitchC> system-view [SwitchC] interface Vlan-interface 1 [SwitchC-Vlan-interface1] ip address 196.1.1.3 255.255.255.0 [SwitchC-Vlan-interface1] ospf dr-priority 2 [SwitchC-Vlan-interface1] quit [SwitchC] router id 3.3.3.3 [SwitchC] ospf [SwitchC-ospf-1] area 0 [SwitchC-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255 # Configure Switch D. <SwitchD> system-view [SwitchD] interface Vlan-interface 1 [SwitchD-Vlan-interface1] ip address 196.1.1.4 255.255.255.0 [SwitchD-Vlan-interface1] quit [SwitchD] router id 4.4.4.4...
  • Page 348 Network diagram Figure 4-9 Network diagram for OSPF virtual link configuration. Device / Interface / IP address / Router ID: Switch A: Vlan-int1 196.1.1.1/24, router ID 1.1.1.1; Switch B: Vlan-int1 196.1.1.2/24, Vlan-int2 197.1.1.2/24, router ID 2.2.2.2; Switch C: Vlan-int1 152.1.1.1/24, Vlan-int2 197.1.1.1/24, router ID 3.3.3.3. Configuration procedure # Configure Switch A. <SwitchA>...
  • Page 349: Troubleshooting Ospf Configuration

    [SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255 [SwitchB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3 # Configure Switch C. <SwitchC> system-view [SwitchC] interface Vlan-interface 1 [SwitchC-Vlan-interface1] ip address 152.1.1.1 255.255.255.0 [SwitchC-Vlan-interface1] quit [SwitchC] interface Vlan-interface 2 [SwitchC-Vlan-interface2] ip address 197.1.1.1 255.255.255.0 [SwitchC-Vlan-interface2] quit [SwitchC] router id 3.3.3.3 [SwitchC] ospf [SwitchC-ospf-1] area 1 [SwitchC-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255 [SwitchC-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2...
  • Page 350: Unable To Learn A Complete Network Topology

    Unable to Learn a Complete Network Topology Symptom The router running OSPF is unable to learn a complete network topology. Analysis Perform the following procedure to make analyses: If multiple areas are configured on the router, check that one is specified as the backbone area. Check that the backbone area is fully meshed.
  • Page 351: Bgp Configuration

    BGP Configuration When configuring BGP, go to these sections for information you are interested in: BGP Overview BGP Configuration Task List Displaying and Maintaining BGP Configuration BGP Configuration Example Troubleshooting BGP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 352: Bgp Message Type

    In BGP, the routers that send BGP messages are known as BGP speakers. A BGP speaker receives and generates new routing information and advertises the information to other BGP speakers. When a BGP speaker receives a route from another AS, if the route is better than the existing routes or the route is new to the BGP speaker, the BGP speaker advertises the route to all other BGP speakers in the AS it belongs to.
  • Page 353 Figure 5-2 BGP Open message format The fields are described as follows. Version: BGP version. For BGP-4, the value is 4. My Autonomous System: Local AS number. By comparing this field on both sides, a router can determine whether the connection between itself and the BGP peer is EBGP or IBGP. Hold time: The hold time is determined when two BGP speakers negotiate the connection between them.
  • Page 354: Bgp Route Attributes

    Withdrawn Routes: Unreachable route list. Total Path Attribute Length: Length (in bytes) of the Path Attributes field. A value of 0 indicates that there is no Path Attributes field in the message. Path Attributes: Attribute list of all the paths related to the NLRI. Each path attribute is a TLV (Type-Length-Value) triplet.
  • Page 355 In fact, all the BGP route attributes can be classified into the following four categories. Well-known mandatory attributes, which can be identified by any BGP router. Route attributes of this type are carried in Update messages; without them, the routing information is invalid. Well-known discretionary attributes, which can be identified by any BGP router.
  • Page 356 AS numbers are listed by the distances between the ASs and the local AS. The number of the AS that is closest to the local AS is listed in the head, as shown in Figure 5-6. Figure 5-6 AS_PATH attribute 8.0.0.0 AS 10 D=8.0.0.0...
  • Page 357 When a BGP speaker sends a received route to one of its EBGP peers, it sets the NEXT_HOP attribute of the routing information to the address of its interface connecting to the EBGP peer. When a BGP speaker sends a route received from one of its EBGP peers to one of its IBGP neighbors, it does not change the NEXT_HOP attribute of the routing information.
  • Page 358 You can force BGP to compare MED values of routes coming from different ASs. LOCAL_PREF The LOCAL_PREF attribute is only valid among IBGP peers. It is not advertised to other ASs. It indicates the priority of a BGP router. The LOCAL_PREF attribute is used to determine the optimal route for traffic leaving an AS. For multiple routes a BGP router receives from different IBGP peers, if they have the same destination address but different next hops, the route with the smallest LOCAL_PREF value is chosen as the optimal route provided other conditions are the same.
  • Page 359: Bgp Routing Policy

    BGP Routing Policy BGP routing policy A BGP router filters routes in the following order. Drops routes whose NEXT_HOP is unreachable. If preferred-value is specified, chooses the route with the highest preferred-value. Prefers the route with the highest LOCAL_PREF value. Prefers routes originated by the local router. Prefers the route with the shortest AS path.
  • Page 360 In most cases, BGP is applied in complicated networks where route changes are frequent. To avoid the adverse effects caused by route flaps, BGP uses route dampening to suppress unstable routes. BGP route dampening uses a penalty value to judge the stability of a route. A higher penalty value indicates a less stable route.
  • Page 361 Community Different from a peer group, community lets you apply the same policy to BGP routers residing in different ASs. Community is a route attribute transmitted among BGP peers. It is independent of Before sending a route with the COMMUNITY attribute to its peers, a BGP router can change the original COMMUNITY attribute of the route.
  • Page 362 Figure 5-12 A cluster containing two RRs RR is unnecessary for clients that are already fully connected. You can disable routing information reflection using corresponding commands provided by the switches. The configuration to disable routing information reflection only applies to clients. That is, routing information can still be reflected between a client and a non-client even if you disable routing information reflection.
  • Page 363: Mp-Bgp

    To a BGP speaker that does not belong to any confederation, the sub-ASs of a confederation are a whole, and the information about the sub-ASs is invisible to the BGP speaker. The confederation ID, which is usually the corresponding AS number, uniquely identifies a confederation. In Figure 5-13, AS 200 is a confederation ID.
  • Page 364: Bgp Configuration Task List

    BGP Configuration Task List Complete the following tasks to configure BGP: Task Remarks Basic BGP Configuration Required Importing Routes Optional Configuring BGP Route Optional Enabling Default Route Advertising Optional Configuring the Way to Advertise/Receive Configuring BGP Route Distribution Filtering Policies Optional Routing Information Configuring BGP Route Reception Filtering Policies...
  • Page 365: Configuring Bgp Multicast Address Family

    Configuring BGP Multicast Address Family Follow these steps to configure BGP multicast address family To do… Use the command… Remarks system-view Enter system view — Enter BGP view bgp as-number — Enter multicast address family view ipv4-family multicast Required Configuration in multicast address family view is similar to that in BGP view. So, unless otherwise noted, refer to configuration in BGP view for information about the configuration in multicast address family view.
  • Page 366: Configuring The Way To Advertise/Receive Routing Information

    To configure the basic functions of a BGP peer group, you need to create the BGP peer group first. Refer to section “Configuring BGP Peer Group” for information about creating a BGP peer group. To ensure that route update packets can still be sent even if problems occur on physical interfaces, you can configure a loopback interface as the source interface of route update packets.
  • Page 367: Configuring Bgp Route Summarization

    To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter BGP view: bgp as-number (—). Enable redistribution of default routes to the BGP routing table: default-route imported (Optional. By default, BGP does not import default routes to the BGP routing table.) Enable route redistribution from ...: import-route protocol (Required)...
  • Page 368: Enabling Default Route Advertising

    Follow these steps to configure BGP route summarization: To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter BGP view: bgp as-number (—). Enable automatic route summarization: summarization (Required). Configure BGP route summarization: aggregate ip-address mask [ as-set | attribute-policy route-policy-name | ... (By default, routes are not...
  • Page 369: Configuring Bgp Route Reception Filtering Policies

    To do... / Use the command... / Remarks: Filter the routing information to ...: Specify an ACL-based BGP route filtering policy for a peer group: peer group-name filter-policy acl-number export (Required. By default, a peer group has no peer group-based ACL route filtering policy.) Specify an AS path ...: peer group-name as-path-acl...
  • Page 370: Disable Bgp-Igp Route Synchronization

    Routes received by a BGP router are filtered, and only those matching the specified ACLs are added to the routing table. A peer group member and the peer group can use different inbound routing policies, that is, peers of a peer group can use different route filtering policies for receiving routing information. Disable BGP-IGP Route Synchronization Follow these steps to disable BGP-IGP route synchronization: To do...
  • Page 371: Configuring Bgp Route Attributes

    To do... / Use the command... / Remarks: Configure BGP route dampening-related parameters: dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling ] [ route-policy route-policy-name ] (Optional. Not configured by default. The defaults are as follows: half-life-reachable: 15 (in minutes); half-life-unreachable: 15 (in minutes); reuse: 750; suppress: 2000; ceiling: 16000...
  • Page 372: Tuning And Optimizing A Bgp Network

    To do... / Use the command... / Remarks: Configure the local address as the next hop address when a BGP router advertises a route: peer group-name next-hop-local (Required. In some networks, to ensure that an IBGP neighbor locates the correct next hop, you can configure the next hop...
  • Page 373: Configuration Prerequisites

    message from its peer in a specific period (known as Holdtime), the router considers that the BGP connection is operating improperly and thus disconnects the BGP connection. When establishing a BGP connection, the two routers negotiate the Holdtime by comparing their Holdtime values and take the smaller one as the Holdtime.
  • Page 374: Configuring A Large-Scale Bgp Network

    To do... / Use the command... / Remarks: Configure the Keepalive time and holdtime of a specified peer/peer group: peer { group-name | ip-address } timer keepalive keepalive-interval hold ... (... seconds. The priority of the timer configured by the timer command is lower than that of the timer configured by the peer ...
  • Page 375: Configuration Prerequisites

    Community can also be used to ease routing policy management, and its management range is much wider than that of a peer group. It is AS-independent and controls the routing policy of multiple BGP routers. In an AS, to ensure connectivity among IBGP peers, you need to set up a full mesh of connections among them. When there are many IBGP peers, establishing such a fully connected network is costly.
  • Page 376: Configuring Bgp Community

    It is not required to specify an AS number for creating an IBGP peer group. If there already exists a peer in a peer group, you can neither change the AS number of the peer group, nor delete a specified AS number through the undo command. In a hybrid EBGP peer group, you need to specify the AS number for all peers respectively.
  • Page 377: Configuring Bgp Confederation

    To do... / Use the command... / Remarks: Configure the cluster ID of an RR: reflector cluster-id cluster-id (Optional. By default, an RR uses its own router ID as the cluster ID.) Normally, full connection is not required between an RR and a client. A route is reflected by an RR from a client to another client.
  • Page 378: Displaying And Maintaining Bgp Configuration

    Displaying and Maintaining BGP Configuration Displaying BGP Configuration To do... / Use the command... / Remarks: Display information about a peer group: display bgp [ multicast ] group [ group-name ]. Display routing information exported by BGP: display bgp [ multicast ] network. Display information about AS paths: display bgp paths [ as-regular-expression ]. Display information about a BGP...
  • Page 379: Clearing Bgp Information

    To do... / Use the command... / Remarks: ... view. Reset the BGP connection with a specified peer: reset bgp ip-address [ flap-info ]. Reset the BGP connections with a specified peer group: reset bgp group group-name. Clearing BGP Information To do... / Use the command... / Remarks: Clear the route dampening information: reset bgp dampening [ network-address...
  • Page 380: Network Requirements

    Configuration plan Split AS 100 into three sub-ASs: AS 1001, AS 1002, and AS 1003. Run EBGP between AS 1001, AS 1002, and AS 1003. AS 1001, AS 1002, and AS 1003 are each fully meshed by running IBGP. Run EBGP between AS 100 and AS 200. Configuration procedure # Configure Switch A.
  • Page 381 Network diagram Figure 5-15 shows the network diagram. Figure 5-15 Network diagram for BGP RR configuration. Device / Interface / IP address: Switch A: Vlan-int 100 1.1.1.1/8, Vlan-int 2 192.1.1.1/24; Switch B: Vlan-int 2 192.1.1.2/24, Vlan-int 3 193.1.1.2/24; Switch C: Vlan-int 3 193.1.1.1/24, Vlan-int 4 194.1.1.1/24...
  • Page 382: Configuring Bgp Path Selection

    [SwitchB] bgp 200 [SwitchB-bgp] group ex external [SwitchB-bgp] peer 192.1.1.1 group ex as-number 100 [SwitchB-bgp] group in internal [SwitchB-bgp] peer 193.1.1.1 group in Configure Switch C. # Configure VLAN interface IP addresses. <SwitchC> system-view [SwitchC] interface Vlan-interface 3 [SwitchC-Vlan-interface3] ip address 193.1.1.1 255.255.255.0 [SwitchC-Vlan-interface3] quit [SwitchC] interface vlan-Interface 4 [SwitchC-Vlan-interface4] ip address 194.1.1.1 255.255.255.0...
  • Page 383 Figure 5-16 Network diagram for BGP path selection. Device / Interface / IP address: Switch A: Vlan-int 101 1.1.1.1/8, Vlan-int 2 192.1.1.1/24, Vlan-int 3 193.1.1.1/24; Switch B: Vlan-int 2 192.1.1.2/24, Vlan-int 4 194.1.1.2/24; Switch C: Vlan-int 3 193.1.1.2/24, Vlan-int 5 195.1.1.2/24; Switch D: Vlan-int 4 194.1.1.1/24, Vlan-int 5...
  • Page 384 [SwitchA-bgp] peer 193.1.1.2 group ex193 as-number 200 [SwitchA-bgp] quit # Define ACL 2000 to permit the route 1.0.0.0/8. [SwitchA] acl number 2000 [SwitchA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255 [SwitchA-acl-basic-2000] rule deny source any [SwitchA-acl-basic-2000] quit # Create a routing policy named apply_med_50, and specify node 10 with the permit matching mode for the routing policy.
  • Page 385: Configure Ospf

    [SwitchB-bgp] peer 195.1.1.2 group in Configure Switch C. # Configure VLAN interface IP addresses. <SwitchC> system-view [SwitchC] interface Vlan-interface 3 [SwitchC-Vlan-interface3] ip address 193.1.1.2 255.255.255.0 [SwitchC-Vlan-interface3] quit [SwitchC] interface Vlan-interface 5 [SwitchC-Vlan-interface5] ip address 195.1.1.2 255.255.255.0 [SwitchC-Vlan-interface5] quit # Configure OSPF. [SwitchC] ospf [SwitchC-ospf-1] area 0 [SwitchC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255...
  • Page 386: Troubleshooting Bgp Configuration

    To make the configuration take effect, all BGP neighbors need to execute the reset bgp all command. After the above configuration, because the MED attribute value of the route 1.0.0.0 learnt by Switch C is smaller than that of the route 1.0.0.0 learnt by Switch B, Switch D will choose the route 1.0.0.0 coming from Switch C.
  • Page 387 If the neighbor is not directly connected physically, check whether the peer ebgp-max-hop command is configured. Check whether there is an available route to the neighbor in the routing table. Use the ping -a ip-address command to check the TCP connection. Check whether an ACL is denying TCP port 179.
  • Page 388: Ip Routing Policy Configuration

    IP Routing Policy Configuration When configuring an IP routing policy, go to these sections for information you are interested in: IP Routing Policy Overview IP Routing Policy Configuration Task List Displaying IP Routing Policy IP Routing Policy Configuration Example Troubleshooting IP Routing Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 389: Ip Routing Policy Configuration Task List

    IP-prefix list An IP-prefix list plays a role similar to that of an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information. Moreover, with an IP-prefix list, you can use the gateway option to specify that only routing information advertised by certain routers will be received.
  • Page 390: Routing Policy Configuration

    Routing Policy Configuration A routing policy is used to match given routing information or some attributes of routing information and change the attributes of the routing information if the conditions are met. The above-mentioned filtering lists can serve as the match conditions: A routing policy can comprise multiple nodes and each node comprises: if-match clause: Defines matching rules;...
  • Page 391: Defining If-Match Clauses And Apply Clauses

    The permit argument specifies the matching mode for a defined node in the routing policy to be in permit mode. If a route matches the rules for the node, the apply clauses for the node will be executed and the test of the next node will not be taken. If not, however, the route takes the test of the next node.
  • Page 392 To do... / Use the command... / Remarks: Define a rule to match the tag field of OSPF routing information: if-match tag value (Optional. By default, no matching is performed on the tag field of OSPF routing information.) Add specified AS numbers to the as-path in BGP routing ...: apply as-path as-number&<1-10>...
  • Page 393: Ip-Prefix Configuration

    IP-Prefix Configuration An IP-prefix list plays a role similar to that of an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information. Configuration Prerequisites Before configuring a filter list, prepare the following data: IP-prefix name Range of addresses to be matched...
  • Page 394: Community List Configuration

    To do... / Use the command... / Remarks: Configure an AS path list: ip as-path-acl acl-number { permit | deny } as-regular-expression (Optional. By default, no AS path list is defined.) Community List Configuration In BGP, COMMUNITY attributes are optional transitive. Some COMMUNITY attributes are globally recognized and they are called standard COMMUNITY attributes.
  • Page 395 Configure route filtering rules on Switch A so that the three received static routes are partially visible and partially shielded: the routes of network segments 20.0.0.0 and 40.0.0.0 are visible, and the route of network segment 30.0.0.0 is shielded. Network diagram Figure 6-1 Filter received routing information Configuration procedure Configure Switch A:...
  • Page 396: Controlling Rip Packet Cost To Implement Dynamic Route Backup

    # Apply routing policy when the static routes are imported. [SwitchA] ospf [SwitchA-ospf-1] import-route static route-policy ospf Configure Switch B: # Configure the IP address of the interface. <SwitchB> system-view [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 10.0.0.2 255.0.0.0 [SwitchB-Vlan-interface100] quit # Enable the OSPF protocol and specify the ID of the area to which the interface belongs.
  • Page 397 Figure 6-2 Network diagram. Device / Interface / IP address: Switch A: Vlan-int 2 2.2.2.1/8, Vlan-int 3 3.3.3.254/8, Vlan-int 10 1.1.1.254/8; Switch B: Vlan-int 3 3.3.3.253/8, Vlan-int 6 6.6.6.5/8, Vlan-int 10 1.1.1.253/8; Switch C: Vlan-int 1 192.168.0.39/24, Vlan-int 2 2.2.2.2/8, Vlan-int 6 6.6.6.6/8; OA Server: 1.1.1.1/32...
  • Page 398 [SwitchA-rip] network 3.0.0.0 Configure Switch B. # Create VLANs and configure IP addresses for the VLAN interfaces. The configuration procedure is omitted. # Configure RIP. <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 1.0.0.0 [SwitchB-rip] network 3.0.0.0 [SwitchB-rip] network 6.0.0.0 Configure Switch C. # Create VLANs and configure IP addresses for the VLAN interfaces.
  • Page 399 [SwitchC] route-policy in permit node 50 [SwitchC-route-policy] quit # Configure RIP and apply the routing policy in to the incoming routing information. [SwitchC] rip [SwitchC-rip] network 1.0.0.0 [SwitchC-rip] network 3.0.0.0 [SwitchC-rip] network 6.0.0.0 [SwitchC-rip] filter-policy route-policy in import Configuration verification Display data forwarding paths when the main link of the OA server between Switch A and Switch C works normally.
  • Page 400: Troubleshooting Ip Routing Policy

    It is recommended to configure a node that matches all routes not matched by the preceding nodes in a routing policy. If the cost of a received RIP route is equal to 16, the cost specified by the apply cost command in a routing policy will not be applied to the route; that is, the cost of the route remains 16.
  • Page 401: Route Capacity Configuration

    Route Capacity Configuration When configuring route capacity, go to these sections for information you are interested in: Route Capacity Configuration Overview Route Capacity Limitation Configuration Displaying and Maintaining Route Capacity Limitation Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 402: Route Capacity Limitation Configuration

    When the free memory of the switch is equal to or lower than the lower limit, OSPF or BGP connection will be disconnected and OSPF or BGP routes will be removed from the routing table. If automatic protocol connection recovery is enabled, when the free memory of the switch restores to a value larger than the safety value, the switch automatically re-establishes the OSPF or BGP connection.
  • Page 403: Displaying And Maintaining Route Capacity Limitation Configuration

    If automatic protocol recovery is disabled, the OSPF or BGP connection will not recover even when the free memory exceeds the safety value. Therefore, use caution when disabling this function. Displaying and Maintaining Route Capacity Limitation Configuration To do... / Use the command... / Remarks: Display memory occupancy of a switch: display memory [ unit...
  • Page 404 Table of Contents 1 Multicast Overview 1-1; Multicast Overview 1-1; Information Transmission in the Unicast Mode 1-1; Information Transmission in the Broadcast Mode 1-2; Information Transmission in the Multicast Mode 1-3; Roles in Multicast 1-3; Common Notations in Multicast 1-4; Advantages and Applications of Multicast 1-5; Multicast Models 1-5; Multicast Architecture 1-6; Multicast Address 1-6...
  • Page 405 Configuring Simulated Joining 3-10; Configuring IGMP Proxy 3-11; Removing Joined IGMP Groups from an Interface 3-12; Displaying and Maintaining IGMP 3-12; 4 PIM Configuration 4-1; PIM Overview 4-1; Introduction to PIM-DM 4-2; How PIM-DM Works 4-2; Introduction to PIM-SM 4-5; How PIM-SM Works 4-5; Configuring PIM-DM 4-10; Enabling PIM-DM 4-10; Configuring PIM-SM 4-10; Enabling PIM-SM 4-10; Configuring an RP 4-11...
  • Page 406 Configuring RP Address in SA Messages 5-11; Configuring SA Message Cache 5-12; Configuring the Transmission and Filtering of SA Request Messages 5-12; Configuring a Rule for Filtering the Multicast Sources of SA Messages 5-13; Configuring a Rule for Filtering Received and Forwarded SA Messages 5-13; Displaying and Maintaining MSDP 5-14; MSDP Configuration Example 5-15; Anycast RP Configuration 5-15...
  • Page 407: Multicast Overview

    Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
  • Page 408: Information Transmission In The Broadcast Mode

    Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
  • Page 409: Information Transmission In The Multicast Mode

    Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, neither unicast nor broadcast is efficient. Multicast solves this problem.
  • Page 410: Common Notations In Multicast

    Each receiver is a multicast group member (“Receiver” in Figure 1-3). All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 411: Advantages And Applications Of Multicast

    Advantages and Applications of Multicast Advantages of multicast Advantages of multicast include: Enhanced efficiency: Multicast decreases network traffic and reduces server load and CPU load. Optimal performance: Multicast reduces redundant traffic. Distributive application: Multicast makes multiple-point application possible. Application of multicast The multicast technology effectively addresses the issue of point-to-multipoint data transmission.
  • Page 412: Multicast Architecture

    multicast address range that is different from that of the ASM model, and dedicated multicast forwarding paths are established between receivers and the specified multicast sources. Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers.
  • Page 413 data sent to this group of addresses starts to be transported to the receivers. All the members in this group can receive the data packets. This group is a multicast group. A multicast group has the following characteristics: The membership of a group is dynamic. A host can join and leave a multicast group at any time. A multicast group can be either permanent or temporary.
  • Page 414 Class D address range and description: 224.0.0.12 DHCP server/relay agent; 224.0.0.13 All Protocol Independent Multicast (PIM) routers; 224.0.0.14 Resource Reservation Protocol (RSVP) encapsulation; 224.0.0.15 All core-based tree (CBT) routers; 224.0.0.16 The specified subnetwork bandwidth management (SBM); 224.0.0.17 All SBMS; 224.0.0.18 Virtual Router Redundancy Protocol (VRRP); 224.0.0.19 to 224.0.0.255 Other protocols. Just as it reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the...
  • Page 415: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 416: Multicast Packet Forwarding Mechanism

    Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs.
  • Page 417: Implementation Of The Rpf Mechanism

    need to forward multicast packets received on one incoming interface to multiple outgoing interfaces. Compared with a unicast model, a multicast model is more complex in the following aspects. In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast.
  • Page 418 When performing an RPF check, a router searches its unicast routing table. The specific process is as follows: The router automatically chooses an optimal unicast route by searching its unicast routing table, using the IP address of the “packet source” as the destination address. The outgoing interface in the corresponding routing entry is the RPF interface and the next hop is the RPF neighbor.
  • Page 419: Common Multicast Configuration

    Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Enabling Multicast Packet Buffering...
  • Page 420: Enabling Multicast Routing

    Disabled by default. To guard against attacks on any socket not in use, the S5600 series provides the following functions to achieve enhanced security: The system opens the RAW socket used for multicast routing only if multicast routing is enabled.
  • Page 421: Configuring Suppression On The Multicast Source Port

    Configuring Suppression on the Multicast Source Port Some users may deploy unauthorized multicast servers on the network. By consuming network resources, such servers affect the use of network bandwidth and the transmission of multicast data of authorized users. You can configure multicast source port suppression on certain ports to prevent unauthorized multicast servers attached to these ports from sending multicast traffic to the network.
  • Page 422: Configuring A Multicast Mac Address Entry

    Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC address entry manually. Generally, when receiving a multicast packet for a multicast group not yet registered on the switch, the switch will flood the packet within the VLAN to which the port belongs.
  • Page 423: Tracing A Multicast Path

    whose multicast address is not registered. Thus, bandwidth is saved and the processing efficiency of the system is improved. Follow these steps to configure dropping of unknown multicast packets: To do... Use the command... Remarks Enter system view system-view — Required Configure dropping unknown unknown-multicast drop...
  • Page 424 To do... Use the command... Remarks Display the information about the IP multicast Available in any groups and MAC multicast display mpm group [ vlan vlan-id ] view groups in a VLAN or all VLANs display mac-address multicast [ static Display the created Available in any { { { mac-address vlan vlan-id | vlan vlan-id } [ count ] } |...
  • Page 425: Igmp Configuration

    IGMP Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. When configuring IGMP, go to these sections for information you are interested in: IGMP Overview Configuring IGMP Displaying and Maintaining IGMP...
  • Page 426 Figure 3-1 Joining multicast groups (Router A and Router B on an IP network; Host A (G2), Host B (G1) and Host C (G1) on the Ethernet segment; Query and Report messages shown) Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure 3-1.
  • Page 427: Enhancements Provided By Igmpv2

    Enhancements Provided by IGMPv2 Compared with IGMPv1, IGMPv2 provides the querier election mechanism and Leave Group mechanism. Querier election mechanism In IGMPv1, the DR elected by the Layer 3 multicast routing protocol (such as PIM) serves as the querier among multiple routers on the same subnet. In IGMPv2, an independent querier election mechanism is introduced.
  • Page 428 If it does not expect multicast data from specific sources like S1, S2, …, it sends a report with the Filter-Mode denoted as “Exclude Sources (S1, S2, …)”. As shown in Figure 3-2, the network comprises two multicast sources, Source 1 (S1) and Source 2 (S2), both of which can send multicast data to multicast group G.
  • Page 429: Igmp Proxy

    If the change was to an Include source list, these are the addresses that were deleted from the list; if the change was to an Exclude source list, these are the addresses that were added to the list. Currently, only IGMPv1 and IGMPv2 are supported on S5600 series Ethernet switches. IGMP Proxy Many stub networks (stub domains) are involved when a multicast routing protocol (PIM-DM for example) is applied over a large-scale network.
  • Page 430: Configuring Igmp

    Figure 3-3 shows an IGMP Proxy diagram for a stub network. The upstream interface, VLAN-interface 1 of Switch B is the proxy interface for the downstream interface VLAN-interface 2. Configure Switch B as follows: Enable multicast routing, and then enable PIM and IGMP on VLAN-interface 1 and VLAN-interface 2. Run the igmp proxy command on VLAN-interface 1 to configure it as the proxy interface for VLAN-interface 2.
  • Page 431: Configuring Igmp Version

    To do... Use the command... Remarks interface interface-type Enter interface view — interface-number Required Enable IGMP igmp enable Disabled by default Before performing the following configurations described in this chapter, you must enable multicast routing and enable IGMP on the specific interfaces. Configuring IGMP Version Follow these steps to configure IGMP version: To do...
  • Page 432 When the IGMP querier receives the message, it sends robust-value IGMP group-specific query messages at the interval of lastmember-queryinterval. If other hosts are interested in the group after receiving the IGMP group-specific query message from the querier, they must send IGMP report messages within the maximum response time specified in the query messages.
  • Page 433: Configuring The Maximum Allowed Number Of Multicast Groups

    To do... Use the command... Remarks Optional Configure the other querier present igmp timer The system default is 120 seconds, other-querier-present seconds timer namely twice the query interval. Optional igmp max-response-time Configure the maximum response time of IGMP general queries seconds 10 seconds by default.
  • Page 434: Configuring Simulated Joining

    Configuring a multicast group filter in interface view Follow these steps to configure a multicast group filter in VLAN interface view: To do... Use the command... Remarks Enter system view system-view — Enter interface view interface interface-type interface-number — igmp group-policy In VLAN interface acl-number [ 1 | 2 | port view...
  • Page 435: Configuring Igmp Proxy

    Configuring simulated joining in interface view Follow these steps to configure simulated joining in interface view: To do... Use the command... Remarks Enter system view system-view — Enter interface view interface interface-type interface-number — igmp host-join VLAN interface group-address port Configure one or more ports in the Required view...
  • Page 436: Removing Joined Igmp Groups From An Interface

    You must enable the PIM protocol on the interface before configuring the igmp proxy command. Otherwise, the IGMP Proxy feature does not take effect. One interface cannot serve as the proxy interface for two or more interfaces. Generally, an interface serving as an IGMP querier cannot act as an IGMP proxy interface. If it is necessary to configure an IGMP querier interface as an IGMP proxy interface, you must configure the port that belongs to the proxy interface and connects to the upstream multicast device as a static router port.
  • Page 437: Pim Configuration

    PIM Configuration When configuring PIM, go to these sections for information you are interested in: PIM Overview Configuring PIM-DM Configuring PIM-SM Configuring Common PIM Parameters Displaying and Maintaining PIM PIM Configuration Examples Troubleshooting PIM In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 438: Introduction To Pim-Dm

    Introduction to PIM-DM PIM-DM is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely distributed multicast members. The basic implementation of PIM-DM is as follows: PIM-DM assumes that at least one multicast group member exists on each subnet of a network, and therefore multicast data is flooded to all nodes on the network.
  • Page 439 Then, nodes without receivers downstream are pruned: A router having no receivers downstream sends a prune message to the upstream node to “tell” the upstream node to delete the corresponding interface from the outgoing interface list in the (S, G) entry and stop forwarding subsequent packets addressed to that multicast group down to this node.
  • Page 440 Graft When a host attached to a pruned node joins a multicast group, to reduce the join latency, PIM-DM uses a graft mechanism to resume data forwarding to that branch. The process is as follows: The node that needs to receive multicast data sends a graft message hop by hop toward the source, as a request to join the SPT again.
  • Page 441: Introduction To Pim-Sm

    Introduction to PIM-SM PIM-DM uses the “flood and prune” principle to build SPTs for multicast data distribution. Although an SPT has the shortest path, it is built with low efficiency. Therefore the PIM-DM mode is not suitable for large- and medium-sized networks. PIM-SM is a type of sparse mode multicast protocol.
  • Page 442 DR election PIM-SM also uses hello messages to elect a designated router (DR) for a multi-access network. The elected DR will be the only multicast forwarder on this multi-access network. A DR must be elected in a multi-access network, no matter whether this network connects to multicast sources or to receivers.
  • Page 443 S5600 series Ethernet switches do not support DR priority. DR election is based on IP addresses. In a PIM-DM domain, a DR serves as an IGMPv1 querier. RP discovery The RP is the core of a PIM-SM domain. For a small-sized, simple network, one RP is enough for forwarding information throughout the network, and the position of the RP can be statically specified on each router in the PIM-SM domain.
  • Page 444 RPT building Figure 4-5 Building an RPT in PIM-SM As shown in Figure 4-5, the process of building an RPT is as follows: When a receiver joins a multicast group G, it uses an IGMP message to inform the directly connected DR.
  • Page 445 Figure 4-6 Multicast registration (Source, Server, Host A, Host B, Host C, Receiver; Join message, Register message and Multicast packets shown) As shown in Figure 4-6, the multicast source registers with the RP as follows: When the multicast source S sends the first multicast packet to a multicast group G, the DR directly connected with the multicast source, upon receiving the multicast packet, encapsulates the packet in a PIM register message, and sends the message to the corresponding RP by unicast.
  • Page 446: Configuring Pim-Dm

    Assert PIM-SM uses exactly the same assert mechanism as PIM-DM does. Refer to Assert. Configuring PIM-DM Enabling PIM-DM With PIM-DM enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from PIM neighbors. When deploying a PIM-DM domain, it is recommended that you enable PIM-DM on all interfaces of non-border routers.
  • Page 447: Configuring An Rp

    To do... Use the command... Remarks interface interface-type Enter interface view — interface-number Required Enable PIM-SM pim sm Disabled by default Configuring an RP An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job.
  • Page 448: Configuring A Bsr

    To do... Use the command... Remarks Optional Limit the range of valid crp-policy acl-number By default, the range of valid C-RPs is not set C-RPs for the switch. If the range of multicast groups that an RP serves is not specified when the RP is configured, the RP serves all multicast groups.
  • Page 449 value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the entire network, all these routers will discard bootstrap messages from outside the legal address range.
  • Page 450: Filtering The Registration Packets From Dr To Rp

    After this feature is configured, Bootstrap messages cannot pass the border. However, the other PIM messages can pass the domain border. The network can be effectively divided into domains that use different BSRs. Filtering the Registration Packets from DR to RP Within a PIM-SM domain, the source-side DR sends register messages to the RP, and these register messages have different multicast source or group addresses.
  • Page 451: Configuring Common Pim Parameters

    Typically, you need to configure the above-mentioned parameters on the receiver-side DR and the RP only. Since both the DR and RP are elected, however, you should carry out these configurations on the routers that may win DR election and on the C-RPs that may win RP election. Configuring Common PIM Parameters Complete the following tasks to configure common PIM parameters: Task...
  • Page 452: Configuring The Hello Interval

    Configuring the Hello Interval In a PIM domain, a PIM router discovers PIM neighbors and maintains PIM neighboring relationships with other routers by periodically sending hello messages. Follow these steps to configure the Hello interval: To do... Use the command... Remarks Enter system view system-view...
  • Page 453: Configuring Multicast Source Lifetime

    The S5600 series Ethernet switches support prune delay configuration. Upon receiving a prune message from a downstream node, the upstream node does not take a prune action immediately;...
  • Page 454: Clearing The Related Pim Entries

    An appropriate PIM prune delay setting can reduce the number of prune/graft operations to downstream nodes and thus lessen the burden to the device itself and the network. Follow these steps to configure PIM prune delay: To do… Use the command… Remarks Enter system view system-view...
  • Page 455: Pim Configuration Examples

    PIM Configuration Examples PIM-DM Configuration Example Network requirements Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire PIM domain operates in the dense mode. Host A and Host C are multicast receivers in two stub networks.
  • Page 456: Verifying The Configuration

    Configure the IP address and subnet mask for each interface as per Figure 4-7. Detailed configuration steps are omitted here. Configure the OSPF protocol for interoperation among the switches in the PIM-DM domain. Ensure the network-layer interoperation among Switch A, Switch B, Switch C and Switch D in the PIM-DM domain and enable dynamic update of routing information among the switches through a unicast routing protocol.
  • Page 457: Pim-Sm Configuration Example

    PIM-DM Routing Table Total 1 (S,G) entry (10.110.5.100, 225.1.1.1) Protocol 0x40: PIMDM, Flag 0xC: SPT NEG_CACHE Uptime: 00:00:23, Timeout in 187 sec Upstream interface: Vlan-interface103, RPF neighbor: 192.168.1.2 Downstream interface list: Vlan-interface100, Protocol 0x1: IGMP, never timeout Matched 1 (S,G) entry The information on Switch B and Switch C is similar to that on Switch A.
  • Page 458 Network diagram Figure 4-8 Network diagram for PIM-SM domain configuration. Device, interface and IP address: Switch A: Vlanint100 10.110.1.1/24, Vlanint101 192.168.1.1/24, Vlanint102 192.168.9.1/24; Switch D: Vlanint300 10.110.5.1/24, Vlanint101 192.168.1.2/24, Vlanint105 192.168.4.2/24; Switch B: Vlanint200 10.110.2.1/24, Vlanint103...; Switch E: Vlanint104 192.168.3.2/24...
  • Page 459 [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] pim sm [SwitchA-Vlan-interface101] quit [SwitchA] interface vlan-interface 102 [SwitchA-Vlan-interface102] pim sm [SwitchA-Vlan-interface102] quit The configuration on Switch B and Switch C is similar to that on Switch A. The configuration on Switch D and Switch E is also similar to that on Switch A except that it is not necessary to enable IGMP on the corresponding interfaces on these two switches.
  • Page 460 PIM-SM Routing Table Total 1 (S,G) entries, 1 (*,G) entries, 0 (*,*,RP) entry (*, 225.1.1.1), RP 192.168.9.2 Protocol 0x20: PIMSM, Flag 0x2003: RPT WC NULL_IIF Uptime: 00:23:21, never timeout Upstream interface: Vlan-interface102, RPF neighbor: 192.168.9.2 Downstream interface list: Vlan-interface100, Protocol 0x1: IGMP, never timeout (10.110.5.100, 225.1.1.1) Protocol 0x20: PIMSM, Flag 0x80004: SPT Uptime: 00:03:43, Timeout in 199 sec...
  • Page 461: Troubleshooting Pim

    Matched 1 (S,G) entry, 1 (*,G) entry, 0 (*,*,RP) entry Troubleshooting PIM Symptom: The router cannot set up multicast routing tables correctly. Solution: You can troubleshoot PIM according to the following procedure. Make sure that the unicast routing is correct before troubleshooting PIM. Because PIM-SM needs the support of RP and BSR, you must execute the display pim bsr-info command to see whether BSR information exists.
  • Page 462: Msdp Configuration

    MSDP Configuration When configuring MSDP, go to these sections for information you are interested in: MSDP Overview Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers Configuring SA Message Transmission Displaying and Maintaining MSDP MSDP Configuration Example Troubleshooting MSDP Configuration In this manual, the term “router”...
  • Page 463: How Msdp Works

    MSDP achieves this objective. By establishing MSDP peer relationships among RPs of different PIM-SM domains, source active (SA) messages can be forwarded among domains and the multicast source information can be shared. MSDP is applicable only if the intra-domain multicast protocol is PIM-SM. MSDP is meaningful only for the any-source multicast (ASM) model.
  • Page 464 Intermediate MSDP peer: an MSDP peer with multiple remote MSDP peers, like RP 2. An intermediate MSDP peer forwards SA messages received from one remote MSDP peer to other remote MSDP peers, functioning as a relay of multicast source information. MSDP peers created on common PIM-SM routers (other than RPs) Router A and Router B are MSDP peers on common multicast routers.
  • Page 465 When the multicast source in PIM-SM 1 sends the first multicast packet to multicast group G, DR 1 encapsulates the multicast data within a register message and sends the register message to RP 1. Then, RP 1 gets aware of the information related to the multicast source. As the source-side RP, RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer.
  • Page 466 If only one MSDP peer exists in a PIM-SM domain, this PIM-SM domain is also called a stub domain. For example, autonomous system AS 4 in Figure 5-3 is a stub domain. The MSDP peer in a stub domain can have multiple remote MSDP peers at the same time. You can configure one or more remote MSDP peers as static RPF peers.
  • Page 467 Because the SA message is from a static RPF peer (RP 6), RP 7 accepts the SA message and forwards it to its other peer (RP 8). When RP 8 receives the SA message from RP 7: An EBGP route exists between two MSDP peers in different ASs. Because the SA message is from an MSDP peer (RP 7) in a different AS, and the MSDP peer is the next hop on the EBGP route to the source-side RP, RP 8 accepts the message and forwards it to its other peer (RP 9).
  • Page 468: Protocols And Standards

    Receivers send join messages to the nearest RP to join the RPT rooted at this RP. In this example, Receiver joins the RPT rooted at RP 2. RPs share the registered multicast information by means of SA messages. In this example, RP 1 creates an SA message and sends it to RP 2, with the multicast data from Source encapsulated in the SA message.
  • Page 469: Configuration Prerequisites

    In the case that all the peers use the rp-policy keyword: Multiple static RPF peers function at the same time. RPs in SA messages are filtered based on the configured prefix list, and only the SA messages whose RP addresses pass the filtering are received. If multiple static RPF peers using the same rp-policy keyword are configured, when any of the peers receives an SA message, it will forward the SA message to other peers.
  • Page 470: Configuration Prerequisites

    Configuration Prerequisites Before configuring an MSDP peer connection, you need to configure: A unicast routing protocol Basic functions of IP multicast PIM-SM basic functions MSDP basic functions Complete the following tasks to configure an MSDP peer connection: Task Remarks Configuring Description Information for MSDP Peers Optional Configuring an MSDP Mesh Group Optional...
  • Page 471: Configuring Msdp Peer Connection Control

    Before you configure an MSDP mesh group, make sure that the routers are fully connected with one another. The same group name must be configured on all the peers before they can join a mesh group. If you add the same MSDP peer to multiple mesh groups, only the latest configuration takes effect. Configuring MSDP Peer Connection Control The connection between MSDP peers can be flexibly controlled.
  • Page 472: Configuration Prerequisites

    To reduce the delay in obtaining the multicast source information, you can cache SA messages on the router. The number of SA messages cached must not exceed the system limit. The more messages are cached, the more router memory is occupied. Configuration Prerequisites Before you configure SA message transmission, perform the following tasks: Configuring a unicast routing protocol.
  • Page 473: Configuring Sa Message Cache

    Configuring SA Message Cache With the SA message caching mechanism enabled on the router, the group that a new member subsequently joins can obtain all active sources directly from the SA cache and join the corresponding SPT source tree, instead of waiting for the next SA message. You can configure the number of SA entries cached in each MSDP peer on the router by executing the following command, but the number must be within the system limit.
  • Page 474: Configuring A Rule For Filtering The Multicast Sources Of Sa Messages

    To do... Use the command... Remarks Optional Configure a rule for filtering the SA peer peer-address By default, a router receives all SA messages received by an MSDP sa-request-policy [ acl request messages from the MSDP peer acl-number ] peer. Configuring a Rule for Filtering the Multicast Sources of SA Messages An RP filters each registered source to control the information of active sources advertised in the SA message.
  • Page 475: Displaying And Maintaining Msdp

    To do... Use the command... Remarks Optional By default, no filtering is imposed peer peer-address sa-policy Configure to filter imported and on SA messages to be received or { import | export } [ acl exported SA messages forwarded, namely all SA acl-number ] messages from MSDP peers are received or forwarded.
  • Page 476: Msdp Configuration Example

    MSDP Configuration Example Anycast RP Configuration Network requirements The PIM-SM domain has multiple multicast sources and receivers. OSPF runs within the domain to provide unicast routes. It is required to configure the anycast RP feature so that the receiver-side DRs and the source-side DRs can initiate a Join message to their respective RPs that are topologically nearest to them.
  • Page 477 Configure OSPF for interconnection between the switches. Ensure the network-layer interoperation among the switches, and ensure the dynamic update of routing information between the switches through a unicast routing protocol. Detailed configuration steps are omitted here. Enable IP multicast routing, and enable PIM-SM and IGMP # Enable IP multicast routing on Switch B, enable PIM-SM on each interface, and enable IGMP on the host-side interface VLAN-interface 100.
  • Page 478: Troubleshooting Msdp Configuration

    You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches. # View the brief MSDP peer information on Switch B. [SwitchB] display msdp brief MSDP Peer Brief Information Peer's Address State Up/Down time SA Count...
  • Page 479: No Sa Entry In The Sa Cache Of The Router

    Analysis An MSDP peer relationship between the locally configured connect-interface address and the configured peer address is based on a TCP connection. If the address of the local connect-interface is inconsistent with the peer address configured on the peer router, no TCP connection can be established.
  • Page 480: Igmp Snooping Configuration

    IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 481: Basic Concepts In Igmp Snooping

    Figure 6-1 Before and after IGMP Snooping is enabled on a Layer 2 device (left panel: multicast packet transmission without IGMP Snooping; right panel: multicast packet transmission when IGMP Snooping runs; each panel shows Multicast router, Source, Layer 2 switch, Host A and Host C)...
  • Page 482: Work Mechanism Of Igmp Snooping

    Member port: A member port is a port on the multicast group member side of the Ethernet switch. In the figure, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A and GigabitEthernet 1/0/2 of Switch B are member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
  • Page 483 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
  • Page 484: Configuring Igmp Snooping

    Configuring IGMP Snooping Complete the following tasks to configure IGMP Snooping: Task Remarks Enabling IGMP Snooping Required Configuring the Version of IGMP Snooping Optional Configuring Timers Optional Configuring Fast Leave Processing Optional Configuring a Multicast Group Filter Optional Configuring the Maximum Number of Multicast Groups on a Port Optional Configuring IGMP Snooping Querier Optional...
  • Page 485: Configuring The Version Of Igmp Snooping

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 486: Configuring Fast Leave Processing

    Follow these steps to configure timers: Enter system view: system-view. Configure the aging timer of the router port: igmp-snooping router-aging-time seconds (optional; by default, the aging time of the router port is 105 seconds). Configure the general query ...: igmp-snooping...
  • Page 487: Configuring A Multicast Group Filter

    The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
  • Page 488: Configuring The Maximum Number Of Multicast Groups On A Port

    Although a port can belong to multiple VLANs, you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets, to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
  • Page 489: Configuring Igmp Snooping Querier

    Configuring IGMP Snooping Querier In an IP multicast network running IGMP, a multicast router is responsible for sending IGMP general queries, so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries and thus forward multicast traffic correctly at the network layer. This router or Layer 3 switch is called the IGMP querier.
  • Page 490: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Configure the source IP address of IGMP general queries: igmp-snooping general-query source-ip { current-interface | ip-address } (optional; 0.0.0.0 by default). Configure the source IP address of IGMP group-specific queries: igmp-snooping special-query source-ip { current-interface | ip-address } (0.0.0.0 by default). Suppressing Flooding of Unknown Multicast Traffic in a VLAN...
  • Page 491: Configuring A Static Router Port

    You can configure up to 200 static member ports on an S5600 series switch. If a port has been configured as an IRF fabric port or a reflect port, it cannot be configured as a static member port.
  • Page 492: Disabling A Port From Becoming A Router Port

    B may receive the IGMP membership report, and thus obtain other information of host A from the message. To avoid this, you can disable a port of the S5600 series switches from becoming a router port so that this port will not forward IGMP membership report messages.
  • Page 493: Configuring A Vlan Tag For Query Messages

    Configuring simulated joining in Ethernet port view Follow these steps to configure a port as a simulated group member: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the current port as a simulated group member: igmp host-join group-address [ source-ip source-address ] vlan vlan-id (required; simulated joining is ...)...
  • Page 494: Configuring Multicast Vlan

    Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN and adding ports to the multicast VLAN, you can allow users in different VLANs to share the same multicast VLAN.
  • Page 495: Displaying And Maintaining Igmp Snooping

    Define the port as a trunk or hybrid port: port link-type { trunk | hybrid } (required). Specify the VLANs to be allowed to pass the Ethernet port: port hybrid vlan vlan-list { tagged | untagged } (required; the multicast VLAN must be included, and the port must be configured to forward tagged...)
  • Page 496: Igmp Snooping Configuration Examples

    IGMP Snooping Configuration Examples Configuring IGMP Snooping Network requirements To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches. As shown in Figure 6-3, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/2, and to Switch A through GigabitEthernet 1/0/1.
  • Page 497: Configuring Multicast Vlan

    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping enable
    Enable IGMP-Snooping ok.
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4
    [SwitchA-vlan100] igmp-snooping enable
    [SwitchA-vlan100] quit
    Verify the configuration...
  • Page 498 Table 6-2 Network devices and their configurations (columns: Device, Device description, Networking description). Switch A, Layer 3 switch: The interface IP address of VLAN 20 is 168.10.1.1; GigabitEthernet 1/0/1 is connected to the workstation and belongs to VLAN 20. The interface IP address of VLAN 10 is 168.10.2.1; GigabitEthernet 1/0/10 belongs to VLAN 10.
  • Page 499
    [SwitchA] vlan 20
    [SwitchA-vlan20] port GigabitEthernet 1/0/1
    [SwitchA-vlan20] quit
    [SwitchA] interface Vlan-interface 20
    [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0
    [SwitchA-Vlan-interface20] pim dm
    [SwitchA-Vlan-interface20] quit
    # Configure VLAN 10.
    [SwitchA] vlan 10
    [SwitchA-vlan10] quit
    # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 10, and configure the port to forward tagged packets for VLAN 10.
  • Page 500: Troubleshooting Igmp Snooping

    [SwitchB] interface GigabitEthernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port link-type hybrid
    [SwitchB-GigabitEthernet1/0/2] port hybrid vlan 3 10 untagged
    [SwitchB-GigabitEthernet1/0/2] port hybrid pvid vlan 3
    [SwitchB-GigabitEthernet1/0/2] quit
    Troubleshooting IGMP Snooping Symptom: Multicast function does not work on the switch. Solution: Possible reasons are: IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping.
  • Page 501 Encapsulation of EAPoL Messages 1-4; 802.1x Authentication Procedure 1-6; Timers Used in 802.1x 1-9; 802.1x Implementation on an S5600 Series Switch 1-10; Introduction to 802.1x Configuration 1-13; Basic 802.1x Configuration 1-14; Configuration Prerequisites 1-14; Configuring Basic 802.1x Functions...
  • Page 502 4 System Guard Configuration 4-1; System Guard Overview 4-1; Layer 3 Error Control 4-1; CPU Protection 4-1; System-Guard Transparent Feature 4-1; Configuring System Guard 4-2; Enabling Layer 3 Error Control 4-2; Configuring CPU Protection 4-2; Configuring System-Guard Transparent...
  • Page 503: X Configuration

    Those that fail to pass the authentication are denied access to the LAN. This section covers these topics: Architecture of 802.1x Authentication; The Mechanism of an 802.1x Authentication System; Encapsulation of EAPoL Messages; 802.1x Authentication Procedure; Timers Used in 802.1x; 802.1x Implementation on an S5600 Series Switch...
  • Page 504: Architecture Of 802.1X Authentication

    The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as an H3C series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
  • Page 505: The Mechanism Of An 802.1X Authentication System

    By default, a controlled port is a unidirectional port. The way a port is controlled A port of an H3C series switch can be controlled in the following two ways. Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
  • Page 506: Encapsulation Of Eapol Messages

    controlled port according to the instructions (accept or reject) received from the RADIUS server. Encapsulation of EAPoL Messages The format of an EAPoL packet EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP protocol packets are encapsulated in EAPoL format.
  • Page 507 encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems. The format of an EAP packet For an EAPoL packet with the value of the Type field being EAP-packet, its Packet body field is an EAP packet, whose format is illustrated in Figure 1-4.
  • Page 508: 802.1X Authentication Procedure

    Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded. Figure 1-7 The format of a Message-authenticator field 802.1x Authentication Procedure An H3C S5600 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode. EAP relay mode This mode is defined in 802.1x.
  • Page 509 Figure 1-8 802.1x authentication procedure (in EAP relay mode). Participants: supplicant system, authenticator system (EAPOL on the supplicant side, EAPOR on the server side), RADIUS server. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request (EAP-Response/Identity); RADIUS Access-Challenge (EAP-Request/MD5 challenge); EAP-Request/MD5 challenge; EAP-Response/MD5 challenge; RADIUS Access-Request...
  • Page 510 packet) to the RADIUS server through the switch. (Normally, the encryption is irreversible.) The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password. If the two match, it will then send feedback (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated.
  • Page 511: Timers Used In 802.1X

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode). Participants: supplicant system PAE, authenticator system (EAPOL on the supplicant side, RADIUS on the server side), RADIUS server. Message sequence: EAPOL-Start; EAP-Request/Identity; EAP-Response/Identity; EAP-Request/MD5 Challenge; EAP-Response/MD5 Challenge; RADIUS Access-Request (CHAP-Response/MD5 Challenge); RADIUS Access-Accept (CHAP-Success); EAP-Success; Port...
  • Page 512: 802.1X Implementation On An S5600 Series Switch

    802.1x Implementation on an S5600 Series Switch In addition to the earlier mentioned 802.1x features, an S5600 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
  • Page 513 IE proxies through messages after the supplicant system passes the authentication. The client-checking function needs the support of H3C’s 802.1x client program. To implement the proxy detecting function, you need to enable the function on both the 802.1x client program and the CAMS server in addition to enabling the client version...
  • Page 514 The 802.1x client version-checking function needs the support of H3C’s 802.1x client program. The guest VLAN function The guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way. The guest VLAN function enables supplicant systems that do not have 802.1x client installed to access specific network resources.
  • Page 515: Introduction To 802.1X Configuration

    Figure 1-10 802.1x re-authentication (network diagram: Internet, Switch, RADIUS Server) 802.1x re-authentication can be enabled in one of the following two ways: The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1.
  • Page 516: Basic 802.1X Configuration

    Figure 1-11 802.1x configuration (diagram: 802.1x configuration, ISP domain configuration, and AAA scheme configuration, where the AAA scheme is either local authentication or a RADIUS scheme) 802.1x users use domain names to associate with the ISP domains configured on switches. Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in the ISP domain.
  • Page 517 Enable 802.1x for specified ports, in port view: interface interface-type interface-number; dot1x; quit. Set port access control mode for specified ports (optional), in system view: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]; in port view: interface interface-type interface-number ... By default, an 802.1x-enabled port...
  • Page 518: Timer And Maximum User Number Configuration

    With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online. As clients that are not of H3C do not support the online user handshaking function, switches cannot receive handshake acknowledgement packets from them in handshaking periods.
  • Page 519: Advanced 802.1X Configuration

    Set 802.1x timers (optional): dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ... }. The settings of 802.1x timers are as follows: handshake-period-value: 15 seconds; quiet-period-value: ... seconds; server-timeout-value: ... seconds; supp-timeout-value: ... seconds...
  • Page 520 domain for authentication, authorization, and accounting of all 802.1X users on the port, so as to prevent those users from using other accounts to access the network. Meanwhile, for EAP relay mode 802.1X authentication that uses certificates, the certificate of a user determines the authentication domain of the user. However, you can specify different mandatory authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same).
  • Page 521: Configuring Proxy Checking

    { logoff | trap } quit The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program. The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
  • Page 522: Configuring The Unicast Trigger Function

    dot1x version-check; quit. Set the maximum number of retries to send version checking request packets (optional): dot1x retry-version-max max-retry-version-value (by default, the maximum number of retries to send version checking request packets is 3). Set the client version ... (optional): dot1x timer ver-period...
  • Page 523: Enabling Dhcp-Triggered Authentication

    The unicast trigger function is used for clients that cannot initiate authentication on their own and is suitable for networks that do not require all clients to be authenticated. The unicast trigger function can be used in combination with the port security function, but cannot take effect in the mac-else-userlogin-secure and mac-else-userlogin-secure-ext modes.
  • Page 524: Configuring 802.1X Re-Authentication

    The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
  • Page 525: Displaying And Maintaining 802.1X Configuration

    During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 526 accounting RADIUS servers to exchange messages is “money”. If the switch sends a packet to a RADIUS server and receives no response within 5 seconds, it sends the packet again, with a maximum of 5 retries.
  • Page 527
    # Assign IP addresses to the secondary authentication and accounting RADIUS server.
    [Sysname-radius-radius1] secondary authentication 10.11.1.2
    [Sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the password for the switch and the authentication RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key authentication name
    # Set the password for the switch and the accounting RADIUS servers to exchange messages.
  • Page 528: Quick Ead Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S5600 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 529: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the access mode to auto for 802.1x-enabled ports. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 530: Displaying And Maintaining Quick Ead Deployment

    will be released. When a large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer.
  • Page 531: Troubleshooting

    Network diagram Figure 2-1 Network diagram for quick EAD deployment Configuration procedure Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch.
  • Page 532 Solution: If a user enters an IP address in a format other than dotted decimal notation, the user may not be redirected. This is related to the operating system used on the PC. In this case, the PC considers the IP address string a name and tries to resolve the name.
  • Page 533: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 534: Habp Client Configuration

    Configure the current switch to be an HABP server: habp server vlan vlan-id (required). By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
  • Page 535: System Guard Configuration

    System Guard Configuration The CPU protection function is added. For more information, see CPU Protection and Configuring CPU Protection. The system-guard transparent function is added. For more information, see System-Guard Transparent Feature and Configuring System-Guard Transparent. When configuring System Guard, go to these sections for information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration...
  • Page 536: Configuring System Guard

    At present, the S5600 series switches support the system-guard transparent function, which can solve the previously mentioned problem. With this function, you can configure the switch not to deliver OSPF, PIM, RIP, or VRRP multicast packets to the CPU. For...
  • Page 537: Displaying And Maintaining System Guard Configuration

    Enable the system-guard transparent function for a specific protocol: system-guard transparent { ospf | pim | rip | vrrp } (required; disabled by default). If OSPF, PIM, RIP, or VRRP is enabled on the switch, do not enable the system-guard transparent function for the protocol.
  • Page 538 Table of Contents 1 AAA Overview 1-1; Introduction to AAA 1-1; Authentication 1-1; Authorization 1-2; Accounting 1-2; Introduction to ISP Domain 1-2; Introduction to AAA Services 1-3; Introduction to RADIUS 1-3; Introduction to HWTACACS 1-7; 2 AAA Configuration 2-1; AAA Configuration Task List 2-1; Configuration introduction 2-1; Creating an ISP Domain and Configuring Its Attributes 2-2; Configuring an AAA Scheme for an ISP Domain 2-3...
  • Page 539 AAA Configuration Examples 2-29; Per User Type AAA Configuration Example 2-29; Remote RADIUS Authentication of Telnet/SSH Users 2-30; Local Authentication of FTP/Telnet Users 2-31; HWTACACS Authentication and Authorization of Telnet Users 2-32; Auto VLAN Configuration Example 2-33; Troubleshooting AAA 2-35; Troubleshooting RADIUS Configuration 2-35; Troubleshooting HWTACACS Configuration 2-36; 3 EAD Configuration 3-1; Introduction to EAD 3-1...
  • Page 540: Aaa Overview

    Remote authentication: Users are authenticated remotely through the RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction...
  • Page 541: Authorization

    convenient centralized management and is feature-rich. However, to implement remote authentication, a server is needed and must be configured properly. Authorization AAA supports the following authorization methods: Direct authorization: Users are trusted and directly authorized. Local authorization: Users are authorized according to the related attributes configured for their local accounts on this device.
  • Page 542: Introduction To Aaa Services

    Figure 1-1 Network diagram of per user type AAA configuration Introduction to AAA Services Introduction to RADIUS AAA is a management framework. It can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS. What is RADIUS RADIUS (remote authentication dial-in user service) is a distributed service based on a client/server structure.
  • Page 543 Figure 1-2 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
  • Page 544 The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
  • Page 545 (columns: Code, Message type, Message description) Accounting-Request: Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message).
  • Page 546: Introduction To Hwtacacs

    (Table of RADIUS attribute types, continued; columns: Type field value, Attribute type.) Left column: Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route. Right column: NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port. The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 547 Compared with RADIUS, HWTACACS provides more reliable transmission and encryption, and therefore is more suitable for security control. Table 1-3 lists the primary differences between HWTACACS and RADIUS. Table 1-3 Differences between HWTACACS and RADIUS: HWTACACS adopts TCP, providing more reliable network transmission; RADIUS adopts UDP.
  • Page 548 Figure 1-7 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 549 The TACACS server returns an authorization response, indicating that the user has passed the authorization. After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 550: Aaa Configuration

    AAA Configuration AAA Configuration Task List Configuration introduction You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks...
  • Page 551 Note that: On an S5600 series switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user name, the switch assumes that the user belongs to the default ISP domain.
  • Page 552: Configuring An Aaa Scheme For An Isp Domain

    A server installed with self-service software is called a self-service server. H3C's CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and right management.
  • Page 553 Specify an AAA scheme for LAN users (optional): scheme lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } (not configured by default). Specify an AAA scheme for login users (optional): scheme login { local | none | radius-scheme radius-scheme-name...
  • Page 554 Configuring separate AAA schemes Authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting. The separate method allows you to configure the authentication, authorization, and accounting schemes separately by using the authentication, authorization, and accounting commands respectively.
  • Page 555: Configuring Dynamic Vlan Assignment

    If a combined AAA scheme is configured together with separate authentication, authorization and accounting schemes, the separate schemes take precedence. If you configure separate AAA schemes, the scheme switching processes for authentication, authorization, and accounting do not affect each other. For example, if scheme switching occurs during authentication, the primary HWTACACS authorization scheme is still used even though the authorization hwtacacs-scheme hwtacacs-scheme-name local command is configured.
  • Page 556 RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication. VLAN list: For users connected to an authentication port to access resources in different VLANs, on the RADIUS server, you can configure a VLAN list, assign the port to all the VLANs in the VLAN list, and specify the tagging mode in which the port joins a VLAN, that is, specify whether the port sends the data frames of that VLAN with the VLAN tag attached.
  • Page 557 Because the switch needs to assign a port to multiple VLANs specified in a VLAN list, only hybrid and trunk ports support the Auto VLAN feature. For a trunk port, the issued VLAN list must include a default VLAN ID, that is, the VLAN IDs in the VLAN list cannot all carry the suffix t or T.
  • Page 558: Configuring The Attributes Of A Local User

    In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch assigns the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
  • Page 559: Cutting Down User Connections Forcibly

    Set the privilege level of the user: level level (optional; by default, the privilege level of the user is …). Configure the authorized VLAN for the local user: authorization vlan string (required; by default, no authorized VLAN is configured for the local user).
  • Page 560: Radius Configuration Task List

    RADIUS Configuration Task List H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. RADIUS configuration tasks (the switch functions as a RADIUS client)
  • Page 561: Enabling Sending Trap Message When A Radius Server Goes Down

    Task / Remarks: Configuring Shared Keys for RADIUS Messages (optional); Configuring the Maximum Number of RADIUS Request Transmission Attempts (optional); Configuring the Type of RADIUS Servers to be Supported (optional); Configuring the Status of RADIUS Servers (optional); Configuring the Attributes of Data to be Sent to RADIUS Servers (optional); Configuring the Local RADIUS Server (required)...
  • Page 562 Enable the RADIUS authentication port: radius client enable (optional; by default, the RADIUS authentication port is enabled). Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system).
  • Page 563 The authentication response sent from the RADIUS server to the RADIUS client carries authorization information. Therefore, you need not (and cannot) specify a separate RADIUS authorization server. In an actual network environment, you can specify one server as both the primary and secondary authentication/authorization servers, as well as specifying two RADIUS servers as the primary and secondary authentication/authorization servers respectively.
  • Page 564 Follow these steps to configure the RADIUS authorization attribute ignoring function: Enter system view: system-view. Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system).
  • Page 565 Set the maximum allowed number of continuous real-time accounting failures: retry realtime-accounting retry-times (optional; by default, the maximum allowed number of continuous real-time accounting failures is five. If five continuous failures occur, the switch cuts down the user connection).
  • Page 566 Set a shared key for RADIUS accounting messages: key accounting string (required; by default, no shared key is created). The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
  • Page 567 If you change the RADIUS server type, the units of data flows sent to RADIUS servers will be restored to the defaults. When a third-party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme; when the CAMS server is used, you can select extended as the server-type in a RADIUS scheme.
  • Page 568 Enter system view: system-view. Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (required; by default, a RADIUS scheme named "system" has already been created in the system). Set the format of the user names to be sent to RADIUS...: user-name-format { with-domain | ... (optional; by default, the user names sent from...
  • Page 569: Configuring Timers For Radius Servers

    Configuring the Local RADIUS Server In addition to the RADIUS client service, where a separate authentication/authorization server and accounting server are used for user authentication, the switch provides a simple RADIUS server function (including authentication and authorization), also known as the local RADIUS server function. Follow these steps to configure the local RADIUS server function: To do…...
  • Page 570 When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server. After the primary server remains in the block state for a specific time (set by the timer quiet command), the switch will try to communicate with the primary server again when it has a RADIUS request.
  • Page 571: Enabling The User Re-Authentication At Restart Function

    This configuration takes effect on all RADIUS schemes. The switch considers a RADIUS server as being down if it has tried the configured maximum times to send a message to the RADIUS server but does not receive any response. Enabling the User Re-Authentication at Restart Function The user re-authentication at restart function applies only to the environment where the RADIUS authentication/authorization and accounting server is CAMS.
  • Page 572: Hwtacacs Configuration Task List

    The switch can automatically generate the main attributes (NAS-ID, NAS-IP-address and session ID) contained in Accounting-On messages. However, you can also manually configure the NAS-IP-address with the nas-ip command. If you choose to manually configure the attribute, be sure to configure an appropriate valid IP address.
  • Page 573: Configuring Tacacs Authentication Servers

    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (required; by default, no HWTACACS scheme exists). The system supports up to 16 HWTACACS schemes. You can delete a HWTACACS scheme only when it is not referenced. Configuring TACACS Authentication Servers Follow these steps to configure TACACS authentication servers: To do…...
  • Page 574: Configuring Tacacs Accounting Servers

    Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (required; by default, no HWTACACS scheme exists). Set the IP address and port number of the primary TACACS authorization server: primary authorization ip-address [ port ] (required; by default, the IP address of the primary authorization server is...
  • Page 575: Configuring Shared Keys For Hwtacacs Messages

    You are not allowed to configure the same IP address for both primary and secondary accounting servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending accounting messages.
  • Page 576: Configuring The Timers Regarding Tacacs Servers

    Set the source IP address of outgoing HWTACACS messages: nas-ip ip-address in HWTACACS scheme view, or hwtacacs nas-ip ip-address in system view (optional; by default, no source IP address is set and the IP address of the corresponding outbound interface is used as the source IP address). Generally, the access users are named in the userid@isp-name or userid.isp-name format.
  • Page 577: Displaying And Maintaining Aaa Configuration

    Displaying and Maintaining AAA Configuration Display configuration information about one specific or all ISP domains: display domain [ isp-name ]. Display information about user connections: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name |...
  • Page 578: Aaa Configuration Examples

    Delete buffered non-response stop-accounting requests: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name. AAA Configuration Examples Per User Type AAA Configuration Example Network Requirements As shown in Figure 2-2, Host A, serving as an 802.1X user, accesses the network through Ethernet 1/0/1 of Switch, and Host B, serving as a telnet user, accesses the network through Ethernet 1/0/2 of Switch.
  • Page 579: Remote Radius Authentication Of Telnet/Ssh Users

    [Switch] radius scheme radius1 [Switch-radius-radius1] primary authentication 10.110.91.164 1812 [Switch-radius-radius1] primary accounting 10.110.91.164 1813 [Switch-radius-radius1] key authentication aabbcc [Switch-radius-radius1] server-type extended [Switch-radius-radius1] user-name-format with-domain [Switch-radius-radius1] quit # In the test domain, specify the authentication method for 802.1X users as radius1, and that for telnet users as local.
  • Page 580: Local Authentication Of Ftp/Telnet Users

    Network diagram Figure 2-3 Remote RADIUS authentication of Telnet users Configuration procedure # Enter system view. <Sysname> system-view # Adopt AAA authentication for Telnet users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] authentication-mode scheme [Sysname-ui-vty0-4] quit # Configure an ISP domain. [Sysname] domain cams [Sysname-isp-cams] access-limit enable 10 [Sysname-isp-cams] quit...
  • Page 581: Hwtacacs Authentication And Authorization Of Telnet Users

    Network requirements In the network environment shown in Figure 2-4, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally. Network diagram Figure 2-4 Local authentication of Telnet users Configuration procedure Method 1: Using local authentication scheme.
  • Page 582: Auto Vlan Configuration Example

    A TACACS server with IP address 10.110.91.164 is connected to the switch. This server will be used as the authentication and authorization server. On the switch, set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc. Configure the switch to strip domain names off usernames before sending usernames to the TACACS server.
  • Page 583 Network diagram: Figure 2-6 Network diagram for Auto VLAN configuration (Switch connects to the IP network, a RADIUS server, and, through Eth1/0/1 and Eth1/0/2, an L2 switch and IP phones). Configuration procedure Configuration on the RADIUS server The configuration may vary on different RADIUS servers. Configure VLAN lists on the RADIUS server by referring to Configuring dynamic VLAN list assignment.
  • Page 584: Troubleshooting Aaa

    [Switch] dot1x # Enable port-based 802.1X authentication on Ethernet 1/0/1. [Switch] interface Ethernet1/0/1 [Switch-Ethernet1/0/1] dot1x [Switch-Ethernet1/0/1] dot1x port-method portbased # Enable port-based 802.1X authentication on Ethernet 1/0/2. [Switch] interface Ethernet1/0/2 [Switch-Ethernet1/0/2] dot1x [Switch-Ethernet1/0/2] dot1x port-method portbased Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite.
  • Page 585: Troubleshooting Hwtacacs Configuration

    The switch requires that the authentication/authorization server and the accounting server be the same device (with the same IP address), but in fact they are not on the same device — Be sure to configure the RADIUS servers on the switch according to the actual situation. Troubleshooting HWTACACS Configuration See the previous section if you encounter an HWTACACS fault.
  • Page 586: Ead Configuration

    EAD Configuration Introduction to EAD Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 587: Ead Configuration

    After the client is patched and compliant with the required security standard, the security policy server reissues an ACL to the switch, which then assigns access rights to the client so that the client can access more network resources. EAD Configuration The EAD configuration includes: Configuring the attributes of access users (such as username, user type, and password).
  • Page 588 Network diagram: Figure 3-2 EAD configuration (authentication servers 10.110.91.164; security policy servers 10.110.91.166; virus patch servers 10.110.91.168; user attached to Ethernet1/0/1; switch connected to the Internet). Configuration procedure # Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard Configuration. # Configure a domain. <Sysname>...
  • Page 589 Table of Contents: 1 Web Authentication Configuration 1-1; Introduction to Web Authentication 1-1; Web Authentication Configuration 1-1; Configuration Prerequisites 1-1; Configuring Web Authentication 1-2; Configuring HTTPS Access for Web Authentication 1-3; Configuration Prerequisites 1-3; Configuration Procedure...
  • Page 590: Web Authentication Configuration

    Web Authentication Configuration Support of setting the maximum online time for Web authentication users is added. See Configuring Web Authentication. Support of HTTPS access for Web Authentication is added. See Configuring HTTPS Access for Web Authentication. Support of customizing Web Authentication pages is added. See Customizing Web Authentication Pages.
  • Page 591: Configuring Web Authentication

    Web authentication can use only a RADIUS authentication scheme; it does not support local authentication. The user number limit configured under an AAA scheme does not take effect for Web authentication. Web authentication does not support accounting. Configure accounting for the AAA scheme as optional. Configuring Web Authentication Follow these steps to configure Web authentication: To do…...
  • Page 592: Configuring Https Access For Web Authentication

    ... web-authentication max-connection number. Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF. You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect.
  • Page 593: Customizing Web Authentication Pages

    Enter system view: system-view. Specify the access protocol: web-authentication protocol { http | https server-policy policy-name } (required; HTTP is used by default). You must configure this command before enabling Web authentication. That is, after enabling Web authentication, you cannot change the access protocol for Web authentication.
  • Page 594: Customizing Page Elements

    Customizing Authentication Pages The device also supports Web authentication pages developed entirely by third parties, as long as the authentication pages comply with the rules for customizing the authentication page file. You can load such customized authentication pages to the device, providing authentication pages with richer content and flexible styles.
  • Page 595 Main authentication page / File name: Online page, online.htm, pushed for online state notification; System busy page, busy.htm, pushed when the system is busy or the user is in the login process; Authentication-free page, freeUser.htm; Logout success page, logoutSuccess.htm. You can define the names of the files other than the main authentication page files. The file names and directory names are case-insensitive.
  • Page 596: Displaying And Maintaining Web Authentication

    3) Authentication pages loginSuccess.htm and online.htm must contain the Logout Post request. The following example shows part of the script in page online.htm. <form action=login.cgi method = post > <p><input type=SUBMIT value="Logout" name="WaButton" style="width:60px;"> </form> Rules on page file compression and saving A set of authentication page files must be compressed into a standard zip file.
  • Page 597 Network diagram: Figure 1-1 Web authentication for user (DHCP server and authentication server at 10.10.10.166/24 and 10.10.10.164/24; user attached to GE 1/0/1 of Switch; free resource 10.20.20.1/24; Switch connected to the Internet). Configuration procedure # Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.) # Set the IP address and port number of the Web authentication server.
  • Page 598 [Switch] domain default enable aabbcc.net # Reference scheme radius1 in domain aabbcc.net. [Switch-isp-aabbcc.net] scheme radius-scheme radius1 # Enable Web authentication globally. (It is recommended to perform this step last, so that a valid user is not denied network access because other related configurations are not yet finished.) [Switch] web-authentication enable Now, Web authentication takes effect.
  • Page 599 Table of Contents: 1 MAC Address Authentication Configuration 1-1; MAC Address Authentication Overview 1-1; Performing MAC Address Authentication on a RADIUS Server 1-1; Performing MAC Address Authentication Locally 1-2; Related Concepts 1-2; MAC Address Authentication Timers 1-2; Quiet MAC Address...
  • Page 600: Mac Address Authentication Configuration

    MAC address, it initiates the authentication process. During authentication, the user does not need to enter username or password manually. For S5600 Series Ethernet switches, MAC address authentication can be implemented locally or on a RADIUS server.
  • Page 601: Performing Mac Address Authentication Locally

    to the RADIUS server as the user names and uses the configured fixed password as the password. In fixed mode, the switch sends the user name and password previously configured for the user to the RADIUS server for authentication. The RADIUS authentication process is the same as that of the 802.1x PAP authentication method.
  • Page 602: Configuring Basic Mac Address Authentication Functions

    If the quiet MAC is the same as a configured static MAC or an authentication-passed MAC, the quiet function does not take effect. Configuring Basic MAC Address Authentication Functions Follow these steps to configure basic MAC address authentication functions: To do... Use the command...
  • Page 603: Mac Address Authentication Enhanced Function Configuration

    Enter interface view: interface interface-type interface-number. Configure the MAC authentication offline detect time: mac-authentication timer offline-detect offline-detect-value (optional; by default, the offline detect timer is 300 seconds). If MAC address authentication is enabled on a port, you cannot configure the maximum number of dynamic MAC address entries for that port (through the mac-address max-mac-count command), and vice versa.
  • Page 604 Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section are Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for a switch, the switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords.
  • Page 605 Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the Guest VLAN for the current port: mac-authentication guest-vlan vlan-id (required; by default, no Guest VLAN is configured for a port).
  • Page 606: Displaying And Maintaining Mac Address Authentication Configuration

    Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the maximum number of MAC address authentication users allowed to access a port: mac-authentication max-auth-num user-number (required; by default, the maximum number of MAC address authentication users allowed to access a port is...
  • Page 607 Network Diagram Figure 1-1 Network diagram for MAC address authentication configuration Configuration Procedure # Enable MAC address authentication on port GigabitEthernet 1/0/2. <Sysname> system-view [Sysname] mac-authentication interface gigabitethernet 1/0/2 # Set the user name in MAC address mode for MAC address authentication, requiring hyphenated lowercase MAC addresses as the usernames and passwords.
  • Page 608 Table of Contents: 1 VRRP Configuration 1-1; VRRP Overview 1-1; Introduction to VRRP Group 1-2; Virtual Router Overview 1-3; VRRP Timer 1-5; VRRP Tracking 1-5; Operation Procedure of VRRP 1-6; Periodical sending of ARP packets in a VRRP Group 1-7; VRRP Configuration 1-7; Configuring Basic VRRP Functions 1-7; Configuring Advanced VRRP Functions 1-8; Displaying and Maintaining VRRP 1-9; VRRP Configuration Examples 1-10...
  • Page 609: Vrrp Configuration

    VRRP Configuration When configuring VRRP, go to these sections for information you are interested in: VRRP Overview VRRP Configuration Displaying and Maintaining VRRP VRRP Configuration Examples Troubleshooting VRRP VRRP Overview As shown in Figure 1-1, the following occasions may occur in a stable network: All the hosts in a network set the same gateway as their next hop, whose IP address is also known as the next hop address of the default route (for example, the next hop address of the default route is 10.100.10.1 in...
  • Page 610: Introduction To Vrrp Group

    establishing backup links without modifying the configuration of dynamic routing protocols and router discovery protocols. Introduction to VRRP Group VRRP allows you to combine a group of LAN switches (including a master and several backups) into a VRRP group. The VRRP group functions as a virtual router, forwarding packets as a gateway. Figure 1-2 VRRP network diagram Network Actual IP address...
  • Page 611: Virtual Router Overview

    If two switches have the same VRRP priority, the one whose VLAN interface takes effect earlier becomes the master. Preemptive mode and preemption delay of a switch in a VRRP group You can configure an S5600 Ethernet switch to operate in preemptive mode. In non-preemptive mode, once a switch in a VRRP group becomes the master, it stays the master as long as it operates normally, even if a backup is later assigned a higher priority.
  • Page 612 IP address of a virtual router is successful. For S5600 series Ethernet switches, you can specify whether the switches in a VRRP group respond to the ping operations destined for the virtual router IP addresses.
  • Page 613: Vrrp Timer

    Virtual router IP address-to-real MAC address mapping. When there is an IP address owner in the VRRP group, a virtual router IP address may correspond to two MAC addresses, a real MAC address of the IP address owner and a virtual MAC address created by default. In this case, you can map virtual router IP addresses to the real MAC address.
  • Page 614: Operation Procedure Of Vrrp

    If an IP address owner exists in a VRRP group, you can configure a priority for the IP address owner. However, your configuration will not take effect and the IP address owner will still be the master of the VRRP group, because the system always considers the priority of the IP address owner to be 255.
  • Page 615: Periodical Sending Of Arp Packets In A Vrrp Group

    after the timer expires, it considers that the master has failed and starts the election process to elect a new master for forwarding packets. Periodical sending of ARP packets in a VRRP Group If a VRRP group exists on a network, the master sends gratuitous ARP packets periodically to hosts on the network, which then update their local ARP tables, ensuring that no device on this network uses the same IP address as the VRRP virtual router.
  • Page 616: Configuring Advanced Vrrp Functions

    Configure the priority of the VRRP group: vrrp vrid virtual-router-id priority priority (optional; 100 by default). It is not recommended to configure features related to the VRRP group on the Layer 3 interface of a remote-probe VLAN.
  • Page 617: Displaying And Maintaining Vrrp

    Configuring VRRP timer Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Configure a virtual router IP address: vrrp vrid virtual-router-id virtual-ip virtual-address (required). Configure the VRRP timer: vrrp vrid virtual-router-id timer advertise adver-interval (optional; 1 second by default).
  • Page 618: Vrrp Configuration Examples

    Display VRRP state information: display vrrp [ verbose ] [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ]. Clear VRRP statistics information: reset vrrp statistics [ interface vlan-interface vlan-id [ vrid virtual-router-id ] ] (available in user view). VRRP Configuration Examples Single-VRRP Group Configuration Network requirements...
  • Page 619 Network diagram: Figure 1-3 Network diagram for single-VRRP group configuration (Host B 10.2.3.1/24 via the Internet; LSW A and LSW B Vlan-int3 10.100.10.2/24 and 10.100.10.3/24, Vlan-int2 202.38.160.1/24 and 202.38.160.2/24; virtual IP address 202.38.160.111/24; Host A 202.38.160.3/24). Configuration procedure Configure Switch A. # Configure VLAN 3. <LSW-A>...
  • Page 620: Vrrp Tracking Interface Configuration

    By default, a VRRP group adopts the preemptive mode. Configure Switch B. # Configure VLAN 3. <LSW-B> system-view [LSW-B] vlan 3 [LSW-B-vlan3] port GigabitEthernet1/0/10 [LSW-B-vlan3] quit [LSW-B] interface Vlan-interface 3 [LSW-B-Vlan-interface3] ip address 10.100.10.3 255.255.255.0 [LSW-B-Vlan-interface3] quit # Configure VLAN 2. [LSW-B] vlan 2 [LSW-B-Vlan2] port GigabitEthernet 1/0/5 [LSW-B-vlan2] quit...
  • Page 621 Network diagram: Figure 1-4 Network diagram for interface tracking configuration (Host B 10.2.3.1/24 via the Internet; LSW A and LSW B Vlan-int3 10.100.10.2/24 and 10.100.10.3/24, Vlan-int2 202.38.160.1/24 and 202.38.160.2/24; virtual IP address 202.38.160.111/24; Host A 202.38.160.3/24). Configuration procedure Configure Switch A. # Configure VLAN 3. <LSW-A>...
  • Page 622: Multiple-Vrrp Group Configuration

    # Configure the master to send VRRP packets every 5 seconds. [LSW-A-Vlan-interface2] vrrp vrid 1 timer advertise 5 # Set the tracked VLAN interface. [LSW-A-Vlan-interface2] vrrp vrid 1 track interface Vlan-interface 3 reduced 30 Configure switch B. # Configure VLAN 3. <LSW-B>...
  • Page 623 Network diagram: Figure 1-5 Network diagram for multiple-VRRP group configuration (Host B 10.2.3.1/24 via the Internet; Switch A and Switch B Vlan-int3 10.100.10.2/24 and 10.100.10.3/24, Vlan-int2 202.38.160.1/24 and 202.38.160.2/24; VRRP group 1 and VRRP group 2 with virtual IP addresses 202.38.160.111/24 and 202.38.160.112/24; hosts 202.38.160.3/24 and 202.38.160.4/24, including Host A)...
  • Page 624: Port Tracking Configuration Examples

    <LSW-B> system-view [LSW-B] vlan 3 [LSW-B-vlan3] port GigabitEthernet1/0/10 [LSW-B-vlan3] quit [LSW-B] interface Vlan-interface 3 [LSW-B-Vlan-interface3] ip address 10.100.10.3 255.255.255.0 [LSW-B-Vlan-interface3] quit # Configure VLAN 2. [LSW-B] vlan 2 [LSW-B-vlan2] port GigabitEthernet 1/0/6 [LSW-B-vlan2] quit [LSW-B] interface Vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0 # Create VRRP group 1.
  • Page 625 Network diagram: Figure 1-6 Network diagram for VRRP port tracking configuration (master with Vlan-int3 10.100.10.2/24 toward the network; master and backup share virtual IP address 202.38.160.111/24 on Vlan-int2, with actual IP addresses 202.38.160.1/24 and 202.38.160.2/24; hosts attached through a Layer 2 switch). Configuration procedure Configure the master switch.
  • Page 626: Troubleshooting VRRP

    Troubleshooting VRRP. You can locate VRRP problems through the configuration and debugging information. Here are some possible symptoms you might meet and the corresponding troubleshooting methods. Symptom 1: Frequent prompts of configuration errors on the console. This indicates that incorrect VRRP packets are received. It may be caused by inconsistent configuration of the switches within the VRRP group, or by other devices attempting to send illegal VRRP packets.
  • Page 627 Table of Contents: 1 ARP Configuration (1-1); Introduction to ARP (1-1); ARP Function (1-1); ARP Message Format (1-1); ARP Table (1-3); ARP Process (1-3); Introduction to Gratuitous ARP (1-4); Configuring ARP (1-5); Configuring Gratuitous ARP (1-5); Displaying and Debugging ARP (1-6); ARP Configuration Examples (1-6); 2 ARP Attack Defense Configuration (2-1); ARP Attack Defense Configuration (2-1); Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn (2-1)...
  • Page 628 4 Resilient ARP Configuration (4-1); Introduction to Resilient ARP (4-1); Configuring Resilient ARP (4-1); Resilient ARP Configuration Example (4-2); 5 MFF Configuration (5-1); MFF Overview (5-1); Application Background (5-1); Basic Concepts of MFF (5-2); How MFF Works (5-3); Protocols and Standards (5-4); MFF Configuration (5-4); Enabling MFF (5-4); Specifying the IP Addresses of Servers (5-5); Configuring User Port (5-5)...
  • Page 629: ARP Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP ARP Configuration Examples Support for ARP attack defense is added. For details, refer to ARP Attack Defense Configuration.
  • Page 630 As for an ARP reply, all the fields are set. Figure 1-1 ARP message format (fields: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), ...)
  • Page 631: ARP Table

    S5600 series Ethernet switches provide the display arp command to display the information about ARP mapping entries. ARP entries in an S5600 series Ethernet switch can either be static entries or dynamic entries, as described in Table 1-3.
  • Page 632: Introduction To Gratuitous ARP

    ARP table. To address this issue, by default, the S5600 series allows VLAN interfaces to send gratuitous ARP packets periodically. That is, as long as a VLAN interface is in the Up state, it sends gratuitous ARP packets at an interval of 30 seconds so that the receiving host can refresh the MAC address of the switch in its ARP table in time, thereby preventing the traffic interruption mentioned above.
  • Page 633: Configuring ARP

    If the IP address of the virtual router corresponds to an actual MAC address, the source MAC address in the gratuitous ARP packet will be the VLAN interface’s MAC address of the master switch in the VRRP backup group. For details about VRRP backup groups, refer to the part discussing VRRP in this manual. Configuring ARP. Follow these steps to configure ARP basic functions: To do…...
  • Page 634: Displaying And Debugging ARP

    To do… / Use the command… / Remarks: Enable the master switch of a VRRP backup group to send gratuitous ARP packets periodically: arp send-gratuitous enable vrrp (Optional; enabled by default). Enter VLAN interface view: interface Vlan-interface vlan-id (—). Enable the VLAN interface to send gratuitous ARP packets ...: gratuitous-arp period-resending ... (Optional)...
  • Page 635 Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being GigabitEthernet 1/0/10 of VLAN 1. Configuration procedure <Sysname> system-view [Sysname] undo arp check enable [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable [Sysname-Vlan-interface1] quit [Sysname] arp timer aging 10 [Sysname] arp static 192.168.1.1 000f-e201-0000 1 GigabitEthernet 1/0/10...
  • Page 636: ARP Attack Defense Configuration

    To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on S5600 series Ethernet switches (operating as gateways). That is, you can set the maximum number of dynamic ARP entries that a VLAN interface can learn. If the number of ARP entries learned by the VLAN interface exceeds the specified upper limit, the VLAN interface stops learning ARP entries, thus avoiding ARP flood attacks.
  • Page 637 Figure 2-1 Network diagram for ARP man-in-the-middle attack. ARP attack detection: To guard against the man-in-the-middle attacks launched by hackers or attackers, S5600 series Ethernet switches support the ARP attack detection function. After you enable ARP attack detection for a VLAN, when receiving an ARP request or response packet from an ARP untrusted port, the device delivers the ARP packet to the CPU to check the validity of the packet.
  • Page 638: Introduction To ARP Packet Rate Limit

    To guard against such attacks, S5600 series Ethernet switches support the ARP packet rate limit function, which shuts down the attacked port, thus preventing serious impact on the CPU.
  • Page 639: Configuring ARP Attack Defense

    Figure 2-2 Gateway spoofing attack To prevent gateway spoofing attacks, an S5600 series Ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter ARP packets based on the gateway’s address.
  • Page 640: Configuring The Maximum Number Of Dynamic ARP Entries That A VLAN Interface Can Learn

    Task / Remarks: ARP Packet Filtering Based on Gateway’s Address: Optional; the switch serves as an access device. Configuring ARP Attack Detection: Optional; the switch serves as a gateway or an access device. Configuring the ARP Packet Rate Limit Function: Optional; the switch serves as a gateway or an access device.
  • Page 641: Configuring ARP Attack Detection

    To do… / Use the command… / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Configure ARP packet filtering based on the gateway’s IP and MAC addresses: arp filter binding ip-address mac-address (Required; not configured by default). The arp filter source and arp filter binding commands are mutually exclusive on an Ethernet port. That is, on an Ethernet port you can configure ARP packet filtering based on either the gateway’s IP address or the gateway’s IP and MAC addresses, but not both.
  • Page 642: Configuring The ARP Packet Rate Limit Function

    MAC-based 802.1x authentication and ARP attack detection. Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5600 series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.
  • Page 643: ARP Attack Defense Configuration Example

    To do… / Use the command… / Remarks: Configure the port state auto-recovery interval: arp protective-down recover interval interval (Optional; by default, when the port state auto-recovery function is enabled, the port state auto-recovery interval is 300 seconds). You need to enable the port state auto-recovery feature before you can configure the port state auto-recovery interval.
  • Page 644 Network diagram Figure 2-3 ARP attack detection and packet rate limit configuration Configuration procedure # Enable DHCP snooping on Switch A. <SwitchA> system-view [SwitchA] dhcp-snooping # Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port. [SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchA-GigabitEthernet1/0/1] arp detection trust...
  • Page 645: ARP Attack Defense Configuration Example III

    ARP Attack Defense Configuration Example II Network Requirements As shown in Figure 2-4, Host A and Host B are connected to Gateway through an access switch (Switch). The IP and MAC addresses of Gateway are 192.168.100.1/24 and 000D-88F8-528C. To prevent gateway spoofing attacks from Host A and Host B, configure ARP packet filtering based on the gateway’s IP and MAC addresses on Switch.
  • Page 646: ARP Attack Defense Configuration Example IV

    Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header. Limit the number of dynamic ARP entries learned on VLAN-interface 1. Network Diagram Figure 2-5 Network diagram for ARP attack defense Switch A (Gateway)
  • Page 647: Configuration Procedures

    Network Diagram Figure 2-6 Network diagram for 802.1x based ARP attack defense Configuration Procedures # Enter system view. <Switch> system-view # Enable 802.1x authentication globally. [Switch] dot1x # Enable ARP attack detection for VLAN 1. [Switch] vlan 1 [Switch-vlan1] arp detection enable [Switch-vlan1] quit # Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as ARP trusted ports.
  • Page 648: Proxy ARP Configuration

    Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: Proxy ARP Overview Configuring Proxy ARP Proxy ARP Configuration Examples Proxy ARP Overview Introduction to Proxy ARP If a host sends an ARP request for the MAC address of another host that actually resides on another network (but the sending host considers the requested host is on the same network according to the destination IP address and mask), the device in between must be able to respond to the request with the MAC address of the receiving interface to allow Layer 3 communication between the two hosts.
  • Page 649: Local Proxy ARP

    Hosts connected to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3. After the isolate-user-VLAN function is configured on a device attached to an S5600 series Ethernet switch, hosts belonging to different secondary VLANs need to communicate at Layer 3.
  • Page 650: Configuring Proxy ARP

    Configuring Proxy ARP. Follow these steps to configure proxy ARP: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter VLAN interface view: interface vlan-interface vlan-id (—). Enable common proxy ARP: arp proxy enable (Required; disabled by default). Enable local proxy ARP: local-proxy-arp enable (Required)...
  • Page 651: Local Proxy ARP Configuration In Port Isolation Application

    Local Proxy ARP Configuration in Port Isolation Application. Network requirements: Switch A (an S5600 series Ethernet switch) is connected to Switch B through GigabitEthernet 1/0/1. GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 on Switch B belong to VLAN 1, and are connected to Host A and Host B respectively.
  • Page 652 [SwitchB-GigabitEthernet1/0/3] quit Configure Switch A. # Configure local proxy ARP on VLAN-interface 1, enabling Host A and Host B to communicate at Layer 3. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] local-proxy-arp enable [SwitchA-Vlan-interface1] quit...
  • Page 653: Resilient ARP Configuration

    Resilient ARP Configuration. When configuring resilient ARP, go to these sections for information you are interested in: Introduction to Resilient ARP; Configuring Resilient ARP; Resilient ARP Configuration Example. Introduction to Resilient ARP: In an intelligent resilient framework (IRF) network application, you normally need to connect redundant links between the fabric and other devices to support the resilient network.
  • Page 654: Resilient ARP Configuration Example

    To do… / Use the command… / Remarks: Configure the VLAN interface through which Resilient ARP packets are sent: resilient-arp interface vlan-interface vlan-id (Optional; by default, Resilient ARP packets are sent through the interface of VLAN 1 (VLAN-interface 1)). Display information about the Resilient ARP state: display resilient-arp [ unit unit-id ] (Available in any view)...
  • Page 655 MFF Configuration MFF Overview Application Background In traditional Ethernet networking, typically VLANs are created on a switch to implement Layer 2 isolation and provide Layer 3 interoperability among clients. If a large number of users are to be isolated at Layer 2, however, this type of networking consumes many VLAN resources. Moreover, to provide Layer 3 interoperability among clients, you need to plan a different IP network segment for each VLAN and configure an IP address for each VLAN interface.
  • Page 656: Basic Concepts Of MFF

    port isolation, IP filtering, and ARP intrusion detection, refer to the sections covering port isolation, DHCP, and ARP in this manual. Basic Concepts of MFF User port An MFF user port is directly connected to a host; it processes packets as follows: Allows DHCP packets and multicast packets to pass.
  • Page 657: How MFF Works

    If a VLAN interface and its IP address are configured incorrectly, or the IP address of the gateway is not on the same network segment as that of the VLAN interface, the gateway’s MAC address may not be learned correctly. How MFF Works Manual mode If a host’s IP address is manually assigned, you can enable the MFF manual mode on the access layer...
  • Page 658: Enabling MFF

    After receiving an ARP request from a host, the MFF device sends the MAC address of the corresponding gateway to the host. In this way, hosts in the network have to communicate at Layer 3 through a gateway. After receiving an ARP request from a gateway, the MFF device sends the requested host’s MAC address to the gateway if the corresponding entry is available;...
  • Page 659: Specifying The IP Addresses Of Servers

    Specifying the IP Addresses of Servers For communication between hosts connected to an MFF enabled switch and a server, you need to specify the server’s IP address in either manual or automatic MFF mode. The server can be a DHCP server or a server providing some other service.
  • Page 660: Configuring Network Port

    Operation / Command / Remarks: Enter Ethernet port view: interface interface-type interface-number (—). Enable IP filtering on the port: ip check source ip-address [ mac-address ] (Required; disabled by default). Add the port to the isolation group: port isolate (Required; by default, an Ethernet port is not added to any isolation group).
  • Page 661: Displaying MFF Configuration

    Configuration procedure. Follow these steps to configure an MFF network port: Operation / Command / Remarks: Enter system view: system-view (—). Enable DHCP snooping: dhcp-snooping (Required; disabled by default). Enter VLAN view: vlan vlan-id (—). Enable ARP intrusion detection: arp detection enable (Required; disabled by default). Return to system view: quit...
  • Page 662 Network diagram. Figure 5-2 MFF network diagram. Configuration procedure. Configure Gateway. # Configure the VLAN interface IP address of the gateway. <Gateway> system-view [Gateway] interface Vlan-interface 1 [Gateway-Vlan-interface1] ip address 10.1.1.1 16 Configure the DHCP server. <DHCPServer> system-view [DHCPServer] dhcp enable [DHCPServer] dhcp server ip-pool 1 [DHCPServer-dhcp-pool-1] network 10.1.1.0 mask 255.255.0.0 [DHCPServer-dhcp-pool-1] gateway-list 10.1.1.1...
  • Page 663 [SwitchA] interface GigabitEthernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] arp detection trust [SwitchA-GigabitEthernet1/0/2] dhcp-snooping trust # Configure GigabitEthernet 1/0/2 as an MFF network port. [SwitchA-GigabitEthernet1/0/2] arp mac-forced-forwarding network-port # Enable IP filtering on GigabitEthernet 1/0/1, add it to the port isolation group, and then configure it as an MFF user port.
  • Page 664 [SwitchC] dhcp-snooping # Enable ARP detection in VLAN 1. [SwitchC] vlan 1 [SwitchC-vlan1] arp detection enable # Enable MFF. [SwitchC-vlan1] arp mac-forced-forwarding default-gateway 10.1.1.1 # Specify the IP address of the DHCP server. [SwitchC-vlan1] arp mac-forced-forwarding server 10.1.1.2 [SwitchC-vlan1] quit # Configure GigabitEthernet 1/0/3 as an ARP detection trusted port. [SwitchC] interface GigabitEthernet 1/0/3 [SwitchC-GigabitEthernet1/0/3] arp detection trust # Configure GigabitEthernet 1/0/3 as a DHCP snooping trusted port.
  • Page 665: Troubleshooting MFF Configuration

    Troubleshooting MFF Configuration Hosts configured with static IP addresses cannot access the network. This is because MFF manual mode is not enabled on the corresponding VLAN of the device connected to these hosts. Hosts configured with static IP addresses cannot access the network. This is because the static bindings of the hosts are not configured on the port of the device connected to these hosts.
  • Page 666 Table of Contents: 1 DHCP Overview (1-1); Introduction to DHCP (1-1); DHCP IP Address Assignment (1-2); IP Address Assignment Policy (1-2); Obtaining IP Addresses Dynamically (1-2); Updating IP Address Lease (1-3); DHCP Packet Format (1-3); Protocol Specification (1-4); 2 DHCP Server Configuration (2-1); Introduction to DHCP Server (2-1); Usage of DHCP Server (2-1); DHCP Address Pool (2-1); DHCP IP Address Preferences (2-3)...
  • Page 667 Configuring DHCP Server Security Functions (2-24); Prerequisites (2-24); Enabling Unauthorized DHCP Server Detection (2-24); Configuring IP Address Detecting (2-24); Configuring DHCP Accounting Functions (2-25); Introduction to DHCP Accounting (2-25); DHCP Accounting Fundamentals (2-25); DHCP Accounting Configuration (2-25); Enabling the DHCP Server to Process Option 82 (2-26); Displaying and Maintaining the DHCP Server (2-26); DHCP Server Configuration Examples (2-27); DHCP Server Configuration Example (2-27)...
  • Page 668 5 DHCP Packet Rate Limit Configuration (5-1); Introduction to DHCP Packet Rate Limit (5-1); Configuring DHCP Packet Rate Limit (5-1); Configuring DHCP Packet Rate Limit (5-1); Rate Limit Configuration Example (5-2); 6 DHCP/BOOTP Client Configuration (6-1); Introduction to DHCP Client (6-1); Introduction to BOOTP Client (6-1); Configuring a DHCP/BOOTP Client (6-2); DHCP Client Configuration Example (6-2); BOOTP Client Configuration Example (6-3)...
  • Page 669: DHCP Overview

    DHCP Overview When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format Protocol Specification The function of removing DHCP snooping entries is added in this manual. For details, refer to Displaying and Maintaining DHCP Snooping Configuration.
  • Page 670: DHCP IP Address Assignment

    Figure 1-1 Typical DHCP application DHCP IP Address Assignment IP Address Assignment Policy Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients: Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server.
  • Page 671: Updating IP Address Lease

    Acknowledge: In this phase, the DHCP servers acknowledge the IP address. Upon receiving the DHCP-REQUEST packet, only the selected DHCP server returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP address to the client, or returns a DHCP-NAK packet to refuse the assignment of the IP address to the client.
  • Page 672: Protocol Specification

    Figure 1-2 DHCP packet format. The fields are described as follows: op: Operation type of the DHCP packet, 1 for request packets and 2 for response packets. htype, hlen: Hardware address type and length of the DHCP client. hops: Number of DHCP relay agents that a DHCP packet has passed through. For each DHCP relay agent that the DHCP request packet passes, the field value increases by 1.
  • Page 673 RFC3046: DHCP Relay Agent Information option...
  • Page 674: DHCP Server Configuration

    DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: Introduction to DHCP Server DHCP Server Configuration Task List Enabling DHCP Configuring the Global Address Pool Based DHCP Server Configuring the Interface Address Pool Based DHCP Server Configuring DHCP Server Security Functions Configuring DHCP Accounting Functions Enabling the DHCP Server to Process Option 82...
  • Page 675 picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease time of the IP address) to the DHCP client. Types of address pool The address pools of a DHCP server fall into two types: global address pool and interface address pool.
  • Page 676: DHCP IP Address Preferences

    The DHCP server assigns an IP address to the client in the following order from an interface address pool or a global address pool: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client.
  • Page 677: DHCP Server Configuration Task List

    When you merge two or more IRF systems into one IRF system, a new master unit is elected, and the new IRF system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new IRF system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
  • Page 678: Configuring The Global Address Pool Based DHCP Server

    To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After DHCP is enabled with the dhcp enable command, if the DHCP server and DHCP relay agent functions are not configured, UDP ports 67 and 68 are kept disabled;...
  • Page 679: Creating A DHCP Global Address Pool

    Follow these steps to configure the global address pool mode on interface(s): To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the specified interface(s) or all the interfaces to ... (configure the current interface: interface interface-type interface-number, dhcp select global, quit): Optional; by default, the...
  • Page 680 address, the DHCP server will find the corresponding IP address based on the client ID and assign it to the DHCP client. Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID.
  • Page 681 To improve security and avoid malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 682: Configuring A Domain Name Suffix For The DHCP Client

    In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
  • Page 683: Configuring WINS Servers For The DHCP Client

    Configuring WINS Servers for the DHCP Client. For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by Windows Internet Name Service (WINS) servers, so you need to perform WINS-related configuration for most Windows-based hosts. To implement host name-to-IP address translation for DHCP clients, enable the DHCP server to assign WINS server addresses when assigning IP addresses to DHCP clients.
  • Page 684: Configuring Gateways For The DHCP Client

    Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
  • Page 685 Meanings of the sub-options for Option 184 Table 2-1 Meanings of the sub-options for Option 184 Sub-option Feature Function Note The IP address of the NCP server carried by sub-option 1 of Option The NCP-IP sub-option When used in Option 184 is intended for NCP-IP carries the IP address of...
  • Page 686 Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients. Supposing that the DHCP clients are on the same segment as the DHCP server, the mechanism of Option 184 on the DHCP server is as follows: A DHCP client sends to the DHCP server a request packet carrying Option 55, which indicates the client requests the configuration parameters of Option 184.
  • Page 687: Configuring A Self-Defined Dhcp Option

    When a switch starts up without loading any configuration file, the system sets the specified interface (VLAN-interface 1) as the DHCP client to request from the DHCP server parameters such as the IP address and name of a TFTP server, and bootfile name. After getting related parameters, the DHCP client will send a TFTP request to obtain the configuration file from the specified TFTP server for system initialization.
  • Page 688: Configuring The Interface Address Pool Based Dhcp Server

    Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process. Configuring the Interface Address Pool Based DHCP Server In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global interface address pool containing the network segment of the interface address pool and assigns them to the DHCP clients.
  • Page 689: Enabling The Interface Address Pool Mode On Interface

    Task / Remarks: Enabling the Interface Address Pool Mode on Interface(s): Required. Configuring an Address Allocation Mode for an Interface, by configuring the static IP address allocation mode or configuring the dynamic IP address allocation mode: One of the two options is required, and these two options can be configured at the same time.
  • Page 690: Configuring An Address Allocation Mode For An Interface Address Pool

    To improve security and prevent malicious attacks on unused sockets, S5600 Ethernet switches provide the following functions: UDP port 67 and UDP port 68, the ports used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP interface address pool is created by executing the dhcp select interface command, UDP port 67 and UDP port 68 used by DHCP are enabled.
  • Page 691 The IP addresses statically bound in interface address pools must be in the same network segment as the interface IP addresses. There is no limit to the number of IP addresses statically bound in an interface address pool, but these addresses and the interface IP addresses must be in the same segment.
  • Page 692: Configuring A Domain Name Suffix For The Dhcp Client

    The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.
  • Page 693: Configuring Wins Servers For The Dhcp Client

    To do… / Use the command… / Remarks: Enter system view: system-view. Configure DNS server addresses for DHCP clients (required; by default, no DNS server address is configured), either on the current interface: interface interface-type interface-number, dhcp server dns-list ip-address&<1-8>, quit; or on multiple interfaces in system view: dhcp server dns-list ip-address&<1-8> { interface …
  • Page 694: Configuring Bims Server Information For The Dhcp Client

    To do… / Use the command… / Remarks: Configure WINS server addresses for DHCP clients on the current interface: interface interface-type interface-number, …, quit (by default, no WINS server address is configured). Configure WINS server addresses for DHCP clients on multiple interfaces in system view: dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }. Enter interface view: interface interface-type interface-number. Configure the … for the current …: dhcp server netbios-type { b-node | h-node | ...
  • Page 695: Configuring The Tftp Server And Bootfile Name For The Dhcp Client

    Follow these steps to configure Option 184 parameters for the client with voice service: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter interface view: interface interface-type interface-number (—). Specify the primary network calling …: dhcp server voice-config ncp-ip ip-address (required; not specified by default).
  • Page 696: Configuring A Self-Defined Dhcp Option

    To do… / Use the command… / Remarks: Specify the address and name of the TFTP server and the bootfile name (optional; not specified by default): Specify the TFTP server address: dhcp server tftp-server ip-address ip-address. Specify the TFTP server name: dhcp server tftp-server domain-name domain-name.
  • Page 697: Enabling Unauthorized Dhcp Server Detection

    Configuring DHCP Server Security Functions DHCP security configuration is needed to ensure the security of DHCP service. Prerequisites Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration). Enabling Unauthorized DHCP Server Detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the client.
  • Page 698: Configuring Dhcp Accounting Functions

    Follow these steps to configure IP address detecting: To do… / Use the command… / Remarks: Enter system view: system-view (—). Specify the number of ping packets: dhcp server ping packets number (optional; two ping packets by default). Configure a timeout waiting for ping responses: dhcp server ping timeout milliseconds (optional)...
  • Page 699: Displaying And Maintaining The Dhcp Server

    The DHCP server is configured and operates properly. Address pools and lease time are configured. DHCP clients are configured and DHCP service is enabled. The network operates properly. Configuring DHCP Accounting Follow these steps to configure DHCP accounting: To do… Use the command…...
  • Page 700: Dhcp Server Configuration Examples

    To do… / Use the command… / Remarks: Display information about address binding: display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }. Display the statistics on a DHCP server: display dhcp server statistics. Display information about DHCP …: display dhcp server tree { pool ...
  • Page 701 In the address pool 10.1.1.128/25, the address lease duration is five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2, and gateway address 10.1.1.254, and there is no WINS server address. If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool;...
  • Page 702: Dhcp Server With Option 184 Support Configuration Example

    A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. An H3C series switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool. The sub-options of Option 184 are as follows: NCP-IP: 3.3.3.3...
  • Page 703: Dhcp Accounting Configuration Example

    Network diagram Figure 2-2 Network diagram for Option 184 support configuration DHCP client DHCP client DHCP Server IP:10.1.1.1/24 DHCP client 3COM VCX Configuration procedure Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request for all sub-options of Option 184.
  • Page 704 The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0. The DHCP server operates as a RADIUS client and adopts AAA for authentication.
  • Page 705: Troubleshooting A Dhcp Server

    # Create an address pool on the DHCP server. [Sysname] dhcp server ip-pool test [Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0 # Enable DHCP accounting. [Sysname-dhcp-pool-test] accounting domain 123 Troubleshooting a DHCP Server Symptom The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.
  • Page 706: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent Configuring the DHCP Relay Agent Displaying and Maintaining DHCP Relay Agent Configuration DHCP Relay Agent Configuration Example Troubleshooting DHCP Relay Agent Configuration Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 707: Option 82 Support On Dhcp Relay Agent

    Option 82 has no unified definition in RFC 3046. Its padding information varies with vendors. Currently, S5600 Series Ethernet Switches that operate as DHCP relay agents support the extended padding format of Option 82 sub-options. By default, the sub-options of Option 82 are padded as follows, as...
  • Page 708: Dhcp Inform Message Handling Feature Used In Irf System

    Figure 3-2 Padding contents for sub-option 1 of Option 82 Figure 3-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 709: Configuring The Dhcp Relay Agent

    If an S5600 series switch belongs to a fabric, you need to enable UDP Helper and then DHCP relay agent on it. Then, upon receiving a DHCP Inform message from a DHCP client, the switch will replace the XID (Transaction ID, a random value selected by the client to uniquely identify an address allocation process) in the message, and then forward the message to the DHCP server.
  • Page 710: Correlating A Dhcp Server Group With A Relay Agent Interface

    Enabling DHCP Make sure to enable DHCP before you perform other DHCP relay-related configurations, since other DHCP-related configurations cannot take effect with DHCP disabled. Follow these steps to enable DHCP: To do… Use the command… Remarks Enter system view system-view —...
  • Page 711: Configuring Dhcp Relay Agent Security Functions

    You can configure up to eight DHCP server IP addresses in a DHCP server group. You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be mapped to only one DHCP server group. If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.
  • Page 712 … the relay agent dynamically updates the client address entries: … auto } (by default, auto is adopted, that is, the interval is automatically calculated). Currently, the DHCP relay agent handshake function on an S5600 series switch can only interoperate with a Windows 2000 DHCP server.
  • Page 713: Configuring The Dhcp Relay Agent To Support Option 82

    Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client. With this feature enabled, upon receiving a DHCP message with the siaddr field (IP addresses of the servers offering IP addresses to the client) not being 0 from a client, the DHCP relay agent will record the value of the siaddr field and the receiving interface.
  • Page 714: Configuring Dhcp Inform Message Handling Feature Used In Irf System

    By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent adopts the replace strategy to process request packets containing Option 82. However, if other strategies were configured beforehand, enabling Option 82 support on the DHCP relay agent does not change the configured strategies.
  • Page 715: Dhcp Relay Agent Configuration Example

    DHCP Relay Agent Configuration Example Network requirements VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24, and the IP address of VLAN-interface 2, which communicates with the DHCP server 10.1.1.1/24, is 10.1.1.2/24. As shown in the figure below, Switch A forwards messages between DHCP clients and the DHCP server to assign IP addresses in subnet 10.10.1.0/24 to the clients.
  • Page 716 Analysis This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the information about debugging and interface state (You can display the information by executing the corresponding display command.) Solution Check if DHCP is enabled on the DHCP server and the DHCP relay agent.
  • Page 717: Dhcp Snooping Configuration

    Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses. Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S5600 series Ethernet switch.
  • Page 718: Introduction To Dhcp-Snooping Option

    Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for S5600 Series Ethernet Switches (enabled with DHCP snooping) are padded as follows: sub-option 1 (circuit ID sub-option): Padded with the port index (smaller than the physical port number by 1) and VLAN ID of the port that received the client’s request.
  • Page 719 Figure 4-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S5600 Series Ethernet Switches support Option 82 in the standard format. Refer to...
  • Page 720 Sub-option configuration / Handling policy (the DHCP Snooping device will…): Neither of the two sub-options is configured: Forward the packet after replacing the original Option 82 with the default content. The storage format of the Option 82 content is the one specified with the dhcp-snooping information format command or the default...
  • Page 721: Introduction To Ip Filtering

    Introduction to IP Filtering A denial-of-service (DoS) attack is an attempt by an attacker to send a large number of forged address requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows: The resources on the server are exhausted, so the server does not respond to other requests.
  • Page 722: Configuring Dhcp Snooping

    Configuring DHCP Snooping Configuring DHCP Snooping Follow these steps to configure DHCP snooping: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable DHCP snooping: dhcp-snooping (required; by default, the DHCP snooping function is disabled). Enter Ethernet port view: interface interface-type ... (—)
  • Page 723 Configuring the storage format of Option 82 S5600 Series Ethernet Switches support the HEX or ASCII format for the Option 82 field. Follow these steps to configure a storage format for the Option 82 field: To do…...
  • Page 724 To do… / Use the command… / Remarks: Configure a storage format for the Option 82 field: dhcp-snooping information format { hex | ascii } (optional; by default, the format is hex). The dhcp-snooping information format command applies only to the default content of the Option 82 field.
  • Page 725: Configuring Ip Filtering

    Follow these steps to configure the remote ID sub-option in Option 82: To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the remote ID sub-option in system view: dhcp-snooping information remote-id { sysname | string … (optional; by default, the remote ID sub-option is the MAC address of the DHCP snooping device that...
  • Page 726 To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Create a static binding: ip source static binding ip-address ip-address [ mac-address mac-address ] (optional; by default, no static IP binding entry is created).
  • Page 727: Displaying And Maintaining Dhcp Snooping Configuration

    Displaying and Maintaining DHCP Snooping Configuration To do… / Use the command… / Remarks (available in any view): Display the user IP-to-MAC address mapping entries recorded by the DHCP snooping function: display dhcp-snooping [ unit unit-id ]. Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports: display dhcp-snooping trust. … display ip source static binding...
  • Page 728: Ip Filtering Configuration Example

    Configuration procedure # Enable DHCP snooping on the switch. <Switch> system-view [Switch] dhcp-snooping # Specify GigabitEthernet 1/0/5 as the trusted port. [Switch] interface GigabitEthernet 1/0/5 [Switch-GigabitEthernet1/0/5] dhcp-snooping trust [Switch-GigabitEthernet1/0/5] quit # Enable DHCP-snooping Option 82 support. [Switch] dhcp-snooping information enable # Set the remote ID sub-option in Option 82 to the system name (sysname) of the DHCP snooping device.
  • Page 729 Network diagram Figure 4-7 Network diagram for IP filtering configuration Configuration procedure # Enable DHCP snooping on the switch. <Switch> system-view [Switch] dhcp-snooping # Specify GigabitEthernet 1/0/1 as the trusted port. [Switch] interface GigabitEthernet 1/0/1 [Switch-GigabitEthernet1/0/1] dhcp-snooping trust [Switch-GigabitEthernet1/0/1] quit # Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses.
  • Page 730: Dhcp Packet Rate Limit Configuration

    S5600 series Ethernet switches support ARP and DHCP packet rate limit on a port and shut down the port under attack to prevent hazardous impact on the device CPU. For details about ARP packet rate limit, refer to ARP Operation in this manual.
  • Page 731: Rate Limit Configuration Example

    To do… / Use the command… / Remarks: Enter port view: interface interface-type interface-number (—). Enable the DHCP packet rate limit: dhcp rate-limit enable (required; by default, the DHCP packet rate limit function is disabled). Configure the maximum DHCP packet rate allowed on the port: dhcp rate-limit rate (optional; by default, the maximum rate is 15 pps).
  • Page 732 Networking diagram Figure 5-1 Network diagram for DHCP packet rate limit configuration DHCP server GE1/0/1 DHCP snooping GE1/0/11 GE1/0/2 ClientA ClientB Configuration procedure # Enable DHCP snooping on the switch. <Switch> system-view [Switch] dhcp-snooping # Specify GigabitEthernet 1/0/1 as the trusted port. [Switch] interface GigabitEthernet 1/0/1 [Switch-GigabitEthernet1/0/1] dhcp-snooping trust [Switch-GigabitEthernet1/0/1] quit...
  • Page 733: Introduction To Dhcp Client

    DHCP client dynamically obtains an IP address through DHCP. For S5600 series Ethernet switches (operating as DHCP clients), the vendor and device information contained in Option 60 of DHCP requests is not configurable; instead, it is populated by the application program of the switches in the format of vendor-name.
  • Page 734: Dhcp Client Configuration Example

    Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter VLAN interface view: interface vlan-interface vlan-id (—). Configure the VLAN interface to obtain an IP address through DHCP: ip address { bootp-alloc | dhcp-alloc } (required; by default, no IP address is ...
  • Page 735: Bootp Client Configuration Example

    [SwitchB-Vlan-interface1] ip address dhcp-alloc BOOTP Client Configuration Example Network requirement Switch B’s port belonging to VLAN1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP. Network diagram Figure 2-1. Configuration procedure The following describes only the configuration on Switch B serving as a client.
  • Page 736 ACL Overview ············································································································· 1-1 ACL Matching Order ····························································································· 1-2 Ways to Apply an ACL on a Switch ········································································ 1-3 Types of ACLs Supported by S5600 Series Ethernet Switches ······························· 1-3 ACL Configuration Task List ························································································ 1-4 Configuring Time Range ······················································································· 1-4 Configuring Basic ACL ··························································································...
  • Page 737: Acl Configuration

    ACL Configuration When configuring ACL, go to these sections for information you are interested in: ACL Overview ACL Configuration Task List Displaying and Maintaining ACL Configuration Examples for Upper-layer Software Referencing ACLs Examples for Applying ACLs to Hardware The feature of IPv6 ACL is newly added, which is described in Configuring IPv6 ACL.
  • Page 738: Acl Matching Order

    User-defined ACL: An ACL of this type matches packets by comparing the strings retrieved from the packets with specified strings. It specifies the byte, relative to the packet header, from which the “and” operation with the mask begins. IPv6 ACL: An ACL of this type matches IPv6 packets by matching information such as the source IP address, destination IP address, source MAC address, destination MAC address, traffic class, next header information, destination TCP or UDP port number, and VLAN tag.
  • Page 739: Ways To Apply An Acl On A Switch

    In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For S5600 series Ethernet switches, the later the rule applies, the higher the match priority.
  • Page 740: Acl Configuration Task List

    Periodic time range, which recurs periodically on the day or days of the week. Absolute time range, which takes effect only in a period of time and does not recur. An absolute time range on an H3C S5600 Series Ethernet Switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
  • Page 741 To do... / Use the command... / Remarks: Enter system view: system-view (—). Create a time range: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date } (required). Note that: If only a periodic time section is defined in a time range, the time range is active only...
  • Page 742 From 15:00 Jan/28/2006 to 15:00 Jan/28/2008 Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999. Configuration prerequisites To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
  • Page 743: Configuring Time Range

    Configuration example # Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 192.168.0.1 0 # Display the configuration information of ACL 2000. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, 1 rule Acl's step is 1 rule 0 deny source 192.168.0.1 0...
  • Page 744 To do... / Use the command... / Remarks: Assign a description string to the ACL rule: rule rule-id comment text (optional; no description by default). Assign a description string to the ACL: description text (optional; no description by default). Note that: With the config match order specified for the advanced ACL, you can modify any existent rule.
  • Page 745 A Layer 2 ACL can be numbered from 4000 to 4999. Configuration prerequisites To configure a time range-based Layer 2 ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range.
  • Page 746 [Sysname-acl-ethernetframe-4000] rule deny source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff # Display the configuration information of ACL 4000. [Sysname-acl-ethernetframe-4000] display acl 4000 Ethernet frame ACL 4000, 1 rule Acl's step is 1 rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff Configuring User-defined ACL A user-defined ACL filters packets by comparing specific bytes in packet headers with...
  • Page 747 You can match IPv6 packets by IPv6 ACLs to process IPv6 data flows as required. The number of an IPv6 ACL is in the range from 5000 to 5999. S5600 Series Ethernet switches support matching the following fields: cos: Matches the CoS field in IPv6 packets.
  • Page 748 icmpv6-type: Matches the ICMPv6 type field in IPv6 packets. icmpv6-code: Matches the ICMPv6 code field in IPv6 packets. vlan: Matches the VLAN tag field in IPv6 packets. IPv6 ACLs do not match IPv6 packets with extension headers. When configuring IPv6 ACL rules, note that: To specify the src-port or dest-port keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as TCP or UDP, that is, 0x06 or 0x11.
  • Page 749 Operation / Command / Description: … [ ipv6-type ] [ src-ip ipv6-address prefix-length ] [ src-mac rule-string rule-mask ] [ vlan rule-string rule-mask ] [ [ src-port rule-string … To specify the icmpv6-type or icmpv6-code keyword, you need to specify the ip-protocol rule-string rule-mask combination as ICMPv6, that is, 0x3a.
  • Page 750: Configuring Basic Acl

    User defined ACL 5000, 1 rule Acl's step is 1 rule 0 deny src-ip 3001::1 64 dest-ip 3002::1 64 Applying ACL Rules on Ports By applying ACL rules on ports, you can filter packets on the corresponding ports. Configuration prerequisites You need to define an ACL before applying it on a port.
  • Page 751: Displaying And Maintaining Acl Configuration

    Configuration prerequisites Before applying ACL rules to ports in a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL, Configuring User-defined ACL, and Configuring IPv6 ACL.
  • Page 752: Example For Controlling Web Login Users By Source Ip

    Network diagram Figure 1-1 Network diagram for controlling Telnet login users by source IP Internet Switch 10.110.100.52 Configuration procedure # Define ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Reference ACL 2000 on VTY user interface to control Telnet login users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Example for Controlling Web Login Users by Source IP...
  • Page 753: Examples For Applying Acls To Hardware

    [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 Examples for Applying ACLs to Hardware Basic ACL Configuration Example Network requirements PC 1 and PC 2 connect to the switch through GigabitEthernet 1/0/1. PC1’s IP address is 10.1.1.1.
  • Page 754: Advanced Acl Configuration Example

    Advanced ACL Configuration Example Network requirements Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to GigabitEthernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).
  • Page 755: User-Defined Acl Configuration Example

    Network diagram Figure 1-5 Network diagram for Layer 2 ACL Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012.
  • Page 756: Ipv6 Acl Configuration Example

    Network diagram Figure 1-6 Network diagram for user-defined ACL Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day.
  • Page 757: Example For Applying An Acl To A Vlan

    Network diagram Figure 1-7 Network diagram for IPv6 ACL configuration Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Create an IPv6 ACL and configure a rule for the ACL, denying packets from 3001::1/64 to 3002::1/64.
  • Page 758 Network diagram Figure 1-8 Network diagram for applying an ACL to a VLAN Database server 192.168.1.2 GE1/0/1 GE1/0/3 GE1/0/2 VLAN 10 PC 1 PC 2 PC 3 Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 in working days. <Sysname>...
  • Page 759 Traditional Packet Forwarding Service ·································································· 1-1 New Applications and New Requirements ······························································ 1-1 Major Traffic Control Techniques ·········································································· 1-2 QoS Supported by the S5600 Series Ethernet Switches ··············································· 1-3 Introduction to QoS Functions ····················································································· 1-4 Traffic Classification ····························································································· 1-4 Priority Trust Mode ······························································································· 1-4 Protocol Priority ···································································································...
  • Page 760 Introduction to QoS Profile ··················································································· 2-1 QoS Profile Application Mode ··············································································· 2-1 QoS Profile Configuration Task List············································································· 2-2 Configuring a QoS Profile ····················································································· 2-2 Applying a QoS Profile ························································································· 2-3 Displaying and Maintaining QoS Profile Configuration ·················································· 2-4 Configuration Example ································································································ 2-4 QoS Profile Configuration Example ·······································································...
  • Page 761: Qos Configuration

    QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Supported by the S5600 Series Ethernet Switches QoS Configuration Displaying and Maintaining QoS QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 762: Major Traffic Control Techniques

    regional branches together using VPN techniques for coping with daily business, for instance, accessing databases or managing remote equipment through Telnet. All these new applications have one thing in common: they have special requirements for bandwidth, delay, and jitter. For instance, bandwidth, delay, and jitter are critical for videoconferencing and VoD.
  • Page 763: QoS Supported By The S5600 Series Ethernet Switches

    These are instances of differentiated services. QoS Supported by the S5600 Series Ethernet Switches: The S5600 series Ethernet switches support the QoS features listed in Table 1-1. Table 1-1 QoS features supported by the S5600 series Ethernet switches...
  • Page 764: Introduction To QoS Functions

    Congestion management: The S5600 series support SP and WRR queue scheduling algorithms and support the following three queue scheduling modes (SP+WRR among them). For information about SP and WRR, refer to Queue Scheduling. Introduction to QoS Functions. Traffic Classification: Traffic here refers to service traffic, that is, all the packets passing through the switch.
  • Page 765 Table 1-2 Description on IP Precedence (columns: IP Precedence (decimal), IP Precedence (binary), Description; the Description values are routine, priority, immediate, flash, flash-override, critical, internet, and network). In a network providing differentiated services, traffic is grouped into the following four classes, and packets are processed according to their DSCP values. Expedited Forwarding (EF) class: In this class, packets can be forwarded regardless of the link share of other traffic.
  • Page 766 (Table columns: DSCP value (decimal), DSCP value (binary), Description) 100110 af43; 001000; 010000; 011000; 100000; 101000; 110000; 111000; 000000 be (default). 2) 802.1p priority: 802.1p priority lies in Layer 2 packet headers and is applicable where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header. As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control...
  • Page 767 (Table columns: 802.1p priority (decimal), 802.1p priority (binary), Description; the Description values include excellent-effort, controlled-load, video, voice, and network-management.) The precedence is called 802.1p priority because the related applications of this precedence are defined in detail in the 802.1p specifications. 3) Local precedence: Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to one of the eight hardware output queues.
  • Page 768: Protocol Priority

    Table 1-5 802.1p priority-to-local precedence mapping table (columns: 802.1p priority, Local precedence). Protocol Priority: Protocol packets generated by a switch carry their own priority. You can set a new IP precedence or DSCP precedence for a specific type of protocol packet to implement QoS.
  • Page 769 Token bucket: The token bucket can be thought of as a container with a certain capacity to hold tokens. The system puts tokens into the bucket at the set rate. When the token bucket is full, the extra tokens overflow and the number of tokens in the bucket stops increasing. Figure 1-5 Evaluate the traffic with the token bucket (put tokens in the bucket at the set rate)...
  • Page 770: Line Rate

    Queue Scheduling: When the network is congested, many packets compete for resources; this contention is usually resolved through queue scheduling. The S5600 series switches support Strict Priority (SP) queuing and Weighted Round Robin (WRR) queuing. 1) SP queuing...
  • Page 771 Figure 1-6 Diagram for SP queuing. The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service during congestion in order to reduce response delay. Assume that there are eight output queues on the port; the preferential queue mechanism classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0.
  • Page 772: Flow-Based Traffic Accounting

    The WRR queue-scheduling algorithm schedules all the queues in turn, so every queue is assured a certain service time. In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
  • Page 773: Traffic Mirroring

    Traffic mirroring: Traffic mirroring identifies traffic using ACLs and duplicates the matched packets to the destination mirroring port or the CPU, depending on your configuration. For information about port mirroring, refer to the Mirroring module of this manual. QoS Configuration: Complete the following tasks to configure QoS (columns: Task, Remarks): Configuring Priority Trust Mode...
  • Page 774: Configuring The Mapping Between 802.1p Priority And Local Precedence

    Follow these steps to configure the switch to trust packet priority: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the switch to trust packet priority: priority trust (required; by default, the switch trusts port priority).
  • Page 775: Setting The Priority Of Protocol Packets

    Configuration example # Configure these mappings between 802.1p priority and local precedence: 0 to 2, 1 to 3, 2 to 4, 3 to 1, 4 to 7, 5 to 0, 6 to 5, and 7 to 6. Then, display the configuration. <Sysname>...
  • Page 776 When configuring traffic policing, you can define the action of marking the DSCP precedence for packets exceeding the traffic specification. Refer to section Configuring Traffic Policing. Through the traffic-priority command: You can use the traffic-priority command to mark the IP precedence, 802.1p priority, DSCP precedence, and local precedence of packets.
  • Page 777: Configuring Traffic Policing

    [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
    [Sysname-acl-basic-2000] quit
    [Sysname] interface GigabitEthernet1/0/1
    [Sysname-GigabitEthernet1/0/1] traffic-priority inbound ip-group 2000 dscp 56
    2) Method II
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
    [Sysname-acl-basic-2000] quit
    [Sysname] traffic-priority vlan 2 inbound ip-group 2000 dscp 56
    Configuring Traffic Policing: Refer to section Traffic Policing...
  • Page 778: Configuring Line Rate

    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
    [Sysname-acl-basic-2000] quit
    [Sysname] interface GigabitEthernet1/0/1
    [Sysname-GigabitEthernet1/0/1] traffic-limit inbound ip-group 2000 128 exceed remark-dscp 56
    Configuring Line Rate: Refer to section Line Rate for information about line rate. Configuration prerequisites: The port on which line rate configuration is to be performed has been determined. The target rate has been determined.
  • Page 779: Configuring VLAN Mapping

    Enter Ethernet port view: interface interface-type interface-number. Configure traffic redirecting: traffic-redirect inbound acl-rule { cpu | { interface interface-type interface-number | link-aggregation-group agg-id } [ untagged ] } (required; by default, traffic redirecting is not configured). Packets redirected to the CPU are not forwarded.
  • Page 780: Configuring Queue Scheduling

    Configuration procedure: Follow these steps to configure VLAN mapping: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure VLAN mapping: traffic-remark-vlanid inbound acl-rule remark-vlan remark-vlanid (required; by default, VLAN mapping is not configured).
  • Page 781 Configure queue scheduling: queue-scheduler wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight (required; by default, the queue scheduling algorithm adopted on all the ports is WRR, and the default weights of the eight output queues of a port are 1, 2, 3, 4, 5, 9, 13, and 15, in the order queue 0 through queue...
  • Page 782: Configuring Traffic Accounting

    [Sysname] queue-scheduler wrr 2 2 3 3 4 4 5 5
    [Sysname] display queue-scheduler
    Queue scheduling mode: weighted round robin
    weight of queue 0: 2
    weight of queue 1: 2
    weight of queue 2: 3
    weight of queue 3: 3
    weight of queue 4: 4
    weight of queue 5: 4
    weight of queue 6: 5...
  • Page 783: Configuring Traffic Mirroring

    Configuration prerequisites: You have determined that the burst function is required. Configuration procedure: Follow these steps to enable the burst function: Enter system view: system-view. Enable the burst function: burst-mode enable (required; by default, the burst function is disabled).
  • Page 784: Displaying And Maintaining QoS

    ... as the destination mirroring port: in Ethernet port view (interface interface-type interface-number), use monitor-port. Use either approach. For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring. Configuration example # Assume that GigabitEthernet 1/0/1 is connected to the 10.1.1.0/24 network segment.
  • Page 785: QoS Configuration Examples

    Display queue scheduling configuration: display queue-scheduler. Display traffic accounting configuration: display qos-interface { interface-type interface-number | unit-id } traffic-statistic. Display traffic mirroring configuration: display qos-interface { interface-type interface-number | unit-id } mirrored-to. Display all the QoS configuration: display qos-interface { interface-type interface-number | unit-id } all...
  • Page 786: Configuration Example Of Priority Marking And Queue Scheduling

    [Sysname-acl-basic-2000] quit
    2) Configure traffic policing and rate limiting
    # Set the maximum rate of outbound packets sourced from the marketing department to 64 kbps.
    [Sysname] interface GigabitEthernet1/0/2
    [Sysname-GigabitEthernet1/0/2] line-rate outbound 64
    [Sysname-GigabitEthernet1/0/2] quit
    # Set the maximum rate of outbound IP packets sent by PC 1 in the R&D department to 640 kbps.
  • Page 787: VLAN Mapping Configuration Example

    # Create ACL 3000 and enter advanced ACL view.
    <Sysname> system-view
    [Sysname] acl number 3000
    # Define ACL rules for identifying packets based on destination IP addresses.
    [Sysname-acl-adv-3000] rule 0 permit ip destination 192.168.0.1 0
    [Sysname-acl-adv-3000] rule 1 permit ip destination 192.168.0.2 0
    [Sysname-acl-adv-3000] rule 2 permit ip destination 192.168.0.3 0
    [Sysname-acl-adv-3000] quit
    2) Configure priority marking...
  • Page 788 Network diagram: Figure 1-10 Network diagram for VLAN mapping configuration. Configuration procedure:
    # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
    <SwitchA> system-view
    [SwitchA] vlan 100
    [SwitchA-vlan100] quit
    [SwitchA] vlan 200
    [SwitchA-vlan200] quit
    [SwitchA] vlan 500
    [SwitchA-vlan500] quit...
  • Page 789: Configuring Traffic Mirroring And Redirecting Traffic To A Port

    [SwitchA-GigabitEthernet1/0/12] quit
    # Configure GigabitEthernet 1/0/10 of Switch A as a trunk port, and assign it to VLAN 100, VLAN 200, VLAN 500, and VLAN 600.
    [SwitchA] interface GigabitEthernet 1/0/10
    [SwitchA-GigabitEthernet1/0/10] port link-type trunk
    [SwitchA-GigabitEthernet1/0/10] port trunk permit vlan 100 200 500 600
    [SwitchA-GigabitEthernet1/0/10] quit
    # Configure Layer-2 ACLs on Switch A.
  • Page 790 The marketing department is connected to GigabitEthernet 1/0/1 of the switch. The IP address segment for the hosts of the marketing department is 192.168.1.0/25, and the hosts access the Internet through the switch. The R&D department is connected to GigabitEthernet 1/0/2 of the switch. The IP address segment for the hosts of the R&D department is 192.168.2.0/25, and the hosts access the Internet through the switch.
  • Page 791
    [Switch-GigabitEthernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface GigabitEthernet 1/0/3
    [Switch-GigabitEthernet1/0/3] monitor-port
    [Switch-GigabitEthernet1/0/3] quit
    3) Configure a policy for the traffic of the R&D department
    # Create basic ACL 2001 to permit the traffic of the hosts in the R&D department during the specified time range.
  • Page 792: QoS Profile Configuration

    QoS Profile Configuration. When configuring QoS profiles, go to these sections for information you are interested in: Overview; QoS Profile Configuration Task List; Displaying and Maintaining QoS Profile Configuration; Configuration Example. Overview. Introduction to QoS Profile: A QoS profile is a set of QoS configurations. It provides an easy way of performing and managing QoS configuration.
  • Page 793: QoS Profile Configuration Task List

    A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information). Manual application mode: You can use the apply command to manually apply a QoS profile to a port. QoS Profile Configuration Task List: Complete the following tasks to configure a QoS profile: Operation...
  • Page 794: Applying A QoS Profile

    Configure traffic policing: traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] (optional). Configure packet filtering: packet-filter inbound acl-rule (optional; refer to the ACL module of this manual for information about packet filtering).
  • Page 795: Displaying And Maintaining QoS Profile Configuration

    Follow these steps to apply a QoS profile manually: Enter system view: system-view. Apply a profile to an Ethernet port, selecting either of the operations: in system view, apply qos-profile profile-name interface interface-list; or in Ethernet port view (interface interface-type interface-number), ... By default, a port has...
  • Page 796 Network diagram: Figure 2-1 Network diagram for QoS profile configuration (Network, Switch, AAA Server, GE1/0/1, User). Configuration procedure: 1) Configuration on the AAA server # Configure the user authentication information and the matching relationship between the user name and the QoS profile. Refer to the user manual of the AAA server for detailed configuration.
  • Page 797
    # Define a QoS profile named "example" to limit the rate of matched packets to 128 kbps and to drop the packets exceeding the target rate.
    [Sysname] qos-profile example
    [Sysname-qos-profile-example] traffic-limit inbound ip-group 3000 128 exceed drop
    # Enable 802.1x.
    [Sysname] dot1x
    [Sysname] dot1x interface GigabitEthernet 1/0/1
    After the configuration, the QoS profile named example will be applied to the user with...
  • Page 798 Table of Contents: 1 Mirroring Configuration 1-1; Mirroring Overview 1-1; Local Port Mirroring 1-1; Remote Port Mirroring 1-2; Traffic Mirroring 1-3; Port Mirroring – STP Collaboration Overview 1-3; Mirroring Configuration 1-4; Configuring Local Port Mirroring 1-4; Configuring Remote Port Mirroring ...
  • Page 799: Mirroring Configuration

    Figure 1-1 Mirroring. The S5600 series Ethernet switches support three types of port mirroring: Local Port Mirroring, Remote Port Mirroring, and Traffic Mirroring. They are described in the following sections.
  • Page 800: Remote Port Mirroring

    Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used.
  • Page 801: Traffic Mirroring

    (Table columns: Switch, Ports involved, Function) Trunk port: Sends mirrored packets to the intermediate switch or the destination switch. Intermediate switch, trunk port: Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side.
  • Page 802: Configuring Local Port Mirroring

    Configuring Remote Port Mirroring: Optional. On an S5600 series Ethernet switch, only one destination port for local port mirroring or one reflector port for remote port mirroring can be configured, and the two kinds of ports cannot both exist.
  • Page 803: Configuring Remote Port Mirroring

    Enable port mirroring – STP collaboration: mirroring stp-collaboration (required; this configuration applies to all ports of the current device; by default, port mirroring – STP collaboration is not enabled). In system view: mirroring-group group-id mirroring-port mirroring-port-list { both | ... (use either approach)...
  • Page 804 An S5600 series Ethernet switch can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment. Configuration on a switch acting as a source switch 1) Configuration prerequisites The source port, the reflector port, and the remote-probe VLAN are determined.
  • Page 805 Configure the remote-probe VLAN for the remote source mirroring group: mirroring-group group-id remote-probe vlan remote-probe-vlan-id (required). When configuring the source switch, note that: All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.
  • Page 806 ... remote-probe VLAN: ... remote-probe-vlan-id (required). Note that an S5600 series Ethernet switch acting as the intermediate switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword). Configuration on a switch acting as a destination switch: 1) Configuration prerequisites: The destination port and the remote-probe VLAN are determined.
  • Page 807: Displaying And Maintaining Port Mirroring

    When configuring a destination switch, note that: An S5600 series Ethernet switch acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword). The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP.
  • Page 808: Remote Port Mirroring Configuration Example

    Network requirements The departments of a company connect to each other through S5600 Ethernet switches: Switch A, Switch B, and Switch C are S5600 series switches. Department 1 is connected to GigabitEthernet 1/0/1 of Switch A. Department 2 is connected to GigabitEthernet 1/0/2 of Switch A.
  • Page 809 The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: Use Switch A as the source switch, Switch B as the intermediate switch, and Switch C as the destination switch.
  • Page 810
    # Configure GigabitEthernet 1/0/3 as a trunk port, allowing packets of VLAN 10 to pass.
    [Sysname] interface GigabitEthernet 1/0/3
    [Sysname-GigabitEthernet1/0/3] port link-type trunk
    [Sysname-GigabitEthernet1/0/3] port trunk permit vlan 10
    [Sysname-GigabitEthernet1/0/3] quit
    # Display configuration information about remote source mirroring group 1.
    [Sysname] display mirroring-group 1
    mirroring-group 1:
    type: remote-source...
  • Page 811
    [Sysname] display mirroring-group 1
    mirroring-group 1:
    type: remote-destination
    status: active
    monitor port: GigabitEthernet1/0/2
    remote-probe vlan: 10
    After the configurations, you can monitor all packets sent from Department 1 and 2 on the data detection device.
  • Page 812 Table of Contents: 1 IRF Fabric Configuration 1-1; Introduction to IRF 1-1; Advantages 1-1; Application and Advantages 1-1; Establishment of an IRF Fabric 1-2; How IRF Works 1-5; IRF Fabric Configuration 1-6; IRF Fabric Configuration Task List 1-6; Specifying the Fabric Port of a Switch 1-6; Setting a Unit ID for a Switch 1-7; Assigning a Unit Name to a Switch 1-9; Assigning an IRF Fabric Name to a Switch 1-9...
  • Page 813: IRF Fabric Configuration

    IRF Fabric Configuration Example. Introduction to IRF: Intelligent Resilient Framework (IRF), a feature specific to H3C S5600 series switches, is a new technology for building the core of a network. This feature allows you to build an IRF fabric by interconnecting several S5600 series switches to provide more ports for network devices and improve the reliability of your network.
  • Page 814: Establishment Of An IRF Fabric

    Given a switch, its UP port is connected to the DOWN port of another switch, and its DOWN port is connected to the UP port of a third one. Port connection mode for S5600 series ring topology IRF fabric is shown in Figure...
  • Page 815 Figure 1-4 Network diagram for IRF fabric with a bus topology Fabric ports On an S5600 series Ethernet switch, only the two cascade ports on its rear panel can be configured as the fabric ports. The two cascade ports are:...
  • Page 816 IRF fabric, the local device cannot be added to the fabric. In this case, you have to manually download and load the software, and then restart the device, or manually change the fabric name to add the device to the fabric. H3C S5600 series switches provide the IRF automatic fabric function, which...
  • Page 817: How Irf Works

    enables a candidate switch to automatically download the software and change the fabric name when the software version and fabric name of the candidate device differ from those of the device in the fabric, thus reducing the manual maintenance workload. With IRF automatic fabric enabled, if the software version or fabric name is inconsistent when a switch is added to a fabric, the system automatically performs the following operations: If the software version of the local device is inconsistent with that of the device in the fabric, the...
  • Page 818: IRF Fabric Configuration

    The master in a fabric collects the newest configurations of the user and the slaves periodically synchronize the configurations from the master. In this way, the entire fabric can operate with the same configurations. Distributed Redundancy Routing (DRR) is used to implement redundancy routing backup. The devices in a fabric run their independent routing protocols and maintain their own routing tables.
  • Page 819: Setting A Unit Id For A Switch

    Specify the fabric port of a switch: fabric-port interface-type interface-number enable (required; not specified by default). Establishing an IRF system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure functions that affect IRF on other ports or globally.
  • Page 820 Enter system view: system-view. Set a unit ID to a new value: change unit-id unit-id1 to { unit-id2 | auto-numbering } (optional). Unit IDs in an IRF fabric are not always arranged in order of 1 to 8. Unit IDs of an IRF fabric can be inconsecutive.
  • Page 821: Assigning A Unit Name To A Switch

    Assign a fabric name to the switch: sysname sysname (by default, the IRF fabric name is H3C). Configuring IRF Automatic Fabric for a Switch. Configuration prerequisites: Make sure that the Flash of the candidate device has enough space to download the software used on the device in the fabric.
  • Page 822: Displaying And Maintaining IRF Fabric

    Configuration procedure: Follow these steps to configure IRF automatic fabric for a switch: Enter system view: system-view. Configure IRF automatic fabric for a switch: fabric member-auto-update software enable (required; disabled by default). You need to enable the IRF automatic fabric function on all the devices in the fabric, including the candidate device, so that the candidate device can download software, discover neighbors, and thus be added to the fabric normally.
  • Page 823: IRF Fabric Configuration Example

    IRF Fabric Configuration Example. Network Requirements: Configure unit ID, unit name, and IRF fabric name for four switches to enable them to form an IRF fabric as shown in Figure 1-5. The configuration details are as follows: Unit IDs: 1, 2, 3, 4; Unit names: unit 1, unit 2, unit 3, unit 4; Fabric name: hello. Network Diagram...
  • Page 824
    [Sysname] sysname hello
    Configurations on Switch C and Switch D are similar to the above configurations.
  • Page 825 Table of Contents: 1 Cluster 1-1; Cluster Overview 1-1; Introduction to HGMP 1-1; Roles in a Cluster 1-2; How a Cluster Works 1-4; Cluster Configuration Task List 1-9; Cluster Configuration 1-10; Configuring the Management Device 1-10; Configuring Member Devices 1-14; Managing a Cluster through the Management Device 1-16; Configuring the Enhanced Cluster Features 1-16; Configuring the Cluster Synchronization Function 1-18; Displaying and Maintaining Cluster Configuration 1-23...
  • Page 826: Cluster

    Cluster. When configuring a cluster, go to these sections for information you are interested in: Cluster Overview; Cluster Configuration Task List; Cluster Configuration; Displaying and Maintaining Cluster Configuration; Cluster Configuration Examples. The cluster synchronization function is added. For the configuration, refer to Configuring the Cluster Synchronization Function.
  • Page 827: Roles In A Cluster

    Figure 1-1 A cluster implementation (network management station, network, management device, member devices, and cluster; addresses shown: 69.110.1.100 and 69.110.1.1). HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: you just need to configure a public IP address for the management device instead of for all the devices in the cluster;...
  • Page 828 Table 1-1 Description on cluster roles (columns: Role, Configuration, Function). Management device: configured with an external IP address; provides an interface for managing all the switches in a cluster; manages member devices through command redirection, which forwards commands intended for specific member devices; discovers neighbors, collects information about network topology,...
  • Page 829: How A Cluster Works

    A management device becomes a candidate device only after the cluster is removed. After you create a cluster on an S5600 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster. The interval for a management device to collect network topology information is determined by the NTDP timer.
  • Page 830 carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated, otherwise only the holdtime of the entry is updated. Introduction to NTDP NTDP is a protocol used to collect network topology information. NTDP provides information required for cluster management: it collects topology information about the switches within the specified hop count, so as to provide the information of which devices can be added to a cluster.
  • Page 831 To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
  • Page 832 Figure 1-3 State machine of the connection between the management device and a member device (states: Active, Connect, Disconnect; transition labels: receives the handshake or management packets; fails to receive handshake packets in three consecutive intervals; Disconnect state holdtime exceeds the specified value; is recovered). After a cluster is created and a candidate device is added to the cluster as a member device, both...
  • Page 833 Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted only in the management VLAN, which isolates the management packets from other packets and improves network security. Enabling the management device and the member devices to communicate with each other in the management VLAN.
  • Page 834: Cluster Configuration Task List

    After finding out the port connected with the downstream switch, the switch will send a multicast packet with the VLAN ID and specified hops to the port. Upon receiving the packet, the downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command.
  • Page 835: Cluster Configuration

    To reduce the attack surface that open sockets present and to enhance switch security, the S5600 series Ethernet switches open the cluster socket only when it is needed: UDP port 40000 (used for cluster management) is opened only when the cluster function is enabled, and is closed as soon as the cluster function is disabled.
  • Page 836 Enable NDP on the port: ndp enable. Configuring NDP-related parameters. Follow these steps to configure NDP-related parameters: enter system view (system-view); configure the holdtime of NDP information (ndp timer aging aging-in-seconds, optional; by default, the holdtime of NDP information...
  • Page 837 Launch topology information collection manually: ntdp explore (optional). Enabling the cluster function. Follow these steps to enable the cluster function: enter system view (system-view); enable the cluster function globally (cluster enable, required; by default, the cluster function is enabled, so a switch that should not take part in any cluster needs undo cluster enable to close the cluster port).
  • Page 838 Enter system view (system-view); enter cluster view (cluster); configure the IP address range for the cluster (ip-pool administrator-ip-address { ip-mask | ip-mask-length }, required); start automatic cluster establishment (auto-build [ recover ], required; follow the prompts to establish a cluster).
  • Page 839: Configuring Member Devices

  • Page 840 Enabling NDP globally and on specific ports. Follow these steps to enable NDP globally and on specific ports: enter system view (system-view); enable NDP globally (ndp enable, required; by default, NDP is enabled globally).
  • Page 841: Managing A Cluster Through The Management Device

    Download a file from the shared TFTP server of the cluster: tftp cluster get source-file [ destination-file ] (optional; available in user view). Upload a file to the shared TFTP server of the cluster: tftp cluster put source-file [ destination-file ] (optional; available in user view)...
  • Page 842 When the cluster topology becomes faulty, you can replace the current topology with the standard cluster topology and restore the administrative device from the backup topology saved in its Flash memory, so that the devices in the cluster can resume normal operation. The display cluster current-topology command shows the topology of the current cluster as a tree.
  • Page 843: Configuring The Cluster Synchronization Function

    Restore the standard topology from the Flash memory of the administrative device: topology restore-from local-flash (optional). Display detailed information about a single device: display ntdp single-device mac-address mac-address. Display the topology of the current cluster: display cluster current-topology [ mac-address mac-address1 [ to-mac-address mac-address2 ] | ...
  • Page 844 SNMP configuration synchronization With this function, you can configure the public SNMP community name, SNMP group, SNMP users and MIB views. These configurations are synchronized to the member devices of the cluster automatically, which both simplifies configuration of the member devices and lets the network management station (NMS) reach any member device of the cluster with the same settings. Note that a community name or user configured this way becomes a credential that is valid on every member of the cluster.
  • Page 845 Perform the above operations on the management device of the cluster. Configuring the public SNMP information is equivalent to executing these configurations on both the management device and the member devices (refer to the SNMP-RMON Operation part in this manual), and these configurations are saved to the configuration files of the management device and the member devices.
  • Page 846 Member 1 succeeded in the usm-user configuration. Finish to synchronize the command. # After the above configuration, you can see that the public SNMP configurations for the cluster are saved to the management device and member devices by viewing the configuration files. Configuration file content on the management device (only the SNMP-related information is displayed) [test_0.Sysname-cluster] display current-configuration...
  • Page 847 Perform the following operations on the management device to synchronize local user configurations: enter system view (system-view); enter cluster view (cluster); create a public local user (cluster-local-user username password { cipher | simple }, required; not configured by default).
  • Page 848: Displaying And Maintaining Cluster Configuration

    Basic Cluster Configuration Example Network requirements Three switches form a cluster: an S5600 series switch serves as the management device and the other two are member devices. Serving as the management device, the S5600 switch manages the two member devices. The...
  • Page 849 The NMS and logging host use the same IP address: 69.172.55.4. Network diagram Figure 1-4 Network diagram for HGMP cluster configuration Configuration procedure Configure the member devices (taking one member as an example) # Enable NDP globally and on Ethernet 1/0/1. <Sysname>...
  • Page 850 [Sysname-GigabitEthernet1/0/1] undo ntdp enable [Sysname-GigabitEthernet1/0/1] quit # Enable NDP on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] ndp enable [Sysname-GigabitEthernet1/0/2] quit [Sysname] interface GigabitEthernet 1/0/3 [Sysname-GigabitEthernet1/0/3] ndp enable [Sysname-GigabitEthernet1/0/3] quit # Set the hold time of NDP information to 200 seconds. [Sysname] ndp timer aging 200 # Set the interval between sending NDP packets to 70 seconds.
  • Page 851: Network Management Interface Configuration Example

    # Configure VLAN-interface 2 as the network management interface. [aaa_0.Sysname-cluster] nm-interface Vlan-interface 2 # Configure the shared FTP server, TFTP server, logging host and SNMP host for the cluster. [aaa_0.Sysname-cluster] ftp-server 63.172.55.1 [aaa_0.Sysname-cluster] tftp-server 63.172.55.1 [aaa_0.Sysname-cluster] logging-host 69.172.55.4 [aaa_0.Sysname-cluster] snmp-host 69.172.55.4 Perform the following operations on the member devices (taking one member as an example) After adding the devices attached to the management device to the cluster, perform the following operations on a member device.
  • Page 852 Table 1-2 Connection information of the management switch: VLAN 3 (connected to Switch B), IP address 192.168.5.30/24, connection port GigabitEthernet 1/0/1; VLAN 2 (connected to the FTP server), IP address 192.168.4.22/24, connection port GigabitEthernet 1/0/2. Network diagram: Figure 1-5 Network diagram for network management interface configuration. Configuration procedure: # Enter system view and configure VLAN 3 as the management VLAN.
  • Page 853: Enhanced Cluster Feature Configuration Example

    [Sysname-cluster] ip-pool 192.168.5.1 255.255.255.224 # Name and build the cluster. [Sysname-cluster] build aaa [aaa_0.Sysname-cluster] # Configure VLAN-interface 2 as the network management interface. [aaa_0.Sysname] cluster [aaa_0.Sysname-cluster] nm-interface Vlan-interface 2 Enhanced Cluster Feature Configuration Example Network requirements The cluster operates properly. Add the device with the MAC address 0001-2034-a0e5 to the cluster blacklist, that is, prevent the device from being managed and maintained by the cluster.
  • Page 855 Table of Contents: 1 PoE Configuration 1-1; PoE Overview 1-1; Introduction to PoE 1-1; PoE Features Supported by S5600 1-1; PoE Configuration 1-2; PoE Configuration Task List 1-2; Enabling the PoE Feature on a Port 1-3; Setting the Maximum Output Power on a Port 1-4; Setting PoE Management Mode and PoE Priority of a Port 1-4; Setting the PoE Mode on a Port 1-5; Configuring the PD Compatibility Detection Function 1-5...
  • Page 856: Poe Overview

    PDs conform to the 802.3af standard and include IP phones, wireless APs, network cameras and so on. PI: PIs are the RJ45 interfaces that connect PSEs/PDs to network cables. PoE Features Supported by S5600 The PoE-enabled S5600 series Ethernet switches are the S5600-26C-PWR and the S5600-50C-PWR. A PoE-enabled S5600 switch has the following features: as the PSE, it supports the IEEE 802.3af standard.
  • Page 857: Poe Configuration Task List

    It can deliver data and current simultaneously through the data wires (1, 2, 3, and 6) of category-3/5 twisted pairs. Through its fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches at a maximum distance of 100 m (328 feet). Each Ethernet electrical port can supply at most 15,400 mW to a PD.
  • Page 858: Enabling The Poe Feature On A Port

    Setting the PoE Mode on a Port (optional); Configuring the PD Compatibility Detection Function (optional); Configuring PoE Over-Temperature Protection on the Switch (optional); Upgrading the PSE Processing Software Online (optional). Upgrading the PSE Processing Software Online The online upgrade of the PSE processing software can update the processing software or repair it if it is damaged.
  • Page 859: Setting The Maximum Output Power On A Port

    When a switch is close to its full load in supplying power, you can adjust the power supply of the switch through the cooperation of the PoE management mode and the port PoE priority settings. S5600 series switches support two PoE management modes, auto and manual. The auto mode is adopted by default.
  • Page 860: Setting The Poe Mode On A Port

    Spare mode: DC power is carried over the spare pairs (4, 5, 7, and 8) of category-3/5 twisted pairs. Currently, S5600 series Ethernet switches do not support the spare mode. After the PoE feature is enabled on the port, perform the following configuration to set the PoE mode on the port.
  • Page 861: Upgrading The Pse Processing Software Online

    Follow these steps to configure PoE over-temperature protection on the switch: enter system view (system-view); enable PoE over-temperature protection on the switch (poe temperature-protection enable, optional; enabled by default). When the internal temperature of the switch decreases from X (X > 65°C, or X > 149°F) to Y (60°C ≤ Y < 65°C, or 140°F ≤ Y < 149°F), the switch still keeps the PoE function disabled on all the ports.
  • Page 862: Upgrading The Pse Processing Software Of Fabric Switches Online

    PoE Configuration Example Network requirements Switch A is an S5600 series Ethernet switch supporting PoE, Switch B can be PoE powered. The GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 ports of Switch A are connected to Switch B and an AP respectively; the GigabitEthernet 1/0/8 port is intended to be connected with an important AP.
  • Page 863 Network diagram: Figure 1-1 Network diagram for PoE (Switch A, with ports GE1/0/1, GE1/0/2 and GE1/0/8, connected to the network and to Switch B). Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of GigabitEthernet 1/0/1 to 12,000 mW.
  • Page 864: Poe Profile Configuration

    On a large network or a network with mobile users, S5600 series Ethernet switches provide PoE profiles to help network administrators monitor the PoE features of the switch. A PoE profile is a set of PoE configurations covering multiple PoE features.
  • Page 865: Displaying Poe Profile Configuration

    Quit system view: quit. Apply the existing PoE profile to the specified port, using either approach: in system view, apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ]; or enter Ethernet port view (interface interface-type interface-number) and, in Ethernet...
  • Page 866: Poe Profile Configuration Example

    PoE Profile Configuration Example PoE Profile Application Example Network requirements Switch A is an S5600 series Ethernet switch supporting PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use.
  • Page 867 # In Profile 1, add the PoE policy configuration applicable to GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 ports for users of group A. [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000 [SwitchA-poe-profile-Profile1] quit # Display detailed configuration information for Profile1. [SwitchA] display poe-profile name Profile1 Poe-profile: Profile1, 3 action poe enable...
  • Page 868 Table of Contents: 1 UDP Helper Configuration 1-1; Introduction to UDP Helper 1-1; Configuring UDP Helper 1-2; Displaying and Maintaining UDP Helper 1-3; UDP Helper Configuration Example 1-3; Cross-Network Computer Search Through UDP Helper 1-3...
  • Page 869: Udp Helper Configuration

    TTL field being 0 or 1. In some cases, however, you may need to enable UDP Helper to forward broadcasts with the TTL field being 1. To meet this need, S5600 series Ethernet switches provide the UDP Helper TTL-keep feature, which allows forwarding of broadcasts with the TTL field being 1 without decrementing the TTL value by one.
  • Page 870: Configuring Udp Helper

    By default, with UDP Helper enabled, the device forwards broadcast packets with the six UDP destination port numbers listed in Table 1-1. Table 1-1 List of default UDP ports Protocol UDP port number DNS (Domain Name System) NetBIOS-DS (NetBIOS Datagram Service) NetBIOS-NS (NetBIOS Name Service) TACACS (Terminal Access Controller Access Control System)
  • Page 871: Displaying And Maintaining Udp Helper

    On an S5600 Series Ethernet Switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, UDP Helper is available only when the ip forward-broadcast command is configured in system view. For details about the ip forward-broadcast command, refer to the IP Address and Performance part of this manual.
  • Page 872 Network diagram Figure 1-1 Network diagram for UDP Helper configuration Configuration procedure # Enable Switch A to receive directed broadcasts to a directly connected network. <SwitchA> system-view [SwitchA] ip forward-broadcast # Enable UDP Helper on Switch A. [SwitchA] udp-helper enable # Configure the switch to forward broadcasts containing the destination UDP port number 137.
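The forwarding decision described in this chapter, as an added Python model; it is not H3C code. It builds a constructed IPv4/UDP broadcast, applies the rules stated above (only limited or directed broadcasts, only the configured UDP destination ports, TTL 0 or 1 dropped unless ttl-keep lets TTL 1 through), rewrites the destination to the helper address and recomputes the IP header checksum. Rewriting the destination and decrementing the TTL on relay are assumptions about what the switch does, since the page does not describe the packet rewrite; DEFAULT_PORTS holds the IANA numbers for the four protocols the page names, while the switch's real default list has six entries.

```python
import socket
import struct
from typing import Dict, Optional

# IANA port numbers for the four protocols named on the page; the switch's
# real default list has six entries (two are cut off in this excerpt).
DEFAULT_PORTS: Dict[int, str] = {53: "DNS", 137: "NetBIOS-NS", 138: "NetBIOS-DS", 49: "TACACS"}
LIMITED_BROADCAST = "255.255.255.255"
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_broadcast(src: str, dst: str, ttl: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + UDP datagram (UDP checksum left at 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, IPPROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def dst_addr(pkt: bytes) -> str:
    return socket.inet_ntoa(pkt[16:20])


def ttl_of(pkt: bytes) -> int:
    return pkt[8]


def udp_helper_forward(pkt: bytes, helper_addr: str, ports: Optional[Dict[int, str]] = None,
                       ttl_keep: bool = False, connected_bcast: Optional[str] = None) -> Optional[bytes]:
    """Return the relayed packet, or None when UDP Helper does not forward it.

    connected_bcast is the directed broadcast address of the receiving
    interface's subnet; it only matters once ip forward-broadcast is enabled."""
    ports = DEFAULT_PORTS if ports is None else ports
    ver_ihl, _, _, _, _, ttl, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if socket.inet_ntoa(dst) not in (LIMITED_BROADCAST, connected_bcast):
        return None                                 # not a broadcast the helper handles
    if proto != IPPROTO_UDP:
        return None
    if ttl == 0 or (ttl == 1 and not ttl_keep):
        return None                                 # default rule: TTL 0 or 1 is not relayed
    _, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if dport not in ports:
        return None                                 # destination port not in the helper list
    new_ttl = ttl if ttl == 1 else ttl - 1          # ttl-keep: TTL 1 is forwarded untouched
    hdr = bytearray(pkt[:ihl])
    hdr[8] = new_ttl
    hdr[16:20] = socket.inet_aton(helper_addr)      # redirect the broadcast to the helper (assumed)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


if __name__ == "__main__":
    query = build_udp_broadcast("192.168.1.10", LIMITED_BROADCAST, 64, 137, 137, b"name query")
    relayed = udp_helper_forward(query, "10.0.0.5")
    print("relayed to", dst_addr(relayed), "with TTL", ttl_of(relayed))
```

The directed-broadcast case is the one the caveat on the previous page is about: without ip forward-broadcast the switch never accepts the packet, which the model reflects by refusing any destination other than the limited broadcast unless a connected broadcast address is supplied.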
  • Page 873 Table of Contents: 1 SNMP Configuration 1-1; SNMP Overview 1-1; SNMP Operation Mechanism 1-1; SNMP Versions 1-1; Supported MIBs 1-2; Configuring Basic SNMP Functions 1-3; Configuring Trap-Related Functions 1-6; Configuring Basic Trap Functions 1-6; Configuring Extended Trap Function...
  • Page 874: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) is used to exchange management information between network nodes.
  • Page 875: Supported Mibs

    SNMPv3 uses user name and password authentication. SNMPv1 and SNMPv2c use community name authentication: SNMP packets carrying an invalid community name are discarded. The SNMP community name defines the relationship between the SNMP NMS and the SNMP agent. The community name functions as a password, and in SNMPv1/v2c it is carried in clear text in every packet, so treat it as a credential: avoid default names and restrict the sources that may use it.
  • Page 876: Configuring Basic Snmp Functions

    Table 1-1 Common MIBs (MIB attribute, MIB content, related RFC): public MIBs: MIB II based on TCP/IP network device (RFC 1213); BRIDGE MIB (RFC 1493, RFC 2675); RIP MIB (RFC 1724); RMON MIB (RFC 2819); Ethernet MIB (RFC 2665); OSPF MIB (RFC 1253); IF MIB (RFC 1573)...
  • Page 877 Set system information and specify the versions to enable (SNMPv1 or SNMPv2c) on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | ... (by default, the contact is "Hangzhou H3C Technologies Co., Ltd.", ...
  • Page 878 Set system information and specify to enable SNMPv3 on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (by default, the contact for maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the...
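A configuration audit for the settings described in this section, added as an example and not H3C code. It reads a Comware-style snmp-agent configuration, using a constructed sample fragment in the command forms this chapter shows, and reports the weaknesses a reviewer looks for first: default or write-capable community names, communities without an ACL, SNMPv1/v2c enabled, and SNMPv3 users whose group does not require privacy or that use MD5 or DES. The exact layout of the group and usm-user lines in a real dump is an assumption; the audit only tokenises on whitespace and looks for the keywords shown.

```python
from typing import Dict, List, Optional

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known defaults every scanner tries

# Constructed fragment of a display current-configuration dump, written in the
# command forms this chapter shows; not taken from a real device.
SAMPLE_CONFIG = """\
 snmp-agent
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent community read ro-ops acl 2001
 snmp-agent sys-info version v1 v2c v3
 snmp-agent group v3 noauthgroup
 snmp-agent group v3 privgroup privacy
 snmp-agent usm-user v3 legacy noauthgroup authentication-mode md5 S3cret
 snmp-agent usm-user v3 nms privgroup authentication-mode sha S3cret privacy-mode aes128 Pr1v
"""


def _after(tok: List[str], key: str) -> Optional[str]:
    """The token following key, or None if key is absent or last."""
    if key not in tok:
        return None
    i = tok.index(key)
    return tok[i + 1] if i + 1 < len(tok) else None


def audit_snmp(config_text: str) -> List[str]:
    """Return one finding per weakness found in the snmp-agent lines of config_text."""
    findings: List[str] = []
    groups: Dict[str, str] = {}          # v3 group name -> required security level
    v1v2c = False
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "snmp-agent":
            continue
        if tok[1] == "community" and len(tok) >= 4:
            access, name = tok[2], tok[3]
            if name in DEFAULT_COMMUNITIES:
                findings.append(f"community {name!r} ({access}): well-known default name")
            if access == "write":
                findings.append(f"community {name!r} (write): write access over SNMPv1/v2c")
            if "acl" not in tok[4:]:
                findings.append(f"community {name!r} ({access}): no ACL restricts source addresses")
        elif tok[1:3] == ["sys-info", "version"]:
            v1v2c |= bool(set(tok[3:]) & {"v1", "v2c", "all"})
        elif tok[1:3] == ["group", "v3"] and len(tok) >= 4:
            # snmp-agent group v3 name [ authentication | privacy ]; absent means noAuthNoPriv
            level = tok[4] if len(tok) > 4 and tok[4] in ("authentication", "privacy") else "noauth"
            groups[tok[3]] = level
        elif tok[1:3] == ["usm-user", "v3"] and len(tok) >= 5:
            user, group = tok[3], tok[4]
            level = groups.get(group, "noauth")
            if level != "privacy":
                findings.append(f"v3 user {user!r}: group {group!r} accepts {level} requests")
            if _after(tok, "authentication-mode") == "md5":
                findings.append(f"v3 user {user!r}: md5 authentication is deprecated, use sha")
            priv = _after(tok, "privacy-mode")
            if priv is None:
                findings.append(f"v3 user {user!r}: no privacy-mode, SNMPv3 payload is unencrypted")
            elif priv == "des56":
                findings.append(f"v3 user {user!r}: des56 privacy is weak, use aes128")
    if v1v2c:
        findings.append("SNMPv1/v2c enabled: community names travel in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample, the read-only community with an ACL and the SNMPv3 user in the privacy group produce no findings; everything else does. The group-level check matters because a usm-user configured with authentication in a group that only requires noAuthNoPriv still answers unauthenticated requests.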
  • Page 879: Configuring Trap-Related Functions

    Configuring Trap-Related Functions Configuring Basic Trap Functions Traps are messages that managed devices send to the NMS without being polled. They report urgent and important events (for example, the reboot of a managed device). Note that basic SNMP configuration must be completed before you configure the basic trap function. Follow these steps to configure the basic trap function: To do…...
  • Page 880: Enabling Logging For Network Management

    Follow these steps to configure the extended trap function: en
ter system view (system-view); configure the extended trap function (snmp-agent trap ifmib link extended, optional; by default, the linkUp/linkDown trap adopts the standard format defined in IF-MIB; for details, refer to RFC 1213).
  • Page 881: Snmp Configuration Example

    Display trap list information: display snmp-agent trap-list. Display the currently configured community names: display snmp-agent community [ read | write ]. Display the currently configured MIB views: display snmp-agent mib-view [ exclude | include | viewname view-name ]. SNMP Configuration Example SNMP Configuration Example Network requirements...
  • Page 882 Configuring the NMS The S5600 series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on.
  • Page 883: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON RMON Configuration Displaying RMON RMON Configuration Example Introduction to RMON Remote Monitoring (RMON) is a MIB defined by the Internet Engineering Task Force (IETF).
  • Page 884: Commonly Used Rmon Groups

    An H3C S5600 Ethernet switch implements RMON in the second way: with an embedded RMON agent, an S5600 Ethernet switch can serve as a network device with the RMON probe function. Through the RMON-capable SNMP agents running on the Ethernet switch,...
  • Page 885: Rmon Configuration

    history group can provide the history data of the statistics on network segment traffic, error packets, broadcast packets, and bandwidth utilization. With the history data management function, you can configure network devices to collect history data, sample and store data of a specific port periodically. Statistics group Statistics group contains the statistics of each monitored port on a switch.
  • Page 886: Displaying Rmon

    The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 887 [Sysname-GigabitEthernet1/0/1] quit # Add the event entries numbered 1 and 2 to the event table; the extended alarm below triggers them. [Sysname] rmon event 1 log [Sysname] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the extended alarm table so that the system evaluates the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), the total number of undersize and oversize packets (otherwise well formed) received on GigabitEthernet 1/0/1, sampling it every 10 seconds.
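How the extended alarm entry above behaves over successive samples, as an added example that is not H3C code. The formula, the two etherStats OIDs, the 10-second interval and the two event entries are the page's; the rising and falling thresholds, the delta sampling type and the counter snapshots are constructed. Threshold handling follows RFC 2819: an event fires when a threshold is crossed, a rising event is not repeated until a falling crossing has re-armed it (and vice versa), and the startup type decides whether the very first sample may fire. Only absolute and delta sampling are modelled.

```python
import ast
import operator
import re
from typing import Dict, List, Optional

UNDERSIZE = ".1.3.6.1.2.1.16.1.1.1.9.1"     # etherStatsUndersizePkts, etherStats entry 1
OVERSIZE = ".1.3.6.1.2.1.16.1.1.1.10.1"     # etherStatsOversizePkts, etherStats entry 1
FORMULA = "(" + UNDERSIZE + "+" + OVERSIZE + ")"
EVENTS = {1: "log", 2: "trap 10.21.30.55"}  # the two event entries from the page

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.floordiv}


def _eval_node(node: ast.AST) -> int:
    # Accept only integer arithmetic; any other syntax in a formula is an error.
    if isinstance(node, ast.Expression):
        return _eval_node(node.body)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    raise ValueError("unsupported element in formula")


def evaluate(formula: str, mib: Dict[str, int]) -> int:
    """Substitute each OID in the formula with its current value and compute it."""
    expr = re.sub(r"\.\d+(?:\.\d+)+", lambda m: str(mib[m.group(0)]), formula)
    return _eval_node(ast.parse(expr, mode="eval"))


class PriAlarm:
    """One rmon prialarm entry with RFC 2819 alarmTable threshold semantics."""

    def __init__(self, formula: str, sample_type: str, rising: int, rising_event: int,
                 falling: int, falling_event: int, startup: str = "rising-or-falling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("only absolute and delta sampling are modelled")
        self.formula, self.sample_type, self.startup = formula, sample_type, startup
        self.rising, self.rising_event = rising, rising_event
        self.falling, self.falling_event = falling, falling_event
        self.last_value: Optional[int] = None    # previous formula result (delta base)
        self.last_sample: Optional[int] = None   # previous value compared with thresholds
        self.last_event: Optional[str] = None    # which threshold fired most recently

    def sample(self, mib: Dict[str, int]) -> Optional[int]:
        """Take one sample (once per sampling interval); return the event fired, if any."""
        value = evaluate(self.formula, mib)
        if self.sample_type == "delta":
            if self.last_value is None:
                self.last_value = value
                return None                        # a delta needs two raw samples
            current, self.last_value = value - self.last_value, value
        else:
            current = value
        first = self.last_sample is None
        up = self.startup in ("rising", "rising-or-falling") if first else self.last_sample < self.rising
        down = self.startup in ("falling", "rising-or-falling") if first else self.last_sample > self.falling
        fired = None
        if current >= self.rising and up and self.last_event != "rising":
            fired, self.last_event = self.rising_event, "rising"
        elif current <= self.falling and down and self.last_event != "falling":
            fired, self.last_event = self.falling_event, "falling"
        self.last_sample = current
        return fired


def run(alarm: PriAlarm, snapshots: List[Dict[str, int]]) -> List[Optional[int]]:
    return [alarm.sample(snap) for snap in snapshots]


# Constructed counter snapshots (undersize, oversize) taken 10 s apart.
SNAPSHOTS = [{UNDERSIZE: u, OVERSIZE: o} for u, o in
             [(100, 20), (130, 30), (200, 40), (260, 60), (262, 60), (263, 60), (330, 60)]]

if __name__ == "__main__":
    alarm = PriAlarm(FORMULA, "delta", rising=50, rising_event=1, falling=5, falling_event=2)
    for i, fired in enumerate(run(alarm, SNAPSHOTS)):
        print(f"sample {i} at t={10 * i}s:", f"event {fired} ({EVENTS[fired]})" if fired else "no event")
```

With delta sampling the alarm compares the growth between samples, so two consecutive samples above the rising threshold fire the log event only once; the trap event fires when the growth drops to the falling threshold, which is also what re-arms the rising event for the next burst.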
  • Page 888 Table of Contents: 1 NTP Configuration 1-1; Introduction to NTP 1-1; Applications of NTP 1-1; Implementation Principle of NTP 1-2; NTP Implementation Modes 1-3; NTP Configuration Task List 1-6; Configuring NTP Implementation Modes 1-6; Configuring NTP Server/Client Mode 1-7; Configuring the NTP Symmetric Peer Mode 1-8; Configuring NTP Broadcast Mode 1-8; Configuring NTP Multicast Mode 1-9; Configuring Access Control Right 1-10...
  • Page 889: Ntp Configuration

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes Configuring Access Control Right Configuring NTP Authentication Configuring Optional NTP Parameters Displaying NTP Configuration Configuration Examples Introduction to NTP Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
  • Page 890: Implementation Principle Of Ntp

    To perform incremental backups between a backup server and a host, you must make sure they use the same time. NTP has the following advantages: defining the accuracy of clocks by stratum, so that the clocks of all devices in a network are synchronized quickly; supporting access control (see section Configuring Access Control...
  • Page 891 Figure 1-1 Implementation principle of NTP (Device A and Device B exchange an NTP message over an IP network; the timestamps shown are 10:00:00 am when Device A sends the message, 11:00:01 am when Device B receives it, 11:00:02 am when Device B sends the reply, and 10:00:03 am when Device A receives the reply)...
  • Page 892 Server/client mode: Figure 1-2 Server/client mode. Symmetric peer mode: Figure 1-3 Symmetric peer mode (the active peer sends a clock synchronization request packet across the network to the passive peer, which works in passive peer mode automatically and returns a response packet; in peer mode both sides can synchronize to each other). In the symmetric peer mode, the local S5600 Ethernet switch serves as the symmetric-active peer and...
  • Page 893 Multicast mode: Figure 1-5 Multicast mode. Table 1-1 describes how the above mentioned NTP modes are implemented on H3C S5600 series Ethernet switches. Table 1-1 NTP implementation modes on H3C S5600 series Ethernet switches (columns: NTP implementation mode; configuration on S5600 series switches)...
  • Page 894: Ntp Implementation Modes

    When an H3C S5600 Ethernet switch works in server mode or symmetric passive mode, you need not perform the related configuration on this switch; configure the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the H3C S5600 Ethernet switch has been synchronized.
  • Page 895: Configuring Ntp Server/Client Mode

    To keep unused sockets closed and reduce exposure to attack, H3C S5600 series Ethernet switches open the NTP socket only when it is needed: UDP port 123 is opened only when the NTP feature is enabled, and is closed when the NTP feature is disabled.
  • Page 896: Configuring The Ntp Symmetric Peer Mode

    NTP broadcast messages to the broadcast address 255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a broadcast server or a broadcast client.
  • Page 897: Configuring Ntp Multicast Mode

    NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5600 series Ethernet switch can work as a multicast server or a multicast client. A multicast server can synchronize multicast clients only after its clock has been synchronized.
  • Page 898: Configuring Access Control Right

    Enter VLAN interface view (interface Vlan-interface vlan-id); configure the switch to work in NTP multicast server mode (ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ]*, required; not configured by default). Configuring a switch to work in the multicast client mode Follow these steps to configure a switch to work in the NTP multicast client mode:...
  • Page 899: Configuring Ntp Authentication

    Enter system view (system-view); configure the NTP service access-control right of peer devices to the local switch (ntp-service access { peer | server | synchronization | query } acl-number, optional; peer by default). The access-control right mechanism provides only a minimum degree of security protection for the local switch: it filters on the source addresses matched by the ACL and does not verify who actually sent a packet, so it complements NTP authentication rather than replacing it.
  • Page 900: Configuration Procedure

    The local clock of the client is only synchronized to the server that provides a trusted key. In addition, for the server/client mode and the symmetric peer mode, you need to associate a specific key on the client (the symmetric-active peer in the symmetric peer mode) with the corresponding NTP server (the symmetric-passive peer in the symmetric peer mode);...
  • Page 901: Configuring Optional Ntp Parameters

    Configure an NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value (required; by default, no NTP authentication key is configured). Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (required; by default, no trusted authentication key is configured).
  • Page 902: Configuring The Number Of Dynamic Sessions Allowed On The Local Switch

    If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 903: Configuration Examples

    Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]. Display brief information about the NTP servers along the path from the local device to the reference clock source: display ntp-service trace. Configuration Examples Configuring NTP Server/Client Mode...
  • Page 904: Configuring Ntp Symmetric Peer Mode

    Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
  • Page 905: Configuring Ntp Broadcast Mode

    [DeviceC] ntp-service unicast-server 3.0.1.31 Configure Device B (after the Device C is synchronized to Device A). # Enter system view. <DeviceB> system-view # Set Device C as the peer of Device B. [DeviceB] ntp-service unicast-peer 3.0.1.33 Device C and Device B are symmetric peers after the above configuration. Device B works in symmetric active mode, while Device C works in symmetric passive mode.
  • Page 906 Network diagram Figure 1-8 Network diagram for the NTP broadcast mode configuration Configuration procedure Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as the broadcast server, which sends broadcast messages through VLAN-interface 2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server Configure Device A.
  • Page 907: Configuring Ntp Multicast Mode

    The output indicates that Device D is synchronized to Device C and that its clock is at stratum 3, one stratum further from the reference clock than Device C.
    # Display the NTP sessions on Device D to confirm that an association has been established between Device D and Device C.
  • Page 908: Configuring Ntp Server/Client Mode With Authentication

    [DeviceA] interface Vlan-interface 2
    [DeviceA-Vlan-interface2] ntp-service multicast-client

    After the above configurations, Device A and Device D each listen for multicast messages on their own VLAN-interface 2, and Device C advertises multicast messages through VLAN-interface 2. Because Device A and Device C are not on the same network segment, Device A cannot receive multicast messages from Device C, while Device D is synchronized to Device C after receiving its multicast messages.
  • Page 909 # Enter system view.
    <DeviceB> system-view
    # Enable the NTP authentication function.
    [DeviceB] ntp-service authentication enable
    # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
    [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
    # Specify key 42 as a trusted key.
    The key ID and key string form a shared secret: the peer must be configured with the same ID and key, and only messages whose MAC verifies under a trusted key ID are accepted.
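The key ID 42 / aNiceKey pair above is used by NTP's symmetric-key authentication: the sender appends a 4-byte key ID and MD5(key || header) to the 48-byte NTP header, and the receiver accepts the message only if the key ID is one it trusts and the digest recomputes. The following Python script is an added example, not from this manual and not H3C code: it builds a constructed NTPv4 client packet, signs it with the key from the configuration above, and verifies it, rejecting an untrusted key ID, a wrong key, a missing MAC and a tampered header. The packet contents are constructed for the example, not captured from a switch, and extension fields are not handled.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Values from the configuration above. Everything else in this file is constructed.
KEY_ID = 42
KEY = b"aNiceKey"

NTP_HEADER_LEN = 48   # RFC 5905 header
NTP_MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_ntp_client_packet(transmit_ts: int = 0xBF422AE405AEA86C) -> bytes:
    """Build a bare NTPv4 client request: LI=0, VN=4, Mode=3, every other field
    zero except the transmit timestamp (the 64-bit NTP timestamp format shown in
    the 'Reference time' output above). Zeroed fields are legal in a request."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBBb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    header += b"\x00" * 4                                 # reference ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # ref, orig, recv, xmt timestamps
    return header


def ntp_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Symmetric-key MAC from RFC 5905 section 7.3: the key ID in network byte
    order followed by MD5 over the key bytes prepended to the 48-byte header
    (plain MD5 of key||message, not HMAC)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def sign_packet(packet: bytes, key_id: int = KEY_ID, key: bytes = KEY) -> bytes:
    if len(packet) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return packet + ntp_mac(key_id, key, packet)


def verify_packet(message: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """Accept a message only if it carries a MAC, the MAC names a key ID in the
    trusted set (the 'trusted key' step of the configuration above), and the
    digest recomputes over the received header. Everything else is rejected,
    which is also what happens to unauthenticated packets once authentication
    is enabled on both sides."""
    if len(message) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    trusted = {KEY_ID: KEY}
    signed = sign_packet(build_ntp_client_packet())
    print("valid:", verify_packet(signed, trusted))
    forged = bytearray(signed)
    forged[40] ^= 0x01   # flip one bit inside the transmit timestamp
    print("tampered:", verify_packet(bytes(forged), trusted))
```

The trusted_keys dictionary plays the role of the trusted key list on the switch: a key that is configured but not marked trusted, or a key ID the peer never configured, fails verification even though the digest arithmetic is identical.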
  • Page 910 Table of Contents
    1 SSH Configuration (1-1)
    SSH Overview (1-1)
    Introduction to SSH (1-1)
    Algorithm and Key (1-1)
    SSH Operating Process (1-2)
    SSH Server and Client (1-4)
    Configuring the SSH Server (1-5)
    Configuring the User Interfaces for SSH Clients (1-6)
    Configuring the SSH Management Functions (1-7)
    Configuring the SSH Server to Be Compatible with SSH1 Clients (1-8)
    Configuring Key Pairs (1-8)
    Creating an SSH User and Specifying an Authentication Type (1-9)...
  • Page 911: Ssh Configuration

    SSH Configuration
    When configuring SSH, go to these sections for the information you are interested in: SSH Overview; SSH Server and Client; Displaying and Maintaining SSH Configuration; Comparison of SSH Commands with the Same Functions; SSH Configuration Examples.
    SSH Overview
    Introduction to SSH
    Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing secure access to the Command Line Interface (CLI) of a switch for configuration and management.
  • Page 912: Ssh Operating Process

    Symmetric key algorithm: the same key is used for both encryption and decryption. Supported symmetric key algorithms are DES, 3DES, and AES; encrypting the session with one of them prevents data eavesdropping. Note that single DES has a 56-bit key and is no longer considered secure, so prefer AES (or at least 3DES) when choosing a cipher.
    Asymmetric key algorithm: also called public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 913 Currently, the switch that serves as an SSH server supports two SSH versions, SSH2 and SSH1, and the switch that serves as an SSH client supports only SSH2. Unless otherwise noted, SSH refers to SSH2 throughout this document. Version negotiation: the server listens on TCP port 22 for connection requests from clients.
  • Page 914: Ssh Server And Client

    The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods available for a new authentication attempt. The client selects an authentication type from the method list and authenticates again. This process repeats until authentication succeeds, or until the connection is torn down because the number of authentication attempts has reached the upper limit.
  • Page 915: Configuring The Ssh Server

    Figure 1-2 Network diagram for SSH connections

    Configure the devices accordingly. This document describes two cases:
    The switch acts as the SSH server to cooperate with software that supports the SSH client functions.
    The switch acts as the SSH server to cooperate with another switch that acts as an SSH client.
    Complete the following tasks to configure the SSH server and clients: Server side Server...
  • Page 916: Configuring The User Interfaces For Ssh Clients

    Task / Remarks
    Preparation: Configuring the User Interfaces for SSH Clients (Required)
    Configuring the SSH Management Functions (Optional)
    Version: Configuring the SSH Server to Be Compatible with SSH1 Clients (Optional). This task determines which SSH versions the server should support. By default, the SSH server is compatible with SSH1 clients. SSH1 relies on a CRC-32 integrity check that can be defeated and is considered insecure, so disable SSH1 compatibility unless a legacy client genuinely requires it.
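One concrete way to check which protocol versions a switch's SSH server actually offers is to read its identification string: RFC 4253 requires a server that accepts both SSH1 and SSH2 clients to announce protoversion 1.99, while an SSH2-only server announces 2.0. The following Python script is an added example, not from this manual and not H3C code: it parses such identification strings and produces an audit finding when SSH1 compatibility is still on, and it includes a helper for reading the string from a live host. The banner strings in it are constructed; the software name "Comware" in them is a placeholder, not the exact string this switch sends.

```python
import re
import socket
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# protoversion 1.99 means "SSH2 server that also accepts SSH1 clients".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def parse_banner(line: bytes) -> dict:
    """Parse one identification line. Raises ValueError for anything that is
    not an SSH identification string (for example a banner from another service)."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(text)
    if not m:
        raise ValueError("not an SSH identification string: %r" % text)
    proto = m.group("proto")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        "comment": m.group("comment"),
        # 1.3 and 1.5 are SSH1-only; 1.99 is SSH2 with SSH1 compatibility.
        "accepts_ssh1": proto.startswith("1."),
        "accepts_ssh2": proto in ("2.0", "1.99"),
    }


def ssh1_compatibility_finding(line: bytes) -> Optional[str]:
    """Return an audit finding string if the server still accepts SSH1 clients,
    or None if it is SSH2-only."""
    info = parse_banner(line)
    if info["accepts_ssh1"] and info["accepts_ssh2"]:
        return ("server advertises protoversion 1.99: SSH1 clients are accepted; "
                "disable SSH1 compatibility on the server")
    if info["accepts_ssh1"]:
        return "server advertises protoversion %s: SSH1 only" % info["protoversion"]
    return None


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the identification line from a live SSH server. Not used by the
    offline checks; a server may send other lines before the SSH- line
    (RFC 4253 section 4.2), so anything not starting with 'SSH-' is skipped."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as stream:
            for line in stream:
                if line.startswith(b"SSH-"):
                    return line
    raise ConnectionError("no SSH identification string received")


# Constructed sample banners (not captured from any real device).
SAMPLE_BANNERS = [
    b"SSH-1.99-Comware-3.0\r\n",
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
    b"SSH-1.5-LegacyServer\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner.strip().decode(), "->", ssh1_compatibility_finding(banner))
```

Run it against a switch with fetch_banner("<switch-ip>") and feed the result to ssh1_compatibility_finding; a 1.99 result means the compatibility setting described in the task above is still enabled.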
  • Page 917 To do... / Use the command... / Remarks
    Configure the authentication mode as scheme: authentication-mode scheme [ command-authorization ] (Required. By default, the user interface authentication mode is password.)
    Specify the supported protocol(s): protocol inbound { all | ssh } (Optional. By default, both Telnet and SSH are supported; setting protocol inbound ssh is what actually stops clear-text Telnet logins on these user interfaces.)
  • Page 918 To do... / Use the command... / Remarks
    Specify a source interface for the SSH server: ssh-server source-interface interface-type interface-number (Optional. By default, no source interface is configured.)
    You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User on the Server.
  • Page 919 To do... / Use the command... / Remarks
    Generate a DSA key pair: public-key local create dsa
    A generated key pair survives a reboot, so the command only needs to be run once. A longer key makes encryption and decryption slower but provides higher security.
  • Page 920 For remote authentication, the user information is saved on an authentication server (such as a RADIUS server) and authentication is implemented through the cooperation of the SSH server and the authentication server. For AAA details, refer to AAA Operation. Publickey authentication Publickey authentication provides more secure SSH connections than password authentication does.
  • Page 921 For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
  • Page 922: Assigning A Public Key To An Ssh User

    Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication.
  • Page 923: Exporting The Host Public Key To A File

    This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Follow these steps to assign a public key for an SSH user: To do...
  • Page 924: Configuring The Ssh Client

    With the filename argument specified, you can export the RSA or DSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format.
  • Page 925 Task / Remarks
    Opening an SSH connection with password authentication: required for password authentication; unnecessary for publickey authentication.
    Opening an SSH connection with publickey authentication: required for publickey authentication; unnecessary for password authentication.
    For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1;... These are the client releases current when this manual was written. Current OpenSSH releases disable ssh-dss host keys and the diffie-hellman-group1-sha1 key exchange by default, so a modern client may need those explicitly re-enabled for this host before it can connect.
  • Page 926 Figure 1-3 Generate a client key (1) Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and key pair generation stops.
  • Page 927 After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-5 Generate the client keys (3) Likewise, to save the private key, click Save private key. A warning window asks whether you really want to save the private key without a passphrase; a passphrase encrypts the key on disk, so that a copied .ppk file cannot be used on its own.
  • Page 928 Figure 1-7 Generate the client keys (5) Specifying the IP address of the Server Launch PuTTY.exe. The following window appears.
  • Page 929 Figure 1-8 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
  • Page 930 Figure 1-9 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES negotiation under SSH2. Opening an SSH connection with password authentication From the window shown in Figure...
  • Page 931: Configuring An Ssh Client Assumed By An Ssh2-Capable Switch

    Figure 1-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
  • Page 932 Configuring whether first-time authentication is supported
    When the device connects to an SSH server as an SSH client, you can configure whether it supports first-time authentication. With first-time authentication enabled, a client that has no copy of the server's host public key is still allowed to access the server the first time; it saves the host public key it receives and uses it to authenticate the server on subsequent connections. That first connection is therefore unauthenticated: anything that can intercept it can present its own key and be trusted from then on. Where this matters, disable first-time authentication and configure the server's host public key on the client out of band before the first connection.
  • Page 933: Displaying And Maintaining Ssh Configuration

    To do... / Use the command... / Remarks
    Enter system view: system-view
    Specify a source IP address for the SSH client: ssh2 source-ip ip-address (Optional. By default, no source IP address is configured.)
    Specify a source interface for the SSH client: ssh2 source-interface (Optional. By default, no source interface is configured.)...
  • Page 934: Comparison Of Ssh Commands With The Same Functions

    To do... / Use the command... / Remarks
    Display information about locally saved public keys of SSH peers: display public-key peer [ brief | name pubkey-name ]
    Display information about SSH status and about sessions of active connections with SSH clients: display ssh server { session | status }
    Display information about all SSH users: display ssh user-information [ username ]...
  • Page 935: Ssh Configuration Examples

    Operation / Original commands / Current commands
    Create an SSH user and specify publickey authentication as its authentication type: ssh user username authentication-type rsa (original) / ssh user username authentication-type publickey (current)
    After RSA key pairs are generated, the display rsa local-key-pair public command displays two public keys (the host public key and the server public key) when the switch is working in SSH1-compatible mode, but only one public key (the host public key) when the switch is working in SSH2 mode.
  • Page 936 Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 937 Figure 1-12 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-13 appears.
  • Page 938: When Switch Acts As Server For Password And Radius Authentication

    Figure 1-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 939 Network diagram Figure 1-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 940 Figure 1-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
  • Page 941 Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 942 Figure 1-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
  • Page 943: When Switch Acts As Server For Password And Hwtacacs Authentication

    Figure 1-18 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.
  • Page 944 Network diagram Figure 1-19 Switch acts as server for password and HWTACACS authentication Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign it an IP address. This address will be used as the IP address of the SSH server for SSH connections.
  • Page 945 [Switch-isp-bbb] scheme hwtacacs-scheme hwtac
    [Switch-isp-bbb] quit
    # Configure an SSH user, specifying that the switch performs password authentication for the user.
    [Switch] ssh user client001 authentication-type password

    Configure the SSH client
    # Configure an IP address (192.168.1.1 in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.
  • Page 946: When Switch Acts As Server For Publickey Authentication

    Figure 1-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the HWTACACS server.
  • Page 947 Under the publickey authentication mode, either an RSA or a DSA public key can be generated for the server to authenticate the client. This example uses an RSA public key. Configure the SSH server # Create a VLAN interface on the switch and assign it an IP address, which the SSH client will use as the destination for the SSH connection.
  • Page 948 Configure the SSH client (taking PuTTY version 0.58 as an example) # Generate an RSA key pair. Run PuTTYGen.exe, choose SSH2(RSA) and click Generate. Figure 1-23 Generate a client key pair (1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24.
  • Page 949 Figure 1-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-25 Generate a client key pair (3)
  • Page 950 Likewise, to save the private key, click Save private key. A warning window asks whether you really want to save the private key without a passphrase. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Figure 1-26 Generate a client key pair (4) After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client. Only the public key file is uploaded; the private key stays on the client.
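Before importing the uploaded public key file on the switch, or before trusting an exported host public key on a client, it is worth confirming out of band that the file carries the key you generated. The following Python script is an added example, not from this manual and not H3C code: it encodes a constructed toy RSA key into the SSH2 public key file format that PuTTYgen's Save public key button writes (RFC 4716, the "---- BEGIN SSH2 PUBLIC KEY ----" envelope), parses such a file back into its algorithm name and integers, and computes the MD5 colon-hex fingerprint (the form PuTTYgen 0.5x displays in its Key fingerprint field) and the OpenSSH-style SHA256 fingerprint of the key blob. The modulus in it is a constructed toy value, not a real key; everything else is standard SSH wire encoding.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, with a leading 0x00 when
    the top bit is set so a large positive modulus is not read as negative."""
    if n == 0:
        return _string(b"")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _string(body)


def encode_key_blob(algorithm: str, numbers: List[int]) -> bytes:
    """Wire-format public key blob: algorithm name, then its mpints
    (ssh-rsa: e, n; ssh-dss: p, q, g, y)."""
    return _string(algorithm.encode("ascii")) + b"".join(_mpint(x) for x in numbers)


def decode_key_blob(blob: bytes) -> Tuple[str, List[int]]:
    """Inverse of encode_key_blob; rejects truncated input instead of reading past it."""
    pos = 0

    def read_field() -> bytes:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (length,) = struct.unpack("!I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated key blob")
        field = blob[pos:pos + length]
        pos += length
        return field

    algorithm = read_field().decode("ascii")
    numbers = []
    while pos < len(blob):
        numbers.append(int.from_bytes(read_field(), "big"))
    return algorithm, numbers


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """Write the SSH2 public key file: BEGIN line, optional 'Comment:' header,
    base64 body wrapped at 70 columns, END line."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN]
    if comment:
        lines.append('Comment: "%s"' % comment)
    lines.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    lines.append(END)
    return "\n".join(lines) + "\n"


def parse_rfc4716(text: str) -> Tuple[str, List[int]]:
    """Read an RFC 4716 file back. Header lines are 'Name: value' and continue
    on the next line when they end in a backslash; base64 never contains ':',
    so a colon reliably marks a header line."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("missing RFC 4716 BEGIN marker")
    body, continued, ended = [], False, False
    for line in lines[1:]:
        line = line.strip()
        if line == END:
            ended = True
            break
        if continued or ":" in line:
            continued = line.endswith("\\")
            continue
        body.append(line)
    if not ended:
        raise ValueError("missing RFC 4716 END marker")
    return decode_key_blob(base64.b64decode("".join(body), validate=True))


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """MD5 colon-hex fingerprint and OpenSSH-style SHA256 (unpadded base64)."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return md5_fp, "SHA256:" + sha


# Constructed toy key: a 256-bit odd number standing in for an RSA modulus.
# It is not a real key and exists only to exercise the format (top bit set,
# so the mpint leading-zero rule is taken).
DEMO_E = 65537
DEMO_N = (1 << 255) + 12345
DEMO_BLOB = encode_key_blob("ssh-rsa", [DEMO_E, DEMO_N])
DEMO_FILE = to_rfc4716(DEMO_BLOB, comment="rsa-key-demo")

if __name__ == "__main__":
    print(DEMO_FILE)
    print(parse_rfc4716(DEMO_FILE))
    print(*fingerprints(DEMO_BLOB), sep="\n")
```

Run parse_rfc4716 over the file you are about to upload and compare the fingerprint with what the key generator showed; a mismatch means the wrong file, or a modified one, is about to be trusted.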
  • Page 951 Figure 1-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears.
  • Page 952: When Switch Acts As Client For Password Authentication

    Figure 1-29 SSH client configuration interface (3) Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username.
  • Page 953 [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login.
    # Generate RSA and DSA key pairs.
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [SwitchB] user-interface vty 0 4
    [SwitchB-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 954: When Switch Acts As Client For Publickey Authentication

    When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 1-31, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 955 [SwitchB-ui-vty0-4] quit
    # Specify the authentication type of user client001 as publickey.
    [SwitchB] ssh user client001 authentication-type publickey
    Before doing the following steps, you must first generate a DSA key pair on the client, export its public key to a file named Switch001, and upload that file to the SSH server through FTP or TFTP. Only the public key leaves the client; the private key never does. For details, refer to "Configure Switch A".
  • Page 956: When Switch Acts As Client And First-Time Authentication Is Not Supported

    When Switch Acts as Client and First-Time Authentication is not Supported Network requirements As shown in Figure 1-32, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 957 Before doing the following steps, you must first generate a DSA key pair on the client, export its public key to a file named Switch001, and upload that file to the SSH server through FTP or TFTP. For details, refer to the following "Configure Switch A".
  • Page 958 When first-time authentication is not supported, you must first generate a DSA key pair on the server, export its host public key to a file named Switch002, and upload that file to the SSH client through FTP or TFTP. For details, refer to the above part "Configure Switch B". Transfer the file over a channel you trust, or verify its fingerprint out of band, because this key is what the client will use to authenticate the server.
    # Import the public key named Switch002 from the file Switch002.
  • Page 959 Table of Contents
    1 File System Management Configuration (1-1)
    File System Configuration (1-1)
    Introduction to File System (1-1)
    File System Configuration Task List (1-1)
    Directory Operations (1-2)
    File Operations (1-2)
    Flash Memory Operations (1-3)
    Prompt Mode Configuration (1-4)
    File System Configuration Examples (1-4)
    File Attribute Configuration (1-5)
    Introduction to File Attributes (1-5)
    Booting with the Startup File (1-6)...
  • Page 960: File System Management Configuration

    File System Configuration Introduction to File System To facilitate management on the switch memory, S5600 series Ethernet switches provide the file system function, allowing you to access and manage the files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
  • Page 961: Directory Operations

    Directory Operations
    The file system provides directory-related functions, such as: creating/deleting a directory; displaying the current working directory or the contents of a specified directory.
    Follow these steps to perform directory-related operations:
    To do… / Use the command… / Remarks
    Create a directory: mkdir directory (Optional. Available in user view)
    Optional...
  • Page 962: Flash Memory Operations

    To do… / Use the command… / Remarks
    Rename a file: rename fileurl-source fileurl-dest (Optional. Available in user view)
    Copy a file: copy fileurl-source fileurl-dest (Optional. Available in user view)
    Move a file: move fileurl-source fileurl-dest (Optional. Available in user view)
    Display the content of a file: more file-url (Optional. Available in user view)...
  • Page 963: Prompt Mode Configuration

    The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable. Prompt Mode Configuration You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause data loss, for example, deleting or overwriting a file.
  • Page 964: File Attribute Configuration

    1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin
    -rwh Apr 01 2000 23:55:49 snmpboots
    -rwh Apr 02 2000 00:47:30 hostkey
    -rwh Apr 02 2000 00:47:38 serverkey
    -rw- 1220 Apr 02 2000 00:06:57 song.cfg
    -rw- 5026103 Jan 01 1970 00:04:34 testv1r1.bin
    -rwh Apr 01 2000 23:55:53...
  • Page 965: Booting With The Startup File

    The device selects the main startup file as the preferred startup file. If the device fails to boot with the main startup file, it boots with the backup startup file. For the Web file and the configuration file, Hangzhou H3C Technologies Co., Ltd (referred to as H3C hereinafter) may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a fixed order.
  • Page 966: Configuration File Backup And Restoration

    To do… / Use the command… / Remarks
    Configure the app file with the backup attribute for the next startup: boot boot-loader backup-attribute file-url [ fabric ] (Optional. Available in user view)
    Configure the Web file and its attribute: boot web-package webfile { backup | main } (Optional. Available in user view)...
  • Page 967: File Backup And Restoration

    The configurations of different units in the fabric system can be saved in different .cfg configuration files on the TFTP server. These configuration files form the startup configuration of the whole fabric. File Backup and Restoration Configuration prerequisites Before performing the following operations, you must first ensure that: The relevant units support TFTP client.
  • Page 968 Table of Contents 1 FTP and SFTP Configuration····················································································································1-1 Introduction to FTP and SFTP ················································································································1-1 Introduction to FTP ··························································································································1-1 Introduction to SFTP························································································································1-2 FTP Configuration ···································································································································1-2 FTP Configuration: A Switch Operating as an FTP Server ·····························································1-2 FTP Configuration: A Switch Operating as an FTP Client ······························································1-6 Configuration Example: A Switch Operating as an FTP Server······················································1-9 FTP Banner Display Configuration Example·················································································1-11 FTP Configuration: A Switch Operating as an FTP Client ····························································1-12...
  • Page 969: Ftp And Sftp Configuration

    Binary mode for program file transfer; ASCII mode for text file transfer.
    An H3C S5600 series Ethernet switch can act as an FTP client or the FTP server in FTP-employed data transmission:
    Table 1-1 Roles that an H3C S5600 series Ethernet switch acts as in FTP...
  • Page 970: Introduction To Sftp

    downloading files from an FTP server, and stops rotating when the file download is finished, as shown in Figure 1-1. Figure 1-1 Clockwise rotating of the seven-segment digital LED
    Introduction to SFTP
    Secure FTP (SFTP) runs over an SSH2 connection. It allows a remote user to log in to the switch to manage and transfer files, and unlike FTP, which sends user names, passwords and file contents in clear text, it protects the data in transit.
  • Page 971 Disabled by default. Only one user can access an H3C S5600 series Ethernet switch at a given time when the latter operates as an FTP server. Operating as an FTP server, an H3C S5600 series Ethernet switch cannot receive a file whose size exceeds its storage space.
  • Page 972 To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure the connection idle time for the FTP server: ftp timeout minutes (Optional. 30 minutes by default)
    Specifying the source interface and source IP address for an FTP server
    You can specify the source interface and source IP address for an FTP server to enhance server security.
  • Page 973 ...a specified user from the FTP server (Required)
    With an H3C S5600 series Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the switch disconnects the user only after the data transfer is completed.
  • Page 974: Ftp Configuration: A Switch Operating As An Ftp Client

    Figure 1-3 Process of displaying a shell banner
    Follow these steps to configure the banner display for an FTP server:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure a login banner: header login text (Required. Use either command or both. By default, no banner is configured.)
    Configure a shell banner: header shell text
  • Page 975 To do… / Use the command… / Remarks
    Specify to transfer files in ASCII characters: ascii (Use either command. By default, files are transferred in ASCII characters.)
    Specify to transfer files in binary streams: binary
    Set the data transfer mode to passive: passive (Optional. Passive by default.)
  • Page 976 To do… / Use the command… / Remarks
    Download a remote file from the FTP server: get remotefile [ localfile ]
    Upload a local file to the remote FTP server: put localfile [ remotefile ]
    Rename a file on the remote server: rename remote-source remote-dest
    Log in with the specified user: user username [ password ]...
  • Page 977: Configuration Example: A Switch Operating As An Ftp Server

    The specified interface must be an existing one; otherwise a prompt shows that the configuration fails. The value of the ip-address argument must be an IP address of the device where the configuration is performed; otherwise a prompt shows that the configuration fails. A source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for all connections.
  • Page 978 <Sysname> system-view
    [Sysname] ftp server enable
    [Sysname] local-user switch
    [Sysname-luser-switch] password simple hello
    [Sysname-luser-switch] service-type ftp
    Configure the PC (FTP client)
    Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
    Note that password simple stores the password in clear text in the configuration, and FTP itself carries it in clear text on the wire, so a configuration file downloaded this way exposes every such credential.
  • Page 979: Ftp Banner Display Configuration Example

    Boot ROM menu. H3C series switches are not shipped with FTP client application software; you need to obtain and install one yourself. Configure Switch A (FTP server) # After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file for the next start of the switch, and restart the switch.
  • Page 980: Ftp Configuration: A Switch Operating As An Ftp Client

    Network diagram Figure 1-5 Network diagram for FTP banner display configuration Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
  • Page 981 Network diagram Figure 1-6 Network diagram for FTP configurations: a switch operating as an FTP client Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello.
  • Page 982: Sftp Configuration: A Switch Operating As An Sftp Server

    [ftp] quit <Sysname> # After downloading the file, use the boot boot-loader command to specify the downloaded file (switch.bin) to be the application for next startup, and then restart the switch. Thus the switch application is upgraded. <Sysname> boot boot-loader switch.bin <Sysname>...
  • Page 983: Sftp Configuration: A Switch Operating As An Sftp Client

    10 minutes by default. Supported SFTP client software An H3C S5600 series Ethernet switch operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
  • Page 984 To do…: Enter SFTP client view
    Use the command…: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | prefer_stoc_cipher { 3des | des | aes128 } |...
    Remarks: Required
  • Page 985: Sftp Configuration Example

    If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
  • Page 986 # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Sysname-Vlan-interface1] quit # Specify the SSH authentication mode as AAA.
  • Page 987 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub -rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z Received status: End of file Received status: Success sftp-client>...
  • Page 988 Remote file:/pubkey2 ---> Local file: public.. Received status: End of file Received status: Success Downloading file successfully ended # Upload file pu to the server and rename it as puk, and then verify the result. sftp-client> put pu puk This operation may take a long time, please wait... Local file: pu --->...
  • Page 989: Tftp Configuration

    An H3C S5600 series Ethernet switch can act as a TFTP client only. When an S5600 series Ethernet switch serving as a TFTP client downloads files from the TFTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise, and it stops rotating...
  • Page 990: Tftp Configuration

    TFTP Configuration Complete the following tasks to configure TFTP:
    Task: Basic configurations on a TFTP client (TFTP Configuration: A Switch Operating as a TFTP Client); Remarks: —
    Task: Specifying the source interface or source IP address for a TFTP client (TFTP Configuration: A Switch Operating as a TFTP Client); Remarks: Optional
    Task: TFTP server configuration; Remarks: For details, see the corresponding manual —...
  • Page 991: Tftp Configuration Example

    To do…: Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server; Use the command…: tftp source-interface interface-type interface-number
    To do…: Specify an IP address as the source IP address a TFTP client uses every time it connects to a...; Use the command…: tftp source-ip ip-address
    Remarks (for both commands): Use either command. Not specified by default.
  • Page 992 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.) <Sysname>...
  • Page 993 <Sysname> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
  • Page 994 Table of Contents
    1 Information Center 1-1
    Information Center Overview 1-1
    Introduction to Information Center 1-1
    System Information Format 1-4
    Information Center Configuration 1-7
    Information Center Configuration Task List 1-7
    Configuring Synchronous Information Output 1-7
    Configuring to Display the Time Stamp with the UTC Time Zone 1-8
    Setting to Output System Information to the Console 1-8
    Setting to Output System Information to a Monitor Terminal 1-10
    Setting to Output System Information to a Log Host 1-11...
  • Page 995: Information Center Overview

    Information Center When configuring the information center, go to these sections for the information you are interested in: Information Center Overview; Information Center Configuration; Displaying and Maintaining Information Center; Information Center Configuration Examples. Information Center Overview Introduction to Information Center Acting as the system information hub, the information center classifies and manages system information. Together with the debugging function (the debugging command), the information center offers powerful support to network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 996 If the threshold is set to 1, only information with the severity emergencies is output; if the threshold is set to 8, information of all severities is output. Ten channels and six output destinations of system information The system supports six information output destinations: the console, monitor terminal (monitor), logbuffer, loghost, trapbuffer and SNMP.
  • Page 997 Module name: Description
    Access control list module
    ADBM: Address base module
    Access management module
    Address resolution protocol module
    Command line module
    Device management module
    DHCP: Dynamic host configuration protocol module
    Domain name system module
    Ethernet module
    Forwarding module
    Fabric topology management module
    FTMCMD: Fabric topology management command module
    FTPS...
  • Page 998: System Information Format

    Module name: Description
    TELNET: Telnet module
    TFTPC: TFTP client module
    VLAN: Virtual local area network module
    VRRP: Virtual router redundancy protocol module
    Virtual type terminal module
    XModem module
    default: Default settings for all the modules
    To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output destinations.
  • Page 999 If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 1000 %Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login
    Sysname: Sysname is the system name of the local switch and defaults to “H3C”. You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields.

This manual is also suitable for: S5600-26c, S5600-26c-pwr, S5600-26f, S5600-50c, S5600-50c-pwr
