H3C S5810 Series Operation Manual

H3C S5810 Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 6W100-20090626
Product Version: Release 1102

Summary of Contents for H3C S5810 Series

  • Page 1 H3C S5810 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 6W100-20090626 Product Version: Release 1102...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3: About This Manual

    About This Manual Organization H3C S5810 Series Ethernet Switches Operation Manual is organized as follows: Volume Features 00-Product Product Overview Acronyms Overview Loopback Interface Ethernet Interface Link Aggregation Port Isolation and Null Interface 01-Access Volume DLDP LLDP MSTP Smart Link...
  • Page 4 Means a complementary description. Means techniques helpful for you to make configuration with ease. Related Documentation In addition to this manual, each H3C S5810 Series Ethernet Switch documentation set includes the following: Manual Description It introduces the installation procedure,...
  • Page 5 Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at this URL: http://www.h3c.com. The following are the columns from which you can obtain different categories of product documentation: [Products & Solutions]: Provides information about products and technologies, as well as solutions.
  • Page 6: Table Of Contents

    Table of Contents
    1 Obtaining the Documentation (1-1)
      H3C Website (1-1)
      Software Release Notes (1-1)
    2 Product Features (2-1)
      Introduction to Product (2-1)
      Feature Lists (2-1)
    3 Features (3-1)
      Access Volume (3-1)
      IP Services Volume (3-3)
      IP Routing Volume (3-4)
      IP Multicast Volume (3-4)
      QoS Volume (3-5)
    ...
  • Page 7: Obtaining The Documentation

    Obtaining the Documentation H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentation and the documentation for newly added features. The documentation is available in one of the following ways:...
  • Page 8: Product Features

    Product Features Introduction to Product The H3C S5810 series switches (hereinafter referred to as the S5810 series) are Gigabit Ethernet switches developed by H3C Technologies Co., Ltd. The S5810 series provide rich features. They provide the enhanced forwarding function and 10GE ports. Optimized for data center applications, the...
  • Page 9: Features

    Features The following sections provide an overview of the main features of each module supported by the S5810 series. Access Volume Table 3-1 Features in Access volume Features Description This document describes: Basic Ethernet Interface Configuration Combo Port Configuration Configuring Flow Control on an Ethernet Interface...
  • Page 10 Features Description In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction Enabling DLDP Setting DLDP Mode DLDP Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication...
  • Page 11: Ip Services Volume

    Features Description Port mirroring copies packets passing through a port to another port connected with a monitoring device for packet analysis to help implement network monitoring and troubleshooting. This document describes: Port Mirroring Port Mirroring overview Local port mirroring configuration Remote port mirroring configuration IP Services Volume Table 3-2 Features in the IP Services volume...
  • Page 12: Ip Routing Volume

    IP Routing Volume Table 3-3 Features in the IP Routing volume Features Description This document describes: IP Routing Overview Introduction to IP routing and routing table Routing protocol overview A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 13: Qos Volume

    QoS Volume Table 3-5 Features in the QoS ACL volume Features Description This document describes: QoS overview QoS policy configuration Priority mapping configuration Traffic policing Configuration Traffic shaping Configuration Aggregation CAR Configuration Congestion management Traffic mirroring configuration Port buffer configuration Security Volume Table 3-6 Features in the Security volume Features...
  • Page 14: System Volume

    Features Description An ACL is used for identifying traffic based on a series of preset matching criteria. This document describes: ACL overview and ACL types ACL configuration ACL Application for Packet Filtering System Volume Table 3-7 Features in the System volume Features Description Upon logging into a device, you can configure user interface properties...
  • Page 15 Features Description Simple network management protocol (SNMP) offers a framework to monitor network devices through TCP/IP protocol suite. This document describes: SNMP overview SNMP Basic SNMP function configuration SNMP log configuration Trap configuration MIB style configuration RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive and effective way.
  • Page 16 Features Description Virtual Router Redundancy Protocol (VRRP) combines a group of switches (including a master and multiple backups) on a LAN into a virtual router called VRRP group. VRRP streamlines host configuration while providing high reliability. This document describes: VRRP VRRP overview IPv4-Based VRRP configuration IPv6-Based VRRP configuration...
  • Page 17 Appendix A Acronyms # A B C D E F G H I K L M N O P Q R S T U V W X Z Acronyms Full spelling Return 10GE Ten-GigabitEthernet Return Authentication, Authorization and Accounting Activity Based Costing Area Border Router Alternating Current ACKnowledgement...
  • Page 18 Acronyms Full spelling Border Gateway Protocol BIMS Branch Intelligent Management System BOOTP Bootstrap Protocol BPDU Bridge Protocol Data Unit Basic Rate Interface Bootstrap Router BitTorrent Burst Tolerance Return Call Appearance Certificate Authority Committed Access Rate Committed Burst Size Class Based Queuing Constant Bit Rate Core-Based Tree International Telephone and Telegraph Consultative...
  • Page 19 Acronyms Full spelling Connectivity Verification Return Deeper Application Recognition Data Circuit-terminal Equipment Database Description Digital Data Network DHCP Dynamic Host Configuration Protocol Designated IS DLCI Data Link Connection Identifier DLDP Device Link Detection Protocol Domain Name System Downstream on Demand Denial of Service Designated Router DSCP...
  • Page 20 Acronyms Full spelling Forward Defect Indication Forwarding Equivalence Class Fast Failure Detection Forwarding Group Forwarding information base FIFO First In First Out FQDN Full Qualified Domain Name Frame Relay Fast ReRoute FRTT Fairness Round Trip Time Functional Test File Transfer Protocol Return GARP Generic Attribute Registration Protocol...
  • Page 21 Acronyms Full spelling International Business Machines ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol for IPv6 IDentification/IDentity IEEE Institute of Electrical and Electronics Engineers IETF Internet Engineering Task Force IGMP Internet Group Management Protocol IGMP-Snooping Internet Group Management Protocol Snooping Interior Gateway Protocol Incoming Label Map Internet Locator Service...
  • Page 22 Acronyms Full spelling LACP Link Aggregation Control Protocol LACPDU Link Aggregation Control Protocol Data Unit Local Area Network Link Control Protocol LDAP Lightweight Directory Access Protocol Label Distribution Protocol Label Edge Router LFIB Label Forwarding Information Base Label Information Base Link Layer Control LLDP Link Layer Discovery Protocol...
  • Page 23 Acronyms Full spelling Multicast Listener Discovery Protocol MLD-Snooping Multicast Listener Discovery Snooping Meet-Me Conference MODEM MOdulator-DEModulator Multilink PPP MP-BGP Multiprotocol extensions for BGP-4 Middle-level PE MP-group Multilink Point to Point Protocol group MPLS Multiprotocol Label Switching MPLSFW Multi-protocol Label Switch Forward Multicast Port Management Mobile Switching Center MSDP...
  • Page 24 Acronyms Full spelling Network Management Station NPDU Network Protocol Data Unit Network Provider Edge Network Quality Analyzer NSAP Network Service Access Point NetStream Collector N-SEL NSAP Selector NSSA Not-So-Stubby Area NTDP Neighbor Topology Discovery Protocol Network Time Protocol Return Operation Administration and Maintenance OAMPDU OAM Protocol Data Units OC-3...
  • Page 25 Acronyms Full spelling Power over Ethernet Point Of Presence Packet Over SDH Point-to-Point Protocol PPTP Point to Point Tunneling Protocol PPVPN Provider-provisioned Virtual Private Network Priority Queuing Primary Reference Clock Primary Rate Interface Protection Switching Power Sourcing Equipment PSNP Partial SNP Permanent Virtual Channel Pseudo wires Return...
  • Page 26 Acronyms Full spelling Resilient Packet Ring Rendezvous Point Tree RRPP Rapid Ring Protection Protocol Reservation State Block RSOH Regenerator Section Overhead RSTP Rapid Spanning Tree Protocol RSVP Resource ReserVation Protocol RTCP Real-time Transport Control Protocol Route Table Entry Real-time Transport Protocol Real-time Transport Protocol Return Source Active...
  • Page 27 Acronyms Full spelling Shortest Path First Shortest Path Tree Secure Shell Synchronization Status Marker Source-Specific Multicast Shared Tree STM-1 SDH Transport Module -1 STM-16 SDH Transport Module -16 STM-16c SDH Transport Module -16c STM-4c SDH Transport Module -4c Spanning Tree Protocol Signalling Virtual Connection Switch-MDT Switch-Multicast Distribution Tree...
  • Page 28 Acronyms Full spelling Return Variable Bit Rate Virtual Channel Identifier Virtual Ethernet Virtual File System VLAN Virtual Local Area Network Virtual Leased Lines Video On Demand VoIP Voice over IP Virtual Operate System VPDN Virtual Private Dial-up Network VPDN Virtual Private Data Network Virtual Path Identifier VPLS Virtual Private Local Switch...
  • Page 29: Manual Version

    Access Volume. Manual Version: 6W100-20090626. Product Version: Release 1102. Organization: The Access Volume is organized as follows: Features Description This document describes: Basic Ethernet Interface Configuration Combo Port Configuration Configuring Flow Control on an Ethernet Interface Configuring the Suppression Time of Physical-Link-State Change on an Ethernet Interface Configuring Loopback Testing on an Ethernet Interface Ethernet Interface...
  • Page 30 Features Description This document describes: Introduction to Loopback Interface Loopback Interface and Configuring a Loopback Interface Null Interface Introduction to Null Interface Configuring Null 0 Interface In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: DLDP Introduction Enabling DLDP Setting DLDP Mode...
  • Page 31 Features Description Using the VLAN technology, you can partition a LAN into multiple logical LANs. This document describes: Introduction to VLAN VLAN Types of VLAN Isolate-user-vlan configuration Introduction and Configuration of Voice VLAN GVRP is a GARP application. This document describes: GARP overview GVRP GVRP configuration...
  • Page 32 Table of Contents
    1 Ethernet Interface Configuration (1-1)
      General Ethernet Interface Configuration (1-1)
        Combo Port Configuration (1-1)
        Management Ethernet Interface Configuration (1-1)
        Basic Ethernet Interface Configuration (1-2)
        Configuring Flow Control on an Ethernet Interface (1-3)
        Configuring Loopback Testing on an Ethernet Interface (1-4)
        Enabling Auto Power Down on an Ethernet Interface (1-4)
        Configuring a Port Group (1-5)
        Configuring Storm Suppression (1-5)
    ...
  • Page 33: Ethernet Interface Configuration

    Ethernet Interface Configuration When configuring Ethernet interfaces, go to these sections for information you are interested in: General Ethernet Interface Configuration Displaying and Maintaining an Ethernet Interface General Ethernet Interface Configuration Combo Port Configuration Introduction to Combo ports A Combo port comprises an optical (fiber) port and an electrical (copper) port. The two ports share one forwarding interface and thus they cannot work at the same time.
  • Page 34: Basic Ethernet Interface Configuration

    connection speed than a common Ethernet interface when used for operations such as software loading and network management. Configuring a management Ethernet interface Follow these steps to configure a management Ethernet interface: To do… Use the command… Remarks Enter system view system-view —...
  • Page 35: Configuring Flow Control On An Ethernet Interface

    To do… / Use the command… / Remarks
    Set the duplex mode / duplex { auto | full | half } / Optional. auto by default. The optical interface of a Combo port and the electrical interface of an Ethernet port whose port rate is configured as 1000 Mbps do not support the half keyword.
  • Page 36: Configuring Loopback Testing On An Ethernet Interface

    Configuring Loopback Testing on an Ethernet Interface You can enable loopback testing to check whether the Ethernet interface functions properly. Note that no data packets can be forwarded during the testing. Loopback testing falls into the following two categories: Internal loopback testing, which is performed within switching chips to test the functions related to the Ethernet interfaces.
  • Page 37: Configuring A Port Group

    For an S5810 series Ethernet switch, the configuration of auto power down does not take effect on GigabitEthernet 1/0/45 through GigabitEthernet 1/0/48. Configuring a Port Group The devices allow you to configure some functions on multiple interfaces at a time by assigning the interfaces to a port group in addition to configuring them on a per-interface basis.
  • Page 38: Setting The Interval For Collecting Ethernet Interface Statistics

    To do… / Use the command… / Remarks
    Enter system view / system-view / —
    Enter Ethernet interface view / interface interface-type interface-number / Use either command. If configured in Ethernet interface view, this feature takes effect on the current port only; if configured in port group view, this feature takes...
    Enter port...
  • Page 39: Enabling Forwarding Of Jumbo Frames

    Enabling Forwarding of Jumbo Frames Due to the tremendous amount of traffic occurring on an Ethernet interface, it is likely that some frames greater than the standard Ethernet frame size are received. Such frames (called jumbo frames) will be dropped. With forwarding of jumbo frames enabled, the system does not drop all the jumbo frames. Instead, it continues to process jumbo frames with a size greater than the standard Ethernet frame size and yet within the specified parameter range.
  • Page 40: Configuring The Mdi Mode For An Ethernet Interface

    To do… / Use the command… / Remarks
    Enable loopback detection on a port / loopback-detection enable / Required. Disabled by default.
    Enable loopback detection control on a trunk port or a hybrid port / loopback-detection control enable / Optional. Disabled by default.
    Enable loopback detection in all the VLANs to which trunk or... / loopback-detection per-vlan / Optional. Enabled only in the default...
  • Page 41: Enabling Bridging On An Ethernet Interface

    When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto. Follow these steps to configure the MDI mode for an Ethernet interface: To do…...
  • Page 42: Configuring The Storm Constrain Function On An Ethernet Interface

    To do… / Use the command… / Remarks
    Test the cable connected to the Ethernet interface once / virtual-cable-test / Required
    Configuring the Storm Constrain Function on an Ethernet Interface The storm constrain function suppresses packet storms on an Ethernet. With this function enabled on an interface, the system periodically detects the unicast traffic, multicast traffic, or broadcast traffic passing through the interface and takes corresponding actions (that is, blocking or shutting down the interface and sending trap messages and logs) when the traffic detected exceeds the threshold.
  • Page 43: Displaying And Maintaining An Ethernet Interface

    To do… / Use the command… / Remarks
    Specify to send trap messages when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher... / storm-constrain enable trap / Optional. By default, the system sends trap messages when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point...
  • Page 44
    To do… / Use the command… / Remarks
    Display the information about storm constrain / display storm-constrain [ broadcast | multicast | unicast ] [ interface interface-type interface-number ] / Available in any view...
  • Page 45 Table of Contents
    1 Link Aggregation Configuration (1-1)
      Overview (1-1)
        Basic Concepts of Link Aggregation (1-1)
        Link Aggregation Modes (1-3)
        Load Sharing Mode of an Aggregation Group (1-5)
      Link Aggregation Configuration Task List (1-5)
      Configuring an Aggregation Group (1-5)
        Configuring a Static Aggregation Group (1-6)
        Configuring a Dynamic Aggregation Group (1-6)
      Configuring an Aggregate Interface (1-7)
        Configuring the Description of an Aggregate Interface (1-7)
    ...
  • Page 46: Link Aggregation Configuration

    If the aggregate interface is a Layer-3 interface, a Layer-3 aggregation group is created. You can assign only Layer-3 Ethernet interfaces to the group. The H3C S5810 series switches support only Layer-2 aggregation groups. States of the member ports in an aggregation group...
  • Page 47 Selected: a selected port can forward user traffic. Unselected: an unselected port cannot forward user traffic. The rate of an aggregate interface is the sum of the selected member ports’ rates. The duplex mode of an aggregate interface is consistent with that of the selected member ports. Note that all selected member ports use the same duplex mode.
  • Page 48: Link Aggregation Modes

    Some configurations are called class-one configurations. Such configurations, for example, GVRP and MSTP, can be configured on aggregate interfaces and member ports but will not affect the selected state of link aggregation member ports. A change to a class-two configuration setting may affect the selected state of link aggregation member ports and thus the ongoing service.
  • Page 49 A port that joins the aggregation group after the limit on the number of selected ports has been reached will not be placed in the selected state even if it should be in normal cases. This can prevent the ongoing traffic on the current selected ports from being interrupted.
  • Page 50: Load Sharing Mode Of An Aggregation Group

    Load Sharing Mode of an Aggregation Group The link aggregation groups created on the S5810 series Ethernet switches always operate in load sharing mode, even when they contain only one member port. Link Aggregation Configuration Task List...
  • Page 51: Configuring A Static Aggregation Group

    Configuring a Static Aggregation Group Follow these steps to configure a Layer-2 static aggregation group:
    To do... / Use the command... / Remarks
    Enter system view / system-view / —
    Create a Layer-2 aggregate interface and enter the Layer-2... / interface bridge-aggregation interface-number / Required. When you create a Layer-2 aggregate interface, a Layer-2...
  • Page 52: Configuring An Aggregate Interface

    To do... / Use the command... / Remarks
    Configure the aggregation group to work in dynamic aggregation mode / link-aggregation mode dynamic / Required. By default, an aggregation group works in static aggregation mode.
    Exit to system view / quit / —
    Enter Ethernet interface view / interface interface-type interface-number / Required...
  • Page 53: Enabling Linkup/Linkdown Trap Generation For An Aggregate Interface

    To do... / Use the command... / Remarks
    Configure the description of the aggregate interface / description text / Optional. By default, the description of an interface is interface-name Interface, such as Bridge-Aggregation1 Interface.
    Enabling LinkUp/LinkDown Trap Generation for an Aggregate Interface To enable an aggregate interface to generate linkUp/linkDown trap messages when the state of the interface changes, you should enable linkUp/linkDown trap generation on the aggregate interface.
  • Page 54: Configuring A Load Sharing Mode For Load-Sharing Link Aggregation Groups

    You are advised not to run the shutdown command and then the undo shutdown command on a member port of the aggregation group corresponding to an aggregate interface that is already shut down. Otherwise, when the member port is brought up, the selected state of the remote port will be affected.
  • Page 55: Link Aggregation Configuration Examples

    To do... / Use the command... / Remarks
    Display link aggregation details of ports / display link-aggregation member-port [ interface-type interface-number [ to interface-type interface-number ] ] / Available in any view
    Display the summary information of all aggregation groups / display link-aggregation summary / Available in any view
    display link-aggregation...
  • Page 56: Layer-2 Dynamic Aggregation Configuration Example

    Figure 1-1 Network diagram for Layer-2 static aggregation (Device A and Device B connected through a link aggregation)
    Configuration procedure
    Configure Device A
    # Configure the device to perform load sharing based on source and destination MAC addresses for link aggregation groups.
    <DeviceA> system-view
    [DeviceA] link-aggregation load-sharing mode source-mac destination-mac
    # Create Layer-2 aggregate interface Bridge-aggregation 1.
  • Page 57: Configuration Procedure

    Figure 1-2 Network diagram for Layer-2 dynamic aggregation (Device A and Device B connected through a link aggregation)
    Configuration procedure
    Configure Device A
    # Configure the device to perform load sharing based on source and destination MAC addresses for link aggregation groups.
    <DeviceA> system-view
    [DeviceA] link-aggregation load-sharing mode source-mac destination-mac
    # Create a Layer-2 aggregate interface Bridge-Aggregation 1 and configure the interface to work in dynamic aggregation mode.
  • Page 58 Table of Contents
    1 Port Isolation Configuration (1-1)
      Introduction to Port Isolation (1-1)
      Configuring the Isolation Group for an Isolation-Group Device (1-2)
        Assigning a Port to the Isolation Group (1-2)
        Specifying the Uplink Port for the Isolation Group (1-2)
      Displaying and Maintaining Isolation Groups (1-3)
      Port Isolation Configuration Example (1-4)
    ...
  • Page 59: Port Isolation Configuration

    Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: Introduction to Port Isolation Configuring the Isolation Group for an Isolation-Group Device Displaying and Maintaining Isolation Groups Port Isolation Configuration Example Introduction to Port Isolation Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs.
  • Page 60: Configuring The Isolation Group For An Isolation-Group Device

    Figure 1-1 Layer 2 traffic forwarding for an isolation group The arrows in the above figure indicate the direction in which Layer 2 traffic moves. In the same VLAN, the Layer 2 traffic of an isolated port in an isolation group cannot reach a port outside the isolation group.
  • Page 61: Displaying And Maintaining Isolation Groups

    To do… / Use the command… / Remarks
    Enter system view / system-view / —
    Enter Ethernet or Layer 2 aggregate interface view: Enter Ethernet interface view / interface interface-type interface-number / Required. Use either command. In Ethernet interface view, subsequent configurations apply to the current port; in Layer 2 aggregate interface view, only the Layer 2 aggregate interface is configured as the uplink port of the isolation group.
  • Page 62: Port Isolation Configuration Example

    Port Isolation Configuration Example Network requirements Users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 of Device. Device is connected to the Internet through GigabitEthernet 1/0/4. GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 belong to VLAN 2.
  • Page 63 Port-isolate group information: Uplink port support: YES Group ID: 1 Uplink port: GigabitEthernet1/0/4 Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3...
  • Page 64 Table of Contents
    1 Logical Interface Configuration (1-1)
      Loopback Interface (1-1)
        Introduction to Loopback Interface (1-1)
        Configuring a Loopback Interface (1-1)
      Null Interface (1-2)
        Introduction to Null Interface (1-2)
        Configuring Null 0 Interface (1-2)
      Displaying and Maintaining Logical Interfaces (1-3)
    ...
  • Page 65: Logical Interface Configuration

    Logical Interface Configuration When configuring logical interfaces, go to these sections for information you are interested in: Loopback Interface Null Interface Displaying and Maintaining Logical Interfaces Loopback Interface Introduction to Loopback Interface A loopback interface is a software-only virtual interface. The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down.
  • Page 66: Null Interface

    To do… / Use the command… / Remarks
    Create a Loopback interface and enter Loopback interface view / interface loopback interface-number / —
    Set a description for the loopback interface / description text / Optional. By default, the description of an interface is the interface name followed by the “Interface”...
  • Page 67: Displaying And Maintaining Logical Interfaces

    To do… / Use the command… / Remarks
    Enter null interface view / interface null 0 / Required. The Null 0 interface is the default null interface on your device. It cannot be manually created or removed.
    Set a description for the null interface / description text / Optional. By default, the description of an interface is the interface name followed by the...
  • Page 68 Table of Contents
    1 DLDP Configuration (1-1)
      Overview (1-1)
        DLDP Introduction (1-2)
        DLDP Fundamentals (1-2)
      DLDP Configuration Task List (1-8)
      Enabling DLDP (1-9)
      Setting DLDP Mode (1-9)
      Setting the Interval for Sending Advertisement Packets (1-10)
      Setting the DelayDown Timer (1-10)
      Setting the Port Shutdown Mode (1-11)
      Configuring DLDP Authentication (1-11)
      Resetting DLDP State (1-12)
        Resetting DLDP State in System View (1-12)
    ...
  • Page 69: Dldp Configuration

    DLDP Configuration When performing DLDP configuration, go to these sections for information you are interested in: Overview DLDP Configuration Task List Enabling DLDP Setting DLDP Mode Setting the Interval for Sending Advertisement Packets Setting the DelayDown Timer Setting the Port Shutdown Mode Configuring DLDP Authentication Resetting DLDP State Displaying and Maintaining DLDP...
  • Page 70: Dldp Introduction

    Figure 1-2 Unidirectional fiber link: a fiber not connected or disconnected (Device A: GE1/0/49, GE1/0/50; Device B: GE1/0/49, GE1/0/50)
    DLDP Introduction The Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP, as configured, can shut down the related port automatically or prompt users to take actions to avoid network problems.
  • Page 71 State | Indicates… Probe: DLDP enters this state if it receives a packet from an unknown neighbor. In this state, DLDP sends packets to check whether the link is unidirectional. As soon as DLDP transits to this state, a probe timer starts and an echo timeout timer starts for each neighbor to be probed.
  • Page 72 DLDP timer | Description. Enhanced timer: In the enhanced mode, this timer is triggered if no packet is received from a neighbor when the entry aging timer expires. The Enhanced timer is set to 1 second. After the Enhanced timer is triggered, the device sends up to eight probe packets to the neighbor at a frequency of one packet per second.
  • Page 73 Figure 1-3 A case for Enhanced DLDP mode In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1 ) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1).
  • Page 74 Table 1-4 DLDP packet types and DLDP states (DLDP state: type of DLDP packets sent). Active: Advertisement packet with RSY tag. Advertisement: Normal Advertisement packet. Probe: Probe packet. Disable: Disable packet and RecoverProbe packet. When a device transits from a DLDP state other than Inactive state or Disable state to Initial state, it sends Flush packets.
  • Page 75 Packet type | Processing procedure. ... If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the Entry timer, and transits to Probe state. Echo packet: Retrieves the neighbor information. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet.
  • Page 76: Dldp Configuration Task List

    The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor information in the RecoverEcho packet is the same as the local port information.
  • Page 77: Enabling Dldp

    To ensure unidirectional links can be detected, make sure these settings are the same on both sides: DLDP state (enabled/disabled), the interval for sending Advertisement packets, authentication mode, and password. Keep the interval for sending Advertisement packets adequate to enable unidirectional links to be detected in time.
  • Page 78: Setting The Interval For Sending Advertisement Packets

    To do… | Use the command… | Remarks
    Enter system view: system-view
    Set DLDP mode: dldp work-mode { enhance | normal } (Optional; Normal by default)
    Setting the Interval for Sending Advertisement Packets You can set the interval for sending Advertisement packets to enable unidirectional links to be detected in time.
  • Page 79: Setting The Port Shutdown Mode

    To do… | Use the command… | Remarks
    Set the DelayDown timer: dldp delaydown-timer time (Optional; 1 second by default. The DelayDown timer setting applies to all the DLDP-enabled ports.)
    Setting the Port Shutdown Mode On detecting a unidirectional link, the ports can be shut down in one of the following two modes. Manual mode.
  • Page 80: Resetting Dldp State

    To enable DLDP to operate properly, make sure the DLDP authentication modes and the passwords of both sides of a link are the same. Resetting DLDP State After DLDP detects a unidirectional link on a port, the port enters Disable state. In this case, DLDP prompts you to shut down the port manually or shuts down the port automatically, depending on the user-defined port shutdown mode.
  • Page 81: Displaying And Maintaining Dldp

    To do… | Use the command… | Remarks
    Reset DLDP state: dldp reset (Required)
    Displaying and Maintaining DLDP
    To do… | Use the command… | Remarks
    Display the DLDP configuration of a port: display dldp [ interface-type interface-number ] (Available in any view)
    Display the statistics on DLDP packets passing through a port: display dldp statistics (Available in any view)...
  • Page 82
    [DeviceA-GigabitEthernet1/0/50] dldp enable
    [DeviceA-GigabitEthernet1/0/50] quit
    # Set the interval for sending Advertisement packets to 6 seconds.
    [DeviceA] dldp interval 6
    # Set the DelayDown timer to 2 seconds.
    [DeviceA] dldp delaydown-timer 2
    # Set the DLDP mode as enhanced mode.
    [DeviceA] dldp work-mode enhance
    # Set the port shutdown mode as auto mode.
  • Page 83: Troubleshooting

    [DeviceA] display dldp
    DLDP global status : enable
    DLDP interval : 6s
    DLDP work-mode : enhance
    DLDP authentication-mode : none
    DLDP unidirectional-shutdown : auto
    DLDP delaydown-timer : 2s
    The number of enabled ports is 2.
    Interface GigabitEthernet1/0/49
    DLDP port state : advertisement
    DLDP link state : up
    The neighbor number of the port is 1.
  • Page 84 Table of Contents: 1 LLDP Configuration 1-1; Overview 1-1; Background 1-1; Basic Concepts 1-1; Operating Modes of LLDP 1-6; How LLDP Works 1-6; Protocols and Standards 1-6; LLDP Configuration Task List 1-6; Performing Basic LLDP Configuration 1-7; Enabling LLDP 1-7; Setting LLDP Operating Mode 1-8; Setting the LLDP Re-Initialization Delay 1-8; Enable LLDP Polling 1-8; Configuring the TLVs to Be Advertised 1-9...
  • Page 85: Lldp Configuration

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Overview LLDP Configuration Task List Performing Basic LLDP Configuration Configuring LLDP Trapping Displaying and Maintaining LLDP LLDP Configuration Examples Overview Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
  • Page 86 Figure 1-1 Ethernet II-encapsulated LLDP frame format The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame (Field: Description). Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 87 Table 1-2 Description of the fields in a SNAP-encapsulated LLDP frame (Field: Description). Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address. Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
  • Page 88 Port And Protocol VLAN ID: Port and protocol VLAN IDs. VLAN Name: A specific VLAN name on the port. Protocol Identity: Protocols supported on the port. Currently, H3C devices support receiving but not sending protocol identity TLVs. IEEE 802.3 organizationally specific TLVs...
  • Page 89 Table 1-5 IEEE 802.3 organizationally specific TLVs (Type: Description). MAC/PHY Configuration/Status: Contains the rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode. Power Via MDI: Contains the power supply capability of the port.
  • Page 90: Operating Modes Of Lldp

    Management address The management address of a device is used by the network management system to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV. Operating Modes of LLDP LLDP can operate in one of the following modes: TxRx mode.
  • Page 91: Performing Basic Lldp Configuration

    Task | Remarks
    Performing Basic LLDP Configuration: Enabling LLDP (Required); Setting LLDP Operating Mode (Optional); Setting the LLDP Re-Initialization Delay (Optional); Enable LLDP Polling (Optional); Configuring the TLVs to Be Advertised (Optional); Configuring the Management Address and Its Encoding Format (Optional); Setting the TTL Multiplier (Optional); Configuring the Parameters Concerning LLDPDU...
  • Page 92: Setting Lldp Operating Mode

    Setting LLDP Operating Mode LLDP can operate in one of the following modes. TxRx mode. A port in this mode sends and receives LLDPDUs. Tx mode. A port in this mode only sends LLDPDUs. Rx mode. A port in this mode only receives LLDPDUs. Disable mode.
  • Page 93: Configuring The Tlvs To Be Advertised

    To do… | Use the command… | Remarks
    Enable LLDP polling and set the polling interval: lldp check-change-interval interval (Required; Disabled by default)
    Configuring the TLVs to Be Advertised Follow these steps to configure advertisable TLVs:
    To do… | Use the command… | Remarks —...
  • Page 94: Setting The Ttl Multiplier

    To do… | Use the command… | Remarks
    Enable management address advertisement in LLDPDUs, and optionally, configure a management IP address if needed: lldp management-address-tlv [ ip-address ] (Optional. By default, the management address is sent through LLDPDUs, and the management address is the main IP address of the lowest-ID VLAN carried on the...)
  • Page 95: Configuring The Encapsulation Format For Lldpdus

    To do… | Use the command… | Remarks
    Set the number of fast sent LLDPDUs: lldp fast-count count (Optional; 3 by default)
    Both the LLDPDU transmit interval and delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDP frames to update information about the device you are configuring before it is aged out.
  • Page 96: Displaying And Maintaining Lldp

    To prevent excessive LLDP traps from being sent when the topology is unstable, you can set a minimum trap sending interval for LLDP. Follow these steps to configure LLDP traps:
    To do… | Use the command… | Remarks
    Enter system view: system-view (—)
    Enter Ethernet interface view: interface interface-type... Enter Ethernet...
  • Page 97 Figure 1-4 Network diagram for basic LLDP configuration Configuration procedure Configure Switch A.
    # Enable LLDP globally.
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, setting the LLDP operating mode to
    [SwitchA] interface gigabitethernet1/0/1
    [SwitchA-GigabitEthernet1/0/1] lldp enable
    [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx
    [SwitchA-GigabitEthernet1/0/1] quit...
  • Page 98 Reinit delay : 2s Transmit delay : 2s Trap interval : 5s Fast start times Port 1 [GigabitEthernet1/0/1]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV...
  • Page 99 Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors Number of MED neighbors Number of CDP neighbors Number of sent optional TLV Number of received unknown TLV Port 2 [GigabitEthernet1/0/2]: Port status of LLDP : Enable Admin status : Rx_Only...
  • Page 100 Table of Contents: 1 MSTP Configuration 1-1; Overview 1-1; Introduction to STP 1-1; Why STP? 1-1; Protocol Packets of STP 1-1; Basic concepts in STP 1-2; How STP works 1-3; Introduction to RSTP 1-9; Introduction to MSTP 1-10; Why MSTP 1-10; Basic concepts in MSTP 1-11; How MSTP works 1-14; Implementation of MSTP on devices 1-15; Protocols and Standards 1-15...
  • Page 101 Configuration Prerequisites 1-33; Configuration Procedure 1-33; Configuration Example 1-34; Configuring the VLAN Ignore Feature 1-34; Configuration Procedure 1-34; Configuration Example 1-35; Configuring Digest Snooping 1-35; Configuration Prerequisites 1-36; Configuration Procedure 1-36; Configuration Example 1-36; Configuring No Agreement Check 1-37; Configuration Prerequisites 1-38; Configuration Procedure 1-38; Configuration Example 1-39; Configuring Protection Functions 1-39; Configuration prerequisites 1-40...
  • Page 102: Mstp Configuration

    MSTP Configuration When configuring MSTP, go to these sections for information you are interested in: Overview Introduction to STP Introduction to RSTP Introduction to MSTP Configuration Task List Configuring the Root Bridge Configuring Leaf Nodes Configuring the VLAN Ignore Feature Configuring Digest Snooping Configuring No Agreement Check Configuring Protection Functions...
  • Page 103: Basic Concepts In Stp

    STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the network devices to complete spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used for calculating a spanning tree and maintaining the spanning tree topology.
  • Page 104: How Stp Works

    Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Path cost Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
  • Page 105 For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: Root bridge ID (represented by device priority) Root path cost (related to the rate of the link connected to the port) Designated bridge ID (represented by device priority) Designated port ID (represented by port name) Calculation process of the STP algorithm Initial state...
  • Page 106 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selection of the root port and designated ports on a non-root device The process of selecting the root port and designated ports is as follows: Table 1-3 Selection of the root port and designated ports...
  • Page 107 Figure 1-2 Network diagram for the STP algorithm Initial state of each device The following table shows the initial state of each device. Table 1-4 Initial state of each device (Device | Port name | BPDU of port). Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}. Device B: BP1 {1, 0, 1, BP1}...
  • Page 108 Device | Comparison process | BPDU of port after comparison. Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 109 Device | Comparison process | BPDU of port after comparison. After comparison: Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected... (Blocked port CP2:)...
  • Page 110: Introduction To Rstp

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
  • Page 111: Introduction To Mstp

    Introduction to MSTP Why MSTP Weaknesses of STP and RSTP STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 112: Basic Concepts In Mstp

    Basic concepts in MSTP
    Figure 1-4 Basic concepts in MSTP (Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region B0: VLAN 1 mapped to instance 1, B as regional root bridge; Region D0: VLAN 1 mapped to instance 1; BPDUs exchanged between regions)
  • Page 113 As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-MSTI mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-MSTI mapping table.
  • Page 114 MSTP calculation involves these port roles: root port, designated port, master port, alternate port, backup port, and so on. Root port: a port responsible for forwarding data to the root bridge. Designated port: a port responsible for forwarding data to the downstream network segment or device.
  • Page 115: How Mstp Works

    Learning: the port learns MAC addresses but does not forward user traffic; Discarding: the port neither learns MAC addresses nor forwards user traffic. When in different MSTIs, a port can be in different states. A port state is not exclusively associated with a port role. Table 1-6 lists the port state(s) supported by each port role (“√”...
  • Page 116: Implementation Of Mstp On Devices

    Implementation of MSTP on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation. In addition to basic MSTP functions, many special functions are provided for ease of management, as follows: Root bridge hold Root bridge backup...
  • Page 117 Task Remarks Configuring an MST Region Required Configuring the Work Mode of an MSTP Device Optional Configuring the Timeout Factor Optional Configuring the Maximum Port Rate Optional Configuring Ports as Edge Ports Optional Configuring Leaf Configuring Path Costs of Ports Optional Nodes Configuring Port Priority...
  • Page 118: Configuring The Root Bridge

    Configuring the Root Bridge Configuring an MST Region Configuration procedure Follow these steps to configure an MST region:
    To do... | Use the command... | Remarks
    Enter system view: system-view (—)
    Enter MST region view: stp region-configuration (—)
    Configure the MST region name: region-name name (Optional. The MST region name is the name...)
  • Page 119: Specifying The Root Bridge Or A Secondary Root Bridge

    Configuration example # Configure the MST region name to be “info”, the MSTP revision level to be 1, and VLAN 2 through VLAN 10 to be mapped to MSTI 1 and VLAN 20 through VLAN 30 to MSTI 2.
    <Sysname> system-view
    [Sysname] stp region-configuration
    [Sysname-mst-region] region-name info
    [Sysname-mst-region] instance 1 vlan 2 to 10...
  • Page 120: Configuring The Work Mode Of An Mstp Device

    There is one and only one root bridge in effect in a spanning tree instance. If two or more devices have been designated to be root bridges of the same spanning tree instance, MSTP will select the device with the lowest MAC address as the root bridge. You can specify multiple secondary root bridges for the same instance.
  • Page 121: Configuring The Priority Of The Current Device

    <Sysname> system-view
    [Sysname] stp mode stp
    Configuring the Priority of the Current Device The priority of a device determines whether it can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. By setting the priority of a device to a low value, you can specify the device as the root bridge of the spanning tree.
  • Page 122: Configuring The Network Diameter Of A Switched Network

    Configuration procedure Follow these steps to configure the maximum number of hops of the MST region:
    To do... | Use the command... | Remarks
    Enter system view: system-view (—)
    Configure the maximum hops of the MST region: stp max-hops hops (Optional; 20 by default)
    A larger maximum hops setting means a larger size of the MST region.
  • Page 123: Configuring Timers Of Mstp

    Configuration example # Set the network diameter of the switched network to 6.
    <Sysname> system-view
    [Sysname] stp bridge-diameter 6
    Configuring Timers of MSTP MSTP involves three timers: forward delay, hello time and max age. You can configure these three parameters for MSTP to calculate spanning trees. Configuration procedure Follow these steps to configure the timers of MSTP: To do...
  • Page 124: Configuring The Timeout Factor

    The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer the forward delay time should be. Note that if the forward delay setting is too small, temporary redundant paths may be introduced; if the forward delay setting is too big, it may take a long time for the network to converge.
  • Page 125: Configuring The Maximum Port Rate

    Configuration procedure Follow these steps to configure the timeout factor:
    To do... | Use the command... | Remarks
    Enter system view: system-view (—)
    Configure the timeout factor of the device: stp timer-factor number (Optional; 3 by default)
    Timeout time = timeout factor × 3 × hello time. Typically, we recommend that you set the timeout factor to 5, 6, or 7 for a stable network.
  • Page 126: Configuring Ports As Edge Ports

    If the maximum rate setting of a port is too big, the port will send a large number of MSTP packets within each hello time, thus using excessive network resources. We recommend that you use the default setting. Configuration example # Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5.
  • Page 127: Setting The Link Type Of A Port To P2P

    With BPDU guard disabled, when a port set as an edge port receives a BPDU from another port, it will become a non-edge port again. To restore the edge port, re-enable it. If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard for it.
  • Page 128: Configuring The Mode A Port Uses To Recognize/Send Mstp Packets

    A Layer-2 aggregate interface can be configured to connect to a point-to-point link. If a port works in auto-negotiation mode and the negotiation result is full duplex, this port can be configured as connecting to a point-to-point link. If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MSTIs.
  • Page 129: Enabling The Output Of Port State Transition Information

    MSTP provides the MSTP packet format incompatibility guard function. In MSTP mode, if a port is configured to recognize/send MSTP packets in a mode other than auto, and if it receives a packet in a format different from the specified type, the port will become a designated port and remain in the discarding state to prevent the occurrence of a loop.
  • Page 130: Configuring Leaf Nodes

    To do... | Use the command... | Remarks
    Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (Required. Use either command. Configurations made in interface view will take effect on the current port only; configurations made in port...)
    Enter port group view: ...
  • Page 131: Configuring The Maximum Transmission Rate Of Ports

    Configuring the Maximum Transmission Rate of Ports Refer to Configuring the Maximum Port Rate in the section about root bridge configuration. Configuring Ports as Edge Ports Refer to Configuring Ports as Edge Ports in the section about root bridge configuration. Configuring Path Costs of Ports Path cost is a parameter related to the rate of a port.
  • Page 132 Link speed | Duplex state | Path cost (802.1t; the 802.1d-1998 and private standard columns follow in the full table)
    1000 Mbps: Single Port 20,000; Aggregate Link 2 Ports 10,000; Aggregate Link 3 Ports 6,666; Aggregate Link 4 Ports 5,000
    10 Gbps: Single Port 2,000; Aggregate Link 2 Ports 1,000; Aggregate Link 3 Ports ...; Aggregate Link 4 Ports ...
    When calculating path cost for an aggregate interface, 802.1d-1998 does not take into account the number of member ports in its aggregation group as 802.1t does.
  • Page 133: Configuring Port Priority

    Configuring Port Priority The priority of a port is an important factor in determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port.
  • Page 134: Configuring The Mode A Port Uses To Recognize/Send Mstp Packets

    Configuring the Mode a Port Uses to Recognize/Send MSTP Packets Refer to Configuring the Mode a Port Uses to Recognize/Send MSTP Packets in the section about root bridge configuration. Enabling Output of Port State Transition Information Refer to Enabling the Output of Port State Transition Information in the section about root bridge configuration.
  • Page 135: Configuration Example

    To do... | Use the command... | Remarks
    Enter system view: system-view (—)
    Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (—)
    Perform mCheck: stp mcheck (Required)
    Configuration Example # Perform mCheck on port GigabitEthernet 1/0/1. Method 1: Perform mCheck globally. <Sysname>...
  • Page 136: Configuration Example

    Configuration Example Network requirements Device A and Device B are directly connected; GigabitEthernet 1/0/1 on Device A and GigabitEthernet 1/0/1 on Device B allow the traffic of VLAN 1 to pass through. GigabitEthernet 1/0/2 on Device A and GigabitEthernet 1/0/2 on Device B allow the traffic of VLAN 2 to pass through.
  • Page 137: Configuration Prerequisites

    Configuration Prerequisites Associated devices of different vendors are interconnected and run MSTP. Configuration Procedure Follow these steps to configure Digest Snooping:
    To do... | Use the command... | Remarks
    Enter system view: system-view (—)
    Enter Ethernet interface view or Layer-2 aggregate interface view: interface interface-type interface-number (Required. Use either command.)...
  • Page 138: Configuring No Agreement Check

    Enable Digest Snooping on Device A and Device B so that the three routers can communicate with one another. Figure 1-8 Digest Snooping configuration Configuration procedure Enable Digest Snooping on Device A.
    # Enable Digest Snooping on GigabitEthernet 1/0/2.
    <DeviceA> system-view
    [DeviceA] interface gigabitethernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] stp config-digest-snooping
    [DeviceA-GigabitEthernet1/0/2] quit...
  • Page 139: Configuration Prerequisites

    Figure 1-9 Rapid state transition of an MSTP designated port
    Figure 1-10 shows rapid state transition of an RSTP designated port.
    Figure 1-10 Rapid state transition of an RSTP designated port
    If the upstream device comes from another vendor, the rapid state transition implementation may be limited.
  • Page 140: Configuration Example

    To do / Use the command / Remarks:
    - Enter system view / system-view / —
    - Enter Ethernet interface view or Layer-2 aggregate interface view / interface interface-type interface-number / Required; use either command. Configurations made in interface view will take effect on the current port only;...
    - Enter port group view / ...
  • Page 141: Configuration Prerequisites

    TC-BPDU attack guard
    Among loop guard, root guard and edge port settings, only one function can take effect on the same port at the same time.
    Configuration prerequisites
    MSTP has been correctly configured on the device.
    Enabling BPDU Guard
    We recommend that you enable BPDU guard on your device. For access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers, and are configured as edge ports so that they transition to forwarding quickly. No legitimate bridge sits behind such a port, so a BPDU arriving on it means that an unexpected switch has been attached or that someone is injecting forged BPDUs to disturb the topology; BPDU guard responds by shutting the port down.
  • Page 142: Enabling Root Guard

    BPDU Guard does not take effect on loopback test-enabled ports. For information about loopback test, refer to Ethernet Interface Configuration in the Access Volume.
    Enabling Root Guard
    We recommend that you enable root guard on your device. The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are generally put in a high-bandwidth core region during network design.
  • Page 143: Enabling Loop Guard

    Enabling Loop Guard
    We recommend that you enable loop guard on your device. By continuing to receive BPDUs from the upstream device, a device can maintain the state of its root port and blocked ports. However, because of link congestion or unidirectional link failures, these ports may stop receiving BPDUs from the upstream devices.
  • Page 144: Displaying And Maintaining Mstp

    To do / Use the command / Remarks:
    - Enter system view / system-view / —
    - Enable the TC-BPDU attack guard function / stp tc-protection enable / Optional; enabled by default
    - Configure the maximum number of forwarding address entry flushes that the device can perform within a specific period / stp tc-protection threshold number / Optional; 6 by default...
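A worked model of the guards described above (BPDU guard, root guard, loop guard and TC-BPDU attack guard), added here as an example; it is not code from the manual or from H3C. It parses a constructed 802.1D configuration BPDU and returns the action each guard would take on it. All class and function names are this example's own, and the 10-second window used for the TC-BPDU guard is an assumption, since the text above only says "a specific period" with a default of 6 flushes.

```python
"""MSTP protection decisions, worked in Python.

Added example, not code from the H3C manual: it models what BPDU guard,
root guard, loop guard and TC-BPDU attack guard decide when a BPDU arrives,
using a constructed 802.1D configuration BPDU. All names here are this
example's own; the 10-second TC window is an assumption (the manual only
says "a specific period" and "6 by default").
"""
import struct
from dataclasses import dataclass
from typing import Optional

STP_MCAST = bytes.fromhex("0180c2000000")   # destination MAC of every BPDU
LLC_STP = b"\x42\x42\x03"                    # DSAP/SSAP 0x42, UI control field
TC_FLAG = 0x01                               # flags bit 0: Topology Change
BPDU_FMT = ">HBBB8sI8sHHHHH"                 # 35-byte configuration BPDU


@dataclass(frozen=True)
class Bpdu:
    version: int           # 0 = STP, 2 = RSTP, 3 = MSTP
    bpdu_type: int         # 0x00 config, 0x02 RST/MST, 0x80 TCN
    flags: int
    root_id: bytes         # 2-byte priority + 6-byte MAC; numerically lower wins
    root_path_cost: int
    bridge_id: bytes
    port_id: int


def bridge_id(priority: int, mac_hex: str) -> bytes:
    return struct.pack(">H", priority) + bytes.fromhex(mac_hex)


def build_config_bpdu(root: bytes, sender: bytes, flags: int = 0,
                      cost: int = 0, port_id: int = 0x8001) -> bytes:
    """Constructed 802.3/LLC frame carrying a configuration BPDU (sample input)."""
    body = struct.pack(BPDU_FMT, 0, 0, 0, flags, root, cost, sender, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)   # timers in 1/256 s units
    return (STP_MCAST + sender[2:] + struct.pack(">H", len(LLC_STP) + len(body))
            + LLC_STP + body)


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Return the BPDU carried by a frame, or None if the frame is not one."""
    if len(frame) < 52 or frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    proto, ver, btype, flags, root, cost, sender, port_id = struct.unpack(
        BPDU_FMT, frame[17:52])[:8]
    if proto != 0:
        return None
    return Bpdu(ver, btype, flags, root, cost, sender, port_id)


def bpdu_guard(edge_port: bool, frame: bytes) -> str:
    """BPDU guard: an edge port faces hosts, never a bridge. A BPDU there means
    an unexpected switch or a forged frame, so the port is shut down."""
    return "shutdown" if edge_port and parse_bpdu(frame) is not None else "ok"


def root_guard(known_root: bytes, frame: bytes) -> str:
    """Root guard on a designated port: a BPDU announcing a root ID lower than
    the root we already know would move the root out of the core, so the port
    goes to discarding instead of re-converging on the newcomer."""
    bpdu = parse_bpdu(frame)
    if bpdu is not None and bpdu.root_id < known_root:
        return "discarding"
    return "forwarding"


def loop_guard(role: str, silent_for_s: float, max_age_s: float, enabled: bool) -> str:
    """Loop guard: a root or alternate port that stops hearing BPDUs (for example
    on a unidirectional link) would age out and start forwarding, creating a
    loop. With loop guard it stays discarding until BPDUs return."""
    if role not in ("ROOT", "ALTE") or silent_for_s <= max_age_s:
        return "unchanged"
    return "discarding" if enabled else "forwarding"


class TcGuard:
    """TC-BPDU attack guard: at most `threshold` address-table flushes per
    window; further TC BPDUs in the same window are counted and deferred."""

    def __init__(self, threshold: int = 6, window_s: float = 10.0):
        self.threshold, self.window_s = threshold, window_s
        self.window_start, self.flushes, self.deferred = None, 0, 0

    def on_frame(self, frame: bytes, now: float) -> str:
        bpdu = parse_bpdu(frame)
        if bpdu is None or not bpdu.flags & TC_FLAG:
            return "ignored"
        if self.window_start is None or now - self.window_start >= self.window_s:
            self.window_start, self.flushes, self.deferred = now, 0, 0
        if self.flushes < self.threshold:
            self.flushes += 1
            return "flush"
        self.deferred += 1
        return "deferred"


if __name__ == "__main__":
    core = bridge_id(32768, "000fe2000001")     # the CIST root in the core
    rogue = bridge_id(0, "000000000001")        # priority 0: claims to be root
    print(bpdu_guard(True, build_config_bpdu(rogue, rogue)))   # shutdown
    print(root_guard(core, build_config_bpdu(rogue, rogue)))   # discarding
```

Bridge IDs compare as raw bytes, which is the same order as the numeric comparison the protocol uses (priority first, then MAC), so a device with priority 0 always beats a core root at 32768: that is exactly the BPDU root guard is there to reject.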
  • Page 145: Mstp Configuration Example

    MSTP Configuration Example Network requirements All devices on the network are in the same MST region. Device A and Device B work on the distribution layer, while Device C and Device D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different spanning trees: Packets of VLAN 10 are forwarded along MSTI 1, those of VLAN 30 are forwarded along MSTI 3, those of VLAN 40 are forwarded along MSTI 4, and those of VLAN 20 are forwarded along MSTI 0.
  • Page 146

    # Activate MST region configuration.
    [DeviceA-mst-region] active region-configuration
    [DeviceA-mst-region] quit
    # Specify the current device as the root bridge of MSTI 1.
    [DeviceA] stp instance 1 root primary
    # Enable MSTP globally.
    [DeviceA] stp enable
    Configuration on Device B
    # Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0.
  • Page 147

    # Enable MSTP globally.
    [DeviceC] stp enable
    Configuration on Device D
    # Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0.
  • Page 148

    MSTID  Port                  Role  STP State   Protection
           GigabitEthernet1/0/1  DESI  FORWARDING  NONE
           GigabitEthernet1/0/2  ROOT  FORWARDING  NONE
           GigabitEthernet1/0/3  DESI  FORWARDING  NONE
           GigabitEthernet1/0/1  ROOT  FORWARDING  NONE
           GigabitEthernet1/0/2  ALTE  DISCARDING  NONE
           GigabitEthernet1/0/3  DESI  FORWARDING  NONE
    # Display brief spanning tree information on Device D.
    [DeviceD] display stp brief
    MSTID  Port  Role...
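Every port in the output above reports Protection NONE, which is the state the protection section earlier recommends against. The following script, added here as an example and not part of the manual, parses the five-column `display stp brief` output and reports which unprotected ports should get BPDU guard, root guard or loop guard based on their CIST role. The sample output is constructed in the same layout as the page's; the function names are this example's own, while the commands named in the findings (stp edged-port enable, stp bpdu-protection, stp root-protection, stp loop-protection) are the Comware ones.

```python
"""Audit of `display stp brief` output.

Added example, not code from the manual: it parses the five-column output
shown above (the sample below is constructed in the same layout) and lists
the ports that run with Protection NONE although their role calls for one
of the guards described in the protection section. Function names are this
example's own; the command names in the findings are the Comware ones.
"""
from typing import Dict, List, NamedTuple, Set


class StpPort(NamedTuple):
    msti: int
    port: str
    role: str          # ROOT, DESI, ALTE, BACK, MAST, DISA
    state: str         # FORWARDING, LEARNING, DISCARDING
    protection: str    # NONE, or the guard active on the port


def parse_stp_brief(text: str) -> List[StpPort]:
    """Keep data rows (MSTID is numeric); skip the header and prompt lines."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0].isdigit():
            rows.append(StpPort(int(cols[0]), cols[1], cols[2], cols[3], cols[4]))
    return sorted(rows)          # MSTI 0 (the CIST) first, so its role decides


def audit(rows: List[StpPort], access_ports: Set[str]) -> Dict[str, str]:
    """One recommendation per unprotected port, decided from its CIST role:
    ports facing hosts need BPDU guard, other designated ports root guard,
    root and alternate ports loop guard (only one guard fits a port)."""
    findings: Dict[str, str] = {}
    for r in rows:
        if r.protection != "NONE" or r.port in findings:
            continue
        if r.port in access_ports:
            findings[r.port] = "stp edged-port enable, with stp bpdu-protection enabled globally"
        elif r.role == "DESI":
            findings[r.port] = "stp root-protection"
        elif r.role in ("ROOT", "ALTE"):
            findings[r.port] = "stp loop-protection"
    return findings


# Constructed sample in the layout of the output above (not captured from a device).
SAMPLE = """\
[DeviceC] display stp brief
 MSTID      Port                         Role  STP State     Protection
   0        GigabitEthernet1/0/1         DESI  FORWARDING    NONE
   0        GigabitEthernet1/0/2         ROOT  FORWARDING    LOOP
   0        GigabitEthernet1/0/3         DESI  FORWARDING    NONE
   1        GigabitEthernet1/0/1         ROOT  FORWARDING    NONE
   1        GigabitEthernet1/0/2         ALTE  DISCARDING    LOOP
   1        GigabitEthernet1/0/3         DESI  FORWARDING    NONE
"""

if __name__ == "__main__":
    for port, fix in audit(parse_stp_brief(SAMPLE), {"GigabitEthernet1/0/3"}).items():
        print(f"{port}: {fix}")
```

The set of host-facing ports has to come from outside the output (here it is passed in), because STP cannot tell a PC from a switch on a designated port; that is also why a port appearing as DESI in the CIST but ROOT in another MSTI is judged on its CIST role, since root guard and loop guard cannot coexist on one port.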
  • Page 149

    Table of Contents
    1 Smart Link Configuration (1-2)
      Smart Link Overview (1-2)
        Terminology (1-3)
        Operating Mechanism of Smart Link (1-4)
      Smart Link Configuration Task List (1-4)
      Configuring a Smart Link Device (1-5)
        Configuration Prerequisites (1-5)
        Configuring Protected VLANs for a Smart Link Group (1-5)
        Configuring Member Ports for a Smart Link Group (1-6)
        Configuring Role Preemption for a Smart Link Group (1-6)
        Enabling the Sending of Flush Messages (1-7)...
  • Page 150: Smart Link Configuration

    Smart Link Configuration When configuring Smart Link, go to these sections for information that you are interested in: Smart Link Overview Configuring a Smart Link Device Configuring an Associated Device Displaying and Maintaining Smart Link Smart Link Configuration Examples Smart Link Overview In most cases, Spanning Tree Protocol (STP) is used to remove network loops while delivering link redundancy in a dual uplink network.
  • Page 151: Terminology

    Terminology
    Smart link group
    A smart link group consists of only two member ports: the master and the slave. At any time only one port is active and forwarding; the other is blocked, that is, in the standby state. When the active port fails (for example, because the port is shut down or the link becomes unidirectional), the standby port becomes active and takes over, while the original active port transitions to the blocked state.
  • Page 152: Operating Mechanism Of Smart Link

    Operating Mechanism of Smart Link Link backup mechanism As shown in Figure 1-1, the link on GE1/0/1 of Device C is the active link, and the link on GE1/0/2 of Device C is the standby link. Normally, GE1/0/1 is in the forwarding state, while GE1/0/2 is in the standby state.
  • Page 153: Configuring A Smart Link Device

    Task / Remarks:
    - Configuring an Associated Device: Enabling the Receiving of Flush Messages / Required
    A smart link device is a device that supports Smart Link and is configured with a smart link group and a transmit control VLAN for flush message transmission. Device C and Device E in Figure 1-1 are two examples of smart link devices.
  • Page 154: Configuring Member Ports For A Smart Link Group

    Configuring Member Ports for a Smart Link Group You can configure member ports for a smart link group either in smart link group view or in interface view. The configurations made in these two views have the same effect. In smart link group view Follow these steps to configure member ports for a smart link group in smart link group view: To do…...
  • Page 155: Enabling The Sending Of Flush Messages

    Enabling the Sending of Flush Messages
    Follow these steps to enable the sending of flush messages:
    To do / Use the command / Remarks:
    - Enter system view / system-view / —
    - Create a smart link group and enter smart link group view / smart-link group group-id / Required
    - Enable flush update in the specified... / flush enable control-vlan vlan-id / Optional; by default, flush...
  • Page 156: Configuring An Associated Device

    [Sysname-GigabitEthernet1/0/2] port trunk permit vlan 20
    [Sysname-GigabitEthernet1/0/2] quit
    [Sysname] smart-link group 1
    [Sysname-smlk-group1] protected-vlan reference-instance 0 to 8
    [Sysname-smlk-group1] port gigabitethernet1/0/1 master
    [Sysname-smlk-group1] port gigabitethernet1/0/2 slave
    [Sysname-smlk-group1] flush enable control-vlan 20
    [Sysname-smlk-group1] quit
    Configuring an Associated Device
    Enabling the Receiving of Flush Messages
    You do not need to enable all ports on the associated devices to receive flush messages sent from the transmit control VLAN, only those on the active and standby links between the smart link device and the destination device. Keep it that narrow: a flush message is an unauthenticated Layer 2 frame that clears the receiving device's address table, so every additional port that accepts it is a port from which an attacker could force the device to flood traffic.
  • Page 157: Associated Device Configuration Example

    Associated Device Configuration Example
    Network requirements
    Configure GigabitEthernet 1/0/1 to receive and process flush messages in VLAN 20.
    Configuration procedure
    <Sysname> system-view
    [Sysname] vlan 20
    [Sysname-vlan20] quit
    [Sysname] interface gigabitethernet1/0/1
    [Sysname-GigabitEthernet1/0/1] port link-type trunk
    [Sysname-GigabitEthernet1/0/1] port trunk permit vlan 20
    [Sysname-GigabitEthernet1/0/1] smart-link flush enable control-vlan 20
    Displaying and Maintaining Smart Link
    To do...
  • Page 158

    Configuration procedure
    Configuration on Device C
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
    <DeviceC> system-view
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] quit
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-GigabitEthernet1/0/2] quit
    # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 15 as the protected VLANs.
  • Page 159: Multiple Smart Link Groups Load Sharing Configuration Example

    [DeviceB-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] smart-link flush enable
    [DeviceB-GigabitEthernet1/0/2] quit
    [DeviceB] interface gigabitethernet 1/0/3
    [DeviceB-GigabitEthernet1/0/3] smart-link flush enable
    Configuration on Device D
    # Configure VLAN 1 as the receive control VLAN for GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3.
  • Page 160

    Figure 1-3 Multiple smart link groups load sharing configuration (Device A, Device B, Device C and Device D, each using ports GE1/0/1 and GE1/0/2)
    Configuration procedure
    Configuration on Device C
    # Create VLANs and configure VLAN-to-MSTI mappings.
    <DeviceC> system-view
    [DeviceC] vlan 1 to 200
    [DeviceC] stp region-configuration
    [DeviceC-mst-region] instance 0 vlan 1 to 100...
  • Page 161

    [DeviceC-smlk-group1] preemption mode role
    # Configure VLAN 10 as the transmit control VLAN of smart link group 1.
    [DeviceC-smlk-group1] flush enable control-vlan 10
    [DeviceC-smlk-group1] quit
    # Create smart link group 2.
    [DeviceC] smart-link group 2
    # Configure protected VLANs for smart link group 2.
    [DeviceC-smlk-group2] protected-vlan reference-instance 2
    # Configure GigabitEthernet 1/0/1 as the slave port and GigabitEthernet 1/0/2 as the master port.
  • Page 162

    Configuration on Device A
    # Configure VLAN 10 and VLAN 101 as the receive control VLANs of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
    <DeviceA> system-view
    [DeviceA] vlan 1 to 200
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200
    [DeviceA-GigabitEthernet1/0/1] smart-link flush enable control-vlan 10 101
    [DeviceA-GigabitEthernet1/0/1] quit
    [DeviceA] interface gigabitethernet 1/0/2...
  • Page 163

    Table of Contents
    1 Monitor Link Configuration (1-1)
      Overview (1-1)
        Terminology (1-1)
        How Monitor Link Works (1-1)
      Configuring Monitor Link (1-2)
        Configuration Prerequisites (1-2)
        Configuration Procedure (1-2)
        Monitor Link Configuration Example (1-2)
      Displaying and Maintaining Monitor Link (1-3)
      Monitor Link Configuration Example (1-3)...
  • Page 164: Monitor Link Configuration

    Monitor Link Configuration When configuring monitor link, go to these sections for information you are interested in: Overview Configuring Monitor Link Displaying and Maintaining Monitor Link Monitor Link Configuration Example Overview Monitor link is a port collaboration function. Monitor link is usually used in conjunction with Layer 2 topology protocols.
  • Page 165: Configuring Monitor Link

    Configuring Monitor Link
    Configuration Prerequisites
    Before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group.
    Configuration Procedure
    Follow these steps to configure monitor link:
    To do / Use the command / Remarks: —...
  • Page 166: Monitor Link Configuration Example

    [Sysname-mtlk-group1] port gigabitethernet 1/0/2 downlink
    Displaying and Maintaining Monitor Link
    To do / Use the command / Remarks:
    - Display monitor link group information / display monitor-link group { group-id | all } / Available in any view
    Monitor Link Configuration Example
    Network requirements
    As shown in Figure 1-1: Device C is dually uplinked to Device A through a smart link group.
  • Page 167

    [DeviceC-GigabitEthernet1/0/2] quit
    # Create smart link group 1 and configure the smart link group to protect all the VLANs mapped to MSTIs 0 through 15.
    [DeviceC] smart-link group 1
    [DeviceC-smlk-group1] protected-vlan reference-instance 0 to 15
    # Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port.
    [DeviceC-smlk-group1] port gigabitethernet 1/0/1 master
    [DeviceC-smlk-group1] port gigabitethernet 1/0/2 slave
    # Enable the smart link group to transmit flush messages in VLAN 1.
  • Page 168

    [DeviceD-mtlk-group1] quit
    [DeviceD] interface gigabitethernet 1/0/1
    [DeviceD-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] smart-link flush enable...
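The Smart Link and Monitor Link chapters above describe a mechanism rather than show it running: on failure the standby port takes over and sends a flush message in the control VLAN, associated devices that accept flush messages on that port clear their address tables, and Monitor Link turns an upstream link loss into a downlink loss the smart link device can see. The following model, added here as an example and not code from the manual or from H3C, plays that sequence through for the topology of the Monitor Link example (Device C dual-uplinked to Device A through Device B and Device D) and shows what goes wrong when flush reception is not enabled and what role preemption changes. Class names, the host MAC "H" and the port wiring are this example's own assumptions.

```python
"""Smart Link failover, flush messages and Monitor Link, worked in Python.

Added example, not code from the manual: a small model of the topology in
the Monitor Link example above (Device C dual-uplinked to Device A through
Device B and Device D). It shows why the flush message exists (without it
the upstream MAC table keeps pointing at the failed link) and what role
preemption changes when the failed uplink retur.ns. Class names, the host
MAC "H" and the port wiring are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SmartLinkGroup:
    master: str
    slave: str
    control_vlan: int                 # 'flush enable control-vlan N'
    preempt: bool = False             # 'preemption mode role'
    active: str = field(init=False)
    up: Dict[str, bool] = field(init=False)

    def __post_init__(self):
        self.active = self.master
        self.up = {self.master: True, self.slave: True}

    def standby(self) -> str:
        return self.slave if self.active == self.master else self.master

    def port_down(self, port: str) -> Optional[str]:
        """Link loss on the active port: the standby takes over and a flush
        message goes out on it. Returns the new active port, else None."""
        self.up[port] = False
        if port != self.active or not self.up[self.standby()]:
            return None
        self.active = self.standby()
        return self.active

    def port_up(self, port: str) -> Optional[str]:
        """Link restored: only with role preemption does the master take the
        active role back (again announced with a flush message)."""
        self.up[port] = True
        if self.preempt and port == self.master and self.active != self.master:
            self.active = self.master
            return self.active
        return None


@dataclass
class MonitorLinkGroup:
    """Device B: when its uplink goes down it shuts its downlinks, so the smart
    link device behind them sees a link failure instead of a silent dead end."""
    uplink: str
    downlinks: List[str]

    def uplink_down(self) -> List[str]:
        return list(self.downlinks)          # ports forced down

    def uplink_up(self) -> List[str]:
        return list(self.downlinks)          # ports brought back up


@dataclass
class UpstreamSwitch:
    """Device A: learns host MACs per port and clears its table when a flush
    message arrives on a port enabled for that control VLAN."""
    flush_rx: Dict[str, Set[int]]            # port -> control VLANs accepted
    mac_table: Dict[str, str] = field(default_factory=dict)

    def learn(self, mac: str, port: str) -> None:
        self.mac_table[mac] = port

    def lookup(self, mac: str) -> Optional[str]:
        return self.mac_table.get(mac)       # None: unknown, the frame is flooded

    def receive_flush(self, port: str, vlan: int) -> bool:
        if vlan in self.flush_rx.get(port, set()):
            self.mac_table.clear()
            return True
        return False


def failover_scenario(flush_enabled: bool, preempt: bool) -> List[Tuple[str, Optional[str]]]:
    """(Device C's active port, port Device A would use for host H) at three
    moments: steady state, right after Device B loses its uplink, after it
    returns. Wiring: C GE1/0/1 -> B -> A GE1/0/1 and C GE1/0/2 -> D -> A GE1/0/2."""
    to_a = {"GE1/0/1": "GE1/0/1", "GE1/0/2": "GE1/0/2"}       # C port -> A port on that path
    c = SmartLinkGroup("GE1/0/1", "GE1/0/2", control_vlan=1, preempt=preempt)
    b = MonitorLinkGroup(uplink="GE1/0/1", downlinks=["GE1/0/2"])   # B GE1/0/2 faces C's master
    a = UpstreamSwitch({p: {1} for p in to_a.values()} if flush_enabled else {})

    a.learn("H", to_a[c.active])                 # H behind C reached A over the master link
    trace = [(c.active, a.lookup("H"))]

    for _shut in b.uplink_down():                # B shuts GE1/0/2: C's master port goes down
        new_active = c.port_down(c.master)
        if new_active:
            a.receive_flush(to_a[new_active], c.control_vlan)
    trace.append((c.active, a.lookup("H")))      # a stale port here black-holes frames to H

    a.learn("H", to_a[c.active])                 # H sends again; A learns the new path
    for _restored in b.uplink_up():
        new_active = c.port_up(c.master)
        if new_active:
            a.receive_flush(to_a[new_active], c.control_vlan)
    trace.append((c.active, a.lookup("H")))
    return trace
```

Reading the trace: with flush reception enabled, Device A's entry for H becomes None right after the switchover, so the next frame to H is flooded and reaches it over the new path; without it the entry still names the dead path until H itself sends a frame or the entry ages out. Without preemption the group simply stays on the slave when the master link returns, which is why the manual's examples that need the master back configure preemption mode role.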
  • Page 169

    Table of Contents
    1 VLAN Configuration (1-1)
      Introduction to VLAN (1-1)
        VLAN Overview (1-1)
        VLAN Fundamentals (1-2)
        Types of VLAN (1-3)
      Configuring Basic VLAN Settings (1-3)
      Configuring Basic Settings of a VLAN Interface (1-4)
      Port-Based VLAN Configuration (1-5)
        Introduction to Port-Based VLAN (1-5)
        Assigning an Access Port to a VLAN (1-6)
        Assigning a Trunk Port to a VLAN (1-7)
        Assigning a Hybrid Port to a VLAN (1-8)...
  • Page 170: Vlan Configuration

    VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN Configuring Basic VLAN Settings Configuring Basic Settings of a VLAN Interface Port-Based VLAN Configuration Displaying and Maintaining VLAN VLAN Configuration Example Introduction to VLAN VLAN Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism.
  • Page 171: Vlan Fundamentals

    Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. Communication between VLANs then requires a router or Layer 3 switch, which is also where inter-VLAN traffic can be filtered.
    Flexible virtual workgroup creation. Because users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance are much easier and more flexible.
  • Page 172: Types Of Vlan

    The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification.
  • Page 173: Configuring Basic Settings Of A Vlan Interface

    As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. A VLAN operating as a probe VLAN for remote port mirroring or an RRPP protected VLAN cannot be removed with the undo vlan command.
  • Page 174: Port-Based Vlan Configuration

    Before creating a VLAN interface for a VLAN, create the VLAN first. Port-Based VLAN Configuration Introduction to Port-Based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
  • Page 175: Assigning An Access Port To A Vlan

    Set the same default VLAN ID on the local and remote ports. If the two ends of a link use different default VLAN IDs, untagged frames leave one port in its default VLAN and enter the peer's default VLAN, silently merging two VLANs across that link. Ensure that a port is assigned to its default VLAN. Otherwise, when the port receives frames tagged with the default VLAN ID or untagged frames (including protocol packets such as STP BPDUs), the port filters out these frames.
  • Page 176: Assigning A Trunk Port To A Vlan

    In VLAN view, you only assign the access ports to the current VLAN. In interface or port group view Follow these steps to assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN: To do…...
  • Page 177: Assigning A Hybrid Port To A Vlan

    To do / Use the command / Remarks:
    - Enter Ethernet interface view / interface interface-type interface-number / Required; use either command. In Ethernet interface view, the subsequent configurations apply to the current port.
    - Enter Layer-2 aggregate interface view / interface bridge-aggregation interface-number / In Layer-2 aggregate interface view, the subsequent configurations...
    - Enter port group view / ...
  • Page 178: Displaying And Maintaining Vlan

    To do / Use the command / Remarks:
    - Enter port group view / port-group manual port-group-name / In port group view, the subsequent configurations apply to all ports in the port group. In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate interface and all its member ports.
    - Configure the link type of the port as hybrid / port link-type hybrid / Required...
  • Page 179: Vlan Configuration Example

    VLAN Configuration Example Network requirements Device A connects to Device B through a trunk port GigabitEthernet 1/0/1; The default VLAN ID of GigabitEthernet 1/0/1 is 100; GigabitEthernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
  • Page 180

    <DeviceA> display interface GigabitEthernet 1/0/1
    GigabitEthernet1/0/1 current state: UP
    IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 0000-5600-0000
    Description: GigabitEthernet1/0/1 Interface
    Loopback is not set
    Media type is twisted pair, Port hardware type is 1000_BASE_T
    Unknown-speed mode, unknown-duplex mode
    Link speed type is autonegotiation, link duplex type is autonegotiation
    Flow-control is not enabled
    The Maximum Frame Length is 1500
    Broadcast MAX-ratio: 100%...
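The VLAN fundamentals and port-based VLAN sections above describe the 802.1Q tag and the access, trunk and hybrid ingress and egress rules in prose. The following code, added here as an example and not taken from the manual, inserts and strips the 4-byte tag and applies those rules to the trunk port of the configuration example (GigabitEthernet 1/0/1 with default VLAN 100, permitting VLANs 2, 6 through 50 and 100), including the two failure cases the text warns about: a default VLAN the port is not assigned to, and a tagged frame for a VLAN the port does not permit. The function names, the Port class and the sample frame are this example's own.

```python
"""802.1Q tagging and port-based VLAN admission, worked in Python.

Added example, not code from the manual: it inserts/strips the 4-byte VLAN
tag described in "VLAN Fundamentals" and applies the access/trunk/hybrid
ingress and egress rules above to the trunk port of the configuration
example (PVID 100; VLANs 2, 6 to 50 and 100 permitted). Names and the
sample frame are this example's own.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TPID = 0x8100          # 802.1Q tag protocol identifier


def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (stacked VLAN IDs outermost first, EtherType after the tags)."""
    off, vids = 12, []
    while len(frame) >= off + 4 and struct.unpack(">H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack(">H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return vids, struct.unpack(">H", frame[off:off + 2])[0]


def tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag right after the source MAC (it becomes the outermost tag)."""
    return frame[:12] + struct.pack(">HH", TPID, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def untag(frame: bytes) -> bytes:
    """Strip the outermost tag, if there is one."""
    if len(frame) >= 16 and struct.unpack(">H", frame[12:14])[0] == TPID:
        return frame[:12] + frame[16:]
    return frame


@dataclass
class Port:
    link_type: str                          # "access", "trunk" or "hybrid"
    pvid: int                               # default VLAN of the port
    permitted: FrozenSet[int]               # VLANs the port is assigned to
    untagged: FrozenSet[int] = frozenset()  # hybrid only: VLANs sent untagged


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN a received frame is assigned to, or None if the port drops it."""
    vids, _ = parse_tags(frame)
    vid = vids[0] if vids and vids[0] != 0 else port.pvid   # untagged or VID 0: use PVID
    if port.link_type == "access":
        return vid if vid == port.pvid else None
    return vid if vid in port.permitted else None           # PVID not permitted: dropped too


def egress_frame(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Frame as it leaves the port for VLAN `vid` (given untagged), or None if not sent."""
    if port.link_type == "access":
        return frame if vid == port.pvid else None
    if vid not in port.permitted:
        return None
    send_untagged = vid == port.pvid if port.link_type == "trunk" else vid in port.untagged
    return frame if send_untagged else tag(frame, vid)


def permitted_vlans(*ranges) -> FrozenSet[int]:
    """permitted_vlans(2, (6, 50), 100) mirrors 'port trunk permit vlan 2 6 to 50 100'."""
    out = set()
    for r in ranges:
        out.update(range(r[0], r[1] + 1) if isinstance(r, tuple) else [r])
    return frozenset(out)


# Constructed sample input: an untagged IPv4 frame and the trunk port of the example above.
UNTAGGED = bytes.fromhex("000fe2000002000fe20000010800") + b"\x45" + b"\x00" * 19
GE1_0_1 = Port("trunk", pvid=100, permitted=permitted_vlans(2, (6, 50), 100))

if __name__ == "__main__":
    print(ingress_vlan(GE1_0_1, UNTAGGED), ingress_vlan(GE1_0_1, tag(UNTAGGED, 3)))
```

parse_tags walks stacked tags, so a frame carrying two 0x8100 headers is reported as such rather than being classified on the outer tag alone; on a trunk the switch only looks at the outer one, which is the property double-tagging attacks rely on and another reason to keep the trunk's default VLAN unused by hosts.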
  • Page 181

    Table of Contents
    1 GVRP Configuration (1-1)
      Introduction to GVRP (1-1)
        GARP (1-1)
        GVRP (1-4)
        Protocols and Standards (1-4)
      GVRP Configuration Task List (1-4)
      Configuring GVRP Functions (1-4)
      Configuring GARP Timers (1-5)
      Displaying and Maintaining GVRP (1-7)
      GVRP Configuration Examples (1-7)
        GVRP Configuration Example I (1-7)
        GVRP Configuration Example II (1-8)
        GVRP Configuration Example III (1-10)...
  • Page 182: Gvrp Configuration

    GVRP Configuration The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Task List Configuring GVRP Functions...
  • Page 183

    GARP timers
    GARP uses the following four timers to set the interval for sending GARP messages:
    - Hold timer: When a GARP application entity receives the first registration request, it starts a Hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message.
  • Page 184

    GARP message format
    Figure 1-1 GARP message format
    Figure 1-1 illustrates the GARP message format. Table 1-1 describes the GARP message fields.
    Table 1-1 Description of the GARP message fields (Field / Description / Value):
    - Protocol ID / Protocol identifier for GARP / ...
    - Message / One or multiple messages, each containing... / ––...
  • Page 185: Gvrp

    GVRP
    GVRP enables a device to propagate its local VLAN registration information to other participating devices, and to update its local database of active VLAN members, and of the ports through which they can be reached, from the registration information it receives from other devices. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. Because a port in normal registration mode accepts whatever VLANs its neighbor declares, run normal mode only toward switches you control; the fixed and forbidden registration modes described later are the way to stop a port from creating VLANs on the device.
  • Page 186: Configuring Garp Timers

    To do / Use the command / Remarks:
    - Enter system view / system-view / ––
    - Enable GVRP globally / gvrp / Required; globally disabled by default
    - Enter Ethernet interface view or Layer 2 aggregate interface view / interface interface-type interface-number / Required; perform either of the...
  • Page 187

    To do / Use the command / Remarks:
    - Configure the GARP LeaveAll timer / garp timer leaveall timer-value / Optional; the default is 1000 centiseconds.
    - Enter Ethernet interface view or Layer 2 aggregate interface view, or enter port group view / interface interface-type interface-number / Required; perform either of the commands. Depending on the view you...
  • Page 188: Displaying And Maintaining Gvrp

    Displaying and Maintaining GVRP
    To do / Use the command / Remarks:
    - Display statistics about GARP / display garp statistics [ interface interface-list ] / Available in any view
    - Display GARP timers for specified or all ports / display garp timer [ interface interface-list ] / Available in any view
    - Display the local VLAN information / display gvrp local-vlan interface...
  • Page 189: Gvrp Configuration Example Ii

    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on trunk port GigabitEthernet 1/0/1.
    [DeviceA-GigabitEthernet1/0/1] gvrp
    [DeviceA-GigabitEthernet1/0/1] quit
    # Create VLAN 2 (a static VLAN).
    [DeviceA] vlan 2
    Configure Device B
    # Enable GVRP globally.
    <DeviceB> system-view
    [DeviceB] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceB] interface gigabitethernet 1/0/1
    [DeviceB-GigabitEthernet1/0/1] port link-type trunk
    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan all...
  • Page 190

    Configuration procedure
    Configure Device A
    # Enable GVRP globally.
    <DeviceA> system-view
    [DeviceA] gvrp
    # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass through.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    # Enable GVRP on GigabitEthernet 1/0/1 and set the GVRP registration type to fixed on the port.
  • Page 191: Gvrp Configuration Example Iii

    GVRP Configuration Example III
    Network requirements
    To prevent dynamic VLAN information registration and update among devices, set the GVRP registration mode to forbidden on Device A and normal on Device B.
    Figure 1-4 Network diagram for GVRP configuration
    Configuration procedure
    Configure Device A
    # Enable GVRP globally.
  • Page 192

    # Display dynamic VLAN information on Device A.
    [DeviceA] display vlan dynamic
    No dynamic vlans exist!
    # Display dynamic VLAN information on Device B.
    [DeviceB] display vlan dynamic
    No dynamic vlans exist!
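The three GVRP examples above differ only in the registration mode of the trunk port, and the text states the outcomes without showing the exchange. The following model, added here as an example and not code from the manual or from H3C, runs the Join exchange between two devices under the normal, fixed and forbidden modes and reproduces the results of Example I (Device B learns VLAN 2 dynamically) and Example III ("No dynamic vlans exist!" on both sides). It also checks the GARP timer relationships, which are the ones the Comware garp timer commands enforce as I know them (verify against your command reference). The class and function names are this example's own.

```python
"""GVRP registration modes and GARP timer rules, worked in Python.

Added example, not code from the manual: a two-device model of what the
GVRP registration mode (normal, fixed, forbidden) on the trunk port lets a
device learn dynamically, reproducing the outcomes of configuration examples
I and III above, plus a check of the GARP timer constraints. Names are this
example's own; the timer constraints are the ones the Comware garp timer
commands enforce (verify against your command reference).
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class GvrpDevice:
    name: str
    mode: str                                   # registration mode of its trunk port
    static_vlans: Set[int]                      # VLANs created with 'vlan N'
    dynamic_vlans: Set[int] = field(default_factory=set)

    def declarations(self) -> Set[int]:
        """VLANs the GARP applicant announces on the trunk port."""
        if self.mode == "forbidden":            # forbidden: only VLAN 1 is propagated
            return {1}
        return self.static_vlans | self.dynamic_vlans

    def on_join(self, vid: int) -> bool:
        """GARP registrar: does a Join for `vid` create a dynamic VLAN here?"""
        if vid in self.static_vlans or vid in self.dynamic_vlans:
            return False
        if self.mode != "normal":               # fixed/forbidden never register dynamically
            return False
        self.dynamic_vlans.add(vid)
        return True

    def on_leave(self, vid: int) -> bool:
        """A Leave (or a LeaveAll cycle without re-Join) removes a dynamic VLAN."""
        if vid in self.dynamic_vlans:
            self.dynamic_vlans.remove(vid)
            return True
        return False


def converge(a: GvrpDevice, b: GvrpDevice) -> Tuple[List[int], List[int]]:
    """Exchange Join messages both ways until nothing changes; return the
    dynamic VLANs on each device."""
    changed = True
    while changed:
        changed = False
        for src, dst in ((a, b), (b, a)):
            for vid in sorted(src.declarations()):
                changed |= dst.on_join(vid)
    return sorted(a.dynamic_vlans), sorted(b.dynamic_vlans)


GARP_DEFAULT_CS = {"hold": 10, "join": 20, "leave": 60, "leaveall": 1000}


def garp_timer_violations(hold: int, join: int, leave: int, leaveall: int) -> List[str]:
    """Relationships the four timers (centiseconds) must keep; empty means valid."""
    names = ("hold", "join", "leave", "leaveall")
    problems = [f"{n} is not a multiple of 5 cs"
                for n, v in zip(names, (hold, join, leave, leaveall)) if v % 5]
    if hold * 2 > join:
        problems.append("hold must be at most half of join")
    if join * 2 > leave:
        problems.append("join must be at most half of leave")
    if leave >= leaveall:
        problems.append("leave must be less than leaveall")
    return problems


if __name__ == "__main__":
    print(converge(GvrpDevice("A", "normal", {1, 2}), GvrpDevice("B", "normal", {1})))
    print(converge(GvrpDevice("A", "forbidden", {1, 2}), GvrpDevice("B", "normal", {1, 3})))
    print(garp_timer_violations(**GARP_DEFAULT_CS))
```

The model makes the security property of the modes explicit: only a normal-mode port ever adds a VLAN it did not have, so a user-facing port in fixed or forbidden mode cannot be used to create VLANs on the switch, whatever the attached device declares.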
  • Page 193

    Table of Contents
    1 Port Mirroring Configuration (1-1)
      Introduction to Port Mirroring (1-1)
        Classification of Port Mirroring (1-1)
        Implementing Port Mirroring (1-1)
      Configuring Local Port Mirroring (1-4)
      Configuring Remote Port Mirroring (1-5)
        Configuration Prerequisites (1-5)
        Configuring a Remote Source Mirroring Group (on the Source Device) (1-5)
        Configuring a Remote Destination Mirroring Group (on the Destination Device) (1-7)
      Displaying and Maintaining Port Mirroring (1-8)
      Port Mirroring Configuration Examples (1-8)...
  • Page 194: Port Mirroring Configuration

    Port Mirroring Configuration When configuring port mirroring, go to these sections for information you are interested in: Introduction to Port Mirroring Configuring Local Port Mirroring Configuring Remote Port Mirroring Displaying and Maintaining Port Mirroring Port Mirroring Configuration Examples Introduction to Port Mirroring Port mirroring is to copy the packets passing through a port (called a mirroring port) to another port (called the monitor port) connected with a monitoring device for packet analysis.
  • Page 195 Local port mirroring In local port mirroring, all packets (including protocol packets and data packets) passing through a port can be mirrored. Local port mirroring is implemented through a local mirroring group. As shown in Figure 1-1, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
  • Page 196 Source device The source device is the device where the mirroring ports are located. On it, you must create a remote source mirroring group to hold the mirroring ports. The source device copies the packets passing through the mirroring ports, broadcasts the packets in the remote probe VLAN for remote mirroring, and transmits the packets to the next device, which could be an intermediate device (if any) or the destination device.
  • Page 197: Configuring Local Port Mirroring

    An S5810 series switch supports up to two mirroring groups. These two mirroring groups can be: A local mirroring group and a remote destination mirroring group. A remote source mirroring group and a remote destination mirroring group. Configuring Local Port Mirroring Configuring local port mirroring is to configure local mirroring groups.
  • Page 198: Configuring Remote Port Mirroring

    A local mirroring group takes effect only after you configure a monitor port and mirroring ports for it.
    To ensure the smooth operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
    A port can belong to only one mirroring group.
    Use a monitor port only for port mirroring: it carries a copy of everything the mirroring ports see, so nothing but the monitoring device should be connected to it.
  • Page 199

    To do / Use the command / Remarks:
    - Enter system view / system-view / —
    - Create a remote source mirroring group / mirroring-group groupid remote-source / Required
    - Configure mirroring ports for the group in system view / mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound } / Required; in system view, you can configure a list of mirroring ports for the mirroring group...
    - Configure a mirroring port in interface view / interface interface-type...
  • Page 200: Configuring A Remote Destination Mirroring Group (On The Destination Device)

    The port must not be a mirroring port in the mirroring group or a monitor port for traffic mirroring. The port must be an access port that belongs to the default VLAN. Do not configure port loopback on the port. You can configure a port as a reflector port only when the port is operating with the default duplex mode, port rate, and MDI setting.
  • Page 201: Displaying And Maintaining Port Mirroring

    To do… Use the command… Remarks: Assign the monitor port to the remote probe VLAN. For a trunk port: port trunk permit vlan rprobe-vlan-id. For a hybrid port: port hybrid vlan rprobe-vlan-id { tagged | untagged }. Use one of these commands depending on the link type of the monitor port. When configuring the probe VLAN, use the following guidelines: A VLAN can be the remote probe VLAN of only one port mirroring group.
  • Page 202 Data monitoring device is connected to Switch C through GigabitEthernet 1/0/3. As shown in Figure 1-3, the administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data monitoring device. Use the local port mirroring function to meet the requirement.
  • Page 203: Remote Port Mirroring Configuration Example

    Remote Port Mirroring Configuration Example Network requirements On the network shown in Figure 1-4, Department 1 is connected to port GigabitEthernet 1/0/1 of Device A. Department 2 is connected to port GigabitEthernet 1/0/2 of Device A. The trunk port GigabitEthernet 1/0/3 on Device A connects to the trunk port GigabitEthernet 1/0/1 on Device B.
  • Page 204 # Configure VLAN 2 as the remote probe VLAN, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports, and port GigabitEthernet 1/0/4 as the reflector port in the mirroring group. [DeviceA] mirroring-group 1 remote-probe vlan 2 [DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both [DeviceA] mirroring-group 1 reflector-port gigabitethernet 1/0/4 # Configure port GigabitEthernet 1/0/3 as a trunk port that permits the packets of VLAN 2 to pass through.
  • Page 205 After finishing the configuration, you can monitor all the packets received and sent by Department 1 and Department 2 on the Server. 1-12...
  • Page 206 IP Services Volume Organization Manual Version 6W100-20090626 Product Version Release 1102 Organization The IP Services Volume is organized as follows: Features and Description: IP Address: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: Introduction to IP addresses; IP address configuration...
  • Page 207 Features and Description: FTP and TFTP: The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network. The Trivial File Transfer Protocol (TFTP) provides functions similar to those provided by FTP. This document describes: FTP Configuration; TFTP Configuration...
  • Page 208 Table of Contents: 1 IP Addressing Configuration (1-1); IP Addressing Overview (1-1); IP Address Classes (1-1); Special IP Addresses (1-2); Subnetting and Masking (1-2); Configuring IP Addresses (1-3); Assigning an IP Address to an Interface (1-3); IP Addressing Configuration Example (1-4); Displaying and Maintaining IP Addressing (1-5)...
  • Page 209: Ip Addressing Configuration

    IP Addressing Configuration When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying and Maintaining IP Addressing IP Addressing Overview This section covers these topics: IP Address Classes Special IP Addresses IP Address Classes...
  • Page 210: Special Ip Addresses

    Table 1-1 IP address classes and ranges (columns: Class; Address range; Remarks). Class A: 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
  • Page 211: Configuring Ip Addresses

    In the absence of subnetting, some special addresses, such as the addresses with a net ID of all zeros and the addresses with a host ID of all ones, are not assignable to hosts. The same is true with subnetting. When designing your network, note that subnetting is a tradeoff between the number of subnets and the number of hosts each subnet can accommodate.
  • Page 212: Ip Addressing Configuration Example

    The primary IP address you assign to the interface overwrites the old one, if any. You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP enabled. IP Addressing Configuration Example Network requirements As shown in Figure 1-3, a port in VLAN 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
  • Page 213: Displaying And Maintaining Ip Addressing

    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms...
  • Page 214 Table of Contents: 1 IP Performance Optimization Configuration (1-1); IP Performance Optimization Overview (1-1); Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network (1-1); Enabling Reception of Directed Broadcasts to a Directly Connected Network (1-1); Enabling Forwarding of Directed Broadcasts to a Directly Connected Network (1-2); Configuration Example (1-2); Configuring TCP Attributes (1-3); Enabling the SYN Cookie Feature (1-3)...
  • Page 215: Ip Performance Optimization Configuration

    Enable the device to receive directed broadcasts: ip forward-broadcast. By default, the device is enabled to receive directed broadcasts. Currently, this command is ineffective on the S5810 series Ethernet switches. That is, the switches cannot be disabled from receiving directed broadcasts.
  • Page 216: Enabling Forwarding Of Directed Broadcasts To A Directly Connected Network

    Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts: To do… Use the command… Remarks: Enter system view: system-view. Enter interface view: interface interface-type interface-number. Enable the interface to forward directed broadcasts (Required): ip forward-broadcast [ acl ... By default, the device is...
  • Page 217: Configuring Tcp Attributes

    [SwitchA-Vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [SwitchA-Vlan-interface2] ip forward-broadcast Configure Switch B <SwitchB> system-view # Configure a static route to the host. [SwitchB] ip route-static 1.1.1.1 24 2.2.2.2 # Configure an IP address for VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 2.2.2.1 24 After the above configurations, if you ping the subnet broadcast address (2.2.2.255) of VLAN-interface...
  • Page 218: Enabling Protection Against Naptha Attacks

    If MD5 authentication is enabled, the SYN Cookie feature does not take effect even if it is enabled. If you then disable MD5 authentication, the SYN Cookie feature takes effect automatically. With the SYN Cookie feature enabled, only the MSS is negotiated during TCP connection establishment; the window scale factor and timestamp are not.
  • Page 219: Configuring Tcp Optional Parameters

    With protection against Naptha attacks enabled, the device periodically checks and records the number of TCP connections in each state. If the device detects that the number of TCP connections in a state exceeds the configured maximum, it treats this as a Naptha attack and accelerates the aging of those TCP connections.
  • Page 220: Configuring Icmp To Send Error Packets

    Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management. Advantages of sending ICMP error packets There are three kinds of ICMP error packets: redirect packets, timeout packets and destination unreachable packets.
  • Page 221: Displaying And Maintaining Ip Performance Optimization

    Disadvantages of sending ICMP error packets Although sending ICMP error packets facilitates network control and management, it still has the following disadvantages: Sending a lot of ICMP packets will increase network traffic. If a device receives a lot of malicious packets that cause it to send ICMP error packets, its performance will be reduced.
  • Page 222 Clear UDP traffic statistics: reset udp statistics (available in user view). Currently, the S5810 series Ethernet switches do not support the display fib ip-prefix ip-prefix-name command. That is, they do not display FIB entries matching a specified IP prefix list.
  • Page 223 Table of Contents: 1 ARP Configuration (1-1); ARP Overview (1-1); ARP Function (1-1); ARP Message Format (1-1); ARP Address Resolution Process (1-2); ARP Table (1-3); Configuring ARP (1-3); Configuring a Static ARP Entry (1-3); Configuring the Maximum Number of ARP Entries for an Interface (1-4); Setting the Aging Time for Dynamic ARP Entries (1-4); Enabling the ARP Entry Check (1-5); ARP Configuration Example (1-5)...
  • Page 224: Arp Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: ARP Overview Configuring ARP Configuring Gratuitous ARP Displaying and Maintaining ARP ARP Overview ARP Function The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address).
  • Page 225: Arp Address Resolution Process

    OP: Operation code. This field specifies the type of the ARP message. The value “1” represents an ARP request and “2” represents an ARP reply. Sender hardware address: This field specifies the hardware address of the device sending the message. Sender protocol address: This field specifies the protocol address of the device sending the message.
  • Page 226: Arp Table

    ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping is used for forwarding packets with the same destination in future. An ARP table contains ARP entries, which fall into one of two categories: dynamic or static. Dynamic ARP entry A dynamic entry is automatically created and maintained by ARP.
  • Page 227: Configuring The Maximum Number Of Arp Entries For An Interface

    To do… Use the command… Remarks: Enter system view: system-view. Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number (Required; no long static ARP entry is configured by default). Configure a short static ARP entry: arp static ip-address mac-address... (Required; no short static ARP entry is configured by default)
  • Page 228: Enabling The Arp Entry Check

    Enabling the ARP Entry Check The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system displays error messages. After the ARP entry check is disabled, the device can learn the ARP entry with a multicast MAC address, and you can also configure such a static ARP entry on the device.
  • Page 229: Configuring Gratuitous Arp

    [Switch] interface GigabitEthernet 1/0/1 [Switch-GigabitEthernet1/0/1] port access vlan 10 [Switch-GigabitEthernet1/0/1] quit # Create interface VLAN-interface 10 and configure its IP address. [Switch] interface vlan-interface 10 [Switch-vlan-interface10] ip address 192.168.1.2 8 [Switch-vlan-interface10] quit # Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The outgoing interface corresponding to the static ARP entry is GigabitEthernet 1/0/1, which belongs to VLAN 10.
  • Page 230: Displaying And Maintaining Arp

    Displaying and Maintaining ARP To do… Use the command… Remarks: Display ARP entries in the ARP table: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ [ | { begin | exclude | include } regular-expression ] | count ] (available in any view)...
  • Page 231: Arp Attack Defense Configuration

    ARP Attack Defense Configuration When configuring ARP attack defense, go to these sections for information you are interested in: Configuring ARP Source Suppression Configuring ARP Active Acknowledgement Configuring Source MAC Address Based ARP Attack Detection Configuring ARP Packet Source MAC Address Consistency Check Configuring ARP Packet Rate Limit Configuring ARP Detection Although ARP is easy to implement, it provides no security mechanism and thus is prone to network...
  • Page 232: Configuring Arp Source Suppression

    Configuring ARP Source Suppression Introduction to ARP Source Suppression If a device receives large numbers of IP packets from a host to unreachable destinations, the following problems occur: the device sends large numbers of ARP requests to the destination subnets, which increases the load on the destination subnets; and the device continuously resolves destination IP addresses, which increases the load on the CPU.
  • Page 233: Configuring Source Mac Address Based Arp Attack Detection

    To do… Use the command… Remarks: Enter system view: system-view. Enable the ARP active acknowledgement function: arp anti-attack active-ack enable (Required; disabled by default). Configuring Source MAC Address Based ARP Attack Detection Introduction to Source MAC Address Based ARP Attack Detection This feature allows the device to check the source MAC address of ARP packets.
  • Page 234: Configuring Arp Packet Source Mac Address Consistency Check

    A protected MAC address is no longer excluded from detection after the specified aging time expires. Configuring ARP Packet Source MAC Address Consistency Check Introduction to ARP Packet Source MAC Address Consistency Check This feature enables a gateway device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message, so that the gateway device can learn correct ARP entries.
  • Page 235: Configuring Arp Detection

    Configuring ARP Detection For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume. Introduction to ARP Detection The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence preventing man-in-the-middle attacks. Man-in-the-middle attack According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table even if the MAC address is not the requested one.
  • Page 236: Enabling Arp Detection Based On Dhcp Snooping Entries/Static Ip-To-Mac Bindings

    ARP detection mechanism With ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the check are forwarded, and other ARP messages are discarded. Enabling ARP Detection Based on DHCP Snooping Entries/Static IP-to-MAC Bindings With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet...
  • Page 237: Configuring Arp Detection Based On Specified Objects

    If the access clients are few in number and use static IP addresses, it is recommended that you configure static IP Source Guard binding entries and enable ARP detection based on DHCP snooping entries on your access device. Follow these steps to enable ARP detection for a VLAN and specify a trusted port: To do…...
  • Page 238: Displaying And Maintaining Arp Detection

    dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded. ip: Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
  • Page 239 Figure 2-2 Network diagram for ARP detection configuration Configuration procedure Add all the ports on Switch A to VLAN 10 (the configuration procedure is omitted). Configure DHCP server (the configuration procedure is omitted). Configure Host A and Host B as DHCP clients (the configuration procedure is omitted). Configure Switch A # Enable DHCP snooping.
  • Page 240 [SwitchA] arp detection mode static-bind # Enable the checking of the MAC addresses and IP addresses of ARP packets. [SwitchA] arp detection validate dst-mac ip src-mac After the preceding configurations are completed, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked against the IP-to-MAC binding and finally DHCP snooping entries.
  • Page 241 Table of Contents: 1 DHCP Client Configuration (1-1); Introduction to DHCP Client (1-1); Enabling the DHCP Client on an Interface (1-1); Displaying and Maintaining the DHCP Client (1-2); DHCP Client Configuration Example (1-2); 2 DHCP Snooping Configuration (2-1); DHCP Snooping Overview (2-1); Functions of DHCP Snooping (2-1); Application Environment of Trusted Ports (2-2); DHCP Snooping Support for Option 82 (2-3); Configuring DHCP Snooping Basic Functions (2-4)...
  • Page 242: Dhcp Client Configuration

    This document is organized as follows: DHCP Client Configuration DHCP Snooping Configuration BOOTP Client Configuration DHCP Client Configuration When configuring the DHCP client, go to these sections for information you are interested in: Introduction to DHCP Client Enabling the DHCP Client on an Interface Displaying and Maintaining the DHCP Client DHCP Client Configuration Example When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a...
  • Page 243: Displaying And Maintaining The Dhcp Client

    An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. After the DHCP client is enabled on an interface, no secondary IP address can be configured for the interface.
  • Page 244: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview Configuring DHCP Snooping Basic Functions Configuring DHCP Snooping to Support Option 82 Displaying and Maintaining DHCP Snooping DHCP Snooping Configuration Examples The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP server, and it can work when it is between the DHCP client and relay agent or between the DHCP client and server.
  • Page 245: Application Environment Of Trusted Ports

    clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following: ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details, refer to ARP Configuration in the IP Services Volume.
  • Page 246: Dhcp Snooping Support For Option

    Figure 2-2 Configure trusted ports in a cascaded network Table 2-1 describes roles of the ports shown in Figure 2-2. Table 2-1 Roles of ports (columns: Device; Untrusted port; Trusted port disabled from recording binding entries; Trusted port enabled to record binding entries). Switch A: GigabitEthernet 1/0/1; GigabitEthernet 1/0/3...
  • Page 247: Configuring Dhcp Snooping Basic Functions

    (Columns: If a client’s requesting message has…; Handling strategy; Padding format; The DHCP snooping device will…) Replace, normal: Forward the message after replacing the original Option 82 with the Option 82 padded in normal format. Replace, verbose: Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
  • Page 248: Prerequisites

    You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports.
  • Page 249: Displaying And Maintaining Dhcp Snooping

    To do… Use the command… Remarks: Configure the code type for the remote ID sub-option: dhcp-snooping information remote-id format-type { ascii | hex } (Optional; hex by default; the code type configuration applies to non-user-defined Option 82 only). Configure the padding content for ...: dhcp-snooping information [ vlan...
  • Page 250: Dhcp Snooping Configuration Examples

    DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements As shown in Figure 2-3, Switch A is connected to a DHCP server through GigabitEthernet1/0/1, and to two DHCP clients through GigabitEthernet1/0/2 and GigabitEthernet1/0/3. GigabitEthernet1/0/1 forwards DHCP server responses while the other two do not. Switch A records clients’...
  • Page 251: Enable Dhcp Snooping

    Configuration procedure # Enable DHCP snooping. <SwitchA> system-view [SwitchA] dhcp-snooping # Specify GigabitEthernet1/0/1 as trusted. [SwitchA] interface GigabitEthernet1/0/1 [SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchA-GigabitEthernet1/0/1] quit # Configure GigabitEthernet1/0/2 to support Option 82. [SwitchA] interface GigabitEthernet1/0/2 [SwitchA-GigabitEthernet1/0/2] dhcp-snooping information enable [SwitchA-GigabitEthernet1/0/2] dhcp-snooping information strategy replace [SwitchA-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001 [SwitchA-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001 [SwitchA-GigabitEthernet1/0/2] quit...
  • Page 252: Bootp Client Configuration

    BOOTP Client Configuration While configuring a BOOTP client, go to these sections for information you are interested in: Introduction to BOOTP Client Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP Displaying and Maintaining BOOTP Client Configuration If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
  • Page 253: Obtaining An Ip Address Dynamically

    Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition. A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps: The BOOTP client broadcasts a BOOTP request, which contains its own MAC address. The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client.
  • Page 254: Bootp Client Configuration Example

    BOOTP Client Configuration Example Network requirement As shown in Figure 3-1, Switch A’s port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP. Figure 3-1 BOOTP network diagram (Client; WINS server 10.1.1.4/25...)
  • Page 255 Table of Contents: 1 IPv4 DNS Configuration (1-1); DNS Overview (1-1); Static Domain Name Resolution (1-1); Dynamic Domain Name Resolution (1-1); Configuring the IPv4 DNS Client (1-3); Configuring Static Domain Name Resolution (1-3); Configuring Dynamic Domain Name Resolution (1-3); Displaying and Maintaining IPv4 DNS (1-4); IPv4 DNS Configuration Examples (1-4); Static Domain Name Resolution Configuration Example (1-4); Dynamic Domain Name Resolution Configuration Example (1-5)...
  • Page 256: Ipv4 Dns Configuration

    IPv4 DNS Configuration When configuring DNS, go to these sections for information you are interested in: DNS Overview Configuring the IPv4 DNS Client Displaying and Maintaining IPv4 DNS IPv4 DNS Configuration Examples Troubleshooting IPv4 DNS Configuration DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses.
  • Page 257 Figure 1-1 Dynamic domain name resolution Figure 1-1 shows the relationship between the user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client can run on the same device or different devices, while the DNS server and the DNS client usually run on different devices.
  • Page 258: Configuring The Ipv4 Dns Client

    Configuring the IPv4 DNS Client Configuring Static Domain Name Resolution Configuring static domain name resolution refers to specifying the mappings between host names and IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses. Follow these steps to configure static domain name resolution: To do…...
  • Page 259: Displaying And Maintaining Ipv4 Dns

    You can configure up to six DNS servers. You can specify up to ten DNS suffixes. Displaying and Maintaining IPv4 DNS To do… Use the command… Remarks: Display the static IPv4 domain name resolution table: display ip host (available in any view). Display IPv4 DNS server information: display dns server [ dynamic ]...
  • Page 260: Dynamic Domain Name Resolution Configuration Example

    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=128 time=3 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/2/4 ms Dynamic Domain Name Resolution Configuration Example Network requirements As shown in...
  • Page 261 As shown in Figure 1-4, right click Forward Lookup Zones, select New zone, and then follow the instructions to create a new zone named com. Figure 1-4 Create a zone # Create a mapping between host name and IP address. Figure 1-5 Add a host As shown in Figure 1-5, right click zone com, and then select New Host to bring up a dialog box as shown in...
  • Page 262 Figure 1-6 Add a mapping between domain name and IP address Configure the DNS client # Enable dynamic domain name resolution. <Sysname> system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com Configuration verification # Use the ping host command on the device to verify that the communication between the device and...
  • Page 263: Troubleshooting Ipv4 Dns Configuration

    Troubleshooting IPv4 DNS Configuration Symptom After enabling the dynamic domain name resolution, the user cannot get the correct IP address. Solution Use the display dns dynamic-host command to verify that the specified domain name is in the cache. If the specified domain name does not exist, check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server.
  • Page 264 Table of Contents
    1 FTP Configuration 1-1
      FTP Overview 1-1
        Introduction to FTP 1-1
        Operation of FTP 1-1
      Configuring the FTP Client 1-3
        Establishing an FTP Connection 1-3
        Operating the Directories on an FTP Server 1-4
        Operating the Files on an FTP Server 1-5
        Using Another Username to Log In to an FTP Server 1-5
        Maintaining and Debugging an FTP Connection 1-6
        Terminating an FTP Connection 1-6...
  • Page 265: Ftp Configuration

    FTP Configuration
    When configuring FTP, go to these sections for information you are interested in:
    FTP Overview
    Configuring the FTP Client
    Configuring the FTP Server
    Displaying and Maintaining FTP

    FTP Overview
    Introduction to FTP
    The File Transfer Protocol (FTP) is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 266
    Table 1-1 Configuration when the device serves as the FTP client

    Device: Device (FTP client)
    Configuration: Use the ftp command to establish the connection to the remote FTP server
    Remarks: If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device must obtain the FTP username and password...
  • Page 267: Configuring The Ftp Client

    Configuring the FTP Client
    Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. Whether those commands succeed, however, depends on the permissions the FTP server grants to the account used.

    Establishing an FTP Connection
    To access an FTP server, an FTP client must establish a connection with the FTP server.
  • Page 268: Establishing An Ftp Connection

    To do: Log in to the remote FTP server directly in user view
    Command: ftp [ server-address [ service-port ] [ source { interface interface-type interface-number | ip source-ip-address } ] ]
    Remarks: Use either approach. The ftp command is available in user view;...
  • Page 269: Operating The Files On An Ftp Server

    Operating the Files on an FTP Server
    After the device serving as the FTP client has established a connection with an FTP server (for how to establish an FTP connection, refer to Establishing an FTP Connection), you can upload a file to or download a file from the FTP server under the authorized directory of the FTP server by following these steps:
    Use the dir or ls command to display the directory and the location of the file on the FTP server.
  • Page 270: Maintaining And Debugging An Ftp Connection

    This feature allows you to switch to different user levels without affecting the current FTP connection (namely, the FTP control connection, data connection and connection status are not changed); if you input an incorrect username or password, the current connection will be terminated, and you must return to user view and log in with the ftp command again.
  • Page 271: Ftp Client Configuration Example

    FTP Client Configuration Example Network requirements As shown in Figure 1-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a startup file from PC for device upgrade, and uploads the configuration file to PC for backup.
  • Page 272: Configuring The Ftp Server

    125 ASCII mode data connection already open, transfer starting for /config.cfg.
    226 Transfer complete.
    FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec.
    [ftp] bye
    # Specify newest.bin as the main startup file to be used at the next startup.
    <Sysname>...
  • Page 273: Configuring Authentication And Authorization On The Ftp Server

    To do: Configure the idle-timeout timer
    Command: ftp timeout minutes
    Remarks: Optional. 30 minutes by default. Within the idle-timeout time, if there is no information interaction between the FTP server and client, the connection between them is terminated.

    To do: Set the file update mode for the...
    Command: ftp update { fast | normal }...
    Remarks: Optional
  • Page 274: Ftp Server Configuration Example

    To do: Configure user properties
    Command: authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | level level | user-profile profile-name | ...
    Remarks: Optional. By default, FTP/SFTP users can access the root directory of the device, and the user level is 0.
  • Page 275
    [Sysname-luser-ftp] quit
    # Enable FTP server.
    [Sysname] ftp server enable
    [Sysname] quit
    # Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded.
    <Sysname> dir
    Directory of flash:/
       drw-  Dec 07 2005 10:00:57  filename
       drw-  Jan 02 2006 14:27:51...
  • Page 276: Displaying And Maintaining Ftp

    <Sysname> reboot

    You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium.

    After you finish uploading the Boot ROM program through FTP, you must execute the bootrom update command to upgrade the Boot ROM.
  • Page 277: Tftp Configuration

    TFTP Configuration
    When configuring TFTP, go to these sections for information you are interested in:
    TFTP Overview
    Configuring the TFTP Client
    Displaying and Maintaining the TFTP Client
    TFTP Client Configuration Example

    TFTP Overview
    Introduction to TFTP
    The Trivial File Transfer Protocol (TFTP) provides functions similar to those of FTP but is simpler: it has no interactive command interface and no authentication.
  • Page 278: Configuring The Tftp Client

    When the device serves as the TFTP client, you need to perform the following configuration:

    Table 2-1 Configuration when the device serves as the TFTP client

    Configuration: Configure the IP address and routing function, and ensure that a route between the device and the TFTP server is available.
  • Page 279: Displaying And Maintaining The Tftp Client

    If you specify a source address with both the tftp client source command and the tftp command, the source address configured with the tftp command is used to communicate with the TFTP server. The source address specified with the tftp client source command applies to all TFTP connections, and the source address specified with the tftp command applies only to the current tftp connection.
  • Page 280: Tftp Client Configuration Example

    TFTP Client Configuration Example Network requirements As shown in Figure 2-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a startup file from PC for upgrading and uploads a configuration file named config.cfg to PC for backup.
  • Page 281 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.
  • Page 282
    IP Routing Volume Organization
    Manual Version: 6W100-20090626
    Product Version: Release 1102

    Organization
    The IP Routing Volume is organized as follows:

    Features: IP Routing Overview
    Description: This document describes: Introduction to IP routing and routing table; Routing protocol overview

    Description: A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.
  • Page 283 Table of Contents
    1 IP Routing Overview 1-1
      IP Routing and Routing Table 1-1
        Routing 1-1
        Routing Table 1-1
      Displaying and Maintaining a Routing Table 1-3...
  • Page 284: Ip Routing Overview

    IP Routing Overview
    Go to these sections for information you are interested in:
    IP Routing and Routing Table
    Displaying and Maintaining a Routing Table

    The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.

    IP Routing and Routing Table
    Routing
    Routing in the Internet is achieved through routers.
  • Page 285
    made of a certain number of consecutive 1s. It can be expressed in dotted decimal format or by the number of the 1s.
    Outbound interface: Specifies the interface through which the IP packets are to be forwarded.
    IP address of the next hop: Specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address of the next hop.
  • Page 286: Displaying And Maintaining A Routing Table

    Displaying and Maintaining a Routing Table

    To do: Display brief information about the active routes in the routing table
    Command: display ip routing-table [ verbose | | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

    To do: Display information about...
  • Page 287 Table of Contents
    1 Static Routing Configuration 1-1
      Introduction 1-1
        Static Route 1-1
        Default Route 1-1
        Application Environment of Static Routing 1-2
      Configuring a Static Route 1-2
        Configuration Prerequisites 1-2
        Configuration Procedure 1-2
      Displaying and Maintaining Static Routes 1-3
      Static Route Configuration Example 1-3
        Basic Static Route Configuration Example 1-3...
  • Page 288: Static Routing Configuration

    Static Routing Configuration
    When configuring a static route, go to these sections for information you are interested in:
    Introduction
    Configuring a Static Route
    Displaying and Maintaining Static Routes
    Static Route Configuration Example

    The term “router” in this document refers to a router in a generic sense or a Layer 3 switch.

    Introduction
    Static Route
    A static route is manually configured.
  • Page 289: Configuring A Static Route

    Application Environment of Static Routing
    Before configuring a static route, you need to know the following concepts:
    Destination address and mask: In the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of mask length (the number of consecutive 1s in the mask).
  • Page 290: Displaying And Maintaining Static Routes

    When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface, such as VLAN interface. If you do not specify the preference when configuring a static route, the default preference will be used.
  • Page 291
    Figure 1-1 Network diagram for static route configuration

    Configuration procedure
    Configuring IP addresses for interfaces (omitted)
    Configuring static routes
    # Configure a default route on Switch A.
    <SwitchA> system-view
    [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
    # Configure two static routes on Switch B.
    <SwitchB>...
  • Page 292
    127.0.0.1/32        Direct  0     127.0.0.1    InLoop0
    # Display the IP routing table of Switch B.
    [SwitchB] display ip routing-table
    Routing Tables: Public
            Destinations : 10        Routes : 10
    Destination/Mask    Proto   Cost  NextHop      Interface
    1.1.2.0/24          Static  60    1.1.4.1      Vlan500
    1.1.3.0/24          Static  60    1.1.5.6      Vlan600
    1.1.4.0/30...
  • Page 293
    IP Multicast Volume Organization
    Manual Version: 6W100-20090626
    Product Version: Release 1102

    Organization
    The IP Multicast Volume is organized as follows:

    Features: Multicast Overview
    Description: This document describes the main concepts in multicast: Introduction to Multicast; Multicast Models; Multicast Architecture; Multicast Packets Forwarding Mechanism

    Description: Running at the data link layer, IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control.
  • Page 294 Table of Contents
    1 Multicast Overview 1-1
      Introduction to Multicast 1-1
        Comparison of Information Transmission Techniques 1-1
        Features of Multicast 1-4
        Common Notations in Multicast 1-5
        Advantages and Applications of Multicast 1-5
      Multicast Models 1-6
      Multicast Architecture 1-6
        Multicast Addresses 1-7
        Multicast Protocols...
  • Page 295: Multicast Overview

    Multicast Overview This manual chiefly focuses on the IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to Multicast As a technique coexisting with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission.
  • Page 296
    Figure 1-1 Unicast transmission (Source sends a separate stream of packets across the IP network to each of the receivers Host B, Host D and Host E; Host A and Host C are not receivers)

    Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the information source to each of these hosts.
  • Page 297
    Figure 1-2 Broadcast transmission

    Assume that only Host B, Host D, and Host E need the information. If the information is broadcast to the subnet, Host A and Host C also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet.
  • Page 298: Features Of Multicast

    Figure 1-3 Multicast transmission

    The multicast source (Source in the figure) sends only one copy of the information to a multicast group. Host B, Host D and Host E, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the information based on the distribution of the group members.
  • Page 299: Common Notations In Multicast

    manage multicast group memberships on stub subnets with attached group members. A multicast router itself can be a multicast group member. For a better understanding of the multicast concept, you can compare multicast transmission to the transmission of TV programs, as shown in Table 1-1.
  • Page 300: Multicast Models

    Multicast Models
    Based on how the receivers treat the multicast sources, there are three multicast models: any-source multicast (ASM), source-filtered multicast (SFM), and source-specific multicast (SSM).
    ASM model
    In the ASM model, any sender can send information to a multicast group as a multicast source, and any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group.
  • Page 301: Multicast Addresses

    Multicast Addresses To allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast IP addresses must be provided. In addition, a technique must be available to map multicast IP addresses to link-layer multicast MAC addresses. IP multicast addresses Internet Assigned Numbers Authority (IANA) assigned the Class D address space (224.0.0.0 to 239.255.255.255) for IPv4 multicast.
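The IP-to-MAC mapping mentioned above is worth seeing in code, because it is lossy: only the low 23 bits of the Class D address fit in the 01-00-5E MAC prefix, so 32 different IPv4 groups share one link-layer address, which is why a Layer 2 switch that forwards on MAC addresses alone cannot tell them apart. The block below is an added example written for this page in Python, not H3C code; the group addresses used in the usage lines are made up for illustration.

```python
import ipaddress

# IANA OUI 01-00-5E with the low bit of the fourth octet clear: the 23-bit space
# available for IPv4 multicast MAC addresses hangs off this prefix.
MCAST_MAC_PREFIX = 0x01005E
LOW23_MASK = 0x7FFFFF


def ipv4_multicast_to_mac(group: str) -> str:
    """Map an IPv4 multicast (Class D) address to its link-layer multicast MAC address.

    The top 4 bits of the address are always 1110 and are implied by the prefix; the next
    5 bits are simply discarded, so the result carries only the low 23 bits of the group.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast (Class D) address")
    mac = (MCAST_MAC_PREFIX << 24) | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 multicast groups whose MAC address collides with that of `group`.

    The 5 discarded bits (bits 23..27 of the address) take every value 0..31.
    """
    base = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]


def is_link_local_multicast(group: str) -> bool:
    """True for 224.0.0.0/24, the permanent range reserved for local network control
    protocols (the table of reserved addresses on this page lives in that range)."""
    return ipaddress.IPv4Address(group) in ipaddress.IPv4Network("224.0.0.0/24")


if __name__ == "__main__":
    # constructed sample groups: the second and third collide with the first
    for g in ("224.1.1.1", "239.1.1.1", "224.129.1.1", "224.0.0.13"):
        print(f"{g:12} -> {ipv4_multicast_to_mac(g)}  link-local={is_link_local_multicast(g)}")
    print("groups sharing 01:00:5e:01:01:01:", ", ".join(groups_sharing_mac("224.1.1.1")))
```

The practical consequence for group filtering on a switch: an ACL that permits 224.1.1.1 but not 239.1.1.1 only works if the switch keeps IP-level group state (as IGMP Snooping does); a pure MAC-based forwarding table would deliver both.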
  • Page 302: Multicast Protocols

    Address       Description
    224.0.0.7     Shared Tree (ST) routers
    224.0.0.8     ST hosts
    224.0.0.9     Routing Information Protocol version 2 (RIPv2) routers
    224.0.0.11    Mobile agents
    224.0.0.12    Dynamic Host Configuration Protocol (DHCP) server/relay agent
    224.0.0.13    All Protocol Independent Multicast (PIM) routers
    224.0.0.14    Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15    All Core-Based Tree (CBT) routers
    224.0.0.16...
  • Page 303 Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MBGP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping, and multicast VLAN.
  • Page 304: Multicast Packet Forwarding Mechanism

    one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs.
  • Page 305 To ensure multicast packet transmission in the network, unicast routing tables or multicast routing tables specially provided for multicast must be used as guidance for multicast forwarding. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a reverse path forwarding (RPF) check on the incoming interface.
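The RPF check described here and the static route lookup described in the IP Routing volume above (destination/mask, outbound interface, next hop, and preference as the tie-breaker) use the same routing-table lookup, so one added example covers both. It is Python written for this page, not H3C code. The sample table is constructed in the layout of the display ip routing-table output shown earlier; treating the 60 in those rows as the route preference is an assumption, since the extracted header lost a column. lookup does longest-prefix match and lets the lower preference win between routes to the same prefix; rpf_check passes a multicast packet only if it arrived on the interface the unicast table would use to reach its source.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str
    preference: int   # lower wins among routes to the same prefix (assumed: the 60 above)
    next_hop: str
    interface: str    # outbound interface


# Constructed sample in the style of the display output above. The two 0.0.0.0/0 rows
# show preference breaking a tie between equal-length prefixes.
SAMPLE_ROUTING_TABLE = """\
Destination/Mask    Proto   Pre  NextHop     Interface
1.1.2.0/24          Static  60   1.1.4.1     Vlan500
1.1.3.0/24          Static  60   1.1.5.6     Vlan600
1.1.4.0/30          Direct  0    1.1.4.2     Vlan500
1.1.5.4/30          Direct  0    1.1.5.5     Vlan600
0.0.0.0/0           Static  60   1.1.4.1     Vlan500
0.0.0.0/0           Static  70   1.1.5.6     Vlan600
127.0.0.0/8         Direct  0    127.0.0.1   InLoop0
"""


def parse_routing_table(text: str) -> list:
    """Turn the five-column listing into Route objects; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[2].isdigit():
            continue
        dest, proto, pref, next_hop, iface = fields
        routes.append(Route(ipaddress.IPv4Network(dest), proto, int(pref), next_hop, iface))
    return routes


def lookup(routes: list, dest: str):
    """Longest-prefix match; between routes to the same prefix the lower preference wins."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def rpf_check(routes: list, source: str, incoming_interface: str) -> bool:
    """Reverse path forwarding: accept the multicast packet only if it arrived on the
    interface the unicast routing table would use to send traffic back to its source."""
    route = lookup(routes, source)
    return route is not None and route.interface == incoming_interface


ROUTES = parse_routing_table(SAMPLE_ROUTING_TABLE)

if __name__ == "__main__":
    for dest in ("1.1.2.5", "1.1.5.6", "8.8.8.8"):
        r = lookup(ROUTES, dest)
        print(f"{dest:10} -> {r.prefix} via {r.next_hop} on {r.interface} ({r.proto}, pre {r.preference})")
    for src, iface in (("1.1.3.9", "Vlan600"), ("1.1.3.9", "Vlan500")):
        verdict = "pass" if rpf_check(ROUTES, src, iface) else "fail (drop)"
        print(f"RPF: source {src} received on {iface}: {verdict}")
```

A packet from 1.1.3.9 arriving on Vlan500 fails the check because the table reaches 1.1.3.0/24 through Vlan600; dropping it is what prevents the same stream received on two interfaces from being forwarded twice or looping.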
  • Page 306 Table of Contents
    1 IGMP Snooping Configuration 1-1
      IGMP Snooping Overview 1-1
        Principle of IGMP Snooping 1-1
        Basic Concepts in IGMP Snooping 1-2
        How IGMP Snooping Works 1-3
        IGMP Snooping Proxying 1-5
        Protocols and Standards 1-6
      IGMP Snooping Configuration Task List 1-7
      Configuring Basic Functions of IGMP Snooping 1-8
        Configuration Prerequisites 1-8
        Enabling IGMP Snooping 1-8
        Configuring the Version of IGMP Snooping 1-9...
  • Page 307
        Configured Multicast Group Policy Fails to Take Effect 1-32...
  • Page 308: Igmp Snooping Configuration

    IGMP Snooping Configuration
    When configuring IGMP Snooping, go to the following sections for information you are interested in:
    IGMP Snooping Overview
    IGMP Snooping Configuration Task List
    Displaying and Maintaining IGMP Snooping
    IGMP Snooping Configuration Examples
    Troubleshooting IGMP Snooping Configuration

    IGMP Snooping Overview
    Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
  • Page 309: Basic Concepts In Igmp Snooping

    Reducing Layer 2 broadcast packets, thus saving network bandwidth.
    Enhancing the security of multicast traffic.
    Facilitating the implementation of per-host accounting.

    Basic Concepts in IGMP Snooping
    IGMP Snooping related ports
    As shown in Figure 1-2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and Switch B, and Host A and Host C are receiver hosts (namely, multicast group members).
  • Page 310: How Igmp Snooping Works

    Whenever mentioned in this document, a router port is a port on the switch that leads the switch to a Layer 3 multicast device, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports.
  • Page 311 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers (224.0.0.1) on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port: If the receiving port is a dynamic router port existing in its router port list, the switch resets the aging timer of this dynamic router port.
  • Page 312: Igmp Snooping Proxying

    When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave message to the multicast router. When the switch receives an IGMP leave message on a dynamic member port, the switch first checks whether a forwarding table entry for the group address in the message exists, and, if one exists, whether the outgoing port list contains the port.
  • Page 313: Protocols And Standards

    Figure 1-3 Network diagram for IGMP Snooping Proxying

    As shown in Figure 1-3, Switch A works as an IGMP Snooping proxy: on behalf of its attached hosts, it sends membership reports and leave messages to Router A. Table 1-2 describes how an IGMP Snooping proxy processes IGMP messages.

    Table 1-2 IGMP message processing on an IGMP Snooping proxy
    IGMP message / Actions...
  • Page 314: Igmp Snooping Configuration Task List

    IGMP Snooping Configuration Task List
    Complete these tasks to configure IGMP Snooping:

    Configuring Basic Functions of IGMP Snooping
      Enabling IGMP Snooping: Required
      Configuring the Version of IGMP Snooping: Optional
    Configuring IGMP Snooping
      Configuring Aging Timers for Dynamic Ports: Optional
      Configuring Static Ports: Optional
      Configuring Simulated Joining...
  • Page 315: Configuring Basic Functions Of Igmp Snooping

    Configurations made in IGMP Snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in IGMP Snooping view is effective only if the same configuration is not made in VLAN view.
  • Page 316: Configuring The Version Of Igmp Snooping

    IGMP Snooping must be enabled globally before it can be enabled in a VLAN. When you enable IGMP Snooping in a specified VLAN, this function takes effect for the ports in this VLAN only. Configuring the Version of IGMP Snooping By configuring an IGMP Snooping version, you actually configure the version of IGMP messages that IGMP Snooping can process.
  • Page 317: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports If the switch receives no IGMP general queries or PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no IGMP reports for a multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer of the port for that group expires.
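The query, report and leave handling described in the preceding pages, the aging timers described here, and the fast-leave, group-filter, group-limit, overflow-replace and drop-unknown options covered later in this chapter all act on one per-VLAN table of router ports and member ports. The model below is an added example written for this page in Python; it is not Comware's implementation. The aging and last-member-query timer values are assumptions chosen for the example; only the 1000-group default comes from the text. Port names and the event timeline in the usage section are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IgmpSnoopingVlan:
    """IGMP Snooping state for one VLAN: dynamic router ports and per-group member ports,
    each with an expiry time, plus the behaviours this chapter describes."""
    ports: set                          # all ports in the VLAN
    router_aging: int = 105             # s, dynamic router port aging (assumed value)
    member_aging: int = 260             # s, dynamic member port aging (assumed value)
    last_member_query: int = 1          # s, grace window after a leave without fast-leave (assumed)
    fast_leave: bool = False
    drop_unknown: bool = False
    group_limit: int = 1000             # per-port default stated in the text
    overflow_replace: bool = False
    permitted_groups: set = None        # group filter (ACL); None means no filter
    router_ports: dict = field(default_factory=dict)   # port -> expiry time
    groups: dict = field(default_factory=dict)         # group -> {port: expiry time}

    def _age_out(self, now):
        """Drop dynamic entries whose aging timer has expired."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for g in list(self.groups):
            self.groups[g] = {p: t for p, t in self.groups[g].items() if t > now}
            if not self.groups[g]:
                del self.groups[g]

    def _port_groups(self, port):
        return [g for g, members in self.groups.items() if port in members]

    def _drop_member(self, group, port):
        del self.groups[group][port]
        if not self.groups[group]:
            del self.groups[group]

    def general_query(self, port, source_ip, now):
        """General query arriving on `port`: flood it to every other port in the VLAN and, unless
        its source address is 0.0.0.0, enlist or refresh `port` as a dynamic router port."""
        self._age_out(now)
        if source_ip != "0.0.0.0":
            self.router_ports[port] = now + self.router_aging
        return self.ports - {port}

    def report(self, port, group, now):
        """Membership report for `group` on `port`. Returns True if the port is now a member
        port for the group, False if the group filter or the per-port limit rejected it."""
        self._age_out(now)
        if self.permitted_groups is not None and group not in self.permitted_groups:
            return False
        joined = self._port_groups(port)
        if group not in joined and len(joined) >= self.group_limit:
            if self.overflow_replace:
                # replace the entry on this port that is closest to aging out
                self._drop_member(min(joined, key=lambda g: self.groups[g][port]), port)
            else:
                # text: every forwarding entry for the port is deleted; hosts must re-join
                for g in joined:
                    self._drop_member(g, port)
                return False
        self.groups.setdefault(group, {})[port] = now + self.member_aging
        return True

    def leave(self, port, group, now):
        """Leave for `group` on a dynamic member port: removed at once with fast-leave,
        otherwise kept only through a short window in which a new report can refresh it."""
        self._age_out(now)
        members = self.groups.get(group)
        if not members or port not in members:
            return
        if self.fast_leave:
            self._drop_member(group, port)
        else:
            members[port] = min(members[port], now + self.last_member_query)

    def forward(self, group, in_port, now):
        """Ports that multicast data for `group` arriving on `in_port` is sent out of:
        member ports plus router ports for a known group; for an unknown group the whole
        VLAN unless dropping unknown multicast data is enabled."""
        self._age_out(now)
        if group in self.groups:
            out = set(self.groups[group]) | set(self.router_ports)
        else:
            out = set() if self.drop_unknown else set(self.ports)
        return out - {in_port}


if __name__ == "__main__":
    # constructed timeline: querier behind GE1/0/1, receiver on GE1/0/3
    v = IgmpSnoopingVlan(ports={"GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"})
    v.general_query("GE1/0/1", "10.1.1.1", now=0)
    v.report("GE1/0/3", "224.1.1.1", now=1)
    print("known group  :", sorted(v.forward("224.1.1.1", "GE1/0/1", now=2)))
    print("unknown group:", sorted(v.forward("224.9.9.9", "GE1/0/1", now=2)))
    v.leave("GE1/0/3", "224.1.1.1", now=10)
    print("after leave  :", sorted(v.forward("224.1.1.1", "GE1/0/1", now=12)))
```

Two details worth noting when reading the model against the text: a query sourced from 0.0.0.0 refreshes nothing, so a VLAN whose only querier uses that address will see its router ports age out; and with the default (non-replace) limit behaviour, one over-limit report clears every entry on the port, which is a deliberate trade-off the text calls out rather than a bug.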
  • Page 318: Configuring Simulated Joining

    To do: Enter system view
    Command: system-view

    To do: Enter Ethernet interface/Layer 2 aggregate interface view or port group view
    Command: interface interface-type interface-number, or port-group manual port-group-name
    Remarks: Required. Use either approach

    To do: Configure the port(s) as static member port(s)
    Command: igmp-snooping static-group group-address [ source-ip ...
    Remarks: Required. No static member ports by ...
  • Page 319: Configuring Fast Leave Processing

    (continued)
    Command: port-group manual port-group-name (port group view)
    Remarks: Use either approach

    To do: Configure simulated (*, G) or (S, G) joining
    Command: igmp-snooping host-join group-address [ source-ip source-address ] vlan vlan-id
    Remarks: Required. Disabled by default

    Each simulated host is equivalent to an independent host. For example, when an IGMP query is received, the simulated host corresponding to each configuration responds separately.
  • Page 320: Configuring Igmp Snooping Querier

    (continued)
    To do: Enter Ethernet interface/Layer 2 aggregate interface view or port group view
    Command: port-group manual port-group-name
    Remarks: Use either approach

    To do: Enable fast leave processing
    Command: igmp-snooping fast-leave [ vlan vlan-list ]
    Remarks: Required. Disabled by default

    Configuring IGMP Snooping Querier
    Configuration Prerequisites
    Before configuring IGMP Snooping querier, complete the following task: Enable IGMP Snooping in the VLAN.
  • Page 321: Configuring Igmp Queries And Responses

    Configuring IGMP Queries and Responses You can tune the IGMP general query interval based on actual condition of the network. Upon receiving an IGMP query (general query or group-specific query), a host starts a timer for each multicast group it has joined. This timer is initialized to a random value in the range of 0 to the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the IGMP query it received).
  • Page 322: Configuring Source Ip Address Of Igmp Queries

    In the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general queries. Otherwise, member ports may be aged out before the hosts behind them have had time to respond to the query.

    Configuring Source IP Address of IGMP Queries
    Upon receiving an IGMP query whose source IP address is 0.0.0.0 on a port, the switch does not enlist that port as a dynamic router port.
  • Page 323: Configuring A Source Ip Address For The Igmp Messages Sent By The Proxy

    Follow these steps to enable IGMP Snooping Proxying in a VLAN:

    To do: Enter system view
    Command: system-view

    To do: Enter VLAN view
    Command: vlan vlan-id

    To do: Enable IGMP Snooping Proxying in the VLAN
    Command: igmp-snooping proxying enable
    Remarks: Required. Disabled by default.

    Configuring a Source IP Address for the IGMP Messages Sent by the Proxy
    You can set the source IP addresses in the IGMP reports and leave messages sent by the IGMP Snooping proxy on behalf of its attached hosts.
  • Page 324: Configuring The Function Of Dropping Unknown Multicast Data

    Any multicast data that has failed the ACL check will not be sent to this port. In this way, the service provider can control the VOD programs provided for multicast users.

    Configuring a multicast group filter globally
    Follow these steps to configure a multicast group filter globally:
    To do...
  • Page 325: Configuring Igmp Report Suppression

    To do: Enable the function of dropping unknown multicast data
    Command: igmp-snooping drop-unknown
    Remarks: Required. Disabled by default

    Configuring IGMP Report Suppression
    When a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it.
  • Page 326: Configuring Multicast Group Replacement

    To do: Configure the maximum number of multicast groups allowed on the port(s)
    Command: igmp-snooping group-limit limit [ vlan vlan-list ]
    Remarks: Optional. By default, the maximum number of multicast groups allowed on the port(s) is 1000.

    When the number of multicast groups a port has joined reaches the configured maximum, the system deletes all the forwarding entries for that port from the IGMP Snooping forwarding table, and the hosts on this port need to join the multicast groups again.
  • Page 327: Configuring 802.1P Precedence For Igmp Messages

    To do: Enter system view
    Command: system-view

    To do: Enter Ethernet interface/Layer 2 aggregate interface view or port group view
    Command: interface interface-type interface-number, or port-group manual port-group-name
    Remarks: Required. Use either approach

    To do: Enable multicast group replacement
    Command: igmp-snooping overflow-replace [ vlan vlan-list ]
    Remarks: Required. Disabled by default...
  • Page 328: Displaying And Maintaining Igmp Snooping

    Displaying and Maintaining IGMP Snooping

    To do: Display IGMP Snooping multicast group information
    Command: display igmp-snooping group [ vlan vlan-id ] [ verbose ]
    Remarks: Available in any view

    To do: Display the statistics information of IGMP messages learned by IGMP Snooping
    Command: display igmp-snooping statistics
    Remarks: Available in any view...
  • Page 329
    Figure 1-4 Network diagram for group policy simulated joining configuration

    Configuration procedure
    Configure IP addresses
    Configure an IP address and subnet mask for each interface as per Figure 1-4. The detailed configuration steps are omitted.
    Configure Router A
    # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1.
  • Page 330
    # Configure a multicast group filter so that the hosts in VLAN 100 can join only the multicast group 224.1.1.1.
    [SwitchA] acl number 2001
    [SwitchA-acl-basic-2001] rule permit source 224.1.1.1 0
    [SwitchA-acl-basic-2001] quit
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] group-policy 2001 vlan 100
    [SwitchA-igmp-snooping] quit
    # Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 as simulated hosts for multicast group 224.1.1.1.
  • Page 331: Static Port Configuration Example

    Static Port Configuration Example Network requirements As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/2, and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is to run on Router A, and IGMPv2 Snooping is to run on Switch A, Switch B and Switch C, with Router A acting as the IGMP querier.
  • Page 332
    Configure an IP address and subnet mask for each interface as per Figure 1-5. The detailed configuration steps are omitted.
    Configure Router A
    # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1.
    <RouterA> system-view
    [RouterA] multicast routing-enable
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] igmp enable...
  • Page 333
    [SwitchC] igmp-snooping
    [SwitchC-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 to this VLAN, and enable IGMP Snooping in the VLAN.
    [SwitchC] vlan 100
    [SwitchC-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/5
    [SwitchC-vlan100] igmp-snooping enable
    [SwitchC-vlan100] quit
    # Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/5 as static member ports for multicast group 224.1.1.1.
  • Page 334: Igmp Snooping Querier Configuration Example

    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):100.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 1 port.
              GE1/0/2                (D) ( 00:01:23 )
      IP group(s):the following ip group(s) match to one mac group.
  • Page 335
    Figure 1-6 Network diagram for IGMP Snooping querier configuration
    Configuration procedure
    Configure switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 100 and assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
    # Enable IGMP Snooping and the function of dropping unknown multicast traffic in VLAN 100.
  • Page 336: Igmp Snooping Proxying Configuration Example

    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable IGMP Snooping and the function of dropping unknown multicast traffic in VLAN 100.
    [SwitchB-vlan100] igmp-snooping enable
    [SwitchB-vlan100] igmp-snooping drop-unknown
    [SwitchB-vlan100] quit
    Configurations on Switch C and Switch D are similar to the configuration on Switch B.
    Verify the configuration
    After the IGMP Snooping querier starts to work, all the switches but the querier can receive IGMP general queries.
  • Page 337
    Figure 1-7 Network diagram for IGMP Snooping Proxying configuration (diagram labels: Source; Router A, IGMP querier, 1.1.1.1/24; Switch A, proxy and querier, 1.1.1.2/24 and 10.1.1.1/24; receivers Host A, Host B, Host C)
    Configuration procedure
    Configure IP addresses for interfaces
    Configure an IP address and subnet mask for each interface as per Figure 1-7.
  • Page 338 Verify the configuration After the configuration is completed, Host A and Host B send IGMP join messages for group 224.1.1.1. Receiving the messages, Switch A sends a join message for the group out port GigabitEthernet 1/0/1 (a router port) to Router A. Use the display igmp-snooping group command and the display igmp group command to display information about IGMP Snooping multicast groups and IGMP multicast groups.
  • Page 339: Troubleshooting Igmp Snooping Configuration

    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):100.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 1 port.
              GE1/0/1                (D) ( 00:01:23 )
      IP group(s):the following ip group(s) match to one mac group.
  • Page 340 The function of dropping unknown multicast data is not enabled, so unknown multicast data is flooded. Solution Use the display acl command to check the configured ACL rule. Make sure that the ACL rule conforms to the multicast group policy to be implemented. Use the display this command in IGMP Snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied.
  • Page 341 Table of Contents
    1 Multicast VLAN Configuration (1-1)
      Introduction to Multicast VLAN (1-1)
      Multicast VLAN Configuration Task List (1-3)
      Configuring Sub-VLAN-Based Multicast VLAN (1-3)
        Configuration Prerequisites (1-3)
        Configuring Sub-VLAN-Based Multicast VLAN (1-3)
      Configuring Port-Based Multicast VLAN (1-4)
        Configuration Prerequisites (1-4)
        Configuring User Port Attributes (1-5)
        Configuring Multicast VLAN Ports (1-5)
      Displaying and Maintaining Multicast VLAN (1-6)
      Multicast VLAN Configuration Examples (1-7)...
  • Page 342: Multicast Vlan Configuration

    Multicast VLAN Configuration When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to Multicast VLAN Multicast VLAN Configuration Task List Configuring Sub-VLAN-Based Multicast VLAN Configuring Port-Based Multicast VLAN Displaying and Maintaining Multicast VLAN Multicast VLAN Configuration Example Introduction to Multicast VLAN As shown in Figure...
  • Page 343 Sub-VLAN-based multicast VLAN As shown in Figure 1-2, Host A, Host B and Host C are in three different user VLANs. On Switch A, configure VLAN 10 as a multicast VLAN, configure all the user VLANs as sub-VLANs of this multicast VLAN, and enable IGMP Snooping in the multicast VLAN.
  • Page 344: Multicast Vlan Configuration Task List

    After the configuration, upon receiving an IGMP message on a user port, Switch A tags the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP Snooping can uniformly manage the router ports and member ports in the multicast VLAN. When forwarding multicast data to Switch A, Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the traffic to all the member ports in the multicast VLAN.
  • Page 345: Configuring Port-Based Multicast Vlan

    The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of any other multicast VLAN. The S5810 series Ethernet switch supports up to 16 multicast VLANs, and supports up to 1024 sub-VLANs for each multicast VLAN. The total number of sub-VLANs for all multicast VLANs on the switch cannot exceed 1024.
  • Page 346: Configuring User Port Attributes

    Configuring User Port Attributes Configure the user ports as hybrid ports that permit packets of the specified user VLAN to pass, and configure the user VLAN to which the user ports belong as the default VLAN. Configure the user ports to permit packets of the multicast VLAN to pass and untag the packets. Thus, upon receiving multicast packets tagged with the multicast VLAN ID from the upstream device, the Layer 2 device untags the multicast packets and forwards them to its downstream device.
  • Page 347: Displaying And Maintaining Multicast Vlan

    To do... | Use the command... | Remarks
    Configure the specified VLAN as a multicast VLAN and enter multicast VLAN view | multicast-vlan vlan-id | Required. Not a multicast VLAN by default.
    Assign ports to the multicast VLAN | port interface-list | Required. By default, a multicast VLAN has no ports.
  • Page 348: Multicast Vlan Configuration Examples

    Multicast VLAN Configuration Examples
    Sub-VLAN-Based Multicast VLAN Configuration
    Network requirements
    Router A connects to a multicast source through GigabitEthernet 1/0/1 and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A, and IGMPv2 Snooping is required on Switch A. Router A is the IGMP querier.
  • Page 349
    <RouterA> system-view
    [RouterA] multicast routing-enable
    [RouterA] interface GigabitEthernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] pim dm
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface GigabitEthernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 2 and assign GigabitEthernet 1/0/2 to this VLAN.
    [SwitchA] vlan 2
    [SwitchA-vlan2] port GigabitEthernet 1/0/2
    [SwitchA-vlan2] quit...
  • Page 350
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):2.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 0 port.
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s):total 1 port.
              GE1/0/2
      MAC group(s):
        MAC group address:0100-5e01-0101...
  • Page 351: Port-Based Multicast Vlan Configuration

    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
      Router port(s):total 1 port.
              GE1/0/1
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s):total 0 port.
      MAC group(s):
        MAC group address:0100-5e01-0101
          Host port(s):total 0 port.
  • Page 352 Network diagram Figure 1-5 Network diagram for port-based multicast VLAN configuration Configuration procedure Configure IP addresses Configure the IP address and subnet mask for each interface as per Figure 1-5. The detailed configuration steps are omitted here. Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on the host-side interface GigabitEthernet 1/0/2.
  • Page 353
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 2
    [SwitchA-vlan2] igmp-snooping enable
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar. The detailed configuration steps are omitted.
    # Configure GigabitEthernet 1/0/2 as a hybrid port. Configure VLAN 2 as the default VLAN. Configure GigabitEthernet 1/0/2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them.
  • Page 354
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
      Total 1 IP Group(s).
      Total 1 IP Source(s).
      Total 1 MAC Group(s).
      Router port(s):total 1 port.
              GE1/0/1
      IP group(s):the following ip group(s) match to one mac group.
        IP group address:224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s):total 3 port.
              GE1/0/2
              GE1/0/3
              Eth1/4...
  • Page 355 QoS Volume Organization Manual Version 6W100-20090626 Product Version Release 1102 Organization The QoS Volume is organized as follows: Features Description This document describes: QoS overview QoS policy configuration Priority mapping configuration Traffic policing Configuration Traffic shaping Configuration Aggregation CAR Configuration Congestion management Traffic mirroring configuration Port buffer configuration...
  • Page 356 Table of Contents
    1 QoS Overview (1-1)
      Introduction to QoS (1-1)
      Networks Without QoS Guarantee (1-1)
      QoS Requirements of New Applications (1-1)
      Congestion: Causes, Impacts, and Countermeasures (1-2)
        Causes (1-2)
        Impacts (1-2)
        Countermeasures (1-3)
      QoS Technology Implementations (1-3)
        End-to-End QoS (1-3)
        Traffic Classification (1-4)
        Packet Precedences (1-4)
    2 QoS Policy Configuration (2-1)
      QoS Policy Overview (2-1)...
  • Page 357
      Configuration Example (3-6)
      Displaying and Maintaining Priority Mapping (3-7)
    4 Traffic Policing and Traffic Shaping Configuration (4-1)
      Traffic Policing and Traffic Shaping Overview (4-1)
        Traffic Evaluation and Token Bucket (4-1)
        Traffic Policing (4-2)
        Traffic Shaping (4-3)
      Traffic Policing, GTS and Line Rate Configuration (4-4)
        Configuring Traffic Policing (4-5)
        Configuring GTS (4-5)
      Displaying and Maintaining Traffic Policing, GTS and Line Rate (4-7)...
  • Page 358
      Configuring the Burst Function to Automatically Set the Shared Buffer (8-1)
      Configuring the Shared Buffer Manually (8-2)
      Displaying and Maintaining Port Buffer (8-2)
      Burst Configuration Example (8-3)
        Network Requirements (8-3)
        Configuration Procedure (8-3)...
  • Page 359: Qos Overview

    QoS Overview This chapter covers the following topics: Introduction to QoS Networks Without QoS Guarantee QoS Requirements of New Applications Congestion: Causes, Impacts, and Countermeasures QoS Technology Implementations Introduction to QoS Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services.
  • Page 360: Congestion: Causes, Impacts, And Countermeasures

    The emerging applications demand higher service performance from IP networks. Better network services during packet forwarding are required, such as providing dedicated bandwidth, reducing the packet loss ratio, managing and avoiding congestion, and regulating network traffic. To meet these requirements, networks must provide improved services.
    Congestion: Causes, Impacts, and Countermeasures
    Network congestion is a major factor contributing to service quality degradation on a traditional network.
  • Page 361: Countermeasures

    Countermeasures
    A simple solution for congestion is to increase network bandwidth. However, this cannot solve all the problems that cause congestion, because network bandwidth cannot be increased infinitely. A more effective solution is to provide differentiated services for different applications through traffic control and resource allocation.
  • Page 362: Traffic Classification

    Congestion avoidance monitors the usage status of network resources and is usually applied in the outbound direction of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets. Among these QoS technologies, traffic classification is the basis for providing differentiated services. Traffic policing, traffic shaping, congestion management, and congestion avoidance manage network traffic and resources in different ways to realize differentiated services.
  • Page 363 As shown in Figure 1-3, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7; the subsequent four bits (3 to 6) represent a ToS value from 0 to 15. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63.
  • Page 364
    DSCP value (decimal) | DSCP value (binary) | Description
    26 | 011010 | af31
    28 | 011100 | af32
    30 | 011110 | af33
    34 | 100010 | af41
    36 | 100100 | af42
    38 | 100110 | af43
    8 | 001000 |
    16 | 010000 |
    24 | 011000 |
    32 | 100000 |
    40 | 101000 |
    48 | 110000 |
    56 | 111000 |
    0 | 000000 | be (default)
    802.1p precedence
    802.1p precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 365
    The priority in the 802.1Q tag header is called 802.1p precedence, because its use is defined in IEEE 802.1p. Table 1-3 presents the values for 802.1p precedence.
    Table 1-3 Description on 802.1p precedence
    802.1p precedence (decimal) | 802.1p precedence (binary) | Description
    best-effort
    background
    spare...
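    The three precedence fields described on the preceding pages (802.1p precedence in the 802.1Q tag, IP precedence in bits 0 to 2 of the ToS byte, and the six-bit DSCP that RFC 2474 carved out of the same byte) are all that a switch has to go on when it "trusts" a received packet. The following parser is an added example, not code from the manual or from H3C: it builds a constructed 802.1Q-tagged IPv4 frame, extracts each field with the bit positions the manual gives, and names the DSCP values listed in the DSCP table. The MAC and IP addresses and the VLAN ID are illustrative values; the DSCP decimal values are derived from the binary column. From a hardening standpoint, note that every one of these fields is set by the sender, so trusting them on a user-facing port lets any host on that port claim premium treatment; that is why the priority mapping chapter makes the trusted precedence type a per-port decision.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# DSCP names from the manual's DSCP table; decimal values derived from the binary column.
DSCP_NAMES = {26: "af31", 28: "af32", 30: "af33",
              34: "af41", 36: "af42", 38: "af43", 0: "be"}


def build_frame(tos, pcp=None, vid=100):
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + minimal IPv4 header.
    Addresses and the VLAN ID are illustrative, not captured traffic."""
    dst = bytes.fromhex("01005e010101")      # MAC for 224.1.1.1, as in the manual's display output
    src = bytes.fromhex("001122334455")      # constructed source MAC
    header = dst + src
    if pcp is not None:
        # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: version/IHL, ToS, total length, id, flags/frag, TTL, protocol (UDP), checksum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([10, 1, 1, 1]), bytes([224, 1, 1, 1]))
    return header + ipv4


def parse_priorities(frame):
    """Return the Layer 2 and Layer 3 precedence fields a switch could trust."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    pcp = None
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13                            # 802.1p precedence: upper 3 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    tos = frame[offset + 1]                        # second byte of the IPv4 header
    dscp = tos >> 2                                # bits 0 to 5 (MSB first), RFC 2474
    return {
        "dot1p": pcp,                              # None on an untagged frame
        "ip_precedence": tos >> 5,                 # bits 0 to 2 of the ToS byte
        "tos_value": (tos >> 1) & 0xF,             # bits 3 to 6, the legacy ToS value
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "unlisted"),
    }


if __name__ == "__main__":
    # ToS byte 0x68 = 011010 00: IP precedence 3, DSCP 26 (af31), tagged with 802.1p 5
    print(parse_priorities(build_frame(0x68, pcp=5)))
    print(parse_priorities(build_frame(0x00)))      # untagged, best-effort
```

    The ToS byte 0x68 decodes to IP precedence 3 and DSCP 26 at the same time, which is the point of the RFC 2474 redefinition: the top three bits are shared, so a DSCP-aware and an IP-precedence-aware device read compatible values from one marking.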
  • Page 366: Qos Policy Configuration

    QoS Policy Configuration When configuring a QoS policy, go to these sections for information you are interested in: QoS Policy Overview Configuring a QoS Policy Applying the QoS Policy Displaying and Maintaining QoS Policies QoS Policy Overview A QoS policy involves three components: class, traffic behavior, and policy. You can associate a class with a traffic behavior using a QoS policy.
  • Page 367
    Follow these steps to define a class:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Create a class and enter class view | traffic classifier tcl-name [ operator { and | or } ] | Required. By default, the relation between match criteria is and.
  • Page 368: Defining A Traffic Behavior

    Form | Description
    protocol protocol-name | Specifies to match the packets of a specified protocol. The protocol-name argument can be IP.
    service-dot1p 8021p-list | Specifies to match packets by 802.1p precedence of the service provider network. The 8021p-list argument is a list of CoS values in the range of 0 to 7.
  • Page 369
    To do… | Use the command… | Remarks
    Configure a CAR policy | car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ yellow action ] [ red action ] | Optional. For detailed information about CAR, refer to Traffic Policing and Traffic Shaping Configuration.
  • Page 370: Defining A Policy

    If both a QoS policy referencing CAR and the qos car command are configured on an interface, the QoS policy takes effect. To ensure that a policy can be applied successfully, follow these guidelines when configuring a traffic behavior: Do not configure the redirect to CPU, redirect to interface, and redirect to next hop in the same traffic behavior, because they are conflicting.
  • Page 371: Applying The Qos Policy

    Configuration procedure
    # Create a class test_class to match the packets with IP precedence 6.
    <Sysname> system-view
    [Sysname] traffic classifier test_class
    [Sysname-classifier-test_class] if-match ip-precedence 6
    [Sysname-classifier-test_class] quit
    # Create a traffic behavior test_behavior and configure the action of limiting the traffic rate to 100 kbps for it.
  • Page 372: Applying The Qos Policy To A Vlan

    To do… | Use the command… | Remarks
    Enter port group view | port-group manual port-group-name | Settings in port group view take effect on all ports in the port group.
    Apply the policy to the interface/port group | qos apply policy policy-name { inbound | outbound } | Required
    If a QoS policy is applied in the outbound direction of an interface, the QoS policy cannot influence local packets (local packets refer to the important protocol packets that maintain the normal operation of the...
  • Page 373: Applying The Qos Policy Globally

    Configuration example
    # Apply QoS policy test_policy to the inbound direction of VLAN 200, VLAN 300, VLAN 400, and VLAN 500.
    <Sysname> system-view
    [Sysname] qos vlan-policy test_policy vlan 200 300 400 500 inbound
    Applying the QoS Policy Globally
    You can apply the QoS policy globally to the inbound or outbound direction of all ports.
    Configuration procedure
    Follow these steps to apply a QoS policy globally:
    To do…...
  • Page 374: Displaying And Maintaining Qos Policies

    Action (below) \ Direction (right) | Inbound | Outbound
    Marking IP precedence | Supported | Not supported
    Marking local precedence | Supported | Not supported
    Marking service VLAN IDs | Supported | Supported
    Follow these rules when configuring a behavior; otherwise the corresponding QoS policy cannot be applied successfully. The nest action is mutually exclusive with the remark service-vlan-id action.
  • Page 375: Priority Mapping Configuration

    Priority Mapping Configuration When configuring priority mapping, go to these sections for information you are interested in: Priority Mapping Overview Configuring a Priority Mapping Table Configuring the Priority for a Port Configuring the Trusted Precedence Type for a Port Displaying and Maintaining Priority Mapping Priority Mapping Overview Introduction to Priority Mapping When a packet enters a network, it will be marked with a certain value, which indicates the scheduling...
  • Page 376: Introduction To Priority Mapping Tables

    Figure 3-1 Priority mapping process in the case of supporting trusting port priority An S5810 series switch can trust one of the following two priority types: Trusting the DSCP precedence of received packets. In this mode, the switch searches the dscp-dot1p/dp/dscp mapping table based on the DSCP precedence of the received packet for the 802.1p precedence/drop precedence/DSCP precedence to be used to mark the packet.
  • Page 377: Configuration Procedure

    Table 3-1 The default dot1p-lp and dot1p-dscp mappings Input priority value dot1p-lp mapping dot1p-dscp mapping 802.1p precedence (dot1p) Local precedence (lp) DSCP value (dscp) Table 3-2 The default dscp-lp and dscp-dot1p mappings Input priority value dscp-lp mapping dscp-dot1p mapping dscp Local precedence (lp) 802.1p precedence (dot1p) 0 to 7...
  • Page 378: Configuration Example

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter priority mapping table view | qos map-table { dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-lp } | Required. You can enter the corresponding priority mapping table view as required.
    Configure the priority mapping | import import-value-list export ... | Required. Newly configured mappings...
  • Page 379: Configuring The Priority For A Port

    [Sysname-maptbl-dot1p-lp] import 6 7 export 3
    Configuring the Priority for a Port
    Port priority is in the range of 0 to 7. You can set the port priority as needed.
    Configuration Prerequisites
    You need to decide on a priority for the port.
    Configuration Procedure
    Follow these steps to configure port priority:
    To do…...
  • Page 380: Configuration Prerequisites

    dscp: Trusts the DSCP values of the received IP packets and uses the DSCP values for mapping.
    Configuration Prerequisites
    It has been decided to trust port priority. The trusted precedence type for the port is determined. The priority mapping table corresponding to the trusted precedence type is configured. For the detailed configuration procedure, refer to Configuring a Priority Mapping Table.
  • Page 381: Displaying And Maintaining Priority Mapping

    Displaying and Maintaining Priority Mapping
    To do… | Use the command… | Remarks
    Display priority mapping table configuration information | display qos map-table [ dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-lp ] | Available in any view
    Display the trusted precedence type on the port | display qos trust interface [ interface-type ... | Available in any view...
  • Page 382: Traffic Policing And Traffic Shaping Configuration

    Traffic Policing and Traffic Shaping Configuration When configuring traffic classification, traffic policing, and traffic shaping, go to these sections for information you are interested in: Traffic Policing and Traffic Shaping Overview Traffic Policing, GTS and Line Rate Configuration Displaying and Maintaining Traffic Policing, GTS and Line Rate Traffic Policing and GTS Configuration Examples Traffic Policing and Traffic Shaping Overview If user traffic is not limited, burst traffic will make the network more congested.
  • Page 383: Traffic Policing

    One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, it means that too many tokens have been used and the traffic is excessive.
  • Page 384: Traffic Shaping

    Figure 4-2 Schematic diagram for GTS (diagram labels: tokens are put into the bucket at the set rate; packets to be sent through this interface; packet classification; token bucket; queue; packets sent; packets dropped)
    Traffic policing is widely used in policing traffic entering the networks of internet service providers (ISPs). It can classify the policed traffic and perform pre-defined policing actions based on different evaluation results.
  • Page 385: Traffic Policing, Gts And Line Rate Configuration

    Figure 4-3 Schematic diagram for GTS (diagram labels: tokens are put into the bucket at the set rate; packets to be sent through this interface; packet classification; token bucket; queue; packets sent; packets dropped)
    For example, in Figure 4-4, Switch A sends packets to Switch B. Switch B performs traffic policing on packets from Switch A and drops packets exceeding the limit.
  • Page 386: Configuring Traffic Policing

    Configuring Traffic Policing
    Traffic policing configuration involves two tasks: defining the characteristics of the packets to be policed (defined with ACLs on the S5810 series), and defining policing policies for the matched packets.
    Follow these steps to configure ACL-based traffic policing:
    To do…...
  • Page 387
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view or port group view | interface interface-type interface-number, or ... | Use either command. Settings in interface view take effect on the current interface; settings in port group view take effect on all ports in the port...
  • Page 388: Displaying And Maintaining Traffic Policing, Gts And Line Rate

    Displaying and Maintaining Traffic Policing, GTS and Line Rate
    To do… | Use the command… | Remarks
    Display the CAR information on the specified interface | display qos car interface [ interface-type interface-number ] | Available in any view
    Display interface GTS configuration information | display qos gts interface [ interface-type ... | Available in any view...
  • Page 389
    <SwitchA> system-view
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] qos gts any cir 700
    [SwitchA-GigabitEthernet1/0/3] quit
    # Configure ACLs to permit the packets from Server and Host A.
    [SwitchA] acl number 2001
    [SwitchA-acl-basic-2001] rule permit source 1.1.1.1 0
    [SwitchA-acl-basic-2001] quit
    [SwitchA] acl number 2002
    [SwitchA-acl-basic-2002] rule permit source 1.1.1.2 0
    [SwitchA-acl-basic-2002] quit
    # Configure CAR policies for different flows received on GigabitEthernet 1/0/1.
  • Page 390: Aggregation Car Configuration

    Aggregation CAR Configuration When configuring aggregation CAR, go to these sections for information you are interested in: Aggregation CAR Overview Configuring an Aggregation CAR Policy Referencing Aggregation CAR in a Traffic Behavior Displaying and Maintaining Aggregation CAR Aggregation CAR Overview Aggregation CAR means to use the same CAR for traffic on multiple ports.
  • Page 391: Configuration Example

    To do… | Use the command… | Remarks
    Apply the aggregation CAR policy on the interface/port group | qos car inbound acl [ ipv6 ] acl-number name car-name | Required
    Display aggregation CAR policy configuration information on the interface or all interfaces | display qos car interface [ interface-type interface-number ] | Optional. Available in any view...
  • Page 392: Configuration Example

    To do… | Use the command… | Remarks
    Display traffic behavior configuration information | display traffic behavior user-defined [ behavior-name ] | Optional. Available in any view
    Display information about the aggregation CAR | display qos car name [ car-name ] | Optional. Available in any view
    Configuration Example
    # Specify the aggregation CAR aggcar-1 to adopt the following parameters: CIR is 200, CBS is 2,000, and red packets are dropped.
  • Page 393: Congestion Management Configuration

    Congestion Management Configuration
    When configuring hardware congestion management, go to these sections for information you are interested in: Overview; Congestion Management Configuration Methods; Per-Queue Configuration Method.
    Overview
    Congestion occurs on an interface when the traffic arrival rate is greater than the transmit rate. If there is not enough buffer capacity to store these packets, some of them are lost, which may cause the sending device to retransmit them after a timeout, making the congestion worse.
  • Page 394 Figure 6-1 Schematic diagram for SP queuing As shown in Figure 6-1, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
  • Page 395 This improves bandwidth resource use efficiency. The S5810 series uses group-based WRR queuing. You can assign the output queues to WRR scheduling group 1 and WRR scheduling group 2 as required. Note that the queues in the same group must be consecutive.
  • Page 396: Congestion Management Configuration Methods

    Congestion Management Configuration Methods To achieve congestion management, you can perform per-queue configuration, that is, configure queue scheduling for each queue in interface view or port group view. Complete the following tasks to achieve hardware-based congestion management: Task Remarks Configuring SP Queuing Optional Per-Queue Configuration Method Configure WRR Queuing...
  • Page 397: Configure Wrr Queuing

    Configure WRR Queuing Configuration procedure Configuring basic WRR queuing Follow these steps to configure basic WRR queuing: To do… Use the command… Remarks Enter system view system-view — Enter Use either command interface interface-type Enter interface interface-number Settings in interface view take effect interface view on the current interface;...
  • Page 398: Configuring Sp+Wrr Queues

    [Sysname-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 70 [Sysname-GigabitEthernet1/0/1] qos wrr 4 group 2 weight 20 [Sysname-GigabitEthernet1/0/1] qos wrr 5 group 2 weight 50 [Sysname-GigabitEthernet1/0/1] qos wrr 6 group 2 weight 70 [Sysname-GigabitEthernet1/0/1] qos wrr 7 group 2 weight 100 Configuring SP+WRR Queues Configuration Procedure Follow these steps to configure SP + WRR queues:...
  • Page 399 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] qos wrr 0 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 1 group sp [Sysname-GigabitEthernet1/0/1] qos wrr 2 group 1 weight 20 [Sysname-GigabitEthernet1/0/1] qos wrr 3 group 1 weight 70 [Sysname-GigabitEthernet1/0/1] qos wrr 4 group 1 weight 100 [Sysname-GigabitEthernet1/0/1] qos wrr 5 group 2 weight 10 [Sysname-GigabitEthernet1/0/1] qos wrr 6 group 2 weight 50 [Sysname-GigabitEthernet1/0/1] qos wrr 7 group 2 weight 80...
  • Page 400: Configuring Traffic Mirroring

    VLAN. After the VLAN is created and some ports join the VLAN, the action of mirroring traffic to the VLAN takes effect automatically. On the S5810 series Ethernet switches, traffic can only be mirrored to ports and to CPU. Configuring Traffic Mirroring To configure traffic mirroring, you must enter the view of an existing traffic behavior.
  • Page 401: Mirroring Traffic To An Interface

    Mirroring Traffic to an Interface Follow these steps to mirror traffic to an interface: To do… Use the command… Remarks Enter system view system-view — traffic behavior Enter traffic behavior view — behavior-name Specify the destination mirror-to interface Required interface for traffic mirroring interface-type interface-number Mirroring Traffic to the CPU Follow these steps to mirror traffic to the CPU:...
  • Page 402 Figure 7-1 Network diagram for configuring traffic mirroring to a port Configuration Procedure Configure Switch: # Enter system view. <Sysname> system-view # Configure basic IPv4 ACL 2000 to match packets with the source IP address 192.168.0.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 192.168.0.1 0 [Sysname-acl-basic-2000] quit # Configure a traffic classification rule to use ACL 2000 for traffic classification.
  • Page 403: Port Buffer Configuration

    Port Buffer Configuration When configuring port buffers, go to these sections for information you are interested in: Port Buffer Overview Configuring the Shared Buffer Displaying and Maintaining Port Buffer Burst Configuration Example Port Buffer Overview The S5810 supports transmit and receive buffering for ports to eliminate packet loss when traffic arrives at a rate greater than the physical medium can support or while a forwarding decision is being made.
  • Page 404: Configuring The Shared Buffer Manually

    To do… Use the command… Remarks Enter system view system-view — Required Enable the burst function burst-mode enable Disabled by default Configuring the Shared Buffer Manually The shared buffer is assigned to incoming traffic and outgoing traffic respectively. The area that buffers incoming traffic is called the shared receive buffer, and the area that buffers outgoing traffic is called the shared transmit buffer.
  • Page 405: Network Requirements

    Burst Configuration Example Network Requirements In the customer network shown in Figure 8-1, a server connects to the switch through a 1000 Mbps Ethernet interface. The server sends dense broadcast or multicast traffic to the hosts irregularly. Each host connects to the switch through a 100 Mbps network adapter. Configure the switch to process dense traffic from the server to guarantee that packets can reach the hosts.
  • Page 406 Security Volume Organization Manual Version 6W100-20090626 Product Version Release 1102 Organization The Security Volume is organized as follows: Features Description Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management. This document describes: Introduction to AAA, RADIUS and HWTACACS AAA configuration RADIUS configuration...
  • Page 407 Features Description An ACL is used for identifying traffic based on a series of preset matching criteria. This document describes: ACL overview and ACL types ACL configuration ACL Application for Packet Filtering...
  • Page 408 Table of Contents: 1 AAA Configuration (1-1); Introduction to AAA (1-1); Introduction to RADIUS (1-2); Client/Server Model (1-2); Security and Authentication Mechanisms (1-3); Basic Message Exchange Process of RADIUS (1-3); RADIUS Packet Format (1-4); Extended RADIUS Attributes (1-7); Introduction to HWTACACS (1-7); Differences Between HWTACACS and RADIUS (1-8); Basic Message Exchange Process of HWTACACS (1-8); Protocols and Standards (1-10); AAA Configuration Task List (1-10)...
  • Page 409 Specifying the HWTACACS Authorization Servers (1-31); Specifying the HWTACACS Accounting Servers (1-31); Setting the Shared Key for HWTACACS Packets (1-32); Configuring Attributes Related to the Data Sent to HWTACACS Server (1-33); Setting Timers Regarding HWTACACS Servers (1-33); Displaying and Maintaining HWTACACS (1-34); AAA Configuration Examples (1-34); AAA for Telnet Users by an HWTACACS Server (1-34); AAA for Telnet Users by Separate Servers (1-36); AAA for SSH Users by a RADIUS Server (1-37)...
  • Page 410: Aaa Configuration

    AAA Configuration When configuring AAA, go to these sections for information you are interested in: Introduction to AAA Introduction to RADIUS Introduction to HWTACACS Protocols and Standards AAA Configuration Task List Configuring AAA Configuring RADIUS Configuring HWTACACS AAA Configuration Examples Troubleshooting AAA Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring...
  • Page 411: Introduction To Radius

    requirements. For example, you can use the HWTACACS server for authentication and authorization, and the RADIUS server for accounting. The three security functions are described as follows: Authentication: Identifies remote users and determines whether a user is legitimate. Authorization: Grants different users different rights. For example, a user logging into the server can be granted permission to access and print the files on the server.
  • Page 412: Security And Authentication Mechanisms

    Figure 1-2 RADIUS server components Users: Stores user information such as the usernames, passwords, applied protocols, and IP addresses. Clients: Stores information about RADIUS clients, such as the shared keys and IP addresses. Dictionary: Stores information about the meanings of RADIUS protocol attributes and their values. Security and Authentication Mechanisms Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network.
  • Page 413: Radius Packet Format

    The host initiates a connection request carrying the username and password to the RADIUS client. Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password encrypted by using the Message-Digest 5 (MD5) algorithm and the shared key.
  • Page 414 Code Packet type Description From the server to the client. If all the attribute values carried in the Access-Request are Access-Accept acceptable, that is, the authentication succeeds, the server sends an Access-Accept response. From the server to the client. If any attribute value carried in the Access-Request is unacceptable, the Access-Reject server rejects the user and sends an...
  • Page 415 Attribute Attribute Service-Type Acct-Multi-Session-Id Framed-Protocol Acct-Link-Count Framed-IP-Address Acct-Input-Gigawords Framed-IP-Netmask Acct-Output-Gigawords Framed-Routing (unassigned) Filter-ID Event-Timestamp Framed-MTU 56-59 (unassigned) Framed-Compression CHAP-Challenge Login-IP-Host NAS-Port-Type Login-Service Port-Limit Login-TCP-Port Login-LAT-Port (unassigned) Tunnel-Type Reply_Message Tunnel-Medium-Type Callback-Number Tunnel-Client-Endpoint Callback-ID Tunnel-Server-Endpoint (unassigned) Acct-Tunnel-Connection Framed-Route Tunnel-Password Framed-IPX-Network ARAP-Password State ARAP-Features Class ARAP-Zone-Access...
  • Page 416: Extended Radius Attributes

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. The vendor ID of H3C is 2011. Vendor-Type: Indicates the type of the sub-attribute.
  • Page 417: Differences Between Hwtacacs And Radius

    Differences Between HWTACACS and RADIUS HWTACACS and RADIUS have many common features, like implementing AAA, using a client/server model, using shared keys for user information security and having good flexibility and extensibility. Meanwhile, they also have differences, as listed in Table 1-3.
  • Page 418 Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user Host HWTACACS client HWTACACS server 1) The user logs in 2) Start-authentication packet 3) Authentication response requesting the username 4) Request for username 5) The user inputs the username 6) Authentication continuance packet with the username 7) Authentication response requesting the login...
  • Page 419: Protocols And Standards

    12) The HWTACACS client sends the user authorization request packet to the HWTACACS server. 13) The HWTACACS server sends back the authorization response, indicating that the user is authorized now. 14) Knowing that the user is now authorized, the HWTACACS client pushes the configuration interface of the NAS to the user.
  • Page 420: Radius Configuration Task List

    AAA Configuration Task List Task Remarks Creating an ISP Domain Required Configuring ISP Domain Attributes Optional Required For local authentication, refer to Configuring Local User Attributes. Configuring AAA Authentication Methods for an For RADIUS authentication, refer to Configuring ISP Domain RADIUS.
  • Page 421: Configuring Aaa

    Task Remarks Specifying the HWTACACS Authentication Servers Required Specifying the HWTACACS Authorization Servers Optional Specifying the HWTACACS Accounting Servers Optional Setting the Shared Key for HWTACACS Packets Required Configuring Attributes Related to the Data Sent to HWTACACS Optional Server Setting Timers Regarding HWTACACS Servers Optional Displaying and Maintaining HWTACACS Optional...
  • Page 422: Configuring Isp Domain Attributes

    To do… Use the command… Remarks Return to system view quit — Optional domain default enable By default, the system has a Specify the default ISP domain isp-name default ISP domain named system. You cannot delete the default ISP domain unless you change it to a non-default ISP domain (with the domain default disable command) first.
  • Page 423: Configuring Aaa Authentication Methods For An Isp Domain

    Configuring AAA Authentication Methods for an ISP Domain In AAA, authentication, authorization, and accounting are separate processes. Authentication refers to the interactive authentication process of username/password/user information during access or service request. The authentication process neither sends authorization information to a supplicant nor triggers any accounting.
  • Page 424: Configuring Aaa Authorization Methods For An Isp Domain

    The authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode. With an authentication method that references a RADIUS scheme, AAA accepts only the authentication result from the RADIUS server.
  • Page 425 Determine the access mode or service type to be configured. With AAA, you can configure an authorization scheme specifically for each access mode and service type, limiting the authorization protocols that can be used for access. Determine whether to configure an authorization method for all access modes or service types. Follow these steps to configure AAA authorization methods for an ISP domain: To do…...
  • Page 426: Configuring Aaa Accounting Methods For An Isp Domain

    Configuring AAA Accounting Methods for an ISP Domain In AAA, accounting is a separate process at the same level as authentication and authorization. Its responsibility is to send accounting start/update/end requests to the specified accounting server. Accounting is not required, and therefore accounting method configuration is optional. AAA supports the following accounting methods: No accounting: The system does not perform accounting for the users.
  • Page 427: Configuring Local User Attributes

    With the accounting optional command configured, a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails. The local accounting is not used for accounting implementation, but together with the attribute access-limit command for limiting the number of local user connections.
  • Page 428 To do… Use the command… Remarks Configure a password for the local password { cipher | simple } Optional user password Optional When created, a local user Place the local user to the state of state { active | block } is in the state of active by active or blocked default, and the user can...
  • Page 429: Configuring User Group Attributes

    With an authentication method that requires a username and password, including local, RADIUS, and HWTACACS authentication, the commands that a login user can use after logging in depend on the level of the user. With other authentication methods, which commands are available depends on the level of the user interface. For an SSH user using public key authentication, the commands that can be used depend on the level configured on the user interface.
  • Page 430: Configuring Radius

    To do… Use the command… Remarks Required Configure a NAS ID-VLAN nas-id nas-identifier bind vlan By default, no NAS ID-VLAN binding vlan-id binding exists. Displaying and Maintaining AAA To do… Use the command… Remarks Display the configuration information of a specified ISP domain or all ISP display domain [ isp-name ] Available in any view domains...
  • Page 431: Specifying The Radius Authentication/Authorization Servers

    To do… Use the command… Remarks Enter system view system-view — Required Create a RADIUS scheme and radius scheme enter RADIUS scheme view radius-scheme-name Not defined by default A RADIUS scheme can be referenced by more than one ISP domain at the same time. Specifying the RADIUS Authentication/Authorization Servers Follow these steps to specify the RADIUS authentication/authorization servers: To do…...
  • Page 432: Setting The Shared Key For Radius Packets

    To do… Use the command… Remarks Enter system view system-view — radius scheme Enter RADIUS scheme view — radius-scheme-name Specify the primary RADIUS primary accounting Required accounting server ip-address [ port-number ] Configure at least one of the commands Specify the secondary RADIUS secondary accounting No accounting server by default accounting server...
  • Page 433: Setting The Upper Limit Of Radius Request Retransmission Attempts

    To do… Use the command… Remarks Enter system view system-view — radius scheme Enter RADIUS scheme view — radius-scheme-name Set the shared key for RADIUS Required key { accounting | authentication/authorization or authentication } string No key by default accounting packets The shared key configured on the device must be the same as that configured on the RADIUS server.
  • Page 434: Setting The Status Of Radius Servers

    To do… Use the command… Remarks radius scheme Enter RADIUS scheme view — radius-scheme-name Optional Specify the RADIUS server server-type { extended | By default, the supported type supported by the device standard } RADIUS server type is standard. If you change the type of RADIUS server, the data stream destined for the original RADIUS server will be restored to the default unit.
  • Page 435: Configuring Attributes Related To Data To Be Sent To The Radius Server

    To do… Use the command… Remarks Set the status of the secondary state secondary RADIUS authentication { active | authentication/authorization block } server Set the status of the secondary state secondary accounting RADIUS accounting server { active | block } If both the primary server and the secondary server are in the blocked state, you must manually switch the secondary server to the active state so that it can perform authentication.
  • Page 436: Setting Timers Regarding Radius Servers

    To do… Use the command… Remarks interface sending RADIUS packets will be used radius nas-ip ip-address as the source IP address of the RADIUS packets. Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the device must remove the domain name before sending a username including a domain name.
  • Page 437: Configuring Radius Accounting-On

    To do… Use the command… Remarks Optional Set the RADIUS server timer response-timeout response timeout timer seconds 3 seconds by default Optional Set the quiet timer for the timer quiet minutes primary server 5 minutes by default Optional Set the real-time accounting timer realtime-accounting interval minutes...
  • Page 438: Enabling The Listening Port Of The Radius Client

    3 seconds by default The accounting-on feature needs to cooperate with the H3C iMC network management system. Enabling the Listening Port of the RADIUS Client Follow these steps to enable the listening port of the RADIUS client: To do…...
  • Page 439: Configuring Hwtacacs

    Configuring HWTACACS Unlike RADIUS, HWTACACS lets you change any of its parameters whether or not users are online, except for deleting HWTACACS schemes and changing the IP addresses of the HWTACACS servers. Creating an HWTACACS scheme The HWTACACS protocol is configured on a per-scheme basis.
  • Page 440: Specifying The Hwtacacs Authorization Servers

    It is recommended to specify only the primary HWTACACS authentication server if backup is not required. If both the primary and secondary authentication servers are specified, the secondary one is used when the primary one is not reachable. The IP addresses of the primary and secondary authentication servers cannot be the same. Otherwise, the configuration fails.
  • Page 441: Setting The Shared Key For Hwtacacs Packets

    To do… Use the command… Remarks Enter HWTACACS scheme hwtacacs scheme — view hwtacacs-scheme-name Specify the primary primary accounting Required HWTACACS accounting server ip-address [ port-number ] Configure at least one of the commands Specify the secondary secondary accounting HWTACACS accounting server ip-address [ port-number ] No accounting server by default Enable the device to buffer...
  • Page 442: Configuring Attributes Related To The Data Sent To Hwtacacs Server

    Configuring Attributes Related to the Data Sent to HWTACACS Server Follow these steps to configure the attributes related to the data sent to the HWTACACS server: To do… Use the command… Remarks Enter system view system-view — hwtacacs scheme Enter HWTACACS scheme view —...
  • Page 443: Displaying And Maintaining Hwtacacs

    To do… Use the command… Remarks Optional Set the real-time accounting timer realtime-accounting interval minutes 12 minutes by default For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. Note that if the device does not receive any response to the information, it does not forcibly disconnect the online users. The real-time accounting interval must be a multiple of 3.
  • Page 444 Figure 1-7 Configure AAA for Telnet users by an HWTACACS server Authentication/Accounting server 10.1.1.1/24 Internet Telnet user Switch Configuration procedure # Configure the IP addresses of the interfaces (omitted). # Enable the Telnet server on the switch. <Switch> system-view [Switch] telnet server enable # Configure the switch to use AAA for Telnet users.
  • Page 445: Aaa For Telnet Users By Separate Servers

    AAA for Telnet Users by Separate Servers Network requirements As shown in Figure 1-8, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting services to Telnet users. The user name and the password for Telnet users are both hello.
  • Page 446: Aaa For Ssh Users By A Radius Server

    [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Configure the RADIUS scheme. [Switch] radius scheme rd [Switch-radius-rd] primary accounting 10.1.1.1 1813 [Switch-radius-rd] key accounting expert [Switch-radius-rd] server-type extended [Switch-radius-rd] user-name-format without-domain [Switch-radius-rd] quit # Create a local user named hello. [Switch] local-user hello [Switch-luser-hello] service-type telnet [Switch-luser-hello] password simple hello [Switch-luser-hello] quit...
  • Page 447 Specify the ports for authentication and accounting as 1812 and 1813 respectively Select Device Management Service as the service type Select H3C as the access device type Select the access device from the device list or manually add the device with the IP address of 10.1.1.2...
  • Page 448 Figure 1-10 Add an access device # Add a user for device management Log into the iMC management platform, select the User tab, and select Access User View > All Access Users from the navigation tree to enter the All Access Users page. Then, click Add to enter the Add Device Management User window and perform the following configurations: Add a user named hello@bbb and specify the password Select SSH as the service type...
  • Page 449 Figure 1-11 Add an account for device management Configure the switch # Configure the IP address of VLAN interface 2, through which the SSH user accesses the switch. <Switch> system-view [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0 [Switch-Vlan-interface2] quit # Configure the IP address of VLAN-interface 3, through which the switch accesses the server.
  • Page 450: Troubleshooting Aaa

    # Configure the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Configure the RADIUS scheme. [Switch] radius scheme rad [Switch-radius-rad] primary authentication 10.1.1.1 1812 [Switch-radius-rad] primary accounting 10.1.1.1 1813 [Switch-radius-rad] key authentication expert [Switch-radius-rad] key accounting expert [Switch-radius-rad] user-name-format with-domain [Switch-radius-rad] quit # Specify the service type for the RADIUS server, which must be extended when the RADIUS server...
  • Page 451: Troubleshooting Hwtacacs

    The username is in the userid@isp-name format and a default ISP domain is specified on the NAS. The user is configured on the RADIUS server. The correct password is entered. The same shared key is configured on both the RADIUS server and the NAS. Symptom 2: RADIUS packets cannot reach the RADIUS server.
  • Page 452 Table of Contents: 1 IP Source Guard Configuration (1-1); IP Source Guard Overview (1-1); Configuring a Static Binding Entry (1-1); Configuring Dynamic Binding Function (1-2); Displaying and Maintaining IP Source Guard (1-3); IP Source Guard Configuration Examples (1-3); Static Binding Entry Configuration Example (1-3); Dynamic Binding Function Configuration Example (1-4); Troubleshooting IP Source Guard (1-6); Failed to Configure Static Binding Entries and Dynamic Binding Function (1-6)...
  • Page 453: Ip Source Guard Configuration

    IP Source Guard Configuration When configuring IP Source Guard, go to these sections for information you are interested in: IP Source Guard Overview Configuring a Static Binding Entry Configuring Dynamic Binding Function Displaying and Maintaining IP Source Guard IP Source Guard Configuration Examples Troubleshooting IP Source Guard IP Source Guard Overview By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through...
  • Page 454: Configuring Dynamic Binding Function

    To do… Use the command… Remarks system-view Enter system view — interface interface-type Enter interface view — interface-number user-bind { ip-address ip-address | Required ip-address ip-address Configure a static binding entry No static binding entry exists by mac-address mac-address | default.
  • Page 455: Displaying And Maintaining Ip Source Guard

    Displaying and Maintaining IP Source Guard To do… Use the command… Remarks display user-bind [ interface Display information about static interface-type interface-number Available in any view binding entries | ip-address ip-address | mac-address mac-address ] display ip check source [ interface interface-type Display information about interface-number | ip-address Available in any view...
  • Page 456: Dynamic Binding Function Configuration Example

    [SwitchA-GigabitEthernet1/0/2] quit # Configure port GigabitEthernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to pass. [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] user-bind ip-address 192.168.0.1 mac-address 0001-0203-0406 Configure Switch B # Configure the IP addresses of various interfaces (omitted).
  • Page 457 Figure 1-2 Network diagram for configuring dynamic binding function Configuration procedure Configure Switch A # Configure dynamic binding function on port GigabitEthernet 1/0/1 to filter packets based on both the source IP address and MAC address. <SwitchA> system-view [SwitchA] interface gigabitethernet1/0/1 [SwitchA-GigabitEthernet1/0/1] ip check source ip-address mac-address [SwitchA-GigabitEthernet1/0/1] quit # Enable DHCP snooping.
  • Page 458: Troubleshooting Ip Source Guard

    ==== =============== ============== ============ ==== ================= 192.168.0.1 0001-0203-0406 86335 GigabitEthernet1/0/1 As shown, port GigabitEthernet 1/0/1 has obtained the dynamic entries generated by DHCP snooping after it is configured with the dynamic binding function. Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and the dynamic binding function fails on a port.
  • Page 459 Table of Contents: 1 SSH2.0 Configuration (2-1); SSH2.0 Overview (2-1); Introduction to SSH2.0 (2-1); Operation of SSH (2-1); Configuring the Device as an SSH Server (2-4); SSH Server Configuration Task List (2-4); Generating a DSA or RSA Key Pair (2-4); Enabling SSH Server (2-5); Configuring the User Interfaces for SSH Clients (2-5); Configuring a Client Public Key (2-6); Configuring an SSH User (2-7); Setting the SSH Management Parameters (2-9)...
  • Page 460: Ssh2.0 Configuration

    SSH2.0 Configuration When configuring SSH2.0, go to these sections for information you are interested in: SSH2.0 Overview Configuring the Device as an SSH Server Configuring the Device as an SSH Client Displaying and Maintaining SSH SSH Server Configuration Examples SSH Client Configuration Examples SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to logging into a remote device securely.
  • Page 461
    Stages and their description:
    Session request: After passing authentication, the client sends a session request to the server.
    Interaction: After the server grants the request, the client and server start to communicate with each other.
    Version negotiation: The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server.
  • Page 462 Before the negotiation, the server must already have generated a DSA or RSA key pair. This key pair takes part in the key exchange that produces the session key, and it is also what the client uses to authenticate the identity of the server; a client that does not already hold and check this public key cannot tell the real server from an impostor. For details about DSA and RSA key pairs, refer to Public Key Configuration in the Security Volume.
  • Page 463: Configuring The Device As An Ssh Server

    Session request After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client.
  • Page 464: Enabling Ssh Server

    Follow these steps to generate a DSA or RSA key pair on the SSH server:
    Enter system view: system-view
    Generate the local DSA or RSA key pair: public-key local create { dsa | rsa } (Required. By default, there is neither a DSA key pair nor an RSA key pair.)
  • Page 465: Configuring A Client Public Key

    Follow these steps to configure the protocols for the current user interface to support:
    Enter system view: system-view
    Enter user interface view of one or more user interfaces: user-interface vty number [ ending-number ]
    Set the login authentication mode: authentication-mode scheme (Required)...
  • Page 466: Configuring An Ssh User

    It is recommended that you configure a client public key by importing it from a public key file. You can configure at most 20 client public keys on an SSH server. Configuring a client public key manually: Follow these steps to configure the client public key manually: To do…...
  • Page 467
    Enter system view: system-view
    Create an SSH user, and specify the service type (Required):
      For Stelnet users: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
      ssh user username...
  • Page 468: Setting The Ssh Management Parameters

    You can configure the accounting information either on the device or on the remote authentication server (such as a RADIUS server). After login, the commands available to a user are determined by AAA authorization.
    Setting the SSH Management Parameters
    SSH management includes: Enabling the SSH server to be compatible with SSH1 clients; Setting the server key pair update interval, applicable to users using SSH1 clients; Setting the SSH user authentication timeout period...
    SSH1 has known protocol-level weaknesses (its integrity check is a CRC rather than a MAC), so leave SSH1 compatibility disabled unless an SSH1-only client genuinely cannot be replaced.
  • Page 469: Specifying A Source Ip Address/Interface For The Ssh Client

    Tasks and remarks:
    Configuring Whether First-time Authentication is Supported (Optional)
    Establishing a Connection Between the SSH Client and the Server (Required)
    Specifying a Source IP address/Interface for the SSH client
    This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.
  • Page 470: Establishing A Connection Between The Ssh Client And The Server

    Follow these steps to disable first-time authentication:
    Enter system view: system-view
    Disable first-time authentication: undo ssh client first-time (Optional. By default, first-time authentication is supported on a client.)
    Configure the server public key: Refer to Configuring a Client... (Required. The method of configuring...)
    With first-time authentication enabled, the client accepts and saves whatever host key the server presents on the first connection, so an attacker who intercepts that first connection cannot be detected. Where the management network is not fully trusted, disable it and configure the server's host public key on the client out of band.
  • Page 471: Ssh Server Configuration Examples

    Display the public keys of the SSH peers: display public-key peer [ brief | name publickey-name ] (Available in any view)
    For information about the display public-key local and display public-key peer commands, refer to Public Key Commands in the Security Volume.
  • Page 472
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001
    [Switch-luser-client001] password simple aabbcc
    [Switch-luser-client001] service-type ssh
    [Switch-luser-client001] authorization-attribute level 3
    [Switch-luser-client001] quit
    # Specify the service type for user client001 as Stelnet, and the authentication mode as password. This step is optional.
    Note that password simple stores the password in plain text in the configuration, where anyone who can view or save the configuration can read it; the cipher keyword stores it in encrypted form and should be preferred outside a lab.
  • Page 473: When Switch Acts As Server For Publickey Authentication

    Figure 1-2 SSH client configuration interface In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. When Switch Acts as Server for Publickey Authentication Network requirements As shown in...
  • Page 474
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    [Switch] ssh server enable
    # Configure an IP address for VLAN interface 1. This address will serve as the destination of the SSH connection.
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
    [Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
  • Page 475 Figure 1-4 Generate a client key pair 1) While the key pair is being generated, keep moving the mouse over the blank area of the window, away from the green progress bar shown in Figure 1-5. Otherwise the progress bar stops moving and key generation stalls.
  • Page 476 Figure 1-5 Generate a client key pair 2) After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 1-6 Generate a client key pair 3) Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without protecting it. Enter a key passphrase in PuTTYgen before saving: an unprotected private key file gives switch access to anyone who obtains a copy of it.
  • Page 477 Figure 1-7 Generate a client key pair 4) After generating a key pair on the client, transfer the saved public key file to the server through FTP or TFTP and complete the server-side configuration before continuing with the client configuration. FTP and TFTP provide no integrity protection, so after importing the key compare what the server shows (display public-key peer) with the key displayed in PuTTYgen before relying on it.
  • Page 478: Ssh Client Configuration Examples

    Figure 1-9 SSH client configuration interface 2) In the window shown in Figure 1-9, click Open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface.
  • Page 479
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Configure an IP address for VLAN interface 1, which the SSH client will use as the destination for the SSH connection.
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
    [SwitchB-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA.
  • Page 480
    If the client does not support first-time authentication, you need to perform the following configurations.
    # Disable first-time authentication.
    [SwitchA] undo ssh client first-time
    # Configure the host public key of the SSH server. You can get the server host public key by using the display public-key local dsa public command on the server.
  • Page 481: When Switch Acts As Client For Publickey Authentication

    When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 1-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. Publickey authentication is used, and the public key algorithm is DSA. Figure 1-11 Switch acts as client for publickey authentication Configuration procedure Configure the SSH server...
  • Page 482
    # Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user.
    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
    Configure the SSH client
    # Configure an IP address for VLAN interface 1.
    <SwitchA>...
  • Page 483: Sftp Service

    SFTP Service When configuring SFTP, go to these sections for information you are interested in: SFTP Overview Configuring an SFTP Server Configuring an SFTP Client SFTP Client Configuration Example SFTP Server Configuration Example SFTP Overview The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer.
  • Page 484: Configuring The Sftp Connection Idle Timeout Period

    When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified in place; it can only be downloaded, modified locally, and then uploaded to the server again.
    Configuring the SFTP Connection Idle Timeout Period
    Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold the single available connection while doing nothing.
  • Page 485: Working With The Sftp Directories

    Establish a connection to the remote SFTP server (Required): sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | ... Use this command ...
    Of the selectable algorithms, des and md5 (including md5-96) are weak; prefer aes128 for the cipher and sha1 for the HMAC wherever the server supports them.
  • Page 486: Working With Sftp Files

    Create a new directory on the remote SFTP server: mkdir remote-path (Optional)
    Delete a directory from the SFTP server: rmdir remote-path&<1-10> (Optional)
    Working with SFTP Files
    SFTP file operations include: Changing the name of a file; Downloading a file; Uploading a file; Displaying a list of the files...
  • Page 487: Terminating The Connection To The Remote Sftp Server

    Follow these steps to display a list of all commands or the help information of an SFTP client command:
    Establish a connection to the remote SFTP server (Required): sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | ...
  • Page 488
    Figure 2-1 Network diagram for SFTP client configuration (on a switch)
    Configuration procedure
    Configure the SFTP server (Switch B)
    # Generate RSA and DSA key pairs and enable the SSH server.
    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    [SwitchB] public-key local create dsa
    [SwitchB] ssh server enable
    # Enable the SFTP server.
  • Page 489
    # Configure an IP address for VLAN interface 1.
    <SwitchA> system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0
    [SwitchA-Vlan-interface1] quit
    # Generate RSA key pairs.
    [SwitchA] public-key local create rsa
    # Export the host public key to file pubkey.
    [SwitchA] public-key local export rsa ssh2 pubkey
    [SwitchA] quit
    After generating key pairs on a client, you need to transmit the saved public key file to the server...
  • Page 490
    sftp-client> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    # Add a directory named new1 and check if it has been created successfully.
  • Page 491: Sftp Server Configuration Example

    sftp-client> quit
    Connection closed.
    <SwitchA>
    SFTP Server Configuration Example
    Network requirements
    As shown in Figure 2-2, an SSH connection is established between the host and the switch. The host, an SFTP client, logs into the switch for file management and file transfer. An SSH user uses password authentication with the username being client002 and the password being aabbcc.
  • Page 492
    [Switch-luser-client002] quit
    # Configure the user authentication type as password and service type as SFTP.
    [Switch] ssh user client002 service-type sftp authentication-type password
    Configure the SFTP client
    There are many kinds of SFTP client software. The following takes the PSFTP of PuTTY Version 0.58 as an example.
  • Page 493 Table of Contents
    1 PKI Configuration 1-1
      Introduction to PKI 1-1
        PKI Overview 1-1
        PKI Terms 1-1
        Architecture of PKI 1-2
        Applications of PKI 1-3
        Operation of PKI 1-3
      PKI Configuration Task List 1-4
      Configuring an Entity DN 1-4
      Configuring a PKI Domain 1-6
      Submitting a PKI Certificate Request 1-7
        Submitting a Certificate Request in Auto Mode 1-7
        Submitting a Certificate Request in Manual Mode 1-8...
  • Page 494: Pki Configuration

    With digital certificates, the PKI system provides network communication and e-commerce with security services such as user authentication, data non-repudiation, data confidentiality, and data integrity. Currently, H3C's PKI system provides certificate management for IP Security (IPsec), Secure Sockets Layer (SSL), and WLAN Authentication and Privacy Infrastructure (WAPI).
  • Page 495: Architecture Of Pki

    This manual involves two types of certificates: local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate is the certificate of a CA. If multiple CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level.
  • Page 496: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 497: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 498 The configuration of an entity DN must comply with the CA's certificate issuing policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional; otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 499: Configuring A Pki Domain

    Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. A PKI domain is defined by these parameters: Trusted CA An entity requests a certificate from a trusted CA.
  • Page 500: Submitting A Pki Certificate Request

    Specify the entity for certificate request: certificate request entity entity-name (Required. No entity is specified by default. The specified entity must exist.)
    Specify the authority for certificate request: certificate request from { ca | ra } (Required. No authority is specified by default.)
  • Page 501: Submitting A Certificate Request In Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode:
    Enter system view: system-view
    Enter PKI domain view: pki domain domain-name
    Set the certificate request mode to auto: certificate request mode auto [ key-length key-length | password { cipher | simple }... (Required)
  • Page 502: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands in the Security Volume.
  • Page 503: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 504: Destroying A Local Rsa Key Pair

    Enter system view: system-view
    Enter PKI domain view: pki domain domain-name
    Disable CRL checking: crl check disable (Required; enabled by default)
    Return to system view: quit
    Retrieve the CA certificate: Refer to Retrieving a Certificate Manually (Required)...
    With CRL checking disabled, a certificate that the CA has since revoked still passes verification; disable it only when the CRL distribution point is genuinely unreachable and that risk is accepted.
  • Page 505: Configuring An Access Control Policy

    Enter system view: system-view
    Delete certificates: pki delete-certificate { ca | local } domain domain-name (Required)
    Configuring an Access Control Policy
    By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
  • Page 506: Pki Configuration Examples

    Display information about one or all certificate attribute groups: display pki certificate attribute-group { group-name | all } (Available in any view)
    Display information about one or all certificate attribute-based access control policies: display pki certificate access-control-policy { policy-name | all } (Available in any view)...
  • Page 507 In this example, you need to configure these basic attributes on the CA server at first: Nickname: Name of the trusted CA. Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C). The other attributes may be left using the default values.
  • Page 508
    It will take a few minutes. Press CTRL+C to abort.
    Input the bits in the modulus [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    Apply for certificates
    # Retrieve the CA certificate and save it locally.
    [Switch] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates.
  • Page 509: Requesting A Certificate From A Ca Running Windows 2003 Server

    OU=test CN=myca Validity Not Before: Jan 8 09:26:53 2007 GMT Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0 EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61...
  • Page 510 Network requirements Configure PKI entity Switch to request a local certificate from the CA server. Figure 1-3 Request a certificate from a CA running Windows 2003 server Configuration procedure Configure the CA server Install the certificate server suites From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components >...
  • Page 511
    [Switch-pki-domain-torsa] ca identifier myca
    # Configure the URL of the registration server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port is the IP address and port number of the CA server.
    [Switch-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
    # Set the registration authority to RA.
    [Switch-pki-domain-torsa] certificate request from ra
    # Specify the entity for certificate request as aaa.
  • Page 512
    <Switch> display pki certificate local domain torsa
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                48FA0FD9 00000000 000C
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=CA server
            Validity
                Not Before: Nov 21 12:32:16 2007 GMT
                Not After : Nov 21 12:42:16 2008 GMT
            Subject: CN=switch
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption...
  • Page 513: Configuring A Certificate Attribute-Based Access Control Policy

    You can also use other display commands to view detailed information about the CA certificate. Refer to the display pki certificate ca domain command in PKI Commands of the Security Volume.
    Configuring a Certificate Attribute-Based Access Control Policy
    Network requirements
    The client accesses the remote HTTPS server over HTTPS.
  • Page 514: Troubleshooting Pki

    [Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1 [Switch-pki-cert-attribute-group-mygroup1] quit # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string of apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc.
  • Page 515: Failed To Request A Local Certificate

    Synchronize the system clock of the device with that of the CA.
    Failed to Request a Local Certificate
    Symptom: Failed to request a local certificate.
    Analysis: Possible reasons include these: The network connection is faulty (for example, the network cable may be damaged or loose). No CA certificate has been retrieved.
  • Page 516 Table of Contents
    1 SSL Configuration 1-1
      SSL Overview 1-1
        SSL Security Mechanism 1-1
        SSL Protocol Stack 1-2
      SSL Configuration Task List 1-2
      Configuring an SSL Server Policy 1-3
        Configuration Prerequisites 1-3
        Configuration Procedure 1-3
        SSL Server Policy Configuration Example 1-4
      Configuring an SSL Client Policy 1-6
        Configuration Prerequisites 1-6
        Configuration Procedure 1-6
      Displaying and Maintaining SSL 1-6...
  • Page 517: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL SSL Overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 518: Ssl Configuration Task List

    For details about symmetric key algorithms, asymmetric key algorithm RSA and digital signature, refer to Public Key Configuration in the Security Volume. For details about PKI, certificate, and CA, refer to PKI Configuration in the Security Volume. SSL Protocol Stack As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at...
  • Page 519: Configuring An Ssl Server Policy

    Configuring an SSL Server Policy An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, HTTP protocol, for example.
  • Page 520: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0. Both SSL 2.0 and SSL 3.0 have since been deprecated because of protocol weaknesses (RFC 6176 and RFC 7568); where the client population allows, accept only TLS.
  • Page 521
    # Create a PKI domain and configure it.
    [Device] pki domain 1
    [Device-pki-domain-1] ca identifier ca1
    [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Device-pki-domain-1] certificate request from ra
    [Device-pki-domain-1] certificate request entity en
    [Device-pki-domain-1] quit
    # Create the local RSA key pairs.
    [Device] public-key local create rsa
    # Retrieve the CA certificate.
  • Page 522: Configuring An Ssl Client Policy

    Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol. Configuration Prerequisites If the SSL server is configured to authenticate the SSL client, when configuring the SSL client policy, you need to specify the PKI domain to be used for obtaining the certificate of the client.
  • Page 523: Troubleshooting Ssl

    Troubleshooting SSL
    SSL Handshake Failure
    Symptom: As the SSL server, the device fails to handshake with the SSL client.
    Analysis: SSL handshake failure may result from the following causes:
    No SSL server certificate exists, or the certificate is not trusted.
    The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted.
  • Page 524 Table of Contents
    1 Public Key Configuration 1-1
      Public Key Algorithm Overview 1-1
        Basic Concepts 1-1
        Key Algorithm Types 1-1
        Asymmetric Key Algorithm Applications 1-1
      Configuring the Local Asymmetric Key Pair 1-2
        Creating an Asymmetric Key Pair 1-2
        Displaying or Exporting the Local RSA or DSA Host Public Key 1-3
        Destroying an Asymmetric Key Pair 1-3
      Configuring the Public Key of a Peer 1-3
      Displaying and Maintaining Public Keys 1-4...
  • Page 525: Public Key Configuration

    Public Key Configuration When configuring public keys, go to these sections for information you are interested in: Public Key Algorithm Overview Configuring the Local Asymmetric Key Pair Configuring the Public Key of a Peer Displaying and Maintaining Public Keys Public Key Configuration Examples Public Key Algorithm Overview Basic Concepts Algorithm: A set of transformation rules for encryption and decryption.
  • Page 526: Configuring The Local Asymmetric Key Pair

    Encryption: Information encrypted with a receiver's public key can be decrypted only by the receiver, who holds the corresponding private key. This is used to ensure confidentiality.
    Digital signature: A sender signs information with its private key; anyone holding the sender's public key can verify the signature, which proves that the information came from the sender and has not been tampered with.
  • Page 527: Displaying Or Exporting The Local Rsa Or Dsa Host Public Key

    Configuration of the public-key local create command survives a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an RSA key modulus is in the range 512 to 2048 bits. A 512-bit RSA modulus can be factored with modest resources and 1024 bits is no longer considered adequate, so choose 2048 bits unless a peer cannot accept it.
  • Page 528: Displaying And Maintaining Public Keys

    To configure the public key of the peer, you can: Configure it manually: You can type in or copy the public key of the peer to the local host. The copied public key must not have been converted and must be in the distinguished encoding rules (DER) format.
  • Page 529: Public Key Configuration Examples

    Public Key Configuration Examples Configuring the Public Key of a Peer Manually Network requirements Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: RSA is used.
  • Page 530: Importing The Public Key Of A Peer From A Public Key File

    =====================================================
    Time of Key pair created: 09:50:07 2007/08/07
    Key name: SERVER_KEY
    Key type: RSA Encryption Key
    =====================================================
    Key code:
    Configure Device B
    # Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A.
  • Page 531 In this example: RSA is used. The host public key of Device A is imported from the public key file to Device B.
    Figure 1-3 Network diagram for importing the public key of a peer from a public key file
    Configuration procedure
    Create key pairs on Device A and export the host public key
    # Create RSA key pairs on Device A.
  • Page 532
    # Export the RSA host public key to a file named devicea.pub.
    [DeviceA] public-key local export rsa ssh2 devicea.pub
    [DeviceA] quit
    Enable the FTP server function on Device B
    # Enable the FTP server function, create an FTP user with the username ftp and password 123.
    <DeviceB>...
  • Page 533
  • Page 534 Table of Contents
    1 ACL Overview 1-1
      Introduction to IPv4 ACL 1-1
        IPv4 ACL Classification 1-1
        IPv4 ACL Naming 1-2
        IPv4 ACL Match Order 1-2
        IPv4 ACL Step 1-3
        Effective Period of an IPv4 ACL 1-4
        IP Fragments Filtering with IPv4 ACL 1-4
      Introduction to IPv6 ACL 1-4
        IPv6 ACL Classification 1-4
        IPv6 ACL Naming 1-5...
  • Page 535
    4 ACL Application for Packet Filtering 4-1
      Filtering IPv4 Packets 4-1
      Filtering IPv6 Packets 4-1
      ACL Application Example 4-2...
  • Page 536: Acl Overview

    ACL Overview An access control list (ACL) is a set of rules (that is, a set of permit or deny statements) for identifying traffic based on matching criteria such as source address, destination address, and port number. The selected traffic will then be permitted or rejected by predefined security policies. ACLs are widely used in technologies where traffic identification is desired, such as packet filtering and QoS.
  • Page 537: Ipv4 Acl Naming

    Category: Advanced IPv4 ACL
    ACL number: 3000 to 3999
    Matching criteria: Source IP address, destination IP address, protocol carried over IP, and other Layer 3 or Layer 4 protocol header information
    Category: Ethernet frame header ACL
    ACL number: 4000 to 4999
    Matching criteria: Layer 2 protocol header fields such as source MAC address, destination MAC address,...
  • Page 538: Ipv4 Acl Step

    A wildcard mask is in dotted decimal notation. Its binary value 0 means "match" and binary value 1 means "do not care", which is the reverse of the meanings of the bits of a subnet mask. For example, a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0.
    Depth-first match for an advanced IPv4 ACL
    The following shows how your device performs depth-first match in an advanced IPv4 ACL: Sort rules by the protocol carried over IP.
  • Page 539: Effective Period Of An Ipv4 Acl

    Whenever the step changes, the rules are renumbered, starting from 0. For example, if four rules are numbered 5, 10, 15, and 20 respectively, changing the step from 5 to 2 will cause the rules to be renumbered 0, 2, 4, and 6.
    Benefits of using the step
    With the step and rule numbering/renumbering mechanism, you do not need to assign numbers to rules when defining them.
  • Page 540: Ipv6 Acl Naming

    Table 1-2 IPv6 ACL categories
    Category: Basic IPv6 ACL
    ACL number: 2000 to 2999
    Matching criteria: Source IPv6 address
    Category: Advanced IPv6 ACL
    ACL number: 3000 to 3999
    Matching criteria: Source IPv6 address, destination IPv6 address, protocol carried over IPv6, and other Layer 3 or Layer 4 protocol header information
    IPv6 ACL Naming
    When creating an IPv6 ACL, you can specify a unique name for it.
  • Page 541: Ipv6 Acl Step

    specified protocol type are of the same precedence level. Compare packets against the rule with the highest precedence. In case of a tie, look at the source IPv6 address prefixes. Then, compare packets against the rule configured with a longer prefix for the source IPv6 address. If the prefix lengths for the source IPv6 addresses are the same, look at the destination IPv6 address prefixes.
  • Page 542: Ipv4 Acl Configuration

    IPv4 ACL Configuration
    When configuring an IPv4 ACL, go to these sections for information you are interested in: Creating a Time Range; Configuring a Basic IPv4 ACL; Configuring an Advanced IPv4 ACL; Configuring an Ethernet Frame Header ACL; Copying an IPv4 ACL; Displaying and Maintaining IPv4 ACLs
    Creating a Time Range
    Two types of time ranges are available:...
  • Page 543: Configuring A Basic Ipv4 Acl

    Compound time range created using the time-range time-range-name start-time to end-time days { from time1 date1 [ to time2 date2 ] | to time2 date2 } command. A time range thus created recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59 12/31/2004 command.
  • Page 544: Configuring An Advanced Ipv4 Acl

    To do: Configure a description for the basic IPv4 ACL
    Command: description text
    Remarks: Optional. By default, a basic IPv4 ACL has no ACL description.
    To do: Configure a rule description
    Command: rule rule-id comment text
    Remarks: Optional. By default, an IPv4 ACL rule has no rule description.
  • Page 545
    To do: Enter system view
    Command: system-view
    Remarks: ––
    To do: Create an advanced IPv4 ACL and enter its view
    Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
    Remarks: Required. The default match order is config. If you specify a name for an IPv4 ACL when creating the ACL, you can use the acl name...
  • Page 546: Configuring An Ethernet Frame Header Acl

    You can modify the match order of an ACL with the acl number acl-number [ name acl-name ] match-order { auto | config } command, but only when the ACL does not contain any rules. The rule specified in the rule comment command must already exist.
    Configuring an Ethernet Frame Header ACL
    Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.
  • Page 547: Copying An Ipv4 Acl

    To do: Configure a rule description
    Command: rule rule-id comment text
    Remarks: Optional. By default, an Ethernet frame header ACL rule has no rule description.
    Note that: You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
  • Page 548: Displaying And Maintaining Ipv4 Acls

    The source IPv4 ACL and the destination IPv4 ACL must be of the same type. The destination ACL does not take the name of the source IPv4 ACL.
    Displaying and Maintaining IPv4 ACLs
    To do: Display information about one or all IPv4 ACLs
    Command: display acl { acl-number | all | ...
    Remarks: Available in any view
  • Page 549: Ipv6 Acl Configuration

    IPv6 ACL Configuration
    When configuring IPv6 ACLs, go to these sections for information you are interested in: Creating a Time Range; Configuring a Basic IPv6 ACL; Configuring an Advanced IPv6 ACL; Copying an IPv6 ACL; Displaying and Maintaining IPv6 ACLs
    Creating a Time Range
    Refer to Creating a Time...
  • Page 550: Configuring An Advanced Ipv6 Acl

    To do: Create or modify a rule
    Command: rule [ rule-id ] { deny | permit } [ fragment | logging | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range...
    Remarks: Required. To create or modify multiple rules, repeat this step. Note that the logging keywords are not supported if...
  • Page 551
    Configuration Prerequisites
    If you want to reference a time range in a rule, define it with the time-range command first.
    Configuration Procedure
    Follow these steps to configure an advanced IPv6 ACL:
    To do: Enter system view
    Command: system-view
    Remarks: ––...
  • Page 552: Copying An Ipv6 Acl

    You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL. When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order.
  • Page 553: Displaying And Maintaining Ipv6 Acls

    Displaying and Maintaining IPv6 ACLs
    To do: Display information about one or all IPv6 ACLs
    Command: display acl ipv6 { acl6-number | all | name acl6-name }
    Remarks: Available in any view
    To do: Display the usage of ACL resources
    Command: display acl resource
    Remarks: Available in any view
    To do: Display the configuration and...
  • Page 554: Acl Application For Packet Filtering

    ACL Application for Packet Filtering
    When applying an ACL for packet filtering, go to these sections for information you are interested in: Filtering IPv4 Packets; Filtering IPv6 Packets; ACL Application Example
    You can apply an ACL to the inbound or outbound direction of an interface to filter received or sent packets such as IPv4 packets and IPv6 packets.
  • Page 555: Acl Application Example

    ACL Application Example
    Network requirements
    As shown in Figure 4-1, apply an ACL to the inbound direction of interface GigabitEthernet 1/0/1 on Device A so that the interface denies IPv4 packets sourced from Host A from 8:00 to 18:00 every day.
    Figure 4-1 Network diagram for applying an ACL to an interface for filtering
    Host A GE1/0/1...
  • Page 556 System Volume Organization
    Manual Version: 6W100-20090626
    Product Version: Release 1102
    Organization
    The System Volume is organized as follows:
    Feature: Login
    Description: Upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: How to log in to your Ethernet switch; Introduction to the user interface and common configurations; Logging In Through the Console Port...
  • Page 557
    Feature: File System Management
    Description: A major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes: File system management; Configuration File Management
    Description: Hypertext Transfer Protocol (HTTP) is used for transferring web page...
  • Page 558
    Feature: Track
    Description: The track module is used to implement collaboration between different modules through established collaboration objects. The detection modules trigger the application modules to perform certain operations through the track module. This document describes: Track Overview; Configuring Collaboration Between the Track Module and the Detection Modules; Configuring Collaboration Between the Track Module and the Application Modules...
  • Page 559 Table of Contents
    1 Logging In to an Ethernet Switch 1-1
      Logging In to an Ethernet Switch 1-1
      Introduction to User Interface 1-1
        Supported User Interfaces 1-1
        Users and User Interfaces 1-2
        User Interface Number 1-2
      Common Login in to an Ethernet Switch 1-2
    2 Logging In Through the Console Port 2-1
      Introduction 2-1
      Setting Up the Connection to the Console Port 2-1...
  • Page 560
    5 Logging in Through Web-based Network Management System 5-1
      Introduction 5-1
      Web Server Configuration 5-1
      Displaying Web Users 5-2
      Configuration Example 5-2
    6 Logging In Through NMS 6-1
      Introduction 6-1
      Connection Establishment Using NMS 6-1
    7 Specifying Source for Telnet Packets 7-1
      Introduction 7-1
      Specifying Source IP address/Interface for Telnet Packets 7-1
      Displaying the source IP address/Interface Specified for Telnet Packets 7-2
    8 Controlling Login Users 8-1...
  • Page 561: Logging In To An Ethernet Switch

    Telnet users and SSH users: Ethernet port, up to five VTY users.
    As the AUX port and the Console port of an H3C series switch are the same one, you will be in the AUX user interface if you log in through this port.
  • Page 562: Users And User Interfaces

    Users and User Interfaces
    User Interface Number
    A device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. When a user initiates a connection request, the system automatically assigns the idle user interface with the smallest number of the type that matches the login type to the user.
  • Page 563
    To do: Set the banner
    Command: header { incoming | legal | login | shell | motd } text
    Remarks: Optional
    To do: Set a system name for the switch
    Command: sysname string
    Remarks: Optional
    To do: Display the information about the current user interface/all
    Command: display users [ all ]
    Remarks: You can execute this command in any view.
  • Page 564: Logging In Through The Console Port

    Logging in through the Console port is the most common way to log in to a switch. It is also the prerequisite for configuring other login methods. By default, you can log in to an H3C S5810 series Ethernet switch through its Console port only.
  • Page 565 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
  • Page 566: Console Port Login Configuration

    Figure 2-4 Set port parameters terminal window
    Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after the user presses the Enter key.
  • Page 567: Common Configuration

    Configuration: Data bits
    Command: databits { 5 | 6 | 7 | 8 }
    Description: Optional. The default data bits of a Console port is 8.
    Configuration: AUX user interface: configure the command level available to the users
    Command: user privilege level level
    Description: Optional. By default, commands of level 3 are available to the users...
  • Page 568: Console Port Login Configuration With Authentication Mode Being None

    Authentication mode / Console port login configuration / Description:
    Perform common configuration: Perform common configuration for Console port login. Optional. Refer to Common Configuration for details.
    AAA configuration: Specify to perform local authentication. Optional. Specifies whether to perform local authentication; local authentication is performed by default.
  • Page 569
    Configuration Example
    Network requirements
    Assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following aspects.
  • Page 570: Console Port Login Configuration With Authentication Mode Being Password

    [Sysname-ui-aux0] idle-timeout 6
    After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting Up the Connection to the Console Port for details.
  • Page 571
    Network diagram
    Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password)
    Configuration procedure
    # Enter system view.
    <Sysname> system-view
    # Enter AUX user interface view.
    [Sysname] user-interface aux 0
    # Specify to authenticate the user logging in through the Console port using the local password.
    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
  • Page 572: Console Port Login Configuration With Authentication Mode Being Scheme

    Console Port Login Configuration with Authentication Mode Being Scheme
    Configuration Procedure
    Follow these steps to perform Console port login configuration (with authentication mode being scheme):
    To do: Enter system view
    Command: system-view
    Remarks: —
    To do: Enter AUX user interface view
    Command: user-interface aux 0
    Remarks: —...
  • Page 573 Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command.
  • Page 574
    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal.
    [Sysname-luser-guest] service-type terminal
    [Sysname-luser-guest] quit
    # Enter AUX user interface view.
  • Page 575: Logging In Through Telnet/Ssh

    Logging In Through Telnet/SSH
    Logging In Through Telnet
    When logging in through Telnet, go to these sections for information you are interested in: Introduction; Telnet Configuration with Authentication Mode Being None; Telnet Configuration with Authentication Mode Being Password; Telnet Configuration with Authentication Mode Being Scheme; Telnet Connection Establishment
    Introduction
    You can telnet to a remote switch to manage and maintain the switch.
  • Page 576: Telnet Connection Establishment

    Telnet Connection Establishment
    Telnetting to a Switch from a Terminal
    You can telnet to a switch and then configure the switch if the interface of the management VLAN of the switch is assigned an IP address. (By default, VLAN 1 is the management VLAN.) Following are the procedures to establish a Telnet connection to a switch:
    Step 1: Log in to the switch through the Console port, enable the Telnet server function and assign an IP address to the management VLAN interface of the switch.
  • Page 577 Step 5: Enter the password when the Telnet window displays “Login authentication” and prompts for login password. The CLI prompt (such as <H3C>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 578 Step 4: Enter the password. If the password is correct, the CLI prompt (such as <H3C>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”.
  • Page 579: Telnet Login Configuration Task List

    Configuration: Set the maximum number of lines the screen can contain
    Command: screen-length screen-length
    Remarks: Optional. By default, the screen can contain up to 24 lines.
    Configuration: Set history command buffer size
    Command: history-command max-size value
    Remarks: Optional. By default, the history command buffer can contain up to 10 commands.
  • Page 580
    Note that if you configure the switch not to authenticate users, the command level available to users logging in to the switch depends on both the authentication-mode none command and the user privilege level level command.
    Configuration Example
    Network requirements
    Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: Do not authenticate users logging in to VTY 0.
  • Page 581: Telnet Configuration With Authentication Mode Being Password

    Telnet Configuration with Authentication Mode Being Password
    Configuration Procedure
    Follow these steps to perform Telnet configuration (with authentication mode being password):
    To do: Enter system view
    Command: system-view
    Remarks: —
    To do: Enter one or more VTY user...
    Command: user-interface vty first-number...
    Remarks: —...
  • Page 582: Telnet Configuration With Authentication Mode Being Scheme

    [Sysname-ui-vty0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-vty0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure VTY 0 to support the Telnet protocol.
    [Sysname-ui-vty0] protocol inbound telnet
    # Set the maximum number of lines the screen can contain to 30.
  • Page 583
    To do: Create a local user and enter local user view
    Command: local-user user-name
    Remarks: No local user exists by default.
    To do: Set the authentication password for the local user
    Command: password { simple | cipher } password
    Remarks: Required. By default, a user is authorized with no password.
    Specifies the level of the...
  • Page 584: Logging In Through Ssh

    Figure 3-6 Network diagram for Telnet configuration (with the authentication mode being scheme)
    Configuration procedure
    Configure the switch
    # Enter system view, and enable the Telnet service.
    <Sysname> system-view
    [Sysname] telnet server enable
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password of the local user to 123456 (in plain text).
  • Page 585: Logging In Using Modem

    Logging In Using Modem
    When logging in using a modem, go to these sections for information you are interested in: Introduction; Configuration on the Administrator Side; Configuration on the Switch Side; Modem Connection Establishment
    Introduction
    You may log in to your switch through its console port from a remote device across a PSTN with a pair of modems in between.
  • Page 586
    AT&S0 ----------------------- Set DSR to high level by force
    ATEQ1&W ----------------------- Disable the modem from returning command response and the result, save the changes
    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
  • Page 587: Configuration On The Administrator Side

    Figure 4-3 Call the modem
    Step 5: Provide the password when prompted. If the password is correct, the prompt (such as <H3C>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help.
  • Page 588: Configuration On The Switch Side

    Configuration on the Switch Side
    Modem Configuration
    Perform the following configuration on the modem directly connected to the switch:
    AT&F ----------------------- Restore the factory settings
    ATS0=1 ----------------------- Configure to answer automatically after the first ring
    AT&D ----------------------- Ignore DTR signal
    AT&K0 ----------------------- Disable flow control
    AT&R1...
  • Page 589: Configuration On Switch When The Authentication Mode Is Scheme

    Configuration on switch when the authentication mode is scheme Refer to Console Port Login Configuration with Authentication Mode Being Scheme.
  • Page 590: Introduction

    Management System
    Introduction
    An S5810 series switch has a Web server built in. You can log in to an S5810 series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 591: Displaying Web Users

    To do: Specify the service types for the local user
    Command: service-type telnet
    Remarks: Optional. By default, no service is authorized to a user.
    To do: Start the Web server
    Command: ip http enable
    Remarks: Required. Execute this command in system view.
    Displaying Web Users
    After the above configurations, execute the display command in any view to display the information about Web users, and thus to verify the configuration effect.
  • Page 592 Step 4: Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switch is available.) Step 5: When the login interface (shown in Figure...
  • Page 593: Logging In Through Nms

    Logging In Through NMS
    When logging in through NMS, go to these sections for information you are interested in: Introduction; Connection Establishment Using NMS
    Introduction
    You can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
  • Page 594: Specifying Source For Telnet Packets

    Specifying Source for Telnet Packets
    When specifying the source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction; Specifying Source IP address/Interface for Telnet Packets; Displaying the source IP address/Interface Specified for Telnet Packets
    Introduction
    To improve security and make it easier to manage services, you can specify source IP addresses/interfaces for Telnet clients.
  • Page 595: Displaying The Source Ip Address/Interface Specified For Telnet Packets

    To do: Specify source IP address/interface for Telnet packets
    Command: telnet client source { ip ip-address | interface interface-type interface-number }
    Remarks: Optional. By default, no source IP address/interface is specified.
    The IP address specified must be a local IP address. When specifying the source interface for Telnet packets, make sure the interface already exists.
  • Page 596: Controlling Login Users

    Controlling Login Users
    When controlling login users, go to these sections for information you are interested in: Introduction; Controlling Telnet Users; Controlling Network Management Users by Source IP Addresses
    Introduction
    Multiple ways are available for controlling different types of login users, as listed in Table 8-1.
  • Page 597: Controlling Telnet Users By Source And Destination Ip Addresses

    To do: Create a basic ACL or enter basic ACL view
    Command: acl [ ipv6 ] number acl-number [ match-order { config | auto } ]
    Remarks: As for the acl number command, the config keyword is specified by default.
    To do: Define rules for the ACL
    Command: rule [ rule-id ] { permit | deny } source sour-addr...
  • Page 598: Controlling Telnet Users By Source Mac Addresses

    Controlling Telnet Users by Source MAC Addresses
    This configuration needs to be implemented by a Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security Volume.
    Follow these steps to control Telnet users by source MAC addresses:
    To do…...
  • Page 599: Controlling Network Management Users By Source Ip Addresses

    [Sysname-ui-vty0-4] acl 2000 inbound
    Controlling Network Management Users by Source IP Addresses
    You can manage an H3C S5810 series Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 600
    To do: Create a basic ACL or enter basic ACL view
    Command: acl number acl-number [ match-order { config | auto } ]
    Remarks: As for the acl number command, the config keyword is specified by default.
    To do: Define rules for the ACL
    Command: rule [ rule-id ] { permit | deny } [ source { sour-addr sour-wildcard | any } | ...
    Remarks: Required...
  • Page 601: Controlling Web Users By Source Ip Addresses

    # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to access the switch.
    [Sysname] snmp-agent community read h3c acl 2000
    [Sysname] snmp-agent group v2c h3cgroup acl 2000
    [Sysname] snmp-agent usm-user v2c h3cuser h3cgroup acl 2000
    Controlling Web Users by Source IP Addresses The S5820X&S5800 series Ethernet switches support Web-based remote management, which allows...
  • Page 602: Forcing Online Web Users Offline

    Forcing Online Web Users Offline The network administrators can run a command to force online Web users offline. Perform the following operation to force online Web users offline: To do… Use the command… Remarks
    Force online Web users offline. Command: free web-users { all | user-id user-id | user-name user-name }. Remarks: Required. Use this command in...
  • Page 603 Table of Contents
    1 Basic Configurations 1-1
    Configuration Display 1-1
    Basic Configurations 1-2
    Entering System View 1-2
    Exiting the Current View 1-2
    Exiting to User View 1-2
    Configuring the Device Name 1-3
    Configuring the System Clock 1-3
    Enabling/Disabling the Display of Copyright Information 1-6
    Configuring a Banner 1-7
    Configuring CLI Hotkeys 1-8
    Configuring User Privilege Levels and Command Levels 1-9...
  • Page 604: Basic Configurations

    Basic Configurations While performing basic configurations of the system, go to these sections for information you are interested in: Configuration Display Basic Configurations CLI Features Configuration Display To avoid duplicate configuration, you can use the display commands to view the current configuration of the device before configuring the device.
  • Page 605: Entering System View

    Basic Configurations This section covers the following topics: Entering System View Configuring the Device Name Configuring the System Clock Enabling/Disabling the Display of Copyright Information Configuring a Banner Configuring CLI Hotkeys Configuring User Privilege Levels and Command Levels Displaying and Maintaining Basic Configurations Entering System View After you log in to the device, you will automatically enter user view.
  • Page 606: Configuring The Device Name

    Configure the device name. Command: sysname sysname. Remarks: Optional. The device name is H3C by default.
    Configuring the System Clock Configuring the system clock The system clock, displayed by system time stamp, is decided by the configured relative time, time zone, and daylight saving time.
  • Page 607 displayed in the ways shown in Table 1-1. The meanings of the parameters in the configuration column are as follows: 1 indicates that date-time has been configured with the clock datetime command. 2 indicates that time-zone has been configured with the clock timezone command and the offset time is zone-offset.
  • Page 608 Configuration / System clock displayed by the display clock command / Example
    If date-time is in the daylight saving time range, “date-time” + “summer-offset” is displayed. Example: Configure: clock datetime 8:00 2007/1/1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2. Display: 10:00:00 ss Mon 01/01/2007
    Example: Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00...
  • Page 609: Enabling/Disabling The Display Of Copyright Information

    AUX port. The copyright information will not be displayed under other circumstances. The display format of copyright information is as shown below:
    ****************************************************************************
    * Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
    * Without the owner's prior written consent,                               *
    * no decompiling or reverse-engineering shall be allowed.
  • Page 610: Configuring A Banner

    Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system supports the following five kinds of welcome information. shell banner, also called session banner, displayed when a non TTY Modem user enters user view.
  • Page 611: Configuring Cli Hotkeys

    To do… Use the command… Remarks
    Configure the authorization information before login. Command: header legal text. Remarks: Optional.
    Configure the banner to be displayed when a user enters user view (non Modem login users). Command: header shell text. Remarks: Optional.
    Configure the banner to be displayed before login. Command: header motd text. Remarks: Optional...
  • Page 612: Configuring User Privilege Levels And Command Levels

    Hotkey Function
    Ctrl+N: Displays the next command in the history command buffer.
    Ctrl+P: Displays the previous command in the history command buffer.
    Ctrl+R: Redisplays the current line information.
    Ctrl+V: Pastes the content in the clipboard.
    Ctrl+W: Deletes all the characters in a continuous string to the left of the cursor.
  • Page 613 Table 1-3 Default command levels
    Level / Privilege / Description
    Visit: Involves commands for network diagnosis and commands for accessing an external device. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings.
  • Page 614 To do… Use the command… Remarks
    Configure the user privilege level using local authentication. Commands: use the local-user command to create a local user and enter local user view; then use the level keyword in the authorization-attribute command. Remarks: Use either approach. For local authentication, if you do not configure the user level, the user level is 0, that is, users of this level...
  • Page 615 Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type): To do… Use the command… Remarks
    Configure the authentication. Remarks: Required if users adopt the SSH login mode, and only username, instead of password, is needed at authentication. For the details, refer to SSH2.0...
  • Page 616 Perform no authentication to the users telnetting to the device, and specify the user privilege level as 1. (This configuration brings potential security problems. Therefore, you are recommended to use it only in a lab environment.)
    <Sysname> system-view
    [Sysname] user-interface vty 0 4
    [Sysname-ui-vty0-4] authentication-mode none
    [Sysname-ui-vty0-4] user privilege level 1
    By default, when users telnet to the device, they can only use the following commands after passing the...
  • Page 617 log in to the device through Telnet, they need to input password 123, and then they can use commands of levels 0, 1, and 2. Switching user privilege level Users can switch their user privilege level temporarily without logging out and disconnecting the current connection;...
  • Page 618: Displaying And Maintaining Basic Configurations

    Modifying command level All the commands in a view are defaulted to different levels, as shown in Table 1-3. The administrator can modify the command level based on users’ needs to make users of a lower level use commands with a higher level or improve device security. Follow these steps to modify the command level: To do…...
  • Page 619: Cli Features

    of the commands display clock, display version, display device, and display current-configuration one by one. For the detailed description of the display users command, refer to Login Commands in the System Volume. The display commands discussed above are for the global configuration. Refer to the corresponding section for the display command for specific protocol and interface.
  • Page 620 Fuzzy help To obtain the desired help information, you can: Enter ? in any view to access all the commands in this view and brief description about them as well.
    <Sysname> ?
    User view commands:
      backup       Backup next startup-configuration file to TFTP server
      boot-loader  Set boot loader
      bootrom...
  • Page 621: Synchronous Information Output

    Press Tab after entering the first several letters of a keyword to display the complete keyword, provided these letters can uniquely identify the keyword in this command. If several matches are found, the complete keyword which is matched first is displayed (the matching rule is: the letters next to the input letters are arranged in alphabetic order, and the letter in the first place is matched first.).
  • Page 622: Cli Display

    Function Pressing Tab after entering part of a keyword enables the fuzzy help function. If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line. When there are several matches, if you repeatedly press Tab, all the keywords starting with the letter that you enter are displayed in cycles.
  • Page 623 Character / Meaning / Remarks
    string$: Ending sign, string appears only at the end of a line. For example, regular expression “user$” only matches a string ending with “user”, not “userA”.
    . : Full stop, a wildcard used in place of any character, including single character. For example, “.l” can match “vlan” or “mpls”.
  • Page 624 Character / Meaning / Remarks
    Used to match any character not in a specified range. For example, [^16A] means to match a string containing any character except 1, 6 or A; the string can also contain 1, 6 or A, but cannot contain these three characters only.
  • Page 625: Saving Commands In The History Buffer

    To do… Use the command… Remarks
    Disable the multiple-screen output function of the current user. Command: screen-length disable. Remarks: Required. By default, a login user uses the settings of the screen-length command. The default settings of the screen-length command are: multiple-screen output is enabled and 24 lines are displayed on the next screen.
  • Page 626: Command Line Error Information

    different commands. For example, if you execute the display cu command repeatedly, the system saves only one command in the history buffer; if you execute the command in the format of display cu and display current-configuration respectively, the system saves them as two commands. Follow these steps to access history commands: To do…...
  • Page 627 Table of Contents
    1 Device Management 1-1
    Device Management Overview 1-1
    Device Management Configuration Task List 1-1
    Configuring the Exception Handling Method 1-1
    Rebooting a Device 1-2
    Configuring the Scheduled Automatic Execution Function 1-3
    Upgrading Device Software 1-4
    Device Software Overview 1-4
    Upgrading the Boot ROM Program Through Command Lines 1-5
    Upgrading the Boot File Through Command Lines 1-5
    Configuring Temperature Alarm Thresholds for a Device 1-6...
  • Page 628: Device Management Overview

    Device Management When configuring device management, go to these sections for information you are interested in: Device Management Overview Device Management Configuration Task List Configuring the Exception Handling Method Rebooting a Device Configuring the Scheduled Automatic Execution Function Upgrading Device Software Configuring Temperature Alarm Thresholds for a Device Clearing the 16-bit Interface Indexes Not Used in the Current System Identifying and Diagnosing Pluggable Transceivers...
  • Page 629: Rebooting A Device

    maintain: The system maintains the current situation, and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting it. Sometimes, it is difficult for the system to recover, or some prompts that are printed during the failure are lost after the reboot.
  • Page 630: Configuring The Scheduled Automatic Execution Function

    To do… Use the command… Remarks
    Enable the scheduled reboot function and specify a reboot waiting time. Command: schedule reboot delay { hh:mm | mm }. Remarks: The scheduled reboot function is disabled by default. Available in user view.
    Device reboot may result in the interruption of the ongoing services. Use these commands with caution.
  • Page 631: Upgrading Device Software

    The system does not check the values of the view and command arguments. Therefore, ensure the correctness of the command argument (including the correct format of command and the correct relationship between the command and view arguments). After the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug.
  • Page 632: Upgrading The Boot Rom Program Through Command Lines

    The Boot ROM program and system boot file can both be upgraded through the Boot ROM menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the Boot ROM menu, refer to the installation menu of your device. Upgrading the Boot ROM Program Through Command Lines Follow these steps to upgrade the Boot ROM program: Copy the Boot ROM program to the root directory of the device's storage medium using FTP or...
  • Page 633: Configuring Temperature Alarm Thresholds For A Device

    You must save the file for the next device boot under the root directory of the device. You can copy or move a file to change its path to the root directory. You cannot specify the boot file for the next boot of the USB device. Configuring Temperature Alarm Thresholds for a Device You can set temperature alarm thresholds for a device by using the following command.
  • Page 634: Identifying And Diagnosing Pluggable Transceivers

    ...[ interface-type interface-number ] (end of the preceding row). Remarks: Available for all pluggable transceivers.
    Display part of the electrical label information of the anti-spoofing pluggable transceiver(s) customized by H3C. Command: display transceiver manuinfo interface [ interface-type interface-number ]. Remarks: Available for anti-spoofing pluggable transceiver(s) customized by H3C only...
  • Page 635: Diagnosing Pluggable Transceivers

    You can use the Vendor Name field in the prompt information of the display transceiver command to identify an anti-spoofing pluggable transceiver customized by H3C. If the field is H3C, it is considered an H3C-customized pluggable transceiver. Electrical label information is also called permanent configuration data or archive information, which is written to the storage component of a card during device debugging or testing.
  • Page 636: Device Management Configuration Examples

    To do… Use the command… Remarks
    Display the power state of a device. Command: display power [ power-id ]. Remarks: Available in any view.
    Display the reboot type of a device. Command: display reboot-type. Remarks: Available in any view.
    Display the reboot time of a device. Command: display schedule reboot. Remarks: Available in any view...
  • Page 637 Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hello, and setting the user to have access to the flash:/aaa directory).
    <FTP-Server> system-view
    [FTP-Server] ftp server enable
    [FTP-Server] local-user aaa
    [FTP-Server-luser-aaa] password cipher hello
    [FTP-Server-luser-aaa] service-type ftp...
  • Page 638 Info: Command execute auto-update.bat in system view will be executed at 03:00 12/11/2007(in 12 hours and 0 minutes). After the device reboots, use the display version command to check if the upgrade is successful.
  • Page 639 Table of Contents
    1 File System Management 1-1
    File System 1-1
    File System Overview 1-1
    Filename Formats 1-1
    Directory Operations 1-2
    Displaying Directory Information 1-2
    Displaying the Current Working Directory 1-2
    Changing the Current Working Directory 1-2
    Creating a Directory 1-2
    Removing a Directory 1-2
    File Operations 1-3
    Displaying File Information 1-3
    Displaying the Contents of a File 1-3...
  • Page 640
    Backing Up the Startup Configuration File 2-7
    Deleting the Startup Configuration File for the Next Startup 2-8
    Restoring the Startup Configuration File 2-9
    Displaying and Maintaining Device Configuration 2-9...
  • Page 641: File System Management

    File System Management When managing a file system, go to these sections for information you are interested in: File System Directory Operations File Operations Batch Operations Storage Medium Operations Setting File System Prompt Modes File System Operations Example File System File System Overview A major function of the file system is to manage storage media.
  • Page 642: Displaying Directory Information

    Directory Operations Directory operations include creating/removing a directory, displaying the current working directory, displaying the specified directory or file information, and so on. Displaying Directory Information To do… Use the command… Remarks
    Display directory or file information. Command: dir [ /all ] [ file-url ]. Remarks: Required. Available in user view.
    Displaying the Current Working Directory...
  • Page 643: File Operations

    The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and the subdirectory under this directory. For file deletion, refer to the delete command; for subdirectory deletion, refer to the rmdir command. After you execute the rmdir command successfully, the files in the recycle bin under the directory will be automatically deleted.
  • Page 644: Copying A File

    Copying a File To do… Use the command… Remarks
    Copy a file. Command: copy fileurl-source fileurl-dest. Remarks: Required. Available in user view.
    Moving a File To do… Use the command… Remarks
    Move a file. Command: move fileurl-source fileurl-dest. Remarks: Required. Available in user view.
    Deleting a File To do…...
  • Page 645: Emptying The Recycle Bin

    Emptying the Recycle Bin To do… Use the command… Remarks
    Enter the original working directory of the file to be deleted. Command: cd { directory | .. | / }. Remarks: Optional. If the original directory of the file to be deleted is not the current working directory, this command is required.
  • Page 646: Displaying And Maintaining The Nand Flash Memory

    To do… Use the command… Remarks
    Restore the space of a storage medium. Command: fixdisk device. Remarks: Optional. Available in user view.
    Format a storage medium. Command: format device. Remarks: Optional. Available in user view.
    When you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file.
  • Page 647: Setting File System Prompt Modes

    To do… Use the command… Remarks
    Display data on the specified physical page. Command: display nandflash page-data page-value.
    Setting File System Prompt Modes The file system provides the following two prompt modes: alert: In this mode, the system warns you about operations that may bring undesirable consequences such as file corruption or data loss.
  • Page 648 # Return to the upper directory.
    <Sysname> cd ..
    # Display the current working directory.
    <Sysname> pwd
    flash:...
  • Page 649: Configuration File Management

    Configuration File Management The device provides the configuration file management function with a user-friendly command line interface (CLI) for you to manage the configuration files conveniently. This section covers these topics: Configuration File Overview Saving the Current Configuration Setting Configuration Rollback Specifying a Startup Configuration File for the Next System Startup Backing Up the Startup Configuration File Deleting the Startup Configuration File...
  • Page 650: Coexistence Of Multiple Configuration Files

    Coexistence of Multiple Configuration Files Multiple configuration files can be stored on a storage medium of a device. You can save the configuration used in different environments as different configuration files. In this case, when the device moves between these networking environments, you just need to specify the corresponding configuration file as the startup configuration file for the next boot of the device and restart the device, so that the device can adapt to the network rapidly, saving the configuration workload.
  • Page 651: Setting Configuration Rollback

    The fast saving mode is suitable for environments where power supply is stable. The safe mode, however, is preferred in environments where stable power supply is unavailable or remote maintenance is involved. Follow the steps below to save the current configuration: To do…...
  • Page 652: Configuration Task List

    Save the current running configuration with the specified filename (filename prefix + serial number) to the specified path. The current running configuration can be saved in two ways: the system saves the current running configuration at a specified interval; or you can save the current running configuration as needed.
  • Page 653: Saving The Current Running Configuration Automatically

    To do… Use the command… Remarks
    Enter system view. Command: system-view. Remarks: —
    Configure the path and filename prefix of a saved configuration file. Command: archive configuration location directory filename-prefix filename-prefix. Remarks: Required. By default, the path and filename prefix of a saved configuration file are not configured, and the system does not save the configuration...
  • Page 654: Saving The Current Running Configuration Manually

    The path and filename prefix of a saved configuration file must be specified before you configure the automatic saving period. Saving the Current Running Configuration Manually Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended that you disable the automatic saving of the current running configuration and save it manually.
  • Page 655: Specifying A Startup Configuration File For The Next System Startup

    The complete undo form of a command is not supported, namely, you cannot get the actual undo form of the command by simply putting the keyword undo in front of the command, so the complete undo form of the command cannot be recognized by the device.
    The configuration cannot be removed, such as hardware-related commands.
    Commands in different views are dependent on each other.
    If the replacement configuration file is not a complete file generated by using the save or archive...
  • Page 656: Deleting The Startup Configuration File For The Next Startup

    To do… Use the command… Remarks
    Back up the configuration file to be used at the next system startup to the specified TFTP server. Command: backup startup-configuration to dest-addr [ dest-filename ]. Remarks: Required. Available in user view.
    Before the backup operation, you should: Ensure that the server is reachable, the server is enabled with TFTP service, and the client has permission to read and write.
  • Page 657: Restoring The Startup Configuration File

    Restoring the Startup Configuration File The restore function allows you to copy a configuration file from a TFTP server to the device and specify the file as the startup configuration file to be used at the next system startup. Follow the step below to restore the startup configuration file to be used at the next system startup: To do…...
  • Page 658 Table of Contents
    1 HTTP Configuration 1-1
    HTTP Overview 1-1
    How HTTP Works 1-1
    Logging In to the Device Through HTTP 1-1
    Protocols and Standards 1-1
    Enabling the HTTP Service 1-1
    Configuring the Port Number of the HTTP Service 1-2
    Associating the HTTP Service with an ACL 1-2
    Displaying and Maintaining HTTP 1-3
    2 HTTPS Configuration 2-1
    HTTPS Overview 2-1...
  • Page 659: Http Configuration

    HTTP Configuration When configuring HTTP, go to these sections for information you are interested in: HTTP Overview Enabling the HTTP Service HTTP Configuration Associating the HTTP Service with an ACL Displaying and Maintaining HTTP HTTP Overview The Hypertext Transfer Protocol (HTTP) is used for transferring web page information across the Internet.
  • Page 660: Configuring The Port Number Of The Http Service

    Follow these steps to enable the HTTP service: To do… Use the command… Remarks
    Enter system view. Command: system-view. Remarks: —
    Enable the HTTP service. Command: ip http enable. Remarks: Required. Enabled by default.
    Configuring the Port Number of the HTTP Service Configuration of the port number of the HTTP service can reduce the attacks from illegal users on the HTTP service.
  • Page 661: Displaying And Maintaining Http

    If you execute the ip http acl command multiple times to associate the HTTP service with ACLs, the HTTP service is only associated with the last specified ACL. For the detailed introduction to ACL, refer to ACL Configuration in the Security Volume. Displaying and Maintaining HTTP To do…...
  • Page 662: Https Overview

    HTTPS Configuration When configuring HTTPS, go to these sections for information you are interested in: HTTPS Overview HTTPS Configuration Task List Associating the HTTPS Service with an SSL Server Policy Enabling the HTTPS Service Associating the HTTPS Service with a Certificate Attribute Access Control Policy Configuring the Port Number of the HTTPS Service Associating the HTTPS Service with an ACL Displaying and Maintaining HTTPS...
  • Page 663: Associating The Https Service With An Ssl Server Policy

    Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do…...
  • Page 664: Associating The Https Service With A Certificate Attribute Access Control Policy

    After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device already exists, the SSL negotiation is successfully performed, and the HTTPS service can be started normally.
  • Page 665: Associating The Https Service With An Acl

    To do… Use the command… Remarks
    Enter system view. Command: system-view. Remarks: —
    Configure the port number of the HTTPS service. Command: ip https port port-number. Remarks: Optional. By default, the port number of the HTTPS service is 443.
    If you execute the ip https port command multiple times, the last configured port number is used.
    Associating the HTTPS Service with an ACL Associating the HTTPS service with an ACL can filter out requests from some clients to let pass only clients that pass the ACL filtering.
  • Page 666 In this configuration example, Windows Server serves as CA and you need to install Simple Certificate Enrollment Protocol (SCEP) component. Figure 2-1 Network diagram for HTTPS configuration Configuration procedure Perform the following configurations on Device: Apply for a certificate for Device # Configure a PKI entity.
  • Page 667
    [Device-ssl-server-policy-myssl] pki-domain 1
    [Device-ssl-server-policy-myssl] client-verify enable
    [Device-ssl-server-policy-myssl] quit
    Configure a certificate access control policy
    # Configure a certificate attribute group.
    [Device] pki certificate attribute-group mygroup1
    [Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
    [Device-pki-cert-attribute-group-mygroup1] quit
    # Configure certificate access control policy myacp and create a control rule.
    [Device] pki certificate access-control-policy myacp
    [Device-pki-cert-acp-myacp] rule 1 permit mygroup1
    [Device-pki-cert-acp-myacp] quit...
  • Page 668 Table of Contents: 1 SNMP Configuration (1-1); SNMP Overview (1-1); SNMP Mechanism (1-1); SNMP Protocol Version (1-2); MIB Overview (1-2); SNMP Configuration (1-3); Configuring SNMP Logging (1-5); Introduction to SNMP Logging (1-5); Enabling SNMP Logging (1-5); Configuring SNMP Trap (1-6); Enabling the Trap Function (1-6); Configuring Trap Parameters (1-7); Displaying and Maintaining SNMP (1-8); SNMPv1/SNMPv2c Configuration Example (1-8)...
  • Page 669: SNMP Configuration

    SNMP Configuration. When configuring SNMP, go to these sections for information you are interested in: SNMP Overview; SNMP Configuration; Configuring SNMP Logging; Configuring SNMP Trap; Displaying and Maintaining SNMP; SNMPv1/SNMPv2c Configuration Example; SNMPv3 Configuration Example; SNMP Logging Configuration Example. SNMP Overview: Simple Network Management Protocol (SNMP) offers the communication rules between a management device and the managed devices on the network;...
  • Page 670: SNMP Protocol Version

    Inform operation: The NMS sends traps to other NMSs through this operation. SNMP Protocol Version: Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c. SNMPv1 uses community names for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets whose community names fail authentication on the device are simply discarded.
  • Page 671 Configure SNMP agent system information | snmp-agent sys-info { contact sys-contact | location sys-location | version… | Optional. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact; Hangzhou…
  • Page 672 Configure SNMP agent system information | snmp-agent sys-info { contact sys-contact | location sys-location | version… | Required. The defaults are as follows: Hangzhou H3C Technologies Co., Ltd. for contact; Hangzhou…
  • Page 673: Configuring SNMP Logging

    To do… | Use the command… | Remarks
    …agent.
    Add a user to an SNMP group | snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] |
    Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent | snmp-agent packet max-size byte-count | Optional. 1,500 bytes by default.
  • Page 674: Configuring SNMP Trap

    A large number of logs occupies the storage space of the device and thus affects its performance. Therefore, it is recommended to disable SNMP logging. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record cannot exceed 1K bytes;...
  • Page 675: Configuring Trap Parameters

    To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ standard [ linkdown | linkup ] * ] command to enable this function globally.
  • Page 676: Displaying and Maintaining SNMP

    An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) appended with interface description and interface type information. If the extended messages are not supported on the NMS, disable this function to let the device send standard linkUp/linkDown traps. If the sending queue of traps is full, the system automatically deletes the oldest traps to make room for new ones.
  • Page 677: SNMPv3 Configuration Example

    Figure 1-3 Network diagram for SNMPv1/v2c. Configuration procedure: Configuring the SNMP agent. # Configure the IP address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the NMS. (The configuration procedure is omitted here.) # Configure the SNMP basic information, including the version and community name.
  • Page 678 Figure 1-4 Network diagram for SNMPv3. Configuration procedure: Configuring the agent. # Configure the IP address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the NMS. (The configuration procedure is omitted here.) # Configure the access right: the user can read and write the objects under the interface node with the OID of 1.3.6.1.2.1.2, and cannot access other MIB objects.
  • Page 679: SNMP Logging Configuration Example

    SNMP Logging Configuration Example. Network requirements: As shown in Figure 1-5, the NMS and the agent are connected through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the agent is 1.1.1.1/24. Configure SNMP logging on the agent to record the operations performed by the NMS on the agent. Figure 1-5 Network diagram for SNMP logging: Agent 1.1.1.1/24...
  • Page 680
    seqNO = <11> srcIP = <1.1.1.2> op = <set> errorIndex = <0> errorStatus =<noError> node = <sysName(1.3.6.1.2.1.1.5.0)> value = <Sysname>
    Table 1-1 Description on the output field of SNMP log
    Field | Description
    Jan 1 02:49:40:566 2006 | The time when the SNMP log is generated
    seqNO | Serial number of the SNMP log (The system numbers the recorded SNMP logs automatically;...
  • Page 681: MIB Style Configuration

    …MIB style, the device sysOID is under H3C's enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the H3C new MIB style, both the device sysOID and the private MIB are under H3C's enterprise ID 25506. These two styles of MIBs implement the same management function except for their root nodes.
  • Page 682 Table of Contents: 1 RMON Configuration (1-1); RMON Overview (1-1); Introduction (1-1); Working Mechanism (1-1); RMON Groups (1-2); Configuring the RMON Statistics Function (1-3); Configuration Prerequisites (1-3); Configuring the RMON Ethernet Statistics Function (1-4); Configuring the RMON History Statistics Function (1-4); Configuring the RMON Alarm Function (1-5); Configuration Prerequisites (1-5); Configuration Procedure (1-5); Displaying and Maintaining RMON (1-6)...
  • Page 683: Introduction

    RMON Configuration. When configuring RMON, go to these sections for information you are interested in: RMON Overview; Configuring the RMON Statistics Function; Configuring the RMON Alarm Function; Displaying and Maintaining RMON; RMON Configuration Example. RMON Overview. This section covers these topics: Introduction; RMON Groups. Introduction...
  • Page 684: RMON Groups

    Among the RMON groups defined by the RMON specification (RFC 2819), the public MIB implemented on the device supports the event group, alarm group, history group and statistics group. In addition, H3C defines and implements the private alarm group, which enhances the functions of the alarm group. This section describes the five kinds of groups in general.
  • Page 685: Configuring the RMON Statistics Function

    Private alarm group: The private alarm group calculates the values of alarm variables and compares the result with the defined threshold, thereby realizing a more comprehensive alarm function. The system handles the prialarm alarm table entry (as defined by the user) in the following ways: Periodically samples the prialarm alarm variables defined in the prialarm formula.
  • Page 686: Configuring the RMON Ethernet Statistics Function

    Configuring the RMON Ethernet Statistics Function. Follow these steps to configure the RMON Ethernet statistics function:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter Ethernet interface view | interface interface-type interface-number | —
    Create an entry in the RMON statistics table | rmon statistics entry-number [ owner … | Required...
  • Page 687: Configuring the RMON Alarm Function

    Configuring the RMON Alarm Function. Configuration Prerequisites: If you need the managed device to send traps to the NMS when it triggers an alarm event, configure the SNMP agent as described in SNMP Configuration in the System Volume before configuring the RMON alarm function.
  • Page 688: Displaying and Maintaining RMON

    Table 1-1 Restrictions on the configuration of RMON
    Entry | Parameters to be compared | Maximum number of entries that can be created
    Event | Event description (description string), event type (log, trap, logtrap or none) and community name (trap-community or log-trapcommunity) | …
    Alarm | Alarm variable (alarm-variable), sampling interval (sampling-interval), sampling type (absolute or delta), rising threshold (threshold-value1) and falling threshold... | …
  • Page 689 Figure 1-1 Network diagram for RMON. Configuration procedure:
    # Configure RMON to gather statistics for interface GigabitEthernet1/0/1.
    <Sysname> system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon
    [Sysname-GigabitEthernet1/0/1] quit
    # Display RMON statistics for interface GigabitEthernet1/0/1.
    <Sysname> display rmon statistics gigabitethernet 1/0/1
    EtherStatsEntry 1 owned by user1-rmon is VALID.
  • Page 690 Table of Contents: 1 MAC Address Table Management Configuration (1-1); Overview (1-1); How a MAC Address Table Entry Is Created (1-1); Types of MAC Address Table Entries (1-2); MAC Address Table-Based Frame Forwarding (1-2); Configuring MAC Address Table Management (1-3); Configuring MAC Address Table Entries (1-3); Configuring the Aging Timer for Dynamic MAC Address Entries (1-4); Configuring the MAC Learning Limit (1-4); Displaying and Maintaining MAC Address Table Management (1-5)...
  • Page 691: MAC Address Table Management Configuration

    MAC Address Table Management Configuration. When configuring MAC address table management, go to these sections for information you are interested in: Overview; Configuring MAC Address Table Management; MAC Address Table Management Configuration Example. Interfaces that MAC address table management involves can only be Layer 2 Ethernet ports. Overview: A device maintains a MAC address table for frame forwarding.
  • Page 692: Types of MAC Address Table Entries

    …updated when the aging timer expires, it is deleted. If it is updated before the aging timer expires, the aging timer restarts. Manually configuring MAC address entries: With dynamic MAC address learning, a device cannot distinguish illegitimate frames from legitimate ones, which introduces security hazards.
  • Page 693: Configuring MAC Address Table Management

    Figure 1-1 Forward frames using the MAC address table. Configuring MAC Address Table Management: The MAC address table management configuration tasks include: Configuring MAC Address Table Entries; Configuring the Aging Timer for Dynamic MAC Address Entries; Configuring the MAC Learning Limit. These configuration tasks are all optional and order independent.
  • Page 694: Configuring the Aging Timer for Dynamic MAC Address Entries

    Configuring the Aging Timer for Dynamic MAC Address Entries. The MAC address table on your device provides an aging mechanism for dynamic entries to prevent its resources from being exhausted. Set the aging timer appropriately: a long aging interval may cause the MAC address table to retain outdated entries and fail to accommodate the latest network changes;...
  • Page 695: Displaying and Maintaining MAC Address Table Management

    To do… | Use the command… | Remarks
    Configure the MAC learning limit on an Ethernet port, Layer 2 aggregate interface or port group, and configure whether frames with unknown source … | mac-address max-mac-count { count … | Required. The default maximum number of MAC addresses that can be learned is not configured. When the MAC learning limit is...
  • Page 696 Table of Contents: 1 System Maintaining and Debugging (1-1); System Maintaining and Debugging (1-1); Ping (1-1); Introduction (1-1); Configuring Ping (1-1); Ping Configuration Example (1-2); Tracert (1-4); Introduction (1-4); Configuring Tracert (1-4); System Debugging (1-5); Introduction to System Debugging (1-5); Configuring System Debugging (1-5); Ping and Tracert Configuration Example (1-6)...
  • Page 697: System Maintaining And Debugging

    System Maintaining and Debugging. When maintaining and debugging the system, go to these sections for information you are interested in: System Maintaining and Debugging; Ping; Tracert; System Debugging; Ping and Tracert Configuration Example. System Maintaining and Debugging: You can use the ping command and the tracert command to verify the current network connectivity, and use the debug command to enable debugging and thus diagnose system faults based on the debugging information.
  • Page 698: Ping Configuration Example

    For a low-speed network, it is recommended to set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command. Only the address of the directly connected segment can be pinged if the outgoing interface is specified with the -i argument. Ping Configuration Example. Network requirements...
  • Page 699
    PING 1.1.2.2: 56 data bytes, press CTRL_C to break
    Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms
    Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
    Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms
    Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1
    Reply from 1.1.2.2: bytes=56 Sequence=3 ttl=254 time=1 ms
    Record Route: 1.1.2.1 1.1.2.2...
  • Page 700: Tracert

    Upon receiving the reply, the source device adds the IP address (1.1.1.1) of its inbound interface to the RR option. Finally, you can get the detailed information of routes from Device A to Device C: 1.1.1.1 <-> {1.1.1.2; 1.1.2.1} <-> 1.1.2.2. Tracert. Introduction: By using the tracert command, you can trace the Layer 3 devices involved in delivering an IP packet...
  • Page 701: Introduction To System Debugging

    To do… | Use the command… | Remarks
    Enable sending of ICMP timeout packets | ip ttl-expires enable | Required. Disabled by default.
    Enable sending of ICMP destination unreachable packets | ip unreachables enable | Required. Disabled by default.
    Display the routes from source to … | tracert [ -a source-ip | -f first-ttl | -m max-ttl | -p port | -q packet-number | -w timeout ] * | Required...
  • Page 702: Ping And Tracert Configuration Example

    the corresponding debugging function, or use the undo debugging all command to disable all the debugging functions. Output of debugging information is related to the configurations of the information center and the debugging commands of each protocol and functional module. Displaying the debugging information on a terminal (including console or VTY) is a common way to output debugging information.
  • Page 703 Figure 1-4 Ping and tracert network diagram. Configuration procedure: # Use the ping command to display whether an available route exists between Device A and Device C.
    <DeviceA> ping 1.1.2.2
    PING 1.1.2.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out...
  • Page 704 Table of Contents: 1 Information Center Configuration (1-1); Information Center Overview (1-1); Introduction to Information Center (1-1); System Information Format (1-5); Configuring Information Center (1-7); Information Center Configuration Task List (1-7); Outputting System Information to the Console (1-7); Outputting System Information to a Monitor Terminal (1-8); Outputting System Information to a Log Host (1-9); Outputting System Information to the Trap Buffer (1-10); Outputting System Information to the Log Buffer (1-11)...
  • Page 705: Information Center Configuration

    Information Center Configuration. When configuring the information center, go to these sections for information you are interested in: Information Center Configuration; Configuring Information Center; Displaying and Maintaining Information Center; Information Center Configuration Examples. Information Center Overview. Introduction to Information Center: Acting as the system information hub, the information center classifies and manages system information, offering powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 706 Figure 1-1 Information center diagram (default): system information (log, trap and debug information) is sent through an information channel to an output destination. The output destinations are the console, monitor terminal, log host, trap buffer, log buffer, SNMP agent and syslog; the default channel names are console, monitor, loghost, trapbuffer, logbuffer, snmpagent, and channel6 through channel9. By default, the information center is enabled. An enabled information center affects system performance to some degree because of information classification and output.
  • Page 707 Table 1-1 Severity description
    Severity | Severity value | Description
    Emergency | 0 | The system is unusable.
    Alert | 1 | Action must be taken immediately.
    Critical | 2 | Critical conditions.
    Error | 3 | Error conditions.
    Warning | 4 | Warning conditions.
    Notice | 5 | Normal but significant condition.
    Informational | 6 | Informational messages.
    Debug | 7 | Debug-level messages.
    Seven output destinations and ten channels of system information. The system supports seven information output destinations, including the console, monitor terminal (monitor), log buffer, log host, trap buffer, SNMP module and syslog.
  • Page 708
    Information channel number | Default channel name | Default output destination | Description
    … | channel8 | Not specified | Receives log, trap, and debugging information.
    … | channel9 | Not specified | Receives log, trap, and debugging information.
    Configurations for the seven output destinations function independently and take effect only after the information center is enabled.
  • Page 709: System Information Format

    Output destination | Modules allowed | LOG (Enabled/disabled, Severity) | TRAP (Enabled/disabled, Severity) | DEBUG (Enabled/disabled, Severity)
    Log host | default (all modules) | Enabled, Informational | Enabled, Debug | Disabled, Debug
    Trap buffer | default (all modules) | Disabled, Informational | Enabled, Warning | Disabled, Debug
    Log buffer | default (all modules) | Enabled, Warning...
  • Page 710 Int_16 (priority): The priority is calculated using the formula facility*8+severity, where facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges from local0 to local7 (16 to 23 in decimal) and defaults to local7. The facility is mainly used to mark different log sources on the log host, and to query and filter the logs of the corresponding log source.
  • Page 711: Configuring Information Center

    If the timestamp starts with a *, the information is debugging information. source: This field indicates the source of the information, such as the slot number or the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. content: This field provides the content of the system information.
  • Page 712: Outputting System Information To A Monitor Terminal

    To do… | Use the command… | Remarks
    Configure the format of the time stamp | info-center timestamp { debugging | log | trap } { boot | date | none } | Optional. The time stamp format for log, trap and debugging information is date by default.
  • Page 713: Outputting System Information To A Log Host

    To do… | Use the command… | Remarks
    Configure the output rules of the system information | info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log … | Optional. Refer to Default output rules of system information.
  • Page 714: Outputting System Information To The Trap Buffer

    To do… | Use the command… | Remarks
    Specify a log host and configure the parameters | info-center loghost host-ip [ port port-number ] [ channel { channel-number | … | Required. By default, the system does not output information to a log host. If you specify to output system information to a log host, the system uses channel 2 when...
  • Page 715: Outputting System Information To The Log Buffer

    To do… | Use the command… | Remarks
    Configure the channel through which system information can be output to the trap buffer and specify the buffer size | info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] * | Optional. By default, system information is output to the trap buffer through channel 3 (known as...
  • Page 716: Outputting System Information to the SNMP Module

    To do… | Use the command… | Remarks
    Configure the output rules of the system information | info-center source { module-name | default } channel { channel-number | channel-name } [ debug { level severity | state state } * | log … | Optional. Refer to Default output rules of system information.
  • Page 717: Configuring Synchronous Information Output

    To do… Use the command… Remarks Optional info-center timestamp Configure the format of the The time stamp format for log, { debugging | log | trap } timestamp trap and debugging information { boot | date | none } is date by default. Configuring Synchronous Information Output Synchronous information output refers to the feature that if the user’s input is interrupted by system output such as log, trap, or debugging information, then after the completion of system output the...
  • Page 718: Displaying And Maintaining Information Center

    To do… | Use the command… | Remarks
    Enter interface view | interface interface-type interface-number | —
    Disable the port from generating link up/down logging information | undo enable log updown | Required. By default, all ports are allowed to generate link up/down logging information when the port state changes.
  • Page 719 Figure 1-2 Network diagram for outputting log information to a Unix log host. Configuration procedure: Before the configuration, make sure that there is a route between Device and PC. Configure the device.
    # Enable information center.
    <Sysname> system-view
    [Sysname] info-center enable
    # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility.
  • Page 720: Outputting Log Information To A Linux Log Host

    In the above configuration, local4 is the name of the logging facility used by the log host to receive logs. info is the information level. The Unix system will record the log information with severity level equal to or higher than informational to file /var/log/Device/info.log. Be aware of the following issues while editing file /etc/syslog.conf: Comments must be on a separate line and begin with the # sign.
  • Page 721
    # Disable the output of log, trap, and debugging information of all modules on channel loghost.
    [Sysname] info-center source default channel loghost debug state off log state off trap state
    As the default system configurations for different channels differ, you need to first disable the output of log, trap, and debugging information of all modules on the specified channel (loghost in this example) and then configure the output rule as needed, so that unnecessary information is not output.
  • Page 722: Outputting Log Information To The Console

    # syslogd -r &
    Ensure that the syslogd process is started with the -r option on a Linux log host. After the above configurations, the system will be able to record log information into the log file. Outputting Log Information to the Console. Network requirements: Log information with a severity higher than informational will be output to the console;...
  • Page 723
    # Enable the display of log information on a terminal. (Optional, this function is enabled by default.)
    <Sysname> terminal monitor
    Info: Current terminal monitor is on.
    <Sysname> terminal logging
    Info: Current terminal logging is on.
    After the above configuration takes effect, if the specified module generates log information, the information center automatically sends the log information to the console, which then displays it.
  • Page 724 Table of Contents: 1 Track Configuration (1-1); Track Overview (1-1); Collaboration Between the Track Module and the Detection Modules (1-1); Collaboration Between the Track Module and the Application Modules (1-2); Track Configuration Task List (1-2); Configuring Collaboration Between the Track Module and the Detection Modules (1-2); Configuring Collaboration Between the Track Module and the Interface Management Module (1-2); Configuring Collaboration Between the Track Module and the Application Modules (1-3); Configuring Track-VRRP Collaboration (1-3)...
  • Page 725: Track Overview

    Track Configuration. When configuring Track, go to these sections for information you are interested in: Track Overview; Track Configuration Task List; Configuring Collaboration Between the Track Module and the Detection Modules; Configuring Collaboration Between the Track Module and the Application Modules; Displaying and Maintaining Track Objects; Track Configuration Examples. Track Overview...
  • Page 726: Collaboration Between The Track Module And The Application Modules

    At present, the only detection module is the interface management module. The interface management module monitors the physical status or the Layer 3 protocol status of an interface. When the physical status or the Layer 3 protocol status of an interface is up, the status of the Track object is Positive;...
  • Page 727: Configuring Collaboration Between The Track Module And The Application Modules

    To do… / Use the command… / Remarks
    - Create a Track object and associate it with the interface management module to monitor the physical status of an interface: track track-entry-number interface interface-type interface-number (Required; use either approach)
    - Create a Track object and associate it with the interface management module to monitor the Layer 3 protocol status of an interface: track track-entry-number interface interface-type...
  • Page 728: Configuring Track-Static Routing Collaboration

    To do… / Use the command… / Remarks
    - Enter interface view: interface interface-type interface-number
    - Create a VRRP group and configure its virtual IP address: vrrp vrid virtual-router-id virtual-ip virtual-address (Required; no VRRP group is created by default)
    - Specify a Track object to be tracked by the VRRP group: vrrp vrid virtual-router-id track track-entry-number [ reduced … (Required; no Track object is specified for...
  • Page 729: Displaying And Maintaining Track Objects

    To do… / Use the command… / Remarks
    - Configure Track-Static Routing collaboration, so as to check the reachability of the next hop of the static route: ip route-static dest-address { mask | mask-length } next-hop-address track track-entry-number [ preference preference-value ] [ description description-text ] (Required; not configured by default)
    For the configuration of Track-Static Routing collaboration, the specified static route can be an...
  • Page 730
    When Switch A works normally, packets from Host A to Host B are forwarded through Switch A. When the interface management module reports a fault on the uplink of Switch A to VRRP, packets from Host A to Host B are forwarded through Switch B.
    Figure 1-2 Network diagram for VRRP, Track and the Interface Management Module collaboration configuration
    Virtual IP address:...
  • Page 731 [SwitchA-Vlan-interface2] vrrp vrid 1 track 1 reduced 30 Configure VRRP on Switch B. <SwitchB> system-view [SwitchB] interface vlan-interface 2 # Create VRRP group 1, and configure the virtual IP address 10.1.1.10 for the group. [SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.10 # Set the authentication mode of VRRP group 1 to simple, and the authentication key to hello.
  • Page 732
    Virtual IP : 10.1.1.10
    Master IP : 10.1.1.1
    The output above shows that in VRRP group 1, Switch A is the master and Switch B is a backup. Packets from Host A to Host B are forwarded through Switch A. When there is a fault on the link between Switch A and Switch C, Host B can still be pinged successfully from Host A.
  • Page 733: Static Routing, Track And The Interface Management Module Collaboration Configuration Example

    Static Routing, Track and the Interface Management Module Collaboration Configuration Example Network requirements As shown in Figure 1-3, the next hop of the static route from Switch A to Switch C is Switch B. Configure Static Routing, Track and the Interface Management Module collaboration on Switch A to implement real-time monitoring of the validity of the static route to Switch C.
  • Page 734
    Destinations : 5        Routes : 5
    Destination/Mask    Proto   Pre  Cost  NextHop     Interface
    10.1.1.0/24         Static  60         10.2.1.1    Vlan3
    10.2.1.0/24         Direct  0          10.2.1.2    Vlan3
    10.2.1.2/32         Direct  0          127.0.0.1   InLoop0
    127.0.0.0/8         Direct  0          127.0.0.1   InLoop0
    127.0.0.1/32        Direct  0          127.0.0.1   InLoop0
    The output above reflects the detection result of the interface management module: the next hop 10.2.1.1 is reachable (the status of the Track object is Positive), and the configured static route is valid.
  • Page 735 Table of Contents 1 NTP Configuration ·····································································································································1-1 NTP Overview ·········································································································································1-1 Applications of NTP ·························································································································1-1 Advantages of NTP ·························································································································1-1 How NTP Works ······························································································································1-2 NTP Message Format ·····················································································································1-3 Operation Modes of NTP·················································································································1-4 NTP Configuration Task List ···················································································································1-6 Configuring the Operation Modes of NTP·······························································································1-6 Configuring NTP Client/Server Mode ······························································································1-7 Configuring the NTP Symmetric Peers Mode ·················································································1-8 Configuring NTP Broadcast Mode···································································································1-9...
  • Page 736: Ntp Configuration

    NTP Configuration When configuring NTP, go to these sections for information you are interested in: NTP Overview NTP Configuration Task List Configuring the Operation Modes of NTP Configuring Optional Parameters of NTP Configuring Access-Control Rights Configuring NTP Authentication Displaying and Maintaining NTP NTP Configuration Examples NTP Overview Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed...
  • Page 737: How Ntp Works

    NTP can unicast, multicast or broadcast protocol messages. How NTP Works Figure 1-1 shows the basic workflow of NTP. Device A and Device B are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP.
  • Page 738: Ntp Message Format

    This is only a rough description of how NTP works. For details, refer to RFC 1305. NTP Message Format NTP uses two types of messages: clock synchronization messages and NTP control messages. An NTP control message is used in environments where network management is needed. As it is not required for clock synchronization, it is not discussed in this document.
  • Page 739: Operation Modes Of Ntp

    - Poll: an 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages.
    - Precision: an 8-bit signed integer indicating the precision of the local clock.
    - Root Delay: roundtrip delay to the primary reference source.
    - Root Dispersion: the maximum error of the local clock relative to the primary reference source.
    - Reference Identifier: identifier of the particular reference source.
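    The following Python example is added here and is not code from the H3C manual or from Comware. It packs and parses the 48-byte clock synchronization header whose fields are listed above, converts the 64-bit NTP timestamps (32-bit seconds since 1 January 1900 plus a 32-bit fraction, the format printed in the Reference time lines of the display output later in this chapter) to UTC, and computes the clock offset and round-trip delay that the "How NTP Works" section derives from the four timestamps T1 to T4. The mode-4 reply at the bottom is constructed for this example; its reference ID 1.0.1.11 and timestamp C6D95647.153F7CED are the values shown in the configuration examples of this chapter.

```python
"""NTP clock-synchronisation header (RFC 1305) packer, parser and timestamp helpers.

Added example; it is not code from the H3C manual. The packet below is constructed.
"""
import socket
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# LI/VN/Mode, Stratum, Poll, Precision, Root Delay, Root Dispersion,
# Reference Identifier, then Reference/Originate/Receive/Transmit timestamps.
HEADER_FMT = "!BBbbIIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48 bytes


def ntp_ts_to_datetime(ts):
    """64-bit NTP timestamp (32-bit seconds . 32-bit fraction) to an aware UTC datetime."""
    secs, frac = ts >> 32, ts & 0xFFFFFFFF
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=round(frac * 1_000_000 / 2**32))


def ntp_ts_to_seconds(ts):
    """Same timestamp as a float number of seconds since the NTP epoch."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / 2**32


def reference_id_to_str(stratum, ref_id):
    """Stratum 0/1 carry a four-character ASCII source name; higher strata carry the
    IPv4 address of the server the clock is synchronised to."""
    raw = struct.pack("!I", ref_id)
    if stratum <= 1:
        return raw.decode("ascii", errors="replace").rstrip("\x00")
    return socket.inet_ntoa(raw)


def build_header(mode, stratum=0, vn=3, poll=6, precision=-18, ref_id=0,
                 ref_ts=0, orig_ts=0, recv_ts=0, xmit_ts=0, li=0):
    """Pack a header; root delay and root dispersion are left at zero for brevity."""
    return struct.pack(HEADER_FMT, (li << 6) | (vn << 3) | mode, stratum, poll,
                       precision, 0, 0, ref_id, ref_ts, orig_ts, recv_ts, xmit_ts)


def parse_header(data):
    """Unpack the fixed 48-byte header into a dict; rejects short packets."""
    if len(data) < HEADER_LEN:
        raise ValueError("NTP packet shorter than %d bytes" % HEADER_LEN)
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {
        "li": li_vn_mode >> 6,
        "vn": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 2**16,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 2**16,
        "reference_id": reference_id_to_str(stratum, ref_id),
        "reference_ts": ref_ts,
        "originate_ts": orig_ts,
        "receive_ts": recv_ts,
        "transmit_ts": xmit_ts,
    }


def offset_and_delay(t1, t2, t3, t4):
    """RFC 1305 clock offset and round-trip delay from the four timestamps (seconds):
    T1 client transmit, T2 server receive, T3 server transmit, T4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


if __name__ == "__main__":
    # Constructed mode-4 (server) reply: stratum 3, synchronised to 1.0.1.11,
    # transmit timestamp C6D95647.153F7CED (15:22:47.083 UTC, 19 Sep 2005).
    reply = build_header(mode=4, stratum=3, ref_id=0x0100010B,
                         xmit_ts=0xC6D95647153F7CED)
    hdr = parse_header(reply)
    print(hdr["mode"], hdr["stratum"], hdr["reference_id"])
    print(ntp_ts_to_datetime(hdr["transmit_ts"]).isoformat())
    print(offset_and_delay(1.000, 2.000, 2.500, 2.000))
```

    The parser checks only the length; a client that synchronizes from such replies must additionally check that the mode is 4 (or 2 for a symmetric passive peer), that the stratum is neither 0 nor 16, and that the originate timestamp echoes the transmit timestamp of its own request, otherwise an unsolicited packet from any host on the segment is accepted as a server reply.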
  • Page 740 Figure 1-4 Symmetric peers mode A device working in the symmetric active mode periodically sends clock synchronization messages, with the Mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric passive).
  • Page 741: Ntp Configuration Task List

    Figure 1-6 Multicast mode (server and client across a network): the server periodically multicasts clock synchronization messages (Mode 5). After receiving the first multicast message, the client sends a request and exchanges clock synchronization messages with the server (Mode 3 and Mode 4) to calculate the network delay between the client and the server, then enters the multicast client mode. The server periodically multicasts clock...
  • Page 742: Configuring Ntp Client/Server Mode

    Client/server mode Symmetric mode Broadcast mode Multicast mode For the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; for the broadcast or multicast mode, you need to configure both servers and clients. A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 743: Configuring The Ntp Symmetric Peers Mode

    In the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. When the source interface for NTP messages is specified by the source-interface argument, the source IP address of the NTP messages will be configured as the primary IP address of the specified interface.
  • Page 744: Configuring Ntp Broadcast Mode

    Configuring NTP Broadcast Mode The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in NTP broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadcast mode, you need to configure both the server and clients. Because an interface needs to be specified on the broadcast server for sending NTP broadcast messages and an interface also needs to be specified on each broadcast client for receiving broadcast messages, the NTP broadcast mode can be configured only in the specific interface view.
  • Page 745: Configuring Optional Parameters Of Ntp

    Configuring a multicast client
    To do… / Use the command… / Remarks
    - Enter system view: system-view
    - Enter the interface used to receive NTP multicast messages: interface interface-type interface-number (enters interface view)
    - Configure the device to work in the NTP multicast client mode: ntp-service multicast-client [ ip-address ] (Required)
    Configuring the multicast server
    To do…...
  • Page 746: Disabling An Interface From Receiving Ntp Messages

    To do… / Use the command… / Remarks
    - Specify the source interface for NTP messages: ntp-service source-interface interface-type interface-number (Required. By default, no source interface is specified for NTP messages, and the system uses the IP address of the interface determined by the matching route as the source IP address of NTP messages.)
  • Page 747: Configuring Access-Control Rights

    Configuring Access-Control Rights
    With the following command, you can configure the access-control right that peer devices have to the NTP service on the local device. There are four access-control rights, as follows:
    - query: control query permitted. This level of right permits peer devices to perform control queries on the NTP service of the local device, but does not permit a peer device to synchronize its clock to that of the local device.
  • Page 748: Configuring Ntp Authentication

    Configuring NTP Authentication
    NTP authentication should be enabled on a system running NTP in a network with high security requirements. The feature improves security by authenticating the key shared between client and server, so that a client will not synchronize to a device that fails authentication. Configuration Prerequisites The configuration of NTP authentication involves configuration tasks on both the client and the server.
  • Page 749
    To do… / Use the command… / Remarks
    - Associate the specified key with an NTP server
      Client/server mode: ntp-service unicast-server { ip-address | server-name } authentication-keyid keyid
      Symmetric peers mode: ...
      Required. You can associate a non-existing key with an NTP server. To enable NTP authentication, you must configure the key and specify it as a trusted key after...
  • Page 750: Displaying And Maintaining Ntp

    The procedure for configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and the client.
    Displaying and Maintaining NTP
    To do… / Use the command… / Remarks
    - View the NTP service status information: display ntp-service status...
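    To show what the two-step key configuration (configure the key, then mark it trusted) and the "same key on both sides" requirement amount to on the wire, here is an added Python example, not code from the manual or from Comware. It appends and verifies the classic NTP MD5 authenticator: a 4-byte key ID followed by the 16-byte MD5 of the key prepended to the 48-byte header, as in RFC 1305 Appendix C. Key ID 42 with key aNiceKey is borrowed from the authentication example later in this chapter; the packets are constructed. The verifier rejects a packet whose key is configured but not marked trusted, which is the failure you see when the ntp-service reliable authentication-keyid step is forgotten.

```python
"""NTP MD5 authenticator: append and verify key-ID + MD5(key || header).

Added example, not from the H3C manual; it models the configured-key / trusted-key
split of ntp-service authentication-keyid and ntp-service reliable authentication-keyid.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header
KEY_ID_LEN = 4
DIGEST_LEN = 16          # MD5


class NtpKeyring:
    """Keys the device knows, and the subset it is willing to accept (trusted)."""

    def __init__(self):
        self.keys = {}       # key id -> key bytes
        self.trusted = set()

    def add_key(self, key_id, key):
        """ntp-service authentication-keyid <id> authentication-mode md5 <key>"""
        self.keys[key_id] = key.encode() if isinstance(key, str) else bytes(key)

    def trust(self, key_id):
        """ntp-service reliable authentication-keyid <id>"""
        if key_id not in self.keys:
            raise KeyError("key %d must be configured before it can be trusted" % key_id)
        self.trusted.add(key_id)

    def _digest(self, key_id, header):
        # Classic NTP MAC: MD5 over the key followed by the 48-byte header.
        return hashlib.md5(self.keys[key_id] + header).digest()

    def sign(self, header, key_id):
        """Return header + key id + digest, as sent to a peer that was associated
        with this key via ... authentication-keyid <id>."""
        if len(header) != HEADER_LEN:
            raise ValueError("expected a %d-byte NTP header" % HEADER_LEN)
        if key_id not in self.keys:
            raise KeyError("key %d is not configured" % key_id)
        return header + struct.pack("!I", key_id) + self._digest(key_id, header)

    def verify(self, packet):
        """Return (accepted, reason). The header is accepted only when the key id is
        configured, marked trusted, and the digest matches."""
        if len(packet) < HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
            return False, "no authenticator"
        header = packet[:HEADER_LEN]
        (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])
        digest = packet[HEADER_LEN + KEY_ID_LEN:HEADER_LEN + KEY_ID_LEN + DIGEST_LEN]
        if key_id not in self.keys:
            return False, "unknown key id %d" % key_id
        if key_id not in self.trusted:
            return False, "key id %d is configured but not trusted" % key_id
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(self._digest(key_id, header), digest):
            return False, "digest mismatch"
        return True, "ok"


def client_request():
    """Minimal constructed mode-3 (client) request: LI=0, VN=3, Mode=3, rest zero."""
    return bytes([0x1B]) + bytes(HEADER_LEN - 1)


def demo():
    """Run the accept/reject cases and return their outcomes keyed by case name."""
    server, client = NtpKeyring(), NtpKeyring()
    for ring in (server, client):
        ring.add_key(42, "aNiceKey")
    server.trust(42)
    packet = client.sign(client_request(), 42)
    results = {"good": server.verify(packet)[0]}
    tampered = bytearray(packet)
    tampered[1] ^= 0x01                      # flip a bit in the stratum field
    results["tampered"] = server.verify(bytes(tampered))[0]
    rogue = NtpKeyring()
    rogue.add_key(42, "guessedKey")          # same key id, wrong key
    results["wrong_key"] = server.verify(rogue.sign(client_request(), 42))[0]
    server.add_key(43, "otherKey")           # configured on the server but never trusted
    client.add_key(43, "otherKey")
    results["untrusted_key"] = server.verify(client.sign(client_request(), 43))[0]
    results["unauthenticated"] = server.verify(client_request())[0]
    return results


if __name__ == "__main__":
    print(demo())
```

    Two practical caveats follow from the format: the key itself is never on the wire, but it sits in cleartext in the device configuration, so a short key such as the 123456 used as a placeholder in the broadcast example later in this chapter is guessable from a captured packet offline; and MD5 is the only keyed-hash mode this release offers, so a long random key is the only hardening available here.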
  • Page 751: Configuring The Ntp Symmetric Mode

    Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000) # Specify Device A as the NTP server of Device B so that Device B is synchronized to Device A. <DeviceB> system-view [DeviceB] ntp-service unicast-server 1.0.1.11 # View the NTP status of Device B after clock synchronization.
  • Page 752
    Figure 1-8 Network diagram for NTP symmetric peers mode configuration
    Configuration procedure
    Configuration on Device B:
    # Specify Device A as the NTP server of Device B.
    <DeviceB> system-view
    [DeviceB] ntp-service unicast-server 3.0.1.31
    # View the NTP status of Device B after clock synchronization.
    [DeviceB] display ntp-service status
    Clock status: synchronized
    Clock stratum: 3...
  • Page 753: Configuring Ntp Broadcast Mode

    Actual frequency: 100.0000 Hz
    Clock precision: 2^18
    Clock offset: -21.1982 ms
    Root delay: 15.00 ms
    Root dispersion: 775.15 ms
    Peer dispersion: 34.29 ms
    Reference time: 15:22:47.083 UTC Sep 19 2005 (C6D95647.153F7CED)
    As shown above, Device C has been synchronized to Device B; the clock stratum level of Device C is 4, while that of Device B is 3.
  • Page 754: Configuring Ntp Multicast Mode

    [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server Configuration on Switch D: # Configure Switch D to work in the broadcast client mode and receive broadcast messages on VLAN-interface 2. <SwitchD> system-view [SwitchD] interface vlan-interface 2 [SwitchD-Vlan-interface2] ntp-service broadcast-client Configuration on Switch A: # Configure Switch A to work in the broadcast client mode and receive broadcast messages on VLAN-interface 3.
  • Page 755
    Switch C works in the multicast server mode and sends out multicast messages from VLAN-interface 2. Switch D works in the multicast client mode and receives multicast messages through VLAN-interface 2.
    Figure 1-10 Network diagram for NTP multicast mode configuration
    Configuration procedure
    Configuration on Switch C:
    # Configure Switch C to work in the multicast server mode and send multicast messages through...
  • Page 756: Configuring Ntp Client/Server Mode With Authentication

    Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 3, while that of Switch C is 2. # View the NTP session information of Switch D, which shows that an association has been set up between Switch D and Switch C.
  • Page 757: Configuring Ntp Broadcast Mode With Authentication

    [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key as a trusted key. [DeviceA] ntp-service reliable authentication-keyid 42 # View the NTP status of Device B after clock synchronization. [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz...
  • Page 758 Figure 1-12 Network diagram for configuration of NTP broadcast mode with authentication Configuration procedure Configuration on Switch C: # Configure NTP authentication. [SwitchC] ntp-service authentication enable [SwitchC] ntp-service authentication-keyid 88 authentication-mode md5 123456 [SwitchC] ntp-service reliable authentication-keyid 88 # Specify Switch C as an NTP broadcast server, and specify an authentication key. [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server authentication-keyid 88 Configuration on Switch D:...
  • Page 759 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time: 16:01:51.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 4, while that of Switch C is 3.
  • Page 760 Table of Contents 1 VRRP Configuration ··································································································································1-1 VRRP Overview ······································································································································1-1 VRRP Standard Protocol Mode ··············································································································1-2 Introduction to VRRP Group············································································································1-2 VRRP Timers···································································································································1-3 Packet Format ·································································································································1-4 Principles of VRRP ··························································································································1-5 VRRP Tracking································································································································1-5 VRRP Application ····························································································································1-6 Configuring VRRP for IPv4 ·····················································································································1-7 VRRP for IPv4 Configuration Task List ···························································································1-7 Configuring the Association Between Virtual IP Address and MAC Address ·································1-8 Creating VRRP Group and Configuring Virtual IP Address ····························································1-8 Configuring Router Priority, Preemptive Mode and Tracking Function···········································1-9...
  • Page 761: Vrrp Configuration

    VRRP Configuration When configuring VRRP, go to these sections for information you are interested in: VRRP Overview VRRP Standard Protocol Mode Configuring VRRP for IPv4 IPv4-Based VRRP Configuration Examples Troubleshooting VRRP The term router in this document refers to a router in a generic sense or a Layer 3 switch. At present, the interfaces that VRRP involves can only be VLAN interfaces.
  • Page 762: Vrrp Standard Protocol Mode

    The S5810 series switches support VRRPv2, which works in standard protocol mode as defined in the RFCs. VRRPv2 is based on IPv4.
  • Page 763: Vrrp Timers

    The IP address of the virtual router can be either an unused IP address on the segment where the VRRP group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router is called the IP address owner. In a VRRP group, you can configure only one IP address owner.
  • Page 764: Packet Format

    VRRP advertisement interval timer The master in a VRRP group sends VRRP advertisements periodically to inform the other routers in the VRRP group that it operates properly. You can adjust the interval for sending VRRP advertisements by setting the VRRP advertisement interval timer.
  • Page 765: Vrrp Tracking

    Authentication Data: Authentication key. Currently, this field is used only for simple authentication and is 0 for any other authentication modes. Principles of VRRP With VRRP enabled, the routers decide their respective roles in the VRRP group by priority. The router with the highest priority becomes the master, and the others are the backups.
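    The following Python example is added here and is not code from the H3C manual or from Comware. It builds and parses a VRRPv2 advertisement laid out as in the Packet Format section (version/type, VRID, priority, IP address count, authentication type, advertisement interval, checksum, the virtual IP addresses and the 8-byte Authentication Data field), verifies the Internet checksum, and applies the election rule stated under "Principles of VRRP" (highest priority wins; RFC 3768 breaks a tie in favour of the higher primary IP address), including the priority reduction that a vrrp vrid ... track ... reduced configuration applies when the tracked interface goes down. VRID 1, the virtual address 202.38.160.111, the priorities 110 and 100 and the simple-authentication key hello are taken from the configuration examples later in this chapter; the packets are constructed, and the clamp of a reduced priority at 1 is an assumption of this example, not a documented platform rule. The parser also makes the security point of the Authentication Data field explicit: with simple authentication the key is readable by anyone on the VLAN, who can then inject a higher-priority advertisement.

```python
"""VRRPv2 advertisement builder/parser and master election.

Added example; not code from the H3C manual. Packets below are constructed.
"""
import ipaddress
import struct

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE = 0, 1        # authentication type values (RFC 2338)
AUTH_DATA_LEN = 8
FIXED_FMT = "!BBBBBBH"               # ver/type, vrid, priority, count, auth type, adver int, checksum


def internet_checksum(data):
    """Standard ones'-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, virtual_ips, adver_int=1, simple_key=None):
    """Return a VRRPv2 advertisement. A simple_key (up to 8 bytes) selects simple
    authentication and is copied, unencrypted, into the Authentication Data field."""
    auth_type = AUTH_SIMPLE if simple_key is not None else AUTH_NONE
    auth_data = (simple_key or "").encode()[:AUTH_DATA_LEN].ljust(AUTH_DATA_LEN, b"\x00")
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    fixed = struct.pack(FIXED_FMT, (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT, vrid,
                        priority, len(virtual_ips), auth_type, adver_int, 0)
    body = fixed + addrs + auth_data
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def parse_advertisement(packet):
    """Parse and validate; raises ValueError on a bad version/type, length or checksum."""
    if len(packet) < struct.calcsize(FIXED_FMT) + AUTH_DATA_LEN:
        raise ValueError("VRRP packet too short")
    if internet_checksum(packet) != 0:
        raise ValueError("VRRP checksum mismatch")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(
        FIXED_FMT, packet[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(packet) < 8 + 4 * count + AUTH_DATA_LEN:
        raise ValueError("VRRP packet truncated")
    ips = [str(ipaddress.IPv4Address(packet[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = packet[8 + 4 * count:8 + 4 * count + AUTH_DATA_LEN]
    return {
        "vrid": vrid, "priority": priority, "adver_int": adver_int,
        "auth_type": auth_type, "virtual_ips": ips,
        # With simple authentication the key is readable by anyone on the segment.
        "auth_key": auth_data.rstrip(b"\x00").decode("ascii", "replace")
                    if auth_type == AUTH_SIMPLE else None,
    }


def running_priority(config_priority, track_negative, reduced):
    """Priority after 'vrrp vrid ... track <n> reduced <value>' takes effect.
    The IP address owner keeps 255; the floor of 1 is an assumption of this example."""
    if config_priority == 255 or not track_negative:
        return config_priority
    return max(1, config_priority - reduced)


def elect_master(routers):
    """routers: iterable of (name, running_priority, primary_ip).
    Highest priority wins; ties go to the numerically higher primary IP (RFC 3768)."""
    return max(routers, key=lambda r: (r[1], int(ipaddress.IPv4Address(r[2]))))[0]


if __name__ == "__main__":
    adv = build_advertisement(1, 110, ["202.38.160.111"], simple_key="hello")
    print(parse_advertisement(adv))
    pri_a = running_priority(110, track_negative=True, reduced=30)   # uplink down -> 80
    print(elect_master([("SwitchA", pri_a, "202.38.160.1"),
                        ("SwitchB", 100, "202.38.160.2")]))
```

    Run against the interface-tracking example of this chapter, Switch A wins with 110 while its uplink is up and loses to Switch B (100) once the tracked interface goes down and its running priority drops to 80, which is exactly the transition the display vrrp verbose output on the following pages records. Because any host on VLAN 2 can build the same advertisement with priority 254 and the sniffed key, treat VRRP authentication as a misconfiguration guard, not an access control; isolate the VLAN instead.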
  • Page 766: Vrrp Application

    For details of Track object tracking, refer to Track Configuration in the System Volume. VRRP Application Master/backup In master/backup mode, only one router, the master, provides services. When the master fails, a new master is elected from the original backups. This mode requires only one VRRP group, in which each router holds a different priority and the one with the highest priority becomes the master, as shown in Figure 1-4.
  • Page 767: Configuring Vrrp For Ipv4

    Figure 1-5 VRRP in load sharing mode (Router A, Router B and Router C each serve as master in one of VRRP groups 1, 2 and 3 and as backup in the other two; Host A, Host B and Host C sit on the shared network). A router can be in multiple VRRP groups and hold a different priority in each group. In Figure 1-5, three VRRP groups are present: VRRP group 1: Router A is the master;...
  • Page 768: Configuring The Association Between Virtual Ip Address And Mac Address

    Configuring the Association Between Virtual IP Address and MAC Address After the virtual IP address of a VRRP group is associated with a MAC address, the master uses the configured MAC address as the source MAC address of the packets it sends. Hosts on the internal network thus learn the mapping between the virtual IP address and that MAC address, and forward traffic destined for other network segments to the master.
  • Page 769: Configuring Router Priority, Preemptive Mode And Tracking Function

    VRRP group default. For the S5810 series, the maximum number of VRRP groups on a switch is 16; and the maximum number of virtual IP addresses for a VRRP group is 6. A VRRP group is removed after you remove all the virtual IP addresses in it. In addition, configurations on that VRRP group no longer take effect.
  • Page 770: Configuring Vrrp Packet Attributes

    To do… / Use the command… / Remarks
    - Enter system view: system-view
    - Enter interface view: interface interface-type interface-number
    - Configure router priority in the VRRP group: vrrp vrid virtual-router-id priority priority-value (Optional; 100 by default)
    - Configure the router in the VRRP group to work in…: vrrp vrid virtual-router-id… (Optional; the router in the VRRP group...
  • Page 771: Enabling The Trap Function Of Vrrp

    To do… / Use the command… / Remarks
    - Configure the authentication mode and authentication key used when the VRRP groups send and receive VRRP packets: vrrp vrid virtual-router-id authentication-mode { md5 | simple } key (Optional; authentication is not performed by default)
    - Configure the time interval for the Master in the VRRP group…: vrrp vrid virtual-router-id timer...
  • Page 772: Displaying And Maintaining Vrrp For Ipv4

    Displaying and Maintaining VRRP for IPv4
    To do… / Use the command… / Remarks
    - Display VRRP group status: display vrrp [ verbose ] [ interface interface-type interface-number [ vrid virtual-router-id ] ] (Available in any view)
    - Display VRRP group statistics: display vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ]...
  • Page 773 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 202.38.160.1 255.255.255.0 # Create VRRP group 1 and set its virtual IP address to be 202.38.160.111. [SwitchA-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set the priority of Switch A in VRRP group 1 to 110. [SwitchA-Vlan-interface2] vrrp vrid 1 priority 110 # Set Switch A to work in preemptive mode.
  • Page 774
    Run Method : Virtual MAC
    Total number of virtual routers : 1
    Interface Vlan-interface2
      VRID                     Adver Timer
      Admin Status : Up        State : Backup
      Config Pri : 100         Running Pri : 100
      Preempt Mode : Yes       Delay Time
      Auth Type : None
      Virtual IP : 202.38.160.111...
  • Page 775
    Figure 1-7 Network diagram for VRRP interface tracking (virtual IP address 202.38.160.111/24; Switch A: Vlan-int2 202.38.160.1/24 and Vlan-int3 203.2.3.1/24 towards the Internet; Switch B: Vlan-int2 202.38.160.2/24; Host A 202.38.160.3/24; Host B reached across the Internet)
    Configuration procedure
    Configure Switch A
    # Configure VLAN 2.
    <SwitchA> system-view
    [SwitchA] vlan 2
    [SwitchA-vlan2] port gigabitethernet 1/0/5
    [SwitchA-vlan2] quit
    [SwitchA] interface vlan-interface 2...
  • Page 776 [SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Configure the authentication mode of the VRRP group as simple and authentication key as hello. [SwitchB-Vlan-interface2] vrrp vrid 1 authentication-mode simple hello # Set the interval for Master to send VRRP advertisement to five seconds. [SwitchB-Vlan-interface2] vrrp vrid 1 timer advertise 5 Verify the configuration After the configuration, Host B can be pinged successfully on Host A.
  • Page 777
    # If VLAN-interface 3 on Switch A is not available, the detailed information of VRRP group 1 on Switch A is displayed as follows.
    [SwitchA-Vlan-interface2] display vrrp verbose
    IPv4 Standby Information:
    Run Mode : Standard
    Run Method : Virtual MAC
    Total number of virtual routers : 1
    Interface Vlan-interface2
      VRID                     Adver Timer...
  • Page 778 outside through Switch A and Switch B respectively, and if Switch A or Switch B fails, the hosts can use the other switch to communicate with the outside, so as to avoid communication interruption. Figure 1-8 Network diagram for multiple VRRP group configuration Virtual IP address 1: 202.38.160.100/25 Switch A...
  • Page 779 [SwitchB-vlan2] port gigabitethernet 1/0/5 [SwitchB-vlan2] quit [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 202.38.160.2 255.255.255.128 # Create a VRRP group 1 and set its virtual IP address to 202.38.160.100. [SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.100 [SwitchB-Vlan-interface2] quit # Configure VLAN 3. [SwitchB] vlan 3 [SwitchB-vlan3] port gigabitethernet 1/0/6 [SwitchB-vlan3] quit...
  • Page 780: Troubleshooting Vrrp

    IPv4 Standby Information:
    Run Mode : Standard
    Run Method : Virtual MAC
    Total number of virtual routers : 2
    Interface Vlan-interface2
      VRID                     Adver Timer
      Admin Status : Up        State : Backup
      Config Pri : 100         Running Pri : 100
      Preempt Mode : Yes       Delay Time
      Auth Type...
  • Page 781 Ping between these masters, and do the following: If the ping fails, check network connectivity. If the ping succeeds, check that their configurations are consistent in terms of number of virtual IP addresses, virtual IP addresses, advertisement interval, and authentication. Symptom 3: Frequent VRRP state transition.
  • Page 782 Table of Contents 1 Cluster Management Configuration ········································································································1-1 Cluster Management Overview···············································································································1-1 Cluster Management Definition ·······································································································1-1 Roles in a Cluster ····························································································································1-1 How a Cluster Works·······················································································································1-2 Cluster Configuration Task List···············································································································1-5 Configuring the Management Device······································································································1-7 Enabling NDP Globally and for Specific Ports ················································································1-7 Configuring NDP Parameters··········································································································1-7 Enabling NTDP Globally and for Specific Ports ··············································································1-8 Configuring NTDP Parameters········································································································1-8...
  • Page 783: Cluster Management Configuration

    Cluster Management Configuration When configuring cluster management, go to these sections for information you are interested in: Cluster Management Overview Cluster Configuration Task List Configuring the Management Device Configuring the Member Devices Configuring Access Between the Management Device and Its Member Devices Adding a Candidate Device to a Cluster Configuring Advanced Cluster Functions Displaying and Maintaining Cluster Management...
  • Page 784: How A Cluster Works

    cluster. Different from a member device, its topology information has been collected by the management device but it has not been added to the cluster. Figure 1-1 Network diagram for a cluster As shown in Figure 1-1, the device configured with a public IP address and performing the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to a cluster is a candidate device.
  • Page 785 configuration according to the candidate device information collected through NTDP. Introduction to NDP NDP is used to discover the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways: A device running NDP periodically sends NDP packets to its neighbors.
  • Page 786 On the same device, except the first port, each NTDP-enabled port waits for a period of time and then forwards the NTDP topology collection request after its prior port forwards the NTDP topology collection request. Cluster management maintenance Adding a candidate device to a cluster You should specify the management device before creating a cluster.
  • Page 787: Cluster Configuration Task List

    information holdtime, it changes its state to Active; otherwise, it changes its state to Disconnect. If the communication between the management device and a member device is recovered, the member device which is in Disconnect state will be added to the cluster. After that, the state of the member device locally and on the management device will be changed to Active.
  • Page 788 Before configuring a cluster, you need to determine the roles and functions the devices play. You also need to configure the related functions, preparing for the communication between devices within the cluster. Complete these tasks to configure a cluster: Task Remarks Enabling NDP Globally and for Specific Ports Optional...
  • Page 789: Configuring The Management Device

    is, the entry with the management device as its destination cannot be added to the routing table, the candidate device will be added to and removed from the cluster repeatedly. Configuring the Management Device Enabling NDP Globally and for Specific Ports For NDP to work normally, you must enable NDP both globally and on specific ports.
  • Page 790: Enabling Ntdp Globally And For Specific Ports

    The time for the receiving device to hold NDP packets cannot be shorter than the interval for sending NDP packets; otherwise, the NDP table may become unstable. Enabling NTDP Globally and for Specific Ports For NTDP to work normally, you must enable NTDP both globally and on specific ports. Follow these steps to enable NTDP globally and for specific ports: To do…...
  • Page 791: Manually Collecting Topology Information

    To do… / Use the command… / Remarks
    - Enter system view: system-view
    - Configure the maximum hops for topology collection: ntdp hop hop-value (Optional; 3 by default)
    - Configure the interval to collect topology information: ntdp timer interval (Optional; 1 minute by default)
    - Configure the delay to forward…: ntdp timer hop-delay...
  • Page 792: Enabling Management Vlan Auto-Negotiation

    the device to be configured as the management device before establishing a cluster. Meanwhile, the IP addresses of the VLAN interfaces of the management device and member devices cannot be in the same network segment as that of the cluster address pool; otherwise, the cluster cannot work normally. When a candidate device is added to a cluster, the management device assigns it a private IP address for it to communicate with other devices in the cluster.
  • Page 793: Configuring Cluster Management Protocol Packets
    Configuring Communication Between the Management Device and the Member Devices Within a Cluster: In a cluster, the management device and member devices communicate by sending handshake packets to maintain the connection between them. You can configure the interval for sending handshake packets and the holdtime of a device on the management device. This configuration applies to all member devices within the cluster.
  • Page 794: Cluster Member Management
    To do… / Use the command… / Remarks:
    Configure the interval to send MAC address negotiation broadcast packets: cluster-mac syn-interval interval (Optional; one minute by default)
    When you configure the destination MAC address for cluster management protocol packets: if the interval for sending MAC address negotiation broadcast packets is 0, the system automatically sets it to 1 minute.
  • Page 795: Configuring The Member Devices
    To do… / Use the command… / Remarks:
    Reboot a specified member device: reboot member { member-number | mac-address mac-address } [ eraseflash ] (Required)
    Configuring the Member Devices. Enabling NDP: refer to Enabling NDP Globally and for Specific Ports. Enabling NTDP: refer to Enabling NTDP Globally and for Specific Ports.
  • Page 796: Adding A Candidate Device To A Cluster
    To do… / Use the command… / Remarks:
    Switch from the operation interface of a member device to that of the management device: cluster switch-to administrator (Required)
    A Telnet connection is used in the switching between the management device and a member device. Note the following when switching between them: Authentication is required when you switch from a member device to the management device.
  • Page 797: Configuring Topology Management
    Configuring Topology Management: The concepts of blacklist and whitelist are used for topology management. An administrator can diagnose the network by comparing the current topology (namely, the information of a node and its neighbors in the cluster) with the standard topology. Topology management whitelist (standard topology): A whitelist is a list of topology information that has been confirmed by the administrator as correct.
  • Page 798: SNMP Configuration Synchronization Function
    the management device. After you configure an FTP/TFTP server for a cluster, the members in the cluster access the configured FTP/TFTP server through the management device. After you configure a log host for a cluster, all the log information of the members in the cluster will be output to the configured log host in the following way: first, the member devices send their log information to the management device, which then converts the addresses of the log information and sends it to the log host.
  • Page 799: Configuring Web User Accounts In Batches
    perform SNMP-related configurations on the management device and synchronize them to the member devices on the whitelist. This operation is equivalent to configuring multiple member devices at one time, which simplifies the configuration process. Follow these steps to configure the SNMP configuration synchronization function: To do…...
  • Page 800: Displaying And Maintaining Cluster Management
    To do… / Use the command… / Remarks:
    Enter system view: system-view (—)
    Enter cluster view: cluster (—)
    Configure Web user accounts in batches: cluster-local-user user-name password { cipher | simple } password (Required)
    If a cluster is dismissed or the member devices are removed from the whitelist, the configurations of the Web user accounts are still retained.
  • Page 801: Cluster Management Configuration Example
    To do… / Use the command… / Remarks:
    Clear NDP statistics: reset ndp statistics [ interface interface-list ] (Available in user view)
    You can view the cluster status not only through the command lines, but also through the seven-segment display on the front panel of the device, to judge the role of the device in the cluster, as described in the following table: Table 1-1 Seven-segment display description. Status...
  • Page 802 Figure 1-4 Network diagram for cluster management configuration. Configuration procedure: configure the member device Switch A.
    # Enable NDP globally and for port GigabitEthernet 1/0/1.
    <SwitchA> system-view
    [SwitchA] ndp enable
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] ndp enable
    [SwitchA-GigabitEthernet1/0/1] quit
    # Enable NTDP globally and for port GigabitEthernet 1/0/1.
    [SwitchA] ntdp enable
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] ntdp enable...
  • Page 803
    [SwitchB-GigabitEthernet1/0/3] ndp enable
    [SwitchB-GigabitEthernet1/0/3] quit
    # Configure the period for the receiving device to keep NDP packets as 200 seconds.
    [SwitchB] ndp timer aging 200
    # Configure the interval to send NDP packets as 70 seconds.
    [SwitchB] ndp timer hello 70
    # Enable NTDP globally and for ports GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  • Page 804
    # Configure the current device as the management device, and establish a cluster named abc.
    [SwitchB-cluster] build abc
    Restore topology from local flash file,for there is no base topology.
    (Please confirm in 30 seconds, default No). (Y/N)
    # Enable management VLAN auto-negotiation.
    [abc_0.SwitchB-cluster] management-vlan synchronization enable
    # Configure the holdtime of the member device information as 100 seconds.
  • Page 805 Table of Contents: 1 Stack Configuration (1-1); Stack Configuration Overview (1-1); Introduction to Stack (1-1); Establishing a Stack (1-2); Stack Configuration Task List (1-2); Configuring the Master Device of a Stack (1-3); Configuring a Private IP Address Pool for a Stack (1-3); Configuring Stack Ports (1-3); Creating a Stack (1-3); Configuring Stack Ports of a Slave Device (1-4); Logging In to the CLI of a Slave from the Master (1-4)...
  • Page 806: Stack Configuration Overview
    Stack Configuration: When configuring a stack, go to these sections for the information you are interested in: Stack Configuration Overview; Stack Configuration Task List; Configuring the Master Device of a Stack; Configuring Stack Ports of a Slave Device; Logging In to the CLI of a Slave from the Master; Displaying and Maintaining Stack Configuration; Stack Configuration Example. Stack Configuration Overview...
  • Page 807: Establishing A Stack
    For the S5810 series switches, only the 10 GE ports can be configured as stack ports, and the switches can be connected to establish stacks only through dedicated stack cables, which include LSWM1STK, LSWM2STK and LSWM3STK. If you plug some other SFP+ module into the 10 GE port after you configure the port as a stack port, the state of the port will automatically become down.
  • Page 808: Configuring The Master Device Of A Stack
    Configuring the Master Device of a Stack. Configuring a Private IP Address Pool for a Stack: Follow these steps to configure a private IP address pool for a stack (To do… / Use the command… / Remarks):
    Enter system view: system-view (—)
    Configure a private IP address pool: stack ip-pool ip-address... (Required)
  • Page 809: Configuring Stack Ports Of A Slave Device
    After you configure a device as the master device of a stack, the prompt changes to <stack_0.Sysname>, where Sysname is the system name of the device. Configuring Stack Ports of a Slave Device: You need to configure stack ports to add a slave device to the stack. The ports of a slave device that connect to other stack devices need to be configured as stack ports.
  • Page 810: Displaying And Maintaining Stack Configuration
    Displaying and Maintaining Stack Configuration (To do… / Use the command… / Remarks):
    Display the stack information of stack members: display stack [ members ] (Available in any view)
    You can view the stack status not only through the command lines, but also through the seven-segment display on the front panel of the device, to judge the role of the device in the stack, as described in the following table:...
  • Page 811 Configuration procedure: configure the master device.
    # Configure a private IP address pool for the stack on Switch A.
    <SwitchA> system-view
    [SwitchA] stack ip-pool 192.168.1.1 24
    # Configure port Ten-GigabitEthernet1/0/51 as a stack port on Switch A.
    [SwitchA] stack stack-port 1 port ten-gigabitethernet 1/0/51
    # Configure switch A as the master device.
  • Page 812
    Role       : Slave
    Sysname    : stack_3.DeviceD
    Device type: S5810-50S
    MAC address: 000f-e200-1003...
  • Page 813 Table of Contents: 1 Automatic Configuration (1-1); Introduction to Automatic Configuration (1-1); Typical Networking of Automatic Configuration (1-1); How Automatic Configuration Works (1-2); Work Flow of Automatic Configuration (1-2); Obtaining the IP Address of an Interface and Related Information Through DHCP (1-3); Obtaining the Configuration File from the TFTP Server (1-5); Executing the Configuration File (1-7)...
  • Page 814: Introduction To Automatic Configuration
    Automatic Configuration: When configuring automatic configuration, go to these sections for the information you are interested in: Introduction to Automatic Configuration; Typical Networking of Automatic Configuration; How Automatic Configuration Works. Introduction to Automatic Configuration: Automatic configuration enables a device to automatically obtain and execute the configuration file when it starts up without loading the configuration file.
  • Page 815: How Automatic Configuration Works
    configuration file with the name hostname.cfg from a TFTP server; if the device gets the domain name of the TFTP server from a DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server. If the DHCP server, TFTP server, DNS server, and the device that performs automatic configuration are not in the same segment, you need to configure DHCP relay on a device working as a gateway.
  • Page 816: Obtaining The IP Address Of An Interface And Related Information Through DHCP
    Figure 1-2 Work flow of automatic configuration. Obtaining the IP Address of an Interface and Related Information Through DHCP. Obtaining an IP address: When a device starts up without loading the configuration file, the system automatically configures the first active interface of the device to obtain its IP address through DHCP. The device broadcasts a DHCP request through this interface.
  • Page 817 The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first resolves the Option 67 field; if this field contains the configuration file name, the device does not resolve the file field; otherwise, it resolves the file field. Temporary configuration contains two parts: the configuration on the interface where automatic configuration is performed when the device starts up with default configuration;...
  • Page 818: Obtaining The Configuration File From The TFTP Server
    You need to configure a client ID (when a device works as the DHCP client, it uses the client ID as its ID) for the static binding when you configure manual address allocation. Therefore, obtain the client ID in this way: start the device that performs automatic configuration, and enable the interface that performs automatic configuration to obtain its IP address through DHCP; after the IP address is successfully obtained, use the display dhcp server ip-in-use command to display the address binding information on the DHCP server, which gives you the client ID of the device.
  • Page 819 Obtaining the configuration file. Figure 1-3 Obtain the configuration file (flowchart): Is the configuration file contained in the DHCP response? Obtain the network intermediate file; search the domain name corresponding to the IP address in the network intermediate file; resolve an IP address to a domain name through DNS; obtain the configuration...
  • Page 820: Executing The Configuration File
    If the IP address and the domain name of the TFTP server are not contained in the DHCP response, or they are not valid, the device broadcasts a TFTP request. When broadcasting a TFTP request, the device obtains the configuration file from the TFTP server that responds first.