3Com 4510G Configuration Manual

Manual is about: 3Com Switch 4510G Family

Summary of 4510G

  • Page 1

3Com Switch 4510G Family Configuration Guide. Switch 4510G 24-Port, Switch 4510G 48-Port. Product version: Release 2202. Manual version: 6W100-20100112. www.3com.com. 3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752 3064.

  • Page 2

Copyright © 2010, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves th...

  • Page 3

About this manual. Organization: the 3Com Switch 4510G Family Configuration Guide is organized as follows. Volume / Features: 00-Product Overview: product overview; acronyms. 01-Access Volume: Ethernet port; link aggregation; port isolation; MSTP; LLDP; VLAN; isolate-user-VLAN; voice VLAN; GVRP; QinQ; BPDU tunneling; port...

  • Page 4

Volume / Features: logging in to an Ethernet switch; logging in through the console port; logging in through Telnet/SSH; user interface configuration examples; logging in through a web-based network management system; logging in through NMS; specifying source for Telnet packets; controlling login users; basic sy...

  • Page 5

GUI conventions. Convention / Description: button names are inside angle brackets. For example, click . [ ]: window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. /: multi-level menus are separated by forward slashes. For example, [File...

  • Page 6: Product Features

1-1 1 Product Features. Introduction to product: the 3Com Switches 4510G are Gigabit Ethernet switching products and have abundant service features. They are designed as distribution and access devices for intranets and metropolitan area networks (MANs). They can also be used for connecting server gro...

  • Page 7

1-2 Volume / Features: 05-QoS Volume: QoS overview; QoS configuration approaches; priority mapping; traffic policing, traffic shaping, and line rate; congestion management; traffic filtering; priority marking; traffic redirecting; traffic mirroring; class-based accounting; user profile; appendix. AAA; 802.1X; EAD fas...

  • Page 8: Features

2-1 2 Features. The following sections provide an overview of the main features of each module supported by the Switch 4510G. Access Volume. Table 2-1 Features in the Access Volume. Features / Description: Ethernet port: this document describes: combo port configuration; basic Ethernet interface configurati...

  • Page 9

2-2 Features / Description: LLDP: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: introduction to LLDP; perfor...

  • Page 10

2-3 IP Services Volume. Table 2-2 Features in the IP Services Volume. Features / Description: IP address: an IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: introduction to IP addresses; IP address configuration. ARP ...

  • Page 11

2-4 Features / Description: DHCP snooping: as a DHCP security feature, DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records the IP-to-MAC mappings of DHCP clients. This document describes: DHCP snooping overview; configuring DHCP snooping basic functions; c...

  • Page 12

2-5 IP Routing Volume. Table 2-3 Features in the IP Routing Volume. Features / Description: IP routing overview: this document describes: introduction to IP routing and routing table; routing protocol overview. Static routing: a static route is manually configured by the administrator. The proper configu...

  • Page 13

2-6 Features / Description: IGMP snooping: running at the data link layer, IGMP snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control. This document describes: configuring basic functions of IGMP snooping; configuring IGMP s...

  • Page 14

2-7 Features / Description: congestion management: the key to congestion management is how to define a dispatching policy for resources to decide the order of forwarding packets when congestion occurs. This document describes: configuring SP queuing; configuring WRR queuing; configuring WFQ queuing; ...

  • Page 15

2-8 Features / Description: EAD fast deployment: in conjunction with 802.1X, EAD fast deployment lets an access switch force all attached devices to download and install the EAD client before permitting them to access the network. This document describes: EAD fast deployment overview; EAD fast...

  • Page 16

2-9 Features / Description: ACL overview: ACLs are sets of rules (or sets of permit or deny statements) that decide which packets can pass and which should be rejected based on matching criteria. This document provides an introduction to IPv4 ACLs and IPv6 ACLs. IPv4 ACL: this document describes: creating...

  • Page 17

2-10 Features / Description: RRPP: RRPP is a link layer protocol designed for Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy, and rapidly restore the communication paths between the nodes after a link is disconnected on the ring. This document des...

  • Page 18

2-11 System Volume. Table 2-8 Features in the System Volume. Features / Description: logging in to an Ethernet switch: the switch supports two types of user interfaces. This document describes: supported user interfaces; users and user interfaces; user interface number; common user interface configuratio...

  • Page 19

2-12 Features / Description: controlling login users: multiple ways are available for controlling different types of login users. This document describes: introduction; controlling Telnet users; controlling network management users by source IP addresses; controlling web users by source IP addresse...

  • Page 20

2-13 Features / Description: SNMP: Simple Network Management Protocol (SNMP) offers a framework to monitor network devices through the TCP/IP protocol suite. This document describes: SNMP overview; basic SNMP function configuration; SNMP log configuration; trap configuration. MIB style: 3Com private MIB ...

  • Page 21

2-14 Features / Description: NQA: NQA analyzes network performance, services and service quality by sending test packets to provide you with network performance and service quality parameters. This document describes: NQA overview; configuring the NQA server; enabling the NQA client; creating an NQ...

  • Page 22: Appendix A Acronyms

A-1 Appendix A Acronyms. Acronyms / Full spelling: 10GE Ten-GigabitEthernet; AAA authentication, authorization and accounting; ABC activity based costing; ABR area border router; AC alternating current; ACK acknowledgement; ACL access control...

  • Page 23

A-2 Acronyms / Full spelling: BGP Border Gateway Protocol; BIMS Branch Intelligent Management System; BOOTP Bootstrap Protocol; BPDU bridge protocol data unit; BRI basic rate interface; BSR bootstrap router; BT BitTorrent; BT burst tolerance; CA call appearance; CA certificate authority; CAR committed a...

  • Page 24

A-3 Acronyms / Full spelling: CV connectivity verification; DAR deeper application recognition; DCE data circuit-terminal equipment; DD database description; DDN digital data network; DHCP Dynamic Host Configuration Protocol; DIS designated IS; DLCI data link connection identifier; DLDP Device Link De...

  • Page 25

A-4 Acronyms / Full spelling: FDI forward defect indication; FEC forwarding equivalence class; FFD fast failure detection; FG forwarding group; FIB forwarding information base; FIFO first in first out; FQDN fully qualified domain name; FR frame relay; FRR fast reroute; FRTT fairness round trip time; FT functional...

  • Page 26

A-5 Acronyms / Full spelling: IBM International Business Machines; ICMP Internet Control Message Protocol; ICMPv6 Internet Control Message Protocol for IPv6; ID identification/identity; IEEE Institute of Electrical and Electronics Engineers; IETF Internet Engineering Task Force; IGMP Internet Group Managemen...

  • Page 27

A-6 Acronyms / Full spelling: LACP Link Aggregation Control Protocol; LACPDU Link Aggregation Control Protocol data unit; LAN local area network; LCP Link Control Protocol; LDAP Lightweight Directory Access Protocol; LDP Label Distribution Protocol; LER label edge router; LFIB label forwarding information bas...

  • Page 28

A-7 Acronyms / Full spelling: MLD Multicast Listener Discovery protocol; MLD-snooping Multicast Listener Discovery snooping; MMC meet-me conference; modem modulator-demodulator; MP multilink PPP; MP-BGP multiprotocol extensions for BGP-4; MPE middle-level PE; MP-group multilink point to point protocol group; M...

  • Page 29

A-8 Acronyms / Full spelling: NMS network management station; NPDU network protocol data unit; NPE network provider edge; NQA network quality analyzer; NSAP network service access point; NSC NetStream collector; N-SEL NSAP selector; NSSA not-so-stubby area; NTDP neighbor topology discovery protocol; NTP Network...

  • Page 30

A-9 Acronyms / Full spelling: PoE Power over Ethernet; POP point of presence; POS packet over SDH; PPP Point-to-Point Protocol; PPTP Point to Point Tunneling Protocol; PPVPN provider-provisioned virtual private network; PQ priority queuing; PRC primary reference clock; PRI primary rate interface; PS protection ...

  • Page 31

A-10 Acronyms / Full spelling: RPR resilient packet ring; RPT rendezvous point tree; RRPP Rapid Ring Protection Protocol; RSB reservation state block; RSOH regenerator section overhead; RSTP Rapid Spanning Tree Protocol; RSVP Resource Reservation Protocol; RTCP Real-time Transport Control Protocol; RTE route t...

  • Page 32

A-11 Acronyms / Full spelling: SPF shortest path first; SPT shortest path tree; SSH Secure Shell; SSM synchronization status marker; SSM source-specific multicast; ST shared tree; STM-1 SDH transport module-1; STM-16 SDH transport module-16; STM-16c SDH transport module-16c; STM-4c SDH transport module-4c; S...

  • Page 33

A-12 Acronyms / Full spelling: VBR variable bit rate; VCI virtual channel identifier; VE virtual Ethernet; VFS virtual file system; VLAN virtual local area network; VLL virtual leased lines; VoD video on demand; VoIP voice over IP; VOS virtual operate system; VPDN virtual private dial-up network; VPDN v...

  • Page 34: Table of Contents

i Table of Contents. 1 Ethernet Port Configuration 1-1. Ethernet port configuration ...

  • Page 35

ii 4 MSTP Configuration 4-1. Overview ...

  • Page 36

iii Enabling LLDP 5-7. Setting LLDP operating mode 5-7. Setting the LL...

  • Page 37

iv Voice VLAN assignment modes 8-2. Security mode and normal mode of voice VLANs 8-3. Configuring a voice VLAN ...

  • Page 38

v Enabling BPDU tunneling 11-4. Configuring destination multicast MAC address for BPDUs 11-5. BPDU tunneling configuration examples ...

  • Page 39: Ethernet Port Configuration

1-1 1 Ethernet Port Configuration. Ethernet port configuration: GE and 10GE ports on the Switch 4510G family are numbered in the following format: interface-type A/B/C. A: number of a member device in an IRF. If no IRF is formed, this value is 1. B: slot number on the device. A value of 0 represe...

  • Page 40

1-2 In case of a combo port, only one interface (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa. Basic Ethernet interface configuration. Configuring an Ethernet interface...

  • Page 41

1-3 To do… / Use the command… / Remarks: shut down the Ethernet interface: shutdown; optional. By default, an Ethernet interface is in up state. To bring up an Ethernet interface, use the undo shutdown command. 10GE ports can be displayed only when 10GE interface module expansion cards are available on th...

  • Page 42

1-4 To do… / Use the command… / Remarks: configure the up/down suppression time of physical-link-state changes: link-delay delay-time; required. By default, the physical-link-state change suppression time is not configured. Configuring loopback testing on an Ethernet interface: you can enable loopback testin...

  • Page 43

1-5 Follow these steps to configure a manual port group: To do… / Use the command… / Remarks: enter system view: system-view; —. Create a manual port group and enter manual port group view: port-group manual port-group-name; required. Add Ethernet interfaces to the manual port group: group-member interface-list...

  • Page 44

1-6 This function is available for auto-negotiation-capable Gigabit Layer 2 Ethernet electrical ports only. If you repeatedly use the speed and the speed auto commands to configure the transmission rate on a port, only the latest configuration takes effect. Configuring storm suppression: you can...

  • Page 46

1-8 To do… / Use the command… / Remarks: interface interface-type interface-number; frames in Ethernet interface view: jumboframe enable; the length of 9,216 bytes to pass through all Layer 2 Ethernet interfaces. Enabling loopback detection on an Ethernet interface: if a port receives a packet that it sent o...

  • Page 47

1-9 Loopback detection on a given port is enabled only after the loopback-detection enable command has been configured in both system view and the interface view of the port. Loopback detection on all ports will be disabled after the configuration of the undo loopback-detection enable command un...

  • Page 49

1-11 Blocking the interface. In this case, the interface is blocked and thus stops forwarding the traffic of this type till the traffic detected is lower than the threshold. Note that an interface blocked by the storm constrain function can still forward other types of traffic and monitor the bloc...

  • Page 50

1-12 For the sake of network stability, configure the interval for generating traffic statistics to a value that is not shorter than the default. The storm constrain function, after being enabled, requires a complete statistical period (specified by the storm-constrain interval command) to collect traf...

  • Page 51

2-1 2 Link Aggregation Configuration. When configuring link aggregation, go to these sections for information you are interested in: overview; link aggregation configuration task list; configuring an aggregation group; configuring an aggregate interface; configuring a load sharing mode for load...

  • Page 52

2-2 Selected: a selected port can forward user traffic. Unselected: an unselected port cannot forward user traffic. The rate of an aggregate interface is the sum of the selected member ports' rates. The duplex mode of an aggregate interface is consistent with that of the selected member ports. N...

  • Page 53

2-3 When a marker response protocol data unit (PDU) is received from the peer or the timer expires, the device starts to redistribute service traffic on all the new link aggregation member ports in selected state. Currently, the Switch 4510G family supports returning marker response PDUs only after...

  • Page 54

2-4 Link aggregation modes: depending on the link aggregation procedure, link aggregation operates in one of the following two modes: static aggregation mode; dynamic aggregation mode. Static aggregation mode: LACP is disabled on the member ports in a static aggregation group. In a static aggregatio...

  • Page 55

2-5 Compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lower LACP priority wins out. If they are the same, compare the system MAC addresses. The system with the smaller MAC address wins out. Compare th...

  • Page 56

2-6 Task / Remarks: enabling linkup/linkdown trap generation for an aggregate interface: optional. Shutting down an aggregate interface: optional. Configuring a load sharing mode for load-sharing link aggregation groups: optional. Configuring an aggregation group: the following ports cannot be assigned to a...

  • Page 57

2-7 Removing a Layer 2 aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. To guarantee a successful static aggregation, ensure that the ports at the two ends of each link to be ag...

  • Page 58

2-8 Removing a dynamic aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. To guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one ...

  • Page 59

2-9 To do... / Use the command... / Remarks: enable linkup/linkdown trap generation for the aggregate interface: enable snmp trap updown; optional, enabled by default. Shutting down an aggregate interface: shutting down or bringing up an aggregate interface affects the selected state of the ports in the corre...

  • Page 61

2-11 To do... / Use the command... / Remarks: display detailed information of aggregation groups: display link-aggregation verbose [ bridge-aggregation [ interface-number ] ]; available in any view. Clear the LACP statistics of ports: reset lacp statistics [ interface interface-type interface-number [ to int...

  • Page 62

2-12 [DeviceA-GigabitEthernet1/0/1] quit / [DeviceA] interface gigabitethernet 1/0/2 / [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1 / [DeviceA-GigabitEthernet1/0/2] quit / [DeviceA] interface gigabitethernet 1/0/3 / [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1. 2) Configure Devi...

  • Page 63

2-13 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1 / [DeviceA-GigabitEthernet1/0/2] quit / [DeviceA] interface gigabitethernet 1/0/3 / [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1. 2) Configure Device B: follow the same configuration procedure performed on Device A to configur...

  • Page 64

2-14 [DeviceA] interface bridge-aggregation 2 / [DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac / [DeviceA-Bridge-Aggregation2] quit. # Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 2. [DeviceA] interface gigabitethernet 1/0/3 / [DeviceA-...

  • Page 65: Port Isolation Configuration

3-1 3 Port Isolation Configuration. When configuring port isolation, go to these sections for information you are interested in: introduction to port isolation; configuring the isolation group; displaying and maintaining isolation groups; port isolation configuration example. Introduction to port...

  • Page 66

3-2 Displaying and maintaining isolation groups: To do… / Use the command… / Remarks: display the isolation group information: display port-isolate group; available in any view. Port isolation configuration example. Network requirements: users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1...

  • Page 67

3-3 Uplink port support: NO. Group ID: 1. Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3.

  • Page 68: MSTP Configuration

4-1 4 MSTP Configuration. When configuring MSTP, go to these sections for information you are interested in: overview; introduction to STP; introduction to RSTP; introduction to MSTP; MSTP configuration task list; configuring MSTP; displaying and maintaining MSTP; MSTP configuration example ...

  • Page 69

4-2 Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic concepts in STP. Root bridge: a tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire...

  • Page 70

4-3 Figure 4-1 A schematic diagram of designated bridges and designated ports. All the ports on the root bridge are designated ports. Path cost: path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and...

  • Page 71

4-4 For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: root bridge ID (represented by device priority); root path cost (related to the rate of the link connecting the port); designated bridge ID (represented by device priority); designated port ...

  • Page 72

4-5 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selecti...

  • Page 73

4-6 Figure 4-2 Network diagram for the STP algorithm (figure labels: Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, ports CP1 and CP2; link path costs 5, 10, 4). Initial state of each device: Table 4-4 shows the initial state of each device. Table 4-4 Initial state of each device. Device / Port name / BPDU...

  • Page 74

4-7 Device / Comparison process / BPDU of port after comparison: Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. ...

  • Page 75

4-8 Device / Comparison process / BPDU of port after comparison. After comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to C...

  • Page 76

4-9 If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This t...

  • Page 77

4-10 Introduction to MSTP. Why MSTP: weaknesses of STP and RSTP. STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge ...

  • Page 78

4-11 Basic concepts in MSTP. Figure 4-4 Basic concepts in MSTP (figure labels: CST; Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region B0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region C0: VLAN 1 mapped to instance 1, VLAN 2 and...

  • Page 79

4-12 VLAN-to-instance mapping table: as an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 4-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI...

  • Page 80

4-13 During MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports: MSTP calculation involves these port roles: root port, designated port, master port, alte...

  • Page 81

4-14 Port states: in MSTP, port states fall into the following three: forwarding: the port learns MAC addresses and forwards user traffic; learning: the port learns MAC addresses but does not forward user traffic; discarding: the port neither learns MAC addresses nor forwards user traffic. When...

  • Page 82

4-15 Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on devices: MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and use...

  • Page 83

4-16 Task / Remarks: enabling the MSTP feature: required. Configuring an MST region: required. Configuring the work mode of an MSTP device: optional. Configuring the timeout factor: optional. Configuring the maximum port rate: optional. Configuring ports as edge ports: optional. Configuring path costs of ports: opt...

  • Page 84

4-17 Configuring MSTP. Configuring an MST region: make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region: To do... / Use the command... / Remarks: enter system view: system-view; —. Enter MST region view: stp region-configuration; —. C...

  • Page 85

4-18 Configuring the root bridge or a secondary root bridge: MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system. Note that: a device...

  • Page 86

4-19 After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, ref...

  • Page 87

4-20 After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the span...

  • Page 88

4-21 Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is considered as a device. The network diameter must b...

  • Page 89

4-22 To do... / Use the command... / Remarks: configure the max age timer: stp timer max-age time; optional, 2,000 centiseconds (20 seconds) by default. The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer...

  • Page 90

4-23 To do... / Use the command... / Remarks: enter system view: system-view; —. Configure the timeout factor of the device: stp timer-factor factor; required, 3 by default. Configuring the maximum port rate: the maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello tim...

  • Page 91

4-24 To do... / Use the command... / Remarks: enter interface view or port group view: enter Ethernet interface view, or Layer 2 aggregate interface view: interface interface-type interface-number; enter port group view: port-group manual port-group-name; required, use either command. Configure the current por...

  • Page 92

4-25 Table 4-7 Link speed vs. path cost. Link speed / Duplex state / 802.1D-1998 / 802.1t / Private standard: 0: —: 65535 / 200,000,000 / 200,000. 10 Mbps, single port: 100 / 2,000,000 / 2,000; aggregate link 2 ports: 100 / 1,000,000 / 1,800; aggregate link 3 ports: 100 / 666,666 / 1,600; aggregate link 4 ports: 100 / 500,000 / 1,400. 100 M...

  • Page 93

4-26 If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. If you use 0...

  • Page 94

4-27 When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends...

  • Page 95

4-28 dot1s: 802.1s-compliant standard format; legacy: compatible format. By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format....

  • Page 97

4-30 By then, you can perform an mCheck operation to force the port to migrate to the MSTP (or RSTP) mode. You can perform mCheck on a port through the following two approaches, which lead to the same result. Performing mCheck globally: follow these steps to perform global mCheck: To do... / Use the co...

  • Page 98

4-31 Before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run MSTP. Configuring the digest snooping feature: you can enable digest snooping only on a device that is connected to a third-party device that uses its private key to calculate the conf...

  • Page 99

4-32 Digest snooping configuration example. 1) Network requirements: Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region. Enable digest snooping on Device A and Device B so that the three devices can communicate with one another. Figure 4-6...

  • Page 100

4-33 Figure 4-7 shows the rapid state transition mechanism on MSTP designated ports. Figure 4-7 Rapid state transition of an MSTP designated port. Figure 4-8 shows rapid state transition of an RSTP designated port. Figure 4-8 Rapid state transition of an RSTP designated port (figure labels: root port, designated port...)

  • Page 101

4-34 To do... / Use the command... / Remarks: enter system view: system-view; —. Enter interface or port group view: enter Ethernet interface view, or Layer 2 aggregate interface view: interface interface-type interface-number; enter port group view: port-group manual port-group-name; required, use either command...

  • Page 102

4-35 Configuration prerequisites: MSTP has been correctly configured on the device. Enabling BPDU guard: for access layer devices, the access ports generally connect directly with user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid t...

  • Page 103

4-36 Follow these steps to enable root guard: To do... / Use the command... / Remarks: enter system view: system-view; —. Enter interface view or port group view: enter Ethernet interface view, or Layer 2 aggregate interface view: interface interface-type interface-number; enter port group view: port-group manu...

  • Page 104

4-37 With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry...

  • Page 105

    4-38 displaying and maintaining mstp to do... Use the command... Remarks view information about abnormally blocked ports display stp abnormal-port available in any view view information about ports blocked by stp protection functions display stp down-port available in any view view the historical in...

  • Page 106

4-39 figure 4-10 network diagram for mstp configuration (diagram labels: devices interconnected through ports ge 1/0/1) configuration procedure 1) vlan and vlan member port configuration create vlan 10, vlan 20, and vlan 30 on device a and device b respectively, create vlan 10, vlan 20, and vlan 40 on device c, and c...

  • Page 107

    4-40 system-view [deviceb] stp region-configuration [deviceb-mst-region] region-name example [deviceb-mst-region] instance 1 vlan 10 [deviceb-mst-region] instance 3 vlan 30 [deviceb-mst-region] instance 4 vlan 40 [deviceb-mst-region] revision-level 0 # activate mst region configuration. [deviceb-mst...

  • Page 108

    4-41 # activate mst region configuration. [deviced-mst-region] active region-configuration [deviced-mst-region] quit # enable mstp globally. [deviced] stp enable 6) verifying the configurations you can use the display stp brief command to display brief spanning tree information on each device after ...

  • Page 109

    4-42 3 gigabitethernet1/0/2 alte discarding none 4 gigabitethernet1/0/3 root forwarding none based on the above information, you can draw the msti corresponding to each vlan, as shown in figure 4-11 . Figure 4-11 mstis corresponding to different vlans.

  • Page 110: Lldp Configuration

    5-1 5 lldp configuration when configuring lldp, go to these sections for information you are interested in: z overview z lldp configuration task list z performing basic lldp configuration z configuring cdp compatibility z configuring lldp trapping z displaying and maintaining lldp z lldp configurati...

  • Page 111

    5-2 figure 5-1 ethernet ii-encapsulated lldp frame format the fields in the frame are described in table 5-1 : table 5-1 description of the fields in an ethernet ii-encapsulated lldp frame field description destination mac address the mac address to which the lldpdu is advertised. It is fixed to 0x0...

  • Page 112

    5-3 field description source mac address the mac address of the sending port. If the port does not have a mac address, the mac address of the sending bridge is used. Type the snap type for the upper layer protocol. It is 0xaaaa-0300-0000-88cc for lldp. Data lldpdu. Fcs frame check sequence, a 32-bit...

  • Page 113

    5-4 type description remarks port description port description of the sending port. System name assigned name of the sending device. System description description of the sending device. System capabilities identifies the primary functions of the sending device and the primary functions that have be...

  • Page 114

    5-5 management. In addition, lldp-med tlvs make deploying voice devices in ethernet easier. Lldp-med tlvs are shown in table 5-6 : table 5-6 lldp-med tlvs type description lldp-med capabilities allows a med endpoint to advertise the supported lldp-med tlvs and its device type. Network policy allows ...

  • Page 115

    5-6 how lldp works transmitting lldp frames an lldp-enabled port operating in txrx mode or tx mode sends lldp frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by lldp frames at times of frequent local d...

  • Page 116

5-7 lldp-related configurations made in ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing basic lldp configuration enabling lldp to make lldp take effect on certain ports, you need to enabl...

  • Page 117

    5-8 setting the lldp re-initialization delay when lldp operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the lldp re-initialization delay, you can avoid frequent initializations caused by frequent lldp operating mode changes on a p...

  • Page 119

    5-10 setting other lldp parameters the ttl tlv carried in an lldpdu determines how long the device information carried in the lldpdu can be saved on a recipient device. You can configure the ttl of locally sent lldp frames to determine how long information about the local device can be saved on a ne...

  • Page 120

    5-11 to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter ethernet interface view or port group view enter port group view port-group manual port-group-name required use either command. Set the encapsulation for...

  • Page 121

5-12 configuring cdp compatibility cdp-compatible lldp operates in one of the following two modes: z txrx, where cdp packets can be transmitted and received. Z disable, where cdp packets can neither be transmitted nor received. To make cdp-compatible lldp take effect on certain ports, first enable ...

  • Page 122

    5-13 to do… use the command… remarks enable lldp trap sending lldp notification remote-change enable required disabled by default quit to system view quit — set the interval to send lldp traps lldp timer notification-interval interval optional 5 seconds by default displaying and maintaining lldp to ...

  • Page 123

    5-14 configuration procedure 1) configure switch a. # enable lldp globally. System-view [switcha] lldp enable # enable lldp on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 (you can skip this step because lldp is enabled on ports by default), and set the lldp operating mode to rx. [switcha] interf...

  • Page 124

    5-15 roll time : 0s number of neighbors : 1 number of med neighbors : 1 number of cdp neighbors : 0 number of sent optional tlv : 0 number of received unknown tlv : 0 port 2 [gigabitethernet1/0/2]: port status of lldp : enable admin status : rx_only trap flag : no roll time : 0s number of neighbors ...

  • Page 125

    5-16 port 2 [gigabitethernet1/0/2]: port status of lldp : enable admin status : rx_only trap flag : no roll time : 0s number of neighbors : 0 number of med neighbors : 0 number of cdp neighbors : 0 number of sent optional tlv : 0 number of received unknown tlv : 0 as the sample output shows, gigabit...

  • Page 126

    5-17 2) configure cdp-compatible lldp on switch a. # enable lldp globally and enable lldp to be compatible with cdp globally. [switcha] lldp enable [switcha] lldp compliance cdp # enable lldp (you can skip this step because lldp is enabled on ports by default), configure lldp to operate in txrx mode...

  • Page 127: Vlan Configuration

    6-1 6 vlan configuration when configuring vlan, go to these sections for information you are interested in: z introduction to vlan z configuring basic vlan settings z configuring basic settings of a vlan interface z port-based vlan configuration z mac-based vlan configuration z protocol-based vlan c...

  • Page 128

    6-2 2) confining broadcast traffic within individual vlans. This reduces bandwidth waste and improves network performance. 3) improving lan security. By assigning user groups to different vlans, you can isolate them at layer 2. To enable communication between vlans, routers or layer 3 switches are r...

  • Page 129

    6-3 z the ethernet ii encapsulation format is used here. Besides the ethernet ii encapsulation format, other encapsulation formats, including 802.2 llc, 802.2 snap, and 802.3 raw, are also supported by ethernet. The vlan tag fields are also added to frames encapsulated in these formats for vlan iden...

  • Page 130

    6-4 z as the default vlan, vlan 1 cannot be created or removed. Z you cannot manually create or remove vlans reserved for special purposes. Z dynamic vlans cannot be removed with the undo vlan command. Z a vlan with a qos policy applied cannot be removed. Z for isolate-user-vlans or secondary vlans,...

  • Page 131

    6-5 before creating a vlan interface for a vlan, create the vlan first. Port-based vlan configuration introduction to port-based vlan port-based vlans group vlan members by port. A port forwards traffic for a vlan only after it is assigned to the vlan. Port link type you can configure the link type ...

  • Page 132

    6-6 z do not set the voice vlan as the default vlan of a port in automatic voice vlan assignment mode. Otherwise, the system prompts error information. For information about voice vlan, refer to voice vlan configuration . Z the local and remote ports must use the same default vlan id for the traffic...

  • Page 133

    6-7 to do… use the command… remarks enter vlan view vlan vlan-id required if the specified vlan does not exist, this command creates the vlan first. Assign one or a group of access ports to the current vlan port interface-list required by default, all ports belong to vlan 1. In vlan view, you only a...

  • Page 134

    6-8 z before assigning an access port to a vlan, create the vlan first. Z after you configure a command on a layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interfac...

  • Page 135

    6-9 z to change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. Z the local and remote hybrid ports must use the same default vlan id for the traffic of the default vlan to be transmitted properly. Z after configuring the default vlan for a tru...

  • Page 136

    6-10 z to change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. Z before assigning a hybrid port to a vlan, create the vlan first. Z the local and remote hybrid ports must use the same default vlan id for the traffic of the default vlan to be ...

  • Page 137

6-11 the device associates mac addresses with vlans dynamically based on the information provided by the authentication server. If a user goes offline, the corresponding mac address-to-vlan association is removed automatically. Automatic configuration requires mac address-to-vlan mapping be configur...

  • Page 138

    6-12 protocol-based vlan configuration introduction to protocol-based vlan protocol-based vlans are only applicable on hybrid ports. In this approach, inbound packets are assigned to different vlans based on their protocol types and encapsulation formats. The protocols that can be used for vlan assi...

  • Page 139

    6-13 to do… use the command… remarks enter layer-2 aggregate interface view interface bridge-aggregation interface-number group view enter port group view port-group manual port-group-name use either command. Z in ethernet interface view, the subsequent configurations apply to the current port. Z in...

  • Page 140

    6-14 ip subnet-based vlan configuration introduction in this approach, packets are assigned to vlans based on their source ip addresses and subnet masks. A port configured with ip subnet-based vlans assigns a received untagged packet to a vlan based on the source address of the packet. This feature ...

  • Page 141

    6-15 to do… use the command… remarks associate the hybrid port(s) with the specified ip subnet-based vlan port hybrid ip-subnet-vlan vlan vlan-id required after you configure a command on a layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its a...

  • Page 142

    6-16 to do... Use the command… remarks clear statistics on a port reset counters interface [ interface-type [ interface-number ] ] available in user view the reset counters interface command can be used to clear statistics on a vlan interface. For more information, refer to ethernet interface comman...

  • Page 143

    6-17 # configure gigabitethernet 1/0/1 to permit packets from vlan 2, vlan 6 through vlan 50, and vlan 100 to pass through. [devicea-gigabitethernet1/0/1] port trunk permit vlan 2 6 to 50 100 please wait... Done. [devicea-gigabitethernet1/0/1] quit [devicea] quit 2) configure device b as you configu...

  • Page 144

    6-18 0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses output (normal): 0 packets, - bytes 0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses output: 0 output errors, - underruns, - buffer failures 0 aborts, 0 deferred, 0 collisions, 0 late collisions 0 lost carrier, - no carrier the output above shows...

  • Page 145

    7-1 7 isolate-user-vlan configuration when configuring an isolate-user vlan, go to these sections for information you are interested in: z overview z configuring isolate-user-vlan z displaying and maintaining isolate-user-vlan z isolate-user-vlan configuration example overview an isolate-user-vlan a...

  • Page 146

    7-2 3) assign non-trunk ports to the isolate-user-vlan and ensure that at least one port takes the isolate-user-vlan as its default vlan; 4) assign non-trunk ports to each secondary vlan and ensure that at least one port in a secondary vlan takes the secondary vlan as its default vlan; 5) associate ...

  • Page 147

    7-3 displaying and maintaining isolate-user-vlan to do... Use the command... Remarks display the mapping between an isolate-user-vlan and its secondary vlan(s) display isolate-user-vlan [ isolate-user-vlan-id ] available in any view isolate-user-vlan configuration example network requirements z conn...

  • Page 148

    7-4 [deviceb] vlan 2 [deviceb-vlan2] port gigabitethernet 1/0/2 [deviceb-vlan2] quit # associate the isolate-user-vlan with the secondary vlans. [deviceb] isolate-user-vlan 5 secondary 2 to 3 2) configure device c # configure the isolate-user-vlan. System-view [devicec] vlan 6 [devicec-vlan6] isolat...

  • Page 149

    7-5 gigabitethernet 1/0/2 gigabitethernet 1/0/5 vlan id: 3 vlan type: static isolate-user-vlan type : secondary route interface: not configured description: vlan 0003 name: vlan 0003 tagged ports: none untagged ports: gigabitethernet 1/0/1 gigabitethernet 1/0/5.

  • Page 150: Voice Vlan Configuration

    8-1 8 voice vlan configuration when configuring a voice vlan, go to these sections for information you are interested in: z overview z configuring a voice vlan z displaying and maintaining voice vlan z voice vlan configuration overview a voice vlan is configured specially for voice traffic. After as...

  • Page 151

    8-2 z in general, as the first 24 bits of a mac address (in binary format), an oui address is a globally unique identifier assigned to a vendor by ieee. Oui addresses mentioned in this document, however, are different from those in common sense. Oui addresses in this document are used by the system ...

  • Page 152

    8-3 voice vlan assignment mode voice traffic type port link type access: not supported trunk: supported if the default vlan of the connecting port exists and is not the voice vlan and the connecting port belongs to the default vlan tagged voice traffic hybrid: supported if the default vlan of the co...

  • Page 153

    8-4 table 8-3 how a voice vlan-enable port processes packets in security/normal mode voice vlan working mode packet type packet processing mode untagged packets packets carrying the voice vlan tag if the source mac address of a packet matches an oui address configured for the device, it is forwarded...

  • Page 154

    8-5 to do... Use the command... Remarks configure the port to operate in automatic voice vlan assignment mode voice vlan mode auto optional automatic voice vlan assignment mode is enabled by default. The voice vlan assignment modes on different ports are independent of one another. Enable voice vlan...

  • Page 155

    8-6 to do... Use the command... Remarks trunk port refer to section assigning a trunk port to a vlan . Configure the voice vlan as the default vlan of the port hybrid port refer to assigning a hybrid port to a vlan . Optional this operation is required for untagged inbound voice traffic and prohibit...

  • Page 156

8-7 figure 8-1 network diagram for automatic voice vlan assignment mode configuration (diagram labels: device a and device b, ports ge1/0/1 and ge1/0/2; ip phone a, 010-1001, mac: 0011-1100-0001, mask: ffff-ff00-0000; ip phone b, 010-1002, mac: 0011-2200-0001, mask: ffff-ff00-0000; 0755-2002; internet; pc a, mac: 0022-1100-0002; pc b, m...

  • Page 157

    8-8 [devicea-gigabitethernet1/0/2] voice vlan mode auto [devicea-gigabitethernet1/0/2] port link-type access please wait... Done. [devicea-gigabitethernet1/0/2] port link-type hybrid [devicea-gigabitethernet1/0/2] voice vlan 3 enable verification # display the oui addresses, oui address masks, and d...

  • Page 158

    8-9 figure 8-2 network diagram for manual voice vlan assignment mode configuration configuration procedure # configure the voice vlan to operate in security mode. (optional. A voice vlan operates in security mode by default.) system-view [devicea] voice vlan security enable # add a recognizable oui ...

  • Page 159

    8-10 0011-2200-0000 ffff-ff00-0000 test 00d0-1e00-0000 ffff-ff00-0000 pingtel phone 0060-b900-0000 ffff-ff00-0000 philips/nec phone 00e0-7500-0000 ffff-ff00-0000 polycom phone 00e0-bb00-0000 ffff-ff00-0000 3com phone # display the current voice vlan state. Display voice vlan state maximum of voice v...

  • Page 160: Gvrp Configuration

    9-1 9 gvrp configuration the garp vlan registration protocol (gvrp) is a garp application. It functions based on the operating mechanism of garp to maintain and propagate dynamic vlan registration information for the gvrp devices on the network. When configuring gvrp, go to these sections for inform...

  • Page 161

    9-2 z hold timer –– when a garp application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one join message. This helps you save bandwidth. Z join timer –– a garp participant send...

  • Page 162

    9-3 garp message format figure 9-1 garp message format figure 9-1 illustrates the garp message format. Table 9-1 describes the garp message fields. Table 9-1 description on the garp message fields field description value protocol id protocol identifier for garp 1 message one or multiple messages, ea...

  • Page 163

    9-4 gvrp gvrp enables a device to propagate local vlan registration information to other participant devices and dynamically update the vlan registration information from other devices to its local database about active vlan members and through which port they can be reached. It thus ensures that al...

  • Page 164

    9-5 to do… use the command… remarks enter system view system-view –– enable gvrp globally gvrp required globally disabled by default. Enter ethernet interface view or layer 2 aggregate interface view interface interface-type interface-number enter ethernet interface view, layer 2 aggregate interface...

  • Page 165

    9-6 to do… use the command… remarks enter ethernet or layer 2 aggregate interface view interface interface-type interface-number enter ethernet interface view, layer 2 aggregate interface view, or port-group view enter port-group view port-group manual port-group-name required perform either of the ...

  • Page 166

    9-7 to do… use the command… remarks display the current gvrp state display gvrp state interface interface-type interface-number vlan vlan-id available in any view display statistics about gvrp display gvrp statistics [ interface interface-list ] available in any view display the global gvrp state di...

  • Page 167

    9-8 [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [deviceb-gigabitethernet1/0/1] port link-type trunk [deviceb-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on trunk port gigabitet...

  • Page 168

    9-9 [devicea-gigabitethernet1/0/1] quit # create vlan 2 (a static vlan). [devicea] vlan 2 2) configure device b # enable gvrp globally. System-view [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [de...

  • Page 169

    9-10 [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] port link-type trunk [devicea-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on gigabitethernet 1/0/1 and set the gvrp registration type to forbidden on the port. [devicea-gigabitethernet1/0/1] gvrp [device...

  • Page 170: Qinq Configuration

    10-1 10 qinq configuration when configuring qinq, go to these sections for information you are interested in: z introduction to qinq z qinq configuration task list z configuring basic qinq z configuring selective qinq z configuring the tpid value in vlan tags z qinq configuration examples throughout...

  • Page 171

10-2 figure 10-1 schematic diagram of the qinq feature (diagram labels: service provider network; customer network a, vlan 1~10; customer network b, vlan 1~20; vlan 3; vlan 4) as shown in figure 10-1 , customer network a has cvlans 1 through 10...

  • Page 172

    10-3 figure 10-2 single-tagged frame structure vs. Double-tagged ethernet frame structure the default maximum transmission unit (mtu) of an interface is 1500 bytes. The size of an outer vlan tag is 4 bytes. Therefore, you are recommended to increase the mtu of each interface on the service provider ...

  • Page 173

    10-4 figure 10-3 vlan tag structure of an ethernet frame the device determines whether a received frame carries a svlan tag or a cvlan tag by checking the corresponding tpid value. Upon receiving a frame, the device compares the configured tpid value with the value of the tpid field in the frame. If...

  • Page 174

    10-5 qinq configuration task list table 10-2 qinq configuration task list configuration task remarks configuring basic qinq optional configuring selective qinq based on ports configuring selective qinq configuring selective qinq through qos policies use either approach configuring the tpid value in ...

  • Page 175

    10-6 the two approaches can achieve the same result. If two approaches are both used to configure different outer vlan tagging policies on the same port, the outer vlan tagging policy configured in the qos policy approach takes effect. Configuring selective qinq based on ports switch 4510g series sw...

  • Page 177

    10-8 follow these steps to configure a tpid value globally: to do... Use the command... Remarks enter system view system-view — configure the tpid value in the cvlan tag or the svlan tag qinq ethernet-type hex-value optional by default, the tpid value is 0x8100 qinq configuration examples basic qinq...

  • Page 178

    10-9 make sure that the devices in the service provider network have been configured to allow qinq packets to pass through. 1) configuration on provider a z configure gigabitethernet 1/0/1 # configure vlan 10 as the default vlan of gigabitethernet 1/0/1. System-view [providera] interface gigabitethe...

  • Page 179

    10-10 # configure gigabitethernet 1/0/2 as a hybrid port and configure vlan 10 as the default vlan of the port. [providerb] interface gigabitethernet 1/0/2 [providerb-gigabitethernet1/0/2] port link-type hybrid [providerb-gigabitethernet1/0/2] port hybrid pvid vlan 10 [providerb-gigabitethernet1/0/2...

  • Page 180

    10-11 figure 10-5 network diagram for comprehensive selective qinq configuration configuration procedure make sure that the devices in the service provider network have been configured to allow qinq packets to pass through. 1) configuration on provider a z configure gigabitethernet 1/0/1 # configure...

  • Page 181

    10-12 [providera] interface gigabitethernet 1/0/2 [providera-gigabitethernet1/0/2] port link-type hybrid [providera-gigabitethernet1/0/2] port hybrid vlan 1000 untagged # tag cvlan 10 frames with svlan 1000. [providera-gigabitethernet1/0/2] qinq vid 1000 [providera-gigabitethernet1/0/2-vid-1000] raw...

  • Page 182

    10-13 selective qinq configuration example (qos policy-based configuration) network requirements as shown in figure 10-6 , z provider a and provider b are service provider network access devices. Z customer a, customer b, customer c, and customer d are customer network access devices. Z provider a a...

  • Page 183

    10-14 system-view z configuration on gigabitethernet 1/0/1 # configure the port as a hybrid port permitting frames of vlan 1000, vlan 2000, and vlan 3000 to pass through with the outer vlan tag removed. [providera] interface gigabitethernet 1/0/1 [providera-gigabitethernet1/0/1] port link-type hybri...

  • Page 184

    10-15 [providera-gigabitethernet1/0/2] port access vlan 1000 # enable basic qinq. Tag frames from vlan 10 with the outer vlan tag 1000. [providera-gigabitethernet1/0/2] qinq enable [providera-gigabitethernet1/0/2] quit z configuration on gigabitethernet 1/0/3. # configure the port as a trunk port pe...

  • Page 185

    10-16 as third-party devices are deployed between provider a and provider b, what we discuss here is only the basic configuration that should be made on the devices. Configure that device connecting with gigabitethernet 1/0/3 of provider a and the device connecting with gigabitethernet 1/0/1 of prov...

  • Page 186: Bpdu Tunneling Configuration

    11-1 11 bpdu tunneling configuration when configuring bpdu tunneling, go to these sections for information you are interested in: z introduction to bpdu tunneling z configuring bpdu tunneling z bpdu tunneling configuration examples introduction to bpdu tunneling as a layer 2 tunneling technology, bp...

  • Page 187

    11-2 depending on the device models, bpdu tunneling may support the transparent transmission of these types of layer 2 protocol packets: z cisco discovery protocol (cdp) z device link detection protocol (dldp) z ethernet operation, administration and maintenance (eoam) z garp vlan registration proto...

  • Page 188

    11-3 networks of the same customer can implement consistent spanning tree calculation across the service provider network. Z bpdus of different customer networks can be confined within different vlans for transmission on the service provider network. Thus, each customer network can perform independe...

  • Page 189

    11-4 z assign the port on which you want to enable bpdu tunneling on the pe device and the connected port on the ce device to the same vlan. Z configure all the ports in the service provider network as trunk ports allowing packets of any vlan to pass through. Enabling bpdu tunneling you can enable b...

  • Page 191

    11-6 figure 11-3 network diagram for configuring bpdu tunneling for stp configuration procedure 1) configuration on pe 1 # configure the destination multicast mac address for bpdus as 0x0100-0ccd-cdd0. System-view [pe1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0 # create vlan 2 and assign gigabitetherne...

  • Page 192

    11-7 z all ports used to connect devices in the service provider network are trunk ports and allow packets of any vlan to pass through. Z pvst is enabled for vlans 1 through 4094 on user a’s network. It is required that, after the configuration, ce 1 and ce 2 implement consistent pvst calculation ac...

  • Page 193: Port Mirroring Configuration

    12-1 12 port mirroring configuration when configuring port mirroring, go to these sections for information you are interested in: z introduction to port mirroring z configuring local port mirroring z configuring remote port mirroring z displaying and maintaining port mirroring z port mirroring confi...

  • Page 194

12-2 as shown in figure 12-1 , packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze. Figure 12-1 local port mirroring implementation (diagram labels: pc, mirroring port, monitor port, data monitoring device) how the device processes packets monitor port ...

  • Page 195

    12-3 you must ensure that the source device and the destination device can communicate at layer 2 in the remote probe vlan. Z destination device the destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a pac...

  • Page 196

    12-4 to do… use the command… remarks [ mirroring-group groupid ] monitor-port z a local port mirroring group takes effect only after its mirroring and monitor ports are configured. Z to ensure operation of your device, do not enable stp, mstp, or rstp on the monitor port. Z a port mirroring group ca...

  • Page 198

    12-6 z to remove the vlan configured as a remote probe vlan, you must remove the remote probe vlan with undo mirroring-group remote-probe vlan command first. Removing the probe vlan can invalidate the remote source mirroring group. Z you are recommended to use a remote probe vlan exclusively for the...

  • Page 199

    12-7 when configuring the monitor port, use the following guidelines: z the port can belong to only the current mirroring group. Z to ensure operation of your device, do not assign the monitor port to a mirroring vlan. Z disable these functions on the port: stp, mstp, and rstp. Z you are recommended...

  • Page 200

12-8 figure 12-3 network diagram for local port mirroring configuration (diagram labels: switch a, switch b, switch c; ports ge1/0/1, ge1/0/2, ge1/0/3; r&d department, marketing department, data monitoring device) configuration procedure configure switch c. # create a local port mirroring group. System-view [switchc] mirroring-gro...

  • Page 201

    12-9 as shown in figure 12-4 , the administrator wants to monitor the packets sent from department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: z use switch a as the source device, switch b as the in...

  • Page 202

    12-10 # configure port gigabitethernet 1/0/3 as a trunk port and configure the port to permit the packets of vlan 2. [switcha] interface gigabitethernet 1/0/3 [switcha-gigabitethernet1/0/3] port link-type trunk [switcha-gigabitethernet1/0/3] port trunk permit vlan 2 2) configure switch b (the interm...

  • Page 203: Table of Contents

I table of contents 1 ip addressing configuration 1-1 ip addressing overview ...

  • Page 204

Ii enabling arp defense against ip packet attacks 4-2 configuring arp active acknowledgement 4-2 introduction ...

  • Page 205

Iii displaying and maintaining dhcp relay agent configuration 6-9 dhcp relay agent configuration examples 6-9 dhcp relay agent configuration example...

  • Page 206

Iv 11 ip performance optimization configuration 11-1 ip performance overview 11-1 enabling recept...

  • Page 207

V 14 dual stack configuration 14-1 dual stack overview 14-1...

  • Page 208: IP Addressing Configuration

    1-1 1 IP Addressing Configuration When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: • IP addressing overview • Configuring IP addresses • Displaying and maintaining IP addressing IP Addressing Overview This section covers these topi...

  • Page 209

    1-2 Table 1-1 IP address classes and ranges: Class | Address range | Remarks; A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packe...

  • Page 210

    1-3 In the absence of subnetting, some special addresses, such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts. The same is true for subnetting. When designing your network, you should note that subnetting is somewhat a tradeof...

  • Page 211

    1-4 • The primary IP address you assigned to the interface can overwrite the old one if there is any. • You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. • The primary and secondary IP addresses you assign to the interface can be located on the same network ...

  • Page 212

    1-5 ping 172.16.1.2 ping 172.16.1.2: 56 data bytes, press ctrl_c to break reply from 172.16.1.2: bytes=56 sequence=1 ttl=255 time=25 ms reply from 172.16.1.2: bytes=56 sequence=2 ttl=255 time=27 ms reply from 172.16.1.2: bytes=56 sequence=3 ttl=255 time=26 ms reply from 172.16.1.2: bytes=56 sequence...

  • Page 213: ARP Configuration

    2-1 This document is organized as follows: • ARP configuration • Proxy ARP configuration • ARP attack defense configuration 2 ARP Configuration When configuring ARP, go to these sections for information you are interested in: • ARP overview • Configuring ARP • Configuring gratuitous ARP • Displaying...

  • Page 214

    2-2 hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4". • Op: Operation code. This field specifies the type of ARP message. The value "1" represents an ARP request and "2" represents an ARP reply. • Sender hardware address: This field s...

  • Page 215

    2-3 request, in which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B. ARP Table After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping i...

  • Page 216

    2-4 To do… | Use the command… | Remarks; Enter system view | system-view | —; Configure a permanent static ARP entry | arp static ip-address mac-address vlan-id interface-type interface-number | Required. No permanent static ARP entry is configured by default; Configure a non-permanent static ARP entry | arp static ...

  • Page 217

    2-5 Enabling the ARP Entry Check The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system...

  • Page 218

    2-6 • Determining whether its IP address is already used by another device. • Informing other devices of its MAC address change so that they can update their ARP entries. A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no...

  • Page 219: Proxy ARP Configuration

    3-1 3 Proxy ARP Configuration When configuring proxy ARP, go to these sections for information you are interested in: • Proxy ARP overview • Enabling proxy ARP • Displaying and maintaining proxy ARP Proxy ARP Overview If a host sends an ARP request for the MAC address of another host that actually r...

  • Page 220

    3-2 You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is th...

  • Page 221

    3-3 To do… | Use the command… | Remarks; Enable local proxy ARP | local-proxy-arp enable | Required. Disabled by default. Displaying and Maintaining Proxy ARP: To do… | Use the command… | Remarks; Display whether proxy ARP is enabled | display proxy-arp [ interface vlan-interface vlan-id ] | Available in any view; Displ...

  • Page 222

    3-4 [Switch-Vlan-interface1] quit [Switch] interface vlan-interface 2 [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0 [Switch-Vlan-interface2] proxy-arp enable [Switch-Vlan-interface2] quit Local Proxy ARP Configuration Example in Case of Port Isolation Network requirements • Host A ...

  • Page 223

    3-5 # Configure an IP address of VLAN-interface 2. system-view [SwitchA] vlan 2 [SwitchA-vlan2] port gigabitethernet 1/0/2 [SwitchA-vlan2] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Host B is unsuccessfu...

  • Page 224

    3-6 [SwitchB-vlan2] port gigabitethernet 1/0/2 [SwitchB-vlan2] quit [SwitchB] vlan 3 [SwitchB-vlan3] port gigabitethernet 1/0/3 [SwitchB-vlan3] quit [SwitchB] vlan 5 [SwitchB-vlan5] port gigabitethernet 1/0/1 [SwitchB-vlan5] isolate-user-vlan enable [SwitchB-vlan5] quit [SwitchB] isolate-user-vlan 5...

  • Page 225

    4-1 4 ARP Attack Defense Configuration When configuring ARP attack defense, go to these sections for information you are interested in: • Configuring ARP source suppression • Configuring ARP defense against IP packet attacks • Configuring ARP active acknowledgement • Configuring source MAC address b...

  • Page 226

    4-2 Displaying and Maintaining ARP Source Suppression: To do… | Use the command… | Remarks; Display the ARP source suppression configuration information | display arp source-suppression | Available in any view. Configuring ARP Defense Against IP Packet Attacks Introduction to ARP Defense Against IP Packet Atta...

  • Page 227

    4-3 Then, • if an ARP reply is received within five seconds, the gateway updates the ARP entry; • if not, the ARP entry is not updated. Configuring the ARP Active Acknowledgement Function Follow these steps to configure ARP active acknowledgement: To do… | Use the command… | Remarks; Enter system view | sy...

  • Page 228

    4-4 Follow these steps to configure protected MAC addresses: To do… | Use the command… | Remarks; Enter system view | system-view | —; Configure protected MAC addresses | arp anti-attack source-mac exclude-mac mac-address& | Optional. Not configured by default. Configuring the Aging Timer for Protected MAC Address...

  • Page 229

    4-5 ARP detection also checks source MAC address consistency of ARP packets, but it is enabled on an access device to detect only ARP packets sent to it. Configuring ARP Packet Source MAC Address Consistency Check Follow these steps to enable ARP packet source MAC address consistency check: To do… | U...

  • Page 230

    4-6 Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security Entries/Static IP-to-MAC Bindings With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-...

  • Page 231

    4-7 To do… | Use the command… | Remarks; Enter system view | system-view | —; Enter VLAN view | vlan vlan-id | —; Enable ARP detection for the VLAN | arp detection enable | Required. Disabled by default. That is, ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings is not enabl...

  • Page 232

    4-8 During the DHCP assignment process, when the client receives the DHCP-ACK message from the DHCP server, it broadcasts a gratuitous ARP packet to detect address conflicts. If no response is received in a pre-defined time period, the client uses the assigned IP address. If the client is enabled wi...

  • Page 233

    4-9 • If both the ARP detection based on specified objects and the ARP detection based on snooping entries/802.1X security entries/static IP-to-MAC bindings are enabled, the former one applies first, and then the latter applies. • Before enabling ARP detection based on DHCP snooping entries, make su...

  • Page 234

    4-10 Configuration procedure 1) Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted). 2) Configure a DHCP server (the configuration procedure is omitted). 3) Configure Host A and Host B as DHCP clients (the...

  • Page 235

    4-11 Figure 4-2 Network diagram for ARP detection configuration Configuration procedure 1) Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted). 2) Configure a DHCP server (the configuration procedure is om...

  • Page 236: DHCP Overview

    5-1 This document is organized as follows: • DHCP overview • DHCP relay agent configuration • DHCP client configuration • DHCP snooping configuration • BOOTP client configuration 5 DHCP Overview Introduction to DHCP The fast expansion and growing complexity of networks result in scarce IP addresses ...

  • Page 237

    5-2 DHCP Address Allocation Allocation mechanisms DHCP supports three mechanisms for IP address allocation. • Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client. • Automatic allocation: DHCP assigns a ...

  • Page 238

    5-3 • After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE me...

  • Page 239

    5-4 • secs: Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. Currently this field is reserved and set to 0. • flags: The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back...

  • Page 240

    5-5 • Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. • Option 33: Static route option. It specifies a list of classful static routes (the d...

  • Page 241

    5-6 Figure 5-6 Format of the value field of the ACS parameter sub-option • The value field of the service provider identifier sub-option contains the service provider identifier. • Figure 5-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE se...

  • Page 242

    5-7 Figure 5-8 Sub-option 1 in normal padding format • Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that...

  • Page 243

    5-8 • Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. • Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreacha...

  • Page 244

    6-1 6 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP relay agent • DHCP relay agent configuration task list • Configuring the DHCP relay agent • Displaying and maintaining DHCP relay agent confi...

  • Page 245

    6-2 Figure 6-1 DHCP relay agent application (diagram labels: IP network, DHCP server, DHCP relay agent, DHCP clients) No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process)...

  • Page 246

    6-3 If a client’s requesting message has… | Handling strategy | Padding format | The DHCP relay agent will…; drop | random | Drop the message; keep | random | Forward the message without changing Option 82; normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format...

  • Page 247

    6-4 Follow these steps to enable DHCP: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enable DHCP | dhcp enable | Required. Disabled by default. Enabling the DHCP Relay Agent on an Interface With this task completed, upon receiving a DHCP request from the enabled interface, the relay age...

  • Page 248

    6-5 To do… | Use the command… | Remarks; Correlate the DHCP server group with the current interface | dhcp relay server-select group-id | Required. By default, no interface is correlated with any DHCP server group. • You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addr...

  • Page 249

    6-6 • The dhcp relay address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands are used. • The dhcp relay address-check enable command only checks IP and M...

  • Page 250

    6-7 Follow these steps to enable unauthorized DHCP server detection: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enable unauthorized DHCP server detection | dhcp relay server-detect | Required. Disabled by default. With the unauthorized DHCP server detection enabled, the device puts a...

  • Page 251

    6-8 Configuring the DHCP Relay Agent to Support Option 82 Follow these steps to configure the DHCP relay agent to support Option 82: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enter interface view | interface interface-type interface-number | —; Enable the relay agent to support opti...

  • Page 252

    6-9 The device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message. Displaying and Maintaining DHCP Relay Agent Configuration: To do… | Use the command… | Remarks; Display information about DHCP server groups correlated to a specified or all interfaces | display dhcp relay { a...

  • Page 253

    6-10 Figure 6-3 Network diagram for DHCP relay agent configuration Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP re...

  • Page 254

    6-11 Configuration procedure # Specify IP addresses for the interfaces (omitted). # Enable DHCP. system-view [SwitchA] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [SwitchA] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [SwitchA] interfa...

  • Page 255: DHCP Client Configuration

    7-1 7 DHCP Client Configuration When configuring the DHCP client, go to these sections for information you are interested in: • Introduction to DHCP client • Enabling the DHCP client on an interface • Displaying and maintaining the DHCP client • DHCP client configuration example • The DHCP client co...

  • Page 256

    7-2 • An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. • After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface. • If the IP ...

  • Page 257

    7-3 Configuration procedure 1) Configure Switch A # Enable the DHCP client on VLAN-interface 2. system-view [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address dhcp-alloc 2) Verification # Use the display dhcp client command to view the IP address and other network parameters a...

  • Page 258: DHCP Snooping Configuration

    8-1 8 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: • DHCP snooping overview • Configuring DHCP snooping basic functions • Configuring DHCP snooping to support Option 82 • Displaying and maintaining DHCP snooping • DHCP snoopi...

  • Page 259

    8-2 Recording IP-to-MAC mappings of DHCP clients DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the po...

  • Page 260

    8-3 Figure 8-2 Configure trusted ports in a cascaded network Table 8-1 describes roles of the ports shown in Figure 8-2. Table 8-1 Roles of ports: Device | Untrusted port | Trusted port disabled from recording binding entries | Trusted port enabled to record binding entries; Switch A | GE1/0/1 | GE1/0/3 | GE1/0/...

  • Page 261

    8-4 If a client’s requesting message has… | Handling strategy | Padding format | The DHCP snooping device will…; drop | random | Drop the message; keep | random | Forward the message without changing Option 82; normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal fo...

  • Page 262

    8-5 • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. • You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate inter...

  • Page 265

    8-8 [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthernet1/0/1] quit DHCP Snooping Option 82 Support Configuration Example Network requirements • As shown in Figure 8-3, enable DHCP snooping and Option 82 support on Switch B. • Configure the handling strategy for DHCP requests...

  • Page 266: BOOTP Client Configuration

    9-1 9 BOOTP Client Configuration While configuring a BOOTP client, go to these sections for information you are interested in: • Introduction to BOOTP client • Configuring an interface to dynamically obtain an IP address through BOOTP • Displaying and maintaining BOOTP client configuration • BOOTP c...

  • Page 267

    9-2 Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP Address Dynamically A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition....

  • Page 268

    9-3 Displaying and Maintaining BOOTP Client Configuration: To do… | Use the command… | Remarks; Display related information on a BOOTP client | display bootp client [ interface interface-type interface-number ] | Available in any view. BOOTP Client Configuration Example Network requirement As shown in Figure 9...

  • Page 269: DNS Configuration

    10-1 10 DNS Configuration When configuring DNS, go to these sections for information you are interested in: • DNS overview • Configuring the DNS client • Configuring the DNS proxy • Displaying and maintaining DNS • DNS configuration examples • Troubleshooting DNS configuration This document only cov...

  • Page 270

    10-2 3) The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. 4) The DNS client returns the resolution result to ...

  • Page 271

    10-3 If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS Proxy Introduction to DNS proxy A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 10-2, a DNS client sends a...

  • Page 272

    10-4 Configuring the DNS Client Configuring static domain name resolution Follow these steps to configure static domain name resolution: To do… | Use the command… | Remarks; Enter system view | system-view | —; Configure a mapping between a host name and IP address in the static name resolution table | ip host...

  • Page 273

    10-5 Configuring the DNS Proxy Follow these steps to configure the DNS proxy: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enable DNS proxy | dns proxy enable | Required. Disabled by default. Displaying and Maintaining DNS: To do… | Use the command… | Remarks; Display the static domain name ...

  • Page 274

    10-6 56 data bytes, press ctrl_c to break reply from 10.1.1.2: bytes=56 sequence=1 ttl=128 time=1 ms reply from 10.1.1.2: bytes=56 sequence=2 ttl=128 time=4 ms reply from 10.1.1.2: bytes=56 sequence=3 ttl=128 time=3 ms reply from 10.1.1.2: bytes=56 sequence=4 ttl=128 time=2 ms reply from 10.1.1.2: b...

  • Page 275

    10-7 In Figure 10-5, right click Forward Lookup Zones, select New Zone, and then follow the instructions to create a new zone named com. Figure 10-5 Create a zone # Create a mapping between the host name and IP address. Figure 10-6 Add a host In Figure 10-6, right click zone com, and then select N...

  • Page 276

    10-8 Figure 10-7 Add a mapping between domain name and IP address 2) Configure the DNS client # Enable dynamic domain name resolution. system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com 3) Conf...

  • Page 277

    10-9 DNS Proxy Configuration Example Network requirements • Specify Switch A as the DNS server of Switch B (the DNS client). • Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. • Switch B implements domain name resolution through Switch A. Figure 10-8 Network diagram fo...

  • Page 278

    10-10 # Specify the DNS server 2.1.1.2. [SwitchB] dns server 2.1.1.2 4) Configuration verification # Execute the ping host.com command on Switch B to verify that the communication between the switch and the host is normal and that the corresponding destination IP address is 3.1.1.1. [SwitchB] ping h...

  • Page 279

    11-1 11 IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: • IP performance overview • Enabling reception and forwarding of directed broadcasts to a directly connected network • Configuring TCP optional parameters • C...

  • Page 280

    11-2 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network Follow these steps to enable the device to forward directed broadcasts: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enter interface view | interface interface-type interface-number | —; Enable the interfac...

  • Page 281

    11-3 [SwitchA-Vlan-interface3] ip address 1.1.1.2 24 [SwitchA-Vlan-interface3] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [SwitchA-Vlan-interface2] ip forward-broadcast • Configure Switch B # Ena...

  • Page 282

    11-4 The actual length of the finwait timer is determined by the following formula: actual length of the finwait timer = (configured length of the finwait timer – 75) + configured length of the synwait timer. Configuring ICMP to Send Error Packets Sending error packets is a major function of ICMP. In...

  • Page 283

    11-5 • If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable" ICMP error packet to the source. • When receiving a packet with the destination being local and transport layer protocol bei...

  • Page 284

    11-6 Displaying and Maintaining IP Performance Optimization: To do… | Use the command… | Remarks; Display current TCP connection state | display tcp status; Display TCP connection statistics | display tcp statistics; Display UDP statistics | display udp statistics; Display statistics of IP packets | display ip stati...

  • Page 285: UDP Helper Configuration

    12-1 12 UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: • Introduction to UDP helper • Configuring UDP helper • Displaying and maintaining UDP helper • UDP helper configuration examples UDP helper can be currently configured on VLAN i...

  • Page 286

    12-2 To do… | Use the command… | Remarks; Enter interface view | interface interface-type interface-number | —; Specify the destination server to which UDP packets are to be forwarded | udp-helper server ip-address | Required. No destination server is specified by default. • The UDP helper enabled device cannot fo...

  • Page 287

    12-3 Figure 12-1 Network diagram for UDP helper configuration Configuration procedure The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available. # Enable UDP helper. system-view [SwitchA] udp-helper enable # Enable the forwarding broadcast packets...

  • Page 288: IPv6 Basics Configuration

    13-1 13 IPv6 Basics Configuration When configuring IPv6 basics, go to these sections for information you are interested in: • IPv6 overview • IPv6 basics configuration task list • Configuring basic IPv6 functions • Configuring IPv6 NDP • Configuring PMTU discovery • Configuring IPv6 TCP properties •...

  • Page 289

    13-2 times the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 13-1 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and destination IPv6 addresses...

  • Page 290

    13-3 Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place o...

  • Page 291

    13-4 • Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. • Anycast address: An identifier for a set of interfaces (ty...

  • Page 292

    13-5 • Unassigned address: The unicast address "::" is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet. It cannot be used as a destination IPv6 address. Multicast addr...

  • Page 293

    13-6 Introduction to IPv6 Neighbor Discovery Protocol The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions: • Address resolution • Neighbor reachability detection • Duplicate address detection • Router/prefix discovery and address autocon...

  • Page 294

    13-7 Figure 13-3 Address resolution The address resolution procedure is as follows: 1) Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Node A and the destination address is the solicited-node multicast address of Node B. The NS me...

  • Page 295

    13-8 2) If Node B uses this IPv6 address, Node B returns an NA message. The NA message contains the IPv6 address of Node B. 3) Node A learns that the IPv6 address is being used by Node B after receiving the NA message from Node B. Otherwise, Node B is not using the IPv6 address and Node A can use it...

  • Page 296

    13-9 The path MTU (PMTU) discovery mechanism is to find the minimum MTU of all links in the path from the source to the destination. Figure 13-5 shows the working procedure of PMTU discovery. Figure 13-5 Working procedure of PMTU discovery The working procedure of the PMTU discovery is as follows: 1...

  • Page 297

    13-10 • RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification • RFC 2464: Transmission of IPv6 Packets over Ethernet Networks • RFC 2526: Reserved IPv6 Subnet Anycast Addresses • RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses • RF...

  • Page 298

    13-11 • Manual assignment: IPv6 link-local addresses can be assigned manually. Follow these steps to configure an IPv6 unicast address: To do… | Use the command… | Remarks; Enter system view | system-view | —; Enter interface view | interface interface-type interface-number | —; Manually assign an IPv6 address...

  • Page 299

    13-12 Configuring IPv6 NDP Configuring a static neighbor entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry according...

  • Page 300

    13-13 Configuring parameters related to RA messages You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations. Table 13-4 lists ...

  • Page 301

    13-14 To do… | Use the command… | Remarks; Configure the hop limit | ipv6 nd hop-limit value | Optional. 64 by default; Enter interface view | interface interface-type interface-number | —; Disable the RA message suppression | undo ipv6 nd ra halt | Required. By default, RA messages are suppressed; Configure the maximu...

  • Page 302

    13-15 The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages. Configuring the maximum number of attempts to send an NS message for DAD An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an I...

  • Page 303

    13-16 MTU. After the aging time expires, the dynamic PMTU is removed and the source host re-determines a dynamic path MTU through the PMTU mechanism. The aging time is invalid for a static PMTU. Follow these steps to configure the aging time for dynamic PMTUs: To do… | Use the command… | Remarks; Enter s...

  • Page 304

    13-17 successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored. Follow these steps to configure the capacity and update interval of the token bucket: To do… | Use the command… | Remarks; Enter sys...

  • Page 305

    13-18 Configuring IPv6 DNS Client Configuring static IPv6 domain name resolution Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve ...

  • Page 306

    13-19 Displaying and Maintaining IPv6 Basics Configuration: To do… | Use the command… | Remarks; Display DNS suffix information | display dns domain [ dynamic ]; Display IPv6 dynamic domain name cache information | display dns ipv6 dynamic-host; Display IPv6 DNS server information | display dns ipv6 server [ dyna...

  • Page 307

    13-20 To do… | Use the command… | Remarks; Clear the statistics of all IPv6 UDP packets | reset udp ipv6 statistics. The display dns domain command is the same as the one of IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services Volume. IPv6 Configuration Example Network requirem...

  • Page 308

    13-21 # Specify an aggregatable global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default). [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ipv6 address 2001::1/64 [SwitchA-Vlan-interface1] undo ipv6 nd ra halt •...

  • Page 309

    13-22 intooshorts: 0 intruncatedpkts: 0 inhoplimitexceeds: 0 inbadheaders: 0 inbadoptions: 0 reasmreqds: 0 reasmoks: 0 infragdrops: 0 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 47 outrequests: 89 outforwdatagrams: 48 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreates:...

  • Page 310

    13-23 intooshorts: 0 intruncatedpkts: 0 inhoplimitexceeds: 0 inbadheaders: 0 inbadoptions: 0 reasmreqds: 0 reasmoks: 0 infragdrops: 0 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 159 outrequests: 1012 outforwdatagrams: 35 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreat...

  • Page 311

    13-24 inbadheaders: 0 inbadoptions: 0 reasmreqds: 0 reasmoks: 0 infragdrops: 0 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 117 outrequests: 83 outforwdatagrams: 0 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreates: 0 inmcastpkts: 28 inmcastnotmembers: 0 outmcastpkts: 7...

  • Page 312

    13-25 1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms as shown in the output information, host can ping switch b and switch a. Troubleshooting ipv6 basics configuration symptom the peer ipv6 address cannot be pinged. Solution z use the display current...

  • Page 313: Dual Stack Configuration

    14-1 14 dual stack configuration when configuring dual stack, go to these sections for information you are interested in: z dual stack overview z configuring dual stack dual stack overview dual stack is the most direct approach to making ipv6 nodes compatible with ipv4 nodes. The best way for an ipv...

  • Page 315: Sflow Configuration

    15-1 15 sflow configuration when configuring sflow, go to these sections for information you are interested in: z sflow overview z configuring sflow z displaying and maintaining sflow z sflow configuration example z troubleshooting sflow configuration sflow overview introduction to sflow sampled flow...

  • Page 316

    15-2 3) when the sflow packet buffer overflows or the one-second timer expires, the sflow agent sends sflow packets to the specified sflow collector. Configuring sflow the sflow feature enables the remote sflow collector to monitor the network and analyze sflow packet statistics. Follow these steps ...

  • Page 317

    15-3 sflow configuration example network requirements z host a and server are connected to switch through gigabitethernet 1/0/1 and gigabitethernet 1/0/2 respectively. Z host b works as an sflow collector with ip address 3.3.3.2 and port number 6343, and is connected to switch through gigabitetherne...

  • Page 318

    15-4 collector ip:3.3.3.2 port:6343 interval(s): 30 sflow port information: interface direction rate mode status ge1/0/1 in/out 100000 random active troubleshooting sflow configuration the remote sflow collector cannot receive sflow packets symptom the remote sflow collector cannot receive sflow pac...

  • Page 319: Table of Contents

    I table of contents 1 ip routing overview 1-1 ip routing and routing table ...

  • Page 320

    Ii enabling zero field check on incoming ripv1 messages 3-13 enabling source ip address check on incoming rip updates 3-13 configuring ripv2 message authentication ...

  • Page 321

    Iii 6 route policy configuration 6-1 introduction to route policy ...

  • Page 322: Ip Routing Overview

    1-1 1 ip routing overview go to these sections for information you are interested in: z ip routing and routing table z routing protocol overview z displaying and maintaining a routing table the term “router” in this document refers to a router in a generic sense or a layer 3 switch. Ip routing and r...

  • Page 323

    1-2 z ip address of the next hop: specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the ip address of the next hop. Z priority for the route. Routes to the same destination but having different nexthops may have different prioriti...

  • Page 324

    1-3 routing protocol overview static routing and dynamic routing static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perform routing configuration again whenever the network topolo...

  • Page 326: Static Routing Configuration

    2-1 2 static routing configuration when configuring a static route, go to these sections for information you are interested in: z introduction z configuring a static route z detecting reachability of the static route’s nexthop z displaying and maintaining static routes z static route configuration e...

  • Page 327

    2-2 z the network administrator can configure a default route with both destination and mask being 0.0.0.0. The router forwards any packet whose destination address fails to match any entry in the routing table to the next hop of the default static route. Z some dynamic routing protocols, such as ri...

  • Page 329

    2-4 network requirements to detect the reachability of a static route's nexthop through a track entry, you need to create a track first. For detailed track configuration procedure, refer to track configuration in the system volume. Configuration procedure follow these steps to detect the reachabilit...

  • Page 330

    2-5 figure 2-1 network diagram for static route configuration configuration procedure 1) configuring ip addresses for interfaces (omitted) 2) configuring static routes # configure a default route on switch a. System-view [switcha] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 # configure two static routes...

  • Page 331

    2-6 # display the ip routing table of switch b. [switchb] display ip routing-table routing tables: public destinations : 10 routes : 10 destination/mask proto pre cost nexthop interface 1.1.2.0/24 static 60 0 1.1.4.1 vlan500 1.1.3.0/24 static 60 0 1.1.5.6 vlan600 1.1.4.0/30 direct 0 0 1.1.4.2 vlan50...

  • Page 332: Rip Configuration

    3-1 3 rip configuration the term “router” in this document refers to a router in a generic sense or a layer 3 switch. When configuring rip, go to these sections for information you are interested in: z rip overview z configuring rip basic functions z configuring rip route control z configuring rip n...

  • Page 333

    3-2 z egress interface: packet outgoing interface. Z metric: cost from the local router to the destination. Z route time: time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. Z route tag: identifies a route, used in a routing policy t...

  • Page 334

    3-3 ripv1, a classful routing protocol, supports message advertisement via broadcast only. Ripv1 protocol messages do not carry mask information, which means it can only recognize routing information of natural networks such as class a, b, c. That is why ripv1 does not support discontiguous subnets....

  • Page 335

    3-4 ripv2 message format the format of ripv2 message is similar to ripv1. Figure 3-2 shows it. Figure 3-2 ripv2 message format the differences from ripv1 are stated as following. Z version: version of rip. For ripv2 the value is 0x02. Z route tag: route tag. Z ip address: destination ip address. It ...

  • Page 336

    3-5 z rfc 1723 only defines plain text authentication. For information about md5 authentication, refer to rfc 2453 “rip version 2”. Z with ripv1, you can configure the authentication mode in interface view. However, the configuration will not take effect because ripv1 does not support authentication...

  • Page 337

    3-6 z if you make some rip configurations in interface view before enabling rip, those configurations will take effect after rip is enabled. Z rip runs only on the interfaces residing on the specified networks. Therefore, you need to specify the network after enabling rip to validate rip on a specif...

  • Page 339

    3-8 to do… use the command… remarks enter system view system-view –– enter interface view interface interface-type interface-number –– define an inbound additional routing metric rip metricin [ route-policy route-policy-name ]value optional 0 by default define an outbound additional routing metric r...

  • Page 340

    3-9 you need to disable ripv2 route automatic summarization before advertising a summary route on an interface. Disabling host route reception sometimes a router may receive from the same network many host routes, which are not helpful for routing and consume a large amount of network resources. In ...

  • Page 342

    3-11 to do… use the command… remarks enter system view system-view –– enter rip view rip [ process-id ] –– configure a priority for rip preference [ route-policy route-policy-name ] value optional 100 by default configuring rip route redistribution if a router runs rip and other routing protocols, y...

  • Page 344

    3-13 to do… use the command… remarks enable poison reverse rip poison-reverse required disabled by default enabling zero field check on incoming ripv1 messages some fields in the ripv1 message must be zero. These fields are called zero fields. You can enable zero field check on received ripv1 messag...

  • Page 345

    3-14 in plain text authentication, the authentication information is sent with the rip message, which however cannot meet high security needs. Follow these steps to configure ripv2 message authentication: to do… use the command… remarks enter system view system-view –– enter interface view interface...

  • Page 346

    3-15 follow these steps to bind rip to mib: to do… use the command… remarks enter system view system-view –– bind rip to mib rip mib-binding process-id optional by default, mib is bound to rip process 1. Configuring the rip packet sending rate rip periodically sends routing information in rip packet...

  • Page 347

    3-16 figure 3-4 network diagram for rip version configuration configuration procedure 1) configure an ip address for each interface (only the ip address configuration for the vlan interfaces is given in the following examples) # configure switch a. System-view [switcha] interface vlan-interface 100 ...

  • Page 348

    3-17 destination/mask nexthop cost tag flags sec 10.0.0.0/8 192.168.1.2 1 0 ra 11 from the routing table, you can find that ripv1 uses a natural mask. 3) on switch a and switch b, specify the rip version as ripv2, and disable ripv2 route automatic summarization to advertise all subnet routes. # conf...

  • Page 349

    3-18 figure 3-5 network diagram for rip route redistribution configuration configuration procedure 1) configure an ip address for each interface (omitted). 2) configure basic rip functions. # enable rip 100 and specify rip version 2 on switch a. System-view [switcha] rip 100 [switcha-rip-100] networ...

  • Page 350

    3-19 12.3.1.2/32 direct 0 0 127.0.0.1 inloop0 16.4.1.0/24 direct 0 0 16.4.1.1 vlan400 16.4.1.1/32 direct 0 0 127.0.0.1 inloop0 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 3) configure route redistribution # on switch b, configure rip 200 to redistribute direct ...

  • Page 351

    3-20 configuring an additional metric for a rip interface network requirements as shown in the following figure: z rip is enabled on all the interfaces of switch a, switch b, switch c, switch d, and switch e. The switches are interconnected through ripv2. Z switch a has two links to switch d. The li...

  • Page 352

    3-21 [switchd] rip 1 [switchd-rip-1] network 1.0.0.0 [switchd-rip-1] version 2 [switchd-rip-1] undo summary # configure switch e. System-view [switche] rip 1 [switche-rip-1] network 1.0.0.0 [switche-rip-1] version 2 [switche-rip-1] undo summary # display the ip routing table of switch a. [switcha] d...

  • Page 353

    3-22 if the peer is configured to send multicast messages, the same should be configured on the local end. Solution: z use the display current-configuration command to check rip configuration z use the display rip command to check whether some interface is disabled route oscillation occurred symptom...

  • Page 354

    4-1 4 ipv6 static routing configuration when configuring ipv6 static routing, go to these sections for information you are interested in: z introduction to ipv6 static routing z configuring an ipv6 static route z displaying and maintaining ipv6 static routes z ipv6 static routing configuration examp...

  • Page 355

    4-2 z enabling ipv6 packet forwarding z ensuring that the neighboring nodes are ipv6 reachable configuring an ipv6 static route follow these steps to configure an ipv6 static route: to do… use the commands… remarks enter system view system-view — configure an ipv6 static route ipv6 route-static ipv6...

  • Page 356

    4-3 figure 4-1 network diagram for static routes configuration procedure 1) configure the ipv6 addresses of all vlan interfaces (omitted) 2) configure ipv6 static routes. # configure the default ipv6 static route on switcha. System-view [switcha] ipv6 route-static :: 0 4::2 # configure two ipv6 stat...

  • Page 357

    4-4 nexthop : 1::1 preference : 0 interface : vlan-interface100 cost : 0 destination : 1::1/128 protocol : direct nexthop : ::1 preference : 0 interface : inloop0 cost : 0 destination : fe80::/10 protocol : direct nexthop : :: preference : 0 interface : null0 cost : 0 # verify the connectivity with ...

  • Page 358: Ripng Configuration

    5-1 5 ripng configuration when configuring ripng, go to these sections for information you are interested in: z introduction to ripng z configuring ripng basic functions z configuring ripng route control z tuning and optimizing the ripng network z displaying and maintaining ripng z ripng configurati...

  • Page 359

    5-2 each ripng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information: z destination address: ipv6 address of a host or a network. Z next hop address: ipv6 address of a neighbor along the path to the destination. Z...

  • Page 360

    5-3 figure 5-3 ipv6 prefix rte format ipv6 prefix (16 octets) route tag prefix length metric 0 7 15 31 z ipv6 prefix: destination ipv6 address prefix. Z route tag: route tag. Z prefix len: length of the ipv6 address prefix. Z metric: cost of a route. Ripng packet processing procedure request packet ...

  • Page 361

    5-4 z configure an ip address for each interface, and make sure all nodes are reachable to one another. Configuration procedure follow these steps to configure the basic ripng functions: to do… use the command… remarks enter system view system-view –– create a ripng process and enter ripng view ripn...

  • Page 362

    5-5 the inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route’s metric is changed. Follow these steps to configure an inbound/outbound additional routing metric: to do… use the command… remarks enter system view system-vie...

  • Page 363

    5-6 configuring a ripng route filtering policy you can reference a configured ipv6 acl or prefix list to filter received/advertised routing information as needed. For filtering outbound routes, you can also specify a routing protocol from which to filter routing information redistributed. Follow the...

  • Page 364

    5-7 tuning and optimizing the ripng network this section describes how to tune and optimize the performance of the ripng network as well as applications under special network environments. Before tuning and optimizing the ripng network, complete the following tasks: z configure a network layer addre...

  • Page 365

    5-8 same interface to prevent routing loops between neighbors. Follow these steps to configure split horizon: to do… use the command… remarks enter system view system-view –– enter interface view interface interface-type interface-number –– enable the split horizon function ripng split-horizon optio...

  • Page 366

    5-9 displaying and maintaining ripng to do… use the command… remarks display configuration information of a ripng process display ripng [ process-id ] available in any view display routes in the ripng database display ripng process-id database available in any view display the routing information of...

  • Page 367

    5-10 [switchb] interface vlan-interface 200 [switchb-vlan-interface200] ripng 1 enable [switchb-vlan-interface200] quit [switchb] interface vlan-interface 100 [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # configure switch c. System-view [switchc] ripng 1 [switchc-ripn...

  • Page 368

    5-11 via fe80::200:2ff:fe64:8904, cost 2, tag 0, a, 31 sec dest 5::/64, via fe80::200:2ff:fe64:8904, cost 2, tag 0, a, 31 sec dest 3::/64, via fe80::200:2ff:fe64:8904, cost 1, tag 0, a, 31 sec 3) configure switch b to filter incoming and outgoing routes. [switchb] acl ipv6 number 2000 [switchb-acl6-...

  • Page 369: Route Policy Configuration

    6-1 6 route policy configuration a route policy is used on a router for route filtering and attributes modification when routes are received, advertised, or redistributed. When configuring route policy, go to these sections for information you are interested in: z introduction to route policy z rout...

  • Page 370

    6-2 an ip prefix list is configured to match the destination address of routing information. Moreover, you can use the gateway option to allow only routing information from certain routers to be received. For gateway option information, refer to rip commands in the ip routing volume. An ip prefix li...

  • Page 371

    6-3 defining an ip-prefix list define an ipv4 prefix list identified by name, an ipv4 prefix list can comprise multiple items. Each item specifies a prefix range to match and is identified by an index number. An item with a smaller index number is matched first. If one item is matched, the ip prefix...

  • Page 372

    6-4 if all items are set to the deny mode, no routes can pass the ipv6 prefix list. Therefore, you need to define the permit :: 0 less-equal 128 item following multiple deny items to allow other ipv6 routing information to pass. For example, the following configuration filters routes 2000:1::/48, 20...

  • Page 373

    6-5 z if a route policy node has the permit keyword specified, routing information matching all the if-match clauses of the node will be handled using the apply clauses of this node, without needing to match against the next node. If routing information does not match the node, it will go to the nex...

  • Page 374

    6-6 z the if-match clauses of a route policy node are in logic and relationship, namely, routing information has to satisfy all its if-match clauses before being executed with its apply clauses. Z you can specify no or multiple if-match clauses for a route policy node. If no if-match clause is speci...

  • Page 375

    6-7 displaying and maintaining the route policy to do… use the command… remarks display ipv4 prefix list statistics display ip ip-prefix [ ip-prefix-name ] display ipv6 prefix list statistics display ip ipv6-prefix [ ipv6-prefix-name ] display route policy information display route-policy [ route-po...

  • Page 376

    6-8 [switcha-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [switcha-acl-basic-2000] rule permit source any [switcha-acl-basic-2000] quit # redistribute static routes. [switcha] rip [switcha-rip-1] import-route static # apply acl 2000 to filter the routing information to be advertised to sw...

  • Page 377

    6-9 figure 6-2 network diagram for route policy application to route redistribution configuration procedure 1) configure switch a. # configure ipv6 addresses for vlan-interface 100 and vlan-interface 200. System-view [switcha] ipv6 [switcha] interface vlan-interface 100 [switcha-vlan-interface100] i...

  • Page 378

    6-10 [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # enable ripng. [switchb] ripng # display ripng routing table information. [switchb-ripng-1] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-collect --------------------------------------------...

  • Page 379: Table of Contents

    I table of contents 1 multicast overview 2-1 introduction to multicast ...

  • Page 380

    Ii configuring group policy and simulated joining 2-19 static port configuration 2-21 igmp snooping querier configur...

  • Page 381

    Iii configuring maximum multicast groups that can be joined on a port 4-16 configuring ipv6 multicast group replacement 4-17 displaying and maintaining mld snooping ...

  • Page 382: Multicast Overview

    2-1 1 multicast overview this manual chiefly focuses on the ip multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to ip multicast. Introduction to multicast as a technique coexisting with unicast and broadcast, the multicast technique ef...

  • Page 383

    2-2 figure 1-1 unicast transmission source receiver receiver receiver host a host b host c host d host e packets for host b packets for host d packets for host e ip network assume that host b, host d and host e need the information. A separate transmission channel needs to be established from the in...

  • Page 384

    2-3 figure 1-2 broadcast transmission assume that only host b, host d, and host e need the information. If the information is broadcast to the subnet, host a and host c also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet. Therefore, broad...

  • Page 385

    2-4 figure 1-3 multicast transmission the multicast source (source in the figure) sends only one copy of the information to a multicast group. Host b, host d and host e, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the inf...

  • Page 386

    2-5 for a better understanding of the multicast concept, you can assimilate multicast transmission to the transmission of tv programs, as shown in table 1-1 . Table 1-1 an analogy between tv transmission and multicast transmission tv transmission multicast transmission a tv station transmits a tv pr...

  • Page 387

    2-6 asm model in the asm model, any sender can send information to a multicast group as a multicast source, and numbers of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of ...

  • Page 388

    2-7 multicast addresses to allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast ip addresses must be provided. In addition, a technique must be available to map multicast ip addresses to link-layer multicast mac addresses. Ip...

  • Page 389

    2-8 address description 224.0.0.7 shared tree (st) routers 224.0.0.8 st hosts 224.0.0.9 routing information protocol version 2 (ripv2) routers 224.0.0.11 mobile agents 224.0.0.12 dynamic host configuration protocol (dhcp) server/relay agent 224.0.0.13 all protocol independent multicast (pim) routers...

  • Page 390

    2-9 bit description t z when set to 0, it indicates that this address is an ipv6 multicast address permanently-assigned by iana z when set to 1, it indicates that this address is a transient, or dynamically assigned ipv6 multicast address z scope: 4 bits, indicating the scope of the ipv6 internetwor...

  • Page 391

    2-10 the high-order four bits of a multicast ipv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a mac address, so five bits of the multicast ipv4 address are lost. As a result, 32 multicast ipv4 addresses map to the sam...

  • Page 392

    2-11 figure 1-8 positions of layer 3 multicast protocols 1) multicast management protocols typically, the internet group management protocol (igmp) or multicast listener discovery protocol (mld) is used between hosts and layer 3 multicast devices directly connected with the hosts. These protocols de...

  • Page 393

    2-12 figure 1-9 position of layer 2 multicast protocols source receiver receiver ipv4/ipv6 multicast packets igmp snooping /mld snooping multicast vlan /ipv6 multicast vlan 2) igmp snooping/mld snooping running on layer 2 devices, internet group management protocol snooping (igmp snooping) and multi...

  • Page 394: Igmp Snooping Configuration

    2-1 2 igmp snooping configuration when configuring igmp snooping, go to the following sections for information you are interested in: z igmp snooping overview z igmp snooping configuration task list z displaying and maintaining igmp snooping z igmp snooping configuration examples z troubleshooting i...

  • Page 395

    2-2 z reducing layer 2 broadcast packets, thus saving network bandwidth. Z enhancing the security of multicast traffic. Z facilitating the implementation of per-host accounting. Basic concepts in igmp snooping igmp snooping related ports as shown in figure 2-2 , router a connects to the multicast so...

  • Page 396

    2-3 aging timers for dynamic ports in igmp snooping and related messages and actions table 2-1 aging timers for dynamic ports in igmp snooping and related messages and actions timer description message before expiry action after expiry dynamic router port aging timer for each dynamic router port, th...

  • Page 397

    2-4 when receiving a membership report a host sends an igmp report to the igmp querier in the following circumstances: z upon receiving an igmp query, a multicast group member host responds with an igmp report. Z when intended to join a multicast group, a host sends an igmp report to the igmp querie...

  • Page 398

    2-5 upon receiving the igmp leave message from a host, the igmp querier resolves the multicast group address in the message and sends an igmp group-specific query to that multicast group through the port that received the leave message. Upon receiving the igmp group-specific query, the switch forwar...

  • Page 399

    2-6 z configurations made in igmp snooping view are effective for all vlans, while configurations made in vlan view are effective only for ports belonging to the current vlan. For a given vlan, a configuration made in igmp snooping view is effective only if the same configuration is not made in vlan...

  • Page 400

    2-7 z igmp snooping must be enabled globally before it can be enabled in a vlan. Z when you enable igmp snooping in a specified vlan, this function takes effect for the ports in this vlan only. Configuring the version of igmp snooping by configuring an igmp snooping version, you actually configure t...

  • Page 401

    2-8 configuring aging timers for dynamic ports if the switch receives no igmp general queries or pim hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no igmp reports for a multicast group o...

  • Page 402

    2-9 follow these steps to configure static ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach configure ...

  • Page 403

    2-10 follow these steps to configure simulated joining: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach conf...

  • Page 404

    2-11 configuring fast leave processing on a port or a group of ports follow these steps to configure fast leave processing on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate...

  • Page 405

    2-12 it is meaningless to configure an igmp snooping querier in a multicast network running igmp. Although an igmp snooping querier does not take part in igmp querier elections, it may affect igmp querier elections because it sends igmp general queries with a low source ip address. Configuring igmp ...

  • Page 406

    2-13 to do... Use the command... Remarks configure the maximum response time to igmp general queries igmp-snooping max-response-time interval optional 10 seconds by default configure the igmp last-member query interval igmp-snooping last-member-query-interval interval optional 1 second by default in...

  • Page 407

    2-14 before configuring an igmp snooping policy, prepare the following data: z acl rule for multicast group filtering z the maximum number of multicast groups that can pass the ports configuring a multicast group filter on an igmp snooping–enabled switch, the configuration of a multicast group allow...

  • Page 408

    2-15 if this feature is disabled on a port, the port can be connected with both multicast sources and multicast receivers. Configuring multicast source port filtering globally follow these steps to configure multicast source port filtering globally: to do... Use the command... Remarks enter system v...

  • Page 409

    2-16 to do... Use the command... Remarks enable the function of dropping unknown multicast data igmp-snooping drop-unknown required disabled by default configuring igmp report suppression when a layer 2 device receives an igmp report from a multicast group member, the device forwards the message to ...

  • Page 410

    2-17 z when the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries persistent to that port from the igmp snooping forwarding table, and the hosts on this port need to join the multicast groups again. Z if you have configu...

  • Page 411

    2-18 configuring multicast group replacement on a port or a group of ports follow these steps to configure multicast group replacement on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/laye...

  • Page 412

    2-19 igmp snooping configuration examples configuring group policy and simulated joining network requirements z as shown in figure 2-3 , router a connects to the multicast source through gigabitethernet 1/0/2 and to switch a through gigabitethernet 1/0/1. Z igmpv2 is required on router a, igmp snoop...

  • Page 413

    2-20 [routera-gigabitethernet1/0/2] pim dm [routera-gigabitethernet1/0/2] quit 3) configure switch a # enable igmp snooping globally. System-view [switcha] igmp-snooping [switcha-igmp-snooping] quit # create vlan 100, assign gigabitethernet 1/0/1 through gigabitethernet 1/0/4 to this vlan, and enabl...

  • Page 414

    2-21
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:0100-5e01-0101
    Host port(s):total 2 port.
    GE1/0/3 GE1/...

  • Page 415

    2-22 Network diagram. Figure 2-4 Network diagram for static port configuration (figure: Source 1.1.1.1/24; Router A, IGMP querier, GE1/0/1 10.1.1.1/24, GE1/0/2 1.1.1.2/24; Switch A, Switch B, Switch C; Host A, Host B, Host C as receivers) ...

  • Page 416

    2-23
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    4) Configure Switch B
    # Enable IGMP snooping globally.
    syst...

  • Page 417

    2-24
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3 (S)
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Attribute: Host Port
    Host port(s):total...

  • Page 418

    2-25 IGMP snooping querier configuration. Network requirements:
      - As shown in Figure 2-5, in a Layer 2–only network environment, two multicast sources, Source 1 and Source 2, send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively; Host A and Host C are receivers of multicast group...

  • Page 419

    2-26
    # Enable the IGMP snooping querier function in VLAN 100.
    [SwitchA-vlan100] igmp-snooping querier
    # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
    [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
    [SwitchA-vlan100] igmp-s...

  • Page 420

    2-27 Troubleshooting IGMP snooping configuration. Switch fails in Layer 2 multicast forwarding. Symptom: a switch fails to implement Layer 2 multicast forwarding. Analysis: IGMP snooping is not enabled. Solution: 1) Enter the display current-configuration command to view the running status of IGMP snoopi...

  • Page 421: Multicast Vlan Configuration

    3-1 3 Multicast VLAN configuration. When configuring multicast VLAN, go to these sections for information you are interested in:
      - Introduction to multicast VLAN
      - Multicast VLAN configuration task list
      - Configuring sub-VLAN-based multicast VLAN
      - Configuring port-based multicast VLAN
      - Displaying a...

  • Page 422

    3-2 Figure 3-2 Sub-VLAN-based multicast VLAN (figure: Source; Router A, IGMP querier; Switch A; receivers Host A, Host B, Host C in VLAN 2, VLAN 3, VLAN 4; multicast packets carried in VLAN 10, the multicast VLAN). After the configuration, IGMP snooping manages router ports in the multicast VLAN an...

  • Page 423

    3-3
      - For information about IGMP snooping, router ports, and member ports, refer to IGMP snooping configuration in the IP Multicast Volume.
      - For information about VLAN tags, refer to VLAN configuration in the Access Volume.
    Multicast VLAN configuration task list: complete the following tasks to conf...

  • Page 424

    3-4
      - The VLAN to be configured as a multicast VLAN must exist.
      - The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN.
      - The total number of sub-VLANs of a multicast VLAN must not exceed 63.
    Configuring port-based multicast VLA...

  • Page 426

    3-6 Configuring multicast VLAN ports in port view or port group view: follow these steps to configure multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks): enter system view: system-view (—); configure the specified VLAN as a multicast VLAN and enter multicast VLAN view: m...

  • Page 427

    3-7
      - Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    Network diagram: Figure 3-4 Network diagram for sub-VLAN-based multicast ...

  • Page 428

    3-8
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabiteth...

  • Page 429

    3-9
    Vlan(id):3.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 0 port.
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:224.1.1.1
    (0.0.0.0, 224.1.1.1):
    Host port(s):total 1 port.
    GE1/0/3 (D)
    MAC group(s):
    MAC group address:0100-5e0...

  • Page 430

    3-10 Port-based multicast VLAN configuration. Network requirements:
      - As shown in Figure 3-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2.
      - IGMPv2 is required on Router A. IGMPv2 snooping is required on Switch A. Route...

  • Page 431

    3-11
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    3) Configure Switch A
    # Enable IGMP snooping globally.
    system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10...

  • Page 432

    3-12
    Total 1 multicast-vlan(s)
    Multicast vlan 10
    subvlan list:
    no subvlan
    port list:
    GE1/0/2 GE1/0/3 GE1/0/4
    # View the IGMP snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic ...

  • Page 433: Mld Snooping Configuration

    4-1 4 MLD snooping configuration. When configuring MLD snooping, go to these sections for information you are interested in:
      - MLD snooping overview
      - MLD snooping configuration task list
      - Displaying and maintaining MLD snooping
      - MLD snooping configuration examples
      - Troubleshooting MLD snooping
    ML...

  • Page 434

    4-2
      - Reducing Layer 2 broadcast packets, thus saving network bandwidth.
      - Enhancing the security of multicast traffic.
      - Facilitating the implementation of per-host accounting.
    Basic concepts in MLD snooping. MLD snooping related ports: as shown in Figure 4-2, Router A connects to the multicast sour...

  • Page 435

    4-3
      - Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router.
      - Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports.
      - On an MLD snooping-enabled switch, the ports that recei...

  • Page 436

    4-4 General queries: the MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the...

  • Page 437

    4-5
      - If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port.
      - If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD d...

  • Page 438

    4-6 (Task / Remarks) Configuring an MLD snooping policy: configuring an IPv6 multicast group filter (optional); configuring IPv6 multicast source port filtering (optional); configuring MLD report suppression (optional); configuring maximum multicast groups that can be joined on a port (optional). Configuring IPv6 mu...

  • Page 439

    4-7 (To do... / Use the command... / Remarks) Enter VLAN view: vlan vlan-id (—). Enable MLD snooping in the VLAN: mld-snooping enable (required; disabled by default).
      - MLD snooping must be enabled globally before it can be enabled in a VLAN.
      - When you enable MLD snooping in a specified VLAN, this function takes ...

  • Page 440

    4-8
      - Configure the corresponding port groups
    Before configuring MLD snooping port functions, prepare the following data:
      - Aging time of dynamic router ports,
      - Aging timer of dynamic member ports, and
      - IPv6 multicast group and IPv6 multicast source addresses
    Configuring aging timers for dynamic p...

  • Page 441

    4-9 Follow these steps to configure static ports (To do... / Use the command... / Remarks): enter system view: system-view (—); interface interface-type interface-number: enter Ethernet port/Layer 2 aggregate port view, or port group view: port-group manual port-group-name (required; use either approach); configure ...

  • Page 442

    4-10 Follow these steps to configure simulated joining (To do... / Use the command... / Remarks): enter system view: system-view (—); interface interface-type interface-number: enter Ethernet port/Layer 2 aggregate port view, or port group view: port-group manual port-group-name (required; use either approach); conf...

  • Page 443

    4-11 Configuring fast leave processing on a port or a group of ports: follow these steps to configure fast leave processing on a port or a group of ports (To do... / Use the command... / Remarks): enter system view: system-view (—); interface interface-type interface-number: enter Ethernet port/Layer 2 aggregat...

  • Page 444

    4-12 (To do... / Use the command... / Remarks) Enter system view: system-view (—). Enter VLAN view: vlan vlan-id (—). Enable the MLD snooping querier: mld-snooping querier (required; disabled by default). It is meaningless to configure an MLD snooping querier in an IPv6 multicast network running MLD. Although an MLD s...

  • Page 445

    4-13 Configuring MLD queries and responses in a VLAN: follow these steps to configure MLD queries and responses in a VLAN (To do... / Use the command... / Remarks): enter system view: system-view (—); enter VLAN view: vlan vlan-id (—); configure MLD query interval: mld-snooping query-interval interval (optional; 125 s...

  • Page 446

    4-14 Configuring an MLD snooping policy. Configuration prerequisites: before configuring an MLD snooping policy, complete the following tasks:
      - Enable MLD snooping in the VLAN
    Before configuring an MLD snooping policy, prepare the following data:
      - IPv6 ACL rule for IPv6 multicast group filtering
      - T...

  • Page 447

    4-15 (To do... / Use the command... / Remarks) Configure an IPv6 multicast group filter: mld-snooping group-policy acl6-number [ vlan vlan-list ] (required; by default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group). Configuring IPv6 mul...

  • Page 448

    4-16 Configuring MLD report suppression: when a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 de...

  • Page 449

    4-17
      - When the number of IPv6 multicast groups that can be joined on a port reaches the maximum number configured, the system deletes all the forwarding entries persistent to that port from the MLD snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
      - If ...

  • Page 450

    4-18 Configuring IPv6 multicast group replacement on a port or a group of ports: follow these steps to configure IPv6 multicast group replacement on a port or a group of ports (To do... / Use the command... / Remarks): enter system view: system-view (—); interface interface-type interface-number: enter Ethernet...

  • Page 451

    4-19 MLD snooping configuration examples. Configuring IPv6 group policy and simulated joining. Network requirements:
      - As shown in Figure 4-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. Router A is the MLD querier on the ...

  • Page 452

    4-20
    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    3) Configure Switch A
    # Enable MLD snooping globally.
    system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and ena...

  • Page 453

    4-21
    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:3333-0000-1001
    Host port(s):total 2 port.
    GE1/0/3 GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4...

  • Page 454

    4-22 Network diagram. Figure 4-4 Network diagram for static port configuration (figure: Source 1::1/64; Router A, MLD querier, GE1/0/1 2001::1/64, GE1/0/2 1::2/64; Switch A, Switch B, Switch C; Host A, Host B, Host C as receivers) ...

  • Page 455

    4-23
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    4) Configure Switch B
    # Enable MLD snooping globally.
    system...

  • Page 456

    4-24
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3 (S)
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 1 po...

  • Page 457

    4-25 MLD snooping querier configuration. Network requirements:
      - As shown in Figure 4-5, in a Layer-2-only network environment, two multicast sources, Source 1 and Source 2, send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively; Host A and Host C are receivers of multicast g...

  • Page 458

    4-26
    [SwitchB] ipv6
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable the MLD snooping feature in VLAN 100.
    [Sw...

  • Page 459

    4-27 Configured IPv6 multicast group policy fails to take effect. Symptom: although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis:
      - The IPv6 ACL rule is incor...

  • Page 460

    5-1 5 IPv6 multicast VLAN configuration. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
      - Introduction to IPv6 multicast VLAN
      - Multicast VLAN configuration task list
      - Configuring IPv6 sub-VLAN-based IPv6 multicast VLAN
      - Configuring port-based IPv6...

  • Page 461

    5-2 Figure 5-2 Sub-VLAN-based IPv6 multicast VLAN (figure: Source; Router A, MLD querier; Switch A; receivers Host A, Host B, Host C in VLAN 2, VLAN 3, VLAN 4; IPv6 multicast packets carried in VLAN 10, the IPv6 multicast VLAN). After the configuration, MLD snooping manages router ports in the IPv6...

  • Page 462

    5-3
      - For information about MLD snooping, router ports, and member ports, refer to MLD snooping configuration in the IP Multicast Volume.
      - For information about VLAN tags, refer to VLAN configuration in the Access Volume.
    IPv6 multicast VLAN configuration task list: complete the following tasks to c...

  • Page 463

    5-4 (To do… / Use the command… / Remarks) Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN: subvlan vlan-list (required; by default, an IPv6 multicast VLAN has no sub-VLANs).
      - The VLAN to be configured as an IPv6 multicast VLAN must exist.
      - The VLANs to be configured as the sub-VLAN...

  • Page 464

    5-5 (To do... / Use the command... / Remarks) Enter system view: system-view (—). Interface interface-type interface-number: enter port view, or port group view: port-group manual port-group-name (required; use either approach). Configure the user port link type as hybrid: port link-type hybrid (required; access by def...

  • Page 465

    5-6 Configure IPv6 multicast VLAN ports in interface view or port group view: follow these steps to configure IPv6 multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks): enter system view: system-view (—); configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6...

  • Page 466

    5-7
      - Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    Figure 5-4 Network diagram for sub-VLAN-based IPv6 multic...

  • Page 467

    5-8
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10]...

  • Page 468

    5-9
    IP group(s):the following ip group(s) match to one mac group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Host port(s):total 1 port.
    GE1/0/3 (D)
    MAC group(s):
    MAC group address:3333-0000-0101
    Host port(s):total 1 port.
    GE1/0/3
    Vlan(id):4.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Gr...

  • Page 469

    5-10
      - Switch A's GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A.
      - The IPv6 multicast source sends i...

  • Page 470

    5-11
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD snooping in the VLAN.
    [SwitchA] vlan 2
    [Switch...

  • Page 471

    5-12
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Router port(s):total 1 port.
    GE1/0/1 (D)
    IP group(s):the following ip group(s) match to one mac grou...

  • Page 472: Table of Contents

    I Table of Contents: 1 QoS overview (1-1); Introduction to QoS ...

  • Page 473

    II Configuration procedure (4-6); Configuration example (4-6); Configuring th...

  • Page 474

    III Class-based accounting configuration example (10-2); 11 User profile configuration (11-1); User profile overview ...

  • Page 475: Qos Overview

    1-1 1 QoS overview. This chapter covers the following topics:
      - Introduction to QoS
      - Introduction to QoS service models
      - QoS techniques overview
    Introduction to QoS: for network traffic, the quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. I...

  • Page 476

    1-2 requested, reserved, and pre-purchased resources. The IntServ model can definitely identify and guarantee QoS for each data flow, and provides the most granularly differentiated QoS. However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data tra...

  • Page 477

    1-3
      - Congestion management provides a resource scheduling policy to arrange the forwarding sequence of packets when congestion occurs. Congestion management is usually applied to the outgoing traffic of a port.
      - Congestion avoidance monitors the usage status of network resources and is usually app...

  • Page 478: Qos Configuration Approaches

    2 QoS configuration approaches. This chapter covers the following topics:
      - QoS configuration approach overview
      - Configuring a QoS policy
    QoS configuration approach overview: two approaches are available for you to configure QoS: policy-based and non-policy-based. Some QoS features can be configured ...

  • Page 479

    Configuring a QoS policy: Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure (flowchart: define a class; define a behavior; define a policy; apply the policy, either to an interface, to online users, to a VLAN, or globa...

  • Page 481

    (Form / Description) service-dot1p 8021p-list: specifies to match packets by the 802.1p priority of the service provider network. The 8021p-list argument is a list of CoS values in the range of 0 to 7. Even though you can provide up to eight space-separated CoS values for this argument, the Switch 4510G seri...

  • Page 482

    Defining a policy: in a policy, you can define multiple class-behavior associations. A behavior is performed for the associated class of packets. In this way, various QoS features can be implemented. Follow these steps to associate a class with a behavior in a policy (To do… / Use the command… / Remarks): ...

  • Page 483

      - You cannot modify the classification rules, traffic behaviors, and classifier-behavior associations in a QoS policy already applied. To check whether a QoS policy has been applied successfully, use the display qos policy global command and the display qos policy interface command.
      - The switch may...

  • Page 484

    (To do… / Use the command… / Remarks) Enter user profile view: user-profile profile-name dot1x (required). The configuration made in user profile view takes effect when the user profile is activated and there are online users. Refer to User profile configuration in the QoS Volume for more information about us...

  • Page 485

      - QoS policies cannot be applied to dynamic VLANs, for example, VLANs created by GVRP.
      - Do not apply a QoS policy to a VLAN and the ports in the VLAN at the same time.
      - A QoS policy containing any of the nest, remark customer-vlan-id, and remark service-vlan-id actions cannot be applied to a VLAN....

  • Page 486

    (To do… / Use the command… / Remarks) Clear the statistics of a global QoS policy: reset qos policy global [ inbound ] (available in user view). Clear the statistics of QoS policies applied to VLANs: reset qos vlan-policy [ vlan vlan-id ] [ inbound ] (available in user view).

  • Page 487

    3-1 3 Priority mapping configuration. When configuring priority mapping, go to these sections for information you are interested in:
      - Priority mapping overview
      - Priority mapping configuration tasks
      - Configuring priority mapping
      - Displaying and maintaining priority mapping
      - Priority mapping confi...

  • Page 488

    3-2 The default priority mapping tables (as shown in Appendix B Default priority mapping tables) are available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority mapping table cannot meet your requirements, you can modify the priority mapping table as r...

  • Page 489

    3-3 Figure 3-1 Priority mapping procedure for an Ethernet packet (flowchart boxes: receive a packet on a port; which priority is trusted on the port?; use the port priority as the 802.1p priority for priority mapping; look up the dot1p-dp and dot1p-lp mapping tables; mark the packet with local precedence and drop prece...

  • Page 490

    3-4 (Task / Remarks) Configuring a priority mapping table: optional. Configuring the priority trust mode on a port: optional. Configuring the port priority of a port: optional. Configuring priority mapping. Configuring a priority mapping table: follow these steps to configure an uncolored priority mapping table...

  • Page 491

    3-5 (To do… / Use the command… / Remarks) Trust the port priority: undo qos trust. Display the priority trust mode configuration on the port: display qos trust interface [ interface-type interface-number ] (optional; available in any view). Configuring the port priority of a port: you can change the port priority...

  • Page 492

    3-6 Network requirements: as shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows:
      - The marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketin...

  • Page 493

    3-7 Figure 3-2 Network diagram for priority mapping table and priority marking configuration (figure: Device with ports GE1/0/1 through GE1/0/5; marketing department, R&D department, management department, each with hosts and servers; public servers; Internet). Configuration procedure: 1) Configure trust...

  • Page 494

    3-8 3) Configure priority marking. # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6,...

  • Page 495: Configuration

    4-1 4 Traffic policing, traffic shaping, and line rate configuration. When configuring traffic policing, traffic shaping and line rate, go to these sections for information you are interested in:
      - Traffic policing, traffic shaping, and line rate overview
      - Configuring traffic policing
      - Configuring ...

  • Page 496

    4-2 One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, it means...

  • Page 497

    4-3 Traffic policing is widely used in policing traffic entering the networks of Internet service providers (ISPs). It can classify the policed traffic and perform pre-defined policing actions based on different evaluation results. These actions include:
      - Forwarding the traffic if the evaluation re...

  • Page 498

    4-4 Figure 4-3 GTS application. You can perform traffic shaping for the packets on the outgoing interface of Switch A to avoid unnecessary packet loss. Packets exceeding the limit are cached in Switch A. Once resources are released, traffic shaping takes out the cached packets and sends them out. In ...

  • Page 499

    4-5 the required number of tokens are generated in the token bucket. Thus, the traffic rate is restricted to the rate at which tokens are generated, which limits the traffic rate while still allowing bursty traffic. Line rate can only limit the total traffic rate on a physical port, while traffic policing can limit the ra...

  • Page 500

    4-6
    [Sysname-acl-adv-3000] rule permit tcp destination-port eq 80
    [Sysname-acl-adv-3000] quit
    # Create a class named http, and reference ACL 3000 in the class to match HTTP traffic.
    [Sysname] traffic classifier http
    [Sysname-classifier-http] if-match acl 3000
    [Sysname-classifier-http] quit
    # Configu...

  • Page 501

    4-7 [Sysname-GigabitEthernet1/0/1] qos gts queue 1 cir 512. Configuring the line rate. Configuration procedure: follow these steps to configure the line rate (To do… / Use the command… / Remarks): enter system view: system-view (—); enter interface view: interface interface-type interface-number (enter interface v...

  • Page 503

    5-1 5 Congestion management configuration. When configuring hardware congestion management, go to these sections for information you are interested in:
      - Congestion management overview
      - Congestion management configuration approaches
      - Configuring congestion management
      - Displaying and maintaining co...

  • Page 504

    5-2 Each queuing algorithm addresses a particular network traffic problem, and which algorithm is used affects bandwidth resource assignment, delay, and jitter significantly. The Switch 4510G series supports the following four queue scheduling methods:
      - Scheduling all queues with the strict priority ...

  • Page 505

    5-3 Figure 5-3 Schematic diagram for WRR queuing. Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight valu...

  • Page 506

    5-4
      - Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole.
    Compared with FQ, WFQ takes weights into account when determining...

  • Page 507

    5-5 (Task / Remarks) Configure WRR queuing: optional. Configuring WFQ queuing: optional. Configuring SP+WRR queues: optional. Configuring congestion management. Configuring SP queuing. Configuration procedure: follow these steps to configure SP queuing (To do… / Use the command… / Remarks): enter system view: system-vi...

  • Page 508

    5-6 (To do… / Use the command… / Remarks) Enter interface view: interface interface-type interface-number; or enter port group view: port-group manual port-group-name (use either command; settings in interface view take effect on the current interface; settings in port grou...

  • Page 509

    5-7 (To do… / Use the command… / Remarks) ...group view. Enter port group view: port-group manual port-group-name (settings in port group view take effect on all ports in the port group). Enable WFQ queuing: qos wfq (required; by default, all the ports adopt the WRR queue scheduling algorithm, with the weight value...

  • Page 510

    5-8 (To do… / Use the command… / Remarks) Enter interface view: interface interface-type interface-number; or enter port group view: port-group manual port-group-name (use either command; settings in interface view take effect on the current interface; settings in port grou...

  • Page 511

    5-9 Displaying and maintaining congestion management (To do… / Use the command… / Remarks): display WRR queue configuration information: display qos wrr interface [ interface-type interface-number ]; display SP queue configuration information: display qos sp interface [ interface-type interface-number ]; displ...

  • Page 512

    6-1 6 Traffic filtering configuration. When configuring traffic filtering, go to these sections for information you are interested in:
      - Traffic filtering overview
      - Configuring traffic filtering
      - Traffic filtering configuration example
    Traffic filtering overview: you can filter in or filter out a cl...

  • Page 513

    6-2 (To do… / Use the command… / Remarks) ...globally: applying the QoS policy globally (—). Display the traffic filtering configuration: display traffic behavior user-defined [ behavior-name ] (optional; available in any view). With filter deny configured for a traffic behavior, the other actions (except class-based...

  • Page 514

    6-3
    [DeviceA-qospolicy-policy] quit
    # Apply the policy named policy to the incoming traffic of GigabitEthernet 1/0/1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] qos apply policy policy inbound

  • Page 515

    7-1 7 Priority marking configuration. When configuring priority marking, go to these sections for information you are interested in:
      - Priority marking overview
      - Configuring priority marking
      - Priority marking configuration example
    Priority marking overview: priority marking can be used together with...

  • Page 516

    7-2 to do… | use the command… | remarks
    set the ip precedence for packets | remark ip-precedence ip-precedence-value | optional
    set the local precedence for packets | remark local-precedence local-precedence | optional
    exit behavior view | quit | —
    create a policy and enter policy view | qos policy policy-name | —
    asso...

  • Page 517

    7-3 figure 7-1 network diagram for priority marking configuration (internet, host a, host b, device; data server 192.168.0.1/24, mail server 192.168.0.2/24, file server 192.168.0.3/24; ports ge1/0/1, ge1/0/2)
    configuration procedure
    # create advanced acl 3000, and configure a rule to match packets with destination ...

  • Page 518

    7-4 [device] traffic behavior behavior_dbserver
    [device-behavior-behavior_dbserver] remark local-precedence 4
    [device-behavior-behavior_dbserver] quit
    # create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior.
    [device] traffic be...

  • Page 519

    8-1 8 traffic redirecting configuration
    when configuring traffic redirecting, go to these sections for information you are interested in:
    • traffic redirecting overview
    • configuring traffic redirecting
    traffic redirecting overview
    traffic redirecting: traffic redirecting is the action of redirecting...

  • Page 520

    8-2 to do… | use the command… | remarks
    globally | applying the qos policy globally | —
    • generally, the action of redirecting traffic to the cpu and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior.
    • you can use the display traffic behav...

  • Page 521

    9-1 9 traffic mirroring configuration
    when configuring traffic mirroring, go to these sections for information you are interested in:
    • traffic mirroring overview
    • configuring traffic mirroring
    • displaying and maintaining traffic mirroring
    • traffic mirroring configuration examples
    traffic mirrori...

  • Page 522

    9-2 to do… | use the command… | remarks
    specify the destination interface for traffic mirroring | mirror-to interface interface-type interface-number | required
    exit behavior view | quit | —
    create a policy and enter policy view | qos policy policy-name | —
    associate the class with the traffic behavior in the qos p...

  • Page 523

    9-3 displaying and maintaining traffic mirroring
    to do… | use the command… | remarks
    display traffic behavior configuration information | display traffic behavior user-defined [ behavior-name ] | available in any view
    display qos policy configuration information | display qos policy user-defined [ policy-name...

  • Page 524

    9-4 [sysname] traffic behavior 1
    [sysname-behavior-1] mirror-to interface gigabitethernet 1/0/2
    [sysname-behavior-1] quit
    # create qos policy 1 and associate traffic behavior 1 with class 1 in the qos policy.
    [sysname] qos policy 1
    [sysname-policy-1] classifier 1 behavior 1
    [sysname-policy-1] quit
    #...

  • Page 525

    10-1 10 class-based accounting configuration
    when configuring class-based accounting, go to these sections for information you are interested in:
    • class-based accounting overview
    • configuring class-based accounting
    • displaying and maintaining traffic accounting
    • class-based accounting configurat...

  • Page 526

    10-2 displaying and maintaining traffic accounting after completing the configuration above, you can verify the configuration with the display qos policy global, display qos policy interface, or display qos vlan-policy command depending on the occasion where the qos policy is applied. Class-based ac...

  • Page 527

    10-3 [devicea-gigabitethernet1/0/1] quit
    # display traffic statistics to verify the configuration.
    [devicea] display qos policy interface gigabitethernet 1/0/1
    interface: gigabitethernet1/0/1
    direction: inbound
    policy: policy
    classifier: classifier_1
    operator: and
    rule(s) : if-match acl 2000
    behavio...

  • Page 528: User Profile Configuration

    11-1 11 user profile configuration
    when configuring user profile, go to these sections for information you are interested in:
    • user profile overview
    • user profile configuration
    • displaying and maintaining user profile
    user profile overview
    user profile provides a configuration template to save pr...

  • Page 529

    11-2 creating a user profile
    configuration prerequisites
    before creating a user profile, you need to configure authentication parameters. User profile supports 802.1x authentication. You need to perform the related configurations (for example, username, password, authentication scheme, domain and b...

  • Page 530

    11-3 • when a user profile is active, you cannot configure or remove the qos policy applied to it.
    • the qos policies applied in user profile view support only the remark, car, and filter actions.
    • do not apply an empty qos policy in user profile view, because even if you can do that, the user prof...

  • Page 531: Appendix

    12-1 12 appendix
    this chapter covers the following appendixes:
    • appendix a acronym
    • appendix b default priority mapping tables
    • appendix c introduction to packet precedences
    appendix a acronym
    table 12-1 appendix a acronym
    acronym | full spelling
    af | assured forwarding
    be | best effort
    car | committed a...

  • Page 532

    12-2 acronym | full spelling
    pe | provider edge
    phb | per-hop behavior
    pir | peak information rate
    pq | priority queuing
    qos | quality of service
    red | random early detection
    rsvp | resource reservation protocol
    rtp | real time protocol
    sla | service level agreement
    te | traffic engineering
    tos | type of service
    tp | traffic...

  • Page 533

    12-3 (continued) input priority value | dot1p-lp mapping | dot1p-dp mapping
    2 | 1 | 0
    3 | 3 | 0
    4 | 4 | 0
    5 | 5 | 0
    6 | 6 | 0
    7 | 7 | 0
    table 12-3 the default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables
    input priority value (dscp) | dscp-dp mapping (drop precedence, dp) | dscp-dot1p mapping (802.1p priority, dot1p)
    0 to 7 | 0 | ...

  • Page 534

    12-4 table 12-4 description on ip precedence
    ip precedence (decimal) | ip precedence (binary) | description
    0 | 000 | routine
    1 | 001 | priority
    2 | 010 | immediate
    3 | 011 | flash
    4 | 100 | flash-override
    5 | 101 | critical
    6 | 110 | internet
    7 | 111 | network
    table 12-5 description on dscp values
    dscp value (decimal) | dscp value (bin...

  • Page 535

    12-5 802.1p priority
    802.1p priority lies in layer 2 packet headers and is applicable to occasions where layer 3 header analysis is not needed and qos must be assured at layer 2.
    figure 12-2 an ethernet frame with an 802.1q tag header
    as shown in figure 12-2, the 4-byte 802.1q tag header consists o...

  • Page 536: Table of Contents

    i table of contents
    1 aaa configuration 1-1
    introduction to aaa ...

  • Page 537

    ii specifying the hwtacacs authorization servers 1-32
    specifying the hwtacacs accounting servers 1-32
    setting the shared key for hwtacacs packets ...

  • Page 538

    iii configuring habp 4-2
    configuring the habp server 4-2
    configu...

  • Page 539

    iv configuring the macaddresselseuserloginsecure mode 6-17
    troubleshooting port security 6-19
    cannot set the port security mode ...

  • Page 540

    v establishing a connection to the sftp server 9-2
    working with the sftp directories 9-3
    working with sftp files ...

  • Page 541

    vi troubleshooting ssl 11-6
    ssl handshake failure 11-6
    12 public...

  • Page 542

    vii configuration prerequisites 14-6
    configuration procedure 14-6
    configuration ex...

  • Page 543: Aaa Configuration

    1-1 1 aaa configuration
    when configuring aaa, go to these sections for information you are interested in:
    • introduction to aaa
    • introduction to radius
    • introduction to hwtacacs
    • protocols and standards
    • aaa configuration task list
    • configuring aaa
    • configuring radius
    • configuring hwtacacs
    • ...

  • Page 544

    1-2 requirements. For example, you can use the hwtacacs server for authentication and authorization, and the radius server for accounting. The three security functions are described as follows:
    • authentication: identifies remote users and judges whether a user is legal.
    • authorization: grants diff...

  • Page 545

    1-3 figure 1-2 radius server components
    • users: stores user information such as the usernames, passwords, applied protocols, and ip addresses.
    • clients: stores information about radius clients, such as the shared keys and ip addresses.
    • dictionary: stores information about the meanings of radius ...

  • Page 546

    1-4 2) the host initiates a connection request carrying the username and password to the radius client.
    3) having received the username and password, the radius client sends an authentication request (access-request) to the radius server, with the user password encrypted by using the message-digest ...

  • Page 547

    1-5 code | packet type | description
    2 | access-accept | from the server to the client. If all the attribute values carried in the access-request are acceptable, that is, the authentication succeeds, the server sends an access-accept response.
    3 | access-reject | from the server to the client. If any attribute ...

  • Page 548

    1-6 no. | attribute | no. | attribute
    8 | framed-ip-address | 52 | acct-input-gigawords
    9 | framed-ip-netmask | 53 | acct-output-gigawords
    10 | framed-routing | 54 | (unassigned)
    11 | filter-id | 55 | event-timestamp
    12 | framed-mtu | 56-59 | (unassigned)
    13 | framed-compression | 60 | chap-challenge
    14 | login-ip-host | 61 | nas-port-type
    15 | log...

  • Page 549

    1-7 no. | attribute | no. | attribute
    44 | acct-session-id | 91 | tunnel-server-auth-id
    the attribute types listed in table 1-2 are defined by rfc 2865, rfc 2866, rfc 2867, and rfc 2568.
    extended radius attributes
    the radius protocol features excellent extensibility. Attribute 26 (vendor-specific) defined by rf...

  • Page 550

    1-8 differences between hwtacacs and radius
    hwtacacs and radius have many common features, like implementing aaa, using a client/server model, using shared keys for user information security and having good flexibility and extensibility. Meanwhile, they also have differences, as listed in table 1-3 ...

  • Page 551

    1-9 figure 1-6 basic message exchange process of hwtacacs for a telnet user (host, hwtacacs client, hwtacacs server)
    1) the user logs in
    2) start-authentication packet
    3) authentication response requesting the username
    4) request for username
    5) the user inputs the username
    6) authentication continuance...

  • Page 552

    1-10 13) the hwtacacs client sends the user authorization request packet to the hwtacacs server.
    14) the hwtacacs server sends back the authorization response, indicating that the user is authorized now.
    15) knowing that the user is now authorized, the hwtacacs client pushes the configuration interf...

  • Page 553

    1-11 aaa configuration task list
    task | remarks
    creating an isp domain | required
    configuring isp domain attributes | optional
    configuring aaa authentication methods for an isp domain | required. for local authentication, refer to configuring local user attributes. for radius authentication, refer to config...

  • Page 554

    1-12 hwtacacs configuration task list
    task | remarks
    creating a hwtacacs scheme | required
    specifying the hwtacacs authentication servers | required
    specifying the hwtacacs authorization servers | optional
    specifying the hwtacacs accounting servers | optional
    setting the shared key for hwtacacs packets | requir...

  • Page 555

    1-13 for the nas, each user belongs to an isp domain. Up to 16 isp domains can be configured on a nas. If a user does not provide the isp domain name, the system considers that the user belongs to the default isp domain. Follow these steps to create an isp domain: to do… use the command… remarks ent...

  • Page 556

    1-14 a self-service radius server, for example, imc, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Co...

  • Page 558

    1-16 response after successful authentication. You can configure local authorization or no authorization as the backup method in case the remote server is not available. By default, an isp domain uses the local authorization method. If the no authorization method (none) is configured, the users are ...

  • Page 559

    1-17 • the authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode.
    • radius authorization is special in that it takes effect only when the radius authorization scheme is the same as the radius auth...

  • Page 560

    1-18 to do… | use the command… | remarks
    enter system view | system-view | —
    create an isp domain and enter isp domain view | domain isp-name | required
    enable the accounting optional feature | accounting optional | optional; disabled by default
    specify the default accounting method for all types of users | accounting...

  • Page 561

    1-19 configuring local user attributes for local authentication, you need to create local users and configure user attributes on the device as needed. A local user represents a set of user attributes configured on a device, and such a user set is uniquely identified by the username. For a user reque...

  • Page 563

    1-21 management of user attributes for the local users in the group. Currently, you can configure password control attributes and authorization attributes for a user group. By default, every newly added local user belongs to the user group of system and bears all attributes of the group. User group ...

  • Page 565

    1-23 specifying the radius authentication/authorization servers
    follow these steps to specify the radius authentication/authorization servers:
    to do… | use the command… | remarks
    enter system view | system-view | —
    create a radius scheme and enter radius scheme view | radius scheme radius-scheme-name | required...

  • Page 566

    1-24 to do… | use the command… | remarks
    set the maximum number of stop-accounting request transmission attempts | retry stop-accounting retry-times | optional; 500 by default
    set the maximum number of accounting request transmission attempts | retry realtime-accounting retry-times | optional; 5 by default
    • it i...

  • Page 567

    1-25 the shared key configured on the device must be the same as that configured on the radius server. Setting the upper limit of radius request retransmission attempts because radius uses udp packets to carry data, the communication process is not reliable. If a nas receives no response from the ra...

  • Page 568

    1-26 • if you change the type of radius server, the data stream destined to the original radius server will be restored to the default unit.
    • when a third-party radius is used, you can configure the radius server to standard or extended. When imc server is used, you must configure the radius server...

  • Page 569

    1-27 • if both the primary server and the secondary server are in the blocked state, it is necessary to manually turn the secondary server to the active state so that the secondary server can perform authentication. If the secondary server is still in the blocked state, the primary/secondary switcho...

  • Page 570

    1-28 • some earlier radius servers cannot recognize usernames that contain an isp domain name. In this case, the device must remove the domain name before sending a username including a domain name. You can configure the user-name-format without-domain command on the device for this purpose.
    • if a ...

  • Page 571

    1-29 to do… | use the command… | remarks
    set the real-time accounting interval | timer realtime-accounting minutes | optional; 12 minutes by default
    • the maximum number of retransmission attempts of radius packets multiplied by the radius server response timeout period cannot be greater than 75. This produc...

  • Page 572

    1-30 you can specify up to eight security policy servers for a radius scheme.
    enabling the listening port of the radius client
    follow these steps to enable the listening port of the radius client:
    to do… | use the command… | remarks
    enter system view | system-view | —
    enable the listening port of the radius...

  • Page 573

    1-31 creating a hwtacacs scheme
    the hwtacacs protocol is configured on a per scheme basis. Before performing other hwtacacs configurations, follow these steps to create a hwtacacs scheme and enter hwtacacs scheme view:
    to do… | use the command… | remarks
    enter system view | system-view | —
    create a hwtacacs...

  • Page 574

    1-32 specifying the hwtacacs authorization servers
    follow these steps to specify the hwtacacs authorization servers:
    to do… | use the command… | remarks
    enter system view | system-view | —
    create a hwtacacs scheme and enter hwtacacs scheme view | hwtacacs scheme hwtacacs-scheme-name | required; not defined by de...

  • Page 575

    1-33 • it is recommended to specify only the primary hwtacacs accounting server if backup is not required.
    • if both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable.
    • the ip addresses of the primary and secondary accounting...

  • Page 577

    1-35 • for real-time accounting, a nas must transmit the accounting information of online users to the hwtacacs accounting server periodically. Note that if the device does not receive any response to the information, it does not disconnect the online users forcibly.
    • the real-time accounting interv...

  • Page 578

    1-36 figure 1-7 configure aaa for telnet users by a hwtacacs server (internet, switch, telnet user; authentication/accounting server 10.1.1.1/24)
    configuration procedure
    # configure the ip addresses of the interfaces (omitted).
    # enable the telnet server on the switch.
    system-view
    [switch] telnet server ...

  • Page 579

    1-37 aaa for telnet users by separate servers
    network requirements
    as shown in figure 1-8, configure the switch to provide local authentication, hwtacacs authorization, and radius accounting services to telnet users. The user name and the password for telnet users are both hello.
    • the hwtacacs ser...

  • Page 580

    1-38 [switch-hwtacacs-hwtac] user-name-format without-domain
    [switch-hwtacacs-hwtac] quit
    # configure the radius scheme.
    [switch] radius scheme rd
    [switch-radius-rd] primary accounting 10.1.1.1 1813
    [switch-radius-rd] key accounting expert
    [switch-radius-rd] server-type extended
    [switch-radius-rd] u...

  • Page 581

    1-39 figure 1-9 configure aaa for ssh users by a radius server (internet, switch, ssh user; radius server 10.1.1.1/24; vlan-int2 192.168.1.70/24)
    configuration procedure
    1) configure the radius server (imc). this example assumes that the radius server runs imc plat 3.20-r2602 or imc uam 3.60-e6102.
    # add ...

  • Page 582

    1-40 figure 1-10 add an access device
    # add a user for device management
    log into the imc management platform, select the user tab, and select access user view > device mgmt user from the navigation tree to enter the device management user page. Then, click add to enter the add device management use...

  • Page 583

    1-41 figure 1-11 add an account for device management
    2) configure the switch
    # configure the ip address of vlan interface 2, through which the ssh user accesses the switch.
    system-view
    [switch] interface vlan-interface 2
    [switch-vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [switch-vlan-in...

  • Page 584

    1-42 [switch-ui-vty0-4] quit
    # configure the radius scheme.
    [switch] radius scheme rad
    [switch-radius-rad] primary authentication 10.1.1.1 1812
    [switch-radius-rad] primary accounting 10.1.1.1 1813
    [switch-radius-rad] key authentication expert
    [switch-radius-rad] key accounting expert
    [switch-radius-...

  • Page 585

    1-43 11) the communication link between the nas and the radius server is down (at the physical layer and data link layer).
    12) the nas is not configured with the ip address of the radius server.
    13) the udp ports for authentication/authorization and accounting are not correct.
    14) the port numbers o...

  • Page 586: 802.1X Configuration

    2-1 2 802.1x configuration
    when configuring 802.1x, go to these sections for information you are interested in:
    • 802.1x overview
    • configuring 802.1x
    • configuring an 802.1x port-based guest vlan
    • 802.1x configuration example
    • guest vlan and vlan assignment configuration example
    • acl assignment ...

  • Page 587

    2-2 figure 2-1 architecture of 802.1x
    • client: an entity to be authenticated by the device residing on the same lan. A client is usually a user-end device and initiates 802.1x authentication through 802.1x client software supporting the eap over lans (eapol) protocol.
    • device: the entity that auth...

  • Page 588

    2-3 figure 2-2 authorized/unauthorized status of a controlled port
    you can set the access control mode of a specified port to control the authorization status. The access control modes include:
    • authorized-force: places the port in the authorized state, allowing users of the ports to access the net...

  • Page 589

    2-4 figure 2-3 eapol frame format
    • pae ethernet type: protocol type. It takes the value 0x888e.
    • protocol version: version of the eapol protocol supported by the eapol frame sender.
    • type: type of the eapol frame. Table 2-1 lists the types that the device currently supports.
    table 2-1 types of ea...

  • Page 590

    2-5 the packet is for querying the identity of the client. A value of 4 represents md5-challenge, which corresponds closely to the ppp chap protocol.
    figure 2-5 format of the data field in an eap request/response packet
    • identifier: allows matching of responses with requests.
    • length: length of th...

  • Page 591

    2-6 unsolicited triggering of a client a client initiates authentication by sending an eapol-start frame to the device. The destination address of the frame is 01-80-c2-00-00-03, the multicast address specified by the ieee 802.1x protocol. Some devices in the network may not support multicast packet...

  • Page 592

    2-7 figure 2-8 message exchange in eap relay mode (eapol between client and device, eapor between device and server; messages shown: eapol-start, eap-request / identity, eap-response / identity, eap-request / md5 challenge, eap-success, eap-response / md5 challenge, radius access-request (eap-response / identity), radius access-challenge (eap-request / md5 challenge), radius a...)

  • Page 593

    2-8 10) when receiving the radius access-request packet, the radius server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a radius access-accept packet.
    1...

  • Page 594

    2-9 figure 2-9 message exchange in eap termination mode (eapol between client and device, eapor between device and server; messages shown: eapol-start, eap-request / identity, eap-response / identity, eap-request / md5 challenge, eap-success, eap-response / md5 challenge, handshake request [ eap-request / identity ], handshake response [ eap-response / identity ], eapol-logoff...)

  • Page 595

    2-10 • handshake timer (handshake-period): after a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers t...

  • Page 596

    2-11 the assigned vlan neither changes nor affects the configuration of a port. However, as the assigned vlan has higher priority than the initial vlan of the port, it is the assigned vlan that takes effect after a user passes authentication. After the user goes offline, the port returns to the init...

  • Page 597

    2-12 the handshake packet for the maximum number of times, which is set by the dot1x retry command, the device will set the user state to offline. The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device....

  • Page 599

    2-14 configuring 802.1x for a port
    enabling 802.1x for a port
    follow these steps to enable 802.1x for a port:
    to do… | use the command… | remarks
    enter system view | system-view | —
    in system view dot1x interface interface-list interface interface-type interface-number enable 802.1x for one or more ports in...

  • Page 600

    2-15 information about the user-name-format command, refer to aaa commands in the security volume.
    • if the username of a client contains the version number or one or more blank spaces, you can neither retrieve information nor disconnect the client by using the username. However, you can use items s...

  • Page 601

    2-16 • if the data flows from a user-side device carry vlan tags, and 802.1x and guest vlan are enabled on the access port, you are recommended to configure different vlan ids for the voice vlan, the default port vlan, and the guest vlan of 802.1x.
    displaying and maintaining 802.1x
    to do… use the co...

  • Page 602

    2-17 figure 2-10 network diagram for 802.1x configuration
    configuration procedure
    the following configuration procedure covers most aaa/radius configuration commands for the device, while the configurations on the 802.1x client and the radius server are omitted. For information about aaa/radius configuration...

  • Page 603

    2-18 # set the interval for the device to retransmit packets to the radius server and the maximum number of transmission attempts.
    [device-radius-radius1] timer response-timeout 5
    [device-radius-radius1] retry 5
    # set the interval for the device to send real time accounting packets to the radius ser...

  • Page 604

    2-19 as shown in figure 2-12:
    • on port gigabitethernet 1/0/2, enable 802.1x and set vlan 10 as the guest vlan of the port. If the device sends an eap-request/identity packet from the port for the maximum number of times but still receives no response, the device adds the port to its guest vlan. In...

  • Page 605

    2-20 figure 2-13 network diagram when the client passes authentication
    configuration procedure
    • the following configuration procedure uses many aaa/radius commands. For detailed configuration of these commands, refer to aaa configuration in the security volume.
    • configurations on the 802.1x client...

  • Page 606

    2-21 [device] interface gigabitethernet 1/0/2
    [device-gigabitethernet1/0/2] dot1x
    # set the port access control method to portbased.
    [device-gigabitethernet1/0/2] dot1x port-method portbased
    # set the port access control mode to auto.
    [device-gigabitethernet1/0/2] dot1x port-control auto
    [device-gig...

  • Page 607

    2-22 configuration procedure
    # configure the ip addresses of the interfaces. (omitted)
    # configure the radius scheme.
    system-view
    [device] radius scheme 2000
    [device-radius-2000] primary authentication 10.1.1.1 1812
    [device-radius-2000] primary accounting 10.1.1.2 1813
    [device-radius-2000] key authe...

  • Page 608

    3-1 3 ead fast deployment configuration
    when configuring ead fast deployment, go to these sections for information you are interested in:
    • ead fast deployment overview
    • configuring ead fast deployment
    • displaying and maintaining ead fast deployment
    • ead fast deployment configuration example
    • tr...

  • Page 609

    3-2 configuring ead fast deployment
    currently, mac authentication and port security cannot work together with ead fast deployment. Once mac authentication or port security is enabled globally, the ead fast deployment is disabled automatically.
    configuration prerequisites
    • enable 802.1x globally.
    • ...

  • Page 610

    3-3 configuring the ie redirect url
    follow these steps to configure the ie redirect url:
    to do… | use the command… | remarks
    enter system view | system-view | —
    configure the ie redirect url | dot1x url url-string | required; no redirect url is configured by default.
    the redirect url and the freely accessible ne...

  • Page 611

    3-4 ead fast deployment configuration example
    network requirements
    as shown in figure 3-1, the host is connected to the device, and the device is connected to the freely accessible network segment and outside network. It is required that:
    • before successful 802.1 authentication, the host using ie ...

  • Page 612

    3-5 c:\>ping 192.168.2.3
    pinging 192.168.2.3 with 32 bytes of data:
    reply from 192.168.2.3: bytes=32 time
    reply from 192.168.2.3: bytes=32 time
    reply from 192.168.2.3: bytes=32 time
    reply from 192.168.2.3: bytes=32 time
    ping statistics for 192.168.2.3:
    packets: sent = 4, received = 4, lost = 0 (0% l...

  • Page 613: Habp Configuration

    4-1 4 habp configuration
    when configuring habp, go to these sections for the information you are interested in:
    • introduction to habp
    • configuring habp
    • displaying and maintaining habp
    • habp configuration example
    introduction to habp
    the hw authentication bypass protocol (habp) is used to enable...

  • Page 614

    4-2 figure 4-1 network diagram for habp application (internet; switch b, switch c: authenticator; switch a, switch d, switch e: supplicant; authentication server)
    habp is a link layer protocol that works above the mac layer. It is built on the client-server model. Generally, the habp ser...

  • Page 615

    4-3 to do… | use the command… | remarks
    configure habp to work in server mode | habp server vlan vlan-id | required; habp works in client mode by default.
    set the interval to send habp requests | habp timer interval | optional; 20 seconds by default
    configuring an habp client
    configure the habp client function on...

  • Page 616

    4-4 figure 4-2 network diagram for habp configuration
    configuration procedure
    1) configure switch a
    # enable habp.
    system-view
    [switcha] habp enable
    # configure habp to work in server mode, allowing habp packets to be transmitted in vlan 2.
    [switcha] habp server vlan 2
    # set the interval to send hab...

  • Page 617

    5-1 5 mac authentication configuration
    when configuring mac authentication, go to these sections for information you are interested in:
    • mac authentication overview
    • related concepts
    • configuring mac authentication
    • displaying and maintaining mac authentication
    • mac authentication configuration...

  • Page 618

    5-2 related concepts
    mac authentication timers
    the following timers function in the process of mac authentication:
    • offline detect timer: at this interval, the device checks to see whether there is traffic from a user. Once detecting that there is no traffic from a user within this interval, the de...

  • Page 619

    5-3 • for radius authentication, ensure that a route is available between the device and the radius server, and add the usernames and passwords on the server.
    when adding usernames and passwords on the device or server, ensure that:
    • the type of username and password must be consistent with that us...

  • Page 620

    5-4 z you can configure mac authentication for ports first. However, the configuration takes effect only after you enable mac authentication globally. Z enabling mac authentication on a port is mutually exclusive with adding the port to an aggregation group. Z for details about the default isp domai...

  • Page 621

    5-5 [device-luser-00-e0-fc-12-34-56] service-type lan-access [device-luser-00-e0-fc-12-34-56] quit # configure isp domain aabbcc.net, and specify that the users in the domain use local authentication. [device] domain aabbcc.net [device-isp-aabbcc.net] authentication lan-access local [device-isp-aabb...

  • Page 622

    5-6 radius-based mac authentication configuration example network requirements as illustrated in figure 5-2 , a host is connected to the device through port gigabitethernet 1/0/1. The device authenticates, authorizes and keeps accounting on the host through the radius server. Z mac authentication is...

  • Page 623

    5-7 [device-isp-2000] accounting default radius-scheme 2000 [device-isp-2000] quit # enable mac authentication globally. [device] mac-authentication # enable mac authentication for port gigabitethernet 1/0/1. [device] mac-authentication interface gigabitethernet 1/0/1 # specify the isp domain for ma...

  • Page 624

    5-8 z on port gigabitethernet 1/0/1 of the switch, enable mac authentication and configure acl 3000. After the host passes mac authentication, the radius server assigns acl 3000 to port gigabitethernet 1/0/1 of the switch. As a result, the host can access the internet but cannot access the ftp serve...

  • Page 625

    5-9 [sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0 [sysname-acl-adv-3000] quit # enable mac authentication globally. [sysname] mac-authentication # specify the isp domain for mac authentication users. [sysname] mac-authentication domain 2000 # specify the mac authentication username ty...

  • Page 626: Port Security Configuration

    6-1 6 port security configuration when configuring port security, go to these sections for information you are interested in: z introduction to port security z port security configuration task list z displaying and maintaining port security z port security configuration examples z troubleshooting po...

  • Page 627

    6-2 port security features ntk the need to know (ntk) feature checks the destination mac addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic. Intrusion protection the intrusion protection ...

  • Page 628

    6-3 security mode description features userloginsecure in this mode, a port performs 802.1x authentication of users in portbased mode and services only one user passing 802.1x authentication. Userloginwithoui similar to the userloginsecure mode, a port in this mode performs 802.1x authentication of ...

  • Page 629

    6-4 z currently, port security supports two authentication methods: 802.1x and mac authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. Z the maximum number of users a port supports is the lesser of the maximum num...

  • Page 630

    6-5 enabling port security configuration prerequisites before enabling port security, you need to disable 802.1x and mac authentication globally. Configuration procedure follow these steps to enable port security: to do… use the command… remarks enter system view system-view — enable port security p...

  • Page 631

    6-6 follow these steps to set the maximum number of secure mac addresses allowed on a port: to do… use the command… remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — set the maximum number of secure mac addresses allowed on a port port-secur...

  • Page 632

    6-7 configuring procedure follow these steps to enable any other port security mode: to do… use the command… remarks enter system view system-view — set an oui value for user authentication port-security oui oui-value index index-value optional not configured by default. The command is required for ...

  • Page 633

    6-8 z ntk-withmulticasts: forwards only frames destined for authenticated mac addresses, multicast addresses, or the broadcast address. By default, ntk is disabled on a port and the port forwards all frames. With ntk configured, a port will discard any unicast packet with an unknown mac address no m...

  • Page 634

    6-9 on a port operating in either the macaddresselseuserloginsecure mode or the macaddresselseuserloginsecureext mode, intrusion protection is triggered only after both mac authentication and 802.1x authentication for the same frame fail. Configuring trapping the trapping feature enables a device to...

  • Page 635

    6-10 to do… use the command… remarks enter system view system-view — in system view port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id interface interface-type interface-number configure a secure mac address in interface view port-security mac-addre...

  • Page 636

    6-11 to do… use the command… remarks display information about blocked mac addresses display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] available in any view port security configuration examples configuring the autolearn mode network requ...

  • Page 637

    6-12 equipment port-security is enabled intrusion trap is enabled disableport timeout: 30s oui value: gigabitethernet1/0/1 is link-up port mode is autolearn needtoknow mode is disabled intrusion protection mode is disableporttemporarily max mac address number is 64 stored mac address number is 0 aut...

  • Page 638

    6-13 gigabitethernet1/0/1 current state: port security disabled ip packet frame type: pktfmt_ethnt_2, hardware address: 000f-cb00-5558 description: gigabitethernet1/0/1 interface ...... The port should be re-enabled 30 seconds later. [switch-gigabitethernet1/0/1] display interface gigabitethernet 1/...

  • Page 639

    6-14 configuration procedure z the following configuration steps cover some aaa/radius configuration commands. For details about the commands, refer to aaa configuration in the security volume. Z configurations on the host and radius servers are omitted. 1) configure the radius protocol # configure ...

  • Page 640

    6-15 [switch] interface gigabitethernet 1/0/1 # set the port security mode to userloginwithoui. [switch-gigabitethernet1/0/1] port-security port-mode userlogin-withoui 4) verify the configuration after completing the above configurations, you can use the following command to view the configuration i...

  • Page 641

    6-16 index is 5, oui value is 123405 gigabitethernet1/0/1 is link-up port mode is userloginwithoui needtoknow mode is disabled intrusion protection mode is noaction max mac address number is not configured stored mac address number is 0 authorization is permitted after an 802.1x user gets online, yo...

  • Page 642

    6-17 controlled user(s) amount to 1 in addition, the port allows an additional user whose mac address has an oui among the specified ouis to access the port. You can use the following command to view the related information: display mac-address interface gigabitethernet 1/0/1 mac addr vlan id state ...

  • Page 643

    6-18 [switch] dot1x authentication-method chap # set the maximum number of secure mac addresses allowed on the port to 64. [switch] interface gigabitethernet 1/0/1 [switch-gigabitethernet1/0/1] port-security max-mac-count 64 # set the port security mode to macaddresselseuserloginsecure. [switch-giga...

  • Page 644

    6-19 the maximal retransmitting times 2 ead quick deploy configuration: ead timeout: 30m total maximum 802.1x user resource number is 1024 per slot total current used 802.1x resource number is 1 gigabitethernet1/0/1 is link-up 802.1x protocol is enabled handshake is enabled the port is an authentica...

  • Page 645

    6-20 solution set the port security mode to norestrictions first. [switch-gigabitethernet1/0/1] undo port-security port-mode [switch-gigabitethernet1/0/1] port-security port-mode autolearn cannot configure secure mac addresses symptom cannot configure secure mac addresses. [switch-gigabitethernet1/0...

  • Page 646

    7-1 7 ip source guard configuration when configuring ip source guard, go to these sections for information you are interested in: z ip source guard overview z configuring a static binding entry z configuring dynamic binding function z displaying and maintaining ip source guard z ip source guard conf...

  • Page 649

    7-4 [switcha-gigabitethernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405 [switcha-gigabitethernet1/0/2] quit # configure port gigabitethernet 1/0/1 of switch a to allow only ip packets with the source mac address of 00-01-02-03-04-06 and the source ip address of 192.168.0.1 to ...

  • Page 650

    7-5 for detailed configuration of a dhcp server, refer to dhcp configuration in the ip service volume. Network diagram figure 7-2 network diagram for configuring dynamic binding function configuration procedure 1) configure switch a # configure dynamic binding function on port gigabitethernet 1/0/1....

  • Page 651

    7-6 [switcha-gigabitethernet1/0/1] display dhcp-snooping dhcp snooping is enabled. The client binding table for all untrusted ports. Type : d--dynamic , s--static type ip address mac address lease vlan interface ==== =============== ============== ============ ==== ================= d 192.168.0.1 00...

  • Page 652: Ssh2.0 Configuration

    8-1 8 ssh2.0 configuration when configuring ssh2.0, go to these sections for information you are interested in: z ssh2.0 overview z configuring the device as an ssh server z configuring the device as an ssh client z displaying and maintaining ssh z ssh server configuration examples z ssh client conf...

  • Page 653

    8-2 stages description session request after passing authentication, the client sends a session request to the server. Interaction after the server grants the request, the client and server start to communicate with each other. Version negotiation 1) the server opens port 22 to listen to connection ...

  • Page 654

    8-3 before the negotiation, the server must have already generated a dsa or rsa key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about dsa and rsa key pairs, refer to public key configuration in the s...

  • Page 655

    8-4 session request after passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an ssh_smsg_success packet and goes on to the inte...

  • Page 657

    8-6 to do… use the command… remarks enter system view system-view — enter user interface view of one or more user interfaces user-interface vty number [ ending-number ] — set the login authentication mode to scheme authentication-mode scheme [ command-authorization ] required by default, the authent...

  • Page 658

    8-7 z you are recommended to configure a client public key by importing it from a public key file. Z you can configure at most 20 client public keys on an ssh server. Configuring a client public key manually follow these steps to configure the client public key manually: to do… use the command… remar...

  • Page 660

    8-9 z enabling the ssh server to be compatible with ssh1 client z setting the server key pair update interval, applicable to users using ssh1 client z setting the ssh user authentication timeout period z setting the maximum number of ssh authentication attempts setting the above parameters can help ...

  • Page 662

    8-11 to do… use the command… remarks configure the server public key refer to configuring a client public key required the method of configuring server public key on the client is similar to that of configuring client public key on the server. Specify the host public key name of the server ssh cli...

  • Page 664

    8-13 [switch-ui-vty0-4] protocol inbound ssh [switch-ui-vty0-4] quit # create local user client001, and set the user command privilege level to 3 [switch] local-user client001 [switch-luser-client001] password simple aabbcc [switch-luser-client001] service-type ssh [switch-luser-client001] authoriza...

  • Page 665

    8-14 figure 8-2 ssh client configuration interface in the window shown in figure 8-2 , click open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. W...

  • Page 666

    8-15 [switch] public-key local create dsa [switch] ssh server enable # configure an ip address for vlan interface 1. This address will serve as the destination of the ssh connection. [switch] interface vlan-interface 1 [switch-vlan-interface1] ip address 192.168.1.40 255.255.255.0 [switch-vlan-inter...

  • Page 667

    8-16 figure 8-4 generate a client key pair 1) while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in figure 8-5 . Otherwise, the process bar stops moving and the key pair generating process will be stopped.

  • Page 668

    8-17 figure 8-5 generate a client key pair 2) after the key pair is generated, click save public key and specify the file name as key.pub to save the public key. Figure 8-6 generate a client key pair 3).

  • Page 669

    8-18 likewise, to save the private key, click save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click yes and enter the name of the file for saving the key (private in this case). Figure 8-7 generate a client key pair 4) after generating...

  • Page 670

    8-19 select connection/ssh/auth from the navigation tree. The following window appears. Click browse… to bring up the file selection window, navigate to the private key file and click ok. Figure 8-9 ssh client configuration interface 2) in the window shown in figure 8-9 , click open. If the connectio...

  • Page 671

    8-20 # create rsa and dsa key pairs and enable the ssh server. System-view [switchb] public-key local create rsa [switchb] public-key local create dsa [switchb] ssh server enable # create an ip address for vlan interface 1, which the ssh client will use as the destination for ssh connection. [switch...

  • Page 672

    8-21 after you enter the correct username, you can log into switch b successfully. Z if the client does not support first-time authentication, you need to perform the following configurations. # disable first-time authentication. [switcha] undo ssh client first-time # configure the host public key o...

  • Page 673

    8-22 when switch acts as client for publickey authentication network requirements z as shown in figure 8-11 , switch a (the ssh client) needs to log into switch b (the ssh server) through the ssh protocol. Z publickey authentication is used, and the public key algorithm is dsa. Figure 8-11 switch ac...

  • Page 674

    8-23 # specify the authentication type for user client002 as publickey, and assign the public key switch001 to the user. [switchb] ssh user client002 service-type stelnet authentication-type publickey assign publickey switch001 2) configure the ssh client # configure an ip address for vlan interface...

  • Page 675: Sftp Configuration

    9-1 9 sftp configuration when configuring sftp, go to these sections for information you are interested in: z sftp overview z configuring an sftp server z configuring an sftp client z sftp client configuration example z sftp server configuration example sftp overview the secure file transfer protoco...

  • Page 676

    9-2 when the device functions as the sftp server, only one client can access the sftp server at a time. If the sftp client uses winscp, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server. Configuring the sftp connec...

  • Page 678

    9-4 to do… use the command… remarks create a new directory on the remote sftp server mkdir remote-path optional delete a directory from the sftp server rmdir remote-path& optional working with sftp files sftp file operations include: z changing the name of a file z downloading a file z uploading a f...

  • Page 680

    9-6 configuration procedure 1) configure the sftp server (switch b) # generate rsa and dsa key pairs and enable the ssh server. System-view [switchb] public-key local create rsa [switchb] public-key local create dsa [switchb] ssh server enable # enable the sftp server. [switchb] sftp server enable #...

  • Page 681

    9-7 # export the host public key to file pubkey. [switcha] public-key local export rsa ssh2 pubkey [switcha] quit after generating key pairs on a client, you need to transmit the saved public key file to the server through ftp or tftp and have the configuration on the server done before continuing c...

  • Page 682

    9-8 sftp-client> mkdir new1 new directory created sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 2...

  • Page 683

    9-9 sftp server configuration example network requirements as shown in figure 9-2 , an ssh connection is established between the host and the switch. The host, an sftp client, logs into the switch for file management and file transfer. An ssh user uses password authentication with the username being...

  • Page 684

    9-10 z there are many kinds of ssh client software. The following takes the psftp of putty version 0.58 as an example. Z the psftp supports only password authentication. # establish a connection with the remote sftp server. Run the psftp.exe to launch the client interface as shown in figure 9-3 , an...

  • Page 685: Pki Configuration

    10-1 10 pki configuration when configuring pki, go to these sections for information you are interested in: z introduction to pki z pki configuration task list z displaying and maintaining pki z pki configuration examples z troubleshooting pki introduction to pki this section covers these topics: z ...

  • Page 686

    10-2 top level. The root ca has a ca certificate signed by itself while each lower level ca has a ca certificate signed by the ca at the next higher level. Crl an existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the busine...

  • Page 687

    10-3 ca a ca is a trusted authority responsible for issuing and managing digital certificates. A ca issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing crls. Ra a registration authority (ra) is an extended part of a ca or an independe...

  • Page 688

    10-4 2) the ra reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the ca. 3) the ca verifies the digital signature, approves the application, and issues a certificate. 4) the ra receives the certificate from the ca, sends it to t...

  • Page 689

    10-5 the configuration of an entity dn must comply with the ca certificate issue policy. You need to determine, for example, which entity dn parameters are mandatory and which are optional. Otherwise, certificate request may be rejected. Follow these steps to configure an entity dn: to do… use the c...

  • Page 690

    10-6 configuring a pki domain before requesting a pki certificate, an entity needs to be configured with some enrollment information, which is referred to as a pki domain. A pki domain is intended only for convenience of reference by other applications like ike and ssl, and has only local significan...

  • Page 692

    10-8 submitting a certificate request in auto mode in auto mode, an entity automatically requests a certificate through the scep protocol when it has no local certificate or the present certificate is about to expire. Follow these steps to configure an entity to submit a certificate request in auto ...

  • Page 693

    10-9 z if a pki domain already has a local certificate, creating an rsa key pair will result in inconsistency between the key pair and the certificate. To generate a new rsa key pair, delete the local certificate and then issue the public-key local create command. For information about the public-ke...

  • Page 694

    10-10 z if a pki domain already has a ca certificate, you cannot retrieve another ca certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new ca certificate, use the pki delete-certificate...

  • Page 695

    10-11 to do… use the command… remarks enter system view system-view — enter pki domain view pki domain domain-name — disable crl checking crl check disable required enabled by default return to system view quit — retrieve the ca certificate refer to retrieving a certificate manually required verify ...

  • Page 698

    10-14 z subject dn: dn information of the ca, including the common name (cn), organization unit (ou), organization (o), and country (c). The other attributes may be left using the default values. # configure extended attributes. After configuring the basic attributes, you need to perform configurati...

  • Page 699

    10-15 generating keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ z apply for certificates # retrieve the ca certificate and save it locally. [switch] pki retrieval-certif...

  • Page 700

    10-16 not after : jan 8 09:26:53 2008 gmt subject: cn=switch subject public key info: public key algorithm: rsaencryption rsa public key: (1024 bit) modulus (1024 bit): 00d67d50 41046f6a 43610335 ca6c4b11 f8f89138 e4e905bd 43953ba2 623a54c0 ea3cb6e0 b04649ce c9cddd38 34015970 981e96d9 ff4f7b73 a5155...

  • Page 701

    10-17 figure 10-3 request a certificate from a ca running windows 2003 server configuration procedure 1) configure the ca server z install the certificate server suites from the start menu, select control panel > add or remove programs, and then select add/remove windows components > certificate ser...

  • Page 702

    10-18 # configure the url of the registration server in the format of http://host:port/certsrv/mscep/mscep.dll, where host:port indicates the ip address and port number of the ca server. [switch-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll # set the registra...

  • Page 703

    10-19 data: version: 3 (0x2) serial number: 48fa0fd9 00000000 000c signature algorithm: sha1withrsaencryption issuer: cn=ca server validity not before: nov 21 12:32:16 2007 gmt not after : nov 21 12:42:16 2008 gmt subject: cn=switch subject public key info: public key algorithm: rsaencryption rsa pu...

  • Page 704

    10-20 configuring a certificate attribute-based access control policy network requirements z the client accesses the remote http security (https) server through the https protocol. Z ssl is configured to ensure that only legal clients log into the https server. Z create a certificate attribute-based...

  • Page 705

    10-21 # create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the fqdn of the alternative subject name does not include the string of apple, and the second rule defines that the dn of the certificate issuer name includes the string aabbcc. [switch] pki ...

  • Page 706

    10-22 failed to request a local certificate symptom failed to request a local certificate. Analysis possible reasons include these: z the network connection is not proper. For example, the network cable may be damaged or loose. Z no ca certificate has been retrieved. Z the current key pair has been ...

  • Page 707: Ssl Configuration

    11-1 11 ssl configuration when configuring ssl, go to these sections for information you are interested in: z ssl overview z ssl configuration task list z displaying and maintaining ssl z troubleshooting ssl ssl overview secure sockets layer (ssl) is a security protocol providing secure connection s...

  • Page 708

    11-2 z for details about symmetric key algorithms, asymmetric key algorithm rsa and digital signature, refer to public key configuration in the security volume. Z for details about pki, certificate, and ca, refer to pki configuration in the security volume. Ssl protocol stack as shown in figure 11-2...

  • Page 709

    11-3 configuring an ssl server policy an ssl server policy is a set of ssl parameters for a server to use when booting up. An ssl server policy takes effect only after it is associated with an application layer protocol, http protocol, for example. Configuration prerequisites when configuring an ssl...

  • Page 710

    11-4 z if you enable client authentication here, you must request a local certificate for the client. Z currently, ssl mainly comes in these versions: ssl 2.0, ssl 3.0, and tls 1.0, where tls 1.0 corresponds to ssl 3.1. When the device acts as an ssl server, it can communicate with clients running s...

  • Page 711

    11-5 [device] pki domain 1 [device-pki-domain-1] ca identifier ca1 [device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [device-pki-domain-1] certificate request from ra [device-pki-domain-1] certificate request entity en [device-pki-domain-1] quit # create the local...

  • Page 712

    11-6 configuration prerequisites if the ssl server is configured to authenticate the ssl client, when configuring the ssl client policy, you need to specify the pki domain to be used for obtaining the certificate of the client. Therefore, before configuring an ssl client policy, you must configure a...

  • Page 713

    11-7 analysis ssl handshake failure may result from the following causes: z no ssl server certificate exists, or the certificate is not trusted. Z the server is expected to authenticate the client, but the ssl client has no certificate or the certificate is not trusted. Z the cipher suites used by t...

  • Page 714: Public Key Configuration

    12-1 12 public key configuration when configuring public keys, go to these sections for information you are interested in: z asymmetric key algorithm overview z configuring the local asymmetric key pair z configuring the public key of a peer z displaying and maintaining public keys z public key conf...

  • Page 715

    12-2 asymmetric key algorithm applications asymmetric key algorithms can be used for encryption/decryption and digital signature: z encryption/decryption: the information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to...

  • Page 716

    12-3 z configuration of the public-key local create command can survive a reboot. Z the public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. Z the length of an rsa key modulus is in the range...

  • Page 717

    12-4 z import it from the public key file: the system automatically converts the public key to a string coded using the pkcs (public key cryptography standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through ftp or tftp. Z if you ch...

  • Page 718

    12-5 public key configuration examples configuring the public key of a peer manually network requirements device a is authenticated by device b when accessing device b, so the public key of device a should be configured on device b in advance. In this example: z rsa is used. Z the host public key of...

  • Page 719

    12-6 ===================================================== time of key pair created: 09:50:07 2007/08/07 key name: server_key key type: rsa encryption key ===================================================== key code: 307c300d06092a864886f70d0101010500036b003068026100999089e7aee9802002d9eb2d0433b87...

  • Page 720

    12-7 z the host public key of device a is imported from the public key file to device b. Figure 12-3 network diagram for importing the public key of a peer from a public key file configuration procedure 1) create key pairs on device a and export the host public key # create rsa key pairs on device a....

  • Page 721

    12-8 [devicea] public-key local export rsa ssh2 devicea.pub [devicea] quit 2) enable the ftp server function on device b # enable the ftp server function, create an ftp user with the username ftp and password 123. System-view [deviceb] ftp server enable [deviceb] local-user ftp [deviceb-luser-ftp] p...

  • Page 722: Acl Overview

    13-1 13 acl overview in order to filter traffic, network devices use sets of rules, called access control lists (acls), to identify and handle packets. When configuring acls, go to these chapters for information you are interested in: z acl overview z ipv4 acl configuration z ipv6 acl configuration ...

  • Page 723

    13-2 z software-based application: an acl is referenced by a piece of upper layer software. For example, an acl can be referenced to configure login user control behavior, thus controlling telnet, snmp and web users. Note that when an acl is referenced by the upper layer software, actions to be taken...

  • Page 724

    13-3 the name of an ipv4 acl must be unique among ipv4 acls. However, an ipv4 acl and an ipv6 acl can share the same name. Ipv4 acl match order an acl may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts. The match order i...

  • Page 725

    13-4 1) sort rules by source mac address mask first and compare packets against the rule configured with more ones in the source mac address mask. 2) if two rules are present with the same number of ones in their source mac address masks, look at the destination mac address masks. Then, compare pack...

  • Page 726

    13-5 introduction to ipv6 acl this section covers these topics: z ipv6 acl classification z ipv6 acl naming z ipv6 acl match order z ipv6 acl step z effective period of an ipv6 acl ipv6 acl classification ipv6 acls, identified by acl numbers, fall into three categories, as shown in table 13-2 . Tabl...

  • Page 727

    13-6 1) sort rules by source ipv6 address prefix first and compare packets against the rule configured with a longer prefix for the source ipv6 address. 2) in case of a tie, compare packets against the rule configured first. Depth-first match for an advanced ipv6 acl the following shows how your dev...

  • Page 728: Ipv4 Acl Configuration

    14-1 14 ipv4 acl configuration when configuring an ipv4 acl, go to these sections for information you are interested in: z creating a time range z configuring a basic ipv4 acl z configuring an advanced ipv4 acl z configuring an ethernet frame header acl z copying an ipv4 acl z displaying and maintai...

  • Page 729

    14-2 recurs on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on wednesdays between january 1, 2004 00:00 and december 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 ...

  • Page 731

    14-4 system-view [sysname] acl number 2000 [sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # verify the configuration. [sysname-acl-basic-2000] display acl 2000 basic acl 2000, named -none-, 1 rule, acl's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) configuring an advanced ipv4 acl a...

  • Page 733

    14-6 system-view [sysname] acl number 3000 [sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # verify the configuration. [sysname-acl-adv-3000] display acl 3000 advanced acl 3000, named -none-, 1 rule, acl's step is 5 rule 0...

  • Page 734

    14-7 note that: z you can only modify the existing rules of an acl that uses the match order of config. When modifying a rule of such an acl, you may choose to change just some of the settings, in which case the other settings remain the same. Z you cannot create a rule with, or modify a rule to hav...

  • Page 736

    14-9 figure 14-1 network diagram for ipv4 acl configuration ge1/0/4 ge1/0/1 ge1/0/2 ge1/0/3 192.168.4.1 switch r&d department marketing department salary query server president's office 192.168.2.0/24 192.168.3.0/24 192.168.1.0/24 configuration procedure 1) create a time range for office hours # cre...

  • Page 737

    14-10 [switch-classifier-c_market] if-match acl 3001 [switch-classifier-c_market] quit # configure traffic behavior b_market to deny matching packets. [switch] traffic behavior b_market [switch-behavior-b_market] filter deny [switch-behavior-b_market] quit # configure qos policy p_rd to use traffic...

  • Page 738: Ipv6 Acl Configuration

    15-1 15 ipv6 acl configuration when configuring ipv6 acls, go to these sections for information you are interested in: z creating a time range z configuring a basic ipv6 acl z configuring an advanced ipv6 acl z copying an ipv6 acl z displaying and maintaining ipv6 acls z ipv6 acl configuration examp...

  • Page 739

    15-2 to do… use the command… remarks configure a description for the basic ipv6 acl description text optional by default, a basic ipv6 acl has no acl description. Configure a rule description rule rule-id comment text optional by default, an ipv6 acl rule has no rule description. Note that: z you ca...

  • Page 740

    15-3 advanced ipv6 acls are numbered in the range 3000 to 3999. Compared with basic ipv6 acls, they allow for more flexible and accurate filtering. Configuration prerequisites if you want to reference a time range in a rule, define it with the time-range command first. Configuration procedure follow ...

  • Page 741

    15-4 z when the acl match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the ids of the rules still remain the same. Z you can modify the match order of an ipv6 acl with the acl ipv6 number acl6-number [ name acl6-name ] match-...

  • Page 743

    15-6 [switch] traffic classifier c_rd [switch-classifier-c_rd] if-match acl ipv6 2000 [switch-classifier-c_rd] quit # configure traffic behavior b_rd to deny matching packets. [switch] traffic behavior b_rd [switch-behavior-b_rd] filter deny [switch-behavior-b_rd] quit # configure qos policy p_rd to...

  • Page 744

    16-1 16 acl application for packet filtering when applying an acl for packet filtering, go to these sections for information you are interested in: z filtering ethernet frames z filtering ipv4 packets z filtering ipv6 packets z configuring packet filtering statistics function z acl application examp...

  • Page 745

    16-2 filtering ipv6 packets follow these steps to apply an ipv6 acl to an interface to filter ipv6 packets: to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter interface view enter vlan interface view interface...

  • Page 746

    16-3 if you execute the display acl command to display the information about the acls, the device outputs packet filtering statistics except those that have been displayed by the command during that interval. Acl application examples acl application to an ethernet interface network requirements as s...

  • Page 747

    16-4 [devicea] info-center source default channel 0 log level informational acl application to a vlan interface network requirements as shown in figure 16-2 , apply an acl to the inbound direction of interface vlan-interface 100 on device a so that the interface denies ipv4 packets sourced from host...

  • Page 748: Table of Contents

    I table of contents 1 smart link configuration 1-1 smart link overview ...

  • Page 749

    II configuring rrpp ports 3-12 configuring rrpp nodes 3-13 activating an rrpp do...

  • Page 750

    III basic concepts in cfd 6-1 basic functions of cfd 6-4 protocols and ...

  • Page 751: Smart Link Configuration

    1-1 1 smart link configuration when configuring smart link, go to these sections for information that you are interested in: z smart link overview z configuring a smart link device z configuring an associated device z displaying and maintaining smart link z smart link configuration examples smart li...

  • Page 752

    1-2 convergence speed, but it involves complicated networking and configurations and therefore is mainly used in ring-shaped networks. For more information about stp and rrpp, refer to mstp configuration in the access volume and rrpp configuration in the high availability volume. Smart link is a fea...

  • Page 753

    1-3 receive control vlan the receive control vlan is used for receiving and processing flush messages. When link switchover occurs, the devices (such as device a, device b, and device e in figure 1-1 ) receive and process flush messages in the receive control vlan and refresh their mac address forwa...

  • Page 754

    1-4 load sharing mechanism a ring network may carry traffic of multiple vlans. Smart link can forward traffic of different vlans in different smart link groups, thus implementing load sharing. To implement load sharing, you can assign a port to multiple smart link groups (each configured with differ...

  • Page 755

    1-5 configuring protected vlans for a smart link group follow these steps to configure the protected vlans for a smart link group: to do… use the command… remarks enter system view system-view — create a smart link group and enter smart link group view smart-link group group-id — configure protected...

  • Page 757

    1-7 z the control vlan configured for a smart link group must be different from that configured for any other smart link group. Z make sure that the configured control vlan already exists, and assign the smart link group member ports to the control vlan. Z do not remove the control vlan. Otherwise, ...

  • Page 758

    1-8 to do… use the command… remarks enter system view system-view — enter ethernet interface view or layer 2 aggregate interface view interface interface-type interface-number — configure the control vlans for receiving flush messages smart-link flush enable [ control-vlan vlan-id-list] required by ...

  • Page 759

    1-9 to do... Use the command… remarks clear the statistics about flush messages reset smart-link statistics available in user view smart link configuration examples single smart link group configuration example network requirements as shown in figure 1-2: z map vlans 1 through 10, vlans 11 through 2...

  • Page 760

    1-10 [devicec] interface gigabitethernet 1/0/1 [devicec-gigabitethernet1/0/1] undo stp enable [devicec-gigabitethernet1/0/1] port link-type trunk [devicec-gigabitethernet1/0/1] port trunk permit vlan 1 to 30 [devicec-gigabitethernet1/0/1] quit [devicec] interface gigabitethernet 1/0/2 [devicec-gigab...

  • Page 761

    1-11 # create smart link group 1 and configure all vlans mapped to mstis 0 through 2 as the protected vlans. [deviced] smart-link group 1 [deviced-smlk-group1] protected-vlan reference-instance 0 to 2 # configure gigabitethernet 1/0/1 as the master port and gigabitethernet 1/0/2 as the slave port fo...

  • Page 762

    1-12 [devicee-gigabitethernet1/0/2] port trunk permit vlan 1 to 30 [devicee-gigabitethernet1/0/2] smart-link flush enable [devicee-gigabitethernet1/0/2] quit [devicee] interface gigabitethernet 1/0/3 [devicee-gigabitethernet1/0/3] port link-type trunk [devicee-gigabitethernet1/0/3] port trunk permit...

  • Page 763

    1-13 device id of the last flush packet : 000f-e23d-5af0 control vlan of the last flush packet : 1 multiple smart link groups load sharing configuration example network requirements as shown in figure 1-3 : z traffic of vlans 1 through 200 on device c are dually uplinked to device a by device b and ...

  • Page 764

    1-14 [devicec] interface gigabitethernet 1/0/2 [devicec-gigabitethernet1/0/2] undo stp enable [devicec-gigabitethernet1/0/2] port link-type trunk [devicec-gigabitethernet1/0/2] port trunk permit vlan 1 to 200 [devicec-gigabitethernet1/0/2] quit # create smart link group 1, and configure all vlans ma...

  • Page 765

    1-15 [deviceb-gigabitethernet1/0/2] port link-type trunk [deviceb-gigabitethernet1/0/2] port trunk permit vlan 1 to 200 [deviceb-gigabitethernet1/0/2] smart-link flush enable control-vlan 10 101 [deviceb-gigabitethernet1/0/2] quit 3) configuration on device d # create vlan 1 through vlan 200. System...

  • Page 766

    1-16 preemption mode: role control vlan: 10 protected vlan: reference instance 0 member role state flush-count last-flush-time ------------------------------------------------------------------------------- gigabitethernet1/0/1 master actvie 5 16:37:20 2009/02/21 gigabitethernet1/0/2 slave standby 1...

  • Page 767: Monitor Link Configuration

    2-1 2 monitor link configuration when configuring monitor link, go to these sections for information you are interested in: z overview z configuring monitor link z displaying and maintaining monitor link z monitor link configuration example overview monitor link is a port collaboration function. Mon...

  • Page 768

    2-2 configuring monitor link configuration prerequisites before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group. Configuration procedure follow these steps to configure monitor link: to do… use the command… remarks enter system view system...

  • Page 770

    2-4 [devicec-gigabitethernet1/0/2] quit # create smart link group 1 and configure the smart link group to protect all the vlans mapped to mstis 0 through 15 for smart link group 1. [devicec] smart-link group 1 [devicec-smlk-group1]protected-vlan reference-instance 0 to 15 # configure gigabitethernet...

  • Page 771

    2-5 # enable flush message receiving on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 separately. [deviced] interface gigabitethernet 1/0/1 [deviced-gigabitethernet1/0/1] smart-link flush enable [deviced-gigabitethernet1/0/1] quit [deviced] interface gigabitethernet 1/0/2 [deviced-gigabitethernet1...

  • Page 772: Rrpp Configuration

    3-1 3 rrpp configuration when configuring rrpp, go to these sections for information you are interested in: z rrpp overview z rrpp configuration task list z creating an rrpp domain z configuring control vlans z configuring protected vlans z configuring rrpp rings z activating an rrpp domain z config...

  • Page 773

    3-2 basic concepts in rrpp figure 3-1 rrpp networking diagram rrpp domain the interconnected devices with the same domain id and control vlans constitute an rrpp domain. An rrpp domain contains the following elements: primary ring, subring, control vlan, master node, transit node, primary port, seco...

  • Page 774

    3-3 ip address configuration is prohibited on the control vlan interfaces. 2) data vlan a data vlan is a vlan dedicated to transferring data packets. Both rrpp ports and non-rrpp ports can be assigned to a data vlan. Node each device on an rrpp ring is referred to as a node. The role of a node is co...

  • Page 775

    3-4 common port and edge port the ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in figure 3-1 , device b and device c lie on ring 1 and ring 2. Devi...

  • Page 776

    3-5 rrpp timers when rrpp checks the link state of an ethernet ring, the master node sends hello packets out the primary port according to the hello timer and determines whether its secondary port receives the hello packets based on the fail timer. Z the hello timer specifies the interval at which t...

  • Page 777

    3-6 ring recovery the master node may find the ring is restored after a period of time after the ports belonging to the rrpp domain on the transit nodes, the edge nodes, or the assistant-edge nodes are brought up again. A temporary loop may arise in the data vlan during this period. As a result, bro...

  • Page 778

    3-7 single ring as shown in figure 3-2 , there is only a single ring in the network topology. In this case, you only need to define an rrpp domain. Figure 3-2 schematic diagram for a single-ring network tangent rings as shown in figure 3-3 , there are two or more rings in the network topology and on...

  • Page 779

    3-8 figure 3-4 schematic diagram for an intersecting-ring network dual homed rings as shown in figure 3-5 , there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an rrpp domain, and configure one ring as the primary ring...

  • Page 780

    3-9 figure 3-6 schematic diagram for a single-ring load balancing network domain 1 ring 1 device a device b device d device c domain 2 intersecting-ring load balancing in an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in figure 3-7 , ring ...

  • Page 781

    3-10 complete the following tasks to configure rrpp: task remarks creating an rrpp domain required perform this task on all nodes in the rrpp domain. Configuring control vlans required perform this task on all nodes in the rrpp domain. Configuring protected vlans required perform this task on all no...

  • Page 782

    3-11 configuring control vlans before configuring rrpp rings in an rrpp domain, configure the same control vlans for all nodes in the rrpp domain first. Perform this configuration on all nodes in the rrpp domain to be configured. Follow these steps to configure control vlans: to do… use the command…...

  • Page 783

    3-12 configuring rrpp rings when configuring an rrpp ring, you must make some configurations on the ports connecting each node to the rrpp ring before configuring the nodes. Z rrpp ports, that is, ports connecting devices to an rrpp ring, must be layer-2 ge ports, layer-2 xge ports, or layer-2 aggre...

  • Page 785

    3-14 to do… use the command… remarks enter system view system-view — enter rrpp domain view rrpp domain domain-id — specify the current device as a transit node of the ring, and specify the primary port and the secondary port ring ring-id node-mode transit [ primary-port interface-type interface-num...

  • Page 786

    3-15 activating an rrpp domain to activate an rrpp domain on the current device, enable the rrpp protocol and rrpp rings for the rrpp domain on the current device. Perform this operation on all nodes in the rrpp domain. Follow these steps to activate an rrpp domain: to do… use the command… remarks e...

  • Page 787

    3-16 z the fail timer value must be equal to or greater than three times the hello timer value. Z to avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the fail timer value on the master node of the subring and that on the master node o...

  • Page 788

    3-17 displaying and maintaining rrpp to do… use the command… remarks display brief rrpp information display rrpp brief display rrpp group configuration information display rrpp ring-group [ ring-group-id ] display detailed rrpp information display rrpp verbose domain domain-id [ ring ring-id ] displ...

  • Page 789

    3-18 system-view [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] link-delay 0 [devicea-gigabitethernet1/0/1] undo stp enable [devicea-gigabitethernet1/0/1] port link-type trunk [devicea-gigabitethernet1/0/1] port trunk permit vlan all [devicea-gigabitethernet1/0/1] qos trust...

  • Page 790

    3-19 [deviceb-gigabitethernet1/0/2] qos trust dot1p [deviceb-gigabitethernet1/0/2] quit # create rrpp domain 1, configure vlan 4092 as the primary control vlan of rrpp domain 1, and configure the vlans mapped to mstis 0 through 16 as the protected vlans of rrpp domain 1. [deviceb] rrpp domain 1 [dev...

  • Page 791

    3-20 figure 3-9 network diagram for intersecting rings configuration configuration procedure 1) configuration on device a # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 as zero, disable stp, configure the two ports as trunk ports, a...

  • Page 792

    3-21 [devicea-rrpp-domain1] quit # enable rrpp. [devicea] rrpp enable 2) configuration on device b # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1, gigabitethernet 1/0/2, and gigabitethernet 1/0/3 as zero, disable stp, configure the ports as trunk ports, and ...

  • Page 793

    3-22 # enable rrpp. [deviceb] rrpp enable 3) configuration on device c # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1, gigabitethernet 1/0/2, and gigabitethernet 1/0/3 as zero, disable stp, configure the ports as trunk ports, and assign them to all vlans, an...

  • Page 794

    3-23 [devicec] rrpp enable 4) configuration on device d # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 as zero, disable stp, configure the two ports as trunk ports, and assign them to all vlans, and configure them to trust the 802.1...

  • Page 795

    3-24 [devicee] interface gigabitethernet 1/0/2 [devicee-gigabitethernet1/0/2] link-delay 0 [devicee-gigabitethernet1/0/2] undo stp enable [devicee-gigabitethernet1/0/2] port link-type trunk [devicee-gigabitethernet1/0/2] port trunk permit vlan all [devicee-gigabitethernet1/0/2] qos trust dot1p [devi...

  • Page 796

    3-25 figure 3-10 network diagram for intersecting-ring load balancing configuration configuration procedure 1) configuration on device a # create vlans 10 and 20, map vlan 10 to msti 1 and vlan 20 to msti 2, and activate mst region configuration. System-view [devicea] vlan 10 [devicea-vlan10] quit [...

  • Page 797

    3-26 [devicea-gigabitethernet1/0/2] link-delay 0 [devicea-gigabitethernet1/0/2] undo stp enable [devicea-gigabitethernet1/0/2] port link-type trunk [devicea-gigabitethernet1/0/2] undo port trunk permit vlan 1 [devicea-gigabitethernet1/0/2] port trunk permit vlan 10 20 [devicea-gigabitethernet1/0/1] ...

  • Page 798

    3-27 # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 as zero, disable stp, configure the two ports as trunk ports, remove them from vlan 1, and assign them to vlan 10 and vlan 20, and configure them to trust the 802.1p precedence of ...

  • Page 799

    3-28 [deviceb-rrpp-domain1] protected-vlan reference-instance 1 # configure device b as a transit node of primary ring 1 in rrpp domain 1, with gigabitethernet 1/0/1 as the primary port and gigabitethernet 1/0/2 as the secondary port, and enable ring 1. [deviceb-rrpp-domain1] ring 1 node-mode transi...

  • Page 800

    3-29 vlan 1, and assign them to vlan 10 and vlan 20, and configure them to trust the 802.1p precedence of the received packets. [devicec] interface gigabitethernet 1/0/1 [devicec-gigabitethernet1/0/1] link-delay 0 [devicec-gigabitethernet1/0/1] undo stp enable [devicec-gigabitethernet1/0/1] port lin...

  • Page 801

    3-30 # configure device c as the transit node of primary ring 1 in rrpp domain 1, with gigabitethernet 1/0/1 as the primary port and gigabitethernet 1/0/2 as the secondary port, and enable ring 1. [devicec-rrpp-domain1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigab...

  • Page 802

    3-31 [deviced] interface gigabitethernet 1/0/1 [deviced-gigabitethernet1/0/1] link-delay 0 [deviced-gigabitethernet1/0/1] undo stp enable [deviced-gigabitethernet1/0/1] port link-type trunk [deviced-gigabitethernet1/0/1] undo port trunk permit vlan 1 [deviced-gigabitethernet1/0/1] port trunk permit ...

  • Page 803

    3-32 [devicee-vlan20] quit [devicee] stp region-configuration [devicee-mst-region] instance 2 vlan 20 [devicee-mst-region] active region-configuration [devicee-mst-region] quit # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 as zero,...

  • Page 804

    3-33 [devicef-mst-region] active region-configuration [devicef-mst-region] quit # configure the suppression time of physical-link-state changes on gigabitethernet 1/0/1 and gigabitethernet 1/0/2 as zero, disable stp, configure the two ports as trunk ports, remove them from vlan 1, and assign them to...

  • Page 805

    3-34 8) verification after the configuration, you can use the display command to view rrpp configuration and operational information on each device. Troubleshooting symptom: when the link state is normal, the master node cannot receive hello packets, and the master node unblocks the secondary port. ...

  • Page 806: Dldp Configuration

    4-1 4 dldp configuration when performing dldp configuration, go to these sections for information you are interested in: z overview z dldp configuration task list z enabling dldp z setting dldp mode z setting the interval for sending advertisement packets z setting the delaydown timer z setting the ...

  • Page 807

    4-2 figure 4-2 unidirectional fiber link: a fiber not connected or disconnected device a device b pc ge1/0/50 ge1/0/50 ge1/0/51 ge1/0/51 the device link detection protocol (dldp) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, dldp, as configured, can...

  • Page 808

    4-3 state indicates… disable a port enters this state when: z a unidirectional link is detected. Z the contact with the neighbor in enhanced mode gets lost. In this state, the port does not receive or send packets other than dldpdus. Delaydown a port in the active, advertisement, or probe dldp link ...

  • Page 809

    4-4 dldp timer description delaydown timer a device in the active, advertisement, or probe dldp link state transits to delaydown state rather than removes the corresponding neighbor entry and transits to the inactive state when it detects a port-down event. When a device transits to this state, the ...

  • Page 810

    4-5 z in normal dldp mode, only fiber cross-connected unidirectional links (as shown in figure 4-1 ) can be detected. Z in enhanced dldp mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in figure 4-1 ). The other refers to fiber pairs with one fib...

  • Page 811

    4-6 when a device transits from a dldp state other than inactive state or disable state to initial state, it sends flush packets. 2) a received dldp packet is processed as follows. Z in any of the three authentication modes, the packet is dropped if it fails to pass the authentication. Z the packet ...

  • Page 812

    4-7 packet type processing procedure if not, no process is performed. Recoverprobe packet check to see if the local port is in disable or advertisement state. If yes, it returns recoverecho packets. If not, no process is performed. Recoverecho packet check to see if the local port is in disable state. ...

  • Page 813

    4-8 table 4-7 description on dldp neighbor states dldp neighbor state description unknown a neighbor is in this state when it is just detected and is being probed. No information indicating the state of the neighbor is received. A neighbor is in this state only when it is being probed. It transits t...

  • Page 814

    4-9 follow these steps to enable dldp: to do… use the command… remarks enter system view system-view — enable dldp globally dldp enable required globally disabled by default enter ethernet port view interface interface-type interface-number enter ethernet port view or port group view enter port grou...

  • Page 815

    4-10 to do… use the command… remarks set the interval for sending advertisement packets dldp interval time optional 5 seconds by default z the interval for sending advertisement packets applies to all dldp-enabled ports. Z set the interval for sending advertisement packets to a value no longer than ...

  • Page 816

    4-11 links. In this mode, dldp only detects unidirectional links and generates log and traps. The operations to shut down unidirectional link ports are accomplished by the administrator. Z auto mode. In this mode, when a unidirectional link is detected, dldp transits to disable state, generates log ...

  • Page 817

    4-12 z if the port is shut down with the shutdown command manually, use the undo shutdown command on the port. Z if the port is shut down by dldp automatically, use the dldp reset command on the port. Alternatively, you can leave the work to dldp, which can enable the port automatically upon detecti...

  • Page 818

    4-13 dldp configuration example network requirements z device a and device b are connected through two fiber pairs, in which two fibers are cross-connected, as shown in figure 4-4 . Z it is desired that the unidirectional links can be disconnected on being detected; and the ports shut down by dldp c...

  • Page 819

    4-14 configure device b as you configure device a. 3) verifying the configurations you can use the display dldp command to display the dldp configuration information on ports. # display the dldp configuration information on all the dldp-enabled ports of device a. [devicea] display dldp dldp global s...

  • Page 820

    4-15 neighbor aged time : 11 interface gigabitethernet1/0/51 dldp port state : advertisement dldp link state : up the neighbor number of the port is 1. Neighbor mac address : 0000-0000-0102 neighbor port index : 59 neighbor state : two way neighbor aged time : 11 the output information indicates tha...

  • Page 821: Ethernet Oam Configuration

    5-1 5 ethernet oam configuration when configuring the ethernet oam function, go to these sections for information you are interested in: z ethernet oam overview z ethernet oam configuration task list z configuring basic ethernet oam functions z configuring link monitoring z enabling oam remote loopb...

  • Page 822

    5-2 figure 5-1 formats of different types of ethernet oampdus the fields in an oampdu are described as follows: table 5-1 description of the fields in an oampdu field description dest addr destination mac address of the ethernet oampdu. It is a slow protocol multicast address 0180c2000002. As slow p...

  • Page 823

    5-3 table 5-2 functions of different types of oampdus oampdu type function information oampdu used for transmitting state information of an ethernet oam entity (including the information about the local device and remote devices, and customized information) to the remote ethernet oam entity and main...

  • Page 824

    5-4 z oam connections can be initiated only by oam entities operating in active oam mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. Z no oam connection can be established between oam entities operating in passive oam mode. After an etherne...

  • Page 825

    5-5 z the system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in the specific period, that is, the system takes the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this...

  • Page 826

    5-6 task remarks configuring basic ethernet oam functions required configuring errored symbol event detection optional configuring errored frame event detection optional configuring errored frame period event detection optional configuring link monitoring configuring errored frame seconds event dete...

  • Page 827

    5-7 configuring errored symbol event detection an errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold. Follow these steps to configure errored symbol event detection: to do… use the command… remarks enter system vi...

  • Page 828

    5-8 follow these steps to configure errored frame seconds event detection: to do… use the command… remarks enter system view system-view — configure the errored frame seconds event detection interval oam errored-frame-seconds period period-value optional 60 seconds by default configure the errored fr...

  • Page 829

    5-9 z ethernet oam remote loopback is available only after the ethernet oam connection is established and can be performed only by the ethernet oam entities operating in active ethernet oam mode. Z remote loopback is available only on full-duplex links that support remote loopback at both ends. Z et...

  • Page 830

    5-10 figure 5-2 network diagram for ethernet oam configuration configuration procedure 1) configure device a # configure gigabitethernet 1/0/1 to operate in passive ethernet oam mode and enable ethernet oam for it. System-view [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] ...

  • Page 831

    5-11 you can use the display oam link-event command to display the statistics about ethernet oam link events and use the display oam critical-event command to display the ethernet oam configuration information. For example: # display the statistics of ethernet oam critical link events on all the por...

  • Page 832

    6-1 6 connectivity fault detection configuration when configuring cfd, go to these sections for information you are interested in: z overview z cfd configuration task list z basic configuration tasks z configuring cc on meps z configuring lb on meps z configuring lt on meps z displaying and maintain...

  • Page 833

    6-2 figure 6-1 two nested mds cfd exchanges messages and performs operations on a per-domain basis. By planning mds properly in a network, you can use cfd to locate failure points rapidly. Maintenance association a maintenance association (ma) is a set of maintenance points (mps) in a md. An ma is i...

  • Page 834

    6-3 figure 6-2 outward-facing mep figure 6-3 inward-facing mep z mip a mip is internal to an md. It cannot send cfd packets actively; however, it can handle and respond to cfd packets. The ma and md that a mip belongs to define the vlan attribute and level of the packets received. By cooperating wit...

  • Page 835

    6-4 figure 6-4 levels of mps basic functions of cfd cfd works effectively only in properly-configured networks. Its functions, which are implemented through the mps, include: z continuity check (cc); z loopback (lb) z linktrace (lt) continuity check continuity check is responsible for checking the c...

  • Page 836

    6-5 the source mep can identify the path to the destination mep. Note that ltms are multicast frames while ltrs are unicast frames. Protocols and standards the cfd function is implemented in accordance with ieee p802.1ag. Cfd configuration task list for cfd to work effectively, you should first desi...

  • Page 837

    6-6 based on the network design, you should configure meps or the rules for generating mips on each device. However, before doing this you must first configure the service instance. Configuring service instance a service instance is indicated by an integer to represent an ma in an md. The md and ma ...

  • Page 838

    6-7 to do... Use the command... Remarks configure a remote mep for a mep in the same service instance cfd remote-mep remote-mep-id service-instance instance-id mep mep-id required no remote mep is configured for a mep by default. Enable the mep cfd mep service-instance instance-id mep mep-id enable ...

  • Page 839

    6-8 configuring cc on meps after the cc function is configured, meps can send ccms mutually to check the connectivity between them. Configuration prerequisites before configuring this function, you should first complete the mep configuration. Configuring procedure follow these steps to configure cc ...

  • Page 840

    6-9 configuration prerequisites before configuring this function, you should first complete the mep and mip configuration tasks. Configuration procedure follow these steps to configure lb on mep: to do... Use the command... Remarks enter system view system-view — enable lb cfd loopback service-insta...

  • Page 841

    6-10 displaying and maintaining cfd to do... Use the command... Remarks display cfd status display cfd status available in any view display md configuration information display cfd md available in any view display ma configuration information display cfd ma [ [ma-name] md md-name ] available in any ...

  • Page 842

    6-11 figure 6-5 network diagram for md configuration configuration procedure 1) configuration on device a (configuration on device e is the same as that on device a) system-view [devicea] cfd enable [devicea] cfd md md_a level 5 [devicea] cfd ma ma_md_a md md_a vlan 100 [devicea] cfd service-instanc...

  • Page 843

    6-12 z decide the remote mep for each mep, and enable these meps. According to the network diagram as shown in figure 6-6 , perform the following configurations: z in md_a, there are three edge ports: gigabitethernet 1/0/1 on device a, gigabitethernet 1/0/3 on device d and gigabitethernet 1/0/4 on d...

  • Page 844

    6-13 [deviced-gigabitethernet1/0/3] cfd remote-mep 1001 service-instance 1 mep 4002 [deviced-gigabitethernet1/0/3] cfd remote-mep 5001 service-instance 1 mep 4002 [deviced-gigabitethernet1/0/3] cfd mep service-instance 1 mep 4002 enable [deviced-gigabitethernet1/0/3] cfd cc service-instance 1 mep 40...

  • Page 845

    6-14 configuration procedure 1) configure device b system-view [deviceb] cfd mip-rule explicit service-instance 1 2) configure device c system-view [devicec] cfd mip-rule default service-instance 2 after the above operation, you can use the display cfd mp command to verify your configuration. Config...

  • Page 846: Track Configuration

    7-1 7 track configuration when configuring track, go to these sections for information you are interested in: z track overview z track configuration task list z configuring collaboration between the track module and the detection modules z configuring collaboration between the track module and the a...

  • Page 847

    7-2 at present, the only detection module that can collaborate with the track module is the network quality analyzer (nqa). Refer to nqa configuration in the system volume for details of nqa. Collaboration between the track module and the application modules you can establish the collaboration between t...

  • Page 848

    7-3 configuring collaboration between the track module and the application modules configuring track-static routing collaboration you can check the validity of a static route in real time by establishing collaboration between track and static routing. If you specify the next hop but not the egress i...

  • Page 850

    7-5 # configure reaction entry 1, specifying that five consecutive probe failures trigger the static routing-track-nqa collaboration. [switcha-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only [switcha-nqa-admin-test-icmp-echo] quit...

  • Page 851

    7-6 # display the routing table of switch a. [switcha] display ip routing-table routing tables: public destinations : 4 routes : 4 destination/mask proto pre cost nexthop interface 10.2.1.0/24 direct 0 0 10.2.1.2 vlan3 10.2.1.2/32 direct 0 0 127.0.0.1 inloop0 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0...

  • Page 852: Table of Contents

    I table of contents 1 logging in to an ethernet switch ............................................................................................................1-1 logging in to an ethernet switch .......................................................................................................

  • Page 853

    Ii configuration procedure ..................................................................................................................4-3 command accounting configuration example .......................................................................................4-4 network diagram ..........

  • Page 854

    Iii introduction to cli .........................................................................................................................9-15 online help with command lines .................................................................................................9-16 synchronous infor...

  • Page 855

    Iv displaying and maintaining device configuration ..............................................................................11-17 12 ftp configuration .................................................................................................................................12-1 ftp overvi...

  • Page 856

    V 16 snmp configuration..............................................................................................................................16-1 snmp overview....................................................................................................................................1...

  • Page 857

    Vi configuring mac information mode ..............................................................................................19-2 configuring the interval for sending syslog or trap messages....................................................19-2 configuring the mac information queue length ......

  • Page 858

    Vii loading a patch file......................................................................................................................22-6 activating patches .........................................................................................................................22-7 confirm ...

  • Page 859

    Viii voice test configuration example ..............................................................................................22-34 dlsw test configuration example .............................................................................................22-37 nqa collaboration configuration...

  • Page 860

    Ix enabling the cluster function .....................................................................................................25-10 establishing a cluster..................................................................................................................25-10 enabling managemen...

  • Page 861

    X introduction to ipc.........................................................................................................................27-1 enabling ipc performance statistics ....................................................................................................27-2 displaying a...

  • Page 862

    1-1 1 logging in to an ethernet switch when logging in to an ethernet switch, go to these sections for information you are interested in: z logging in to an ethernet switch z introduction to user interface z specifying source for telnet packets z controlling login users logging in to an ethernet swi...

  • Page 863

    1-2 users and user interfaces a device can support one console port and multiple ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces are not associated with specific users. Z when the user initiates a connection request, based on the login type the system autom...

  • Page 864

    1-3 to do… use the command… remarks display the information about the current user interface/all user interfaces display users [ all ] you can execute this command in any view. Display the physical attributes and configuration of the current/a specified user interface display user-interface [ type n...

  • Page 865

    2-1 2 logging in through the console port when logging in through the console port, go to these sections for information you are interested in: z introduction z setting up the connection to the console port z console port login configuration z console port login configuration with authentication mod...

  • Page 866

    2-2 z if you use a pc to connect to the console port, launch a terminal emulation utility (such as terminal in windows 3.X or hyperterminal in windows 9x/windows 2000/windows xp) and perform the configuration shown in figure 2-2 through figure 2-4 for the connection to be created. Normally, the para...

  • Page 867

    2-3 figure 2-4 set port parameters terminal window z turn on the switch. The user will be prompted to press the enter key if the switch successfully completes post (power-on self test). The prompt (such as ) appears after the user presses the enter key. The username is “admin” and none of the passwo...

  • Page 869

    2-5 console port login configurations for different authentication modes table 2-3 lists console port login configurations for different authentication modes. Table 2-3 console port login configurations for different authentication modes authenticati on mode configuration description none configure ...

  • Page 870

    2-6 configuration example network requirements assume the switch is configured to allow you to log in through telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to restrict the console user in the following aspects. Z the user is not authent...

  • Page 871

    2-7 [sysname-ui-aux0] idle-timeout 6 after the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the pc, to make the configuration consistent with that on the switch. Refer to setting up th...

  • Page 872

    2-8 network diagram figure 2-6 network diagram for aux user interface configuration (with the authentication mode being password) configuration procedure # enter system view. System-view # enter aux user interface view. [sysname] user-interface aux 0 # specify to authenticate the user logging in thr...

  • Page 873

    2-9 console port login configuration with authentication mode being scheme configuration procedure follow these steps to perform console port login configuration (with authentication mode being scheme): to do… use the command… remarks enter system view system-view — enter aux user interface view use...

  • Page 874

    2-10 note that, when you log in to an ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the aaa scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command. When th...

  • Page 875

    2-11 # create a local user named guest and enter local user view. [sysname] local-user guest # set the authentication password to 123456 (in plain text). [sysname-luser-guest] password simple 123456 # set the service type to terminal. [sysname-luser-guest] service-type terminal [sysname-luser-guest]...

  • Page 876

    2-12 to do… use the command… remarks enter aux user interface view user-interface aux 0 — enable command authorization command authorization required disabled by default, that is, users can execute commands without authorization. Configuring command accounting command accounting allows the hwtacacs ...

  • Page 877

    3-1 3 logging in through telnet/ssh logging in through telnet when logging in through telnet, go to these sections for information you are interested in: z introduction z common configuration z telnet login configuration with authentication mode being none z telnet login configuration with authentic...

  • Page 878

    3-2 [sysname] telnet server enable [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 202.38.160.92 255.255.255.0 step 2: before telnet users can log in to the switch, corresponding configurations should have been performed on the switch according to different authentication m...

  • Page 879

    3-3 z a telnet connection will be terminated if you delete or modify the ip address of the vlan interface in the telnet session. Z by default, commands of level 0 are available to telnet users authenticated by password. Refer to basic system configuration in the system volume for information about c...

  • Page 880

    3-4 table 3-2 common telnet configuration configuration remarks enter system view system-view — make the switch operate as a telnet server telnet server enable by default, a switch does not operate as a telnet server enter one or more vty user interface views user-interface vty first-number [ las...

  • Page 881

    3-5 table 3-3 telnet login configuration tasks when different authentication modes are adopted task description telnet login configuration with authentication mode being none configure not to authenticate users logging in user interfaces telnet login configuration with authentication mode being pass...

  • Page 882

    3-6 figure 3-4 network diagram for telnet configuration (with the authentication mode being none) 3) configuration procedure # enter system view, and enable the telnet service. System-view [sysname] telnet server enable # enter vty 0 user interface view. [sysname] user-interface vty 0 # configure no...

  • Page 883

    3-7 configuration example 1) network requirements assume that you are a level 3 aux user and want to perform the following configuration for telnet users logging in to vty 0: z authenticate users logging in to vty 0 using the local password. Z set the local password to 123456 (in plain text). Z comm...

  • Page 884

    3-8 telnet login configuration with authentication mode being scheme configuration procedure follow these steps to perform telnet configuration (with authentication mode being scheme): to do… use the command… remarks enter system view system-view — enter one or more vty user interface views user-int...

  • Page 885

    3-9 for more information about aaa, radius, and hwtacacs, see aaa configuration in the security volume. Configuration example 1) network requirements assume that you are a level 3 aux user and want to perform the following configuration for telnet users logging in to vty 0: z configure the name of t...

  • Page 886

    3-10 # configure the user interface to support the telnet protocol. [sysname-ui-vty0] protocol inbound telnet # set the maximum number of lines the screen can contain to 30. [sysname-ui-vty0] screen-length 30 # set the maximum number of commands the history command buffer can store to 20. [sysname-ui-vty0] history-comma...

  • Page 887

    3-11 configuring command accounting command accounting allows the hwtacacs server to record all commands executed on the device regardless of the command execution result. This helps control and monitor the user operations on the device. If command accounting is enabled and command authorization is ...

  • Page 888

    4-1 4 user interface configuration examples user authentication configuration example network diagram as shown in figure 4-1 , command levels should be configured for different users to secure device: z the device administrator accesses device through the console port on host a. When the administrat...

  • Page 889

    4-2 [device-ui-vty0-4] quit # create a radius scheme and configure the ip address and udp port for the primary authentication server for the scheme. Ensure that the port number be consistent with that on the radius server. Set the shared key for authentication packets to expert for the scheme and th...

  • Page 890

    4-3 configuration procedure # assign an ip address to the device to make it reachable from host a and the hwtacacs server. The configuration is omitted. # enable the telnet service on the device. System-view [device] telnet server enable # set to use username and password authentication when...

  • Page 891

    4-4 command accounting configuration example network diagram as shown in figure 4-3 , configure the commands that the login users execute to be recorded on the hwtacacs server to control and monitor user operations. Figure 4-3 network diagram for configuring command accounting internet console conne...

  • Page 892

    4-5 [device-radius-rad] quit # create isp domain system, and configure the isp domain system to use hwtacacs scheme tac for accounting of command line users [device] domain system [device-isp-system] accounting command hwtacacs-scheme tac [device-isp-system] quit.

  • Page 893: Management System

    5-1 5 logging in through web-based network management system introduction a switch 4510g has a built-in web server. You can log in to a switch 4510g through a web browser and manage and maintain the switch intuitively by interacting with the built-in web server. To log in to a switch 4510g throug...

  • Page 894

    5-2 to do… use the command… remarks configure the authorization attributes for the local user authorization-attribute level level optional by default, no authorization attribute is configured for a local user. Specify the service types for the local user service-type telnet optional by default, no s...

  • Page 895

    5-3 step 4: log in to the switch through ie. Launch ie on the web-based network management terminal (your pc) and enter the ip address of the management vlan interface of the switch (here it is http://10.153.17.82). (make sure the route between the web-based network management terminal and the switc...

  • Page 896: Logging In Through Nms

    6-1 6 logging in through nms when logging in through nms, go to these sections for information you are interested in: z introduction z connection establishment using nms introduction you can also log in to a switch through an nms (network management station), and then configure and manage the switch...

  • Page 897

    7-1 7 specifying source for telnet packets when specifying source ip address/interface for telnet packets, go to these sections for information you are interested in: z introduction z specifying source ip address/interface for telnet packets z displaying the source ip address/interface specified for...

  • Page 899: Controlling Login Users

    8-1 8 controlling login users when controlling login users, go to these sections for information you are interested in: z introduction z controlling telnet users z controlling network management users by source ip addresses introduction multiple ways are available for controlling different types of ...

  • Page 901

    8-3 controlling telnet users by source mac addresses this configuration needs to be implemented by layer 2 acl; a layer 2 acl ranges from 4000 to 4999. For the definition of acl, refer to acl configuration in the security volume. Follow these steps to control telnet users by source mac addresses: to...

  • Page 902

    8-4 configuration procedure # define a basic acl. System-view [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [sysname-acl-basic-2000] rule 3 deny source any [sysname-acl-basic-20...

  • Page 904

    8-6 controlling web users by source ip addresses the switch 4510g supports web-based remote management, which allows web users to access the switches using the http protocol. By referencing access control lists (acls), you can control the access of web users to the switches. Prerequisites the control...

  • Page 905

    8-7 figure 8-3 configure an acl to control the access of http users to the switch switch 10.110.100.46 host a ip network host b 10.110.100.52 configuration procedure # create a basic acl. System-view [sysname] acl number 2030 match-order config [sysname-acl-basic-2030] rule 1 permit source 10.110.10...

  • Page 906: Basic System Configurations

    9-1 9 basic system configurations while performing basic configurations of the system, go to these sections for information you are interested in: z configuration display z basic configurations z cli features configuration display to avoid duplicate configuration, you can use the display commands to...

  • Page 907

    9-2 z configuring the device name z configuring the system clock z enabling/disabling the display of copyright information z configuring a banner z configuring cli hotkeys z configuring command aliases z configuring user privilege levels and command levels z displaying and maintaining basic configur...

  • Page 909

    9-4 configuration system clock displayed by the display clock command example if the original system clock is in the daylight saving time range, the original system clock + summer-offset is displayed. Configure: clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2 display: 03:00:00 ss sat 01/...

  • Page 910

    9-5 configuration system clock displayed by the display clock command example if date-time is not in the daylight saving time range, date-time is displayed. Configure: clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:30 2008/1/1 display:...

  • Page 911

    9-6 configuring a banner introduction to banners banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system support...

  • Page 912

    9-7 to do… use the command… remarks configure the banner to be displayed when a user enters user view (non modem login users) header shell text optional configure the banner to be displayed before login header motd text optional configuring cli hotkeys follow these steps to configure cli hotkeys: to...

  • Page 913

    9-8 hotkey function ctrl+x deletes all the characters to the left of the cursor. Ctrl+y deletes all the characters to the right of the cursor. Ctrl+z exits to user view. Ctrl+] terminates an incoming connection or a redirect connection. Esc+b moves the cursor to the leading character of the continuo...

  • Page 914

    9-9 to do… use the command… remarks enter system view system-view — enable the command alias function command-alias enable required disabled by default, that is, you cannot configure command aliases. Configure command aliases command-alias mapping cmdkey alias required not configured by default. Con...

  • Page 915

    9-10 follow these steps to configure user privilege level by using aaa authentication parameters: to do… use the command… remarks enter system view system-view — enter user interface view user-interface [ type ] first-number [ last-number ] — configure the authentication mode for logging in to the u...

  • Page 916

    9-11 [sysname-luser-test] password cipher 123 [sysname-luser-test] service-type telnet after the above configuration, when users telnet to the device through vty 1, they need to input username test and password 123. After passing the authentication, users can only use the commands of level 0. If the...

  • Page 917

    9-12 to do… use the command… remarks configure the privilege level of the user logging in from the current user interface user privilege level level optional by default, the user privilege level for users logging in from the console user interface is 3, and that for users logging from the other user...

  • Page 918

    9-13 undo cancel current setting z authenticate the users logging in to the device through telnet, verify their passwords, and specify the user privilege levels as 2. System-view [sysname] user-interface vty 0 4 [sysname-ui-vty0-4] authentication-mode password [sysname-ui-vty0-4] set authentication ...

  • Page 919

    9-14 z when you configure the password for switching user privilege level with the super password command, the user privilege level is 3 if no user privilege level is specified. Z the password for switching user privilege level can be displayed in both cipher text and simple text. You are recommende...

  • Page 920

    9-15 during daily maintenance or when the system is operating abnormally, you need to view each module’s running status to find the problem. Therefore, you are required to execute the corresponding display commands one by one. To collect more information one time, you can execute the display diagnos...

  • Page 921

    9-16 file for next startup, you need to input st s at least; to enter system view, you need to input sy at least. You can press tab to complement the command, or you can input the complete command. Online help with command lines the following are the types of online help available with the cli: z fu...

  • Page 922

    9-17 5) enter a command followed by a character string and a ?. All the keywords starting with this string are listed. Display ver? Version 6) press tab after entering the first several letters of a keyword to display the complete keyword, provided these letters can uniquely identify the keyword in ...

  • Page 923

    9-18 key function tab pressing tab after entering part of a keyword enables the fuzzy help function. If finding a unique match, the system substitutes the complete keyword for the incomplete one and displays it in the next line; when there are several matches, if you repeatedly press tab, all the ke...

  • Page 924

    9-19 character meaning remarks string$ ending sign, string appears only at the end of a line. For example, regular expression "user$” only matches a string ending with “user”, not “usera”. . Full stop, a wildcard used in place of any character, including single character, special character and blank...

  • Page 925

    9-20 character meaning remarks \string used to match a character string starting with string. For example, “\ “domain” or string “doa”. String\> used to match a character string ending with string. For example, “do\>” can match word “undo” or string “abcdo”. \bcharacter2 used to match character1char...

  • Page 926

    9-21 table 9-6 display functions action function press space when information display pauses continues to display information of the next screen page. Press enter when information display pauses continues to display information of the next line. Press ctrl+c when information display pauses stops the...

  • Page 927

    9-22 command line error information the commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 9-7 lists some common errors. Table 9-7 common command line errors error information cause the command was not found. The keyword was not found. Parameter ...

  • Page 928: Device Management

    10-1 10 device management when configuring device management, go to these sections for information you are interested in: z device management overview z device management configuration task list z configuring the exception handling method z rebooting a device z configuring the scheduled automatic ex...

  • Page 929

    10-2 z maintain: the system maintains the current situation, and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting the system. Sometimes, it is difficult for the system to recover, or some prompts that are printed during the failure are l...

  • Page 930

    10-3 z use the save command to save the current configuration before you reboot the device to avoid configuration loss. (for details of the save command, refer to file system management configuration in the system volume.) z use the display startup command and the display boot-loader command to veri...

  • Page 931

    10-4 z after the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug. Z the system does not require any interactive information when it is executing the spe...

  • Page 932

    10-5 the boot rom program and system boot file can both be upgraded through the boot rom menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the boot rom menu, refer to the installation menu of your device. Up...

  • Page 933

    10-6 when multiple boot rom files are available on the storage media, you can specify a file for the next device boot by executing the following command. A main boot file is used to boot a device and a backup boot file is used to boot a device only when a main boot file is unavailable. Follow the st...

  • Page 934

    10-7 to do… use the command… remarks enter system view system-view — configure a detection interval shutdown-interval time optional the detection interval is 30 seconds by default. Clearing the 16-bit interface indexes not used in the current system in practical networks, the network management soft...

  • Page 935

    10-8 table 10-1 commonly used pluggable transceivers transceiver type application environment whether can be an optical transceiver whether can be an electrical transceiver sfp (small form-factor pluggable) generally used for 100m/1000m ethernet interfaces or pos 155m/622m/2.5g interfaces yes yes sf...

  • Page 936

    10-9 diagnosing pluggable transceivers the system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by h3c also support the digital diagnosis function, which monitors the key parameters of a transceiver, such as temperatu...

  • Page 937

    10-10 to do… use the command… remarks display detailed configurations of the scheduled automatic execution function display schedule job available in any view display the exception handling methods display system-failure available in any view device management configuration examples remote scheduled...

  • Page 938

    10-11 z use text editor on the ftp server to edit batch file auto-update.Txt. The following is the content of the batch file: return startup saved-configuration new-config.Cfg boot-loader file soft-version2.Bin main reboot 2) configuration on device # log in to the ftp server (note that the prompt m...

  • Page 939

    10-12 z the newest application soft-version2.Bin and the newest configuration file new-config.Cfg are both saved under the tftp server. Z the ip address of the irf system is 1.1.1.1/24, the ip address of the tftp server is 2.2.2.2/24, and the tftp server is reachable. Figure 10-3 network diagram for...

  • Page 940

    10-13 please wait ... Setting the master board ... ... Done! Setting the slave board ... Slot 2: set next configuration file successfully # specify file soft-version2.Bin as the boot file for the next boot for all members. Boot-loader file soft-version2.Bin slot all main this command will set the bo...

  • Page 941

    11-1 11 File System Management Configuration. When configuring file system management, go to these sections for information you are interested in: file system management; configuration file management; displaying and maintaining device configuration. File system management: this section covers thes...

  • Page 942

    11-2 Format, description, length, example: path/file-name specifies a file in the specified folder under the current working directory. Path represents the folder name. You can specify multiple folders, indicating a file under a multi-level folder. 1 to 135 characters. test/a.txt: indicates that a file n...

  • Page 944

    11-4 Displaying file information. To do… Use the command… Remarks: display file or directory information: dir [ /all ] [ file-url ] (required, available in user view). Displaying the contents of a file. To do… Use the command… Remarks: display the contents of a file: more file-url (required; currently only a .t...

  • Page 945

    11-5 The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, you need to execute the reset recycle-bin command in the directory that the file originally belongs to. It is recommended to empty the recycle bin promptly with the reset recycle-bin command to save stora...

  • Page 946

    11-6 Execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command has erroneous settings or the conditions for executing the command are not satisfied, the system skips the command and moves on to the next one. Storage medium operations. Managing space of ...

  • Page 948

    11-8 Saving the current configuration; setting configuration rollback; specifying a startup configuration file for the next system startup; backing up the startup configuration file; deleting the startup configuration file for the next startup; restoring the startup configuration file; displ...

  • Page 949

    11-9 At any moment, there is at most one main startup configuration file and one backup startup configuration file. You can specify neither of the two files (displayed as NULL), or specify the two files as the same configuration file. You can specify the main and backup startup configuration files fo...

  • Page 950

    11-10 To do… Use the command… Remarks: enter system view: system-view —; enable configuration file auto-save: slave auto-update config (optional, enabled by default). Modes in saving the configuration: fast saving mode. This is the mode when you use the save command without the safely keyword. The mode sa...

  • Page 951

    11-11 Setting configuration rollback. Configuration rollback allows you to revert to a previous configuration state based on a specified configuration file. The specified configuration file must be a valid .cfg file, namely, it can be generated by using either the backup function (manually or automat...

  • Page 952

    11-12 Configuration task list. Complete these tasks to configure configuration rollback: Task, Remarks: configuring parameters for saving the current running configuration (required); saving the current running configuration automatically / saving the current running configuration manually (required; use ...

  • Page 953

    11-13 The saving and rollback operations are executed only on the master. To make the configuration rollback take effect on the new master after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file ...

  • Page 954

    11-14 Saving the current running configuration manually. Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended to disable the autom...

  • Page 955

    11-15 Specifying a startup configuration file for the next system startup. A startup configuration file is the configuration file to be used at the next system startup. You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two wa...

  • Page 956

    11-16 Before the backup operation, you should: ensure that the server is reachable, the server is enabled with the TFTP service, and the client has permission to read and write; use the display startup command (in user view) to see whether you have set the startup configuration file, and use the dir...

  • Page 957

    11-17 To do… Use the command… Remarks: restore the startup configuration file to be used at the next system startup: restore startup-configuration from src-addr src-filename (required, available in user view). The restore operation restores the main startup configuration file. Before restoring a confi...

  • Page 958: FTP Configuration

    12-1 12 FTP Configuration. When configuring FTP, go to these sections for information you are interested in: FTP overview; configuring the FTP client; configuring the FTP server; displaying and maintaining FTP. FTP overview. Introduction to FTP: the File Transfer Protocol (FTP) is an application la...

  • Page 959

    12-2 Table 12-1 Configuration when the device serves as the FTP client. Device, Configuration, Remarks: Device (FTP client): use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device m...

  • Page 960

    12-3 Configuring the FTP client. Establishing an FTP connection: to access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly; using the open command in FTP client vi...

  • Page 961

    12-4 If no primary IP address is configured on the specified source interface, no FTP connection can be established. If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address ...

  • Page 962

    12-5 To do… Use the command… Remarks: view the detailed information of the files/directories on the FTP server: dir [ remotefile [ localfile ] ] (optional); view the names of the files/directories on the FTP server: ls [ remotefile [ localfile ] ] (optional); download a file from the FTP server: get remotefil...

  • Page 963

    12-6 FTP client configuration example. Single device upgrade. Network requirements: as shown in Figure 12-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads a st...

  • Page 964

    12-7 [ftp] ascii [ftp] put config.cfg back-config.cfg 227 entering passive mode (10,1,1,1,4,2). 125 ascii mode data connection already open, transfer starting for /config.cfg. 226 transfer complete. FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye # Specify newest.bin as the ...

  • Page 965

    12-8 Configuration procedure. If the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use, and then perform the following operations. # Log in to the server through FTP. ftp 10.1.1....

  • Page 966

    12-9 reboot. The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. Configur...

  • Page 967

    12-10 To do… Use the command… Remarks: manually release the FTP connection established with the specified username: free ftp user username (optional, available in user view). Configuring authentication and authorization on the FTP server: to allow an FTP user to access certain directories on the FTP server...

  • Page 968

    12-11 For more information about the local-user, password, service-type ftp, and authorization-attribute commands, refer to AAA Commands in the Security Volume. When the device serves as the FTP server, if the client is to perform write operations (upload, delete, create, and delete, for examp...

  • Page 969

    12-12 # Check files on your device. Remove redundant ones to ensure adequate space for the startup file to be uploaded. dir Directory of flash:/ 0 -rw- 10471471 Sep 18 2008 02:45:15 4510g-d501.bin 1 -rw- 9989823 Jul 14 2008 19:30:46 4510g_b57.bin 2 -rw- 6 Apr 26 2000 12:04:33 patchstate 3 -rw- 2337...

  • Page 970

    12-13 boot-loader file newest.bin main # Reboot the device, and the startup file is updated at the system reboot. reboot. The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. Fo...

  • Page 971

    12-14 [Sysname-luser-ftp] service-type ftp [Sysname-luser-ftp] quit # Enable the FTP server. [Sysname] ftp server enable [Sysname] quit # Check files on your device. Remove redundant ones to ensure adequate space for the startup file to be uploaded. dir Directory of flash:/ 0 -rw- 10471471 Sep 18 2008 ...

  • Page 972

    12-15 You can take the same steps to upgrade the configuration file with FTP. When upgrading the configuration file with FTP, put the new file under the root directory of the storage medium. After you finish upgrading the Boot ROM program through FTP, you must execute the bootrom update command to u...

  • Page 973: TFTP Configuration

    13-1 13 TFTP Configuration. When configuring TFTP, go to these sections for information you are interested in: TFTP overview; configuring the TFTP client; displaying and maintaining the TFTP client; TFTP client configuration example. TFTP overview. Introduction to TFTP: the Trivial File Transfer Pr...

  • Page 974

    13-2 When the device serves as the TFTP client, you need to perform the following configuration: Table 13-1 Configuration when the device serves as the TFTP client. Device, Configuration, Remarks: Device (TFTP client): configure the IP address and routing function, and ensure that the route between the...

  • Page 975

    13-3 Follow these steps to configure the TFTP client: To do… Use the command… Remarks: enter system view: system-view —; control the access to the TFTP servers from the device through an ACL: tftp-server [ ipv6 ] acl acl-number (optional; by default, the access to the TFTP servers from the device is not contr...

  • Page 976

    13-4 TFTP client configuration example. Single device upgrade. Network requirements: as shown in Figure 13-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. Device downloads ...

  • Page 977

    13-5 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. IRF system upgr...

  • Page 978

    13-6 Download application file newest.bin from the PC to the root directory of the storage medium on the master: tftp 1.2.1.1 get newest.bin. Download application file newest.bin from the PC to the root directory of the storage medium on a slave (with the member ID 2): tftp 1.2.1.1 get newest.bin slot2#f...

  • Page 979: HTTP Configuration

    14-1 14 HTTP Configuration. When configuring HTTP, go to these sections for information you are interested in: HTTP overview; enabling the HTTP service; HTTP configuration; associating the HTTP service with an ACL; displaying and maintaining HTTP. HTTP overview: the Hypertext Transfer Protocol (H...

  • Page 980

    14-2 Follow these steps to enable the HTTP service: To do… Use the command… Remarks: enter system view: system-view —; enable the HTTP service: ip http enable (required). Configuring the port number of the HTTP service: configuring the port number of the HTTP service can reduce attacks from illegal...

  • Page 981: HTTPS Configuration

    15-1 15 HTTPS Configuration. When configuring HTTPS, go to these sections for information you are interested in: HTTPS overview; HTTPS configuration task list; associating the HTTPS service with an SSL server policy; enabling the HTTPS service; associating the HTTPS service with a certificate a...

  • Page 982

    15-2 Configuration task, Remarks: configuring the port number of the HTTPS service (optional); associating the HTTPS service with an ACL (optional). Associating the HTTPS service with an SSL server policy: you need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS serv...

  • Page 983

    15-3 After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device alrea...

  • Page 984

    15-4 To do… Use the command… Remarks: enter system view: system-view —; configure the port number of the HTTPS service: ip https port port-number (optional; by default, the port number of the HTTPS service is 443). If you execute the ip https port command multiple times, the last configured port number...

  • Page 985

    15-5 Figure 15-1 Network diagram for HTTPS configuration. Configuration procedure: perform the following configurations on Device: 1) Apply for a certificate for Device. # Configure a PKI entity. system-view [Device] pki entity en [Device-pki-entity-en] common-name http-server1 [Device-pki-entity-en] f...

  • Page 986

    15-6 # Configure certificate access control policy myacp and create a control rule. [Device] pki certificate access-control-policy myacp [Device-pki-cert-acp-myacp] rule 1 permit mygroup1 [Device-pki-cert-acp-myacp] quit 4) Reference an SSL server policy. # Associate the HTTPS service with the SSL se...

  • Page 987: SNMP Configuration

    16-1 16 SNMP Configuration. When configuring SNMP, go to these sections for information you are interested in: SNMP overview; SNMP configuration; configuring SNMP logging; SNMP trap configuration; displaying and maintaining SNMP; SNMP configuration example; SNMP logging configuration example ...

  • Page 988

    16-2 SNMP protocol version. Currently, SNMP agents support SNMPv3 and are compatible with SNMPv1 and SNMPv2c. SNMPv1 uses a community name for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets with community names that did not pass the authentication o...

  • Page 989

    16-3 Figure 16-2 MIB tree. SNMP configuration: as configurations for SNMPv3 differ substantially from those of SNMPv1 and SNMPv2c, their SNMP functionalities are introduced separately below. Follow these steps to configure SNMPv3: To do… Use the command… Remarks: enter system view ...

  • Page 990

    16-4 To do… Use the command… Remarks: configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent: snmp-agent packet max-size byte-count (optional, 1,500 bytes by default); configure the engine ID for a local SNMP agent: snmp-agent local-engineid engineid (optional; company ID ...

  • Page 992

    16-6 Logs occupy storage space on the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging. The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record ...

  • Page 993

    16-7 To enable an interface to send linkUp/linkDown traps when its state changes, you need to enable the trap function for interface state changes both on the interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ st...

  • Page 994

    16-8 To do… Use the command… Remarks: configure the holding time of the traps in the queue: snmp-agent trap life seconds (optional, 120 seconds by default). An extended linkUp/linkDown trap is the standard linkUp/linkDown trap (defined in RFC) appended with interface description and interface type infor...

  • Page 995

    16-9 SNMP configuration example. Network requirements: the NMS connects to the agent, a switch, through an Ethernet. The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on the switch is 1.1.1.1/24. The NMS monitors and manages the agent using SNMPv2c. The agent report...

  • Page 996

    16-10 With SNMPv2c, the user needs to specify the read-only community, the read-write community, the timeout time, and the number of retries. The user can query and configure the device through the NMS. The configurations on the agent and the NMS must match. SNMP logging configuration example. Netw...

  • Page 997

    16-11 # Enable SNMP logging on the agent to log the get and set operations of the NMS. [Sysname] snmp-agent log get-operation [Sysname] snmp-agent log set-operation The following log information is displayed on the terminal when the NMS performs the get operation on the agent. %Jan 1 02:49:40:566 ...

  • Page 998

    16-1 MIB style configuration. The 3Com private MIB involves two styles, 3Com compatible MIB and 3Com new MIB. In the 3Com compatible MIB style, the device sysOID is under the 3Com enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the 3Com new MIB style, both the device sysOID...

  • Page 999: RMON Configuration

    17-1 17 RMON Configuration. When configuring RMON, go to these sections for information you are interested in: RMON overview; configuring RMON; displaying and maintaining RMON; RMON configuration example. RMON overview: this section covers these topics: introduction; RMON groups. Introduction: Re...

  • Page 1000

    17-2 RMON groups. Among the ten RMON groups defined by the RMON specifications (RFC 1757), the device supports the event group, alarm group, history group and statistics group. Besides, 3Com also defines and implements the private alarm group, which enhances the functions of the alarm group. This section...

  • Page 1001

    17-3 If the count result crosses the same threshold multiple times, only the first crossing can cause an alarm event. That is, the rising alarm and falling alarm alternate. History group: the history group periodically collects statistics on data at interfaces and saves the statistics in the histor...

  • Page 1003

    17-5 Displaying and maintaining RMON. To do… Use the command… Remarks: display RMON statistics: display rmon statistics [ interface-type interface-number ] (available in any view); display the RMON history control entry and history sampling information: display rmon history [ interface-type interface-numbe...

  • Page 1004

    17-6 etherStatsBroadcastPkts : 56 , etherStatsMulticastPkts : 34 etherStatsUndersizePkts : 0 , etherStatsOversizePkts : 0 etherStatsFragments : 0 , etherStatsJabbers : 0 etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0 etherStatsDropEvents (insufficient resources): 0 Packets received accordin...

  • Page 1005

    18-1 18 MAC Address Table Management Configuration. When configuring MAC address table management, go to these sections for information you are interested in: introduction to MAC address table; configuring MAC address table management; MAC address table management configuration example; MAC Info...

  • Page 1006

    18-2 If no entry is found, the device adds an entry for the MAC address to indicate from which port the frame was received. When receiving a frame destined for MAC-SOURCE, the device then looks up the MAC address table and forwards it from port 1. To adapt to network changes, MAC address table entries need to ...

  • Page 1007

    18-3 Figure 18-1 Forward frames using the MAC address table. Configuring MAC address table management: the MAC address table management configuration tasks include: configuring MAC address table entries; disabling MAC address learning on a VLAN; configuring the aging timer for dynamic MAC address ...

  • Page 1008

    18-4 Follow these steps to disable MAC address learning on a VLAN: To do… Use the command… Remarks: enter system view: system-view —; enter VLAN view: vlan vlan-id —; disable MAC address learning on the VLAN: mac-address mac-learning disable (required, enabled by default). Once MAC learning is disabled in a V...

  • Page 1009

    18-5 To do… Use the command… Remarks: enter Ethernet interface view or port group view: enter Ethernet interface view: interface interface-type interface-number; enter port group view: port-group manual port-group-name (required; use any of these three commands). The configuration you make in Ethernet interfa...

  • Page 1010

    18-6 000f-e235-dc71 1 Config static GigabitEthernet1/0/1 NOAGED --- 1 mac address(es) found ---

  • Page 1011

    19-1 19 MAC Information Configuration. When configuring MAC Information, go to these sections for information you are interested in: overview; configuring MAC Information; MAC Information configuration example. Overview. Introduction to MAC Information: to monitor a network, you need to monitor user...

  • Page 1012

    19-2 Enabling MAC Information on an interface. Follow these steps to enable MAC Information on an interface: To do… Use the command… Remarks: enter system view: system-view —; enter interface view: interface interface-type interface-number —; enable MAC Information on the interface: mac-address information...

  • Page 1013

    19-3 To do… Use the command… Remarks: enter system view: system-view —; configure the MAC Information queue length: mac-address information queue-length value (optional, 50 by default). Setting the MAC Information queue length to 0 indicates that the device sends a syslog or trap message to the network mana...

  • Page 1014

    19-4 [Device] mac-address information mode syslog # Enable MAC Information on GigabitEthernet 1/0/1. [Device] interface gigabitethernet 1/0/1 [Device-GigabitEthernet1/0/1] mac-address information enable added [Device-GigabitEthernet1/0/1] mac-address information enable deleted [Device-GigabitEthernet...

  • Page 1015

    20-1 20 System Maintenance and Debugging. When maintaining and debugging the system, go to these sections for information you are interested in: system maintenance and debugging; ping; tracert; system debugging; ping and tracert configuration example. System maintenance and debugging: you can use...

  • Page 1016

    20-2 For a low-speed network, it is recommended to set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command. Only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument pi...

  • Page 1017

    20-3 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Reply from 1.1.2.2: bytes=56 Sequence=1 ttl=254 time=53 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequence=2 ttl=254 time=1 ms Record Route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 Reply from 1.1.2.2: bytes=56 Sequen...

  • Page 1018

    20-4 5) Upon receiving the reply, the source device adds the IP address (1.1.1.1) of its inbound interface to the RR option. Finally, you can get the detailed information of routes from Device A to Device C: 1.1.1.1 {1.1.1.2; 1.1.2.1} 1.1.2.2. Tracert. Introduction: by using the tracert command, you c...

  • Page 1020

    20-6 Configuring system debugging. Output of the debugging information may reduce system efficiency. The debugging commands are usually used by administrators in diagnosing network failures. After completing the debugging, disable the corresponding debugging function, or use the undo debugging all com...

  • Page 1021

    20-7 Figure 20-4 Ping and tracert network diagram. Configuration procedure: # Use the ping command to display whether an available route exists between Device A and Device C. ping 1.1.2.2 PING 1.1.2.2: 56 data bytes, press CTRL_C to break Request time out Request time out Request time out Request time...

  • Page 1022

    21-1 21 Information Center Configuration. When configuring the information center, go to these sections for information you are interested in: information center configuration; configuring information center; displaying and maintaining information center; information center configuration examples. In...

  • Page 1023

    21-2 Eight levels of system information. The information is classified into eight levels by severity. The severity levels in descending order are emergency, alert, critical, error, warning, notice, informational and debug. When the system information is output by level, the information with sever...

  • Page 1024

    21-3 Information channel number, default channel name, default output destination: 4, logbuffer, log buffer (receives log and debugging information; a buffer inside the router for recording information); 5, snmpagent, SNMP module (receives trap information); 6, channel6, not specified (receives log, trap, and...

  • Page 1025

    21-4 Table 21-3 Default output rules for different output destinations. Columns: output destination, modules allowed, log (enabled/disabled, severity), trap (enabled/disabled, severity), debug (enabled/disabled, severity). Console: default (all modules); log enabled, warning; trap enabled, debug; debug enabled, debug. Monitor terminal: defaul...

  • Page 1026

    21-5 What follows is a detailed explanation of the fields involved: Int_16 (priority): the priority is calculated using the following formula: facility*8+severity, in which facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges fr...

  • Page 1027

    21-6 If the timestamp starts with a %, the information is log information; if the timestamp starts with a #, the information is trap information; if the timestamp starts with a *, the information is debugging information. Source: this field indicates the source of the information, such as the IRF ...

  • Page 1032

    21-11 Outputting system information to the SNMP module. The SNMP module receives trap information only, and discards log and debugging information even if you have configured them to be output to the SNMP module. To monitor the device running status, trap information is usually sent to the SNMP ...

  • Page 1033

    21-12 Follow these steps to enable synchronous information output: To do… Use the command… Remarks: enter system view: system-view —; enable synchronous information output: info-center synchronous (required, disabled by default). If system information, such as log information, is output before you input a...

  • Page 1035

    21-14 [Sysname] info-center enable # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility. [Sysname] info-center loghost 1.2.0.1 channel loghost facility local4 # Disable the ...

  • Page 1036

    21-15 Be aware of the following issues while editing the file /etc/syslog.conf: comments must be on a separate line and begin with the # sign; no redundant spaces are allowed after the file name; the logging facility name and the information level specified in the /etc/syslog.conf file must be ide...

  • Page 1037

    21-16 [Sysname] info-center source default channel loghost debug state off log state off trap state off As the default system configurations for different channels are different, you need to disable the output of log, trap, and debugging information of all modules on the specified channel (loghost i...

  • Page 1038

    21-17 # syslogd -r & Ensure that the syslogd process is started with the -r option on a Linux log host. After the above configurations, the system will be able to record log information into the log file. Outputting log information to the console. Network requirements: log information with a severit...

  • Page 1039

    21-18 [Sysname] quit # Enable the display of log information on a terminal. (Optional, this function is enabled by default.) terminal monitor % Current terminal monitor is on terminal logging % Current terminal logging is on After the above configuration takes effect, if the specified module generat...

  • Page 1040: Hotfix Configuration

    22-1 22 Hotfix Configuration. When configuring hotfix, go to these sections for information you are interested in: hotfix overview; hotfix configuration task list; displaying and maintaining hotfix; hotfix configuration examples. Hotfix overview: hotfix is a fast and cost-effective method to repai...

  • Page 1041

    22-2 install, and uninstall represent operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for the patches in the DEACTIVE state, the patches turn to the...

  • Page 1042

    22-3 Figure 22-2 Patches are not loaded to the memory patch area. Currently, the system patch area supports up to 200 patches. DEACTIVE state: patches in the DEACTIVE state have been loaded to the memory patch area but have not run in the system yet. Suppose that there are seven patches in the patch f...

  • Page 1043

    22-4 Figure 22-4 Patches are activated. RUNNING state: after you confirm the running of the ACTIVE patches, the state of the patches becomes RUNNING and remains RUNNING after system reboot. For the five patches in Figure 22-4, if you confirm the running of the first three patches, their...

  • Page 1044

    22-5 Configuration prerequisites. Patches are released per device model type. Before patching the system, you need to save the appropriate patch files to the storage media of the device using FTP or TFTP. When saving the patch files, note that: the patch files match the device model and software ve...

  • Page 1045

    22-6 The patch matches the device type and software version. The patch install command changes the patch file location specified with the patch location command to the directory specified by the patch-location argument of the patch install command. Step-by-step patch installation: step-by-step pa...

  • Page 1046

    22-7 Set the file transfer mode to binary mode before using FTP or TFTP to upload/download patch files to/from the flash of the device. Otherwise, the patch file cannot be parsed properly. Follow the steps below to load a patch file: To do… Use the command… Remarks: enter system view: system-view —; load t...

  • Page 1047

    22-8 One-step patch uninstallation. You can use the undo patch install command to uninstall patches from all the member devices. The patches then turn to the IDLE state. This is equivalent to executing the commands patch deactive and patch delete on each member device. Follow these steps to uninstall th...

  • Page 1048

    22-9 Displaying and maintaining hotfix. To do… Use the command… Remarks: display the patch information: display patch information (available in any view). Hotfix configuration examples. Hotfix configuration example (single device). Network requirements: the software running on Device has a problem, an...

  • Page 1049

    22-10 Do you want to continue running patches after reboot? [Y/N]:y Installing patches........ Installation completed, and patches will continue to run after reboot. Hotfix configuration example (IRF device). Network requirements: IRF refers to an IRF in this example and it consists of two IRF devic...

  • Page 1050

    22-11 [Device] patch install flash: Patches will be installed. Continue? [Y/N]:y Do you want to continue running patches after reboot? [Y/N]:y Installing patches........ Installation completed, and patches will continue to run after reboot.

  • Page 1051: NQA Configuration

    22-1 23 NQA configuration. When configuring NQA, go to these sections for information you are interested in: • NQA overview • NQA configuration task list • Configuring the NQA server • Enabling the NQA client • Creating an NQA test group • Configuring an NQA test group • Configuring the collaboration...

  • Page 1052

    22-2 collaboration with other modules is triggered. The implementation of collaboration is shown in Figure 23-1. Figure 23-1: Implementation of collaboration. The collaboration here involves three parts: the application modules, the track module, and the detection modules. • The detection modules mon...

  • Page 1053

    22-3 Basic concepts of NQA test group. Before performing an NQA test, you need to create an NQA test group and configure NQA test parameters such as test type, destination address and destination port. Each test group has an administrator name and operation tag, which can uniquely define a test grou...

  • Page 1054

    22-4 NQA test operation. An NQA test operation is as follows: 1) The NQA client constructs packets of the specified type and sends them to the peer device; 2) upon receiving the packet, the peer device replies with a response carrying a timestamp; 3) the NQA client computes the packet loss rate and RT...

  • Page 1055

    22-5 Task | Remarks. Configuring optional parameters common to an NQA test group | Optional. Scheduling an NQA test group | Required. Configuring the NQA server: before performing TCP, UDP echo, UDP jitter or voice tests, you need to configure the NQA server on the peer device. The NQA server makes a response...

  • Page 1056

    22-6 If you execute the nqa entry command to enter the view of a test group whose test type is already configured, you enter the test type view of the test group directly. Configuring an NQA test group. Configuring an ICMP echo test: an ICMP echo test is used to test reachability of the destination host according...

  • Page 1057

    22-7 To do… | Use the command… | Remarks. Configure the source IP address of a probe request | source ip ip-address | Optional. By default, no source IP address is specified. If no source IP address is specified but the source interface is specified, the IP address of the source interface is taken as the sou...

  • Page 1058

    22-8 To do… | Use the command… | Remarks. Configure common optional parameters | See Configuring optional parameters common to an NQA test group | Optional. • As a DHCP test is a process that simulates address allocation in DHCP, the IP address of the interface performing the DHCP test will not be changed. • After...

  • Page 1060

    22-10 To do… | Use the command… | Remarks. Configure the test type as HTTP and enter test type view | type http | Required. Configure the destination address for a test operation | destination ip ip-address | Required. By default, no destination IP address is configured for a test operation. The destination IP add...

  • Page 1061

    22-11 Delay jitter refers to the difference between the interval at which two consecutive packets are received and the interval at which these two packets were sent. The procedure of a UDP jitter test is as follows: • The source sends packets at regular intervals to the destination port. • The destination affixes ...

  • Page 1062

    22-12 To do… | Use the command… | Remarks. Configure the number of packets sent in a UDP jitter probe | probe packet-number packet-number | Optional. 10 by default. Configure the interval for sending packets in a UDP jitter probe | probe packet-interval packet-interval | Optional. 20 milliseconds by default. Confi...

  • Page 1063

    22-13 To do… | Use the command… | Remarks. Configure the destination address for a test operation | destination ip ip-address | Required. By default, no destination IP address is configured for a test operation. Specify the source port number for a probe request in a test operation | source port port-number | Opt...

  • Page 1064

    22-14 To do… | Use the command… | Remarks. Configure the destination port | destination port port-number | Required. By default, no destination port number is configured for a test operation. The destination port number must be consistent with the port number of the listening service configured on the NQA server...

  • Page 1065

    22-15 To do… | Use the command… | Remarks. Configure the destination port | destination port port-number | Required. By default, no destination port number is configured for a test operation. The destination port number must be the port number of the listening service configured on the NQA server. Configure t...

  • Page 1066

    22-16 interval for the source to send these two successive packets, and thus the network status can be analyzed. The voice parameter values that indicate VoIP network status can also be calculated in a voice test, including: • Calculated Planning Impairment Factor (ICPIF): measures attenuation of vo...

  • Page 1067

    22-17 To do… | Use the command… | Remarks. Configure the advantage factor for calculating MOS and ICPIF values | advantage-factor factor | Optional. By default, the advantage factor is 0. Specify the source IP address for the requests in a test operation | source ip ip-address | Optional. By default, no source IP ...

  • Page 1068

    22-18 Configuration prerequisites: enable the DLSw function on the peer device before a DLSw test. Configuring a DLSw test. Follow these steps to configure a DLSw test: To do… | Use the command… | Remarks. Enter system view | system-view | —. Enter NQA test group view | nqa entry admin-name operation-tag | —. Configure...

  • Page 1069

    22-19 To do… | Use the command… | Remarks. Create a track object and associate it with the specified collaboration object of the NQA test group | track entry-number nqa entry admin-name operation-tag reaction item-num | Required. Not created by default. • You cannot modify the content of a reaction entry usin...

  • Page 1070

    22-20 Configuring the NQA statistics function. NQA puts the NQA tests completed in a specified interval into one group and calculates the statistics of the test results of the group. These statistics form a statistics group. You can use the display nqa statistics command to view information of the s...

  • Page 1072

    22-22 Scheduling an NQA test group. With this configuration, you can set the start time and test duration for a test group to perform NQA tests. The start time can take a specific value or can be now, which indicates that a test is started immediately; the test duration can take a specific value or c...

  • Page 1073

    22-23 Displaying and maintaining NQA. To do… | Use the command… | Remarks. Display history records of NQA test operation information | display nqa history [ admin-name operation-tag ]. Display the results of the last NQA test | display nqa result [ admin-name operation-tag ]. Display the statistics of a type of...

  • Page 1074

    22-24 NQA entry(admin admin, tag test) test results: Destination IP address: 10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average round trip time: 2/5/3 Square-Sum of round trip time: 96 Last succeeded probe time: 2007-08-23 15:00:01.2 Extended results: Packet lost in test: 0...

  • Page 1075

    22-25 [SwitchA-nqa-admin-test] type dhcp [SwitchA-nqa-admin-test-dhcp] operation interface vlan-interface 2 [SwitchA-nqa-admin-test-dhcp] quit # Enable the DHCP test. [SwitchA] nqa schedule admin test start-time now lifetime forever # Disable the DHCP test after it has run for a period of time. [Switch...

  • Page 1076

    22-26 [DeviceA] nqa entry admin test [DeviceA-nqa-admin-test] type ftp [DeviceA-nqa-admin-test-ftp] destination ip 10.2.2.2 [DeviceA-nqa-admin-test-ftp] source ip 10.1.1.1 [DeviceA-nqa-admin-test-ftp] operation put [DeviceA-nqa-admin-test-ftp] username admin [DeviceA-nqa-admin-test-ftp] password sys...

  • Page 1077

    22-27 Figure 23-6: Network diagram for the HTTP tests. Configuration procedure: # Create an HTTP test group and configure related test parameters. system-view [DeviceA] nqa entry admin test [DeviceA-nqa-admin-test] type http [DeviceA-nqa-admin-test-http] destination ip 10.2.2.2 [DeviceA-nqa-admin-test-...

  • Page 1078

    22-28 UDP jitter test configuration example. Network requirements: use the NQA UDP jitter function to test the delay jitter of packet transmission between Device A and Device B. Figure 23-7: Network diagram for UDP jitter tests. Configuration procedure: 1) Configure Device B. # Enable the NQA server and ...

  • Page 1079

    22-29 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packet(s) arrived late: 0 UDP-jitter results: RTT number: 10 Min positive SD: 4 Min positive DS: 1 Max positive SD: 21 Max positive DS: 28 Positive SD number: 5 Positive DS number: 4 Positive SD...

  • Page 1080

    22-30 Min positive SD: 3 Min positive DS: 1 Max positive SD: 30 Max positive DS: 79 Positive SD number: 186 Positive DS number: 158 Positive SD sum: 2602 Positive DS sum: 1928 Positive SD average: 13 Positive DS average: 12 Positive SD square sum: 45304 Positive DS square sum: 31682 Min negative SD:...

  • Page 1081

    22-31 system-view [DeviceB] snmp-agent sys-info version all [DeviceB] snmp-agent community read public [DeviceB] snmp-agent community write private 2) Configure Device A. # Create an SNMP query test group and configure related test parameters. system-view [DeviceA] nqa entry admin test [Devi...

  • Page 1082

    22-32 Figure 23-9: Network diagram for TCP tests. Configuration procedure: 1) Configure Device B. # Enable the NQA server and configure the listening IP address as 10.2.2.2 and port number as 9000. system-view [DeviceB] nqa server enable [DeviceB] nqa server tcp-connect 10.2.2.2 9000 2) Configure Devic...

  • Page 1083

    22-33 NQA entry(admin admin, tag test) history record(s): Index Response Status Time 1 13 Succeeded 2007-11-22 10:27:25.1 UDP echo test configuration example. Network requirements: use the NQA UDP echo function to test the round trip time between Device A and Device B. The port number is 8000. Figure ...

  • Page 1084

    22-34 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 Packet(s) arrived late: 0 # Display the history of UDP echo tests. [DeviceA] display nqa history admin test NQA entry(admin admin, ...

  • Page 1085

    22-35 NQA entry(admin admin, tag test) test results: Destination IP address: 10.2.2.2 Send operation times: 1000 Receive response times: 1000 Min/Max/Average round trip time: 31/1328/33 Square-Sum of round trip time: 2844813 Last succeeded probe time: 2008-06-13 09:49:31.1 Extended results: Packet l...

  • Page 1086

    22-36 Min/Max/Average round trip time: 15/1328/32 Square-Sum of round trip time: 7160528 Extended results: Packet lost in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures du...

  • Page 1087

    22-37 DLSw test configuration example. Network requirements: use the NQA DLSw function to test the response time of the DLSw device. Figure 23-12: Network diagram for the DLSw tests. Configuration procedure: # Create a DLSw test group and configure related test parameters. system-view [DeviceA] nqa entry...

  • Page 1088

    22-38 NQA collaboration configuration example. Network requirements: as shown in Figure 23-13, configure a static route to Switch C on Switch A, with Switch B as the next hop. Associate the static route, track entry, and NQA test group to verify in real time whether the static route is active. Figure 23-...

  • Page 1089

    22-39 [SwitchA] track 1 nqa entry admin test reaction 1 5) Verify the configuration. # On Switch A, display information about all the track entries. [SwitchA] display track all Track ID: 1 Status: Positive Notification delay: Positive 0, Negative 0 (in seconds) Reference object: NQA entry: admin tes...

  • Page 1090

    22-40 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0 The above information shows that the next hop 10.2.1.1 of the static route is not reachable, and the status of the track entry is Negative. The static route does not work.

  • Page 1091: NTP Configuration

    24-1 24 NTP configuration. When configuring NTP, go to these sections for information you are interested in: • NTP overview • NTP configuration task list • Configuring the operation modes of NTP • Configuring optional parameters of NTP • Configuring access-control rights • Configuring NTP authenticat...

  • Page 1092

    24-2 • NTP can unicast, multicast or broadcast protocol messages. How NTP works: Figure 24-1 shows the basic workflow of NTP. Device A and Device B are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. For an easy un...

  • Page 1093

    24-3 NTP message format. NTP uses two types of messages, clock synchronization messages and NTP control messages. An NTP control message is used in environments where network management is needed. As it is not required for clock synchronization, it is not discussed in this document. All NTP messages...

  • Page 1094

    24-4 • Poll: an 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages. • Precision: an 8-bit signed integer indicating the precision of the local clock. • Root delay: round-trip delay to the primary reference source. • Root dispersion: the maximum err...

  • Page 1095

    24-5 Symmetric peers mode. Figure 24-4: Symmetric peers mode. A device working in the symmetric active mode periodically sends clock synchronization messages, with the Mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive...

  • Page 1096

    24-6 Multicast mode. Figure 24-6: Multicast mode (figure labels: Network; Client; Server; after receiving the first multicast message, the client sends a request; clock synchronization message exchange (Mode 3 and Mode 4); periodically multicasts clock synchronization messages (Mode 5); calculates the network delay between...

  • Page 1097

    24-7 Task | Remarks. Configuring access-control rights | Optional. Configuring NTP authentication | Optional. Configuring the operation modes of NTP: devices can implement clock synchronization in one of the following modes: • Client/server mode • Symmetric mode • Broadcast mode • Multicast mode. For the clien...

  • Page 1098

    24-8 • In the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. • When the source interface for NTP messages is specified by the source-interface argument, the source IP address of the ...

  • Page 1099

    24-9 Configuring NTP broadcast mode. The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in NTP broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadc...

  • Page 1100

    24-10 Configuring a multicast client. To do… | Use the command… | Remarks. Enter system view | system-view | —. Enter interface view | interface interface-type interface-number | Enter the view of the interface used to receive NTP multicast messages. Configure the device to work in the NTP multicast client mode | ntp-service mu...

  • Page 1101

    24-11 • If you have specified the source interface for NTP messages in the ntp-service unicast-server or ntp-service unicast-peer command, the interface specified in the ntp-service unicast-server or ntp-service unicast-peer command serves as the source interface of NTP messages. • If you have confi...

  • Page 1102

    24-12 • Peer: full access. This level of right permits the peer devices to perform synchronization and control query to the local device, and also permits the local device to synchronize its clock to that of a peer device. From the highest NTP service access-control right to the lowest, they are peer, ...

  • Page 1103

    24-13 NTP server (symmetric-passive peer if in the symmetric peer mode). Otherwise, the NTP authentication feature cannot be enabled normally. • For the broadcast server mode or multicast server mode, you need to associate the specified authentication key on the broadcast server or multicast server ...

  • Page 1104

    24-14 Configuring NTP authentication for a server. Follow these steps to configure NTP authentication for a server: To do… | Use the command… | Remarks. Enter system view | system-view | —. Enable NTP authentication | ntp-service authentication enable | Required. Disabled by default. Configure an NTP authentication ...

  • Page 1105

    24-15 NTP configuration examples. Configuring NTP client/server mode. Network requirements: • The local clock of Switch A is to be used as a master clock, with the stratum level of 2. • Switch B works in the client/server mode and Switch A is to be used as the NTP server of Switch B. Figure 24-7: Networ...

  • Page 1106

    24-16 As shown above, Switch B has been synchronized to Switch A, and the clock stratum level of Switch B is 3, while that of Switch A is 2. # View the NTP session information of Switch B, which shows that an association has been set up between Switch B and Switch A. [SwitchB] display ntp-service se...

  • Page 1107

    24-17 In the step above, Switch B and Switch C are configured as symmetric peers, with Switch C in the symmetric-active mode and Switch B in the symmetric-passive mode. Because the stratum level of Switch C is 1 while that of Switch B is 3, Switch B is synchronized to Switch C. # View the NTP status...

  • Page 1108

    24-18 Configuring NTP broadcast mode. Network requirements: • The local clock of Switch C is to be used as the master clock, with a stratum level of 2. • Switch C works in the broadcast server mode and sends out broadcast messages from VLAN-interface 2. • Switch A and Switch D work in the broadcast cl...

  • Page 1109

    24-19 Because Switch A and Switch C are on different subnets, Switch A cannot receive the broadcast messages from Switch C. Switch D gets synchronized upon receiving a broadcast message from Switch C. # View the NTP status of Switch D after clock synchronization. [SwitchD-Vlan-interface2] display nt...

  • Page 1110

    24-20 Figure 24-10: Network diagram for NTP multicast mode configuration. Configuration procedure: 1) Configuration on Switch C: # Configure Switch C to work in the multicast server mode and send multicast messages through VLAN-interface 2. system-view [SwitchC] interface vlan-interface 2 [SwitchC-Vlan...

  • Page 1111

    24-21 As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 3, while that of Switch C is 2. # View the NTP session information of Switch D, which shows that an association has been set up between Switch D and Switch C. [SwitchD-Vlan-interface2] displa...

  • Page 1112

    24-22 Peer dispersion: 34.30 ms Reference time: 16:02:49.713 UTC Sep 19 2005 (C6D95F6F.B6872B02) As shown above, Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2. # View the NTP session information of Switch A, which shows that an ...

  • Page 1113

    24-23 Before Switch B can synchronize its clock to that of Switch A, you need to enable NTP authentication for Switch A. Perform the following configuration on Switch A: # Enable NTP authentication. [SwitchA] ntp-service authentication enable # Set an authentication key. [SwitchA] ntp-service authen...

  • Page 1114

    24-24 • Switch C works in the broadcast server mode and sends out broadcast messages from VLAN-interface 2. • Switch D works in the broadcast client mode and receives broadcast messages through VLAN-interface 2. • NTP authentication is enabled on both Switch C and Switch D. Figure 24-12: Network diag...

  • Page 1115

    24-25 Clock status: synchronized Clock stratum: 4 Reference clock ID: 3.0.1.31 Nominal frequency: 64.0000 Hz Actual frequency: 64.0000 Hz Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time: 16:01:51.713 UTC Sep 19 2005 ...

  • Page 1116

    25-1 25 Cluster management configuration. When configuring cluster management, go to these sections for information you are interested in: • Cluster management overview • Cluster configuration task list • Configuring the management device • Configuring the member devices • Configuring access between ...

  • Page 1117

    25-2 Figure 25-1: Network diagram for a cluster. As shown in Figure 25-1, the device that is configured with a public IP address and performs the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to ...

  • Page 1118

    25-3 Introduction to NDP. NDP is used to discover information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways: • A device running NDP periodically sends NDP packets to its neighbors. An N...

  • Page 1119

    25-4 then forwards the NTDP topology collection request after its prior port forwards the NTDP topology collection request. Cluster management maintenance. 1) Adding a candidate device to a cluster: you should specify the management device before creating a cluster. The management device discovers and...

  • Page 1120

    25-5 member device which is in Disconnect state will be added to the cluster. After that, the state of the member device locally and on the management device will be changed to Active. Besides, a member device informs the management device using handshake packets when there is a neighbor topology ch...

  • Page 1121

    25-6 Complete these tasks to configure a cluster: Task | Remarks. Enabling NDP globally and for specific ports | Optional. Configuring NDP parameters | Optional. Enabling NTDP globally and for specific ports | Optional. Configuring NTDP parameters | Optional. Manually collecting topology information | Optional. Enabl...

  • Page 1122

    25-7 • Disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed, but will affect the normal operation of the cluster. • When both the cluster function and the 802.1X function (or the MAC address authenti...

  • Page 1123

    25-8 Configuring NDP parameters. A port enabled with NDP periodically sends NDP packets to its neighbors. If no NDP information from the neighbor is received when the holdtime times out, the corresponding entry is removed from the NDP table. Follow these steps to configure NDP parameters: To do… | Use ...

  • Page 1124

    25-9 of the devices in a specified range, thus avoiding unlimited topology collection. After the interval for collecting topology information is configured, the device collects the topology information at this interval. To avoid network congestion caused by large numbers of topology responses receiv...

  • Page 1125

    25-10 Enabling the cluster function. To do… | Use the command… | Remarks. Enter system view | system-view | —. Enable the cluster function globally | cluster enable | Optional. Enabled by default. Establishing a cluster: before establishing a cluster, you need to specify the management VLAN, and you cannot modify th...

  • Page 1126

    25-11 Enabling management VLAN auto-negotiation. The management VLAN limits the cluster management range. If the device discovered by the management device does not belong to the management VLAN, meaning that the cascade ports and the ports connecting with the management device do not allow the packets fr...

  • Page 1127

    25-12 of 0180-C200-000A, cluster management packets cannot traverse these devices. For a cluster to work normally in this case, you can modify the destination MAC address of a cluster management protocol packet without changing the current networking. The management device periodically sends MAC add...

  • Page 1128

    25-13 Removing a member device. To do… | Use the command… | Remarks. Enter system view | system-view | —. Enter cluster view | cluster | —. Remove a member device from the cluster | delete-member member-number [ to-black-list ] | Required. Rebooting a member device. To do… | Use the command… | Remarks. Enter system view | syste...

  • Page 1129

    25-14 the member devices through the management device. You can manage member devices in a cluster by switching from the operation interface of the management device to that of a member device, or configure the management device by switching from the operation interface of a member device to tha...

  • Page 1130

    25-15 To do… | Use the command… | Remarks. Add a candidate device to the cluster | administrator-address mac-address name name | Required. Configuring advanced cluster functions. This section covers these topics: • Configuring topology management • Configuring interaction for a cluster • SNMP configuration syn...

  • Page 1132

    25-17 To do… | Use the command… | Remarks. Configure the NM interface of the management device | nm-interface vlan-interface vlan-interface-id | Optional. To isolate management protocol packets of a cluster from packets outside the cluster, you are recommended to prohibit packets from the managem...

  • Page 1133

    25-18 • The SNMP-related configurations are retained when a cluster is dismissed or the member devices are removed from the whitelist. • For information about SNMP, refer to SNMP Configuration in the System Volume. Configuring web user accounts in batches. Configuring web user accounts in batches ena...

  • Page 1134

    25-19 Displaying and maintaining cluster management. To do… | Use the command… | Remarks. Display NDP configuration information | display ndp [ interface interface-list ]. Display the global NTDP information | display ntdp. Display the device information collected through NTDP | display ntdp device-list [ verbose...

  • Page 1135

    25-20 Figure 25-4: Network diagram for cluster management configuration. Configuration procedure: 1) Configure the member device Switch A. # Enable NDP globally and for port GigabitEthernet 1/0/1. system-view [SwitchA] ndp enable [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] n...

  • Page 1136

    25-21 [SwitchB-GigabitEthernet1/0/3] quit # Configure the period for the receiving device to keep NDP packets as 200 seconds. [SwitchB] ndp timer aging 200 # Configure the interval to send NDP packets as 70 seconds. [SwitchB] ndp timer hello 70 # Enable NTDP globally and for ports GigabitEthernet 1/...

  • Page 1137

    25-22 [SwitchB-cluster] build abc Restore topology from local flash file, for there is no base topology. (Please confirm in 30 seconds, default no). (y/n) n # Enable management VLAN auto-negotiation. [abc_0.SwitchB-cluster] management-vlan synchronization enable # Configure the holdtime of the member...

  • Page 1138: IRF Configuration

    25-1 26 IRF configuration. When configuring IRF, go to these sections for information you are interested in: • IRF overview • IRF working process • IRF configuration task list • IRF configuration • Logging in to an IRF • Displaying and maintaining IRF • IRF configuration examples. IRF overview. Introdu...

  • Page 1139

    25-2 Figure 26-1: IRF networking (figure labels: IP network; IRF; IRF cable; equals; Master; Slave; Slave). IRF has the following advantages: • Simple management: after an IRF is formed, you can log in to the IRF system by connecting to a port of any IRF member. When you log in to the IRF, you actually l...

  • Page 1140

    25-3 of the switch to provide physical IRF ports. The following 10 GE interface modules can be used to provide physical IRF ports: • One-port 10 GE XFP interface module • Dual-port 10 GE XFP interface module • Short-haul dual-port 10 GE CX4 interface module • Dual-port 10 GE SFP+ interface module. Fo...

  • Page 1141

    25-4 An IRF typically has a bus connection or a ring connection: • Bus connection: given a device, its IRF port 1 is connected to IRF port 2 of another device, and its IRF port 2 is connected to IRF port 1 of a third one; devices are connected to form a single straight connection, as shown in Figure...

  • Page 1142

    25-5 Figure 26-4: IRF port correspondence. Based on the type and number of the interface modules inserted on Switch A, you can adopt one of the following typical correspondences to establish an IRF connection. • The dual-port 10 GE CX4 interface module is used in the following examples to introduce cor...

  • Page 1143

    25-6 Figure 26-6: Correspondence in non-aggregate mode for two interface modules. When two dual-port interface modules are installed and the correspondence is not in the aggregate mode, you can bind an IRF port to any physical IRF port (Figure 26-6 only shows one possibility). However, you must ensur...

  • Page 1144

    25-7 addition, you can only bind IRF-port 1 to physical IRF ports 1 and 2, and IRF-port 2 to physical ports 3 and 4. If one dual-port interface module and one single-port interface module are installed, you can bind the two physical IRF ports on the dual-port interface module to the IRF port in aggregat...

  • Page 1145

    25-8 • The precision of the system up-time is six minutes. For example, if two devices with the same priority values reboot one after another within six minutes, they will have the same system up-time and the last role election principle will be followed, that is, the one with the lowest bridge MAC ...

  • Page 1146

    25-9 Interface name. For a device operating independently (that is, the device does not belong to any IRF), its interface name is in the following format: member ID/slot number/interface serial number, where: • By default, the member ID is 1. • After a device leaves an IRF, it continues using the member I...

  • Page 1147

    25-10 0 -rw- 1568 Jul 14 2008 11:54:04 aa(20080714).cfg 30861 KB total (20956 KB free) To access the file system of the master, use the name of the storage device; to access the file system of a slave, use the name in the following format: member-id#storage-device-name. For example: 1) To access the...

  • Page 1148

    25-11 IRF uses a strict configuration file synchronization mechanism to ensure that devices in an IRF can work as a single device on the network, and to ensure that after the master fails, the other devices can operate normally. • When a slave starts up, it automatically finds the master, synchr...

  • Page 1149

    25-12 Complete the following tasks to configure IRF: Task | Remarks. Configuring IRF ports | Required. Setting a member ID for a device | Optional. Specifying a priority for an IRF member | Required. Specifying the preservation time of the IRF bridge MAC address | Optional. Enabling auto upgrade of boot files | Optional...

  • Page 1150

    25-13 • The above configuration takes effect after the reboot of the device. • An IRF port that is bound with multiple physical IRF ports is an aggregation IRF port, which increases the bandwidth and reliability on the IRF port. If you specify multiple physical IRF ports with the port-list argument,...

  • Page 1151

    25-14 • The above setting takes effect after the reboot of the device. • You can use the display irf configuration command to view the current member ID of the device and the member ID that will be used after the device reboots. • In an IRF, member IDs are not only used to identify devices, but also used ...

  • Page 1152

    25-15 In an IRF, the bridge MAC address of a member device is called the member bridge MAC address. The IRF communicates with the outside as a single device; therefore, it also has a bridge MAC address, which is called the IRF bridge MAC address. Typically, an IRF uses the bridge MAC address of the mast...

  • Page 1153

    25-16 If this function is enabled, as soon as a device is added to an IRF, the system compares its software version with that of the master. If the versions are not consistent, the device automatically downloads the boot file from the master, reboots with the new boot file, and joins the IRF again...

  • Page 1154

    25-17 Logging in to an IRF. Logging in to the master: after an IRF is formed, you can access the console of the IRF system through the AUX or console port of any member device. Configure an IP address for the VLAN interface of a member device and make sure that the route is reachable, and then you can...

  • Page 1155

    25-18 Displaying and maintaining IRF (to do: use the command; remarks): Display related information of the IRF: display irf; available in any view. Display topology information of the IRF: display irf topology; available in any view. Display the pre-configurations of all members of the IRF (the pre-configura...

  • Page 1156

    25-19 Warning: renumbering the switch number may result in configuration change or loss. Continue?[y/n]:y [switch2] irf member 1 irf-port 1 port 2 [switch2] irf member 1 irf-port 2 port 3 # Configure Switch 3. system-view [switch3] irf member 1 renumber 3 Warning: renumbering the switch number may r...

  • Page 1157: Ipc Configuration

    27-1 27 IPC Configuration. When configuring IPC, go to these sections for information you are interested in: IPC overview; Enabling IPC performance statistics; Displaying and maintaining IPC. IPC overview. Introduction to IPC: inter-process communication (IPC) is a reliable communication mechanism a...

  • Page 1158

    27-2 Data of an upper-layer application module is sent to the IPC module through a channel, and the IPC module sends the data to a peer node through the link. The relationship between a node, link and channel is as shown in Figure 27-1. Figure 27-1 Relationship between a node, link and channel: node...

  • Page 1160: Automatic Configuration

    28-1 28 Automatic Configuration. When configuring automatic configuration, go to these sections for information you are interested in: Introduction to automatic configuration; Typical networking of automatic configuration; How automatic configuration works. Introduction to automatic configuration ...

  • Page 1161

    28-2 name of the TFTP server from a DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server. If the DHCP server, TFTP server, DNS server, and the device that performs automatic configuration are not in the same segment...

  • Page 1162

    28-3 Figure 28-2 Work flow of automatic configuration (flowchart; node labels recovered from the figure: start the device without loading the configuration file; the interface obtains parameters through DHCP; is the TFTP server address contained in the parameters?; unicast a TFTP request to obtain the configuration file; broadcast ...)

  • Page 1163

    28-4 The configuration file name is carried in the Option 67 field or the file field of the DHCP response. The device first parses the Option 67 field; if this field contains the configuration file name, the device does not parse the file field; otherwise, it parses the file field. Temporary configura...

  • Page 1164

    28-5 When you configure manual address allocation, you need to configure the client ID of the static binding (when a device works as a DHCP client, it uses the client ID as its identifier). Therefore, obtain the client ID in this way: start the device that performs automatic configuration, enable...

  • Page 1165

    28-6 Obtaining the configuration file. Figure 28-3 Obtain the configuration file (flowchart; node labels recovered from the figure: is the configuration file contained in the DHCP response?; obtain the network intermediate file; search the domain name corresponding to the IP address in the network intermediate file; obtain the specified configuratio...)

  • Page 1166

    28-7 If the IP address and the domain name of the TFTP server are not contained in the DHCP response, or they are invalid, the device broadcasts a TFTP request to the TFTP server. When broadcasting a TFTP request, the device obtains the configuration file from the TFTP server that responds th...