3Com 5500-EI PWR Install Manual

Summary of 5500-EI PWR

  • Page 1

Table of contents: 1 CLI Configuration 1-1; Introduction to the CLI ...

  • Page 2: Cli Configuration

1-1 1 CLI Configuration. When configuring the CLI, go to these sections for the information you are interested in: Introduction to the CLI; Command hierarchy; CLI views; CLI features. Introduction to the CLI: a command line interface (CLI) is a user interface for interacting with a switch. Through the CLI on ...

  • Page 3

1-2 Monitor level (level 1): commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal. System level (level 2): commands at this level are mainly used to configure servic...

  • Page 4

1-3 To do... / Use the command... / Remarks: Configure the level of a command in a specific view: command-privilege level level view view command (required). You are recommended to use the default command level or modify the command level under the guidance of professional staff; otherwise, the change of comma...

  • Page 5

    1-4 can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict the operation by others. The high-to-low user level switching is unlimited. H...

  • Page 6

1-5 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication serve...

  • Page 7

1-6 To do... / Use the command... / Remarks: Enter system view: system-view. Enter ISP domain view: domain domain-name. Set the HWTACACS authentication scheme for user level switching: authentication super hwtacacs-scheme hwtacacs-scheme-name (required). By default, the HWTACACS authentication scheme for user lev...

  • Page 8

1-7 # Set the password used by the current user to switch to level 3. [sysname] super password level 3 simple 123. A VTY 0 user switches its level to level 3 after logging in. # A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3. super 3 Password: User priv...

  • Page 9

1-8 Table 1-1 lists the CLI views provided by the 3Com Switch 5500-EI, the operations that can be performed in the different CLI views, and the commands used to enter specific CLI views. Table 1-1 CLI views (View / Available operation / Prompt example / Enter method / Quit method): User view: display operation status an...

  • Page 10

1-9 (View / Available operation / Prompt example / Enter method / Quit method) User interface view: configure user interface parameters; [sysname-ui-aux0]; execute the user-interface command in system view. FTP client view: configure FTP client parameters; [ftp]; execute the ftp command in user view. SFTP client vi...

  • Page 11

1-10 (View / Available operation / Prompt example / Enter method / Quit method) OSPF view: configure OSPF protocol parameters; [sysname-ospf-1]; execute the ospf command in system view. OSPF area view: configure OSPF area parameters; [sysname-ospf-1-area-0.0.0.1]; execute the area command in OSPF view. Execute the...

  • Page 12

1-11 (View / Available operation / Prompt example / Enter method / Quit method) MSDP view: configure MSDP parameters; [sysname-msdp]; execute the msdp command in system view. PoE profile view: configure PoE profile parameters; [sysname-poe-profile-a123]; execute the poe-profile command in system view. Smart link g...

  • Page 13

1-12 boot: set boot option; cd: change current directory; clock: specify the system clock; cluster: run cluster command; copy: copy from one file to another; debugging: enable system debugging functions; delete: delete a file; dir: list files on a file system; display: display current system information. 2) Enter a c...

  • Page 14

1-13 Terminal display: the CLI provides the screen splitting feature to suspend display output when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 1-2). Table 1-2 Display-related operations (Operation / Function): Press <Ctrl+C>: stop the displa...

  • Page 15

1-14 Table 1-3 Common error messages (Error message / Remarks): Unrecognized command: the command does not exist; the keyword does not exist; the parameter type is wrong; the parameter value is out of range. Incomplete command: the command entered is incomplete. Too many parameters: the parameters entered a...

  • Page 16: Table of Contents

Table of contents: 1 Logging In to an Ethernet Switch 1-1; Logging in to an Ethernet switch ...

  • Page 17

Modem connection establishment 4-2; 5 Logging In Through the Web-based Network Management System 5-1; Introduction ...

  • Page 18

1-1 1 Logging In to an Ethernet Switch. Go to these sections for the information you are interested in: Logging in to an Ethernet switch; Introduction to the user interface. Logging in to an Ethernet switch: you can log in to an Ethernet switch in one of the following ways: Logging in through the cons...

  • Page 19

1-2 User interface index: two kinds of user interface index exist: absolute user interface index and relative user interface index. 1) The absolute user interface indexes are as follows: the absolute AUX user interfaces are numbered 0 through 7; VTY user interface indexes follow AUX user interfac...

  • Page 20

1-3 To do... / Use the command... / Remarks: Enter user interface view: user-interface [ type ] first-number [ last-number ]. Display the information about the current user interface/all user interfaces: display users [ all ]. Display the physical attributes and configuration of the current/a specified user in...

  • Page 21

2-1 2 Logging In Through the Console Port. Go to these sections for the information you are interested in: Introduction; Logging in through the console port; Console port login configuration; Console port login configuration with authentication mode being none; Console port login configuration with...

  • Page 22

2-2 2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.x or HyperTerminal in Windows 9x/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure ...

  • Page 23

2-3 Figure 2-4 Set port parameters. 3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. 4) You can then configure the switch or check the information about the switch by ex...

  • Page 24

2-4 (Configuration / Remarks) Set the maximum number of lines the screen can contain: optional; by default, the screen can contain up to 24 lines. Set history command buffer size: optional; by default, the history command buffer can contain up to 10 commands. Set the timeout time of a user interface: optiona...

  • Page 25

2-5 (Authentication mode / Console port login configuration / Remarks) Specify to perform local authentication or remote RADIUS authentication: AAA configuration specifies whether to perform local authentication or RADIUS authentication; optional; local authentication is performed by default. Refer to the AA...

  • Page 27

2-7 Commands of level 2 are available to the users logging in to the AUX user interface. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of the AUX user interface is 6 minutes...

  • Page 28

2-8 Console port login configuration with authentication mode being password. Configuration procedure: follow these steps to configure console port login with the authentication mode being password. To do... / Use the command... / Remarks: Enter system view: system-view. Enter AUX user interface view: user-inte...

  • Page 29

2-9 To do... / Use the command... / Remarks: Set the timeout time for the user interface: idle-timeout minutes [ seconds ]; optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed ...

  • Page 30

2-10 # Specify to authenticate users logging in through the console port using the local password. [sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [sysname-ui-aux0] set authentication password simple 123456 # Specify that commands of level 2 are availabl...

  • Page 32

2-12 To do... / Use the command... / Remarks: Set the timeout time for the user interface: idle-timeout minutes [ seconds ]; optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed ...

  • Page 33

2-13 Configuration procedure: # Enter system view. system-view # Create a local user named guest and enter local user view. [sysname] local-user guest # Set the authentication password to 123456 (in plain text). [sysname-luser-guest] password simple 123456 # Set the service type to terminal, specify ...

  • Page 34: Logging In Through Telnet

3-1 3 Logging In Through Telnet. Go to these sections for the information you are interested in: Introduction; Telnet configuration with authentication mode being none; Telnet configuration with authentication mode being password. Introduction: the Switch 5500-EI supports Telnet. You can manage and maintain...

  • Page 35

3-2 (Configuration / Description) Make terminal services available: optional; by default, terminal services are available in all user interfaces. Set the maximum number of lines the screen can contain: optional; by default, the screen can contain up to 24 lines. Set history command buffer size: optional; by de...

  • Page 36

3-3 To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the au...

  • Page 37

3-4 To do... / Use the command... / Remarks: Set the history command buffer size: history-command max-size value; optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default. Set the timeout time of the VTY user interface: idle-timeout minutes...

  • Page 38

3-5 [sysname-ui-vty0] authentication-mode none # Specify that commands of level 2 are available to users logging in to VTY 0. [sysname-ui-vty0] user privilege level 2 # Configure the Telnet protocol to be supported. [sysname-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can conta...

  • Page 39

3-6 To do... / Use the command... / Remarks: Set the maximum number of lines the screen can contain: screen-length screen-length; optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function of displaying information in pages. Set the history command ...

  • Page 40

3-7 Configuration procedure: # Enter system view. system-view # Enter VTY 0 user interface view. [sysname] user-interface vty 0 # Configure to authenticate users logging in to VTY 0 using the password. [sysname-ui-vty0] authentication-mode password # Set the local password to 123456 (in plain text). ...

  • Page 43

3-10 (Scenario / Authentication mode / User type / Command / Command level) The user privilege level level command is executed, and the service-type command does not specify the available command level: level 0. The user privilege level level command is executed, and the service-type command specifies the avai...

  • Page 44

3-11 # Set the authentication password of the local user to 123456 (in plain text). [sysname-luser-guest] password simple 123456 # Set the service type to Telnet, specify that commands of level 2 are available to users logging in to VTY 0. [sysname-luser-guest] service-type telnet level 2 [sysname-luser...

  • Page 45

3-12 3) Connect your PC/terminal and the switch to an Ethernet, as shown in Figure 3-5. Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route between your PC and VLAN-interface 1 is reachable. Figure 3-5 Network diagram for Telnet connection establ...

  • Page 46

3-13 Telnetting to another switch from the current switch: you can telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, mak...

  • Page 47: Logging In Using A Modem

4-1 4 Logging In Using a Modem. Go to these sections for the information you are interested in: Introduction; Configuration on the switch side; Modem connection establishment. Introduction: the administrator can log in to the console port of a remote switch using a modem through the public switched telepho...

  • Page 48

4-2 You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch configuration: after logging in to a switch through its console port by ...

  • Page 49

4-3 Figure 4-1 Establish the connection by using modems (console port, PSTN telephone line, modem, serial cable; telephone number of the remote end: 82882285). 4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as sh...

  • Page 50

4-4 Figure 4-3 Set the telephone number. Figure 4-4 Call the modem. 5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? at any time for help...

  • Page 51: Management System

5-1 5 Logging In Through the Web-based Network Management System. Go to these sections for the information you are interested in: Introduction; Establishing an HTTP connection; Configuring the login banner; Enabling/disabling the Web server. Introduction: the Switch 5500-EI has a built-in Web server. It e...

  • Page 52

5-2 [sysname-luser-admin] service-type telnet level 3 [sysname-luser-admin] password simple admin 3) Establish an HTTP connection between your PC and the switch, as shown in Figure 5-1. Figure 5-1 Establish an HTTP connection between your PC and the switch. 4) Log in to the switch through IE. Launch...

  • Page 53

5-3 Configuration example. Network requirements: a user logs in to the switch through the Web; the banner page is desired when a user logs in to the switch. Network diagram: Figure 5-3 Network diagram for login banner configuration. Configuration procedure: # Enter system view. system-view # Configure the...

  • Page 54

5-4 To do... / Use the command... / Remarks: Enter system view: system-view. Enable the Web server: ip http shutdown; required; by default, the Web server is enabled. Disable the Web server: undo ip http shutdown; required. To improve security and prevent attacks on unused sockets, TCP port 80 (which is for HTT...

  • Page 55: Logging In Through Nms

6-1 6 Logging In Through NMS. Go to these sections for the information you are interested in: Introduction; Connection establishment using NMS. Introduction: you can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on t...

  • Page 56: Packets

7-1 7 Configuring Source IP Address for Telnet Service Packets. Go to these sections for the information you are interested in: Overview; Configuring source IP address for Telnet service packets; Displaying source IP address configuration. Overview: you can configure the source IP address for Telnet se...

  • Page 58: User Control

8-1 8 User Control. Go to these sections for the information you are interested in: Introduction; Controlling Telnet users; Controlling network management users by source IP addresses; Controlling Web users by source IP address. Refer to the ACL part for information about ACLs. Introduction: you can co...

  • Page 59

8-2 Controlling Telnet users. Prerequisites: the controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying). Controlling Telnet users by source IP addre...

  • Page 61

8-4 Network diagram: Figure 8-1 Network diagram for controlling Telnet users using ACLs (switch; Host A 10.110.100.46; IP network; Host B 10.110.100.52). Configuration procedure: # Define a basic ACL. system-view [sysname] acl number 2000 [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysnam...

  • Page 63

8-6 [sysname] acl number 2000 [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysname-acl-basic-2000] quit # Apply the ACL to permit only SNMP users sourced from the IP address 10.110.100.52 to access the switch. [sysname] snmp-agent community read aaa acl 2000 [sysname] snmp-age...

  • Page 65: Table of Contents

Table of contents: 1 Configuration File Management 1-1; Introduction to configuration file ...

  • Page 66

1-1 1 Configuration File Management. When configuring configuration file management, go to these sections for the information you are interested in: Introduction to configuration file; Configuration task list. Introduction to configuration file: a configuration file records and stores user configuration...

  • Page 67

1-2 When saving the current configuration, you can specify the file to be a main, backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both the main and backup attributes, y...

  • Page 68

1-3 Modes in saving the configuration: Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process. Safe mode. This is...

  • Page 69

1-4 It is recommended to adopt the fast saving mode under conditions of stable power and to adopt the safe mode under conditions of unstable power or remote maintenance. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuratio...

  • Page 70

1-5 You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning the main attribute to the startup configuration file: if you save the current configuration to the main configuration file, the system will automaticall...

  • Page 71: Table of Contents

Table of contents: 1 VLAN Overview 1-1; VLAN overview ...

  • Page 72: Vlan Overview

1-1 1 VLAN Overview. This chapter covers these topics: VLAN overview; Port-based VLAN; Protocol-based VLAN. VLAN overview. Introduction to VLAN: the traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. H...

  • Page 73

1-2 Figure 1-1 A VLAN implementation. Advantages of VLANs: compared with the traditional Ethernet, VLAN enjoys the following advantages. Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. Network security is improved. Because each VLAN forms a ...

  • Page 74

1-3 tag is encapsulated after the destination MAC address and source MAC address to carry the VLAN information. Figure 1-3 Format of VLAN tag. As shown in Figure 1-3, a VLAN tag contains four fields: the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and V...

  • Page 75

1-4 MAC address forwarding table. Packets received in any VLAN on a port are forwarded according to this table. Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is ...

  • Page 76

1-5 configure a port connected to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity. A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three...

  • Page 77

1-6 Table 1-2 Packet processing of a trunk port (Processing of an incoming packet: for an untagged packet / for a tagged packet; Processing of an outgoing packet). If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. If the port h...

  • Page 78

1-7 Ethernet II and 802.2/802.3 encapsulation: mainly, there are two encapsulation types of Ethernet packets, Ethernet II and 802.2/802.3, defined by RFC 894 and RFC 1042 respectively. The two encapsulation formats are described in the following figures. Ethernet II packet: Figure 1-4 Ethernet II enc...

  • Page 79

1-8 802.2 logical link control (LLC) encapsulation: the length field, the destination service access point (DSAP) field, the source service access point (SSAP) field and the control field are encapsulated after the source and destination address fields. The value of the control field is always 3. F...

  • Page 80

1-9 Procedure for the switch to judge the packet protocol: Figure 1-9 Procedure for the switch to judge the packet protocol. Encapsulation formats: Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are the type values of these protocols. Table 1-4 Encapsulation formats (Encapsulatio...

  • Page 81

1-10 Implementation of protocol-based VLAN: the Ethernet switches assign a packet to a specific VLAN by matching the packet against the protocol template. The protocol template is the standard used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user...

  • Page 82: Vlan Configuration

2-1 2 VLAN Configuration. When configuring VLAN, go to these sections for the information you are interested in: VLAN configuration; Configuring a port-based VLAN; Configuring a protocol-based VLAN. VLAN configuration. VLAN configuration task list: complete the following tasks to configure VLAN (Task / Re...

  • Page 83

2-2 VLAN 1 is the system default VLAN, which need not be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are also dynamic VLANs, which are registered through GVRP. For details, refer to the "GVRP" part of this manual. When...

  • Page 84

2-3 The operation of enabling/disabling a VLAN's VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. Displaying VLAN configuration. To do... / Use the command... / Remarks: Display the VLAN interface information: display interface vlan-interface [ vlan-id ]. D...

  • Page 85

2-4 Assigning an Ethernet port to a VLAN: you can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. You can assign an access port to a VLAN in either Ethernet port view or VLAN view. You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view. 1) In Etherne...

  • Page 86

2-5 Configuring the default VLAN for a port: because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port. Follow these steps to configure the default VLAN for...

  • Page 87

2-6 Network diagram: Figure 2-1 Network diagram for VLAN configuration (Switch A, Switch B, PC1, PC2, Server1, Server2; ports GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13). Configuration procedure: Configure Switch A. # Create VLAN 100, specify its descriptive string as dept1, and add GigabitEthernet 1/0/1 to...

  • Page 88

2-7 [switcha-gigabitethernet1/0/2] port trunk permit vlan 100 [switcha-gigabitethernet1/0/2] port trunk permit vlan 200 # Configure GigabitEthernet 1/0/10 of Switch B. [switchb] interface gigabitethernet 1/0/10 [switchb-gigabitethernet1/0/10] port link-type trunk [switchb-gigabitethernet1/0/10] port...

  • Page 89

2-8 Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type and to associate the two protocol types with the same port, so that ARP packets and IP packets are assigned to the same VLAN, ...

  • Page 91

2-10 [sysname-vlan100] quit [sysname] vlan 200 [sysname-vlan200] port gigabitethernet 1/0/12 # Configure protocol templates for VLAN 200 and VLAN 100, matching the AppleTalk protocol and the IP protocol respectively. [sysname-vlan200] protocol-vlan at [sysname-vlan200] quit [sysname] vlan 100 [sysname-vlan1...

  • Page 92

2-11 AppleTalk workstations can be automatically assigned to VLAN 100 and VLAN 200 respectively for transmission by matching the corresponding protocol templates, so as to realize normal communication between workstations and servers.

  • Page 93: Table of Contents

Table of contents: 1 IP Addressing Configuration 1-1; IP addressing overview ...

  • Page 94: Ip Addressing Configuration

1-1 1 IP Addressing Configuration. When configuring IP addressing, go to these sections for the information you are interested in: IP addressing overview; Configuring IP addresses; Displaying IP addressing configuration; IP address configuration examples. IP addressing overview. IP address classes: IP ...

  • Page 95

1-2 Table 1-1 IP address classes and ranges (Class / Address range / Description): A: 0.0.0.0 to 127.255.255.255. Address 0.0.0.0 means "this host on this network". This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses sta...

  • Page 96

1-3 While allowing you to create multiple logical networks within a single class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, the subnet ID, to the two-level hierarchy of IP addressing, IP rou...

  • Page 97

1-4 You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside ...

  • Page 98

1-5 IP address configuration example II. Network requirements: as shown in Figure 1-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the swit...

  • Page 99

1-6 --- 172.16.1.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms. The output shows that the switch can communicate with the hosts on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 from the switch to ...

  • Page 100

2-1 2 IP Performance Optimization Configuration. When configuring IP performance, go to these sections for the information you are interested in: IP performance overview; Configuring IP performance; Displaying and maintaining IP performance configuration. IP performance overview. Introduction to IP per...

  • Page 101

2-2 finwait timer: when the TCP connection changes to the FIN_WAIT_2 state, the finwait timer is started. If no FIN packets are received before the timer expires, the TCP connection is terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets...

  • Page 102

2-3 If a device receives a lot of malicious packets that cause it to send ICMP error packets, the device's performance will be reduced. As the ICMP redirection function increases the routing table size of a host, the host's performance will be reduced if its routing table becomes very large. If a host...

  • Page 103

2-4 To do... / Use the command... / Remarks: Clear IP traffic statistics: reset ip statistics. Clear TCP traffic statistics: reset tcp statistics. Clear UDP traffic statistics: reset udp statistics. All available in user view.

  • Page 104: Table of Contents

Table of contents: 1 Voice VLAN Configuration 1-1; Voice VLAN overview ...

  • Page 105: Voice Vlan Configuration

1-1 1 Voice VLAN Configuration. When configuring voice VLAN, go to these sections for the information you are interested in: Voice VLAN overview; Voice VLAN configuration; Displaying and maintaining voice VLAN; Voice VLAN configuration example. Voice VLAN overview: voice VLANs are allocated specially ...

  • Page 106

1-2 The following describes the way an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones. As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following thr...

  • Page 107

1-3 tag to communicate with the voice gateway. In this case, the port connecting to the IP phone must be configured to allow the packets tagged with the voice VLAN tag to pass. An untagged packet carries no VLAN tag. A tagged packet carries the tag of a VLAN. To set an IP address and a voice VLA...

  • Page 108

1-4 Set the DSCP precedence to 46. You can adjust the QoS scheme for voice traffic according to the precedence of the voice traffic marked by the switch. Alternatively, you can modify the precedence of voice traffic as needed at the command line interface to apply an existing QoS scheme to voice t...

  • Page 109

    1-5 Support for voice VLAN on various ports: Voice VLAN packets can be forwarded by access ports, trunk ports, and hybrid ports. You can enable a trunk or hybrid port belonging to other VLANs to forward voice and service packets simultaneously by enabling the voice VLAN. For different types of IP pho...

  • Page 110

    1-6 IP phones acquiring an IP address and voice VLAN through manual configuration can forward only tagged traffic, so the matching relationship is relatively simple, as shown in Table 1-3. Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configur...

  • Page 111

    1-7 Table 1-4 How a packet is handled when the voice VLAN is operating in different modes (columns: voice VLAN mode, packet type, processing method). Untagged packet, or packet carrying the voice VLAN tag: if the source MAC address of the packet matches the OUI list, the packet is transmitted in the voice VLAN. Otherw...

  • Page 112

    1-8 To do… / Use the command… / Remarks: Set the voice VLAN aging timer: voice vlan aging minutes (optional; the default aging timer is 1440 minutes). Enable the voice VLAN function globally: voice vlan vlan-id enable (required). Enter Ethernet port view: interface interface-type interface-number (required). Enable ...

  • Page 113

    1-9 Configuring the voice VLAN to operate in manual voice VLAN assignment mode. Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode: To do… / Use the command… / Remarks: Enter system view: system-view (—). Set an OUI address that can be identified by the voice VLAN: voi...

  • Page 114

    1-10 To do… / Use the command… / Remarks: Configure the voice VLAN to be the default VLAN of the port: port trunk pvid vlan vlan-id or port hybrid pvid vlan vlan-id (optional; refer to Table 1-2 to determine whether or not this operation is needed). • The voice VLAN function can be enabled for only one VLAN at ...

  • Page 115

    1-11 Voice VLAN Configuration Example. Voice VLAN configuration example (automatic voice VLAN assignment mode). Network requirements: As shown in Figure 1-2, • the MAC address of IP Phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and ...

  • Page 116

    1-12 # Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets. [DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 descr...

  • Page 117

    1-13 Voice VLAN configuration example (manual voice VLAN assignment mode). Network requirements: Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the v...

  • Page 118

    1-14 # Configure the voice VLAN as the default VLAN of Ethernet 1/0/1, and add the voice VLAN to the list of untagged VLANs whose traffic is permitted by the port. [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2 [DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged # Enable the voice VLAN function on ...

  • Page 119: Table of Contents

    i Table of Contents: 1 GVRP Configuration 1-1; Introduction to GVRP ...

  • Page 120: Gvrp Configuration

    1-1 1 GVRP Configuration. When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP; GVRP Configuration; Displaying and Maintaining GVRP; GVRP Configuration Example. Introduction to GVRP: GARP VLAN Registration Protocol (GVRP) is an implementation of G...

  • Page 121

    1-2 2) GARP timers. Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. • Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately. Instead, t...

  • Page 122

    1-3 Figure 1-1 Format of GARP packets. The following table describes the fields of a GARP packet. Table 1-1 Description of GARP packet fields (columns: field, description, value). Protocol ID: protocol ID; value 1. Message: each message consists of two parts, attribute type and attribute list; value —. Attribute type: defined by th...

  • Page 123

    1-4 GVRP. As an implementation of GARP, GARP VLAN Registration Protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices ...

  • Page 124

    1-5 To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable GVRP globally: gvrp (required; by default, GVRP is disabled globally). Enter Ethernet port view: interface interface-type interface-number (—). Enable GVRP on the port: gvrp (required; by default, GVRP is disabled on the port). • A...

  • Page 125

    1-6 Table 1-2 Relations between the timers (columns: timer, lower threshold, upper threshold). Hold: lower threshold 10 centiseconds; the upper threshold is less than or equal to one-half of the timeout time of the Join timer (you can change the threshold by changing the timeout time of the Join timer). Join: this lower threshold i...

  • Page 126

    1-7 Displaying and Maintaining GVRP. To do… / Use the command… / Remarks: Display GARP statistics: display garp statistics [ interface interface-list ]. Display the settings of the GARP timers: display garp timer [ interface interface-list ]. Display GVRP statistics: display gvrp statistics [ interface interf...

  • Page 127

    1-8 [SwitchA-Ethernet1/0/1] port link-type trunk [SwitchA-Ethernet1/0/1] port trunk permit vlan all # Enable GVRP on Ethernet1/0/1. [SwitchA-Ethernet1/0/1] gvrp [SwitchA-Ethernet1/0/1] quit # Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs. [SwitchA] interface e...

  • Page 128

    1-9 The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] di...

  • Page 129

    1-10 5, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] display vlan dynamic No dynamic vlans exist!

  • Page 130: Table of Contents

    i Table of Contents: 1 Port Basic Configuration 1-1; Ethernet Port Configuration ...

  • Page 131: Port Basic Configuration

    1-1 1 Port Basic Configuration. When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration; Ethernet Port Configuration Example; Troubleshooting Ethernet Port Configuration. Ethernet Port Configuration: Initially configuring a p...

  • Page 132

    1-2 Configuring port auto-negotiation speed. You can configure an auto-negotiation speed for a port by using the speed auto command. Take a 10/100/1000 Mbps port as an example. • If you expect 10 Mbps to be the only available auto-negotiation speed of the port, you just need to configure speed auto...

  • Page 134

    1-4 To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Configure flow control to operate in TxRx mode: flow-control. Configure flow control to operate in Rx mode: flow-control no-pauseframe-sending (required; use either com...

  • Page 135

    1-5 After you enable loopback detection on Ethernet ports, the switch can monitor whether an external loopback occurs on them. If a loopback port is found, the switch deals with it according to your configuration. 1) If a loop is found on an access port, the system will set the p...

  • Page 136

    1-6 To do… / Use the command… / Remarks: ...detection on a specified port: loopback-detection enable. Enable the loopback port auto-shutdown function: loopback-detection shutdown enable (optional; by default, the loopback port auto-shutdown function is enabled on ports if the device boots with the default config...

  • Page 137

    1-7 • external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cables; for a 1000M port, the self-loop headers are made from eight cores of the 8-core cables, ...

  • Page 138

    1-8 To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Set the interval to perform statistical analysis on port traffic: flow-interval interval (optional; by default, this interval is 300 seconds). Enabling giant-frame...

  • Page 139

    1-9 Configuration examples. # In the default conditions, where up/down log output is enabled, execute the shutdown command or the undo shutdown command on Ethernet 1/0/1. The up/down log information for Ethernet 1/0/1 is generated and displayed on the terminal. system-view System View: return to User...

  • Page 141

    1-11 To do… / Use the command… / Remarks: Set the port state change delay: link-delay delay-time (required; defaults to 0, which indicates that no delay is introduced). The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DL...

  • Page 142

    1-12 Ethernet Port Configuration Example. Network requirements: • Switch A and Switch B are connected to each other through two trunk ports (Ethernet 1/0/1 on each). • Configure the default VLAN ID of both Ethernet 1/0/1 ports to 100. • Allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass both Et...

  • Page 143: Table of Contents

    i Table of Contents: 1 Link Aggregation Configuration 1-1; Overview ...

  • Page 144

    1-1 1 Link Aggregation Configuration. When configuring link aggregation, go to these sections for information you are interested in: Overview; Link Aggregation Classification; Aggregation Group Categories; Link Aggregation Configuration; Displaying and Maintaining Link Aggregation Configuration...

  • Page 145

    1-2 Table 1-1 Consistency considerations for ports in an aggregation (columns: category, considerations). STP: state of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port ...

  • Page 146

    1-3 LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group. Port status in a manual aggregation group: A port in a manual aggregation group can be in one of two states: selected or unselected. In a manual aggregation grou...

  • Page 147

    1-4 • Ports connected to a peer device different from the one the master port is connected to, or connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port, are unselected ports. • The system sets the...

  • Page 148

    1-5 For an aggregation group: • When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port. • When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state; if th...

  • Page 149

    1-6 • A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can have at most one selected port, while the others are unselected ports. • When more than eight load-sharing aggregation groups are configured on a single switch, fabric ports can...

  • Page 150

    1-7 For a manual aggregation group, a port can only be manually added to or removed from the group. Follow these steps to configure a manual aggregation group: To do… / Use the command… / Remarks: Enter system view: system-view (—). Create a manual aggregation group: link-aggregation group agg...

  • Page 151

    1-8 To do… / Use the command… / Remarks: Create a static aggregation group: link-aggregation group agg-id mode static (required). Enter Ethernet port view: interface interface-type interface-number (—). Add the port to the aggregation group: port link-aggregation group agg-id (required). For a static LACP aggregatio...

  • Page 152

    1-9 To do… / Use the command… / Remarks: Configure the port priority: lacp port-priority port-priority (optional; by default, the port priority is 32,768). Changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member...

  • Page 153

    1-10 Link Aggregation Configuration Example. Ethernet port aggregation configuration example. Network requirements: • Switch A connects to Switch B with three ports, Ethernet 1/0/1 to Ethernet 1/0/3. It is required that the load between the two switches can be shared among the three ports. • Adopt three dif...

  • Page 154

    1-11 system-view [Sysname] link-aggregation group 1 mode static # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1. [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-aggregation group 1 [Sysname-Ethernet1/0/1] quit [Sysname] interface ethernet 1/0/2 [Sysname-Ethern...

  • Page 155: Table of Contents

    i Table of Contents: 1 Port Isolation Configuration 1-1; Port Isolation Overview ...

  • Page 156: Port Isolation Configuration

    1-1 1 Port Isolation Configuration. When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview; Port Isolation Configuration; Displaying and Maintaining Port Isolation Configuration; Port Isolation Configuration Example. Port Isolation Ove...

  • Page 157

    1-2 • When a member port of an aggregation group joins or leaves an isolation group, the other ports in the same aggregation group join or leave the isolation group at the same time. • For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggreg...

  • Page 158

    1-3 Network diagram: Figure 1-1 Network diagram for port isolation configuration. Configuration procedure: # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] po...

  • Page 159: Table of Contents

    i Table of Contents: 1 Port Security Configuration 1-1; Port Security Overview ...

  • Page 160: Port Security Configuration

    1-1 1 Port Security Configuration. When configuring port security, go to these sections for information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Examples. Port Security...

  • Page 161

    1-2 Table 1-1 Description of port security modes (columns: security mode, description, feature). noRestriction: In this mode, access to the port is not restricted; neither the NTK nor the intrusion protection feature is triggered. autoLearn: In this mode, a port can learn a specified number of MAC add...

  • Page 162

    1-3 (Table 1-1 continued: security mode, description, feature.) userLogin: In this mode, port-based 802.1X authentication is performed for access users; neither NTK nor intrusion protection will be triggered. userLoginSecure: MAC-based 802.1X authentication is performed on the access user. The port is enabled onl...

  • Page 163

    1-4 (Table 1-1 continued: security mode, description, feature.) macAddressElseUserLoginSecure: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1X authentication of the user. In this mode, there can be only on...

  • Page 164

    1-5 Task / Remarks: Configuring guest VLAN for a port in macAddressOrUserLoginSecure mode: optional. Ignoring the authorization information from the RADIUS server: optional. Configuring security MAC addresses: optional. Enabling Port Security. Configuration prerequisites: Before enabling port security, you nee...

  • Page 165

    1-6 • Control the maximum number of users who are allowed to access the network through the port. • Control the number of security MAC addresses that can be added with port security. This configuration is different from that of the maximum number of MAC addresses that can be learned by a port in MAC ad...

  • Page 166

    1-7 • Before setting the port security mode to autoLearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. • When the port operates in autoLearn mode, you cannot change the maximum number of MAC addresses allowed on the port. •...

  • Page 167

    1-8 To do… / Use the command… / Remarks: Set the timer during which the port remains disabled: port-security timer disableport timer (optional; 20 seconds by default). The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command t...

  • Page 168

    1-9 • The users of the port can initiate 802.1X authentication. If a user passes authentication, the port leaves the guest VLAN and is added to the original VLAN (that is, the one the port belonged to before it was added to the guest VLAN). The port then does not handle other users' authentication req...

  • Page 169

    1-10 Ignoring the Authorization Information from the RADIUS Server. After an 802.1X user or MAC-authenticated user passes Remote Authentication Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the ...

  • Page 170

    1-11 To do… / Use the command… / Remarks: Enter system view: system-view (—). Add a security MAC address entry: in system view, mac-address security mac-address interface interface-type interface-number vlan vlan-id; or enter Ethernet port view with interface interface-type interface-number and, in Ethernet port view, mac-address security mac-ad...

  • Page 171

    1-12 Displaying and Maintaining Port Security Configuration. To do… / Use the command… / Remarks: Display information about port security configuration: display port-security [ interface interface-list ]. Display information about security MAC address configuration: display mac-address security [ interfa...

  • Page 172

    1-13 [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1 # Configure the port to be silent for 30 seconds after intrusion protection is triggered. [Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-Ethernet1/0/1] quit [Switch] port-security timer disabl...

  • Page 173

    1-14 # Configure RADIUS scheme 2000. system-view [Switch] radius scheme 2000 [Switch-radius-2000] primary authentication 10.11.1.1 1812 [Switch-radius-2000] primary accounting 10.11.1.1 1813 [Switch-radius-2000] key authentication abc [Switch-radius-2000] key accounting abc [Switch-radius-2000] user-n...

  • Page 174: Table of Contents

    i Table of Contents: 1 Port-MAC-IP Binding Configuration 1-1; Port-MAC-IP Binding Overview ...

  • Page 175

    1-1 1 Port-MAC-IP Binding Configuration. When configuring port-MAC-IP binding, go to these sections for information you are interested in: Port-MAC-IP Binding Overview; Displaying and Maintaining Port-MAC-IP Binding Configuration; Port-MAC-IP Binding Configuration Example. Port-MAC-IP Binding Over...

  • Page 177

    1-3 Network diagram: Figure 1-1 Network diagram for port-MAC-IP binding configuration (figure labels: 10.12.1.1/24; MAC address 0001-0002-0003; Host A; Host B; Eth1/0/1; Switch A; Switch B). Configuration procedure: Configure Switch A as follows: # Enter system view. system-view # Enter Ethernet 1/0/1 port view. [SwitchA] i...

  • Page 178: Table of Contents

    i Table of Contents: 1 DLDP Configuration 1-1; Overview ...

  • Page 179: Dldp Configuration

    1-1 1 DLDP Configuration. When configuring DLDP, go to these sections for information you are interested in: Overview; DLDP Fundamentals; DLDP Configuration; DLDP Configuration Example. Overview: Device Link Detection Protocol (DLDP) is a technology for dealing with unidirectional links that may ...

  • Page 180

    1-2 Figure 1-2 Fiber broken or not connected (figure labels: Device A GE1/0/49, GE1/0/50; Device B GE1/0/49, GE1/0/50; PC). Device Link Detection Protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it dis...

  • Page 181

    1-3 (Table continued: DLDP packet type, function.) RSY-Advertisement packets (referred to as RSY packets hereafter): advertisement packets with the RSY flag set to 1. RSY advertisement packets are sent to request synchronization of the neighbor information when neighbor information is not locally available or a neighbor inform...

  • Page 182

    1-4 DLDP status. A link can be in one of these DLDP states: Initial, Inactive, Active, Advertisement, Probe, Disable, and DelayDown. Table 1-2 DLDP status (columns: status, description). Initial: initial status before DLDP is enabled. Inactive: DLDP is enabled but the corresponding link is down. Active: DLDP is enabl...

  • Page 183

    1-5 (Table continued: timer, description.) Entry aging timer: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In normal m...

  • Page 184

    1-6 Table 1-4 DLDP operating mode and neighbor entry aging (columns: DLDP operating mode; detecting a neighbor after the corresponding neighbor entry ages out; removing the neighbor entry immediately after the entry timer expires; triggering the enhanced timer after an entry timer expires). Normal mode: no; yes; no. E...

  • Page 185

    1-7 Table 1-5 DLDP state and DLDP packet type (columns: DLDP state, type of the DLDP packets sent). Active: advertisement packets, with the RSY flag set or not set. Advertisement: advertisement packets. Probe: probe packets. 2) A received DLDP packet is processed as follows: • In authentication mode, the DLDP packet ...

  • Page 186

    1-8 Table 1-7 Processing procedure when no echo packet is received from the neighbor (columns: no echo packet received from the neighbor, processing procedure). In normal mode, no echo packet is received when the echo waiting timer expires. In enhanced mode, no echo packet is received when the enhanced timer exp...

  • Page 187

    1-9 DLDP Configuration. Performing basic DLDP configuration. Follow these steps to perform basic DLDP configuration: To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable DLDP on all optical ports of the switch: dldp enable. Enter Ethernet port view: interface interface-type interface-...

  • Page 188

    1-10 • When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. • When you use the dldp enable or dldp disable command in system view to enable or disable DLDP on all optical ports of the switch, the configuration take...

  • Page 189

    1-11 DLDP Configuration Example. Network requirements: As shown in Figure 1-4, • Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. • Suppose the fibers betwee...

  • Page 190

    1-12 # Set the DLDP handling mode for unidirectional links to auto. [SwitchA] dldp unidirectional-shutdown auto # Display the DLDP state. [SwitchA] display dldp 1 When two switches are connected through fibers in a crossed way, two or three ports may be in the Disable state, and the rest in the Inact...

  • Page 191: Table of Contents

    i Table of Contents: 1 MAC Address Table Management 1-1; Overview ...

  • Page 192: Mac Address Table Management

    1-1 1 MAC Address Table Management. When configuring MAC address table management functions, go to these sections for information you are interested in: Overview; MAC Address Table Management; Displaying MAC Address Table Information; Configuration Example. This chapter describes the management of static, dy...

  • Page 193

    1-2 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from Us...

  • Page 194

    1-3 Figure 1-4 MAC address learning diagram (3). 4) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically cal...

  • Page 195

    1-4 • The MAC address aging timer only takes effect on dynamic MAC address entries. • With the "destination MAC address triggered update function" enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts ...

  • Page 196

    1-5 Task / Remarks: Enabling destination MAC address triggered update: optional. Configuring a MAC Address Entry. You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address ent...

  • Page 197

    1-6 • When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. • If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN. S...

  • Page 198

    1-7 By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries the MAC address table can dynamically maintain. When the number of MAC address entries learned from a port reaches the set value, the p...

  • Page 199

    1-8 To do… / Use the command… / Remarks: Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time. Display the configured start port MAC address: display port-mac. Configuration Examples. Adding a static MAC address entry manually. Network requirements: ...

  • Page 200: Table of Contents

    i Table of Contents: 1 Auto Detect Configuration 1-1; Introduction to the Auto Detect Function ...

  • Page 201: Auto Detect Configuration

    1-1 1 Auto Detect Configuration. When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function; Auto Detect Configuration; Auto Detect Configuration Examples. Introduction to the Auto Detect Function: The auto detect ...

  • Page 202

    1-2 Task / Remarks: Auto detect implementation in VRRP: optional. Auto detect implementation in VLAN interface backup: optional. Auto detect basic configuration. Follow these steps to configure the auto detect function: To do… / Use the command… / Remarks: Enter system view: system-view (—). Create a detected group ...

  • Page 203

    1-3 The disadvantage of using static routes is that they cannot adapt to network topology changes. If a fault or a topology change occurs in the network, the routes may become unreachable and the network may break. To avoid such problems, you can configure another route to back up the static route and u...

  • Page 204

    1-4 Figure 1-1 The uplink of the master switch fails (figure labels: Switch A; Switch B; Internet; master; backup; master; backup; VLAN 10 gateway 10.1.1.1/24; VLAN 20 gateway 20.1.1.1/24; the uplink port of Switch A fails). Using VRRP together with the auto detect function, you can change the priority of a switch according...

  • Page 205

    1-5 and thus cannot transmit traffic normally, VLAN-interface 2 takes over to transmit traffic. In this way, the traffic can be transmitted smoothly without interruption. Figure 1-2 Schematic diagram for VLAN interface backup. Using auto detect can help implement VLAN interface backup. When data can...

  • Page 206

    1-6 Auto Detect Configuration Examples. Configuration example for auto detect implementation with static routing. Network requirements: • Create detected group 8 on Switch A; detect the reachability of the IP address 10.1.1.4, with 192.168.1.2 as the next hop, and the detecting number set to 1. • On Sw...

  • Page 207

    1-7 • Packets sourced from Host A and destined for Host B are forwarded by Switch A under normal conditions. • When the connection between Switch A and Switch C fails, Switch B automatically becomes the master in VRRP group 1 and the link from Switch B to Host B, the backup link, is enabled. Network ...

  • Page 208

    1-8 Configuration example for auto detect implementation with VLAN interface backup. Network requirements: • Make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Switch C are reachable. • Create detected group 10 on Switch A to detect the connectivity betw...

  • Page 209: Table of Contents

    i Table of Contents: 1 MSTP Configuration 1-1; Overview ...

  • Page 210

    ii Introduction 1-39; Configuring Digest Snooping 1-40; Configuring...

  • Page 211: Mstp Configuration

    1-1 1 MSTP configuration. Go to these sections for information you are interested in:
    - Overview
    - MSTP configuration task list
    - Configuring root bridge
    - Configuring leaf nodes
    - Performing mCheck operation
    - Configuring guard functions
    - Configuring digest snooping
    - Configuring rapid transition
    - ...

  • Page 212

    1-2 In the narrow sense, STP refers to IEEE 802.1D STP; in the broad sense, STP refers to IEEE 802.1D STP and the various enhanced spanning tree protocols derived from it. Protocol packets of STP: STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its pro...

  • Page 213

    1-3
    - Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the LAN, the designated bridge for the LAN is Device B, and the designated port is port BP2 on Device B.
    [Figure 1-1: A schematic diagram of designated bridges and designated ports.] All the ports on the...

  • Page 214

    1-4 The 3Com Switch 5500-EI supports multiple standards for calculating the path costs of ports, as well as commands to configure the path costs of ports. For details, see Configuring the path cost for a port. 6) Port ID: a port ID used on a 3Com Switch 5500-EI consists of two bytes, that ...

  • Page 215

    1-5 Upon initialization, each device generates a BPDU with itself as the root bridge, in which the root path cost is 0, the designated bridge ID is the device's own ID, and the designated port is the local port.
    - Selection of the optimum configuration BPDU: each device sends out its configuration ...

  • Page 216

    1-6 Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the remaining ports.
    - The root bridge ID is replaced with that of the configuration BPDU of the root port.
    - The root path cost is replaced wi...

  • Page 217

    1-7 The following table shows the initial state of each device. Each BPDU is written as {root bridge ID, root path cost, designated bridge ID, designated port ID}.
    Table 1-4 Initial state of each device
    Device     Port name   BPDU of port
    Device A   AP1         {0, 0, 0, AP1}
               AP2         {0, 0, 0, AP2}
    Device B   BP1         {1, 0, 1, BP1}
               BP2         {1, 0, 1, BP2}
    Device C   CP1         {2, 0, 2, CP1}
               CP2         {2, 0, 2, CP2}
    - Comparison process and r...

  • Page 218

    1-8 Device / Comparison process / BPDU of port after comparison:
    - Port CP1 receives the configuration BPDU of Device A, {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port, {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
    - ...

  • Page 219

    1-9 [Figure 1-3: The final calculated spanning tree.] To keep the description short, the spanning tree calculation in this example is simplified; the actual process is more complicated. 3) The BPDU forwarding mechanism in STP:
    - Upon network initiation, every switch regards itself as the root b...
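    The election walked through in Table 1-4 and the comparison rows above, as an added example that is not part of the manual: a Python model of the configuration BPDU comparison ({root bridge ID, root path cost, designated bridge ID, designated port ID}, lower wins field by field) run on the three-device topology with bridge IDs 0, 1 and 2. The path costs (AP1-BP1 = 5, AP2-CP1 = 10, BP2-CP2 = 4) are assumed because the page's figure is not reproduced here; BPDU ageing and the forward-delay timers are not modelled. A second run adds a device that advertises a lower bridge ID than Device A, which is all an attacker needs to take the root role, the situation root guard (later in this chapter) exists to block.

```python
from collections import namedtuple

# A configuration BPDU as the manual writes it: {root bridge ID, root path cost,
# designated bridge ID, designated port ID}. Tuple comparison goes field by field,
# so a "smaller" Bpdu is a superior one, which is exactly the STP comparison rule.
Bpdu = namedtuple("Bpdu", "root_id root_cost bridge_id port_id")

# Constructed topology (assumed path costs; the manual's figure is not reproduced):
# Device A (bridge ID 0), Device B (1), Device C (2); a port is (device, port name).
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = {
    (("A", "AP1"), ("B", "BP1")): 5,
    (("A", "AP2"), ("C", "CP1")): 10,
    (("B", "BP2"), ("C", "CP2")): 4,
}


def _vector(bpdu, port_cost):
    """Root path vector seen through a port: the received BPDU plus the port's path cost."""
    return Bpdu(bpdu.root_id, bpdu.root_cost + port_cost, bpdu.bridge_id, bpdu.port_id)


def run_stp(bridges, links, max_rounds=16):
    """Iterate BPDU exchange and role selection until nothing changes.

    Returns {port: (role, bpdu)} where role is "root", "designated" or
    "alternate" (blocked) and bpdu is the BPDU the port now holds.
    """
    cost, peer, received = {}, {}, {}
    for (a, b), c in links.items():
        cost[a] = cost[b] = c
        peer[a], peer[b] = b, a
        received[a] = received[b] = None
    # Initial state (Table 1-4): every device claims to be the root on every port.
    roles = {p: ("designated", Bpdu(bridges[p[0]], 0, bridges[p[0]], p[1])) for p in cost}

    for _ in range(max_rounds):
        # Only designated ports transmit; a receiver keeps the best BPDU it has seen.
        for p in cost:
            role, bpdu = roles[peer[p]]
            if role == "designated" and (received[p] is None or bpdu < received[p]):
                received[p] = bpdu

        new_roles = {}
        for dev, bid in bridges.items():
            my_ports = [p for p in cost if p[0] == dev]
            own = Bpdu(bid, 0, bid, "")
            vectors = [(_vector(received[p], cost[p]), p)
                       for p in my_ports if received[p] is not None]
            best = min(vectors) if vectors else None
            if best is None or not best[0] < own:
                root_id, root_cost, root_port = bid, 0, None      # this device is the root bridge
            else:
                root_id, root_cost, root_port = best[0].root_id, best[0].root_cost, best[1]
            for p in my_ports:
                if p == root_port:
                    new_roles[p] = ("root", received[p])
                    continue
                # Step 2 of the manual: designated-port BPDU derived from the root port's BPDU.
                mine = Bpdu(root_id, root_cost, bid, p[1])
                if received[p] is None or mine < received[p]:
                    new_roles[p] = ("designated", mine)
                else:
                    new_roles[p] = ("alternate", received[p])    # peer's BPDU is superior: block
        if new_roles == roles:
            break
        roles = new_roles
    return roles


def root_bridge(roles):
    """Root bridge ID agreed by the converged tree."""
    return min(b.root_id for _, b in roles.values())


if __name__ == "__main__":
    for port, (role, bpdu) in sorted(run_stp(BRIDGES, LINKS).items()):
        print(port, role, tuple(bpdu))
```

    With the assumed costs the run ends as the manual's Figure 1-3 describes: Device A is root, BP1 and CP2 are root ports, CP1 is blocked because the BPDU it hears from AP2 beats the one Device C could send. Adding a fourth device with bridge ID -1 on a new port CP3 makes that device the root and turns AP1 into Device A's root port.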

  • Page 220

    1-10 For this reason, the protocol uses a state transition mechanism: a newly elected root port and the designated ports must wait for a period of twice the forward delay time before they transition to the forwarding state. This period allows the new configuration BPDUs to be propagate...

  • Page 221

    1-11
    - MSTP supports mapping VLANs to multiple spanning tree instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each integrating multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resou...

  • Page 222

    1-12 2) MSTI: a multiple spanning tree instance (MSTI) is a spanning tree in an MST region. Multiple spanning trees can be established in one MST region; these spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. ...

  • Page 223

    1-13
    - A region boundary port is located on the boundary of an MST region and connects one MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
    - An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the roo...

  • Page 224

    1-14
    - Forwarding state: ports in this state forward user packets and receive/send BPDU packets.
    - Learning state: ports in this state receive/send BPDU packets but do not forward user packets.
    - Discarding state: ports in this state only receive BPDU packets.
    Port roles and port states ...

  • Page 225

    1-15 In addition to the basic MSTP functions, the 3Com Switch 5500-EI also provides the following functions for users to manage their switches:
    - Root bridge hold
    - Root bridge backup
    - Root guard
    - BPDU guard
    - Loop guard
    - TC-BPDU attack guard
    - BPDU packet drop
    Protocols and standards: MSTP is documen...

  • Page 226

    1-16
    Task                                                             Remarks
    Configuring the timeout time factor                              Optional
    Configuring the maximum transmitting rate on the current port    Optional. The default value is recommended.
    Configuring the current port as an edge port                     Optional
    Setting the link type of a port to P2P                           Optional
    Enabling MSTP                                                    Required. To prev...

  • Page 227

    1-17 Configuring root bridge. Configuring an MST region. Configuration procedure: follow these steps to configure an MST region:
    To do...                               Use the command...          Remarks
    Enter system view                      system-view                 —
    Enter MST region view                  stp region-configuration    —
    Configure the name of the MST region   region-name name            Req...

  • Page 228

    1-18
    - MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level.
    - The 3Com Switch 5500-EI supports only the MST...
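    The region-membership rule above, as an added example that is not part of the manual or 3Com's software: MST BPDUs do not carry the VLAN-to-instance table itself but a 16-byte HMAC-MD5 digest of it, computed with the fixed key IEEE 802.1s defines, so two switches with the same name and revision still split into separate regions if one VLAN is mapped differently. The Python below builds that digest from `instance <id> vlan <list>` lines (the vlan-list syntax `10 20 30 to 40` is assumed) and compares the full configuration identification; the region name `region1` and the mappings are constructed for the example.

```python
import hashlib
import hmac
import struct

# Fixed HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_mapping(lines):
    """Turn 'instance <id> vlan <list>' lines into {vlan: instance}. Assumes the
    vlan-list syntax '10 20 30 to 40'; VLANs not listed stay in instance 0 (the CIST)."""
    mapping = {}
    for line in lines:
        words = line.split()
        if len(words) < 4 or words[0] != "instance" or words[2] != "vlan":
            raise ValueError(f"unrecognised mapping line: {line!r}")
        inst, toks = int(words[1]), words[3:]
        i = 0
        while i < len(toks):
            lo = int(toks[i])
            if i + 2 < len(toks) and toks[i + 1] == "to":
                hi, i = int(toks[i + 2]), i + 3
            else:
                hi, i = lo, i + 1
            for vlan in range(lo, hi + 1):
                if not 1 <= vlan <= 4094:
                    raise ValueError(f"VLAN {vlan} out of range")
                mapping[vlan] = inst
    return mapping


def configuration_digest(mapping):
    """HMAC-MD5 over the 4096-entry table of 16-bit instance IDs indexed by VLAN ID
    (entries 0 and 4095 stay zero)."""
    table = bytearray(4096 * 2)
    for vlan, inst in mapping.items():
        struct.pack_into("!H", table, vlan * 2, inst)
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).digest()


def mst_configuration_id(region_name, revision, mapping):
    """Configuration identification carried in MST BPDUs: format selector (always 0),
    32-byte name, 16-bit revision level and the digest."""
    name = region_name.encode()
    if len(name) > 32:
        raise ValueError("MST region name is limited to 32 bytes")
    return (0, name.ljust(32, b"\0"), revision & 0xFFFF, configuration_digest(mapping))


def same_region(a, b):
    """Two switches are in one MST region only if all four fields agree."""
    return mst_configuration_id(*a) == mst_configuration_id(*b)


if __name__ == "__main__":
    m = parse_mapping(["instance 1 vlan 10 20", "instance 3 vlan 30 to 32"])
    print(configuration_digest(m).hex())
```

    The order in which VLANs are listed does not matter, only the resulting table does, so `instance 1 vlan 20 10` and `instance 1 vlan 10 20` produce the same digest; moving a single VLAN to another instance, or bumping the revision level on one switch only, splits the region.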

  • Page 229

    1-19 Specify the current switch as the secondary root bridge of a spanning tree. Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:
    To do...                                                       Use the command...   Remarks
    Enter system view                                              system-view          —
    Specify the current switch as the secondary root bridg...

  • Page 230

    1-20 Configuring the bridge priority of the current switch. Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as the root bridge by setting a lower bridge priority value for that switch (a lower value means a higher priority). An MSTP-enabled switch can have different bridge priorit...

  • Page 233

    1-23 Configuring the network diameter of the switched network. In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches; it equals the number of switches on...

  • Page 234

    1-24
    To do...                           Use the command...                Remarks
    Configure the max age parameter    stp timer max-age centiseconds    Required. The max age parameter defaults to 2,000 centiseconds (namely, 20 seconds).
    All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
    - ...

  • Page 235

    1-25 Configuring the timeout time factor. When the network topology is stable, a non-root-bridge switch regularly forwards the BPDUs it receives from the root bridge to its neighboring devices at the interval specified by the hello time parameter, so that link failures can be detected. Normally, a switch regards its up...

  • Page 236

    1-26
    To do...                                  Use the command...                           Remarks
    Enter system view                         system-view                                  —
    Enter Ethernet port view                  interface interface-type interface-number    —
    Configure the maximum transmitting rate   stp transmit-limit packetnum                 Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10. ...

  • Page 237

    1-27
    To do...                             Use the command...                           Remarks
    Enter Ethernet port view             interface interface-type interface-number    —
    Configure the port as an edge port   stp edged-port enable                        Required. By default, all the Ethernet ports of a switch are non-edge ports.
    On a switch with BPDU guard disabled, an edge port become...

  • Page 238

    1-28 Setting the link type of a port to P2P in Ethernet port view. Follow these steps to specify, in Ethernet port view, whether the link connected to a port is a point-to-point link:
    To do...                   Use the command...                           Remarks
    Enter system view          system-view                                  —
    Enter Ethernet port view   interface interface-type int...

  • Page 239

    1-29
    To do...                          Use the command...                      Remarks
    Disable MSTP on specified ports   stp interface interface-list disable    Optional. By default, MSTP is enabled on all ports.
    To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning ...

  • Page 240

    1-30 Configuring the timeout time factor: refer to Configuring the timeout time factor. Configuring the maximum transmitting rate on the current port: refer to Configuring the maximum transmitting rate on the current port. Configuring a port as an edge port: refer to Configuring the current port as a...

  • Page 241

    1-31
    Rate         Operation mode (half-/full-duplex)   802.1D-1998   IEEE 802.1t   Legacy standard
    1,000 Mbps   Full-duplex                          4             20,000        20
                 Aggregated link, 2 ports             3             10,000        18
                 Aggregated link, 3 ports             3             6,666         16
                 Aggregated link, 4 ports             3             5,000         14
    10 Gbps      Full-duplex; aggregated link, 2 ports; aggregated link, 3 ports; aggre...

  • Page 242

    1-32 1) Perform this configuration in system view:
    system-view
    [Sysname] stp interface ethernet 1/0/1 instance 1 cost 2000
    2) Perform this configuration in Ethernet port view:
    system-view
    [Sysname] interface ethernet 1/0/1
    [Sysname-Ethernet1/0/1] stp instance 1 cost 2000
    Configuration example (b) # Co...

  • Page 243

    1-33
    To do...                               Use the command...                                     Remarks
    Enter Ethernet port view               interface interface-type interface-number              —
    Configure port priority for the port   stp [ instance instance-id ] port priority priority    Required. The default port priority is 128.
    Changing the port priority of a port may change the role of t...

  • Page 244

    1-34 Configuration procedure. You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view. Follow these steps to perform the mCheck operation in system view:
    To do...                        Use the command...   Remarks
    Enter system view               system-view          —
    Perform the mCheck operation...

  • Page 245

    1-35 shuts down the edge ports that receive configuration BPDUs and reports these cases to the administrator. Ports shut down in this way can only be restored by the administrator. You are recommended to enable BPDU guard on devices with edge ports configured. Configuration prerequisites: MSTP ...

  • Page 246

    1-36 forwarding packets (as if it were disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period.
    - You are recommended to enable root guard on the designated ports of a root bridge.
    - Loop guard, root guard, a...

  • Page 247

    1-37 Configuring loop guard. A switch maintains the states of its root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may be lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream...

  • Page 248

    1-38 period, the switch may be busy removing MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization. With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receivi...

  • Page 249

    1-39 As a result, STP calculation is performed repeatedly, which may consume too much CPU on the switches or cause errors in the protocol state of the BPDU packets. To avoid this problem, you can enable BPDU dropping on Ethernet ports. Once the function is enabled on a port, the port will no...
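    The four guard functions described above (BPDU guard, root guard, loop guard and TC-BPDU attack guard), as an added example that is not part of the manual or the switch's code: a small Python model of what each guard does to a port when a BPDU arrives or stops arriving. The Max Age of 20 seconds is the default the chapter gives; the root guard recovery period, the TC-BPDU flush limit of 6 per 10 seconds and the port names are this example's own assumptions, and `superior` is passed in by the caller rather than computed from a real BPDU comparison.

```python
from dataclasses import dataclass

MAX_AGE = 20.0                    # the chapter's default Max Age (20 s)
ROOT_GUARD_HOLD = 2 * MAX_AGE     # assumed recovery period for root guard


@dataclass
class Port:
    name: str
    role: str                     # "designated", "root" or "alternate"
    edge: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"
    shutdown: bool = False        # shut down by BPDU guard: only an administrator can restore it
    root_guard_until: float = 0.0
    last_bpdu_at: float = 0.0


def receive_bpdu(port, superior, now):
    """Apply the guards to one configuration BPDU arriving at `now` (seconds).
    `superior` is True if the BPDU would win the comparison against the port's own."""
    if port.shutdown:
        return f"{port.name}: dropped, port is shut down"
    port.last_bpdu_at = now
    if port.edge:
        if port.bpdu_guard:
            port.shutdown, port.state = True, "discarding"
            return f"{port.name}: BPDU guard shut the edge port down; restore it manually"
        port.edge = False            # without BPDU guard the port silently becomes non-edge
        return f"{port.name}: edge port received a BPDU and became a non-edge port"
    if port.role == "designated" and superior:
        if port.root_guard:
            port.state = "discarding"
            port.root_guard_until = now + ROOT_GUARD_HOLD   # each superior BPDU extends the hold
            return f"{port.name}: root guard blocked a superior BPDU"
        return f"{port.name}: superior BPDU accepted; the root bridge may change"
    return f"{port.name}: BPDU processed"


def tick(port, now):
    """Timer processing: root guard recovery and loop guard on BPDU loss. Returns the state."""
    if port.shutdown:
        return port.state
    if port.root_guard_until and now >= port.root_guard_until:
        port.root_guard_until, port.state = 0.0, "forwarding"
    if port.role in ("root", "alternate") and now - port.last_bpdu_at > MAX_AGE:
        if port.loop_guard:
            port.state = "discarding"            # stay blocked until BPDUs return
        else:
            port.role, port.state = "designated", "forwarding"   # no guard: possible loop
    return port.state


class TcGuard:
    """TC-BPDU attack guard: at most `limit` MAC/ARP flush operations per `period`
    seconds (assumed values, not the switch's documented defaults)."""

    def __init__(self, limit=6, period=10.0):
        self.limit, self.period, self.flushes = limit, period, []

    def on_tc_bpdu(self, now):
        """Return True if the flush is performed, False if it is rate-limited."""
        self.flushes = [t for t in self.flushes if now - t < self.period]
        if len(self.flushes) < self.limit:
            self.flushes.append(now)
            return True
        return False


if __name__ == "__main__":
    access = Port("Ethernet1/0/5", "designated", edge=True, bpdu_guard=True)
    print(receive_bpdu(access, superior=False, now=0.0))
```

    The contrast the chapter draws is visible in the two loop-guard cases: a root port that stops hearing BPDUs turns into a forwarding designated port without loop guard (the loop), and stays discarding with it.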

  • Page 250

    1-40 The digest snooping function is not applicable to edge ports. Configuring digest snooping: configure the digest snooping feature on a switch to enable it to communicate, through MSTIs, with other switches in the same MST region that use proprietary protocols to calculate configuration digests. Con...

  • Page 251

    1-41
    - When the digest snooping feature is enabled on a port, the port state turns to the discarding state; that is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
    - The digest snooping feature is needed only wh...

  • Page 252

    1-42 [Figure 1-6: The RSTP rapid transition mechanism. The upstream switch's designated port sends a proposal for rapid transition; the downstream switch's root port blocks its other non-edge ports, changes to the forwarding state and sends an agreement to the upstream device; the upstream designated port then changes to the forwarding state.] Root port, designated p...

  • Page 253

    1-43 Configuring rapid transition. Configuration prerequisites: as shown in Figure 1-8, a 3Com Switch 5500-EI is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch...

  • Page 254

    1-44
    - The rapid transition feature can be enabled only on root ports or alternate ports.
    - If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
    Configuring VLAN-VPN tunnel. Introduction: the VLAN-VPN tunnel function enables STP packets to b...

  • Page 255

    1-45
    To do...                                       Use the command...                           Remarks
    Enable the VLAN-VPN tunnel function globally   vlan-vpn tunnel                              Required. The VLAN-VPN tunnel function is disabled by default.
    Enter Ethernet port view                       interface interface-type interface-number    Make sure that you enter the Ethernet port view of the port for which...

  • Page 256

    1-46
    system-view
    [Sysname] stp instance 1 portlog
    # Enable log/trap output for the ports of all instances.
    system-view
    [Sysname] stp portlog all
    Enabling trap messages conforming to the 802.1D standard. A switch sends trap messages conforming to the 802.1D standard to the network management device in the fol...

  • Page 257

    1-47 MSTP configuration example. Network requirements: implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows:
    - All switches in the network belong to the same MST region.
    - Packets of VL...

  • Page 258

    1-48 # Specify Switch A as the root bridge of MSTI 1.
    [Sysname] stp instance 1 root primary
    2) Configure Switch B
    # Enter MST region view.
    system-view
    [Sysname] stp region-configuration
    # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
    [Sysname-mst-r...

  • Page 259

    1-49 VLAN-VPN tunnel configuration example. Network requirements:
    - Switch C and Switch D are the access devices of the service provider network.
    - The 3Com Switch 5500-EI switches operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram.
    - Switch C and S...

  • Page 260

    1-50 [Sysname] vlan-vpn tunnel
    # Add GigabitEthernet 1/0/1 to VLAN 10.
    [Sysname] vlan 10
    [Sysname-vlan10] port gigabitethernet 1/0/1
    [Sysname-vlan10] quit
    # Enable the VLAN VPN function on GigabitEthernet 1/0/1.
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] port access vla...

  • Page 261: Table of Contents

    I Table of contents: 1 IP routing protocol overview, 1-1; Introduction to IP route and routing table, ...

  • Page 262

    II 4 OSPF configuration, 4-1; OSPF overview, ...

  • Page 263

    III 5 IP route policy configuration, 5-1; IP route policy overview, 5-1...

  • Page 264: Ip Routing Protocol Overview

    1-1 1 IP routing protocol overview. Go to these sections for information you are interested in:
    - Introduction to IP route and routing table
    - Routing protocol overview
    - Displaying and maintaining a routing table
    Introduction to IP route and routing table. IP route: routers are used for route selectio...

  • Page 265

    1-2
    - Interface: indicates through which interface IP packets should be forwarded to the destination.
    - Nexthop: indicates the next router that IP packets will pass through to reach the destination.
    - Preference: there may be multiple routes with different next hops to the same destination. Th...

  • Page 266

    1-3 Routing protocol overview. Static routing and dynamic routing: static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must perform routin...

  • Page 267

    1-4 Routing protocols and routing priority. Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol can uniquely determine the current optimal route to t...

  • Page 268

    1-5 Under normal circumstances, packets are forwarded through the primary route. When the primary route goes down, the route with the highest priority among the backup routes is selected to forward packets. When the primary route recovers, route selection is performed again and the prima...

  • Page 269: Static Route Configuration

    2-1 2 Static route configuration. When configuring a static route, go to these sections for information you are interested in:
    - Introduction to static route
    - Static route configuration
    - Displaying and maintaining static routes
    - Static route configuration example
    - Troubleshooting a static route t...

  • Page 270

    2-2
    - Blackhole route: a route with the blackhole attribute. If a static route to a destination has the blackhole attribute, the outgoing interface of this route is the Null 0 interface regardless of the next hop address, and all the IP packets addressed to this destination are dropped witho...

  • Page 271

    2-3
    - Use the ip route-static command to configure a default route by setting the destination IP address and the mask to 0.0.0.0.
    - Avoid configuring the next hop address of a static route to the address of an interface on the local switch.
    - Different preferences can be configured to implement flex...

  • Page 272

    2-4 [Figure 2-1: Network diagram for static route configuration. Devices: Switch A, Switch B, Switch C, Host A, Host B, Host C; interface addresses 1.1.5.2/24, 1.1.5.1/24, 1.1.1.1/24, 1.1.1.2/24, 1.1.2.2/24, 1.1.2.1/24, 1.1.3.2/24, 1.1.3.1/24, 1.1.4.1/24, 1.1.4.2/24.] Configuration procedure: when only one interface of the device is interconnected ...

  • Page 273

    2-5 # Configure static routes on Switch C.
    system-view
    [SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
    [SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
    2) Perform the following configurations on the hosts.
    # Set the default gateway address of Host A to 1.1.5.1. Detailed configuration p...
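    The route selection described in the overview (longest match, then preference, with a backup route taking over when the primary is withdrawn) together with the default and blackhole routes from this chapter, as an added example that is not from the manual: a Python routing table loaded with Switch C's two static routes from the page plus a backup route, a default route and a blackhole route that are constructed here. The default static-route preference of 60 and the backup's 100 are assumed values for the example; the blackhole entry shows the chapter's point that such traffic is dropped on Null 0 without a reply, which is also how a switch sinkholes a prefix it must never forward.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]
    interface: Optional[str]
    preference: int = 60      # assumed default preference of a static route
    blackhole: bool = False   # outgoing interface Null 0: drop silently
    active: bool = True       # False once the next hop is known to be down


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_static(self, dest, mask, nexthop=None, interface=None, preference=60, blackhole=False):
        """Mirror of 'ip route-static dest mask nexthop [preference p]'; destination
        0.0.0.0 with mask 0.0.0.0 is the default route, as the chapter describes."""
        prefix = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        route = Route(prefix, nexthop, interface, preference, blackhole)
        self.routes.append(route)
        return route

    def best(self, dst):
        """Longest prefix match first; among equal prefixes the lowest preference value wins."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if r.active and addr in r.prefix]
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference), default=None)

    def lookup(self, dst):
        """Forwarding decision: ("forward", next hop), ("drop", "Null0") or ("no route", None)."""
        route = self.best(dst)
        if route is None:
            return ("no route", None)
        if route.blackhole:
            return ("drop", "Null0")
        return ("forward", route.nexthop or route.interface)

    def withdraw(self, nexthop):
        """Mark every route through a failed next hop inactive; the backup route takes over."""
        for r in self.routes:
            if r.nexthop == nexthop:
                r.active = False

    def restore(self, nexthop):
        """The primary route comes back and is preferred again."""
        for r in self.routes:
            if r.nexthop == nexthop:
                r.active = True


def switch_c_table():
    """Switch C's routes from the page, plus constructed backup, default and blackhole routes."""
    t = RoutingTable()
    t.add_static("1.1.1.0", "255.255.255.0", "1.1.2.1")                     # from the page
    t.add_static("1.1.4.0", "255.255.255.0", "1.1.3.2")                     # from the page
    t.add_static("1.1.1.0", "255.255.255.0", "1.1.3.2", preference=100)     # constructed backup
    t.add_static("0.0.0.0", "0.0.0.0", "1.1.2.1")                            # constructed default route
    t.add_static("192.0.2.0", "255.255.255.0", blackhole=True)              # constructed blackhole
    return t


if __name__ == "__main__":
    table = switch_c_table()
    for dst in ("1.1.4.9", "1.1.1.9", "203.0.113.7", "192.0.2.5"):
        print(dst, table.lookup(dst))
```

    Withdrawing next hop 1.1.2.1 moves 1.1.1.0/24 onto the preference-100 backup via 1.1.3.2 and leaves destinations that relied on the default route with no route at all; restoring it returns the table to the primary paths.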

  • Page 274: Rip Configuration

    3-1 3 RIP configuration. When configuring RIP, go to these sections for information you are interested in:
    - RIP overview
    - RIP configuration task list
    - RIP configuration example
    - Troubleshooting RIP configuration
    The term router in this chapter refers to a router in a generic sense or an Ethernet ...

  • Page 275

    3-2
    - Next hop: IP address of an interface on the adjacent router that IP packets should pass through to reach the destination.
    - Interface: outbound interface on this router, through which IP packets should be forwarded to reach the destination.
    - Metric: cost from the local router to the destinati...

  • Page 276

    3-3 RIP configuration task list. Complete the following tasks to configure RIP:
    Task                                                                       Remarks
    Enabling RIP on the interfaces attached to a specified network segment     Required
    Setting the RIP operating status on an interface                           Optional
    Configuring basic RIP functions
    Specifying the RIP version on an inter...

  • Page 277

    3-4
    To do...                                Use the command...         Remarks
    Enable RIP on the specified interface   network network-address    Required. Disabled by default.
    - Related RIP commands configured in interface view take effect only after RIP is enabled.
    - RIP operates on the interfaces attached to a specified network segment. ...

  • Page 278

    3-5 RIP route control. In actual deployments, it may be necessary to control RIP routing information more precisely to accommodate complex network environments. By performing the configuration described in the following sections, you can:
    - Control route selection by adjusting additional routing met...

  • Page 279

    3-6 The rip metricout command takes effect only on the RIP routes learned by the router and the RIP routes generated by the router itself; it does not apply to routes imported into RIP from other routing protocols. Configuring RIP route summarization: RIP route summarization means that when...

  • Page 281

    3-8
    To do...                                    Use the command...                Remarks
    Enter system view                           system-view                       —
    Enter RIP view                              rip                               —
    Enable load sharing among RIP interfaces    traffic-share-across-interface    Required. Disabled by default.
    Configuring RIP to redistribute routes from another protocol. Follow these steps to configure RIP to impor...

  • Page 283

    3-10 Some fields in a RIP-1 packet must be 0; they are known as must-be-zero fields. For RIP-1, the must-be-zero fields are checked on incoming packets, and RIP-1 packets with any of these fields nonzero are not processed. Setting the RIP-2 packet authentication mode: RIP-2 supports two authenti...
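    The two RIP-2 authentication modes this section introduces (simple password and MD5), as an added example that is not from the manual or the switch's code: a Python builder and verifier for the RFC 2453 plaintext entry and the RFC 2082 keyed-MD5 entry and digest trailer, run on a constructed two-route update. The wire layout follows those RFCs; the key ID, key bytes, sequence numbers and the replay check against the last accepted sequence number are this example's own choices. The plaintext variant is included only to show why it is the weaker mode: anyone on the segment can read the password back out of the packet.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_AFI = 0xFFFF
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1   # RFC 2453 password, RFC 2082 MD5, digest trailer

# Constructed routes: (network, mask, next hop, metric); next hop 0.0.0.0 means the sender.
ROUTES = [("10.1.1.0", "255.255.255.0", "0.0.0.0", 1),
          ("192.168.1.0", "255.255.255.0", "0.0.0.0", 2)]


def _header():
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)


def _entry(net, mask, nexthop, metric, tag=0):
    return struct.pack("!HH4s4s4sI", 2, tag, IPv4Address(net).packed,
                       IPv4Address(mask).packed, IPv4Address(nexthop).packed, metric)


def build_simple(routes, password):
    """RIP-2 response with a plaintext password entry: the secret rides in the clear."""
    auth = struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password.encode())
    return _header() + auth + b"".join(_entry(*r) for r in routes)


def recover_simple_password(pkt):
    """What a sniffer on the segment learns from a simple-auth packet."""
    afi, atype = struct.unpack_from("!HH", pkt, 4)
    if afi != AUTH_AFI or atype != AUTH_SIMPLE:
        return None
    return pkt[8:24].rstrip(b"\0").decode()


def _md5_over(body, trailer_hdr, key):
    # RFC 2082: the zero-padded 16-byte key sits where the digest will go.
    return hashlib.md5(body + trailer_hdr + key.ljust(16, b"\0")[:16]).digest()


def build_md5(routes, key, key_id, seq):
    """RIP-2 response with a keyed-MD5 authentication entry and digest trailer."""
    entries = b"".join(_entry(*r) for r in routes)
    pkt_len = 4 + 20 + len(entries)        # header + auth entry + routes = offset of the trailer
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq)
    body = _header() + auth + entries
    trailer_hdr = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
    return body + trailer_hdr + _md5_over(body, trailer_hdr, key)


def verify_md5(pkt, keys, last_seq=None):
    """Return (accepted, sequence). `keys` maps key ID -> key bytes; `last_seq` is the
    highest sequence number already accepted from this neighbour (replay check)."""
    if len(pkt) < 24:
        return False, None
    afi, atype, pkt_len, key_id, auth_len, seq = struct.unpack_from("!HHHBBI", pkt, 4)
    if afi != AUTH_AFI or atype != AUTH_MD5 or auth_len != 16:
        return False, None
    if len(pkt) != pkt_len + 4 + 16 or key_id not in keys:
        return False, None
    body, trailer_hdr, digest = pkt[:pkt_len], pkt[pkt_len:pkt_len + 4], pkt[pkt_len + 4:]
    if trailer_hdr != struct.pack("!HH", AUTH_AFI, AUTH_TRAILER):
        return False, None
    if not hmac.compare_digest(_md5_over(body, trailer_hdr, keys[key_id]), digest):
        return False, None              # wrong key, or any byte of the update was altered
    if last_seq is not None and seq <= last_seq:
        return False, seq               # replayed or out-of-order update
    return True, seq


if __name__ == "__main__":
    pkt = build_md5(ROUTES, b"s3cret-key", key_id=1, seq=7)
    print(verify_md5(pkt, {1: b"s3cret-key"}))
    print(recover_simple_password(build_simple(ROUTES, "hunter2")))
```

    The verifier rejects a packet whose route entries were changed in flight, one signed under a key ID it does not hold, and one replayed with a sequence number it has already accepted; the plaintext builder demonstrates that nothing of the kind protects the simple mode.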

  • Page 284

    3-11 Displaying and maintaining RIP configuration
    To do...                                                                Use the command...       Remarks
    Display the current RIP running status and configuration information    display rip
    Display RIP interface information                                       display rip interface
    Display RIP routing information                                         display rip routing     Available in any view
    Res...

  • Page 285

    3-12 Configuration procedure. Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP.
    system-view
    [SwitchA] rip...


  • Page 287: Ospf Configuration

    4-1 4 OSPF configuration. When configuring OSPF, go to these sections for information you are interested in:
    - OSPF overview
    - OSPF configuration task list
    - Displaying and maintaining OSPF configuration
    - OSPF configuration examples
    - Troubleshooting OSPF configuration
    The term router in this chapte...

  • Page 288

    4-2 OSPF route calculation. Taking no account of area partition, the route calculation process of the OSPF protocol is as follows:
    - Each OSPF-capable router maintains a link state database (LSDB), which describes the topology of the whole AS. According to the network topology around itself, each...

  • Page 289

    4-3
    - Hello packet: hello packets are the most commonly used OSPF packets; they are periodically sent by a router to its neighbors. A hello packet contains the values of some timers, the DR, the BDR and the known neighbors.
    - DD packet: when two routers synchronize their databases, they use database description (D...

  • Page 290

    4-4
    - Type-7 LSAs can only be advertised in an NSSA area. When type-7 LSAs reach an ABR, the ABR can convert part of the routing information carried in the type-7 LSAs into type-5 LSAs and advertise the type-5 LSAs. Type-7 LSAs are not directly advertised to other areas (including the backbone area)...

  • Page 291

    4-5 [Figure 4-1: OSPF area partition.] On the border of an area is a router that belongs to different areas. After area partition, area border routers perform route summarization to reduce the number of LSAs advertised to other areas and minimize the effect of topology changes. Classification of route...

  • Page 292

    4-6 [Figure 4-2: OSPF router types. Backbone area 0 and areas 1 to 4; a backbone router, internal routers, an ABR, and an ASBR connecting to RIP.] 5) Type-7 LSA translator: a type-7 LSA translator takes effect on an ABR. The state of the type-7 LSA translator determines whether the ABR needs to translate type-7 LSAs into type-...

  • Page 293

    4-7 In the following figure, area 2 has no direct physical link to the backbone area 0. Configuring a virtual link between ABRs can connect area 2 to the backbone area. [Figure 4-3: Virtual link application 1.] Another application of virtual links is to provide redundant links. If the backbone area cann...

  • Page 294

    4-8
    - A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area.
    - Virtual links cannot transit (totally) stub areas.
    NSSA area: similar to a stub area, an NSSA area imports no AS external LSAs (type-5 LSAs) but can import type-7 LSAs that are generat...

  • Page 295

    4-9 [Figure 4-6: Route summarization.] OSPF has two types of route summarization: 1) ABR route summarization. To distribute routing information to other areas, an ABR generates type-3 LSAs on a per network segment basis for an attached non-backbone area. If contiguous network segments are available in th...

  • Page 296

    4-10 OSPF network type. Four OSPF network types: OSPF divides networks into four types by link layer protocol:
    - Broadcast: if Ethernet or FDDI is adopted, OSPF defaults the network type to broadcast. In a broadcast network, protocol packets are sent as multicast (224.0.0.5 and 224.0.0.6) by default....

  • Page 297

    4-11 solve this problem, the DR is defined in OSPF so that all routers send information to the DR only and the DR broadcasts the network link states on the network. If the DR fails, a new DR must be elected and synchronized with the other routers on the network. The process takes quite a long time; in t...

  • Page 298

    4-12
    - The DR is elected per router interface on a given segment. A router may be the DR on one interface and the BDR or a DR other on another interface.
    - The priority of a router affects the DR and BDR election. However, it has no effect once the election has ended. A new priority ...
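    The DR/BDR election rules from this section (priority 0 routers are never elected, higher priority wins, ties go to the higher router ID, and a finished election is not preempted by a newcomer), as an added example that is not part of the manual: a Python election function in the spirit of RFC 2328 section 9.4, plus the adjacency rule the chapter's verification step relies on (DR-others reach Full state only with the DR and BDR). The segment is constructed from the chapter's DR election example: Switch A's priority 100 and Switch D's priority 1 appear on the page, Switch B's 0 and Switch C's 2 are assumed. The non-preemption rule is also why a rogue router announcing priority 255 cannot take the DR role while the real DR is up, but will the moment it fails.

```python
import ipaddress

# Constructed segment: {router ID: DR priority}. A = 100 and D = 1 are on the page;
# B = 0 (never a DR/BDR) and C = 2 are assumed for the example.
SEGMENT = {"1.1.1.1": 100, "2.2.2.2": 0, "3.3.3.3": 2, "4.4.4.4": 1}


def _rank(priorities):
    """Election order: higher priority first, then higher router ID."""
    return lambda rid: (priorities[rid], int(ipaddress.ip_address(rid)))


def elect(routers, dr=None, bdr=None):
    """routers: {router_id: priority} currently seen on the segment. `dr`/`bdr` are the
    present holders, if any; they keep their roles while they are still present."""
    eligible = {rid: p for rid, p in routers.items() if p > 0}   # priority 0 is ineligible
    rank = _rank(eligible)
    if dr not in eligible:
        dr = bdr if bdr in eligible else None        # the BDR is promoted when the DR disappears
        bdr = None
    if bdr not in eligible or bdr == dr:
        others = [r for r in eligible if r != dr]
        bdr = max(others, key=rank) if others else None
    if dr is None:                                   # no DR yet: the freshly chosen BDR becomes DR
        dr = bdr
        others = [r for r in eligible if r != dr]
        bdr = max(others, key=rank) if others else None
    return dr, bdr


def full_adjacencies(routers, dr, bdr):
    """Router pairs that reach Full state: every router with the DR and with the BDR.
    Two DR-others stop at 2-Way, which is why 'display ospf peer' on a DR-other shows
    only two Full neighbours on a four-router segment."""
    pairs = set()
    for a in routers:
        for b in routers:
            if a < b and (dr in (a, b) or bdr in (a, b)):
                pairs.add((a, b))
    return pairs


if __name__ == "__main__":
    dr, bdr = elect(SEGMENT)
    print("DR", dr, "BDR", bdr)
    print(sorted(full_adjacencies(SEGMENT, dr, bdr)))
```

    On the constructed segment Switch A (1.1.1.1) becomes DR and Switch C (3.3.3.3) BDR, which is why the chapter's check shows Switch A Full with all three peers while B and D are Full only with A and C. Removing A promotes C to DR and elects D as the new BDR; when A returns with priority 100 it stays a DR-other.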

  • Page 299

    4-13
    Task                                                    Remarks
    Configuring OSPF route priority                         Optional
    Configuring the maximum number of OSPF ECMP routes      Optional
    Configuring OSPF to redistribute external routes        Optional
    Configuring OSPF timers                                 Optional
    Configuring the LSA transmission delay                  Optional
    Configuring the SPF calculation interval                O...

  • Page 300

    4-14 packet exchange between an OSPF process and other routers. Therefore, packets can be exchanged between routers with different OSPF process IDs.
    - Configuring an area and the network segments in the area. You need to plan areas in an AS before performing the corresponding configurations on eac...

  • Page 301

    4-15 OSPF area attribute configuration. Area partition in OSPF reduces the number of LSAs in the network and enhances OSPF scalability. To further reduce routing table size and the number of LSAs in some non-backbone areas on the edge of the AS, you can configure these areas as stub areas. A stub are...

  • Page 304

    4-18 Configuring the DR priority on an OSPF interface. You can control the DR/BDR election on a broadcast or NBMA network by configuring the DR priorities of interfaces. Follow these steps to configure the DR priority on an OSPF interface:
    To do...            Use the command...   Remarks
    Enter system view   system-...

  • Page 305

    4-19
    - Configuring ASBR route summarization for imported routes.
    Follow these steps to configure ABR route summarization:
    To do...             Use the command...                              Remarks
    Enter system view    system-view                                     —
    Enter OSPF view      ospf [ process-id [ router-id router-id ] ]     —
    Enter area view      area area-id                                    —
    Enable ABR route ...

  • Page 306

    4-20 Configuring the OSPF cost on an interface. Follow these steps to configure the OSPF cost on an interface:
    To do...                                    Use the command...                           Remarks
    Enter system view                           system-view                                  —
    Enter interface view                        interface interface-type interface-number    —
    Configure the OSPF cost on the interface    ospf cost value ...

  • Page 307

    4-21 Configuring OSPF to redistribute external routes. Follow these steps to configure OSPF to redistribute external routes:
    To do...                                              Use the command...                              Remarks
    Enter system view                                     system-view                                     —
    Enter OSPF view                                       ospf [ process-id [ router-id router-id ] ]     —
    Configure OSPF to redistribute routes from ano...

  • Page 308

    4-22
    - By adjusting the SPF calculation interval, you can mitigate the resource consumption caused by frequent network changes.
    - In a network with high security requirements, you can enable OSPF authentication to enhance OSPF network security.
    - In addition, OSPF supports network management. You can config...

  • Page 309

    4-23
    - Default hello and dead timer values are restored once the network type is changed.
    - Do not set an LSA retransmission interval that is too short; otherwise, unnecessary retransmissions will occur. The LSA retransmission interval must be greater than the round trip time of a packet between two ...

  • Page 310

    4-24
    To do...                                 Use the command...                Remarks
    Configure the SPF calculation interval   spf-schedule-interval interval    Required. 5 seconds by default.
    Disabling OSPF packet transmission on an interface: to prevent OSPF routing information from being acquired by the routers on a certain network, use the silent-...

  • Page 312

    4-26
    To do...                                          Use the command...                              Remarks
    Enter OSPF view                                   ospf [ process-id [ router-id router-id ] ]     —
    Enable OSPF logging of neighbor state changes     log-peer-change                                 Required. Disabled by default.
    Configuring OSPF network management. Follow these steps to configure OSPF network management (NM):
    To d...

  • Page 313

    4-27
    To do...                                Use the command...                          Remarks
    Display the OSPF routing table          display ospf [ process-id ] routing
    Display OSPF virtual links              display ospf [ process-id ] vlink
    Display the OSPF request list           display ospf [ process-id ] request-queue
    Display the OSPF retransmission list    display ospf [ process-id ] retrans...

  • Page 314

    4-28 Switch D: VLAN-int1, 196.1.1.4/24, router ID 4.4.4.4, DR priority 1.
    Configuration procedure
    # Configure Switch A.
    system-view
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
    [SwitchA-Vlan-interface1] ospf dr-priority 100
    [SwitchA-Vlan-interface1] quit
    [SwitchA] router id...

  • Page 315

    4-29 On Switch A, run the display ospf peer command to display its OSPF peers. Note that Switch A has three peers. The state of each peer is Full, which means that an adjacency is established between Switch A and each peer. Switch A and Switch C must establish adjacencies with all the switches on the n...

  • Page 316

    4-30 Network diagram [Figure 4-9: Network diagram for OSPF virtual link configuration.]
    Device     Interface   IP address      Router ID
    Switch A   VLAN-int1   196.1.1.1/24    1.1.1.1
    Switch B   VLAN-int1   196.1.1.2/24    2.2.2.2
               VLAN-int2   197.1.1.2/24
    Switch C   VLAN-int1   152.1.1.1/24    3.3.3.3
               VLAN-int2   197.1.1.1/24
    Configurat...

  • Page 317

    4-31 [SwitchB] ospf
    [SwitchB-ospf-1] area 0
    [SwitchB-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.0] quit
    [SwitchB-ospf-1] area 1
    [SwitchB-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255
    [SwitchB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
    # Configure Switch C.
    system-vie...

  • Page 318

    4-32 1) use the display ip interface brief command to verify that the link layer works normally. 2) use the ping command to check network layer connectivity. 3) use the display ospf interface command to view the ospf interface configuration. 4) if the network type of an interface is nbma, use the di...

  • Page 319

    5-1 5 ip route policy configuration when configuring an ip route policy, go to these sections for information you are interested in: z ip route policy overview z ip route policy configuration task list z displaying ip route policy z ip route policy configuration example z troubleshooting ip route po...

  • Page 320

    5-2 acl you can specify a range of ip addresses or subnets when defining an acl so as to match the destination network addresses or next-hop addresses in routing information. You can reference an acl into a route policy to filter routing information. For acl configuration, refer to the part discussi...

  • Page 321

    5-3 route policy configuration a route policy is used to match given routing information or some attributes of routing information and change the attributes of the routing information if the conditions are met. The above-mentioned filtering lists can serve as the match conditions: a route policy can...

  • Page 323

    5-5 to do... Use the command... Remarks define a rule to match the next-hop interface of routing information if-match interface interface-type interface-number optional by default, no matching is performed on the next-hop interface of routing information. Define a rule to match the next-hop address ...

  • Page 324

    5-6 configuration prerequisites before configuring a filter list, prepare the following data: z ip-prefix name z range of addresses to be matched configuring an ip-prefix list an ip-prefix list is identified by its ip-prefix list name. Each ip-prefix list can comprise multiple entries. Each entry ca...

  • Page 325

    5-7 ip route policy configuration example configuring to filter received routing information network requirements switch a communicates with switch b. Ospf protocol is enabled on both switches. The router id of switch a is 1.1.1.1 and that of switch b is 2.2.2.2. Configure three static routes and en...

  • Page 326

    5-8 [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] quit # configure an acl. [switcha] acl number 2000 [switcha-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [switcha-acl-basic-2000] rule...

  • Page 327

    5-9 20.0.0.0/8 1 type2 1 10.0.0.1 1.1.1.1 40.0.0.0/8 1 type2 1 10.0.0.1 1.1.1.1 total nets: 3 intra area: 1 inter area: 0 ase: 2 nssa: 0 controlling rip packet cost to implement dynamic route backup network requirements the required speed of convergence in the small network of a company is not high....

  • Page 328

    5-10 host 192.168.0.9/24 configuration considerations z according to the network requirements, select rip. Z for the oa server, the main link is between switch a and switch c, while the backup link is between switch b and switch c. Z for the service server, the main link is between switch b and swit...

  • Page 329

    5-11 [switchc-route-policy] if-match interface vlan-interface2 [switchc-route-policy] if-match ip-prefix 1 [switchc-route-policy] apply cost 5 [switchc-route-policy] quit # create node 20 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes mat...

  • Page 330

    5-12 2.0.0.0/8 direct 0 0 2.2.2.2 vlan-interface2 2.2.2.2/32 direct 0 0 127.0.0.1 inloopback0 3.0.0.0/8 rip 100 5 6.6.6.5 vlan-interface6 6.0.0.0/8 direct 0 0 6.6.6.6 vlan-interface6 6.6.6.6/32 direct 0 0 127.0.0.1 inloopback0 127.0.0.0/8 direct 0 0 127.0.0.1 inloopback0 127.0.0.1/32 direct 0 0 127....

  • Page 331

    5-13 analysis the route policy cannot filter routing information correctly in the following two cases: z all nodes in the route policy are in the deny mode. Z all entries in the ip-prefix list are in the deny mode. Solution 1) use the display ip ip-prefix command to display the configuration of the ...

  • Page 332: Route Capacity Configuration

    6-1 6 route capacity configuration when configuring route capacity, go to these sections for information you are interested in: z route capacity configuration overview z route capacity limitation configuration z displaying and maintaining route capacity limitation configuration the term router in th...

  • Page 333

    6-2 route capacity limitation huge routing tables are usually caused by ospf route entries. Therefore, the route capacity limitation of a switch applies only to ospf routes, instead of static routes and rip routes. The route capacity limitation is implemented by controlling the size of the free memo...

  • Page 334

    6-3 to do... Use the command... Remarks enable automatic protocol recovery memory auto-establish enable optional enabled by default follow these steps to disable automatic protocol recovery: to do... Use the command... Remarks enter system view system-view — disable automatic protocol recovery memor...

  • Page 335: Table of Contents

    I table of contents: 1 multicast overview ... 1; multicast overview ...

  • Page 336

    Ii displaying and maintaining igmp ... 12; 4 pim configuration ...

  • Page 337

    Iii displaying and maintaining msdp ... 14; msdp configuration example ... 15; anycast rp...

  • Page 338: Multicast Overview

    1 1 multicast overview in this manual, the term “router” refers to a router in the generic sense or a layer 3 ethernet switch running an ip multicast protocol. Multicast overview with the development of the internet, more and more interaction services such as data, voice, and video services are runn...

  • Page 339

    2 assume that hosts b, d and e need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of user...

  • Page 340

    3 information transmission in the multicast mode as described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast ...

  • Page 341

    4 z all receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. Z a router that supports layer 3 multicast is called multicast router or layer 3 multicast device. In addition to providing multicast routing, a multicast router ...

  • Page 342

    5 advantages and applications of multicast advantages of multicast advantages of multicast include: z enhanced efficiency: multicast decreases network traffic and reduces server load and cpu load. Z optimal performance: multicast reduces redundant traffic. Z distributive application: multicast makes...

  • Page 343

    6 the radical difference between the ssm model and the asm model is that in the ssm model, receivers already know the locations of the multicast sources by some means. In addition, the ssm model uses a multicast address range that is different from that of the asm model, and dedicated multicast forw...

  • Page 344

    7 group address), rather than one address. All the receivers join a group. Once they join the group, the data sent to this group of addresses starts to be transported to the receivers. All the members in this group can receive the data packets. This group is a multicast group. A multicast group has ...

  • Page 345

    8 class d address range description 224.0.0.11 mobile agents 224.0.0.12 dhcp server/relay agent 224.0.0.13 all protocol independent multicast (pim) routers 224.0.0.14 resource reservation protocol (rsvp) encapsulation 224.0.0.15 all core-based tree (cbt) routers 224.0.0.16 the specified subnetwork b...

  • Page 346

    9 multicast protocols z generally, we refer to ip multicast working at the network layer as layer 3 multicast and the corresponding multicast protocols as layer 3 multicast protocols, which include igmp, pim, and msdp; we refer to ip multicast working at the data link layer as layer 2 multicast and ...

  • Page 347

    10 among a variety of mature intra-domain multicast routing protocols, protocol independent multicast (pim) is a popular one. Based on the forwarding mechanism, pim comes in two modes – dense mode (often referred to as pim-dm) and sparse mode (often referred to as pim-sm). Z an inter-domain multicas...

  • Page 348

    11 z in the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. Z to process the same multicast information from different peers received on different...

  • Page 349

    12 considers the path along which the packet from the rpf neighbor arrived on the rpf interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in figure 1-1. Multicast packets travel along the spt from the multicast source to the rec...

  • Page 350

    1 2 common multicast configuration in this manual, the term “router” refers to a router in the generic sense or a layer 3 ethernet switch running an ip multicast protocol. Common multicast configuration table 2-1 complete the following tasks to perform common multicast configurations: task remarks e...

  • Page 351

    2 to do... Use the command... Remarks configure the maximum number of packets that can be buffered per multicast forwarding entry multicast storing-packet packet-number optional the system default is 100. The multicast packet buffering feature should be enabled before multicast routing is enabled. E...

  • Page 352

    3 to do... Use the command... Remarks configure the maximum number of multicast route entries multicast route-limit limit optional by default, the maximum number of multicast route entries is 256 configuring suppression on the multicast source port some users may deploy unauthorized multicast server...

  • Page 354

    5 z if the multicast mac address entry to be created already exists, the system gives you a prompt. Z if you want to add a port to a multicast mac address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified ...

  • Page 355

    6 z consistent with the multicast routing table, the multicast forwarding table is the table that guides multicast forwarding. Follow these commands to display common multicast configuration: to do... Use the command... Remarks display the statistics information about multicast source port suppressio...

  • Page 356: Igmp Configuration

    1 3 igmp configuration in this manual, the term “router” refers to a router in the generic sense or a layer 3 ethernet switch running an ip multicast protocol. When configuring igmp, go to these sections for information you are interested in: z igmp overview z configuring igmp z displaying and maint...

  • Page 357

    2 figure 3-1 joining multicast groups query report dr host a (g2) host b (g1) host c (g1) ethernet router a router b ip network assume that host b and host c are expected to receive multicast data addressed to multicast group g1, while host a is expected to receive multicast data addressed to g2, as...

  • Page 358

    3 enhancements provided by igmpv2 compared with igmpv1, igmpv2 provides the querier election mechanism and leave group mechanism. Querier election mechanism in igmpv1, the dr elected by the layer 3 multicast routing protocol (such as pim) serves as the querier among multiple routers on the same subn...

  • Page 359

    4 z if it does not expect multicast data from specific sources like s1, s2, …, it sends a report with the filter-mode denoted as “exclude sources (s1, s2, …)”. As shown in figure 1-7, the network comprises two multicast sources, source 1 (s1) and source 2 (s2), both of which can send multicast data ...

  • Page 360

    5 z to_ex: the filtering mode has changed from include to exclude. Z allow: the source address fields in this group record contain a list of the additional sources that the system wishes to hear from, for packets sent to the specified multicast address. If the change was to an include source list, t...

  • Page 361

    6 enable multicast routing, and then enable pim and igmp on vlan-interface 1 and vlan-interface 2. Run the igmp proxy command on vlan-interface 1 to configure it as the proxy interface for vlan-interface 2. Configure switch a as follows: z enable multicast routing, enable igmp and pim on vlan-interf...

  • Page 362

    7 before performing the following configurations described in this chapter, you must enable multicast routing and enable igmp on the specific interfaces. Configuring igmp version follow these steps to configure igmp version: to do... Use the command... Remarks enter system view system-view — enter i...

  • Page 363

    8 z if the igmp querier receives igmp report messages from other hosts within the period of robust-value × lastmember-queryinterval, it will maintain the membership of the group. Z if the igmp querier does not receive igmp report messages from other hosts after the period of robust-value × lastmembe...

  • Page 364

    9 to do... Use the command... Remarks configure the maximum response time of igmp general queries igmp max-response-time seconds optional 10 seconds by default. Configuring the maximum allowed number of multicast groups by configuring the maximum number of igmp multicast groups allowed to be joined ...

  • Page 366

    11 configuring simulated joining in interface view follow these steps to configure simulated joining in interface view: to do... Use the command... Remarks enter system view system-view — enter interface view interface interface-type interface-number — vlan interface view igmp host-join group-addres...

  • Page 367

    12 z you must enable the pim protocol on the interface before configuring the igmp proxy command. Otherwise, the igmp proxy feature does not take effect. Z one interface cannot serve as the proxy interface for two or more interfaces. Z generally, an interface serving as an igmp querier cannot act as...

  • Page 368: Pim Configuration

    1 4 pim configuration when configuring pim, go to these sections for information you are interested in: z pim overview z configuring pim-dm z configuring pim-sm z configuring common pim parameters z displaying and maintaining pim z pim configuration examples z troubleshooting pim in this manual, the...

  • Page 369

    2 introduction to pim-dm pim-dm is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely distributed multicast members. The basic implementation of pim-dm is as follows: z pim-dm assumes that at least one mult...

  • Page 370

    3 corresponding interface from the outgoing interface list in the (s, g) entry and stop forwarding subsequent packets addressed to that multicast group down to this node. Z an (s, g) entry contains the multicast source address s, multicast group address g, outgoing interface list, and incoming inter...

  • Page 371

    4 1) the node that needs to receive multicast data sends a graft message hop by hop toward the source, as a request to join the spt again. 2) upon receiving this graft message, the upstream node puts the interface on which the graft was received into the forwarding state and responds with a graft-ack...

  • Page 372

    5 pim-sm is a type of sparse mode multicast protocol. It uses the “pull mode” for multicast forwarding, and is suitable for large- and medium-sized networks with sparsely and widely distributed multicast group members. The basic implementation of pim-sm is as follows: z pim-sm assumes that no hosts ...

  • Page 373

    6 a dr must be elected in a multi-access network, no matter whether this network connects to multicast sources or to receivers. The dr at the receiver side sends join messages to the rp; the dr at the multicast source side sends register messages to the rp. Z a dr is elected on a multi-access subnet by mean...

  • Page 374

    7 z switch 5500-ei series ethernet switches do not support dr priority. Dr election is based on ip addresses. Z in a pim-dm domain, a dr serves as an igmpv1 querier. Rp discovery the rp is the core of a pim-sm domain. For a small-sized, simple network, one rp is enough for forwarding information thr...

  • Page 375

    8 figure 4-5 building an rpt in pim-sm rpt building as shown in figure 4-5, the process of building an rpt is as follows: 1) when a receiver joins a multicast group g, it uses an igmp message to inform the directly connected dr. 2) upon getting the receiver information, the dr sends a join message,...

  • Page 376

    9 figure 4-6 multicast registration as shown in figure 4-6, the multicast source registers with the rp as follows: 1) when the multicast source s sends the first multicast packet to a multicast group g, the dr directly connected with the multicast source, upon receiving the multicast packet, encaps...

  • Page 377

    10 assert pim-sm uses exactly the same assert mechanism as pim-dm does. Refer to assert. Configuring pim-dm enabling pim-dm with pim-dm enabled, a router sends hello messages periodically to discover pim neighbors and processes messages from pim neighbors. When deploying a pim-dm domain, you are re...

  • Page 378

    11 to do... Use the command... Remarks enter interface view interface interface-type interface-number — enable pim-sm pim sm required disabled by default configuring an rp an rp can be manually configured or dynamically elected through the bsr mechanism. For a large pim network, static rp configurat...

  • Page 380

    13 the right of advertising rp information in the network. After being configured as a c-bsr, a router automatically floods the network with bootstrap messages. As a bootstrap message has a ttl value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap...

  • Page 381

    14 after this feature is configured, bootstrap messages cannot pass the border. However, the other pim messages can pass the domain border. The network can be effectively divided into domains that use different bsrs. Filtering the registration packets from dr to rp within a pim-sm domain, the source...

  • Page 382

    15 typically, you need to configure the above-mentioned parameters on the receiver-side dr and the rp only. Since both the dr and rp are elected, however, you should carry out these configurations on the routers that may win dr election and on the c-rps that may win rp election. Configuring common p...

  • Page 383

    16 z if you have configured a basic acl, the switch filters all the received multicast packets based on the multicast source address, and discards packets that fail source address match. Z if you have configured an advanced acl, the switch filters all the received multicast packets based on the mult...

  • Page 384

    17 to do... Use the command... Remarks configure a limit on the number of pim neighbors on the interface pim neighbor-limit limit optional by default, the upper limit on the number of pim neighbors on an interface is 128. Configure a filtering rule to filter pim neighbors pim neighbor-policy acl-num...

  • Page 385

    18 the pim prune delay function is applicable only to pim-sm networks, but not to pim-dm networks. Upon receiving a prune message from a downstream device, the upstream node removes the interface connecting the downstream node from the outgoing interface list of the (s, g) entry. If the downstream n...

  • Page 387

    20 network diagram figure 4-7 network diagram for pim-dm configuration (figure labels: ethernet segments n1 and n2; interfaces vlan-int102 and vlan-int103) device interface ip address device interface ip address switch a vlan-int100 10.110.1.1/24 switch d vlan-int300 10.110.5.1/24 vlan-int1...

  • Page 388

    21 [switcha-vlan-interface103] quit the configuration on switch b and switch c is similar to the configuration on switch a. # enable ip multicast routing on switch d, and enable pim-dm on each interface. System-view [switchd] multicast routing-enable [switchd] interface vlan-interface 300 [switchd-v...

  • Page 389

    22 pim-dm routing table total 1 (s,g) entry (10.110.5.100, 225.1.1.1) protocol 0x40: pimdm, flag 0xc: spt neg_cache uptime: 00:00:23, timeout in 187 sec upstream interface: vlan-interface300, rpf neighbor: null downstream interface list: vlan-interface101, protocol 0x200: spt, timeout in 147 sec vla...

  • Page 390

    23 network diagram figure 4-8 network diagram for pim-sm domain configuration (figure labels: ethernet segments n1 and n2; interface vlan-int101) device interface ip address device interface ip address switch a vlan-int100 10.110.1.1/24 switch d vlan-int300 10.110.5.1/24 vlan-int101 192.168.1.1/24 vlan-int...

  • Page 391

    24 [switcha-vlan-interface100] quit [switcha] interface vlan-interface 101 [switcha-vlan-interface101] pim sm [switcha-vlan-interface101] quit [switcha] interface vlan-interface 102 [switcha-vlan-interface102] pim sm [switcha-vlan-interface102] quit the configuration on switch b and switch c is simi...

  • Page 392

    25 uptime: 00:49:44 expires: 00:01:46 # display pim routing table information on switch a. Display pim routing-table pim-sm routing table total 1 (s,g) entries, 1 (*,g) entries, 0 (*,*,rp) entry (*, 225.1.1.1), rp 192.168.9.2 protocol 0x20: pimsm, flag 0x2003: rpt wc null_iif uptime: 00:23:21, never...

  • Page 393

    26 (10.110.5.100, 225.1.1.1) protocol 0x20: pimsm, flag 0x4: spt uptime: 00:03:03, timeout in 27 sec upstream interface: vlan-interface105, rpf neighbor: 192.168.4.2 downstream interface list: vlan-interface102, protocol 0x200: spt, timeout in 147 sec vlan-interface103, protocol 0x200: spt, timeout ...

  • Page 394: Msdp Configuration

    1 5 msdp configuration when configuring msdp, go to these sections for information you are interested in: z msdp overview z configuring msdp basic functions z configuring connection between msdp peers z configuring sa message transmission z displaying and maintaining msdp z msdp configuration exampl...

  • Page 395

    2 msdp achieves this objective. By establishing msdp peer relationships among rps of different pim-sm domains, source active (sa) messages can be forwarded among domains and the multicast source information can be shared. Z msdp is applicable only if the intra-domain multicast protocol is pim-sm. Z ...

  • Page 396

    3 z intermediate msdp peer: an msdp peer with multiple remote msdp peers, like rp 2. An intermediate msdp peer forwards sa messages received from one remote msdp peer to other remote msdp peers, functioning as a relay of multicast source information. 2) msdp peers created on common pim-sm routers (...

  • Page 397

    4 1) when the multicast source in pim-sm 1 sends the first multicast packet to multicast group g, dr 1 encapsulates the multicast data within a register message and sends the register message to rp 1. Then, rp 1 gets aware of the information related to the multicast source. 2) as the source-side rp,...

  • Page 398

    5 if only one msdp peer exists in a pim-sm domain, this pim-sm domain is also called a stub domain. For example, as 4 in figure 5-3 is a stub domain. The msdp peer in a stub domain can have multiple remote msdp peers at the same time. You can configure one or more remote msdp peers as static rpf pee...

  • Page 399

    6 because the sa message is from a static rpf peer (rp 6), rp 7 accepts the sa message and forwards it to its other peer (rp 8). 6) when rp 8 receives the sa message from rp 7, an ebgp route exists between the two msdp peers in different ass. Because the sa message is from an msdp peer (rp 7) in a different ...

  • Page 400

    7 2) receivers send join messages to the nearest rp to join the rpt rooted at this rp. In this example, the receiver joins the rpt rooted at rp 2. 3) rps share the registered multicast information by means of sa messages. In this example, rp 1 creates an sa message and sends it to rp 2, with the mult...

  • Page 401

    8 z in the case that all the peers use the rp-policy keyword: multiple static rpf peers function at the same time. Rps in sa messages are filtered based on the configured prefix list, and only the sa messages whose rp addresses pass the filtering are received. If multiple static rpf peers using the ...

  • Page 402

    9 configuration prerequisites before configuring an msdp peer connection, you need to configure: z a unicast routing protocol z basic functions of ip multicast z pim-sm basic functions z msdp basic functions complete the following tasks to configure an msdp peer connection: task remarks configuring ...

  • Page 403

    10 z before you configure an msdp mesh group, make sure that the routers are fully connected with one another. Z the same group name must be configured on all the peers before they can join a mesh group. Z if you add the same msdp peer to multiple mesh groups, only the latest configuration takes eff...

  • Page 404

    11 to reduce the delay in obtaining the multicast source information, you can cache sa messages on the router. The number of sa messages cached must not exceed the system limit. The more messages are cached, the more router memory is occupied. Configuration prerequisites before you configure sa mess...

  • Page 405

    12 configuring sa message cache with the sa message caching mechanism enabled on the router, the group that a new member subsequently joins can obtain all active sources directly from the sa cache and join the corresponding spt source tree, instead of waiting for the next sa message. You can configu...

  • Page 406

    13 to do... Use the command... Remarks configure a rule for filtering the sa messages received by an msdp peer peer peer-address sa-request-policy [ acl acl-number ] optional by default, a router receives all sa request messages from the msdp peer. Configuring a rule for filtering the multicast sour...

  • Page 408

    15 you can locate message loss and configuration errors by tracing the network path of the specified (s, g, rp) entries. Once the transmission path of sa messages is determined, correct configuration can prevent the flooding of sa messages. Msdp configuration example anycast rp configuration network...

  • Page 409

    16 configuration procedure 1) configure the interface ip addresses and unicast routing protocol for each switch configure the ip address and subnet mask for each interface as per figure 5-5 . Detailed configuration steps are omitted here. Configure ospf for interconnection between the switches. Ensu...

  • Page 410

    17 [switchb-msdp] peer 2.2.2.2 connect-interface loopback 0 [switchb-msdp] quit # configure an msdp peer on loopback 0 of switch d. [switchd] msdp [switchd-msdp] originating-rp loopback 0 [switchd-msdp] peer 1.1.1.1 connect-interface loopback 0 [switchd-msdp] quit 5) verify the configuration you can...

  • Page 411

    18 pim-sm routing table total 0 (s,g) entry, 0 (*,g) entry, 0 (*,*,rp) entry matched 0 (s,g) entry, 0 (*,g) entry, 0 (*,*,rp) entry troubleshooting msdp configuration msdp peer always in the down state symptom an msdp peer is configured, but it is always in the down state. Analysis an msdp peer rela...

  • Page 412: Igmp Snooping Configuration

    1 6 igmp snooping configuration when configuring igmp snooping, go to these sections for information you are interested in: z igmp snooping overview z configuring igmp snooping z displaying and maintaining igmp snooping z igmp snooping configuration examples z troubleshooting igmp snooping in this m...

  • Page 413

    2 figure 6-1 before and after igmp snooping is enabled on layer 2 device multicast packet transmission without igmp snooping source multicast router host a receiver host b host c receiver multicast packets layer 2 switch multicast packet transmission when igmp snooping runs source multicast router h...

  • Page 414

    3 member ports. The switch records all member ports on the local device in the igmp snooping forwarding table. Port aging timers in igmp snooping and related messages and actions table 6-1 port aging timers in igmp snooping and related messages and actions timer description message before expiry act...

  • Page 415

    4 a switch will not forward an igmp report through a non-router port for the following reason: due to the igmp report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevent...

  • Page 416

    5 configuring igmp snooping complete the following tasks to configure igmp snooping: task remarks enabling igmp snooping required configuring the version of igmp snooping optional configuring timers optional configuring fast leave processing optional configuring a multicast group filter optional con...

  • Page 417

    6 z although both layer 2 and layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a vlan or its corresponding vlan interface. Z before enabling igmp snooping in a vlan, be sure to enable igmp snooping globally in system view; otherwise the igmp sn...

  • Page 418

    7 configuring timers this section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer. Follow these steps to configure timers: to do... Use the command... Remarks enter system view system-view — configure the agin...

  • Page 419

    8 to do... Use the command... Remarks enable fast leave processing for specific vlans igmp-snooping fast-leave [ vlan vlan-list ] required by default, the fast leave processing feature is disabled. Z the fast leave processing function works for a port only if the host attached to the port runs igmpv...

  • Page 420

    9 to do... Use the command... Remarks enter ethernet port view interface interface-type interface-number — configure a multicast group filter igmp-snooping group-policy acl-number [ vlan vlan-list ] optional no group filter is configured by default, namely hosts can join any multicast group. Z a port...

  • Page 421

    10 z to prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. Z when the number of multicast groups exceeds the configured limit, the switch removes i...

  • Page 422

    11 to do... Use the command... Remarks enable igmp snooping querier igmp-snooping querier required by default, igmp snooping querier is disabled. Configuring igmp query interval follow these steps to configure igmp query interval: to do... Use the command... Remarks enter system view system-view — e...

  • Page 423

    12 z if the function of dropping unknown multicast packets or the xrn fabric function is enabled, you cannot enable unknown multicast flooding suppression. Z unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time. If both are enabled, only mu...

  • Page 424

    13 configuring a static router port in a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives igmp messages from that router. In ethernet port view follow these ...

  • Page 425

    14 z this feature is recommended in mff networks only. Z for details about mff, refer to arp operation. Configuring a port as a simulated group member simulated joining in igmp snooping is implemented in the same way as in igmp except that igmp snooping establishes and maintains igmp snooping entrie...

  • Page 426

    15 configuring a vlan tag for query messages by configuring the vlan tag carried in igmp general and group-specific queries forwarded and sent by igmp snooping switches, you can enable multicast packet forwarding between different vlans in a layer-2 multicast network environment. Follow these steps ...

  • Page 428

    17 z one port can belong to only one multicast vlan. Z the port connected to a user terminal must be a hybrid port. Z the multicast member ports must be in the same vlan with the router port. Otherwise, the multicast member port cannot receive multicast packets. Z if a router port is in a multicast ...

  • Page 429

    18 network diagram figure 6-3 network diagram for igmp snooping configuration (figure labels: multicast packets, source, router a, switch a, igmp querier, receivers host a, host b, host c; addresses 1.1.1.1/24, 10.1.1.1/24, 1.1.1.2/24; ports eth1/0/1 to eth1/0/4; vlan100) configuration procedure 1) conf...

  • Page 430

    19 display igmp-snooping group vlan100 total 1 ip group(s). Total 1 mac group(s). Vlan(id):100. Total 1 ip group(s). Total 1 mac group(s). Static router port(s): dynamic router port(s): ethernet1/0/1 ip group(s):the following ip group(s) match to one mac group. Ip group address: 224.1.1.1 static hos...

  • Page 431

    20 device device description networking description host a user 1 host a is connected to ethernet 1/0/1 on switch b. Host b user 2 host b is connected to ethernet 1/0/2 on switch b. In this configuration example, you need to configure the ports that connect switch a and switch b to each other as hyb...

  • Page 432

    21 [switcha-ethernet1/0/10] port hybrid vlan 10 tagged [switcha-ethernet1/0/10] quit # configure the interface ip address of vlan 10 as 168.10.2.1, and enable pim-dm and igmp. [switcha] interface vlan-interface 10 [switcha-vlan-interface10] ip address 168.10.2.1 255.255.255.0 [switcha-vlan-interface...

  • Page 433

    22 1) igmp snooping is not enabled. Z use the display current-configuration command to check the status of igmp snooping. Z if igmp snooping is disabled, check whether it is disabled globally or in the specific vlan. If it is disabled globally, use the igmp-snooping enable command in both system vie...

  • Page 434: Table of Contents

    I table of contents: 1 802.1x configuration, 1-1; introduction to 802.1x ...

  • Page 435

    Ii layer 3 error control, 4-1; configuring system guard, 4-1; config...

  • Page 436: 802.1X Configuration

    1-1 1 802.1x configuration when configuring 802.1x, go to these sections for information you are interested in: z introduction to 802.1x z introduction to 802.1x configuration z basic 802.1x configuration z advanced 802.1x configuration z displaying and maintaining 802.1x configuration z configurati...

  • Page 437

    1-2 figure 1-1 architecture of 802.1x authentication z the supplicant system is the entity seeking access to the lan. It resides at one end of a lan segment and is authenticated by the authenticator system at the other end of the lan segment. The supplicant system is usually a user terminal device. ...

  • Page 438

    1-3 z the controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. Z controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both th...

  • Page 439

    1-4 figure 1-3 the format of an eapol packet in an eapol packet: z the pae ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888e. Z the protocol version field holds the version of the protocol supported by the sender of the eapol packet. Z the type field can be one o...

  • Page 440

    1-5 z the length field indicates the size of an eap packet, which includes the code, identifier, length, and data fields. Z the data field carries the eap packet, whose format differs with the code field. A success or failure packet does not contain the data field, so the length field of it is 4. Fi...

  • Page 441

    1-6 eap relay mode this mode is defined in 802.1x. In this mode, eap packets are encapsulated in higher level protocol (such as eapor) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the radius server support the two newly-added fields: the e...

  • Page 442

    1-7 figure 1-8 802.1x authentication procedure (in eap relay mode) (figure labels: supplicant system pae, radius server; eapol and eapor exchange: eapol-start, eap-request/identity, eap-response/identity, eap-request/md5 challenge, eap-success, eap-response/md5 challenge, radius access-request (eap-response/identity) ra...

  • Page 443

    1-8 feeds back (through a radius access-accept packet and an eap-success packet) to the switch to indicate that the supplicant system is authenticated. Z the switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. Z the supplicant sys...

  • Page 444

    1-9 figure 1-9 802.1x authentication procedure (in eap terminating mode) supplicant system pae authenticator system pae radius server eapol radius eapol- start eap- request /identity eap- response/identity eap- request/ md5 challenge eap- success eap- response/md5 challenge radius access-request ( c...

  • Page 445

    1-10 z re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. Z radius server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the radius server, th...

  • Page 446

    1-11 z sends trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a cams server. Z the 802.1x client needs to be capable of detecting multiple network adapters, proxies, and ie proxies. Z the cams server is configured to disable the use o...

  • Page 447

    1-12 z users belonging to the guest vlan can access the resources of the guest vlan without being authenticated. But they need to be authenticated when accessing external resources. Normally, the guest vlan function is coupled with the dynamic vlan delivery function. Refer to aaa operation for detai...

  • Page 448

    1-13 note: 802.1x re-authentication will fail if a cams server is used and configured to perform authentication but not accounting. This is because a cams server establishes a user session after it begins to perform accounting. Therefore, to enable 802.1x re-authentication, do not configure the acco...

  • Page 449

    1-14 configuring basic 802.1x functions follow these steps to configure basic 802.1x functions: to do… use the command… remarks enter system view system-view — enable 802.1x globally dot1x required by default, 802.1x is disabled globally. In system view dot1x interface interface-list interface inter...

  • Page 450

    1-15 caution: z 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. Z the settings of 802.1x and mac address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on mac address learning on the port ...

  • Page 453

    1-18 enabling dhcp-triggered authentication after performing the following configuration, 802.1x allows running dhcp on access users, and users are authenticated when they apply for dynamic ip addresses through dhcp. Follow these steps to enable dhcp-triggered authentication: to do... Use the comman...

  • Page 454

    1-19 to do... Use the command... Remarks enter system view system-view — in system view dot1x re-authenticate [ interface interface-list] enable 802.1x re-authentication on port(s) in port view dot1x re-authenticate required by default, 802.1x re-authentication is disabled on a port. Note: z to enab...

  • Page 456

    1-21 network diagram figure 1-12 network diagram for aaa configuration with 802.1x and radius enabled configuration procedure note: following configuration covers the major aaa/radius configuration commands. Refer to aaa operation for the information about these commands. Configuration on the client...

  • Page 457

    1-22 [sysname-radius-radius1] key accounting money # set the interval and the number of the retries for the switch to send packets to the radius servers. [sysname-radius-radius1] timer 5 [sysname-radius-radius1] retry 5 # set the timer for the switch to send real-time accounting packets to the radiu...

  • Page 458

    2-1 2 quick ead deployment configuration when configuring quick ead deployment, go to these sections for information you are interested in: z introduction to quick ead deployment z configuring quick ead deployment z displaying and maintaining quick ead deployment z quick ead deployment configuration...

  • Page 459

    2-2 configuring quick ead deployment configuration prerequisites z enable 802.1x on the switch. Z set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration procedure configuring a free ip range a free ip range is an ip range that users can a...

  • Page 460

    2-3 large number of users log in but cannot pass authentication, the switch may run out of acl resources, preventing other users from logging in. A timer called acl timer is designed to solve this problem. You can control the usage of acl resources by setting the acl timer. The acl timer starts once...

  • Page 461

    2-4 configuration procedure note: before enabling quick ead deployment, make sure that: z the web server is configured properly. Z the default gateway of the pc is configured as the ip address of the layer-3 virtual interface of the vlan to which the port that is directly connected with the pc ...

  • Page 462: Habp Configuration

    3-1 3 habp configuration when configuring habp, go to these sections for information you are interested in: z introduction to habp z habp server configuration z habp client configuration z displaying and maintaining habp configuration introduction to habp when a switch is configured with the 802.1x ...

  • Page 463

    3-2 configure the current switch to be an habp server habp server vlan vlan-id required by default, a switch operates as an habp client after you enable habp on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an habp server. Configure the inte...

  • Page 464: System Guard Configuration

    4-1 4 system guard configuration when configuring system guard, go to these sections for information you are interested in: z system guard overview z configuring system guard z displaying and maintaining system guard configuration system guard overview guard against ip attacks system-guard operates ...

  • Page 465

    4-2 set the maximum number of infected hosts that can be concurrently monitored system-guard ip detect-maxnum number optional 30 by default set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and the address isola...

  • Page 466

    4-3 enabling layer 3 error control follow these steps to enable layer 3 error control: to do... Use the command... Remarks enter system view system-view — enable layer 3 error control system-guard l3err enable required enabled by default displaying and maintaining system guard configuration to do......

  • Page 467: Table of Contents

    I table of contents: 1 aaa overview, 1-1; introduction to aaa ...

  • Page 468

    Ii local authentication of ftp/telnet users, 2-28; hwtacacs authentication and authorization of telnet users, 2-29; troubleshooting aaa ...

  • Page 469: Aaa Overview

    1-1 1 aaa overview introduction to aaa aaa is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management. Z authentication: defines what users can acce...

  • Page 470

    1-2 z none accounting: no accounting is performed for users. Z remote accounting: user accounting is performed on a remote radius or tacacs server. Introduction to isp domain an internet service provider (isp) domain is a group of users who belong to the same isp. For a username in the format of use...

  • Page 471

    1-3 figure 1-1 databases in a radius server in addition, a radius server can act as a client of some other aaa server to provide authentication or accounting proxy service. Basic message exchange procedure in radius the messages exchanged between a radius client (a switch, for example) and a radius ...

  • Page 472

    1-4 4) the radius client accepts or denies the user depending on the received authentication result. If it accepts the user, the radius client sends a start-accounting request (accounting-request, with the status-type attribute value = start) to the radius server. 5) the radius server returns a star...

  • Page 473

    1-5 4 accounting-request direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the acct-status-type attribute in the message). This message carries almost the same at...

  • Page 474

    1-6 (radius attribute table, two columns read side by side) 11 filter-id, 12 framed-mtu, 13 framed-compression, 14 login-ip-host, 15 login-service, 16 login-tcp-port, 17 (unassigned), 18 reply-message; 33 proxy-state, 34 login-lat-service, 35 login-lat-node, 36 login-lat-group, 37 framed-appletalk-link, 38 framed-appletalk-network, 39 framed-appletalk-zone, 40-59 (rese...

  • Page 475

    1-7 table 1-3 differences between hwtacacs and radius: hwtacacs adopts tcp, providing more reliable network transmission, while radius adopts udp; hwtacacs encrypts the entire message except the hwtacacs header, while radius encrypts only the password field in authentication message; hwtacacs separates authentication from authorization....

  • Page 476

    1-8 figure 1-6 aaa implementation procedure for a telnet user the basic message exchange procedure is as follows: 1) a user sends a login request to the switch acting as a tacacs client, which then sends an authentication start request to the tacacs server. 2) the tacacs server returns an authentica...

  • Page 477

    1-9 9) after receiving the response indicating an authorization success, the tacacs client pushes the configuration interface of the switch to the user. 10) the tacacs client sends an accounting start request to the tacacs server. 11) the tacacs server returns an accounting response, indicating that...

  • Page 478: Aaa Configuration

    2-1 2 aaa configuration aaa configuration task list you need to configure aaa to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure aaa (configuring a combined aaa sch...

  • Page 479

    2-2 task remarks creating an isp domain and configuring its attributes required configuring separate aaa schemes required configuring an aaa scheme for an isp domain required with separate aaa schemes, you can specify authentication, authorization and accounting schemes respectively. You need to con...

  • Page 483

    2-6 accounting. In this case, if the combined scheme uses radius or hwtacacs, the system never uses the secondary scheme for authorization and accounting. Z if you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system...

  • Page 484

    2-7 z in string mode, if the vlan id assigned by the radius server is a character string containing only digits (for example, 1024), the switch first regards it as an integer vlan id: the switch transforms the string to an integer value and judges if the value is in the valid vlan id range; if it is...

  • Page 486

    2-9 z the following characters are not allowed in the user-name string: /:*?. And you cannot input more than one “@” in the string. Z after the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user p...

  • Page 487

    2-10 task remarks creating a radius scheme required configuring radius authentication/authorization servers required configuring radius accounting servers required configuring shared keys for radius messages optional configuring the maximum number of radius request transmission attempts optional con...

  • Page 488

    2-11 creating a new radius scheme, you should configure the ip address and udp port number of each radius server you want to use in this scheme. These radius servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a rad...

  • Page 489

    2-12 create a radius scheme and enter its view radius scheme radius-scheme-name required by default, a radius scheme named "system" has already been created in the system. Set the ip address and port number of the primary radius authentication/authorization server primary authentication ip-address [...

  • Page 490

    2-13 enable stop-accounting request buffering stop-accounting-buffer enable optional by default, stop-accounting request buffering is enabled. Set the maximum number of transmission attempts of a buffered stop-accounting request. Retry stop-accounting retry-times optional by default, the system trie...

  • Page 491

    2-14 set a shared key for radius authentication/authorization messages key authentication string required by default, no shared key is created. Set a shared key for radius accounting messages key accounting string required by default, no shared key is created. The authentication/authorization shared...

  • Page 492

    2-15 z if you change the radius server type, the units of data flows sent to radius servers will be restored to the defaults. Z when the third party radius server is used, you can select standard or extended as the server-type in a radius scheme; when the cams server is used, you can select extended...

  • Page 493

    2-16 to do… use the command… remarks enter system view system-view — create a radius scheme and enter its view radius scheme radius-scheme-name required by default, a radius scheme named "system" has already been created in the system. Set the format of the usernames to be sent to radius server user...

  • Page 494

    2-17 z generally, the access users are named in the userid@isp-name or userid.Isp-name format. Here, isp-name after the “@” or “.” character represents the isp domain name, by which the device determines which isp domain a user belongs to. However, some old radius servers cannot accept the usernames...

  • Page 495

    2-18 z if you adopt the local radius server function, the udp port number of the authentication/authorization server must be 1645, the udp port number of the accounting server must be 1646, and the ip addresses of the servers must be set to the addresses of this switch. Z the message encryption key ...

  • Page 496

    2-19 set the response timeout time of radius servers timer response-timeout seconds optional by default, the response timeout time of radius servers is three seconds. Set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server t...

  • Page 497

    2-20 user cannot get authenticated. In this case, the user can access the network again only when the cams administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem. After this function is enabled, every time the ...

  • Page 498

    2-21 hwtacacs configuration task list complete the following tasks to configure hwtacacs: task remarks creating a hwtacacs scheme required configuring tacacs authentication servers required configuring tacacs authorization servers required configuring tacacs accounting servers optional configuring s...

  • Page 499

    2-22 set the ip address and port number of the primary tacacs authentication server primary authentication ip-address [ port ] required by default, the ip address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the ip address and port number of the secondary tacacs aut...

  • Page 500

    2-23 configuring tacacs accounting servers follow these steps to configure tacacs accounting servers: to do… use the command… remarks enter system view system-view — create a hwtacacs scheme and enter its view hwtacacs scheme hwtacacs-scheme-name required by default, no hwtacacs scheme exists. Set t...

  • Page 502

    2-25 to do… use the command… remarks enter system view system-view — create a hwtacacs scheme and enter its view hwtacacs scheme hwtacacs-scheme-name required by default, no hwtacacs scheme exists. Set the response timeout time of tacacs servers timer response-timeout seconds optional by default, th...

  • Page 503

    2-26 displaying and maintaining radius protocol configuration to do… use the command… remarks display radius message statistics about local radius server display local-server statistics display configuration information about one specific or all radius schemes display radius scheme [ radius-scheme-n...

  • Page 504

    2-27 network requirements in the network environment shown in figure 2-1, you are required to configure the switch so that the telnet users logging into the switch are authenticated by the radius server. Z a radius authentication server with ip address 10.110.91.164 is connected to the switch. Z on...

  • Page 505

    2-28 [sysname-radius-cams] server-type extended [sysname-radius-cams] user-name-format with-domain [sysname-radius-cams] quit # associate the isp domain with the radius scheme. [sysname] domain cams [sysname-isp-cams] scheme radius-scheme cams a telnet user logging into the switch by a name in the f...

  • Page 506

    2-29 # configure an authentication scheme for the default “system” domain. [sysname] domain system [sysname-isp-system] scheme local a telnet user logging into the switch with the name telnet@system belongs to the "system" domain and will be authenticated according to the configuration of the "syste...

  • Page 507

    2-30 [sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49 [sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49 [sysname-hwtacacs-hwtac] key authentication aabbcc [sysname-hwtacacs-hwtac] key authorization aabbcc [sysname-hwtacacs-hwtac] user-name-format without-domain [sysname...

  • Page 508

    2-31 troubleshooting hwtacacs configuration see the previous section if you encounter an hwtacacs fault.

  • Page 509: Ead Configuration

    3-1 3 ead configuration introduction to ead endpoint admission defense (ead) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting t...

  • Page 510

    3-2 z configuring the ip address of the security policy server. Z associating the isp domain with the radius scheme. Ead is commonly used in radius authentication environment. This section mainly describes the configuration of security policy server ip address. For other related configuration, refer...

  • Page 511

    3-3 network diagram figure 3-2 ead configuration eth1/0/1 internet user security policy servers 10.110.91.166/16 virus patch servers 10.110.91.168/16 authentication servers 10.110.91.164/16 configuration procedure # configure 802.1x on the switch. Refer to “configuring 802.1x” in 802.1x and system g...

  • Page 512: Table of Contents

    I table of contents: 1 mac address authentication configuration, 1-1; mac address authentication overview, 1-1; perfo...

  • Page 513

    1-1 1 mac address authentication configuration when configuring mac address authentication, go to these sections for information you are interested in: z mac address authentication overview z related concepts z configuring basic mac address authentication functions z mac address authentication enhanced...

  • Page 514

    1-2 format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. Z in fixed mode, all users’ mac addresses are automatically mapped to the configured local passwords and usernames. Z the service type of a local user need...

  • Page 516

    1-4 task remarks configuring a guest vlan optional configuring the maximum number of mac address authentication users allowed to access a port optional configuring a guest vlan different from guest vlans described in the 802.1x and system-guard manual, guest vlans mentioned in this section refer to ...

  • Page 517

    1-5 after a port is added to a guest vlan, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast mac address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the guest vlan, and thus the user can...

  • Page 518

    1-6 z if more than one client is connected to a port, you cannot configure a guest vlan for this port. Z when a guest vlan is configured for a port, only one mac address authentication user can access the port. Even if you set the limit on the number of mac address authentication users to more than...

  • Page 519

    1-7 z if both the limit on the number of mac address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of mac address authentication users allow...

  • Page 520

    1-8 # set the user name in mac address mode for mac address authentication, requiring hyphened lowercase mac addresses as the usernames and passwords. [sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # add a local user. Z specify the user name and passw...

  • Page 521: Table of Contents

    I table of contents: 1 web authentication configuration, 1-1; introduction to web authentication ...

  • Page 522

    1-1 1 web authentication configuration when configuring web authentication, go to these sections for information you are interested in: z introduction to web authentication z web authentication configuration z displaying and maintaining web authentication z web authentication configuration example i...

  • Page 524

    1-3 z before enabling global web authentication, you should first set the ip address of a web authentication server. Z web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, mac authentication, port security, port aggregation and xrn. Z you can ma...

  • Page 525

    1-4 network diagram figure 1-1 web authentication for user configuration procedure # perform dhcp-related configuration on the dhcp server. (it is assumed that the user will automatically obtain an ip address through the dhcp server.) # set the ip address and port number of the web authentication se...

  • Page 526

    1-5 # create isp domain aabbcc.Net for web authentication users and enter the domain view. [sysname] domain aabbcc.Net # configure domain aabbcc.Net as the default user domain. [sysname] domain default enable aabbcc.Net # reference scheme radius1 in domain aabbcc.Net. [sysname-isp-aabbcc.Net] scheme...

  • Page 527: Table of Contents

    I table of contents: 1 vrrp configuration, 1-1; vrrp overview ...

  • Page 528: Vrrp Configuration

    1-1 1 vrrp configuration when configuring vrrp, go to these sections for information you are interested in: z vrrp overview z vrrp configuration z displaying and maintaining vrrp z vrrp configuration examples z troubleshooting vrrp vrrp overview as shown in figure 1-1, the following occasions may o...

  • Page 529

    1-2 introduction to vrrp group vrrp allows you to combine a group of lan switches (including a master and several backups) into a vrrp group. The vrrp group functions as a virtual router, forwarding packets as a gateway. Figure 1-2 vrrp network diagram host 1 ethernet master network host 2 host 3 ba...

  • Page 530

    1-3 preemptive mode and preemption delay of a switch in a vrrp group you can configure a 5500-ei ethernet switch to operate in preemptive mode. Z in non-preemptive mode, as long as a switch in a vrrp group becomes the master, it stays as the master as long as it operates normally, even if a backup i...

  • Page 531

    1-4 z the virtual router ip address and the ip addresses used by the member switches in the vrrp group must belong to the same network segment. If not, the vrrp group will be in the initial state (the state before you configure the vrrp on the switches of the group). In this case, vrrp does not take...

  • Page 532

    1-5 z you need to configure the mapping between the ip addresses of the vrrp group and the mac address before enabling vrrp feature on a 5500-ei ethernet switch. If vrrp is already enabled, the system does not support this configuration. Z the number of virtual router ip addresses that can be mapped...

  • Page 533

    1-6 interface tracking function of the vrrp group when the vlan interface of the master goes down, if you want the specified backup to become the master, you can use the interface tracking function. With this function enabled for the vrrp group: z if the tracked vlan interface of the master goes dow...

  • Page 534

    1-7 vrrp configuration configuring basic vrrp functions follow these steps to configure the basic vrrp functions: to do… use the command… remarks enter system view system-view — configure response of the virtual router to the ping operations vrrp ping-enable optional by default, the virtual ip addre...

  • Page 535

    1-8 task remarks configuring vrrp tracking optional configuring the preemptive mode and preemption delay for a switch to do… use the command… remarks enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure a virtual router ip address vrrp vrid virtual-r...

  • Page 536

    1-9 configuring vrrp tracking follow these steps to configure vrrp tracking: to do… use the command… remarks enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure a virtual router ip address vrrp vrid virtual-router-id virtual-ip virtual-address requi...

  • Page 537

    1-10 vrrp configuration examples single-vrrp group configuration network requirements host a uses the vrrp virtual router comprising switch a and switch b as its default gateway to visit host b on the internet. The information about the vrrp group is as follows: z vrrp group id: 1 z virtual router i...

  • Page 538

    1-11 system-view [lsw-a] vlan 3 [lsw-a-vlan3] port ethernet1/0/10 [lsw-a-vlan3] quit [lsw-a] interface vlan-interface 3 [lsw-a-vlan-interface3] ip address 10.100.10.2 255.255.255.0 [lsw-a-vlan-interface3] quit # configure vlan 2. [lsw-a] vlan 2 [lsw-a-vlan2] port ethernet 1/0/6 [lsw-a-vlan2] quit [l...

  • Page 539

    1-12 [lsw-b-vlan-interface2] ip address 202.38.160.2 255.255.255.0 [lsw-b-vlan-interface2] quit # enable a vrrp group to respond to ping operations destined for its virtual router ip address. [lsw-b] vrrp ping-enable # create a vrrp group. [lsw-b] interface vlan 2 [lsw-b-vlan-interface2] vrrp vrid 1...

  • Page 540

    1-13 configuration procedure z configure switch a. # configure vlan 3. system-view [lsw-a] vlan 3 [lsw-a-vlan3] port ethernet1/0/10 [lsw-a-vlan3] quit [lsw-a] interface vlan-interface 3 [lsw-a-vlan-interface3] ip address 10.100.10.2 255.255.255.0 [lsw-a-vlan-interface3] quit # configure vlan 2. [lsw...

  • Page 541

    1-14 [lsw-b-vlan2] quit [lsw-b] interface vlan-interface 2 [lsw-b-vlan-interface2] ip address 202.38.160.2 255.255.255.0 [lsw-b-vlan-interface2] quit # configure that the virtual router can be pinged through. [lsw-b] vrrp ping-enable # create a vrrp group. [lsw-b] interface vlan-interface 2 [lsw-b-v...

  • Page 542

    1-15 network diagram figure 1-5 network diagram for multiple-vrrp group configuration switch a host c host b switch b vlan-int3 10.100.10.2/24 vlan-int2 202.38.160.1/24 vlan-int2 202.38.160.2/24 202.38.160.3/24 10.2.3.1/24 host a 202.38.160.4/24 internet vrrp group 1 virtual ip address 202.38.160.11...

  • Page 543

    1-16 z configure switch b. # configure vlan 3. system-view [lsw-b] vlan 3 [lsw-b-vlan3] port ethernet1/0/10 [lsw-b-vlan3] quit [lsw-b] interface vlan-interface 3 [lsw-b-vlan-interface3] ip address 10.100.10.3 255.255.255.0 [lsw-b-vlan-interface3] quit # configure vlan 2. [lsw-b] vlan 2 [lsw-b-vlan2]...

  • Page 544

    1-17 network diagram figure 1-6 network diagram for vrrp port tracking configuration vlan-int3 10.100.10.2/24 master network layer 2 switch backup actual ip address virtual ip address 202.38.160.111/24 virtual ip address 202.38.160.111/24 vlan-int2 202.38.160.1/24 actual ip address vlan-int2 202.3...

  • Page 545

    1-18 [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] vrrp vlan-interface 2 vrid 1 track reduced 50 troubleshooting vrrp you can locate vrrp problems through the configuration and debugging information. Here are some possible symptoms you might meet and the corresponding troubleshooting met...

  • Page 546: Table of Contents

    i table of contents: 1 arp configuration 1-1; introduction to arp ...

  • Page 547

    ii resilient arp configuration example 4-2.

  • Page 548: Arp Configuration

    1-1 1 arp configuration when configuring arp, go to these sections for information you are interested in: z introduction to arp z configuring arp z configuring gratuitous arp z displaying and debugging arp z arp configuration examples z support for arp attack defense is added. For details, refer to ...

  • Page 549

    1-2 figure 1-1 arp message format hardware type (16 bits) protocol type (16 bits) length of hardware address length of protocol address operator (16 bits) hardware address of the sender ip address of the sender hardware address of the receiver ip address of the receiver hardware type (16 bits) hardw...

  • Page 550

    1-3 value description 5 chaos 6 ieee802.x 7 arc network arp table in an ethernet, the mac addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an ethernet maintains an arp table, where the latest used ip address-to-mac address mapping entries are st...

  • Page 551

    1-4 mode, all hosts on this subnet can receive the request, but only the requested host (namely, host b) will process the request. 3) host b compares its own ip address with the destination ip address in the arp request. If they are the same, host b saves the source ip address and source mac address...

  • Page 552

    1-5 configuring arp follow these steps to configure arp basic functions: to do… use the command… remarks enter system view system-view — add a static arp entry arp static ip-address mac-address [ vlan-id interface-type interface-number ] optional by default, the arp mapping table is empty, and entri...

  • Page 553

    1-6 z the sending of gratuitous arp packets is enabled as long as an s5500-ei switch operates. No command is needed for enabling this function. That is, the device sends gratuitous arp packets whenever a vlan interface is enabled (such as when a link is enabled or an ip address is configured for the...

  • Page 554

    1-7 [sysname-vlan-interface1] quit [sysname] arp timer aging 10 [sysname] arp static 192.168.1.1 000f-e201-0000 1 ethernet 1/0/10

  • Page 555

    2-1 2 arp attack defense configuration arp attack defense configuration although arp is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, arp attacks and viruses are threatening lan security. The device can provide multiple features to detect and p...

  • Page 556

    2-2 figure 2-1 network diagram for arp man-in-the-middle attack arp attack detection to guard against the man-in-the-middle attacks launched by hackers or attackers, s5500-ei series ethernet switches support the arp attack detection function. After you enable arp attack detection for a vlan, z when ...

  • Page 557

    2-3 z for details about dhcp snooping and ip static binding, refer to dhcp operation. Z for details about 802.1x authentication, refer to 802.1x and system guard operation. Arp restricted forwarding with the arp restricted forwarding function enabled, arp request packets are forwarded through truste...

  • Page 558

    2-4 figure 2-2 gateway spoofing attack to prevent gateway spoofing attacks, an s5500-ei series ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter arp packets based on the gateway’s address. Z t...

  • Page 559

    2-5 task remarks configuring the maximum number of dynamic arp entries that a vlan interface can learn optional the switch serves as a gateway. Configuring arp source mac address consistency check optional the switch serves as a gateway or an access device. Arp packet filtering based on gateway’s ad...

  • Page 560

    2-6 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — configure arp packet filtering based on the gateway’s ip address arp filtersource ip-address required not configured by default. Follow these steps to configure arp packet filtering based on gate...

  • Page 561

    2-7 to do… use the command… remarks specify the current port as a trusted port dhcp-snooping trust optional after dhcp snooping is enabled, you need to configure the upstream port connected to the dhcp server as a trusted port. Configure the port as an arp trusted port arp detection trust optional b...

  • Page 562

    2-8 to do… use the command… remarks enable the arp packet rate limit function arp rate-limit enable required by default, the arp packet rate limit function is disabled on a port. Configure the maximum arp packet rate allowed on the port arp rate-limit rate optional by default, the maximum arp packet...

  • Page 563

    2-9 network diagram figure 2-3 arp attack detection and packet rate limit configuration configuration procedure # enable dhcp snooping on switch a. system-view [switcha] dhcp-snooping # specify ethernet 1/0/1 as the dhcp snooping trusted port and the arp trusted port. [switcha] interface ethernet 1/...

  • Page 564

    2-10 arp attack defense configuration example ii network requirements host a and host b are connected to gateway through an access switch (switch). The ip and mac addresses of gateway are 192.168.100.1/24 and 000d-88f8-528c. To prevent gateway spoofing attacks from host a and host b, configure arp p...

  • Page 565

    2-11 arp attack defense configuration example iii network requirements host a and host b are connected to gateway (switch a) through a layer 2 switch (switch b). To prevent arp attacks such as arp flooding: z enable arp packet source mac address consistency check on switch a to block arp packets wit...

  • Page 566

    2-12 z enable arp attack detection based on bindings of authenticated 802.1x clients on the switch to prevent arp attacks. Network diagram figure 2-6 network diagram for 802.1x based arp attack defense configuration procedures # enter system view. system-view # enable 802.1x authentication globally....

  • Page 567: Proxy Arp Configuration

    3-1 3 proxy arp configuration when configuring proxy arp, go to these sections for information you are interested in: z proxy arp overview z configuring proxy arp z proxy arp configuration examples proxy arp overview introduction to proxy arp if a host sends an arp request for the mac address of ano...

  • Page 568

    3-2 host a and host d are on different sub networks. When host a (192.168.0.22/16) needs to send packets to host d (192.168.1.30/16), because the mask of the two hosts are both 16 bits, host a regards host d to be on its directly connected sub network, and thus host a will broadcast an arp request t...

  • Page 569

    3-3 to do… use the command… remarks enter vlan interface view interface vlan-interface vlan-id — enable common proxy arp arp proxy enable required disabled by default. Enable local proxy arp local-proxy-arp enable required disabled by default. Display common and local proxy arp configuration display...

  • Page 570

    3-4 [switch-vlan-interface3] quit # configure the ip address of vlan-interface 4 to be 192.168.1.27/24. [switch] interface vlan-interface 4 [switch-vlan-interface4] ip address 192.168.1.27 24 [switch-vlan-interface4] quit # enter vlan-interface 3 view, and enable common proxy arp on it. [switch] int...

  • Page 571

    3-5 [switchb-ethernet1/0/3] quit 2) configure switch a # configure local proxy arp on vlan-interface 1, enabling host a and host b to communicate at layer 3. system-view [switcha] interface vlan-interface 1 [switcha-vlan-interface1] local-proxy-arp enable [switcha-vlan-interface1] quit.

  • Page 572: Resilient Arp Configuration

    4-1 4 resilient arp configuration when configuring resilient arp, go to these sections for information you are interested in: z introduction to resilient arp z configuring resilient arp z resilient arp configuration example introduction to resilient arp in expandable resilient networking (xrn) netwo...

  • Page 573

    4-2 to do… use the command… remarks configure the vlan interface through which resilient packets are sent resilient-arp interface vlan-interface vlan-id optional by default, resilient arp packets are sent through the interface of vlan 1 (vlan-interface 1). Display information about the resilient arp...

  • Page 574: Table of Contents

    i table of contents: 1 dhcp overview 1-1; introduction to dhcp ...

  • Page 575

    ii configuring ip address detecting 2-24; configuring dhcp accounting functions 2-25; introduction to dhcp accou...

  • Page 576

    iii introduction to bootp client 6-1; configuring a dhcp/bootp client 6-2; dhcp client...

  • Page 577: Dhcp Overview

    1-1 1 dhcp overview when configuring dhcp, go to these sections for information you are interested in: z introduction to dhcp z dhcp ip address assignment z dhcp packet format z protocol specification z ip filtering based on authenticated 802.1x clients are added. For details, refer to configuring i...

  • Page 578

    1-2 dhcp ip address assignment ip address assignment policy currently, dhcp provides the following three ip address assignment policies to meet the requirements of different clients: z manual assignment. The administrator configures static ip-to-mac bindings for some special clients, such as a www s...

  • Page 579

    1-3 z after the client receives the dhcp-ack message, it will probe whether the ip address assigned by the server is in use by broadcasting a gratuitous arp packet. If the client receives no response within specified time, the client can use this ip address. Otherwise, the client sends a dhcp-declin...

  • Page 580

    1-4 z htype, hlen: hardware address type and length of the dhcp client. Z hops: number of dhcp relay agents which a dhcp packet passes. For each dhcp relay agent that the dhcp request packet passes, the field value increases by 1. Z xid: random number that the client selects when it initiates a requ...

  • Page 581: Dhcp Server Configuration

    2-1 2 dhcp server configuration when configuring the dhcp server, go to these sections for information you are interested in: z introduction to dhcp server z dhcp server configuration task list z enabling dhcp z configuring the global address pool based dhcp server z configuring the interface addres...

  • Page 582

    2-2 types of address pool the address pools of a dhcp server fall into two types: global address pool and interface address pool. Z a global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. Z if an interface is configured with a ...

  • Page 583

    2-3 3) if there is an address pool where an ip address is statically bound to the mac address or id of the client, the dhcp server will select this address pool and assign the statically bound ip address to the client. 4) otherwise, the dhcp server observes the following principles to select a dynam...

  • Page 584

    2-4 z when you merge two or more xrn systems into one xrn system, a new master unit is elected, and the new xrn system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the dhcp servers) being lost. As the new xrn...

  • Page 585

    2-5 to improve security and avoid malicious attacks to unused sockets, s5500-ei ethernet switches provide the following functions: z udp port 67 and udp port 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp port 67 and udp port 68 ports are disabled when dhcp is disabled. The corre...

  • Page 586

    2-6 to do… use the command… remarks enter system view system-view — interface interface-type interface-number dhcp select global configure the current interface quit configure the specified interface(s) or all the interfaces to operate in global address pool mode configure multiple interfaces simult...

  • Page 587

    2-7 currently, only one ip address in a global dhcp address pool can be statically bound to a mac address or a client id. Follow these steps to configure the static ip address allocation mode: to do… use the command… remarks enter system view system-view — enter dhcp address pool view dhcp server ip...

  • Page 588

    2-8 to improve security and avoid malicious attack to the unused sockets, s5500-ei ethernet switches provide the following functions: z udp 67 and udp 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp 67 and udp 68 ports are disabled when dhcp is disabled. The corresponding implemen...

  • Page 589

    2-9 z in the same dhcp global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. Z the dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple ip addresses that are not dynamically as...

  • Page 590

    2-10 configuring wins servers for the dhcp client for microsoft windows-based dhcp clients that communicate through netbios protocol, the host name-to-ip address translation is carried out by windows internet naming service (wins) servers. So you need to perform wins-related configuration for most w...

  • Page 591

    2-11 configuring gateways for the dhcp client gateways are necessary for dhcp clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a dhcp server, the dhcp server provides the gateway addresses to dhcp clients as well while assigning ip address...

  • Page 592

    2-12 meanings of the sub-options for option 184 table 2-1 meanings of the sub-options for option 184 sub-option feature function note ncp-ip (sub-option 1) the ncp-ip sub-option carries the ip address of the network call processor (ncp). The ip address of the ncp server carried by sub-option 1 of op...

  • Page 593

    2-13 mechanism of using option 184 on dhcp server the dhcp server encapsulates the information for option 184 to carry in the response packets sent to the dhcp clients. Supposing that the dhcp clients are on the same segment as the dhcp server, the mechanism of option 184 on the dhcp server is as fo...

  • Page 594

    2-14 configuring the tftp server and bootfile name for the dhcp client this task is to specify the ip address and name of a tftp server and the bootfile name in the dhcp global address pool. The dhcp clients use these parameters to contact the tftp server, requesting the configuration file used for ...

  • Page 596

    2-16 task remarks enabling the interface address pool mode on interface(s) required configuring the static ip address allocation mode configuring an address allocation mode for an interface address pool configuring the dynamic ip address allocation mode one of the two options is required. And these ...

  • Page 597

    2-17 to improve security and avoid malicious attack to the unused sockets, s5500-ei ethernet switches provide the following functions: z udp port 67 and udp port 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp port 67 and udp port 68 ports are disabled when dhcp is disabled. The c...

  • Page 598

    2-18 z the ip addresses statically bound in interface address pools and the interface ip addresses must be in the same network segment. Z there is no limit to the number of ip addresses statically bound in an interface address pool, but the ip addresses statically bound in interface address pools an...

  • Page 599

    2-19 z the dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple ip addresses that are not dynamically assigned to dhcp clients. Z use the dhcp server forbidden-ip command to configure the ip addresses that are not assigned dynamically in global address poo...

  • Page 600

    2-20 to do… use the command… remarks enter system view system-view — interface interface-type interface-number dhcp server dns-list ip-address& configure the current interface quit configure dns server addresses for dhcp clients configure multiple interfaces in system view dhcp server dns-list ip-ad...

  • Page 601

    2-21 follow these steps to configure wins servers for the dhcp client: to do… use the command… remarks enter system view system-view — interface interface-type interface-number dhcp server nbns-list ip-address& configure the current interface quit configure wins server addresses for dhcp clients con...

  • Page 602

    2-22 follow these steps to configure option 184 parameters for the client with voice service: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — specify the primary network calling processor dhcp server voice-config ncp-ip...

  • Page 603

    2-23 follow these steps to configure the tftp server and bootfile name for the dhcp client: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — specify the tftp server dhcp server tftp-server ip-address ip-address specify t...

  • Page 604

    2-24 be cautious when configuring self-defined dhcp options because such configuration may affect the dhcp operation process. Configuring dhcp server security functions dhcp security configuration is needed to ensure the security of dhcp service. Prerequisites before configuring dhcp security, you s...

  • Page 605

    2-25 will assign the ip address to the requesting client (the dhcp client probes the ip address by sending gratuitous arp packets). Follow these steps to configure ip address detecting: to do… use the command… remarks enter system view system-view — specify the number of ping packets dhcp server pin...

  • Page 606

    2-26 dhcp accounting configuration prerequisites before configuring dhcp accounting, make sure that: z the dhcp server is configured and operates properly. Address pools and lease time are configured. Z dhcp clients are configured and dhcp service is enabled. Z the network operates properly. Configu...

  • Page 608

    2-28 z the ip addresses of vlan-interface 1 and vlan-interface 2 on switch a are 10.1.1.1/25 and 10.1.1.129/25 respectively. Z in the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, dns server address 10.1.1.2, gateway 10.1.1.126, and...

  • Page 609

    2-29 system-view [switcha] dhcp enable # configure the ip addresses that are not dynamically assigned (that is, the ip addresses of the dns server, wins server, and gateways). [switcha] dhcp server forbidden-ip 10.1.1.2 [switcha] dhcp server forbidden-ip 10.1.1.4 [switcha] dhcp server forbidden-ip ...

  • Page 610

    2-30 network diagram figure 2-2 network diagram for option 184 support configuration dhcp client dhcp client dhcp client 3com vcx dhcp server ip:10.1.1.1/24 configuration procedure 1) configure the dhcp client. Configure the 3com vcx device to operate as a dhcp client and to request for all sub-opti...

  • Page 611

    2-31 z ethernet 1/0/1 belongs to vlan 2; ethernet 1/0/2 belongs to vlan 3. Z the ip address of vlan-interface 1 is 10.1.1.1/24, and that of vlan-interface 2 is 10.1.2.1/24. Z the ip address of the radius server is 10.1.2.2/24. Z dhcp accounting is enabled on the dhcp server. Z the ip addresses of th...

  • Page 612

    2-32 [sysname-radius-123] primary accounting 10.1.2.2 [sysname] domain 123 [sysname-isp-123] scheme radius-scheme 123 [sysname-isp-123] quit # create an address pool on the dhcp server. [sysname] dhcp server ip-pool test [sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0 # enable dhcp acco...

  • Page 613

    3-1 3 dhcp relay agent configuration when configuring the dhcp relay agent, go to these sections for information you are interested in: z introduction to dhcp relay agent z configuring the dhcp relay agent z displaying and maintaining dhcp relay agent configuration z dhcp relay agent configuration e...

  • Page 614

    3-2 figure 3-1 typical dhcp relay agent application in the process of dynamic ip address assignment through the dhcp relay agent, the dhcp client and dhcp server interoperate with each other in a similar way as they do without the dhcp relay agent. The following sections only describe the forwarding...

  • Page 615

    3-3 figure 3-2 padding contents for sub-option 1 of option 82 figure 3-3 padding contents for sub-option 2 of option 82 mechanism of option 82 supported on dhcp relay agent the procedure for a dhcp client to obtain an ip address from a dhcp server through a dhcp relay agent is similar to that for th...

  • Page 616

    3-4 if a switch belongs to an xrn fabric, you need to enable the udp helper function on it before configuring it as a dhcp relay agent. Dhcp relay agent configuration task list complete the following tasks to configure the dhcp relay agent: task remarks enabling dhcp required correlating a dhcp serv...

  • Page 617

    3-5 to improve security and avoid malicious attack to the unused sockets, s5500-ei ethernet switches provide the following functions: z udp 67 and udp 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp 67 and udp 68 ports are disabled when dhcp is disabled. The corresponding implemen...

  • Page 618

    3-6 to do… use the command… remarks create a static ip-to-mac binding dhcp-security static ip-address mac-address optional not created by default. Enter interface view interface interface-type interface-number — enable the address checking function address-check enable required disabled by default. ...

  • Page 619

    3-7 currently, the dhcp relay agent handshake function on an s5500-ei series switch can only interoperate with a windows 2000 dhcp server. Enabling unauthorized dhcp server detection if there is an unauthorized dhcp server in the network, when a client applies for an ip address, the unauthorized dhc...

  • Page 621

    3-9 network diagram figure 3-4 network diagram for dhcp relay agent switch b dhcp server switch a dhcp relay dhcp client dhcp client dhcp client dhcp client vlan-int2 10.1.1.2/24 vlan-int1 10.10.1.1/24 vlan-int2 10.1.1.1/24 configuration procedure # create dhcp server group 1 and configure an ip add...

  • Page 622

    3-10 z check if an address pool that is on the same network segment with the dhcp clients is configured on the dhcp server. Z check if a reachable route is configured between the dhcp relay agent and the dhcp server. Z check the dhcp relay agent. Check if the correct dhcp server group is configured ...

  • Page 623: Dhcp Snooping Configuration

    4-1 4 dhcp snooping configuration when configuring dhcp snooping, go to these sections for information you are interested in: z dhcp snooping overview z configuring dhcp snooping z displaying and maintaining dhcp snooping configuration z dhcp snooping configuration examples dhcp snooping overview in...

  • Page 624

    4-2 figure 4-1 typical network diagram for dhcp snooping application dhcp snooping listens the following two types of packets to retrieve the ip addresses the dhcp clients obtain from dhcp servers and the mac addresses of the dhcp clients: z dhcp-request packet z dhcp-ack packet introduction to dhcp...

  • Page 625

    4-3 figure 4-3 extended format of the remote id sub-option in practice, some network devices do not support the type and length identifiers of the circuit id and remote id sub-options. To interwork with these devices, s5500-ei series ethernet switches support option 82 in the standard format. Refer ...

  • Page 626

    4-4 when receiving a dhcp client’s request without option 82, the dhcp snooping device will add the option field with the configured sub-option and then forward the packet. For details, see table 4-2 . Table 4-2 ways of handling a dhcp packet without option 82 sub-option configuration the dhcp-snoop...

  • Page 627

    4-5 client cannot be recorded in the dhcp-snooping table. Consequently, this client cannot pass the ip filtering of the dhcp-snooping table, thus it cannot access external networks. To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding rel...

  • Page 628

    4-6 z if an s5500-ei ethernet switch is enabled with dhcp snooping, the clients connected to it cannot dynamically obtain ip addresses through bootp. Z you need to specify the ports connected to the valid dhcp servers as trusted to ensure that dhcp clients can obtain valid ip addresses. The trusted ...

  • Page 629

    4-7 configuring a handling policy for dhcp packets with option 82 follow these steps to configure a handling policy for dhcp packets with option 82: to do… use the command… remarks enter system view system-view — configure a global handling policy for requests that contain option 82 dhcp-snooping in...

  • Page 630

    4-8 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — configure the circuit id sub-option in option 82 dhcp-snooping information [ vlan vlan-id] circuit-id string string optional by default, the circuit id sub-option contains the vlan id and port in...

  • Page 631

    4-9 z if you configure a remote id sub-option in both system view and on a port, the remote id sub-option configured on the port applies when the port receives a packet, and the global remote id applies to other interfaces that have no remote id sub-option configured. Z if you have configured a remo...

  • Page 632

    4-10 z for details about 802.1x authentication, refer to 802.1x and system guard operation. Z you are not recommended to configure ip filtering on the ports of an aggregation group. Z enable dhcp snooping and specify trusted ports on the switch before configuring ip filtering based on the dhcp-snoop...

  • Page 633

    4-11 dhcp snooping configuration examples dhcp-snooping option 82 support configuration example network requirements as shown in figure 4-6 , ethernet 1/0/5 of the switch is connected to the dhcp server, and ethernet 1/0/1, ethernet 1/0/2, and ethernet 1/0/3 are respectively connected to client a, c...

  • Page 634

    4-12 [switch-ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd ip filtering configuration example network requirements as shown in figure 4-7 , ethernet 1/0/1 of the s5500-ei switch is connected to the dhcp server and ethernet 1/0/2 is connected to host a. The ip address and mac...

  • Page 635

    4-13 [switch-ethernet1/0/2] quit [switch] interface ethernet 1/0/3 [switch-ethernet1/0/3] ip check source ip-address mac-address [switch-ethernet1/0/3] quit [switch] interface ethernet 1/0/4 [switch-ethernet1/0/4] ip check source ip-address mac-address [switch-ethernet1/0/4] quit # create static bin...

  • Page 636

    5-1 5 dhcp packet rate limit configuration when configuring the dhcp packet rate limit function, go to these sections for information you are interested in: • introduction to dhcp packet rate limit • configuring dhcp packet rate limit • rate limit configuration example introduction to dhcp packet ra...

  • Page 637

    5-2 to do… use the command… remarks enter port view interface interface-type interface-number — enable the dhcp packet rate limit function dhcp rate-limit enable required by default, dhcp packet rate limit is disabled. Configure the maximum dhcp packet rate allowed on the port dhcp rate-limit rate o...

  • Page 638

    5-3 • Configure dhcp packet rate limit on ethernet 1/0/11 and set the maximum dhcp packet rate allowed on the port to 100 pps. • Set the port state auto-recovery interval to 30 seconds on the switch. Networking diagram figure 5-1 network diagram for dhcp packet rate limit configuration configuration...

  • Page 639

    6-1 6 dhcp/bootp client configuration when configuring the dhcp/bootp client, go to these sections for information you are interested in: • introduction to dhcp client • introduction to bootp client • configuring a dhcp/bootp client • displaying dhcp/bootp client configuration introduction to dhcp c...

  • Page 640

    6-2 configuring a dhcp/bootp client follow these steps to configure a dhcp/bootp client: to do… use the command… remarks enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure the vlan interface to obtain ip address through dhcp or bootp ip address { b...

  • Page 641

    6-3 dhcp client configuration example network requirements using dhcp, vlan-interface 1 of switch b is connected to the lan to obtain an ip address from the dhcp server. Network diagram see figure 2-1 . Configuration procedure the following describes only the configuration on switch b serving as a d...

  • Page 642: Table of Contents

    I table of contents 1 acl configuration ········································································································ 1-1 acl overview ············································································································· 1-1 acl matching order ·····...

  • Page 643: Acl Configuration

    1-1 1 acl configuration when configuring acl, go to these sections for information you are interested in: • acl overview • acl configuration task list • displaying and maintaining acl configuration • examples for upper-layer software referencing acls • examples for applying acls to hardware acl over...

  • Page 644

    1-2 • config: where rules in an acl are matched in the order defined by the user. • auto: where rules in an acl are matched in the order determined by the system, namely the “depth-first” rule (layer 2 acls and user-defined acls do not support this feature). For the depth-first rule, there are two cases...

  • Page 645

    1-3 • filtering the packets to be forwarded. Being referenced by upper-level software: acls can also be used to filter and classify the packets to be processed by software. In this case, the rules in an acl can be matched in one of the following two ways: • config, where rules in an acl are matched in...

  • Page 646

    1-4 task remarks configuring advanced acl required configuring layer 2 acl required configuring user-defined acl required applying acl rules on ports required applying acl rules to ports in a vlan required configuring time range time ranges can be used to filter packets. You can specify a time range...

  • Page 647

    1-5 • If only an absolute time section is defined in a time range, the time range is active only when the system time is within the defined absolute time section. If multiple absolute time sections are defined in a time range, the time range is active only when the system time is within one of the a...

  • Page 649

    1-7 configuring advanced acl an advanced acl can filter packets by their source and destination ip addresses, the protocols carried by ip, and protocol-specific features such as tcp/udp source and destination ports, icmp message type and message code. An advanced acl can be numbered from 3000 to 399...

  • Page 650

    1-8 number of the rule will be the greatest rule number plus one. If the current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. • The content of a modified or created rule cannot be identical with the content of any exi...

  • Page 652

    1-10 a user-defined acl can be numbered from 5000 to 5999. Configuration prerequisites to configure a time range-based user-defined acl rule, you need to define the corresponding time ranges first. For information about time range configuration, refer to configuring time range . Configuration proced...

  • Page 653

    1-11 number is 65534, however, the system will display an error message and you need to specify a number for the rule. • The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts...

  • Page 654

    1-12 [sysname-ethernet1/0/1] packet-filter inbound ip-group 2000 applying acl rules to ports in a vlan by applying acl rules to ports in a vlan, you can add filtering of packets on all the ports in the vlan. Note: the acl rules are only applied to ports that are in the vlan at the time the packet-fi...

  • Page 656

    1-14 network diagram figure 1-2 network diagram for controlling web login users by source ip (figure labels: switch, pc 10.110.100.46, internet) configuration procedure # define acl 2001. System-view [sysname] acl number 2001 [sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [sysname-acl-basic-2001] quit #...

  • Page 657

    1-15 configuration procedure # define a periodic time range that is active from 8:00 to 18:00 every day. System-view [sysname] time-range test 8:00 to 18:00 daily # define acl 2000 to filter packets with the source ip address of 10.1.1.1. [sysname] acl number 2000 [sysname-acl-basic-2000] rule 1 deny...

  • Page 658

    1-16 # apply acl 3000 on ethernet 1/0/1. [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] packet-filter inbound ip-group 3000 layer 2 acl configuration example network requirements pc 1 and pc 2 connect to the switch through ethernet 1/0/1. Pc 1’s mac address is 0011-0011-0011. Apply an acl...

  • Page 659

    1-17 user-defined acl configuration example network requirements as shown in figure 1-6 , pc 1 and pc 2 are connected to the switch through ethernet 1/0/1 and ethernet 1/0/2 respectively. They belong to vlan 1 and access the internet through the same gateway, which has an ip address of 192.168.0.1 (...

  • Page 660

    1-18 example for applying an acl to a vlan network requirements pc 1, pc 2 and pc 3 belong to vlan 10 and connect to the switch through ethernet 1/0/1, ethernet 1/0/2 and ethernet 1/0/3 respectively. The ip address of the database server is 192.168.1.2. Apply an acl to deny packets from pcs in vlan ...

  • Page 661: Table of Contents

    I table of contents 1 qos configuration ········································································································ 1-1 overview ···················································································································· 1-1 introduction to qos ·...

  • Page 662

    Ii 2 qos profile configuration ···························································································· 2-1 overview ···················································································································· 2-1 introduction to qos profile ··············...

  • Page 663: Qos Configuration

    1-1 1 qos configuration when configuring qos, go to these sections for information you are interested in: • overview • qos supported by switch 5500-ei series • qos configuration • displaying and maintaining qos • qos configuration examples overview introduction to qos quality of service (qos) is a c...

  • Page 664

    1-2 besides the traditional applications such as www, e-mail, and ftp, new services are developed on the internet, such as tele-education, telemedicine, video telephone, videoconference and video-on-demand (vod). Enterprise users expect to connect their regional branches together using vpn technique...

  • Page 665

    1-3 • Congestion management handles resource competition during network congestion. Generally, it adds packets to queues first, and then forwards the packets by using a scheduling algorithm. Congestion management is usually applied in the outbound direction of a port. • Congestion avoidance monitors...

  • Page 666

    1-4 qos feature description refer to … congestion avoidance wred for information about congestion avoidance and wred, refer to congestion avoidance . Congestion management the switch 5500-ei series support sp, wfq, and wrr queue scheduling algorithms and support the following five queue scheduling m...

  • Page 667

    1-5 priority trust mode introduction to precedence types 1) ip precedence, tos precedence, and dscp precedence figure 1-2 ds field and tos byte the tos field in an ip header contains eight bits numbered 0 through 7, among which, • the first three bits indicate ip precedence in the range 0 to 7. • bi...

  • Page 668

    1-6 service level can be segmented. The qos rank of the af class is lower than that of the ef class; • class selector (cs) class: this class comes from the ip tos field and includes eight subclasses; • best effort (be) class: this class is a special class without any assurance in the cs class. The a...

  • Page 669

    1-7 2) 802.1p priority 802.1p priority lies in layer 2 packet headers and is applicable to occasions where the layer 3 packet header does not need analysis but qos must be assured at layer 2. Figure 1-3 an ethernet frame with an 802.1q tag header as shown in the figure above, the 4-byte 802.1q tag h...

  • Page 670

    1-8 local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to one of the eight hardware output queues. Packets with the highest local precedence are processed preferentially. As local precedence is used only for internal queuing...

  • Page 671

    1-9 802.1p priority local precedence 7 7 protocol priority protocol packets generated by a switch carry their own priority. You can set a new ip precedence or dscp precedence for the specific type of protocol packets to implement qos. Priority marking the priority marking function is to reassign pri...

  • Page 672

    1-10 figure 1-5 evaluate the traffic with the token bucket (figure labels: token bucket, drop, packet classification, packets to be sent through this port, continue to send, put tokens in the bucket at the set rate) evaluating the traffic with the token bucket when token bucket is used for traffic evaluation, the number ...

  • Page 673

    1-11 • Drop. Drop the packet whose evaluation result is “nonconforming”. • Modify the dscp precedence and forward. Modify the dscp precedence of the packets whose evaluation result is “nonconforming” and then forward them. Line rate line rate refers to limiting the total rate of inbound or outbound ...

  • Page 674

    1-12 figure 1-6 diagram for sp queuing sp queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output que...

  • Page 675

    1-13 figure 1-7 diagram for wfq queuing before wfq is introduced, you must understand fair queuing (fq) first. Fq is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as:...

  • Page 676

    1-14 figure 1-8 diagram for wrr queuing wrr queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical switch 5500-ei there are eight output queues on each port. Wrr configures a weight value for each queue, for example: w7, w6,...

  • Page 677

    1-15 peak will then occur in a certain future time. Consequently, the network traffic jitters all the time. Wred you can use weighted random early detection (wred) to avoid global tcp session synchronization. In wred algorithm, an upper limit and a lower limit are set for each queue, and the packets...

  • Page 678

    1-16 traffic mirroring traffic mirroring identifies traffic using acls and duplicates the matched packets to the destination mirroring port or cpu depending on your configuration. For information about port mirroring, refer to the mirroring module of this manual. Qos configuration complete the follow...

  • Page 679

    1-17 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — configure to trust port priority and configure the port priority priority priority-level optional by default, the switch trusts port priority and the priority of a port is 0. Follow these steps ...

  • Page 680

    1-18 configuration procedure follow these steps to configure the mapping between 802.1p priority and local precedence: to do… use the command… remarks enter system view system-view — configure the mapping between 802.1p priority and local precedence qos cos-local-precedence-map cos0-map-local-prec c...

  • Page 681

    1-19 on a switch 5500-ei, you can set the priority for protocol packets of telnet, ospf, snmp, and icmp. Configuration example • Set the ip precedence of icmp packets to 3. • Display the configuration. Configuration procedure: system-view [sysname] protocol-priority protocol-type icmp ip-precedence ...

  • Page 683

    1-21 configuration prerequisites • The acl rules used for traffic classification have been defined. Refer to the acl module of this manual for information about defining acl rules. • The rate limit for traffic policing, and the actions for the packets exceeding the rate limit have been determined. •...

  • Page 684

    1-22 configuring line rate refer to section line rate for information about line rate. Configuration prerequisites • The port on which line rate configuration is to be performed has been determined. • The target rate and the direction of rate limiting (inbound or outbound) have been determined. Conf...

  • Page 686

    1-24 configuring vlan mapping refer to section vlan mapping for information about vlan mapping. Configuration prerequisites • The acl rules used for traffic classification have been defined. Refer to the acl module of this manual for information about defining acl rules. • The ports on which the conf...

  • Page 688

    1-26 configuration example • Adopt wrr for queue scheduling, setting the weights of the output queues to 2, 2, 3, 3, 4, 4, 5, and 5 (in the order queue 0 through queue 7). • Verify the configuration. Configuration procedure: system-view [sysname] queue-scheduler wrr 2 2 3 3 4 4 5 5 [sysname] displa...

  • Page 689

    1-27 configuration procedure: system-view [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] wred 2 64 20 configuring traffic accounting refer to section flow-based traffic accounting for information about traffic accounting. Configuration prerequisites • The acl rules for traffic classificat...

  • Page 690

    1-28 enabling the burst function refer to section burst for information about the burst function. Configuration prerequisites you have determined that the burst function is required. Configuration procedure follow these steps to enable the burst function: to do… use the command… remarks enter system...

  • Page 693

    1-31 • Set the maximum rate of outbound packets sourced from the marketing department to 64 kbps. Drop the packets exceeding the rate limit. • Set the maximum rate of outbound ip packets sent by pc 1 in the r&d department to 640 kbps. Drop the packets exceeding the rate limit. Network diagram figure...

  • Page 694

    1-32 clients pc 4 through pc 6 are connected to ethernet 1/0/3 of the switch. Server 1 (the database server), server 2 (the mail server), and server 3 (the file server) are connected to ethernet 1/0/2 of the switch. Configure priority marking and queue scheduling on the switch to mark traffic flows ...

  • Page 695

    1-33 [sysname-ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3 [sysname-ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2 [sysname-ethernet1/0/2] quit 3) configure queue scheduling # apply sp queue scheduling algorithm. [sysname] queue-sch...

  • Page 696

    1-34 network diagram figure 1-11 network diagram for vlan mapping configuration (figure labels: eth1/0/10, eth1/0/11, eth1/0/12, eth1/0/15, eth1/0/16, eth1/0/17; switch a, switch b; vlan 100, vlan 200; public network vlan 500/600) configuration procedure # create customer vlans vlan 100 and vlan 200 and service vla...

  • Page 697

    1-35 [switcha] interface ethernet 1/0/12 [switcha-ethernet1/0/12] port link-type trunk [switcha-ethernet1/0/12] port trunk pvid vlan 200 [switcha-ethernet1/0/12] port trunk permit vlan 200 600 [switcha-ethernet1/0/12] quit # configure ethernet 1/0/10 of switch a as a trunk port, and assign it to vla...

  • Page 698

    1-36 [switcha-ethernet1/0/10] traffic-remark-vlanid inbound link-group 40 03 remark-vlan 200 [switcha-ethernet1/0/10] quit define the same vlan mapping rules on switch b. The detailed configuration procedure is similar to that of switch a and thus is omitted here. Configuring traffic mirroring and r...

  • Page 699

    1-37 # create a time range trname covering the period from 8:00 to 18:00 during working days. System-view [switch] time-range trname 8:00 to 18:00 working-day 2) configure a policy for the traffic of the marketing department # create basic acl 2000 to permit the traffic of the hosts in the marketing...

  • Page 700: Qos Profile Configuration

    2-1 2 qos profile configuration when configuring qos profile, go to these sections for information you are interested in: • overview • qos profile configuration task list • displaying and maintaining qos profile configuration • configuration example overview introduction to qos profile qos profile i...

  • Page 701

    2-2 a user-based qos profile application fails if the traffic classification rule defined in the qos profile contains source address information (including source mac address information, source ip address information, and vlan information). Manual application mode you can use the apply command to m...

  • Page 703

    2-4 to do… use the command… remarks configure the mode to apply a qos profile as port-based qos-profile port-based specify the mode to apply a qos profile configure the mode to apply a qos profile as user-based undo qos-profile port-based optional by default, the mode to apply a qos profile is user-...

  • Page 704

    2-5 configuration example qos profile configuration example network requirements all departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. A user name is someone, and the authentication password ...

  • Page 705

    2-6 # set the encryption passwords for the switch to exchange packets with the authentication radius servers and accounting radius servers. [sysname-radius-radius1] key authentication money [sysname-radius-radius1] key accounting money # configure the switch to delete the user domain name from the u...

  • Page 706: Table of Contents

    I table of contents 1 mirroring configuration································································································ 1-1 mirroring overview······································································································ 1-1 local port mirroring ········...

  • Page 707: Mirroring Configuration

    1-1 1 mirroring configuration when configuring mirroring, go to these sections for information you are interested in: • mirroring overview • mirroring configuration • displaying and maintaining port mirroring • mirroring configuration examples mirroring overview mirroring is to duplicate packets fro...

  • Page 708

    1-2 local port mirroring in local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device. Remote ...

  • Page 709

    1-3 table 1-1 describes how the ports on various switches are involved in the mirroring operation. Table 1-1 ports involved in the mirroring operation switch ports involved function source port port monitored. It copies packets to the reflector port through local port mirroring. There can be more th...

  • Page 710

    1-4 mirroring configuration complete the following tasks to configure mirroring: task remarks configuring local port mirroring optional configuring remote port mirroring optional on a switch 5500-ei, only one destination port for local port mirroring and only one reflector port can be configured, an...

  • Page 711

    1-5 to do… use the command… remarks group mirroring-group group-id monitor-port when configuring local port mirroring, note that: • You need to configure the source and destination ports for the local port mirroring to take effect. • The source port and the destination port cannot be a fabric port o...

  • Page 712

    1-6 to do… use the command… remarks configure the current port as trunk port port link-type trunk required by default, the port type is access. Configure the trunk port to permit packets from the remote-probe vlan port trunk permit vlan remote-probe-vlan-id required return to system view quit — crea...

  • Page 713

    1-7 to do… use the command… remarks enter system view system-view — create a vlan and enter vlan view vlan vlan-id vlan-id is the id of the remote-probe vlan. Configure the current vlan as the remote-probe vlan remote-probe vlan enable required return to system view quit — enter the view of the ethe...

  • Page 714

    1-8 to do… use the command… remarks configure trunk port to permit packets from the remote-probe vlan port trunk permit vlan remote-probe-vlan-id required return to system view quit — create a remote destination mirroring group mirroring-group group-id remote-destination required configure the desti...

  • Page 715

    1-9 the administrator wants to monitor the packets received on and sent from the r&d department and the marketing department through the data detection device. Use the local port mirroring function to meet the requirement. Perform the following configurations on switch c. • Configure ethernet 1/0/1 ...

  • Page 716

    1-10 remote port mirroring configuration example network requirements the departments of a company connect to each other through switch 5500-ei: • Switch a, switch b, and switch c are switch 5500-ei series. • Department 1 is connected to ethernet 1/0/1 of switch a. • Department 2 is connected to eth...

  • Page 717

    1-11 # create remote source mirroring group 1. System-view [sysname] mirroring-group 1 remote-source # configure vlan 10 as the remote-probe vlan. [sysname] vlan 10 [sysname-vlan10] remote-probe vlan enable [sysname-vlan10] quit # configure the source ports, reflector port, and remote-probe vlan for...

  • Page 718

    1-12 [sysname-ethernet1/0/2] port trunk permit vlan 10 3) configure the destination switch (switch c) # create remote destination mirroring group 1. System-view [sysname] mirroring-group 1 remote-destination # configure vlan 10 as the remote-probe vlan. [sysname] vlan 10 [sysname-vlan10] remote-prob...

  • Page 719: Table of Contents

    I table of contents 1 web cache redirection configuration ········································································· 1-1 web cache redirection overview················································································ 1-1 web cache redirection configuration ·············...

  • Page 720

    1-1 1 web cache redirection configuration when configuring web cache redirection, go to these sections for information you are interested in: • web cache redirection overview • web cache redirection configuration • displaying web cache redirection configuration • web cache redirection configuration ...

  • Page 721

    1-2 that is frequently accessed by the users in the lan. It belongs to vlan 30. The switch connects to the router through vlan 40. Normally, http traffic of pc 1 and pc 2 are forwarded through vlan 40 to the router, which then sends the traffic to the internet. By enabling web cache redirection func...

  • Page 722

    1-3 follow these steps to configure web cache redirection in ethernet port view: to do… use the command… remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — configure web cache server parameters webcache address ip-address mac mac-address vlan...

  • Page 723

    1-4 • The market department belongs to vlan 10 and is connected to port ethernet 1/0/1 of the switch. The ip address of vlan 10 interface is 192.168.1.1/24. • The r&d department belongs to vlan 20 and is connected to port ethernet 1/0/2 of the switch. The ip address of vlan 20 interface is 192.168.2...

  • Page 724

    1-5 configuration procedure # create vlan 10 for the market department, and assign an ip address 192.168.1.1 to the vlan-interface 10. System-view [sysname] vlan 10 [sysname-vlan10] port ethernet 1/0/1 [sysname-vlan10] quit [sysname] interface vlan-interface 10 [sysname-vlan-interface10] ip address ...

  • Page 725

    1-6 # configure port ethernet 1/0/4 (through which the switch connects to the web cache server) as a trunk port, and configure the port to allow the packets of vlan 40 and vlan 50 to pass through. [sysname] interface ethernet 1/0/4 [sysname-ethernet1/0/4] port link-type trunk [sysname-ethernet1/0/4]...

  • Page 726: Table of Contents

    I table of contents 1 poe configuration ·····································································································································1-1 poe overview ··············································································································...

  • Page 727: Poe Configuration

    1-1 1 poe configuration when configuring poe, go to these sections for information you are interested in: • poe overview • poe configuration • poe configuration example poe overview introduction to poe power over ethernet (poe)-enabled devices use twisted pairs through electrical ports to supply pow...

  • Page 728

    1-2 • Through the fixed 24/48 ethernet electrical ports, it can supply power to up to 24/48 remote ethernet switches with a maximum distance of 100 m (328 feet). • Each ethernet electrical port can supply at most a power of 15,400 mw to a pd. • When ac power input is adopted for the switch, the maxi...

  • Page 729

    1-3 task remarks upgrading the pse processing software online optional upgrading the pse processing software of fabric switches online optional displaying poe configuration optional enabling the poe feature on a port follow these steps to enable the poe feature on a port: to do… use the command… rem...

  • Page 730

    1-4 5500-ei supports two poe management modes, auto and manual. The auto mode is adopted by default. • auto: when the switch is close to its full load in supplying power, it will first supply power to the pds that are connected to the ports with critical priority, and then supply power to the pds t...

  • Page 731

    1-5 configuring the pd compatibility detection function after the pd compatibility detection function is enabled, the switch can detect the pds that do not conform to the 802.3af standard and supply power to them. After the poe feature is enabled, perform the following configuration to enable the pd...

  • Page 732

    1-6 • When the internal temperature of the switch decreases from x (x>65°c, or x>149°f) to y (60°c≤y ports. • When the internal temperature of the switch increases from x (x (60°c ports. Upgrading the pse processing software online the online upgrading of pse processing software can update the proce...

  • Page 734

    1-8 network diagram figure 1-1 network diagram for poe configuration procedure # upgrade the pse processing software online. System-view [switcha] poe update refresh 0290_021.S19 # enable the poe feature on ethernet 1/0/1, and set the poe maximum output power of ethernet 1/0/1 to 12,000 mw. [switcha...

  • Page 735: Poe Profile Configuration

    2-1 2 poe profile configuration when configuring poe profile, go to these sections for information you are interested in: • introduction to poe profile • poe profile configuration • displaying poe profile configuration • poe profile configuration example introduction to poe profile on a large-sized ...

  • Page 738

    2-4 network diagram figure 2-1 poe profile application network (figure labels: switch a, ip phone, ap, eth1/0/1~eth1/0/5, eth1/0/6~eth1/0/10) configuration procedure # create profile 1, and enter poe profile view. System-view [switcha] poe-profile profile1 # in profile 1, add the poe ...

  • Page 739

    2-5 [switcha-poe-profile-profile2] poe mode signal [switcha-poe-profile-profile2] poe priority high [switcha-poe-profile-profile2] poe max-power 15400 [switcha-poe-profile-profile2] quit # display detailed configuration information for profile2. [switcha] display poe-profile name profile2 poe-profil...

  • Page 740: Table of Contents

    I table of contents 1 xrn fabric configuration·························································································································1-1 introduction to xrn··············································································································...

  • Page 741: Xrn Fabric Configuration

    1-1 1 xrn fabric configuration when configuring xrn fabric, go to these sections for information you are interested in: • introduction to xrn • xrn fabric configuration • displaying and maintaining xrn fabric • xrn fabric configuration example introduction to xrn intelligent resilient framework (xrn...

  • Page 742

    1-2 figure 1-2 port connection mode for switch 5500-ei series (ring topology xrn fabric mode; the figure shows the front panel with ports 1 through 28 and the speed/duplex led legend) ...

  • Page 743

    1-3 ftm as the basis of the xrn function, the fabric topology management (ftm) program manages and maintains the entire topology of a fabric. With fabric ports configured, the ftm program releases information of the device through the fabric ports. The device information includes unit id, cpu mac, d...

  • Page 744

    1-4 status analysis solution two fabric ports of the same device (that is, the right port and the left port) are connected. Pull out one end of the cable and connect it to a fabric port of another switch. The left and right fabric ports of the devices are not connected in a crossed way. Connect the ...

  • Page 745

    1-5 then the system automatically synchronizes the configurations to the device with the smallest unit id and changes the fabric name. With the above operations completed, the device can be added to the fabric and work normally. • You need to enable the xrn automatic fabric function on all the devic...

  • Page 746

    1-6 in this way, the forwarding table entries of each device in the fabric can be consistent. Even if the master fails, other devices can use the forwarding table synchronized from the master to perform layer 3 forwarding, thus ensuring the accuracy of forwarding path. After re-electing the master, ...

  • Page 747

    1-7 to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number — specify the current port as the fabric port of a switch port link-type xrn-fabric required no port is specified as the fabric port by default. Z establishing ...

  • Page 748

    1-8 to do… use the command… remarks specify the vlan used to form an xrn fabric ftm fabric-vlan vlan-id required by default, the vlan used to form the xrn fabric is vlan 4093 you cannot specify an existing vlan to form an xrn fabric; otherwise, your configuration fails. Setting a unit id for a switc...

  • Page 749

    1-9 z unit ids in an xrn fabric are not always arranged in order of 1 to 8. Z unit ids of an xrn fabric can be inconsecutive. After you change the unit id of switches, the following operations are performed. Z if the modified unit id does not exist in the xrn fabric, the system sets its priority to ...

  • Page 750

    1-10 follow these steps to assign a fabric name to a switch: to do… use the command… remarks enter system view system-view — assign a fabric name to the switch sysname sysname optional by default, the xrn fabric name is 5500-ei. Setting the xrn fabric authentication mode only the switches with the s...

  • Page 751

    1-11 z you need to enable the xrn automatic fabric function on all the devices including the newly added device in the fabric to enable the newly added device to download software and discover neighbors and thus be added to the fabric normally. Z after you configure the xrn automatic fabric functio...

  • Page 752

    1-12 network diagram figure 1-4 network diagram for forming an xrn fabric configuration procedure 1) configure switch a. # configure fabric ports. System-view [sysname] fabric-port gigabitethernet1/0/25 enable [sysname] fabric-port gigabitethernet1/0/26 enable # configure the unit name as unit 1. [s...

  • Page 753: Table of Contents

    I table of contents: 1 cluster 1-1; cluster overview ...

  • Page 754: Cluster

    1-1 1 cluster when configuring cluster, go to these sections for information you are interested in: z cluster overview z cluster configuration task list z displaying and maintaining cluster configuration z cluster configuration examples cluster overview introduction to hgmp a cluster contains a grou...

  • Page 755

    1-2 figure 1-1 a cluster implementation hgmp v2 has the following advantages: z it eases the configuration and management of multiple switches: you just need to configure a public ip address for the management device instead of for all the devices in the cluster; and then you can configure and manag...

  • Page 756

    1-3 role configuration function member device normally, a member device is not assigned an external ip address z members of a cluster z discovers the information about its neighbors, processes the commands forwarded by the management device, and reports logs. The member devices of a cluster are under ...

  • Page 757

    1-4 z neighbor discovery protocol (ndp) z neighbor topology discovery protocol (ntdp) z cluster a cluster configures and manages the devices in it through the above three protocols. Cluster management involves topology information collection and the establishment/maintenance of a cluster. Topology i...

  • Page 758

    1-5 the management device collects the topology information periodically. You can also launch an operation of topology information collection by executing related commands. The process of topology information collection is as follows. Z the management device sends ntdp topology collection requests p...

  • Page 759

    1-6 on the management device, you need to enable the cluster function and configure cluster parameters. On the member/candidate devices, however, you only need to enable the cluster function so that they can be managed by the management device. Cluster maintenance 1) adding a candidate device to a c...

  • Page 760

    1-7 device to active; otherwise, it changes the state of the member device (in connect state) to disconnect, in which case the management device considers the member device disconnected. Likewise, if this member device, which is in connect state, receives a handshake packet or management packet from...

  • Page 761

    1-8 tracing a device in a cluster in practice, you need to implement the following in a cluster sometimes: z know whether there is a loop in the cluster z locate which port on which switch initiates a network attack z determine the port and switch that a mac address corresponds to z locate which swi...

  • Page 762

    1-9 cluster configuration task list before configuring a cluster, you need to determine the roles and functions the switches play. You also need to configure the related functions, preparing for the communication between devices within the cluster. Complete the following tasks to configure cluster: ...

  • Page 763

    1-10 enabling ndp globally and on specific ports follow these steps to enable ndp globally and on specific ports: to do… use the command… remarks enter system view system-view — enable ndp globally ndp enable required by default, ndp is enabled globally. In system view ndp enable interface port-list...

  • Page 764

    1-11 to do… use the command… remarks enter system view system-view — configure the range to collect topology information ntdp hop hop-value optional by default, the system collects topology information from the devices within three hops. Configure the device forward delay of topology collection requ...

  • Page 765

    1-12 to do… use the command… remarks build a cluster build name required name: cluster name. Configure a multicast mac address for the cluster cluster-mac h-h-h required by default, the cluster multicast mac address is 0180-c200-000a. Set the interval for the management device to send multicast pack...

  • Page 766

    1-13 to do… use the command… remarks configure a shared ftp server for the cluster ftp-server ip-address optional by default, the management device acts as the shared ftp server. Configure a shared tftp server for the cluster tftp-server ip-address optional by default, no shared tftp server is confi...

  • Page 767

    1-14 to reduce the risk of attacks by malicious users against open sockets and enhance switch security, the switch 5500-ei series ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: z opening udp port 40000 (used for cluster) only whe...

  • Page 768

    1-15 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — enable ntdp on the port ntdp enable required enabling the cluster function follow these steps to enable the cluster function: to do… use the command… remarks enter system view system-view — enab...

  • Page 770

    1-17 configuring the enhanced cluster features complete the following tasks to configure the enhanced cluster feature: task remarks configuring cluster topology management function required configuring cluster device blacklist required configuring cluster topology management function 1) configuratio...

  • Page 771

    1-18 configuring cluster device blacklist follow these steps to configure the cluster device blacklist on a management device: to do… use the command… remarks enter system view system-view — enter cluster view cluster — add the mac address of a specified device to the cluster blacklist black-list ad...

  • Page 772

    1-19 when you display the cluster topology information, the devices attached to the switch that is listed in the blacklist will not be displayed. Cluster configuration examples basic cluster configuration example network requirements three switches compose a cluster, where: z a switch 5500-ei series ...

  • Page 773

    1-20 # enable ndp globally and on ethernet 1/0/1. System-view [sysname] ndp enable [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] ndp enable [sysname-ethernet1/0/1] quit # enable ntdp globally and on ethernet 1/0/1. [sysname] ntdp enable [sysname] interface ethernet 1/0/1 [sysname-ethern...

  • Page 774

    1-21 [sysname-ethernet1/0/2] ntdp enable [sysname-ethernet1/0/2] quit [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3] ntdp enable [sysname-ethernet1/0/3] quit # set the topology collection range to 2 hops. [sysname] ntdp hop 2 # set the delay for a member device to forward topology collec...

  • Page 775

    1-22 # connect the member device to the remote shared ftp server of the cluster. ftp cluster # download the file named aaa.txt from the shared tftp server of the cluster to the member device. tftp cluster get aaa.txt # upload the file named bbb.txt from the member device to the shared tftp server of...

  • Page 776

    1-23 network diagram figure 1-5 network diagram for network management interface configuration configuration procedure # enter system view and configure vlan 3 as the management vlan. System-view [sysname] management-vlan 3 # add ethernet 1/0/1 to vlan 3. [sysname] vlan 3 [sysname-vlan3] port ethern...

  • Page 777

    1-24 [aaa_0.sysname-cluster] # configure vlan-interface 2 as the network management interface. [aaa_0.sysname] cluster [aaa_0.sysname-cluster] nm-interface vlan-interface 2 enhanced cluster feature configuration example network requirements z the cluster operates properly. Z add the device with the ...

  • Page 778: Table of Contents

    I table of contents: 1 snmp configuration 1-1; snmp overview ...

  • Page 779: Snmp Configuration

    1-1 1 snmp configuration when configuring snmp, go to these sections for information you are interested in: z snmp overview z configuring basic snmp functions z configuring trap-related functions z enabling logging for network management z displaying snmp z snmp configuration example snmp overview t...

  • Page 780

    1-2 z set the permission for a community to access an mib object to be read-only or read-write. Communities with read-only permissions can only query the switch information, while those with read-write permission can configure the switch as well. Z set the basic acl specified by the community name. ...

  • Page 783

    1-5 configuring trap-related functions configuring basic trap functions traps refer to those sent by managed devices to the nms without request. They are used to report some urgent and important events (for example, the rebooting of managed devices). Note that basic snmp configuration is performed b...

  • Page 784

    1-6 follow these steps to configure extended trap function: to do… use the command… remarks enter system view system-view — configure the extended trap function snmp-agent trap ifmib link extended optional by default, the linkup/linkdown trap adopts the standard format defined in if-mib. For details...

  • Page 786

    1-8 [sysname] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 passmd5 privacy-mode des56 cfb128cfb128 # set the vlan-interface 2 as the interface used by nms. Add port ethernet 1/0/2, which is to be used for network management, to vlan 2. Set the ip address of vlan-interfac...

  • Page 787: Rmon Configuration

    2-1 2 rmon configuration when configuring rmon, go to these sections for information you are interested in: z introduction to rmon z rmon configuration z displaying rmon z rmon configuration example introduction to rmon remote monitoring (rmon) is a kind of mib defined by internet engineering task f...

  • Page 788

    2-2 error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the nms can further manage the networks. Commonly used rmon groups event group event group is used to define the indexes of events and the processing methods...

  • Page 789

    2-3 statistics group statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with cyc...

  • Page 790

    2-4 z the rmon alarm and rmon prialarm commands take effect on existing nodes only. Z for each port, only one rmon statistics entry can be created. That is, if an rmon statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for th...

  • Page 791

    2-5 [sysname-ethernet1/0/1] quit # add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm. [sysname] rmon event 1 log [sysname] rmon event 2 trap 10.21.30.55 # add an entry numbered 2 to the extended alarm table to allow the system to calcu...

  • Page 792: Table of Contents

    I table of contents: 1 udp helper configuration 1-1; introduction to udp helper ...

  • Page 793: Udp Helper Configuration

    1-1 1 udp helper configuration when configuring udp helper, go to these sections for information you are interested in: z introduction to udp helper z configuring udp helper z displaying and maintaining udp helper z udp helper configuration example introduction to udp helper sometimes, a host needs to ...

  • Page 794

    1-2 table 1-1 list of default udp ports (protocol / udp port number): dns (domain name system) 53; netbios-ds (netbios datagram service) 138; netbios-ns (netbios name service) 137; tacacs (terminal access controller access control system) 49; tftp (trivial file transfer protocol) 69; time service 37. configuri...

  • Page 795

    1-3 z on an s5500-ei series ethernet switch, the reception of directed broadcast packets to a directly connected network is disabled by default. As a result, udp helper is available only when the ip forward-broadcast command is configured in system view. For details about the ip forward-broadcast co...

  • Page 796

    1-4 network diagram figure 1-1 network diagram for udp helper configuration configuration procedure # enable switch a to receive directed broadcasts to a directly connected network. System-view [switcha] ip forward-broadcast # enable udp helper on switch a. [switcha] udp-helper enable # configure th...

  • Page 797: Table of Contents

    I table of contents: 1 ntp configuration 1-1; introduction to ntp ...

  • Page 798: Ntp Configuration

    1-1 1 ntp configuration when configuring ntp, go to these sections for information you are interested in: z introduction to ntp z ntp configuration task list z configuring ntp implementation modes z configuring access control right z configuring ntp authentication z configuring optional ntp paramete...

  • Page 799

    1-2 z defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly z supporting access control (see section configuring access control right ) and md5 encrypted authentication (see section configuring ntp authentication ) z sending protocol packets in unic...

  • Page 800

    1-3 figure 1-1 implementation principle of ntp (figure: device a and device b exchange ntp messages over an ip network; the clock readings 10:00:00 am, 11:00:01 am and 11:00:02 am label the ntp messages as they are sent and received) ...

  • Page 801

    1-4 server/client mode figure 1-2 server/client mode symmetric peer mode figure 1-3 symmetric peer mode (figure labels: active peer, passive peer, clock synchronization request packet, response packet, synchronize, "works in passive peer mode automatically", "in peer mode, both sides can be synchronized to each other") ...

  • Page 802

    1-5 multicast mode figure 1-5 multicast mode table 1-1 describes how the above mentioned ntp modes are implemented on 3com s5500-ei series ethernet switches. Table 1-1 ntp implementation modes on 3com s5500-ei series ethernet switches ntp implementation mode configuration on s5500-ei series switches...

  • Page 803

    1-6 z when a 3com s5500-ei ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; configure the client or the symmetric-active peer instead. Z the ntp server mode, ntp broadcast mode, or ntp multicast mode takes effect only after th...

  • Page 804

    1-7 z execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the ntp feature and opens udp port 123 at the same time. Z execution of the ...

  • Page 807

    1-10 configuring a switch to work in the multicast client mode follow these steps to configure a switch to work in the ntp multicast client mode: to do… use the command… remarks enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure the switch to work ...

  • Page 808

    1-11 the access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring ntp authentication in networks with higher security requirements, the ntp authentication function must be enabled to run nt...

  • Page 809

    1-12 configuration procedure configuring ntp authentication on the client follow these steps to configure ntp authentication on the client: to do… use the command… remarks enter system view system-view — enable the ntp authentication function ntp-service authentication enable required disabled by de...

  • Page 810

    1-13 to do… use the command… remarks configure the specified key as a trusted key ntp-service reliable authentication-keyid key-id required by default, no trusted authentication key is configured. Enter vlan interface view interface vlan-interface vlan-id — configure on the ntp broadcast server ntp-...

  • Page 811

    1-14 if you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending ntp messages. Configuring the number of dynamic sessions allowed on the local switch a single device can have a maximum of 128 associations at the sa...

  • Page 812

    1-15 to do… use the command… remarks display the information about the sessions maintained by ntp display ntp-service sessions [ verbose ] display the brief information about ntp servers along the path from the local device to the reference clock source display ntp-service trace configuration exampl...

  • Page 813

    1-16 [deviceb] display ntp-service status clock status: synchronized clock stratum: 3 reference clock id: 1.0.1.11 nominal frequency: 100.0000 hz actual frequency: 100.0000 hz clock precision: 2^18 clock offset: 0.66 ms root delay: 27.47 ms root dispersion: 208.39 ms peer dispersion: 9.63 ms referen...

  • Page 814

    1-17 configuration procedure z configure device c. # set device a as the ntp server. System-view [devicec] ntp-service unicast-server 3.0.1.31 z configure device b (after the device c is synchronized to device a). # enter system view. System-view # set device c as the peer of device b. [deviceb] ntp...

  • Page 815

    1-18 configuring ntp broadcast mode network requirements z the local clock of device c is set as the ntp master clock, with a stratum level of 2. Configure device c to work in the ntp broadcast server mode and send ntp broadcast messages through vlan-interface 2. Z device a and device d are two s550...

  • Page 816

    1-19 view the ntp status of device d after the clock synchronization. [deviced] display ntp-service status clock status: synchronized clock stratum: 3 reference clock id: 3.0.1.31 nominal frequency: 100.0000 hz actual frequency: 100.0000 hz clock precision: 2^18 clock offset: 198.7425 ms root delay:...

  • Page 817

    1-20 network diagram figure 1-9 network diagram for ntp multicast mode configuration configuration procedure z configure device c. # enter system view. System-view # set device c as a multicast server to send multicast messages through vlan-interface 2. [devicec] interface vlan-interface 2 [devicec-...

  • Page 818

    1-21 root dispersion: 208.39 ms peer dispersion: 9.63 ms reference time: 17:03:32.022 utc apr 2 2007 (bf422ae4.05aea86c) the output information indicates that device d is synchronized to device c, with a clock stratum level of 3, one stratum level lower than that device c. # view the information abo...

  • Page 819

    1-22 z to synchronize device b, you need to perform the following configurations on device a. # enable the ntp authentication function. System-view [devicea] ntp-service authentication enable # configure an md5 authentication key, with the key id being 42 and the key being anicekey. [devicea] ntp-se...

  • Page 820: Table of Contents

    I table of contents: 1 ssh configuration 1-1; ssh overview ...

  • Page 821: Ssh Configuration

    1-1 1 ssh configuration when configuring ssh, go to these sections for information you are interested in: z ssh overview z ssh server and client z displaying and maintaining ssh configuration z comparison of ssh commands with the same functions z ssh configuration examples ssh overview introduction to ...

  • Page 822

    1-2 there are two types of key algorithms: z symmetric key algorithm the same key is used for both encryption and decryption. Supported symmetric key algorithms include des, 3des, and aes, which can effectively prevent data eavesdropping. Z asymmetric key algorithm asymmetric key algorithm is also c...

  • Page 823

    1-3 data exchange the client and the server start to communicate with each other. Z currently, the switch that serves as an ssh server supports two ssh versions: ssh2 and ssh1, and the switch that serves as an ssh client supports only ssh2. Z unless otherwise noted, ssh refers to ssh2 throughout thi...

  • Page 824

    1-4 authentication negotiation the negotiation steps are as follows: z the client sends an authentication request to the server. The authentication request contains username, authentication type, and authentication-related information. For example, if the authentication type is password, the content...

  • Page 825

    1-5 figure 1-2 network diagram for ssh connections configure the devices accordingly this document describes two cases: z the 3com switch acts as the ssh server to cooperate with software that supports the ssh client functions. Z the 3com switch acts as the ssh server to cooperate with another 3com ...

  • Page 826

    1-6 configuring the ssh server the session establishment between an ssh client and the ssh server involves five stages. Similarly, ssh server configuration involves five aspects, as shown in the following table. Complete the following tasks to configure the ssh server: task remarks configuring the u...

  • Page 827

    1-7 configuring the user interfaces for ssh clients an ssh client will access the device through a terminal “vty” user interface. Therefore, you need to configure the device user interface to accept ssh clients and allow ssh login. Note that the configuration takes effect at the next login. Follow t...

  • Page 828

    1-8 set the ssh authentication timeout time ssh server timeout seconds optional by default, the ssh authentication timeout time is 60 seconds. Set the number of ssh authentication retry attempts ssh server authentication-retries times optional by default, the number of ssh authentication retry attem...

  • Page 829

    1-9 as different clients may support different public key algorithms, the key pairs negotiated between the server and clients may be different. Therefore, you need to generate both rsa and dsa key pairs on the server to ensure that clients can log in to the server successfully. You can specify an al...

  • Page 830

    1-10 destroy the dsa key pair public-key local destroy dsa creating an ssh user and specifying an authentication type this task is to create an ssh user and specify an authentication type. An authentication type must be specified for a new user before that user can log in. An ssh user is represented as...

  • Page 833

    1-13 return to public key view from public key edit view public-key-code end — exit public key view and return to system view peer-public-key end — follow these steps to import the public key from a public key file: to do... Use the command... Remarks enter system view system-view — import the publi...

  • Page 835

    1-15 the authentication mode is publickey configuring an ssh client that runs ssh client software configuring an ssh client assumed by an ssh2-capable switch whether first-authentication is supported — configuring an ssh client assumed by an ssh2-capable switch configuring an ssh client that runs ss...

  • Page 836

    1-16 the following takes the client software of putty version 0.58 as an example to illustrate how to configure the ssh client: generating a client key to generate a client key, run puttygen.exe, and select from the parameters area the type of key you want to generate, either ssh-2 rsa or ssh-2 dsa,...

  • Page 837

    1-17 figure 1-4 generate the client keys (2) after the key pair is generated, click save public key and enter the name of the file for saving the public key (public in this case) to save the public key.

  • Page 838

    1-18 figure 1-5 generate the client keys (3) likewise, to save the private key, click save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click yes and enter the name of the file for saving the private key (“private” in this case) to save ...

  • Page 839

    1-19 figure 1-7 generate the client keys (5) specifying the ip address of the server launch putty.exe. The following window appears.

  • Page 840

    1-20 figure 1-8 ssh client configuration interface 1 in the host name (or ip address) text box, enter the ip address of the server. Note that there must be a route available between the ip address of the server and the client. Selecting a protocol for remote connection as shown in figure 1-8 , selec...

  • Page 841

    1-21 figure 1-9 ssh client configuration interface 2 under protocol options, select 2 from preferred ssh protocol version. Some ssh client software, for example, tectia client software, supports the des algorithm only when the ssh1 version is selected. The putty client software supports des algorith...

  • Page 842

    1-22 from the category on the left of the window, select connection/ssh/auth. The following window appears. Figure 1-10 ssh client configuration interface 3 click browse… to bring up the file selection window, navigate to the private key file and click open. If the connection is normal, a user will ...

  • Page 843

    1-23 configuring the ssh client for publickey authentication when the authentication mode is publickey, you need to configure the rsa or dsa public key of the client on the server: z to generate a key pair on the client, refer to configuring key pairs . Z to export the rsa or dsa public key of the c...

  • Page 844

    1-24 with first-time authentication enabled, an ssh client that is not configured with the ssh server's host public key saves the host public key sent by the server without authenticating the server. Attackers may exploit this to initiate man-in-the-middle attacks by acting as an ssh server...

  • Page 846

    1-26 display the mappings between host public keys and ssh servers saved on a client display ssh server-info display the current source ip address or the ip address of the source interface specified for the ssh client. Display ssh2 source-ip comparison of ssh commands with the same functions after t...

  • Page 847

    1-27 z after rsa key pairs are generated, the display rsa local-key-pair public command displays two public keys (the host public key and server public key) when the switch is working in ssh1-compatible mode, but only one public key (the host public key) when the switch is working in ssh2 mode. Z th...

  • Page 848

    1-28 generating the rsa and dsa key pairs on the server is prerequisite to ssh login. # generate rsa and dsa key pairs. [switch] public-key local create rsa [switch] public-key local create dsa # set the authentication mode for the user interfaces to aaa. [switch] user-interface vty 0 4 [switch-ui-v...

  • Page 849

    1-29 figure 1-12 ssh client configuration interface (1) in the host name (or ip address) text box, enter the ip address of the ssh server. 2) from the category on the left pane of the window, select ssh under connection. The window as shown in figure 1-13 appears.

  • Page 850

    1-30 figure 1-13 ssh client configuration interface (2) under protocol options, select 2 from preferred ssh protocol version. 3) as shown in figure 1-13 , click open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, yo...

  • Page 851

    1-31 network diagram figure 1-14 switch acts as server for password and radius authentication configuration procedure 1) configure the radius server this document takes cams version 2.10 as an example to show the basic radius server configurations required. # add an access device. Log in to the cams...

  • Page 852

    1-32 figure 1-15 add an access device # add a user account for device management. From the navigation tree, select user management > user for device management, and then in the right pane, click add to enter the add account page and perform the following configurations: z add a user named hello, and...

  • Page 853

    1-33 [switch-vlan-interface2] quit generating the rsa and dsa key pairs on the server is prerequisite to ssh login. # generate rsa and dsa key pairs. [switch] public-key local create rsa [switch] public-key local create dsa # set the authentication mode for the user interfaces to aaa. [switch] user-...

  • Page 854

    1-34 figure 1-17 ssh client configuration interface (1) in the host name (or ip address) text box, enter the ip address of the ssh server. Z from the category on the left pane of the window, select connection > ssh. The window as shown in figure 1-18 appears.

  • Page 855

    1-35 figure 1-18 ssh client configuration interface (2) under protocol options, select 2 from preferred ssh protocol version. Then, click open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server...

  • Page 856

    1-36 network diagram figure 1-19 switch acts as server for password and hwtacacs authentication configuration procedure z configure the ssh server # create a vlan interface on the switch and assign it an ip address. This address will be used as the ip address of the ssh server for ssh connections. S...

  • Page 857

    1-37 [switch-hwtacacs-hwtac] key authentication expert [switch-hwtacacs-hwtac] key authorization expert [switch-hwtacacs-hwtac] user-name-format without-domain [switch-hwtacacs-hwtac] quit # apply the scheme to the isp domain. [switch] domain bbb [switch-isp-bbb] scheme hwtacacs-scheme hwtac [switch...

  • Page 858

    1-38 figure 1-21 ssh client configuration interface (2) under protocol options, select 2 from preferred ssh protocol version. Then, click open. If the connection is normal, you will be prompted to enter the user name client001 and the password. Once authentication succeeds, you will log in to the se...

  • Page 859

    1-39 configuration procedure under the publickey authentication mode, either the rsa or dsa public key can be generated for the server to authenticate the client. Here takes the rsa public key as an example. Z configure the ssh server # create a vlan interface on the switch and assign an ip address,...

  • Page 860

    1-40 before performing the following steps, you must generate an rsa public key pair (using the client software) on the client, save the key pair in a file named public, and then upload the file to the ssh server through ftp or tftp. For details, refer to the ssh client configuration part. # impor...

  • Page 861

    1-41 figure 1-24 generate a client key pair (2) after the key pair is generated, click save public key and enter the name of the file for saving the public key (public in this case).

  • Page 862

    1-42 figure 1-25 generate a client key pair (3) likewise, to save the private key, click save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click yes and enter the name of the file for saving the private key (private.ppk in this case). Fi...

  • Page 863

    1-43 figure 1-27 ssh client configuration interface (1) in the host name (or ip address) text box, enter the ip address of the server. 2) from the category on the left pane of the window, select ssh under connection. The window as shown in figure 1-28 appears.

  • Page 864

    1-44 figure 1-28 ssh client configuration interface (2) under protocol options, select 2 from preferred ssh protocol version. 3) select connection/ssh/auth. The following window appears.

  • Page 865

    1-45 figure 1-29 ssh client configuration interface (3) click browse to bring up the file selection window, navigate to the private key file and click ok. 4) from the window shown in figure 1-29 , click open. If the connection is normal, you will be prompted to enter the username. When switch acts a...

  • Page 866

    1-46 configuration procedure z configure switch b # create a vlan interface on the switch and assign an ip address, which the ssh client will use as the destination for ssh connection. System-view [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [...

  • Page 867

    1-47 [switcha] ssh2 10.165.87.136 username: client001 trying 10.165.87.136 ... Press ctrl+k to abort connected to 10.165.87.136 ... The server is not authenticated. Do you continue to access it?(y/n):y do you want to save the server's public key?(y/n):n enter password: ******************************...

  • Page 868

    1-48 # create a vlan interface on the switch and assign an ip address, which the ssh client will use as the destination for ssh connection. System-view [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [switchb-vlan-interface1] quit generating the ...

  • Page 869

    1-49 system-view [switcha] interface vlan-interface 1 [switcha-vlan-interface1] ip address 10.165.87.137 255.255.255.0 [switcha-vlan-interface1] quit # generate a dsa key pair [switcha] public-key local create dsa # export the generated dsa key pair to a file named switch001. [switcha] public-key lo...

  • Page 870

    1-50 network diagram figure 1-32 switch acts as client and first-time authentication is not supported configuration procedure z configure switch b # create a vlan interface on the switch and assign an ip address for it to serve as the destination of the client. System-view [switchb] interface vlan-i...

  • Page 871

    1-51 before doing the following steps, you must first generate a dsa key pair on the client and save the key pair in a file named switch001, and then upload the file to the ssh server through ftp or tftp. For details, refer to the following “configure switch a”. # import the client’s public key file...

  • Page 872

    1-52 # disable first-time authentication on the device. [switcha] undo ssh client first-time when first-time authentication is not supported, you must first generate a dsa key pair on the server and save the key pair in a file named switch002, and then upload the file to the ssh client through ftp o...

  • Page 873: Table of Contents

    I table of contents 1 file system management configuration ·································································································1-1 file system configuration ··················································································································...

  • Page 874

    1-1 1 file system management configuration when configuring file system management, go to these sections for information you are interested in: z file system configuration z file attribute configuration z configuration file backup and restoration file system configuration introduction to file system...

  • Page 875

    1-2 directory operations the file system provides directory-related functions, such as: z creating/deleting a directory z displaying the current work directory, or contents in a specified directory follow these steps to perform directory-related operations: to do… use the command… remarks create a d...

  • Page 876

    1-3 to do… use the command… remarks rename a file rename fileurl-source fileurl-dest optional available in user view copy a file copy fileurl-source fileurl-dest optional available in user view move a file move fileurl-source fileurl-dest optional available in user view display the content of a file...

  • Page 877

    1-4 the format operation leads to the loss of all files, including the configuration files, on the flash memory and is irretrievable. Prompt mode configuration you can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation...

  • Page 878

    1-5 directory of unit1>flash:/ 1 (*) -rw- 5822215 jan 01 1970 00:07:03 test.bin 2 -rwh 4 apr 01 2000 23:55:49 snmpboots 3 -rwh 428 apr 02 2000 00:47:30 hostkey 4 -rwh 572 apr 02 2000 00:47:38 serverkey 5 -rw- 1220 apr 02 2000 00:06:57 song.cfg 6 -rw- 26103 jan 01 1970 00:04:34 testv1r1.bin 7 -rwh 88...

  • Page 879

    1-6 attribute name description feature identifier backup identifies backup startup files. The backup startup file is used after a switch fails to start up using the main startup file. In the flash memory, there can be only one app file, one configuration file and one web file with the backup attribu...

  • Page 880

    1-7 configuring file attributes you can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes: to do… use the command… remarks configure the app...

  • Page 881

    1-8 configuration file backup and restoration introduction to configuration file backup and restoration formerly, you can only back up and restore the configuration file of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up...

  • Page 882: Table of Contents

    I table of contents 1 ftp and sftp configuration····················································································································1-1 introduction to ftp and sftp ·······································································································...

  • Page 883: Ftp and Sftp Configuration

    1-1 1 ftp and sftp configuration when configuring ftp and sftp, go to these sections for information you are interested in: z introduction to ftp and sftp z ftp configuration z sftp configuration introduction to ftp and sftp introduction to ftp file transfer protocol (ftp) is commonly used in ip-bas...

  • Page 884

    1-2 z with a 3com switch 5500-ei serving as an ftp client, the seven-segment digital led on the front panel of the switch rotates clockwise when the ftp client (the 3com switch 5500-ei) is downloading files from an ftp server, and stops rotating when the file downloading is finished, as shown in fig...

  • Page 886

    1-4 follow these steps to configure connection idle time: to do… use the command… remarks enter system view system-view — configure the connection idle time for the ftp server ftp timeout minutes optional 30 minutes by default specifying the source interface and source ip address for an ftp server y...

  • Page 887

    1-5 disconnecting a specified user on the ftp server, you can disconnect a specified user from the ftp server to secure the network. Follow these steps to disconnect a specified user: to do… use the command… remarks enter system view system-view — on the ftp server, disconnect a specified user from ...

  • Page 888

    1-6 figure 1-3 process of displaying a shell banner follow these steps to configure the banner display for an ftp server: to do… use the command… remarks enter system view system-view — configure a login banner header login text configure a shell banner header shell text required use either command ...

  • Page 890

    1-8 to do… use the command… remarks download a remote file from the ftp server get remotefile [ localfile ] upload a local file to the remote ftp server put localfile [ remotefile ] rename a file on the remote server rename remote-source remote-dest log in with the specified user name and password u...

  • Page 891

    1-9 z the specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. Z the value of the ip-address argument must be the ip address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. Z...

  • Page 892

    1-10 [sysname] local-user switch [sysname-luser-switch] password simple hello [sysname-luser-switch] service-type ftp 2) configure the pc (ftp client) run an ftp client application on the pc to connect to the ftp server. Upload the application named switch.bin to the root directory of the flash memo...

  • Page 893

    1-11 z if available space on the flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the flash memory to make room for the file, and then upload the file again. The files in use cannot be deleted. If you have to delete the files in use t...

  • Page 894

    1-12 configuration procedure 1) configure the switch (ftp server) # configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section configuration example: a switch operating as an...

  • Page 895

    1-13 configuration procedure 1) configure the pc (ftp server) perform ftp server–related configurations on the pc, that is, create a user account on the ftp server with username switch and password hello. (for detailed configuration, refer to the configuration instruction relevant to the ftp server ...

  • Page 896

    1-14 boot boot-loader switch.bin reboot for information about the boot boot-loader command and how to specify the startup file for a switch, refer to the system maintenance and debugging module of this manual. Sftp configuration complete the following tasks to configure sftp: task remarks enabling a...

  • Page 897

    1-15 to do… use the command… remarks enter system view system-view — configure the connection idle time for the sftp server ftp timeout time-out-value optional 10 minutes by default. Supported sftp client software a 3com switch 5500-ei operating as an sftp server can interoperate with sftp client so...

  • Page 899

    1-17 if you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the sftp server. Since both rsa and dsa are available for public key authentication, you need to use the identity-key key word to specify the algorithms to...

  • Page 900

    1-18 [sysname] public-key local create dsa # create a vlan interface on the switch and assign to it an ip address, which is used as the destination address for the client to connect to the sftp server. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 192.168.0.1 255.255.255....

  • Page 901

    1-19 sftp-client> # display the current directory of the server. Delete the file z and verify the result. Sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 aug 24 07:39 pubkey1 drwxrwxrwx 1 noon...

  • Page 902

    1-20 -rwxrwxrwx 1 noone nogroup 283 aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 sep 02 06:33 new2 received status: end of file received status: success # download the file pubkey2 from the server and ...

  • Page 903: Tftp Configuration

    2-1 2 tftp configuration when configuring tftp, go to these sections for information you are interested in: z introduction to tftp z tftp configuration introduction to tftp compared with ftp, trivial file transfer protocol (tftp) features simple interactive access interface and no authentication con...

  • Page 904

    2-2 tftp configuration complete the following tasks to configure tftp: task remarks basic configurations on a tftp client — tftp configuration: a switch operating as a tftp client specifying the source interface or source ip address for an ftp client optional tftp server configuration for details, s...

  • Page 906

    2-4 network diagram figure 2-1 network diagram for tftp configurations configuration procedure 1) configure the tftp server (pc) start the tftp server and configure the working directory on the pc. 2) configure the tftp client (switch). # log in to the switch. (you can log in to a switch through the...

  • Page 907

    2-5 for information about the boot boot-loader command and how to specify the startup file for a switch, refer to the system maintenance and debugging module of this manual.

  • Page 908: Table of Contents

    I table of contents 1 information center·····································································································································1-1 information center overview ·······························································································...

  • Page 909: Information Center

    1-1 1 information center when configuring information center, go to these sections for information you are interested in: z information center overview z information center configuration z displaying and maintaining information center z information center configuration examples information center ov...

  • Page 910

    1-2 information filtering by severity works this way: information with the severity value greater than the configured threshold is not output during the filtering. Z if the threshold is set to 1, only information with the severity being emergencies will be output; z if the threshold is set to 8, inf...

  • Page 911

    1-3 outputting system information by source module the system information can be classified by source module and then filtered. Some module names and description are shown in table 1-3 . Table 1-3 source module name list module name description 8021x 802.1x module acl access control list module adbm...

  • Page 912

    1-4 module name description sysmib system mib module tac hwtacacs module telnet telnet module tftpc tftp client module vlan virtual local area network module vty virtual type terminal module xm xmodem module default default settings for all the modules to sum up, the major task of the information ce...

  • Page 913

    1-5 z if the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to setting to output system information to a log host . Z there is the syslog process on ...

  • Page 914

    1-6 locate and solve problems globally. In this case, you can configure the information center to add utc time zone to the time stamp of the output information, so that you can know the standard time when the information center processing each piece of information. That is, you can know the greenwic...

  • Page 915

    1-7 source this field indicates the source of the information, such as the source ip address of the log sender. This field is optional and is displayed only when the output destination is the log host. Context this field provides the content of the system information. Information center configuratio...

  • Page 916

    1-8 z if the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. Z in the interaction mode, you are prompted for some information input. If the input is interrup...

  • Page 918

    1-10 follow these steps to enable the system information display on the console: to do… use the command… remarks enable the debugging/log/trap information terminal display function terminal monitor optional enabled by default. Enable debugging information terminal display function terminal debugging...

  • Page 919

    1-11 z when there are multiple telnet users or dumb terminal users, they share some configuration parameters including module filter, language and severity level threshold. In this case, change to any such parameter made by one user will also be reflected on all other user terminals. Z to view debug...

  • Page 923

    1-15 information center configuration examples log output to a unix log host network requirements the switch sends the following log information to the unix log host whose ip address is 202.38.1.10: the log information of the two modules arp and ip, with severity higher than “informational”. Network...

  • Page 924

    1-16 when you edit the file “/etc/syslog.conf”, note that: z a note must start in a new line, starting with a “#” sign. Z in each pair, a tab should be used as a separator instead of a space. Z no space is allowed at the end of a file name. Z the device name (facility) and received log information s...

  • Page 925

    1-17 system-view [switch] info-center enable # configure the host whose ip address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host. [switch] info-center loghost 202.38.1.10 facility local7 [switch] info-center source ...

  • Page 926

    1-18 log output to the console network requirements the switch sends the following information to the console: the log information of the two modules arp and ip, with severity higher than “informational”. Network diagram figure 1-3 network diagram for log output to the console configuration procedur...

  • Page 927

    1-19 network diagram figure 1-4 network diagram configuration procedure # name the local time zone z8 and configure it to be eight hours ahead of utc time. Clock timezone z8 add 08:00:00 # set the time stamp format of the log information to be output to the log host to date. System-view system view:...

  • Page 928: Table of Contents

    I table of contents 1 boot rom and host software loading ···································································································1-1 introduction to loading approaches ·······································································································1-...

  • Page 929

    1-1 1 boot rom and host software loading the configuration of auto power down on ethernet interfaces is added. For the detailed configuration, refer to enabling auto power down on an ethernet port . Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming...

  • Page 930

    1-2 local boot rom and software loading if your terminal is directly connected to the console port of the switch, you can load the boot rom and host software locally. Before loading the software, make sure that your terminal is correctly connected to the switch. The loading process of the boot rom s...

  • Page 931

    1-3 to enter the boot menu, you should press within five seconds (full startup mode) or one second (fast startup mode) after the information “press ctrl-b to enter boot menu...” displays. Otherwise, the system starts to extract the program; and if you want to enter the boot menu at this time, you wi...

  • Page 932

    1-4 2. Set ftp protocol parameter 3. Set xmodem protocol parameter 0. Return to boot menu enter your choice(0-3): step 2: press 3 in the above menu to download the boot rom using xmodem. The system displays the following setting menu for download baudrate: please select your download baudrate: 1.* 9...

  • Page 933

    1-5 figure 1-1 properties dialog box figure 1-2 console port configuration dialog box step 5: click the button to disconnect the hyperterminal from the switch and then click the button to reconnect the hyperterminal to the switch, as shown in figure 1-3.

  • Page 934

    1-6 figure 1-3 connect and disconnect buttons the new baudrate takes effect after you disconnect and reconnect the hyperterminal program. Step 6: press to start downloading the program. The system displays the following information: now please start transfer file with xmodem protocol. If you want to...

  • Page 935

    1-7 figure 1-5 sending file page step 9: after the sending process completes, the system displays the following information: loading ...CCCCCCCCCC done! Step 10: reset hyperterminal’s baudrate to 9600 bps (refer to step 4 and 5). Then, press any key as prompted. The system will display the following...

  • Page 936

    1-8 the subsequent steps are the same as those for loading the boot rom, except that the system gives the prompt for host software loading instead of boot rom loading. You can also use the xmodem get command to load host software through the console port (of aux type). The load procedures are as fol...

  • Page 937

    1-9 tftp server program is not provided with the 3com series ethernet switches. Step 3: run the hyperterminal program on the configuration pc. Start the switch. Then enter the boot menu. At the prompt "enter your choice(0-9):" in the boot menu, press or , and then press to enter the boot rom update ...

  • Page 938

    1-10 when loading boot rom and host software using tftp through boot menu, you are recommended to use the pc directly connected to the device as tftp server to promote upgrading reliability. Loading by ftp through ethernet port introduction to ftp ftp is an application-layer protocol in the tcp/ip p...

  • Page 939

    1-11 step 4: enter 2 in the above menu to download the boot rom using ftp. Then set the following ftp-related parameters as required: load file name :switch.btm switch ip address :10.1.1.2 server ip address :10.1.1.1 ftp user name :switch ftp user password :abc step 5: press . The system displays th...

  • Page 940

    1-12 as shown in figure 1-8 , a pc is used as both the configuration device and the ftp server. You can telnet to the switch, and then execute the ftp commands to download the boot rom program switch.btm from the remote ftp server (whose ip address is 10.1.1.1) to the switch. Figure 1-8 remote loadi...

  • Page 941

    1-13 loading the host software is the same as loading the boot rom program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch. After the above operations, the boot rom...

  • Page 942

    1-14 [sysname-luser-test] password simple pass [sysname-luser-test] service-type ftp step 4: enable ftp client software on the pc. Refer to figure 1-10 for the command line interface in windows operating system. Figure 1-10 command line interface step 5: use the cd command on the interface to enter ...

  • Page 943

    1-15 figure 1-12 log on to the ftp server step 7: use the put command to upload the file switch.btm to the switch, as shown in figure 1-13 . Figure 1-13 upload file switch.btm to the switch step 8: configure switch.btm to be the boot rom at next startup, and then restart the switch. Boot bootrom swi...

  • Page 944

    1-16 2) loading host software loading the host software is the same as loading the boot rom program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for the next startup of the switch. Z the steps...

  • Page 945

    2-1 2 basic system configuration and debugging when configuring basic system configuration and debugging, go to these sections for information you are interested in: z basic system configuration z displaying the system status z debugging the system basic system configuration perform the following ba...

  • Page 946

    2-2 displaying the system status to do… use the command… remarks display the current date and time of the system display clock display the version of the system display version display the information about users logging onto the switch display users [ all ] available in any view debugging the syste...

  • Page 947

    2-3 you can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: to do… use the command… remarks enable system debugging for specific module debugging module-name [ debugging-option ] required disabled for all modul...

  • Page 948: Network Connectivity Test

    3-1 3 network connectivity test when configuring network connectivity test, go to these sections for information you are interested in: z ping z tracert network connectivity test ping you can use the ping command to check the network connectivity and the reachability of a host. To do… use the comman...

  • Page 949: Device Management

    4-1 4 device management when configuring device management, go to these sections for information you are interested in: z introduction to device management z device management configuration z displaying the device management configuration z remote switch app upgrade configuration example introductio...

  • Page 950

    4-2 before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of shutting down the system without saving the configurations use the following command to reboot the ether...

  • Page 951

    4-3 enabling of this function consumes some amounts of cpu resources. Therefore, if your network has a high cpu usage requirement, you can disable this function to release your cpu resources. Specifying the app to be used at reboot app is the host software of the switch. If multiple apps exist in th...

  • Page 952

    4-4 currently, in the s5500-ei series ethernet switches, the auto power down configuration does not take effect on 1000base-x sfp ports . Upgrading the host software in the fabric you can execute the following command on any device in a fabric to use specified host software to upgrade all devices in...

  • Page 953

    4-5 to do… use the command… remarks display main parameters of the pluggable transceiver(s) display transceiver interface [ interface-type interface-number ] available for all pluggable transceivers display part of the electrical label information of the anti-spoofing transceiver(s) customized by h3...

  • Page 954

    4-6 to do… use the command… remarks display system diagnostic information or save system diagnostic information to a file with the extension .diag into the flash memory display diagnostic-information display enabled debugging on a specified switch or all switches in the fabric display debugging{ fab...

  • Page 955

    4-7 refer to the login operation part of this manual for configuration commands and steps about telnet user. 3) execute the telnet command on the pc to log into the switch. The following prompt appears: if the flash memory of the switch is not sufficient, delete the original applications before down...

  • Page 956

    4-8 unit 1: the current boot app is: switch.app the main boot app is: switch.app the backup boot app is: # reboot the switch to upgrade the boot rom and host software of the switch. Reboot start to check configuration with next startup configuration file, please wait...... This command will reboot t...

  • Page 957: Table of Contents

    I table of contents 1 vlan-vpn configuration··························································································································1-1 vlan-vpn overview ················································································································...

  • Page 958: Vlan-Vpn Configuration

    1-1 1 vlan-vpn configuration when configuring vlan-vpn, go to these sections for information you are interested in: z vlan-vpn overview z vlan-vpn configuration z displaying and maintaining vlan-vpn configuration z vlan-vpn configuration example vlan-vpn overview introduction to vlan-vpn virtual pri...

  • Page 959

    1-2 figure 1-2 structure of packets with double-layer vlan tags destination mac address 0 31 data source mac address 15 inner vlan tag outer vlan tag compared with mpls-based layer 2 vpn, vlan-vpn has the following features: z it provides layer 2 vpn tunnels that are simpler. Z vlan-vpn can be imple...

  • Page 960

    1-3 vlan-vpn frame as needed. When doing that, you should set the same tpid on both the customer-side port and the service provider-side port. The tpid in an ethernet frame has the same position with the protocol type field in a frame without a vlan tag. To avoid problems in packet forwarding and ha...

  • Page 961

    1-4 task remarks enabling the vlan-vpn feature for a port required configuring the tpid value for vlan-vpn packets on a port optional configuring the inner-to-outer tag priority replicating and mapping feature optional enabling transparent igmp message transmission on a vlan-vpn port optional cautio...

  • Page 962

    1-5 note: z besides the default tpid 0x8100, you can configure only one tpid value on a switch 5500-ei switch. Z for the switch 5500-ei series to exchange packets with the public network device properly, you should configure the tpid value used by the public network device on both the customer-side ...

  • Page 963

    1-6 to do… use the command… description enable transparent igmp message transmission on the vlan-vpn port igmp transparent enable required by default, transparent igmp message transmission is disabled on a vlan-vpn port. Caution: z if your switch is required to process the igmp messages received on ...

  • Page 964

    1-7 network diagram figure 1-4 network diagram for vlan-vpn configuration configuration procedure z configure switch a. # enable the vlan-vpn feature on ethernet 1/0/11 of switch a and tag the packets received on this port with the tag of vlan 1040 as the outer vlan tag. System-view [switcha] vlan 1...

  • Page 965

    1-8 [switchb] interface ethernet 1/0/21 [switchb-ethernet1/0/21] vlan-vpn enable # Set the TPID value of Ethernet 1/0/22 to 0x9200 (for intercommunication with the devices in the public network) and set the port as a trunk port permitting packets of VLAN 1040. [switchb-ethernet1/0/22] vlan-vpn tpid 9...

  • Page 966: Selective Qinq Configuration

    2-1 2 Selective QinQ Configuration. When configuring selective QinQ, go to these sections for information you are interested in: selective QinQ overview; selective QinQ configuration; selective QinQ configuration example. Selective QinQ Overview. Selective QinQ overview. Selective QinQ is an enhance...

  • Page 967

    2-2 telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN ta...

  • Page 968

    2-3 Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, so that the outbound port to the service provider network can be determined through the MAC address table of the default VLAN and user packets destined for the ser...

  • Page 969

    2-4 Note: Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the inter-VLAN MAC address replicating feature. Follow these steps to enable the inter-VLAN MAC address replicating feature: To d...

  • Page 970

    2-5 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Swit...

  • Page 971

    2-6 [switcha-ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged [switcha-ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [switcha] inter...

  • Page 972

    2-7 [switchb] interface ethernet 1/0/11 [switchb-ethernet1/0/11] port link-type hybrid [switchb-ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged # Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwardin...

  • Page 973: Bpdu Tunnel Configuration

    3-1 3 BPDU Tunnel Configuration. When configuring BPDU tunnel, go to these sections for information you are interested in: BPDU tunnel overview; BPDU tunnel configuration; displaying and maintaining BPDU tunnel configuration; BPDU tunnel configuration example. BPDU Tunnel Overview. Introduction to...

  • Page 974

    3-2 [Figure 3-1: BPDU tunnel network hierarchy] When a BPDU packet coming from a customer network reaches an edge device in the service provider network, the edge device changes the destination MAC address carried in the packet from a protocol-specific MAC address to a private multicast MAC address, ...

  • Page 975

    3-3 Caution: To prevent the devices in the service provider network from processing the tunnel packets as other protocol packets, the MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the service provider network. BPDU Tunnel Configuration. You can est...

  • Page 976

    3-4 Note: The BPDU tunnel is unavailable to all the ports of a device if the device has the fabric feature enabled on one of its ports. If BPDU tunnel transparent transmission is enabled for packets of a protocol, the protocol cannot be enabled on the port. For example, if you execute the bpdu-t...

  • Page 977

    3-5 Network diagram: [Figure 3-4: Network diagram for BPDU tunnel configuration]. Configuration procedure: 1) Configure provide1. # Disable STP on Ethernet 1/0/1. system-view [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] stp disable # Enable the BPDU tunnel feature for STP BPDUs on Ethernet 1/0...

  • Page 978

    3-6 # Configure the destination MAC address for the packets transmitted in the tunnel. [sysname-ethernet1/0/4] quit [sysname] bpdu-tunnel tunnel-dmac 010f-e233-8b22 # Configure Ethernet 1/0/3 as a trunk port that permits packets of all VLANs. [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3]...

  • Page 979: Table of Contents

    I Table of Contents: 1 Remote-Ping Configuration, 1-1; Remote-Ping Overview, ...

  • Page 980: Remote-Ping Configuration

    1-1 1 Remote-Ping Configuration. When configuring remote-ping, go to these sections for information you are interested in: remote-ping overview; remote-ping configuration; remote-ping configuration examples. Remote-Ping Overview. Introduction to remote-ping. Remote-ping is a network diagnostic tool....

  • Page 981

    1-2 Test types supported by remote-ping. Among the test types supported by remote-ping, only the ICMP test can be performed when XRN fabric is enabled; all other test types cannot be performed when XRN fabric is enabled. Table 1-1 Test types supported by remote-ping. Supported test types / Description: I...

  • Page 982

    1-3 Test parameter / Description: Test type (test-type): You can use remote-ping to test a variety of protocols; see Table 1-1 for details. To perform a type of test, you must first create a test group of this type. One test group can be of only one remote-ping test type. If you modify the test ty...

  • Page 983

    1-4 Test parameter / Description: File name for FTP operation (filename): name of a file to be transferred between the remote-ping client and the FTP server. Size of a file to be uploaded in an FTP test (filesize): size of a file to be uploaded in an FTP test. Number of jitter test packets to be sent per probe (jit...

  • Page 984

    1-5 Note that: The remote-ping server function is needed only for jitter, TCP, and UDP tests. You can configure multiple TCP/UDP listening services on one remote-ping server, with each listening service corresponding to a specific destination IP address and port number. Remote-ping client config...

  • Page 985

    1-6 To do… / Use the command… / Remarks: Configure the number of probes per test: count times (optional; by default, each test makes one probe). Configure the packet size: datasize size (optional; by default, the packet size is 56 bytes). Configure a stuffing character string: datafill string (optional; by default,...

  • Page 986

    1-7 To do… / Use the command… / Remarks: Configure the probe timeout time: timeout time (optional; by default, a probe times out in three seconds). Configure the type of service (ToS): tos value (optional; by default, the service type is zero). Start the test: test-enable (required). Display test results: display rem...

  • Page 987

    1-8 To do… / Use the command… / Remarks: Enable history record: history-record enable (optional; by default, history record is not enabled). Configure the retaining time of history record: history keep-time keep-time (optional; by default, the retaining time of history record is 120 minutes). Configure statistic...

  • Page 988

    1-9 To do… / Use the command… / Remarks: Configure the source IP address: source-ip ip-address (required; by default, no source IP address is configured). Configure the source port: source-port port-number (optional; by default, no source port is configured). Configure the test type: test-type ftp (required; by defa...

  • Page 990

    1-11 To do… / Use the command… / Remarks: Configure the source port: source-port port-number (optional; by default, no source port is configured). Configure the test type: test-type http (required; by default, the test type is ICMP). Configure the number of probes per test: count times (optional; by default, each te...

  • Page 992

    1-13 To do… / Use the command… / Remarks: Configure the source port: source-port port-number (optional; by default, no source port is configured). Configure the test type: test-type jitter [ codec codec-value ] (required; by default, the test type is ICMP). Configure the number of probes per test: count times (opti...

  • Page 993

    1-14 To do… / Use the command… / Remarks: Configure the TTL: ttl number (optional; by default, TTL is 20; the sendpacket passroute command voids the ttl command). Configure the automatic test interval: frequency interval (optional; by default, the automatic test interval is zero seconds, indicating no automatic...

  • Page 994

    1-15 To do… / Use the command… / Remarks: Configure the source port: source-port port-number (optional; by default, no source port is configured). Configure the test type: test-type snmpquery (required; by default, the test type is ICMP). Configure the number of probes per test: count times (optional; by default, ea...

  • Page 995

    1-16 To do… / Use the command… / Remarks: Configure the probe timeout time: timeout time (optional; by default, a probe times out in three seconds). Configure the type of service: tos value (optional; by default, the service type is zero). Start the test: test-enable (required). Display test results: display remote-p...

  • Page 996

    1-17 To do… / Use the command… / Remarks: Configure the number of probes per test: count times (optional; by default, one probe is made per time). Configure a test description: description string (optional; by default, no description information is configured). Configure the automatic test interval: frequency int...

  • Page 997

    1-18 8) Configuring UDP test on remote-ping client. Follow these steps to configure UDP test on remote-ping client: To do… / Use the command… / Remarks: Enter system view: system-view. Enable the remote-ping client function: remote-ping-agent enable (required; by default, the remote-ping client function is d...

  • Page 998

    1-19 To do… / Use the command… / Remarks: Configure a test description: description string (optional; by default, no description information is configured). Enable history record: history-record enable (optional; by default, history record is not enabled). Configure the retaining time of history record: history k...

  • Page 999

    1-20 To do… / Use the command… / Remarks: Enable the remote-ping client function: remote-ping-agent enable (required; by default, the remote-ping client function is disabled). Create a remote-ping test group and enter its view: remote-ping administrator-name operation-tag (required; by default, no test group i...

  • Page 1000

    1-21 To do… / Use the command… / Remarks: Configure the automatic test interval: frequency interval (optional; by default, the automatic test interval is zero seconds, indicating no automatic test will be made). Configure the probe timeout time: timeout time (optional; by default, a probe times out in three sec...

  • Page 1001

    1-22 To do… / Use the command… / Remarks: Enter system view: system-view. Enable the remote-ping client function: remote-ping-agent enable (required; by default, the remote-ping client function is disabled). Create a remote-ping test group and enter its view: remote-ping administrator-name operation-tag (requ...

  • Page 1002

    1-23 Configuration procedure: Configure remote-ping client (Switch A): # Enable the remote-ping client. system-view [sysname] remote-ping-agent enable # Create a remote-ping test group, setting the administrator name to administrator and test tag to icmp. [sysname] remote-ping administrator icmp # ...

  • Page 1003

    1-24 5 3 1 0 2000-04-02 20:55:12.2 For detailed output description, see the corresponding command manual. DHCP test. Network requirements: Both the remote-ping client and the DHCP server are switches. Perform a remote-ping DHCP test between the two switches to test the time required for the remote-pin...

  • Page 1004

    1-25 remote-ping entry(admin administrator, tag dhcp) test result: send operation times: 10 receive response times: 10 min/max/average round trip time: 1018/1037/1023 square-sum of round trip time: 10465630 last complete test time: 2000-4-3 9:51:30.9 extend result: sd maximal delay: 0 ds maximal del...

  • Page 1005

    1-26 Network diagram: [Figure 1-4: Network diagram for the FTP test]. Configuration procedure: Configure FTP server (Switch B): configure FTP server on Switch B. For specific configuration of FTP server, refer to the FTP-SFTP-TFTP part of the manual. Configure remote-ping client (Switch A): # Enable t...

  • Page 1006

    1-27 [sysname-remote-ping-administrator-ftp] display remote-ping results administrator ftp remote-ping entry(admin administrator, tag ftp) test result: destination ip address:10.2.2.2 send operation times: 10 receive response times: 10 min/max/average round trip time: 3245/15891/12157 square-sum of ...

  • Page 1007

    1-28 Network diagram: [Figure 1-5: Network diagram for the HTTP test]. Configuration procedure: Configure HTTP server: use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instruction on Windows 2003 Server configuration. Configure remote-ping client (Switch ...

  • Page 1008

    1-29 system busy operation number: 0 connection fail number: 0 operation sequence errors: 0 drop operation number: 0 other operation errors: 0 http result: dns resolve time: 0 http operation time: 675 dns resolve min time: 0 http test total time: 748 dns resolve max time: 0 http transmission success...

  • Page 1009

    1-30 Network diagram: [Figure 1-6: Network diagram for the jitter test]. Configuration procedure: Configure remote-ping server (Switch B): # Enable the remote-ping server and configure the IP address and port to listen on. system-view [sysname] remote-ping-server enable [sysname] remote-ping-server udpe...

  • Page 1010

    1-31 last complete test time: 2000-4-2 8:14:58.2 extend result: sd maximal delay: 10 ds maximal delay: 10 packet lost in test: 0% disconnect operation number: 0 operation timeout number: 0 system busy operation number: 0 connection fail number: 0 operation sequence errors: 0 drop operation number: 0...

  • Page 1011

    1-32 Network diagram: [Figure 1-7: Network diagram for the SNMP test]. Configuration procedure: Configure SNMP agent (Switch B): # Start SNMP agent and set SNMP version to v2c, read-only community name to public, and read-write community name to private. system-view [sysname] snmp-agent [sysname] snmp-a...

  • Page 1012

    1-33 # Start the test. [sysname-remote-ping-administrator-snmp] test-enable # Display test results. [sysname-remote-ping-administrator-snmp] display remote-ping results administrator snmp remote-ping entry(admin administrator, tag snmp) test result: destination ip address:10.2.2.2 send operation time...

  • Page 1013

    1-34 Configuration procedure: Configure remote-ping server (Switch B): # Enable the remote-ping server and configure the IP address and port to listen on. system-view [sysname] remote-ping-server enable [sysname] remote-ping-server tcpconnect 10.2.2.2 8000 Configure remote-ping client (Switch A):...

  • Page 1014

    1-35 [sysname-remote-ping-administrator-tcpprivate] display remote-ping history administrator tcpprivate remote-ping entry(admin administrator, tag tcpprivate) history record: index response status lastrc time 1 4 1 0 2000-04-02 08:26:02.9 2 5 1 0 2000-04-02 08:26:02.8 3 4 1 0 2000-04-02 08:26:02.8 ...

  • Page 1015

    1-36 [sysname-remote-ping-administrator-udpprivate] test-type udpprivate # Configure the IP address of the remote-ping server as 10.2.2.2. [sysname-remote-ping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the remote-ping server. [sysname-remote-ping-administr...

  • Page 1016

    1-37 DNS test. Network requirements: A switch serves as the remote-ping client, and a PC serves as the DNS server. Perform a remote-ping DNS test between the switch and the DNS server to test the time required from when the client sends a DNS request until it receives a resolution result from the DNS server....

  • Page 1017

    1-38 min/max/average round trip time: 6/10/8 square-sum of round trip time: 756 last complete test time: 2006-11-28 11:50:40.9 extend result: sd maximal delay: 0 ds maximal delay: 0 packet lost in test: 0% disconnect operation number: 0 operation timeout number: 0 system busy operation number: 0 con...

  • Page 1018: Table of Contents

    I Table of Contents: 1 DNS Configuration, 1-1; DNS Overview, ...

  • Page 1019: Dns Configuration

    1-1 1 DNS Configuration. When configuring DNS, go to these sections for information you are interested in: DNS overview; configuring domain name resolution; displaying and maintaining DNS; DNS configuration examples; troubleshooting DNS. DNS Overview. Domain Name System (DNS) is a mechanism used ...

  • Page 1020

    1-2 [Figure 1-1: Dynamic domain name resolution] Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client run on the same device, while the DNS server and the DNS client usually run on different d...

  • Page 1021

    1-3 The IP address you assign to a host name last time will overwrite the previous one if there is any. You may create up to 50 static mappings between domain names and IP addresses. Configuring dynamic domain name resolution. Follow these steps to configure dynamic domain name resolution: To do…...

  • Page 1022

    1-4 DNS configuration examples. Static domain name resolution configuration example. Network requirements: The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com. Network diagram: [Figure 1-2: Network diagram for static DNS configuration]. Configuration procedure ...

  • Page 1023

    1-5 Network diagram: [Figure 1-3: Network diagram for dynamic DNS configuration, showing the DNS server, the switch (DNS client), host.com and the IP network; addresses shown include 2.1.1.2/16, 2.1.1.1 and 3.1.1.1/16]. Configuration procedure: Before doing the following configuration, make sure that: the routes between the DNS server, sw...

  • Page 1024

    1-6 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/5 ms Troubleshooting DNS. Symptom: After enabling the dynamic domain name resolution, the user cannot get the correct IP address. Solution: Use the display dns dynamic-host command to check that the specified domain name is in th...

  • Page 1025: Table of Contents

    I Table of Contents: 1 Smart Link Configuration, 1-1; Smart Link Overview, ...

  • Page 1026: Smart Link Configuration

    1-1 1 Smart Link Configuration. When configuring Smart Link, go to these sections for information you are interested in: Smart Link overview; configuring Smart Link; displaying and maintaining Smart Link; Smart Link configuration example. Smart Link Overview. As shown in Figure 1-1, dual-uplink n...

  • Page 1027

    1-2 Slave port: The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure Ethernet 1/0/2 of Switch A in Figure 1-1 as the slave port through the command line. Flush message: When a forwarding link fails, the device will swit...

  • Page 1028

    1-3 Operating mechanism of Smart Link. [Figure 1-2: Network diagram of Smart Link operating mechanism (Switch A through Switch E with their Ethernet ports; one port blocked)] As shown in Figure 1-2, Ethernet 1/0/1 on Switch A is active and E...

  • Page 1029

    1-4 Task / Remarks: Configuring a Smart Link device: create a Smart Link group; add member ports to the Smart Link group; enable the function of sending flush messages in the specified control VLAN (required). Configuring associated devices: enable the function of processing flush messages received from the s...

  • Page 1030

    1-5 Configuring associated devices. An associated device mentioned in this document refers to a device that supports Smart Link and is locally configured to process flush messages received from the specified control VLAN so as to work with the corresponding Smart Link device. As shown in Figure 1-2, al...

  • Page 1031

    1-6 If no control VLAN is configured for flush message processing, the device will forward received flush messages without processing them. If the control VLAN for receiving flush messages configured on an associated device is different from the one for sending flush messages configured on the c...

  • Page 1032

    1-7 Network diagram: [Figure 1-3: Network diagram for Smart Link configuration (Switch A, Switch C, Switch D, Switch E, a server and a host, with their Ethernet ports)]. Configuration procedure: Configure a Smart Link group on Switch A and configure member ports for it. En...

  • Page 1033

    1-8 # Enable the function of processing flush messages received from VLAN 1 on Ethernet 1/0/2. smart-link flush enable control-vlan 1 port ethernet 1/0/2 Enable the function of processing flush messages received from VLAN 1 on Switch D. # Enter system view. system-view # Enable the function of pro...

  • Page 1034: Monitor Link Configuration

    2-1 2 Monitor Link Configuration. When configuring Monitor Link, go to these sections for information you are interested in: introduction to Monitor Link; configuring Monitor Link; displaying Monitor Link configuration; Monitor Link configuration example. Introduction to Monitor Link. Monitor Link...

  • Page 1035

    2-2 How Monitor Link works. [Figure 2-2: Network diagram for a monitor link group implementation (Switch A through Switch E with their Ethernet ports; one port blocked)] As shown in Figure 2-2, the devices Switch C and Switch D are connected...

  • Page 1036

    2-3 Configuring Monitor Link. Before configuring a monitor link group, you must create a monitor link group and configure member ports for it. A monitor link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregati...

  • Page 1037

    2-4 To do… / Use the command… / Remarks: Configure the specified Ethernet port as the uplink port of the monitor link group: in monitor link group view, port interface-type interface-number uplink; or quit, interface interface-type interface-number, then in Ethernet port view, port monitor-link group group-id uplink. Configu...

  • Page 1039

    2-6 [switcha] interface ethernet 1/0/1 [switcha-ethernet1/0/1] stp disable [switcha-ethernet1/0/1] quit [switcha] interface ethernet 1/0/2 [switcha-ethernet1/0/2] stp disable # Return to system view. [switcha-ethernet1/0/2] quit # Create Smart Link group 1 and enter Smart Link group view. [switcha] ...

  • Page 1040: Table of Contents

    I Table of Contents: 1 Access Management Configuration, 1-1; Access Management Overview, 1-1; Configuring Access Management, ...

  • Page 1041

    1-1 1 Access Management Configuration. When configuring access management, go to these sections for information you are interested in: access management overview; configuring access management; access management configuration examples. Access Management Overview. Normally, client PCs in a network a...

  • Page 1042

    1-2 A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch. Note that the IP addresses in the access management IP address pool configured ...

  • Page 1043

    1-3 Access management configuration examples. Access management configuration example. Network requirements: Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP a...

  • Page 1044

    1-4 [sysname-ethernet1/0/1] am ip-pool 202.10.20.1 20 Combining access management with port isolation. Network requirements: Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of organization 1 are in the range 202.10.20.1/24 to 202.10.2...

  • Page 1045

    1-5 # Set the IP address of VLAN-interface 1 to 202.10.20.200/24. [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 202.10.20.200 24 [sysname-vlan-interface1] quit # Configure the access management IP address pool on Ethernet 1/0/1. [sysname] interface ethernet 1/0/1 [sysname...

  • Page 1046: Table of Contents

    I Table of Contents: 1 LLDP Configuration, 1-1; Introduction to LLDP, ...

  • Page 1047: Lldp Configuration

    1-1 1 LLDP Configuration. When configuring LLDP, go to these sections for information you are interested in: introduction to LLDP; LLDP configuration task list; performing basic LLDP configuration; configuring the encapsulation format for LLDPDUs; configuring CDP compatibility; configuring LLD...

  • Page 1048

    1-2 To inform the neighboring devices in a timely manner of the existence of a device or of an LLDP operating mode change (from the disable mode to TxRx mode, or from the Rx mode to Tx mode), a device can invoke the fast sending mechanism. In this case, the interval to send LLDPDUs changes to one se...

  • Page 1049

    1-3 Type / Description / Remarks: Management Address TLV: carries the management address, the corresponding port number, and OID (object identifier). If the management address is not configured, it is the IP address of the interface of the VLAN with the lowest VLAN ID among those permitted on the port. If ...

  • Page 1050

    1-4 Firmware Revision TLV, which carries the firmware version of an MED device; Software Revision TLV, which carries the software version of an MED device; Serial Number TLV, which carries the serial number of an MED device; Manufacturer Name TLV, which carries the manufacturer name of an M...

  • Page 1051

    1-5 To do… / Use the command… / Remarks: Enable LLDP globally: lldp enable (required; by default, LLDP is disabled globally). Enter Ethernet interface view: interface interface-type interface-number (required). Enable LLDP: lldp enable (optional; the configuration applies to the current port only. By default, LLDP...

  • Page 1053

    1-7 To do… / Use the command… / Remarks: Enter system view: system-view. Enter Ethernet interface view: interface interface-type interface-number (required). Enable LLDP polling and set the polling interval: lldp check-change-interval value (optional; the configuration applies to the current port only. Disable...

  • Page 1054

    1-8 With SNAP encapsulation configured, an LLDP port sends LLDPDUs in SNAP frames and processes only SNAP-encapsulated incoming LLDPDUs. By default, LLDPDUs are encapsulated in Ethernet II frames. If the neighbor devices encapsulate LLDPDUs in SNAP frames, you can configure the encapsulation forma...

  • Page 1055

    1-9 Configuration prerequisites: Before configuring CDP compatibility, make sure that: LLDP is enabled globally; LLDP is enabled on the port connected to an IP phone and is configured to operate in TxRx mode on the port. Configuring CDP compatibility. Follow these steps to enable LLDP to be compat...

  • Page 1056

    1-10 To do… / Use the command… / Remarks: Enable LLDP trap sending: lldp notification remote-change enable (required; the configuration applies to the current port only. Disabled by default). Quit to system view: quit. Set the interval to send LLDP traps: lldp timer notification-interval value (optional; 5 sec...

  • Page 1057

    1-11 [Figure 1-1: Network diagram for LLDP configuration (NMS, Switch A, Switch B, MED device; ports Eth1/0/1 and Eth1/0/2)] Configuration procedure: 1) Configure Switch A. # Enable LLDP globally. system-view [switcha] lldp enable # Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2, setting the LLDP operating m...

  • Page 1058

    1-12 hold multiplier : 4 reinit delay : 2s transmit delay : 2s trap interval : 5s fast start times : 3 port 1 [ethernet1/0/1] : port status of lldp : enable admin status : rx_only trap flag : no roll time : 0s number of neighbors : 1 number of med neighbors : 1 number of cdp neighbors : 0 number of ...

  • Page 1059

    1-13 roll time : 0s number of neighbors : 1 number of med neighbors : 1 number of cdp neighbors : 0 number of sent optional tlv : 0 number of received unknown tlv : 5 port 2 [ethernet1/0/2] : port status of lldp : enable admin status : rx_only trap flag : no roll time : 0s number of neighbors : 0 nu...

  • Page 1060

    1-14 [switcha] interface ethernet 1/0/1 [switcha-ethernet1/0/1] voice vlan 2 enable [switcha-ethernet1/0/1] quit [switcha] interface ethernet 1/0/2 [switcha-ethernet1/0/2] voice vlan 2 enable [switcha-ethernet1/0/2] quit 2) Configure CDP-compatible LLDP on Switch A. # Enable LLDP globally. [switcha]...

  • Page 1061: Table of Contents

    I Table of Contents: 1 Password Control Configuration Operations, 1-1; Introduction to Password Control Configuration, 1-1; Passwor...

  • Page 1062

    1-1 1 Password Control Configuration Operations. Introduction to password control configuration. The password control feature is designed to manage the following passwords: Telnet passwords: passwords for logging into the switch through Telnet. SSH passwords: passwords for logging into the switch ...

  • Page 1063

    1-2 Function / Description / Application: Password protection and encryption: Encrypted display: the switch protects the displayed password. The password is always displayed as a string containing only asterisks (*) in the configuration file or on the user terminal. Saving passwords in ciphertext: the switch ...

  • Page 1064

    1-3 Password control configuration. Configuration prerequisites: A user PC is connected to the switch to be configured; both devices are operating normally. Configuration tasks: The following sections describe the configuration tasks for password control: configuring password aging; configuring the ...

  • Page 1065

    1-4 Operation / Command / Description: Create a local user or enter local user view: local-user user-name. Configure a password aging time for the local user: password-control aging aging-time (optional; by default, the aging time is 90 days). In this section, you must note the effective range of the same co...

  • Page 1066

    1-5 You can configure the password aging time when password aging is not yet enabled, but these configured parameters will not take effect. After the user changes the password successfully, the switch saves the old password in a readable file in the flash memory. The switch does not provide th...

  • Page 1067

    1-6 In this section, you must note the effective range of the same commands when executed in different views or applied to different types of passwords: Global settings in system view apply to all local user passwords and super passwords. Settings in the local user view apply to the local user password ...

  • Page 1068

    1-7 Table 1-5 Manually remove history password records. Operation / Command / Description: Remove history password records of one or all users: reset password-control history-record [ user-name user-name ]. Executing this command without the user-name user-name option removes the history password records of...

  • Page 1069

    1-8 lock-time: In this mode, the system inhibits the user from re-logging in within a certain time period. After the period, the user is allowed to log into the switch again. By default, this time is 120 minutes. lock: In this mode, the system inhibits the user from re-logging in forever. The us...

  • Page 1070

    1-9 Table 1-9 Configure the timeout time for users to be authenticated. Operation / Command / Description: Enter system view: system-view. Configure the timeout time for users to be authenticated: password-control authentication-timeout authentication-timeout (optional; by default, it is 60 seconds). Configur...

  • Page 1071

    1-10 Operation / Command / Description: Configure the password composition policy for the local user: password-control composition type-number policy-type [ type-length type-length ] (optional; by default, the minimum number of types a password should contain is 1 and the minimum number of characters of eac...

  • Page 1072

    1-11 For the super password, the minimum number of password composition types is 3 and the minimum number of characters in each composition type is 3. For a local user named test, the minimum password length is 6 characters, the minimum number of password composition types is 2, the minimum numbe...