3Com S7902E Configuration Manual

Summary of S7902E

  • Page 1

    3Com S7900E Family Configuration Guide, Release 6600 Series (S7910E, S7906E, S7906E-V, S7903E, S7903E-S, S7902E). Manual version: 20091015-C-1.00. www.3Com.com. 3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752 3064.

  • Page 2

    Copyright © 2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves th...

  • Page 3

    About this manual. Organization: the 3Com S7900E Family Configuration Guide - Release 6600 Series is organized as follows. Volume / features: 00-Product Overview includes obtaining the documentation, product features and acronyms. Ethernet port, link aggregation, port isolation, service loopback group, loopback ...

  • Page 4

    Volume / features: dual-SRPU system, VRRP, Smart Link, Monitor Link, RRPP, DLDP, Ethernet OAM, connectivity fault detection (08-High Availability Volume); BFD, Track, GR overview; login, basic system configuration, device management, file system management, SNMP, RMON, MAC address table management, system maintenance and ...

  • Page 5

    Convention / description: < > button names are inside angle brackets. [ ] window names, menu items, data table and field names are inside square brackets; for example, pop up the [New User] window. / multi-level menus are separated by forward slashes; for example, [File/Create/Folder]....

  • Page 6: Table of Contents

    Table of contents: 1 Product Features (1-1); Introduction to Product ...

  • Page 7: Product Features

    1 Product features. Introduction to product: the S7900E switch is a cost-effective Layer 3 switch with high capacity. It is designed to operate at the core layer of small and medium-sized networks, the convergence layer of large enterprise networks, and the convergence layer and access layer of the metrop...

  • Page 8

    Volume / features: 06-QoS Volume; QoS; user profile; AAA; 802.1X; MAC authentication; portal; port security; IP source guard; SSH2.0; public key; 07-Security Volume; ACL; ARP attack protection; URPF; dual-SRPU system; VRRP; Smart Link; Monitor Link; RRPP; DLDP; Ethernet OAM; connectivity fault detection; 08-High Availabi...

  • Page 9: Features

    2 Features. The following sections provide an overview of the main features of each module supported by the S7900E series. Access Volume, Table 2-1 Features in the Access Volume. Feature / description: Ethernet port. This document describes: combo port configuration; management Ethernet interface configuration; basic Ethern...

  • Page 10

    Feature / description: loopback interface and null interface. This document describes: introduction to the loopback interface; configuring a loopback interface; introduction to the null interface; configuring a Null 0 interface. MSTP: MSTP is used to eliminate loops in a LAN. It is compatible with STP a...

  • Page 11

    Feature / description: port mirroring. Port mirroring copies packets passing through a port to another port connected to a monitoring device for packet analysis, to help implement network monitoring and troubleshooting. This document describes: introduction and configuration of port mirroring; ...

  • Page 12

    Feature / description: IPv6 basics. Internet Protocol version 6 (IPv6), also called IP Next Generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). This document describes: IPv6 overview; basic IPv6 functions configura...

  • Page 13

    Feature / description: static routing. A static route is manually configured by the administrator. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications. This document describes: static route configuration; det...

  • Page 14

    Feature / description: IPv6 OSPFv3. OSPFv3 is OSPF version 3 for short, supporting IPv6 and compliant with RFC 2740 (OSPF for IPv6). This document describes: enabling OSPFv3; configuring OSPFv3 area parameters; configuring OSPFv3 network types; configuring OSPFv3 routing information control; t...

  • Page 15

    Feature / description: IGMP. The Internet Group Management Protocol (IGMP) is a protocol in the TCP/IP suite responsible for management of IP multicast members. This document describes: IGMP overview; configuring basic functions of IGMP; configuring IGMP performance parameters; configuring IGMP SS...

  • Page 16

    Feature / description: MLD. MLD is used by an IPv6 router or an Ethernet switch to discover the presence of multicast listeners on directly attached subnets. This document describes: configuring basic functions of MLD; adjusting MLD performance; configuring MLD SSM mapping; configuring MLD prox...

  • Page 17

    Feature / description: MPLS basics. MPLS integrates both Layer 2 fast switching and Layer 3 routing and forwarding, satisfying the networking requirements of various new applications. This document describes: MPLS overview; MPLS configuration basics; LDP overview; configuring MPLS basic capabi...

  • Page 18

    QoS Volume, Table 2-6 Features in the QoS Volume. Feature / description: QoS. For network traffic, quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a network, you can improve the QoS by guaranteeing the bandwidth and reducing the del...

  • Page 19

    Feature / description: portal. Portal authentication, as its name implies, helps control access to the Internet. This document describes: portal overview; portal configuration. Port security: port security is a MAC address-based security mechanism for network access control. It is an extensio...

  • Page 20

    High Availability Volume, Table 2-8 Features in the High Availability Volume. Feature / description: dual-SRPU system. The S7900E series switches are typically equipped with two SRPUs to provide active-standby backup. This document describes: dual-SRPU system overview; ignoring version check of t...

  • Page 21

    Feature / description: Ethernet OAM. Ethernet OAM is a tool for monitoring Layer 2 link status. It helps network administrators manage their networks effectively. This document describes: Ethernet OAM overview; configuring basic Ethernet OAM functions; configuring link monitoring; enabling OAM lo...

  • Page 22

    Feature / description: basic system configuration. Basic system configuration involves the configuration of the device name, system clock, welcome message, and user privilege levels. This document describes: basic configurations; CLI features. Device management: through the device management function...

  • Page 23

    Feature / description: information center. As the system information hub, the information center classifies and manages all types of system information. This document describes: information center overview; setting output of system information to the console; setting output of system information t...

  • Page 24

    Feature / description: IRF. Intelligent Resilient Framework (IRF) allows you to build an IRF, namely a united device, by interconnecting multiple devices through IRF ports. You can manage all the devices in the IRF by managing the united device. This document describes: IRF overview; IRF workin...

  • Page 25: Appendix A  Acronyms

    Appendix A Acronyms (# A B C D E F G H I K L M N O P Q R S T U V W X Z). Acronym / full spelling: 10GE Ten-GigabitEthernet; AAA Authentication, Authorization and Accounting; ABC Activity Based Costing; ABR Area Border Router; AC Alternating Current; ACK Acknowledgement; ACL Access Control...

  • Page 26

    Acronym / full spelling: BGP Border Gateway Protocol; BIMS Branch Intelligent Management System; BOOTP Bootstrap Protocol; BPDU Bridge Protocol Data Unit; BRI Basic Rate Interface; BSR Bootstrap Router; BT BitTorrent; BT Burst Tolerance; CA Call Appearance; CA Certificate Authority; CAR Committed A...

  • Page 27

    Acronym / full spelling: CV Connectivity Verification; DAR Deeper Application Recognition; DCE Data Circuit-terminating Equipment; DD Database Description; DDN Digital Data Network; DHCP Dynamic Host Configuration Protocol; DIS Designated IS; DLCI Data Link Connection Identifier; DLDP Device Link De...

  • Page 28

    Acronym / full spelling: FDI Forward Defect Indication; FEC Forwarding Equivalence Class; FFD Fast Failure Detection; FG Forwarding Group; FIB Forwarding Information Base; FIFO First In First Out; FQDN Fully Qualified Domain Name; FR Frame Relay; FRR Fast Reroute; FRTT Fairness Round Trip Time; FT Functional...

  • Page 29

    Acronym / full spelling: IBM International Business Machines; ICMP Internet Control Message Protocol; ICMPv6 Internet Control Message Protocol for IPv6; ID Identification/Identity; IEEE Institute of Electrical and Electronics Engineers; IETF Internet Engineering Task Force; IGMP Internet Group Managemen...

  • Page 30

    Acronym / full spelling: LACP Link Aggregation Control Protocol; LACPDU Link Aggregation Control Protocol Data Unit; LAN Local Area Network; LCP Link Control Protocol; LDAP Lightweight Directory Access Protocol; LDP Label Distribution Protocol; LER Label Edge Router; LFIB Label Forwarding Information Bas...

  • Page 31

    Acronym / full spelling: MLD Multicast Listener Discovery protocol; MLD-snooping Multicast Listener Discovery snooping; MMC Meet-Me Conference; Modem Modulator-Demodulator; MP Multilink PPP; MP-BGP Multiprotocol Extensions for BGP-4; MPE Middle-level PE; MP-group Multilink Point to Point Protocol group; M...

  • Page 32

    Acronym / full spelling: NMS Network Management Station; NPDU Network Protocol Data Unit; NPE Network Provider Edge; NQA Network Quality Analyzer; NSAP Network Service Access Point; NSC NetStream Collector; N-SEL NSAP Selector; NSSA Not-So-Stubby Area; NTDP Neighbor Topology Discovery Protocol; NTP Network...

  • Page 33

    Acronym / full spelling: PoE Power over Ethernet; POP Point of Presence; POS Packet over SDH; PPP Point-to-Point Protocol; PPTP Point to Point Tunneling Protocol; PPVPN Provider-Provisioned Virtual Private Network; PQ Priority Queuing; PRC Primary Reference Clock; PRI Primary Rate Interface; PS Protection ...

  • Page 34

    Acronym / full spelling: RPR Resilient Packet Ring; RPT Rendezvous Point Tree; RRPP Rapid Ring Protection Protocol; RSB Reservation State Block; RSOH Regenerator Section Overhead; RSTP Rapid Spanning Tree Protocol; RSVP Resource Reservation Protocol; RTCP Real-time Transport Control Protocol; RTE Route T...

  • Page 35

    Acronym / full spelling: SPF Shortest Path First; SPT Shortest Path Tree; SSH Secure Shell; SSM Synchronization Status Marker; SSM Source-Specific Multicast; ST Shared Tree; STM-1 SDH Transport Module-1; STM-16 SDH Transport Module-16; STM-16c SDH Transport Module-16c; STM-4c SDH Transport Module-4c; S...

  • Page 36

    Acronym / full spelling: VBR Variable Bit Rate; VCI Virtual Channel Identifier; VE Virtual Ethernet; VFS Virtual File System; VLAN Virtual Local Area Network; VLL Virtual Leased Lines; VoD Video on Demand; VoIP Voice over IP; VOS Virtual Operate System; VPDN Virtual Private Dial-up Network; VPDN V...

  • Page 37: Access Volume Organization

    Access Volume organization. Manual version 20091015-C-1.00; product version Release 6605 and later. Organization: the Access Volume is organized as follows. Feature / description: Ethernet port. This document describes: combo port configuration; management Ethernet interface configuration; basic Ethern...

  • Page 38

    Feature / description: service loopback group. To increase service redirecting throughput, you can bundle multiple service loopback ports into a logical link, called a service loopback group. This document describes: introduction to service loopback groups; configuring a service loopback group. Loopb...

  • Page 39

    Feature / description: BPDU tunnel. BPDU tunneling enables transparent transmission of customer network BPDU frames over the service provider network. This document describes: introduction to BPDU tunnel; configuring BPDU tunnel. VLAN mapping: the VLAN mapping feature maps CVLAN tags to SVLAN tags. ...

  • Page 40: Table of Contents

    Table of contents: 1 Ethernet Port Configuration (1-1); Ethernet Port Configuration ...

  • Page 41: Ethernet Port Configuration

    1 Ethernet port configuration. The S7900E series Ethernet switches are distributed devices supporting Intelligent Resilient Framework (IRF). Two S7900E series switches can be connected together to form a distributed IRF device. For an introduction to IRF, refer to IRF in the System Volume. When configuring E...

  • Page 42

    For a combo port, only one port (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port becomes inactive automatically, and vice versa. You can use the display port combo command to display the combo ports on the cur...

  • Page 43

    Similarly, if you configure the transmission rate for an Ethernet port by using the speed command with the auto keyword specified, the transmission rate is also determined through auto-negotiation. For a 100 Mbps or Gigabit Layer 2 Ethernet port, you can specify the transmission rate by its auto-...

  • Page 44

    For an S7900E series Ethernet switch in an IRF, its 100-Mbps, GE and 10GE ports are numbered in the format interface-type A/B/C/D; for an S7900E series Ethernet switch not in any IRF, its 100-Mbps, GE and 10GE ports are numbered in the format interface-type B/C/D. A: number of the switch...

  • Page 45

    To do… / Use the command… / Remarks. Enter system view: system-view. Enter Ethernet port or ONU port view: interface interface-type interface-number. Configure the physical-link-down-state change suppression time: link-delay delay-time (required; disabled by default). Follow these steps to configure the suppr...

  • Page 46

    As for the internal loopback test and the external loopback test, if a port is down, only the former is available on it; if the port is shut down, both are unavailable. The speed, duplex, mdi, and shutdown commands are not applicable during loopback testing. With loopback testing enabled, ...

  • Page 47

    Figure 1-1 An application diagram of auto-negotiation transmission rate. As shown in Figure 1-1, the network card transmission rate of the server group (Server 1, Server 2, and Server 3) is 1000 Mbps, and the transmission rate of GigabitEthernet 2/0/4, which provides access to the external networ...

  • Page 48

    ...traffic on the port exceeds the threshold, the system discards packets until the traffic drops below the threshold. The storm suppression ratio settings configured for an Ethernet port may become invalid if you enable storm constrain for the port. For information about the storm constrain fu...

  • Page 49

    To do… / Use the command… / Remarks. interface interface-type interface-number. Configure the interval for collecting port statistics: flow-interval interval (optional; by default, the interval for collecting port statistics is 300 seconds). Enabling forwarding of jumbo frames: due to the tremendous amount of ...

  • Page 50

    When a loop is detected on an access port, the device operates on the port according to the pre-configured loopback detection actions, sends trap messages and log information to the terminal, and deletes the corresponding MAC address forwarding entry. When a loop is detected on a trunk port or ...

  • Page 51

    Configuring the MDI mode for an Ethernet port. The optical port of an SFP or XFP port does not support this function. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port on a ...

  • Page 52

    Testing the cable on an Ethernet port. The optical port of an SFP or XFP port does not support this feature. The support of other Ethernet ports for this feature depends on the device model. A link in the up state goes down and then up automatically if you perform the operation described in ...

  • Page 53

    Follow these steps to configure the storm constrain function on an Ethernet port (To do… / Use the command… / Remarks). Enter system view: system-view. Set the interval for generating traffic statistics: storm-constrain interval seconds (optional; 10 seconds by default). Enter Ethernet port view: interface...

  • Page 54

    Configuring the connection mode of an Ethernet port. This feature is supported on the internal 10GE ports. When configuring an OAA application, to ensure normal communication between the device and the OAP card, you need to set the connection mode of the 10GE ports connecting the device and...

  • Page 56: Table of Contents

    Table of contents: 1 Link Aggregation Configuration (1-1); Overview ...

  • Page 57

    1 Link aggregation configuration. When configuring link aggregation, go to these sections for the information you are interested in: overview; link aggregation configuration task list; configuring an aggregation group; configuring an aggregate interface; configuring load sharing for link aggreg...

  • Page 58

    Aggregation group: an aggregation group is created automatically when you create an aggregate interface and is numbered the same as the aggregate interface. You can assign Ethernet interfaces to the aggregation group to create a link aggregation, but the type of Ethernet interface assignable to the ...

  • Page 59

    Switches of the S7900E series that support extended LACP functions can function as both member devices and intermediate devices in LACP MAD implementation. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see IRF in the System Volume. Operational key: w...

  • Page 60

    Link aggregation modes. Depending on the link aggregation procedure, link aggregation operates in one of the following two modes. Static aggregation mode: static aggregation is stable. After a static link aggregation group is configured, the selected state of the member ports will not be affect...

  • Page 61

    ...determine port state based on the port IDs on the end with the preferred system ID. The following is the detailed negotiation procedure: compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lower LACP ...

  • Page 62

    The maximum total number of load-sharing aggregation groups and load-sharing service loopback groups supported on an S7900E series Ethernet switch is 128. For more information about service loopback groups, see Service Loopback Group Configuration in the Access Volume. After hardware resourc...

  • Page 63

    Configuring a static aggregation group. Follow these steps to configure a static aggregation group (To do… / Use the command… / Remarks). Enter system view: system-view. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number...

  • Page 64

    To do… / Use the command… / Remarks. Configure the aggregation group to work in dynamic aggregation mode: link-aggregation mode dynamic (required; by default, an aggregation group works in static aggregation mode). Exit to system view: quit. Enter Layer 2 Ethernet interface view: interface interface-t...

  • Page 65

    ...MAC address table synchronization manually, depending on their types and operating modes, as shown in Figure 1-1. As shown in the figure, you need to enable MAC address table synchronization for cards in different areas or for different types of cards in the same area. For example, if link aggregatio...

  • Page 66

    Configuring the description of an aggregate interface. Follow these steps to configure the description of an aggregate interface (To do… / Use the command… / Remarks). Enter system view: system-view. Enter aggregate interface view: interface bridge-aggregation interface-number. Configure the descr...

  • Page 67

    To do… / Use the command… / Remarks. Shut down the aggregate interface: shutdown (required; by default, aggregate interfaces are up). You are recommended not to perform the undo shutdown and then shutdown commands on a member port of the aggregation group corresponding to an aggregate interface that...

  • Page 68

    Currently, when you configure load-balancing link aggregation groups in system view, the switch supports configuring hash keys in the following modes: use a source IP address, a destination IP address, a source MAC address, or a destination MAC address alone as a hash key; combine a source ...
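    The choice of hash key decides how flows spread over the member links, and a key that is constant for a given traffic pattern (for example source IP alone, when one server talks to many clients) sends everything down one link. The following Python model is an added example, not code from the 3Com manual; the switch's real hash function is not given on this page, so CRC32 is used as a stand-in, and the mode strings ("source-ip", "source-ip+destination-ip", ...) and the sample flows are the example's own labels and constructed data.

```python
"""Member-link selection for a load-sharing aggregation group under the
hash-key modes listed in the manual (single field, or a combination).
Illustrative model: CRC32 stands in for the switch's undocumented hash."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


# Field names used in the mode string (example's own labels, not switch CLI syntax).
_FIELDS = {
    "source-ip": lambda f: f.src_ip,
    "destination-ip": lambda f: f.dst_ip,
    "source-mac": lambda f: f.src_mac,
    "destination-mac": lambda f: f.dst_mac,
}


def hash_key(flow: Flow, mode: str) -> bytes:
    """Build the hash input: one field, or several joined with '+' (e.g. 'source-ip+destination-ip')."""
    parts = []
    for name in mode.split("+"):
        if name not in _FIELDS:
            raise ValueError(f"unknown hash-key field: {name!r}")
        parts.append(_FIELDS[name](flow))
    return "|".join(parts).encode()


def select_member(flow: Flow, mode: str, member_count: int) -> int:
    """Index of the selected member link (0 .. member_count-1) for this flow."""
    if member_count < 1:
        raise ValueError("an aggregation group needs at least one selected member")
    return zlib.crc32(hash_key(flow, mode)) % member_count


def distribution(flows, mode: str, member_count: int) -> list[int]:
    """How many of the given flows land on each member link."""
    counts = [0] * member_count
    for f in flows:
        counts[select_member(f, mode, member_count)] += 1
    return counts


def constructed_flows() -> list[Flow]:
    """Constructed sample: one server (10.1.1.10) answering eight different clients."""
    return [
        Flow("00aa.bb00.0001", f"00cc.dd00.00{i:02x}", "10.1.1.10", f"10.2.0.{i}")
        for i in range(1, 9)
    ]


if __name__ == "__main__":
    flows = constructed_flows()
    for mode in ("source-ip", "destination-ip", "source-ip+destination-ip"):
        # With a 3-link group, "source-ip" puts all eight flows on one link.
        print(f"{mode:28s} -> per-link flow counts {distribution(flows, mode, 3)}")
```

    The model is deterministic, so the same flow always maps to the same link (which is what keeps a flow's packets in order); what changes between modes is only how many distinct keys the traffic produces.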

  • Page 69

    Configuring the local-first load sharing mechanism for link aggregation. In an IRF, if the egress port for packets that enter a device is an aggregate interface, and the member ports of the corresponding link aggregation group are located on the current device as well as on other member devices ...

  • Page 70

    Link aggregation configuration examples. In an aggregation group, a port that is to become a selected port must be the same as the reference port in port attributes and class-two configurations. To keep these configurations consistent, you should configure the port manually. Reference port: select a po...

  • Page 71

    # Create Layer 2 aggregate interface Bridge-Aggregation 1. [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] quit # Assign Layer 2 Ethernet interfaces GigabitEthernet 2/0/1 through GigabitEthernet 2/0/3 to aggregation group 1. [DeviceA] interface gigabitethernet 2/0/1 [Devi...

  • Page 72

    [DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic [DeviceA-Bridge-Aggregation1] quit # Assign Layer 2 Ethernet interfaces GigabitEthernet 2/0/1 through GigabitEthernet 2/0/3 to aggregation group 1. [DeviceA] interface gigabitethernet 2/0/1 [DeviceA-GigabitEthernet2/0/1] port link-aggr...

  • Page 73

    [DeviceA] interface gigabitethernet 2/0/1 [DeviceA-GigabitEthernet2/0/1] port link-aggregation group 1 [DeviceA-GigabitEthernet2/0/1] quit [DeviceA] interface gigabitethernet 2/0/2 [DeviceA-GigabitEthernet2/0/2] port link-aggregation group 1 [DeviceA-GigabitEthernet2/0/2] quit # Create a Layer ...

  • Page 74: Table of Contents

    Table of contents: 1 Port Isolation Configuration (1-1); Introduction to Port Isolation ...

  • Page 75: Port Isolation Configuration

    1 Port isolation configuration. When configuring port isolation, go to these sections for the information you are interested in: introduction to port isolation; configuring the isolation group; displaying and maintaining isolation groups; port isolation configuration example. Introduction to port...

  • Page 76

    To do… / Use the command… / Remarks. Assign the port or ports to the isolation group as isolated ports: port-isolate enable (required; no ports are added to the isolation group by default). After you configure a command on a Layer 2 aggregate interface, the system starts applying the configura...

  • Page 77

    Figure 1-1 Networking diagram for port isolation configuration. Configuration procedure: # Add ports GigabitEthernet 2/0/1, GigabitEthernet 2/0/2 and GigabitEthernet 2/0/3 to the isolation group. system-view [Device] interface gigabitethernet 2/0/1 [Device-GigabitEthernet2/0/1] port-isolate enable...

  • Page 78: Table of Contents

    Table of contents: 1 Service Loopback Group Configuration (1-1); Overview ...

  • Page 79

    1 Service loopback group configuration. When configuring a service loopback group, go to these sections for the information you are interested in: overview; configuring a service loopback group; displaying and maintaining service loopback groups; configuration example. Overview: functions of servi...

  • Page 80

    The port is not configured with MSTP, 802.1X, MAC address authentication, port security mode, or IP source guard, and is not a member port of an isolation group. Additionally, a member port of a service loopback group cannot be configured with any of the above-mentioned features. The port bel...

  • Page 81

    The maximum total number of load-sharing aggregation groups and load-sharing service loopback groups supported on an S7900E series Ethernet switch is 128. For more information about aggregation groups, see Link Aggregation Configuration in the Access Volume. You can change the service type o...

  • Page 82

    [DeviceA] interface tunnel 1 [DeviceA-Tunnel1] service-loopback-group 1

  • Page 83: Table of Contents

    Table of contents: 1 Loopback Interface and Null Interface Configuration (1-1); Loopback Interface ...

  • Page 84: Configuration

    1 Loopback interface and null interface configuration. When configuring loopback interfaces and null interfaces, go to these sections for the information you are interested in: loopback interface; null interface; displaying and maintaining loopback and null interfaces. Loopback interface: introduct...

  • Page 85

    To do… / Use the command… / Remarks. Create a loopback interface and enter loopback interface view: interface loopback interface-number. Set a description for the loopback interface: description text (optional; by default, the description of an interface is the interface name followed by “Interface”...

  • Page 86

    To do… / Use the command… / Remarks. Enter null interface view: interface null 0 (required; the Null 0 interface is the default null interface on your device and cannot be manually created or removed). Set a description for the null interface: description text (optional; by default, the description of an in...

  • Page 87: Table of Contents

    Table of contents: 1 MSTP Configuration (1-1); Overview ...

  • Page 88: Mstp Configuration

    1 MSTP configuration. When configuring MSTP, go to these sections for the information you are interested in: overview; introduction to STP; introduction to RSTP; introduction to MSTP; MSTP configuration task list; configuring MSTP; remotely configuring MSTP for an ONU; displaying and maintai...

  • Page 89

    Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic concepts in STP. Root bridge: a tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire...

  • Page 90

    Figure 1-1 A schematic diagram of designated bridges and designated ports. All the ports on the root bridge are designated ports. Path cost: path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and...

  • Page 91

    For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: root bridge ID (represented by device priority); root path cost (related to the rate of the link connecting the port); designated bridge ID (represented by device priority); designated port ...

  • Page 92

    Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selecti...

  • Page 93

    Figure 1-2 Network diagram for the STP algorithm: Device A with priority 0 (ports AP1, AP2), Device B with priority 1 (ports BP1, BP2), Device C with priority 2 (ports CP1, CP2); link path costs 5, 10 and 4. Initial state of each device: Table 1-4 shows the initial state of each device. Table 1-4 Initial state of each device (device / port name / BPDU...

  • Page 94

    Device / comparison process / BPDU of port after comparison. Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. ...

  • Page 95

    Device / comparison process / BPDU of port after comparison. After comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus the path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus the path cost corresponding to C...
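    The election walked through on pages 91 to 95 (each device starts by claiming to be root, ports exchange the four-field configuration BPDU, the smaller BPDU wins field by field, the root port is the port with the lowest root path cost after adding the local link cost, and every other port is either designated or blocked) can be run as a small simulation. The Python below is an added example and not code from the 3Com manual; it encodes the Figure 1-2 topology as given on these pages (priorities 0, 1, 2; link costs 5 on AP1-BP1, 10 on AP2-CP1, 4 on BP2-CP2, the last two taken from the page 95 arithmetic), uses the device priority in place of the full bridge ID exactly as the manual's simplified BPDUs do, and treats "blocked" as the manual's non-forwarding outcome for a port that neither becomes root port nor wins designation.

```python
"""STP election on the manual's Figure 1-2 topology, using the four-field
configuration BPDU (root ID, root path cost, designated bridge ID,
designated port ID), compared field by field with the lower value winning."""
from dataclasses import dataclass


@dataclass
class Port:
    peer_bridge: str          # bridge at the far end of the link
    peer_port: str            # port name at the far end
    path_cost: int            # cost of the link attached to this port
    role: str = "designated"
    bpdu: tuple = ()          # best configuration BPDU currently held on this port


@dataclass
class Bridge:
    bridge_id: int            # device priority stands in for the bridge ID, as in the manual
    ports: dict[str, Port]


def stp_elect(bridges: dict[str, Bridge], max_rounds: int = 64) -> dict[str, str]:
    """Exchange BPDUs round by round until nothing changes; returns {"Bridge.port": role}."""
    # Initial state: every bridge claims to be root and every port is designated.
    for name, b in bridges.items():
        for pname, p in b.ports.items():
            p.role, p.bpdu = "designated", (b.bridge_id, 0, b.bridge_id, pname)
    for _ in range(max_rounds):
        changed = False
        for name, b in bridges.items():
            # Only designated ports transmit, so a port hears a BPDU only if its peer is designated.
            heard = {}
            for pname, p in b.ports.items():
                peer = bridges[p.peer_bridge].ports[p.peer_port]
                if peer.role == "designated":
                    heard[pname] = peer.bpdu
            # Root port: among BPDUs naming a better root than ourselves, the one with the
            # smallest (root, received cost + local link cost, designated bridge, designated port).
            candidates = {
                pname: (bp[0], bp[1] + b.ports[pname].path_cost, bp[2], bp[3])
                for pname, bp in heard.items() if bp[0] < b.bridge_id
            }
            root_port = min(candidates, key=candidates.get) if candidates else None
            if root_port is None:
                root_id, root_cost = b.bridge_id, 0          # nobody beats us: we are the root
            else:
                root_id, root_cost = candidates[root_port][:2]
            for pname, p in b.ports.items():
                if pname == root_port:
                    new = ("root", heard[pname])
                else:
                    designated = (root_id, root_cost, b.bridge_id, pname)
                    if pname in heard and heard[pname] < designated:
                        new = ("blocked", heard[pname])        # the peer's BPDU is superior
                    else:
                        new = ("designated", designated)
                if new != (p.role, p.bpdu):
                    p.role, p.bpdu = new
                    changed = True
        if not changed:
            return {f"{n}.{pn}": p.role for n, b in bridges.items() for pn, p in b.ports.items()}
    raise RuntimeError("STP did not converge")


def manual_topology() -> dict[str, Bridge]:
    """Figure 1-2: A (priority 0), B (1), C (2); AP1-BP1 cost 5, AP2-CP1 cost 10, BP2-CP2 cost 4."""
    return {
        "A": Bridge(0, {"AP1": Port("B", "BP1", 5), "AP2": Port("C", "CP1", 10)}),
        "B": Bridge(1, {"BP1": Port("A", "AP1", 5), "BP2": Port("C", "CP2", 4)}),
        "C": Bridge(2, {"CP1": Port("A", "AP2", 10), "CP2": Port("B", "BP2", 4)}),
    }


if __name__ == "__main__":
    for port, role in stp_elect(manual_topology()).items():
        print(port, role)
```

    Running it reproduces the manual's outcome: Device A is root with both of its ports designated, BP1 and CP2 are root ports, BP2 is designated on the B-C link, and CP1 is blocked because A's BPDU {0, 0, 0, AP2} beats the {0, 9, 2, CP1} that C could offer on that link. Changing a priority or a link cost in manual_topology and re-running shows how the tree moves, which is the same reasoning an attacker exploits when injecting a superior BPDU from an access port.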

  • Page 96

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This t...

  • Page 97

    Introduction to MSTP. Why MSTP: weaknesses of STP and RSTP. STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge ...

  • Page 98

    Basic concepts in MSTP. Figure 1-4 Basic concepts in MSTP: CST; Region A0 (VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST); Region B0 (VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to the CIST); Region C0 (VLAN 1 mapped to instance 1, VLAN 2 and...

  • Page 99

    VLAN-to-instance mapping table: as an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI...

  • Page 100

    During MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. That is not true of master ports: a master port on the MSTIs is a root port on the CIST. Roles of ports: MSTP calculation involves these port roles: root port, designated port, master port, alte...

  • Page 101

    Port states: in MSTP, port states fall into the following three. Forwarding: the port learns MAC addresses and forwards user traffic. Learning: the port learns MAC addresses but does not forward user traffic. Discarding: the port neither learns MAC addresses nor forwards user traffic. When...

  • Page 102

    1-15
      • Within an MST region, the packet is forwarded along the corresponding MSTI.
      • Between two MST regions, the packet is forwarded along the CST.
    Implementation of MSTP on devices. MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and use...

  • Page 103

    1-16 (MSTP configuration task list)
      Task                                          Remarks
      Enabling the MSTP feature                     Required
      Configuring an MST region                     Required
      Configuring the work mode of an MSTP device   Optional
      Configuring the timeout factor                Optional
      Configuring the maximum port rate             Optional
      Configuring ports as edge ports               Optional
      Configuring path costs of ports               Opt...

  • Page 104

    1-17 An S7900E switch installed with an OLT card can work as an EPON OLT. In this case, you can remotely configure STP/RSTP/MSTP for ONUs in ONU port view to remove loops between attached ONUs, and you can also remotely configure RSTP for UNIs on an ONU to remove loops between UNIs and terminal users....

  • Page 105

    1-18
      • Two or more MSTP-enabled devices belong to the same MST region only if they are configured with the same format selector (0 by default, not configurable), the same MST region name, the same VLAN-to-instance mapping entries in the MST region and the same MST region revision level, and they are inter...

  • Page 106

    1-19 Configuring the current device as a secondary root bridge of a specific spanning tree. Follow these steps to configure the current device as a secondary root bridge of a specific spanning tree:
      To do...                                  Use the command...   Remarks
      Enter system view                         system-view          —
      Configure the current device as a ...

  • Page 107

    1-20 ...the priority of a device to a low value, you can specify the device as the root bridge of the spanning tree. An MSTP-enabled device can have different priorities in different MSTIs. Make this configuration on the root bridge only. Follow these steps to configure the priority of a device in a sp...

  • Page 108

    1-21 Follow these steps to configure the network diameter of a switched network:
      To do...                                                  Use the command...              Remarks
      Enter system view                                         system-view                     —
      Configure the network diameter of the switched network    stp bridge-diameter diameter    Required; 7 by default
      • Based on the network diameter you configure...

  • Page 109

    1-22
      To do...                            Use the command...             Remarks
      Configure the forward delay timer   stp timer forward-delay time   Optional; 1,500 centiseconds (15 seconds) by default
      Configure the hello timer           stp timer hello time           Optional; 200 centiseconds (2 seconds) by default
      Configure the max age timer         stp timer max-age ti...

  • Page 110

    1-23 Sometimes a device may fail to receive a BPDU from the upstream device because the upstream device is busy. A spanning tree calculation that occurs in this case is not only unnecessary but also wastes network resources. In a very stable network, you can avoid such unwanted spanning tree ca...

  • Page 111

    1-24 Make this configuration on the root bridge and on the leaf nodes separately. Follow these steps to specify a port or a group of ports as edge ports:
      To do...                                                             Use the command...
      Enter system view                                                    system-view
      Enter Ethernet interface view, or Layer 2 aggregate interface view   int...

  • Page 112

    1-25 Table 1-7 Link speed vs. path cost
      Link speed   Duplex state             802.1D-1998   802.1T        Private standard
      0            —                        65535         200,000,000   200,000
      10 Mbps      Single port              100           2,000,000     2,000
                   Aggregate link 2 ports   100           1,000,000     1,800
                   Aggregate link 3 ports   100           666,666       1,600
                   Aggregate link 4 ports   100           500,000       1,400
      100 M...

  • Page 113

    1-26
      • If you change the standard that the device uses to calculate the default path cost, the port path cost value set through the stp cost command becomes invalid.
      • When the path cost of a port is changed, MSTP recalculates the role of the port and initiates a state transition. If you use 0...

  • Page 114

    1-27
      • When the priority of a port is changed, MSTP recalculates the role of the port and initiates a state transition.
      • Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends...

  • Page 115

    1-28
      • dot1s: 802.1s-compliant standard format, and
      • legacy: compatible format.
    By default, the packet format recognition mode of a port is auto: the port automatically distinguishes the two MSTP packet formats and determines the format of the packets it sends based on the recognized format....

  • Page 117

    1-30 ...by then, you can perform an mCheck operation to force the port to migrate to MSTP (or RSTP) mode. You can perform mCheck on a port in either of the following two ways, which lead to the same result. Performing mCheck globally. Follow these steps to perform global mCheck:
      To do...   Use the co...

  • Page 118

    1-31 Before enabling digest snooping, ensure that the associated devices of different vendors are interconnected and run MSTP. Configuring the digest snooping feature. You can enable digest snooping only on a device that is connected to a third-party device that uses its private key to calculate the conf...

  • Page 119

    1-32 Digest snooping configuration example
    1) Network requirements
      • Device A and Device B connect to Device C, a third-party device, and all these devices are in the same region.
      • Enable digest snooping on Device A and Device B so that the three devices can communicate with one another.
    Figure 1-6...
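    The configuration digest that decides region membership (the "same region" rules on the previous pages, and the reason digest snooping is needed when a third-party device uses a private key) is an HMAC-MD5 defined in IEEE 802.1s. The following is an added example, not code from the manual or the switch firmware: it builds the VLAN-to-instance table, computes the digest with the standard key, and compares two region configurations. The region name "example" and the VLAN mappings are the ones from the manual's MSTP configuration example; the all-zero "private key" used for the third-party device is a constructed stand-in.

```python
"""MST configuration digest (IEEE 802.1s / 802.1Q clause 13.7).

Added example; not code from the 3Com manual. The MST Configuration
Identifier in every MSTP BPDU carries format selector, region name,
revision level and a 16-byte digest. The digest is HMAC-MD5, keyed with
the fixed 802.1s key, over the configuration table: 4096 two-octet MSTIDs
(VID 0..4095, big-endian), VIDs not explicitly mapped belonging to MSTI 0
(the CIST). Two bridges are in the same region only if all four fields
match. A vendor that keys the HMAC differently produces a digest no
standard bridge recognises; that is the situation "digest snooping" exists for.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")  # key from 802.1s


def config_table(vlan_to_instance: Dict[int, int]) -> bytes:
    """Build the 8192-byte configuration table (MSTID for every VID)."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094 or not 0 <= msti <= 4094:
            raise ValueError(f"bad mapping VLAN {vid} -> MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def config_digest(vlan_to_instance: Dict[int, int], key: bytes = MST_DIGEST_KEY) -> str:
    """16-byte digest as upper-case hex, the way devices display it."""
    return hmac.new(key, config_table(vlan_to_instance), hashlib.md5).hexdigest().upper()


@dataclass
class Region:
    name: str
    revision: int
    mapping: Dict[int, int] = field(default_factory=dict)
    key: bytes = MST_DIGEST_KEY          # a third-party "private key" differs here
    format_selector: int = 0             # fixed at 0, not configurable


def same_region(a: Region, b: Region) -> bool:
    """Region membership test as a receiving bridge performs it: compare the
    four fields of the MST Configuration Identifier, digest included."""
    return (a.format_selector == b.format_selector
            and a.name == b.name
            and a.revision == b.revision
            and config_digest(a.mapping, a.key) == config_digest(b.mapping, b.key))


# Mapping from the manual's configuration example (region "example").
EXAMPLE_MAPPING = {10: 1, 30: 3, 40: 4}

if __name__ == "__main__":
    print("default mapping digest :", config_digest({}))   # AC36177F50283CD4B83821D8AB26DE62
    print("region 'example' digest:", config_digest(EXAMPLE_MAPPING))
    third_party = Region("example", 0, EXAMPLE_MAPPING, key=bytes(16))  # constructed private key
    print("same region as standard bridge:", same_region(Region("example", 0, EXAMPLE_MAPPING), third_party))
```

The digest for the default mapping (every VLAN in MSTI 0) is the value a standards-compliant bridge displays with no region configuration; compare it against `display stp region-configuration` output when debugging a region split. Note that the digest, not the mapping, is what crosses the wire, so two bridges whose mappings differ by a single VLAN silently end up in different regions with the CST in between.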

  • Page 120

    1-33 Figure 1-7 shows the rapid state transition mechanism on MSTP designated ports. Figure 1-7 Rapid state transition of an MSTP designated port. Figure 1-8 shows the rapid state transition of an RSTP designated port. Figure 1-8 Rapid state transition of an RSTP designated port (figure labels: root port, designated port...

  • Page 121

    1-34
      To do...                                                             Use the command...                          Remarks
      Enter system view                                                    system-view                                 —
      Enter Ethernet interface view, or Layer 2 aggregate interface view   interface interface-type interface-number   Enter interface view or port group view: required, use either command...
      Enter port group view                                                port-group manual port-group-name

  • Page 122

    1-35 Configuration prerequisites: MSTP has been correctly configured on the device. Enabling BPDU guard. On access layer devices, the access ports generally connect directly to user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow rapid t...

  • Page 123

    1-36 Follow these steps to enable root guard:
      To do...                                                             Use the command...                          Remarks
      Enter system view                                                    system-view                                 —
      Enter Ethernet interface view, or Layer 2 aggregate interface view   interface interface-type interface-number   Enter interface view or port group view
      Enter port group view                                                port-group manu...
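    The BPDU comparison worked through on the "device comparison process" page above (CP2 at cost 9 beating CP1 at cost 10) and the root guard described here are the same calculation seen from two sides: a bridge adds its receiving port's path cost to the root path cost in the BPDU, picks the lowest priority vector as its root port, and with root guard it refuses to let a designated port be turned into a root port by a superior BPDU arriving from below. The following is an added example, not code from the manual or the switch: bridge IDs, port names and the rogue bridge are constructed to reproduce the manual's CP1/CP2 numbers.

```python
"""Configuration-BPDU comparison, root-port election and a root-guard check.

Added example; not code from the 3Com manual. STP/RSTP compare BPDUs as a
priority vector: lower root bridge ID wins, then lower root path cost, then
lower designated bridge ID, then lower designated port ID. The bridge adds
the cost of its own receiving port before comparing, which is exactly the
manual's CP1/CP2 arithmetic. Bridge IDs, costs and port names below are
constructed; the root-guard rule mirrors the manual's description (a guarded
designated port that hears a superior BPDU is blocked instead of becoming a
root port).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Bpdu:
    root_id: int           # bridge priority << 48 | bridge MAC; lower is better
    root_path_cost: int    # sender's cost to the root
    bridge_id: int         # sender's bridge ID
    port_id: int           # sender's port ID


@dataclass
class Port:
    name: str
    path_cost: int                   # cost of the attached link (Table 1-7 values)
    received: Optional[Bpdu] = None  # last configuration BPDU received


def root_path_cost_via(port: Port) -> Optional[int]:
    """Cost to the root if this port were the root port: BPDU cost + link cost."""
    if port.received is None:
        return None
    return port.received.root_path_cost + port.path_cost


def priority_vector(port: Port) -> Tuple[int, int, int, int]:
    b = port.received
    return (b.root_id, root_path_cost_via(port), b.bridge_id, b.port_id)


def elect_root_port(ports: Iterable[Port]) -> Optional[Port]:
    """The port with the lowest priority vector becomes the root port."""
    candidates = [p for p in ports if p.received is not None]
    return min(candidates, key=priority_vector) if candidates else None


def root_guard_violation(port: Port, current_root_id: int,
                         current_root_cost: int) -> bool:
    """True if the BPDU on this (designated, root-guarded) port is superior to
    the bridge's current root information, i.e. it would make the port a root
    port. Root guard then holds the port in discarding instead of re-electing,
    so a switch plugged into an access port cannot take over as root."""
    if port.received is None:
        return False
    offered = (port.received.root_id, root_path_cost_via(port))
    return offered < (current_root_id, current_root_cost)


# Constructed reproduction of the manual's worked case: both BPDUs carry the
# same root ID; CP1 hears cost 0 over a 10-cost link, CP2 hears cost 5 over a
# 4-cost link, so CP2 (9) beats CP1 (10).
ROOT = 0x8000_000F_E200_0001
CP1 = Port("CP1", path_cost=10, received=Bpdu(ROOT, 0, 0x8000_000F_E200_0002, 0x8001))
CP2 = Port("CP2", path_cost=4, received=Bpdu(ROOT, 5, 0x8000_000F_E200_0003, 0x8001))

# Constructed rogue: a bridge with a lower (better) root ID appearing on an
# access port that is root-guarded.
ROGUE = Port("Access1", path_cost=4,
             received=Bpdu(0x1000_0000_0000_0001, 0, 0x1000_0000_0000_0001, 0x8001))

if __name__ == "__main__":
    print("root path cost via CP1:", root_path_cost_via(CP1))   # 10
    print("root path cost via CP2:", root_path_cost_via(CP2))   # 9
    print("root port:", elect_root_port([CP1, CP2]).name)       # CP2
    print("root guard trips on Access1:", root_guard_violation(ROGUE, ROOT, 9))
```

The comparison is a plain tuple ordering, which is why a single rogue BPDU with a low bridge priority wins against every legitimate one; root guard on edge-facing ports, or BPDU guard where no BPDU should ever arrive, is what keeps that from redrawing the topology.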

  • Page 124

    1-37 Enabling TC-BPDU guard. When receiving topology change (TC) BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch receives a large number of TC-BPDUs within a short time and is busy with...
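    The attack this page describes is cheap to mount and expensive to absorb: every accepted TC BPDU empties the MAC table, so until re-learning completes all unicast is flooded and the CPU is busy. The guard is a rate limit on how many TC BPDUs may trigger a flush per interval. The block below is an added example, not the switch's own implementation; the threshold of 6 per 10 seconds and the sample arrival times are constructed for illustration and are not values taken from the manual.

```python
"""TC-BPDU guard modelled as a sliding-window rate limiter.

Added example; not code from the 3Com manual. At most `threshold` TC BPDUs
per `window` seconds on a port may trigger a MAC-address flush; the rest
are suppressed for the remainder of the window, so a forged flood costs a
bounded number of flushes while a genuine topology change after the
window is still honoured. Threshold, window and event times are assumptions.
"""
from collections import deque
from typing import Iterable, Tuple


class TcGuard:
    def __init__(self, threshold: int = 6, window: float = 10.0):
        if threshold < 1 or window <= 0:
            raise ValueError("threshold must be >= 1 and window > 0")
        self.threshold = threshold
        self.window = window
        self.accepted = deque()   # timestamps of TC BPDUs that triggered a flush
        self.suppressed = 0       # TC BPDUs dropped because the window was full

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC BPDU may trigger a MAC-address flush."""
        while self.accepted and now - self.accepted[0] >= self.window:
            self.accepted.popleft()           # expire timestamps outside the window
        if len(self.accepted) < self.threshold:
            self.accepted.append(now)
            return True
        self.suppressed += 1
        return False


def simulate(event_times: Iterable[float], threshold: int = 6,
             window: float = 10.0) -> Tuple[int, int]:
    """Feed TC BPDU arrival times (seconds) through one port's guard and
    return (flushes performed, TC BPDUs suppressed)."""
    guard = TcGuard(threshold, window)
    flushes = sum(1 for t in event_times if guard.on_tc_bpdu(t))
    return flushes, guard.suppressed


# Constructed traffic: 50 forged TC BPDUs in one second, then one real
# topology change 30 seconds later.
FORGED_BURST = [i * 0.02 for i in range(50)]
REAL_CHANGE = [30.0]

if __name__ == "__main__":
    print("burst only     :", simulate(FORGED_BURST))                 # (6, 44)
    print("burst + real TC:", simulate(FORGED_BURST + REAL_CHANGE))   # (7, 44)
```

The interesting operational signal is the `suppressed` counter: a port that is routinely suppressing TC BPDUs either faces a flapping link or something generating them on purpose, and either way it is not a port that should be receiving BPDUs at all if it is an edge port.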

  • Page 125

    1-38
      • When STP is enabled globally on an OLT switch, you must enable STP on all ONUs.
      • STP runs normally only when all attached ONUs are 3Com ONUs.
      • STP configurations in the system view of the OLT switch take effect on all attached ONUs.
      • An ONU port supports only MSTI 0 among all MSTIs. Theref...

  • Page 126

    1-39 MSTP configuration commands in ONU port view are the same as those in Ethernet port view, and thus are not described separately. Displaying and maintaining MSTP:
      To do...                                          Use the command...          Remarks
      View information about abnormally blocked ports   display stp abnormal-port   Available in any view
      Vie...

  • Page 127

    1-40 Figure 1-10 Network diagram for MSTP configuration (figure labels: GE 2/0/1 on each device). Configuration procedure
    1) VLAN and VLAN member port configuration. Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and c...

  • Page 128

    1-41
      system-view
      [DeviceB] stp region-configuration
      [DeviceB-mst-region] region-name example
      [DeviceB-mst-region] instance 1 vlan 10
      [DeviceB-mst-region] instance 3 vlan 30
      [DeviceB-mst-region] instance 4 vlan 40
      [DeviceB-mst-region] revision-level 0
      # Activate MST region configuration.
      [DeviceB-mst...

  • Page 129

    1-42 # Activate MST region configuration.
      [DeviceD-mst-region] active region-configuration
      [DeviceD-mst-region] quit
      # Enable MSTP globally.
      [DeviceD] stp enable
    6) Verifying the configurations. You can use the display stp brief command to display brief spanning tree information on each device after ...

  • Page 130

    1-43 (display stp brief output, continued)
      3   GigabitEthernet2/0/2   ALTE   DISCARDING   NONE
      4   GigabitEthernet2/0/3   ROOT   FORWARDING   NONE
    Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 1-11. Figure 1-11 MSTIs corresponding to different VLANs.

  • Page 131: Table of Contents

    Table of contents: 1 LLDP configuration (1-1); Overview ...

  • Page 132: Lldp Configuration

    1-1 1 LLDP configuration. When configuring LLDP, go to these sections for information you are interested in: • Overview • LLDP configuration task list • Performing basic LLDP configuration • Configuring CDP compatibility • Configuring LLDP trapping • Displaying and maintaining LLDP • LLDP configurati...

  • Page 133

    1-2 Figure 1-1 Ethernet II-encapsulated LLDP frame format. The fields in the frame are described in Table 1-1:
      Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
      Field                     Description
      Destination MAC address   The MAC address to which the LLDPDU is advertised. It is fixed to 0x0...

  • Page 134

    1-3 (Table continued: fields of a SNAP-encapsulated LLDP frame)
      Field                Description
      Source MAC address   The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
      Type                 The SNAP type for the upper-layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
      Data                 LLDPDU.
      FCS                  Frame check sequence, a 32-bit...

  • Page 135

    1-4 (Table continued: basic LLDP TLVs)
      Type                  Description                                                                                  Remarks
      Port description      Port description of the sending port.
      System name           Assigned name of the sending device.
      System description    Description of the sending device.
      System capabilities   Identifies the primary functions of the sending device and the primary functions that have be...

  • Page 136

    1-5 The power stateful control TLV is defined in IEEE P802.3at D1.0. Later versions no longer support this TLV. H3C devices send this type of TLV only after receiving it. LLDP-MED TLVs. LLDP-MED TLVs provide multiple advanced applications for Voice over IP (VoIP), such as basic configuration, ...

  • Page 137

    1-6
      • TxRx mode. A port in this mode sends and receives LLDP frames.
      • Tx mode. A port in this mode only sends LLDP frames.
      • Rx mode. A port in this mode only receives LLDP frames.
      • Disable mode. A port in this mode neither sends nor receives LLDP frames.
    Each time the LLDP operating mode of a port ...

  • Page 138

    1-7 (LLDP configuration task list, continued)
      Task                                                         Remarks
      Configuring the management address and its encoding format   Optional
      Setting other LLDP parameters                                Optional
      Setting an encapsulation format for LLDPDUs                  Optional
      Configuring CDP compatibility                                Optional
      Configuring LLDP trapping                                    Optional
    LLDP-related configurations made in Ethernet inte...

  • Page 139

    1-8
      To do...                        Use the command...                          Remarks
      Enter system view               system-view                                 —
      Enter Ethernet interface view   interface interface-type interface-number   Enter Ethernet interface view or port group view: required, use either command
      Enter port group view           port-group manual port-group-name
      Set the LLDP operating mod...

  • Page 140

    1-9
      To do...                             Use the command...                          Remarks
      Enter Ethernet interface view        interface interface-type interface-number   Enter Ethernet interface view or port group view: required, use either command
      Enter port group view                port-group manual port-group-name
      Configure the TLVs to be advertised  lldp tlv-enable { basi...

  • Page 141

    1-10 Setting other LLDP parameters. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be kept on a recipient device. You can configure the TTL of locally sent LLDP frames to determine how long information about the local device can be kept on a ne...
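    The frame format and TLV tables on the preceding pages, and the TTL rule above, are easiest to see with a real LLDPDU in hand. The block below is an added example, not code from the manual or the switch: it builds an Ethernet II-encapsulated LLDP frame with the mandatory Chassis ID, Port ID and TTL TLVs plus a System Name TLV, parses it back, enforces the mandatory-TLV ordering, and computes the TTL the way 802.1AB defines it (transmit interval multiplied by the hold multiplier, capped at 65535). The MAC addresses, port name and system name are constructed.

```python
"""Build and parse an Ethernet II LLDP frame; compute the TTL TLV value.

Added example; not code from the 3Com manual. An LLDPDU is a sequence of
TLVs, each a 7-bit type and 9-bit length followed by the value. The first
three must be Chassis ID (1), Port ID (2) and TTL (3); End of LLDPDU (0)
closes it. Everything in the frame (system name, description, management
address) is readable by anyone on the segment, which is why the manual's
example leaves user-facing ports in Rx mode.
"""
import struct
from typing import Dict

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
TLV_NAMES = {0: "End", 1: "ChassisID", 2: "PortID", 3: "TTL", 4: "PortDesc",
             5: "SystemName", 6: "SystemDesc", 7: "SystemCap", 8: "MgmtAddr"}


def ttl_value(tx_interval: int, hold_multiplier: int) -> int:
    """802.1AB: TTL = min(65535, msgTxInterval * msgTxHold)."""
    return min(65535, tx_interval * hold_multiplier)


def tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac: bytes, chassis_mac: bytes, port_name: str,
                ttl: int, sys_name: str) -> bytes:
    lldpdu = (tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)        # subtype 4 = MAC address
              + tlv(TLV_PORT_ID, b"\x05" + port_name.encode())   # subtype 5 = interface name
              + tlv(TLV_TTL, struct.pack("!H", ttl))
              + tlv(TLV_SYSTEM_NAME, sys_name.encode())
              + tlv(TLV_END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return TLV name -> value. Rejects non-LLDP, truncated frames, and
    frames whose mandatory TLVs are missing or out of order."""
    if (len(frame) < 14 or frame[:6] != LLDP_MULTICAST
            or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP):
        raise ValueError("not an LLDP frame")
    off, tlvs = 14, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated TLV header")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, n = hdr >> 9, hdr & 0x1FF
        if off + 2 + n > len(frame):
            raise ValueError("TLV length exceeds frame")   # never trust the length field
        tlvs.append((t, frame[off + 2:off + 2 + n]))
        off += 2 + n
        if t == TLV_END:
            break
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    out: Dict[str, object] = {}
    for t, v in tlvs:
        name = TLV_NAMES.get(t, f"type{t}")
        if t == TLV_TTL:
            out[name] = struct.unpack("!H", v)[0]
        elif t in (TLV_CHASSIS_ID, TLV_PORT_ID):
            out[name] = (v[0], v[1:])                       # (subtype, identifier)
        elif t in (TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC):
            out[name] = v.decode(errors="replace")
        else:
            out[name] = v
    return out


# Constructed sample: a switch advertising on GigabitEthernet2/0/1 with the
# 802.1AB defaults of a 30 s interval and hold multiplier 4.
SAMPLE = build_frame(bytes.fromhex("000fe2001122"), bytes.fromhex("000fe2001100"),
                     "GigabitEthernet2/0/1", ttl_value(30, 4), "SwitchA")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

A TTL of zero is a legitimate "forget me now" shutdown frame, and an LLDPDU whose length fields point past the end of the frame is the classic parser bug in this family of protocols; the parser above treats both deliberately rather than trusting the peer.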

  • Page 142

    1-11
      To do...                        Use the command...                          Remarks
      Enter system view               system-view                                 —
      Enter Ethernet interface view   interface interface-type interface-number   Enter Ethernet interface view or port group view: required, use either command
      Enter port group view           port-group manual port-group-name
      Set the encapsulation for...

  • Page 143

    1-12 Configuring CDP compatibility. CDP-compatible LLDP operates in one of the following two modes:
      • TxRx, where CDP packets can be transmitted and received.
      • Disable, where CDP packets can neither be transmitted nor received.
    To make CDP-compatible LLDP take effect on certain ports, first enable ...

  • Page 144

    1-13
      To do...                              Use the command...                             Remarks
      Quit to system view                   quit                                           —
      Set the interval to send LLDP traps   lldp timer notification-interval interval      Optional; 5 seconds by default
    Displaying and maintaining LLDP:
      To do...                                                                          Use the command...   Remarks
      Display the global LLDP information or the information contained...

  • Page 145

    1-14 Configuration procedure
    1) Configure Switch A.
      # Enable LLDP globally.
      system-view
      [SwitchA] lldp enable
      # Enable LLDP on GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 (you can skip this step because LLDP is enabled on ports by default), setting the LLDP operating mode to Rx.
      [SwitchA] interf...

  • Page 146

    1-15 (display output, continued)
      Number of neighbors            : 1
      Number of MED neighbors        : 1
      Number of CDP neighbors        : 0
      Number of sent optional TLV    : 0
      Number of received unknown TLV : 0
      Port 2 [GigabitEthernet2/0/2]:
      Port status of LLDP            : Enable
      Admin status                   : Rx_Only
      Trap flag                      : No
      Polling interval               : 0s
      Number of neighbors            : 1
      Numb...

  • Page 147

    1-16 (display output, continued)
      Port 2 [GigabitEthernet2/0/2]:
      Port status of LLDP            : Enable
      Admin status                   : Rx_Only
      Trap flag                      : No
      Polling interval               : 0s
      Number of neighbors            : 0
      Number of MED neighbors        : 0
      Number of CDP neighbors        : 0
      Number of sent optional TLV    : 0
      Number of received unknown TLV : 0
    As the sample output shows, ...

  • Page 148

    1-17 # Enable LLDP globally and enable LLDP to be compatible with CDP globally.
      [SwitchA] lldp enable
      [SwitchA] lldp compliance cdp
      # Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to operate in TxRx mode, and configure CDP-compatible LLDP to operate...

  • Page 149: Table of Contents

    Table of contents: 1 VLAN configuration (1-1); Introduction to VLAN ...

  • Page 150

    Table of contents (continued): Configuring the priority trust setting for voice VLAN traffic on an interface (4-5); Setting a port to operate in manual voice VLAN assignment mode (4-6); Displaying and maintaining voice VLAN ...

  • Page 151: Vlan Configuration

    1-1 1 VLAN configuration. When configuring VLAN, go to these sections for information you are interested in: • Introduction to VLAN • Configuring basic VLAN settings • Configuring basic settings of a VLAN interface • Port-based VLAN configuration • MAC-based VLAN configuration • Protocol-based VLAN c...

  • Page 152

    1-2 2) Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. 3) Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are r...

  • Page 153

    1-3
      • The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, Ethernet also supports other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN iden...

  • Page 154

    1-4
      • As the default VLAN, VLAN 1 cannot be created or removed.
      • You cannot manually create or remove VLANs reserved for special purposes.
      • Dynamic VLANs cannot be removed with the undo vlan command.
      • A VLAN with a QoS policy applied cannot be removed.
      • After associating an isolate-user-VLAN wit...

  • Page 155

    1-5 Before creating a VLAN interface for a VLAN, create the VLAN first. Port-based VLAN configuration. Introduction to port-based VLAN: port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type: you can configure the link type ...

  • Page 156

    1-6
      • Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. For information about voice VLANs, refer to Voice VLAN Configuration.
      • You are recommended to set the same default VLAN ID for the local and remote ports.
      • Ensure that a port is assigned to its d...

  • Page 157

    1-7
      To do...                                                   Use the command...     Remarks
      Enter VLAN view                                            vlan vlan-id           Required. If the specified VLAN does not exist, this command creates the VLAN first.
      Assign one or a group of access ports to the current VLAN  port interface-list    Required. By default, all ports belong to VLAN 1. In VLAN view, you only a...

  • Page 158

    1-8
      • Before assigning an access port to a VLAN, create the VLAN first.
      • After you configure a command on a Layer 2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interfac...

  • Page 159

    1-9
      • To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
      • After configuring the default VLAN for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the default VLAN to pass th...

  • Page 160

    1-10
      • To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first.
      • Before assigning a hybrid port to a VLAN, create the VLAN first.
      • After configuring the default VLAN for a hybrid port, you must use the port hybrid vlan command to configure t...

  • Page 161

    1-11 Dynamically assigning ports to VLANs based on MAC addresses. After a port on a device receives a packet with an unknown source MAC address, the device checks the list of MAC address-to-VLAN mappings for a match. If a match is found, the device dynamically learns the MAC address and assigns the r...

  • Page 162

    1-12
      To do...                        Use the command...                          Remarks
      Enter Ethernet interface view   interface interface-type interface-number   Enter Ethernet interface view or port group view: use either command. In Ethernet interface view, the subsequent configurations appl...
      Enter port group view           port-group manual port-group-name

  • Page 163

    1-13
      • If the packet matches a protocol template, the packet is tagged with the VLAN tag corresponding to the protocol template.
      • If the packet matches no protocol template, the packet is tagged with the default VLAN ID of the port.
    The port processes a tagged packet as it processes tagge...

  • Page 164

    1-14
      • Do not configure both the dsap-id and ssap-id arguments in the protocol-vlan command as 0xe0 or 0xff when configuring the user-defined template for LLC encapsulation. Otherwise, the encapsulation format of the matching packets will be the same as that of IPX LLC or IPX raw packets, respect...

  • Page 165

    1-15
      To do...                                       Use the command...                                          Remarks
      Associate an IP subnet with the current VLAN   ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]   Required. The IP network segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address.
      Return to system view                          q...

  • Page 167

    1-17 # Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
      system-view
      [DeviceA] vlan 2
      [DeviceA-vlan2] quit
      [DeviceA] vlan 100
      [DeviceA-vlan100] vlan 6 to 50
      Please wait... Done.
      # Enter GigabitEthernet 2/0/1 interface view.
      [DeviceA] interface gigabitethernet 2/0/1
      # Configure GigabitEthernet 2/0...

  • Page 168

    1-18 (display interface output, continued)
      VLAN passing  : 2, 6-50, 100
      VLAN permitted: 2, 6-50, 100
      Trunk port encapsulation: IEEE 802.1q
      Port priority: 0
      Last 300 seconds input:  0 packets/sec 0 bytes/sec
      Last 300 seconds output: 0 packets/sec 0 bytes/sec
      Input (total):  0 packets, 0 bytes
              0 broadcasts, 0 multicasts
      Input (normal): 0 pac...

  • Page 169: Super Vlan Configuration

    2-1 2 Super VLAN configuration. When configuring super VLAN, go to these sections for information you are interested in: • Overview • Configuring a super VLAN • Displaying and maintaining super VLAN • Super VLAN configuration example. Overview: super VLAN, also called VLAN aggregation, was introduced t...

  • Page 171

    2-3 Figure 2-1 Network diagram for super VLAN configuration. Configuration procedure:
      # Create VLAN 10, and configure the IP address of its VLAN interface as 10.0.0.1/24.
      system-view
      [Sysname] vlan 10
      [Sysname-vlan10] interface vlan-interface 10
      [Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
      # ...

  • Page 172

    2-4 (display supervlan output)
      Supervlan ID : 10
      Subvlan ID   : 2 3 5
      VLAN ID: 10
      VLAN Type: static
      It is a Super VLAN.
      Route Interface: not configured
      Description: VLAN 0010
      Name: VLAN 0010
      Tagged   Ports: none
      Untagged Ports: none
      VLAN ID: 2
      VLAN Type: static
      It is a Sub VLAN.
      Route Interface: not configured
      Description: VLAN 0...

  • Page 173

    3-1 3 Isolate-user-VLAN configuration. When configuring an isolate-user-VLAN, go to these sections for information you are interested in: • Overview • Configuring isolate-user-VLAN • Displaying and maintaining isolate-user-VLAN • Isolate-user-VLAN configuration example. Overview: an isolate-user-VLAN a...

  • Page 174

    3-2 3) Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN; 4) assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN; 5) associate ...

  • Page 175

    3-3 After associating an isolate-user-VLAN with the specified secondary VLANs, you cannot add an access port to, or remove one from, any of the involved VLANs, or remove any of the involved VLANs. To do that, you must cancel the association first. Displaying and maintaining isolate-user-VLAN:
      To do...   Use the command...   Rema...

  • Page 176

    3-4
      [DeviceB] vlan 5
      [DeviceB-vlan5] isolate-user-vlan enable
      [DeviceB-vlan5] port gigabitethernet 2/0/5
      [DeviceB-vlan5] quit
      # Configure the secondary VLANs.
      [DeviceB] vlan 3
      [DeviceB-vlan3] port gigabitethernet 2/0/1
      [DeviceB-vlan3] quit
      [DeviceB] vlan 2
      [DeviceB-vlan2] port gigabitethernet 2/0/2
      ...

  • Page 177

    3-5 (display isolate-user-vlan output, continued)
        GigabitEthernet2/0/1   GigabitEthernet2/0/2   GigabitEthernet2/0/5
      VLAN ID: 2
      VLAN Type: static
      Isolate-user-VLAN type : secondary
      Route Interface: not configured
      Description: VLAN 0002
      Name: VLAN 0002
      Tagged   Ports: none
      Untagged Ports:
        GigabitEthernet2/0/2   GigabitEthernet2/0/5
      VLAN ID: 3
      VLAN Type:...

  • Page 178: Voice Vlan Configuration

    4-1 4 Voice VLAN configuration. When configuring a voice VLAN, go to these sections for information you are interested in: • Overview • Configuring a voice VLAN • Displaying and maintaining voice VLAN • Voice VLAN configuration. Overview: a voice VLAN is configured specially for voice traffic. After as...

  • Page 179

    4-2
      • In general, as the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique identifier assigned to a vendor by the IEEE. The OUI addresses mentioned in this document, however, differ from OUI addresses in the common sense: OUI addresses in this document are used by the system ...

  • Page 180

    4-3 (Table continued)
      Voice VLAN assignment mode   Voice traffic type     Port link type
      ...                          Tagged voice traffic   Access: not supported.
                                                          Trunk: supported if the default VLAN of the connecting port exists, is not the voice VLAN, and the connecting port belongs to the default VLAN.
                                                          Hybrid: supported if the default VLAN of the co...

  • Page 181

    4-4 ...VLANs are vulnerable to traffic attacks. Malicious users can forge a large number of voice packets and send them to voice VLAN-enabled ports to consume the voice VLAN bandwidth, affecting normal voice communication.
      • Security mode: in this mode, only voice packets whose source MAC addresses compl...
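    The OUI check that separates normal mode from security mode is a masked MAC comparison. The block below is an added example, not code from the manual or the switch: it applies the OUI/mask match, returns the forwarding decision for each mode, and runs a constructed burst (two phones plus a forged flood from one non-phone MAC) through both modes so the difference in exposure is visible. The two OUI entries are the ones the manual's `display voice vlan oui` output shows; everything else is constructed.

```python
"""Voice-VLAN OUI matching and security-mode filtering.

Added example; not code from the 3Com manual. A port in automatic voice VLAN
assignment mode classifies a frame as voice by ANDing its source MAC with an
OUI mask and comparing the result with the configured OUI. In security mode,
only frames whose source MAC matches an OUI entry may enter the voice VLAN
and the rest are dropped; in normal mode non-matching frames are still
forwarded in the voice VLAN, which is the exposure the manual warns about.
"""
from collections import Counter
from typing import Iterable, List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept H3C 'xxxx-xxxx-xxxx' as well as colon and dot notations."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return int(digits, 16)


# (OUI address, OUI mask, description), as listed by 'display voice vlan oui'.
OUI_TABLE: List[Tuple[str, str, str]] = [
    ("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    ("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
]


def match_oui(src_mac: str, table=OUI_TABLE) -> Optional[str]:
    """Description of the first OUI entry the source MAC matches, else None."""
    m = mac_to_int(src_mac)
    for oui, mask, desc in table:
        mask_i = mac_to_int(mask)
        if m & mask_i == mac_to_int(oui) & mask_i:
            return desc
    return None


def voice_vlan_decision(src_mac: str, security_mode: bool = True,
                        table=OUI_TABLE) -> str:
    """'voice'  : matched an OUI, forwarded in the voice VLAN
       'drop'   : security mode, no OUI match, discarded
       'normal' : normal mode, no OUI match, still forwarded in the voice VLAN"""
    if match_oui(src_mac, table) is not None:
        return "voice"
    return "drop" if security_mode else "normal"


def classify_stream(src_macs: Iterable[str], security_mode: bool = True) -> Counter:
    """Count decisions over a burst of frames. In security mode a flood from
    forged non-phone MACs never reaches the voice VLAN."""
    return Counter(voice_vlan_decision(m, security_mode) for m in src_macs)


# Constructed burst: two real phones, then 20 frames from one attacker MAC.
SAMPLE_MACS = ["00e0-7512-3456", "00e0-bbaa-bbcc"] + ["0800-2700-dead"] * 20

if __name__ == "__main__":
    print("security mode:", dict(classify_stream(SAMPLE_MACS, True)))
    print("normal mode  :", dict(classify_stream(SAMPLE_MACS, False)))
```

The limit of the mechanism is visible in the code: the check is on the source MAC only, so an attacker who spoofs a phone vendor's OUI passes it. Security mode bounds the damage from careless hosts and naive floods, not from a deliberate adversary, which is the reason the chapter pairs it with the OUI list being kept tight.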

  • Page 182

    4-5
      To do...                         Use the command...                                              Remarks
      Add a recognizable OUI address   voice vlan mac-address oui mask oui-mask [ description text ]   Optional. By default, each voice VLAN has default OUI addresses configured. Refer to Table 4-1 for the default OUI addresses of different vendors.
      Enter Ethernet interfac...

  • Page 183

    4-6
      To do...                                                                               Use the command...
      Set the priority trust setting on the interface:
        Set the interface not to trust the priority carried in incoming voice VLAN traffic   voice vlan qos cos-value dscp-value
        Set the interface to trust the priority carried in incoming voice VLAN traffic       voice vlan qos tru...

  • Page 184

    4-7
      To do...                                                                  Use the command...                              Remarks
      Assign the port in manual voice VLAN assignment mode to the voice VLAN:
        Access port                                                             Refer to Assigning an access port to a VLAN.
        Trunk port                                                              Refer to Assigning a trunk port to a VLAN.
        Hybrid port                                                             Refer to Assigning a hybrid port to a VLAN.     Use one of the thre...

  • Page 185

    4-8
      • Device A uses voice VLAN 2 to transmit voice packets for IP phone A and voice VLAN 3 to transmit voice packets for IP phone B. Configure GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to work in automatic voice VLAN assignment mode. In addition, if one of them has not received any voice packe...

  • Page 186

    4-9
      [DeviceA-GigabitEthernet2/0/1] voice vlan 2 enable
      [DeviceA-GigabitEthernet2/0/1] quit
      # Configure GigabitEthernet 2/0/2.
      [DeviceA] interface gigabitethernet 2/0/2
      [DeviceA-GigabitEthernet2/0/2] voice vlan mode auto
      [DeviceA-GigabitEthernet2/0/2] port link-type hybrid
      [DeviceA-GigabitEthernet2/0...

  • Page 187

    4-10 Figure 4-2 Network diagram for manual voice VLAN assignment mode configuration. Configuration procedure:
      # Configure the voice VLAN to operate in security mode. (Optional. A voice VLAN operates in security mode by default.)
      system-view
      [DeviceA] voice vlan security enable
      # Add a recognizable OUI...

  • Page 188

    4-11 (display voice vlan oui output, continued)
      00e0-7500-0000   ffff-ff00-0000   Polycom phone
      00e0-bb00-0000   ffff-ff00-0000   3Com phone
      # Display the current voice VLAN state.
      display voice vlan state
      Maximum of Voice VLANs: 128
      Current Voice VLANs: 1
      Voice VLAN security mode: Security
      Voice VLAN aging time: 1440 minutes
      Voice VLAN enabled port...

  • Page 189: Table of Contents

    Table of contents: 1 GVRP configuration (1-1); Introduction to GVRP ...

  • Page 190: Gvrp Configuration

    1-1 1 GVRP configuration. The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for inform...

  • Page 191

    1-2
      • Hold timer: when a GARP application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This saves bandwidth.
      • Join timer: a GARP participant send...

  • Page 192

    1-3 Figure 1-1 GARP message format. Table 1-1 describes the GARP message fields.
      Table 1-1 Description of the GARP message fields
      Field         Description                                                                   Value
      Protocol ID   Protocol identifier for GARP                                                  1
      Message       One or multiple messages, each containing an attribute type and an attribute list   ––
      Attribute t...

  • Page 193

    1-4 GVRP. GVRP enables a device to propagate local VLAN registration information to other participant devices and to dynamically update its local database with the VLAN registration information received from other devices, recording which VLANs have active members and through which port they can be reached. It thus ensures that al...
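    The GARP message format on the previous page and the GVRP registration behaviour described here can be exercised together. The block below is an added example, not code from the manual or the switch: it encodes and decodes a GVRP PDU (Protocol ID 1, attribute type 1 for VID, attributes of Length/Event/Value, end marks) and then applies the GARP registrar administrative controls (normal, fixed, forbidden) to decide which VLANs end up registered on a port. The security point is the forbidden setting: it is what stops a host on an access port from registering VLANs it should never see. The sample PDU, port modes and VLAN numbers are constructed; the immediate handling of LeaveAll is a simplification of the standard's timer-based leave.

```python
"""Parse a GVRP (GARP) PDU and apply the GARP registrar controls.

Added example; not code from the 3Com manual. GARP PDU (IEEE 802.1D-1998,
12.10): 2-octet Protocol ID (1), then messages, each an Attribute Type
(1 = VID for GVRP) followed by attributes (Length, Event, Value) ended by a
0x00 end mark; a second 0x00 ends the message list. Events: 0 LeaveAll,
1 JoinEmpty, 2 JoinIn, 3 LeaveEmpty, 4 LeaveIn, 5 Empty. A LeaveAll
attribute has length 2 and no value. The registrar controls (normal /
fixed / forbidden) are the standard's administrative settings.
"""
import struct
from typing import List, Optional, Set, Tuple

GVRP_DST = bytes.fromhex("0180c2000021")   # GVRP group address
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
JOINS, LEAVES = ("JoinIn", "JoinEmpty"), ("LeaveIn", "LeaveEmpty")


def build_pdu(events: List[Tuple[int, Optional[int]]]) -> bytes:
    """events: (event code, VID) pairs; VID None for LeaveAll."""
    body = b""
    for ev, vid in events:
        if vid is None:
            body += bytes([2, ev])
        else:
            body += bytes([4, ev]) + struct.pack("!H", vid)
    return struct.pack("!H", 1) + bytes([1]) + body + b"\x00" + b"\x00"


def parse_pdu(pdu: bytes) -> List[Tuple[str, Optional[int]]]:
    if len(pdu) < 3 or struct.unpack("!H", pdu[:2])[0] != 1:
        raise ValueError("not a GARP PDU (protocol ID must be 1)")
    off, events = 2, []
    while off < len(pdu) and pdu[off] != 0:            # messages until end mark
        if pdu[off] != 1:
            raise ValueError(f"unknown attribute type {pdu[off]}")
        off += 1
        while off < len(pdu) and pdu[off] != 0:        # attributes until end mark
            length = pdu[off]
            if length < 2 or off + length > len(pdu):
                raise ValueError("bad attribute length")   # length field is untrusted
            event = pdu[off + 1]
            if event not in EVENTS:
                raise ValueError(f"unknown event {event}")
            vid = None
            if length >= 4:
                vid = struct.unpack("!H", pdu[off + 2:off + 4])[0]
                if not 1 <= vid <= 4094:
                    raise ValueError(f"VID {vid} out of range")
            events.append((EVENTS[event], vid))
            off += length
        off += 1                                        # skip attribute-list end mark
    return events


class GvrpPort:
    """Registrar for one port. mode: 'normal' (dynamic registration allowed),
    'fixed' (ignores GARP messages, stays registered for its static VLANs),
    'forbidden' (ignores GARP messages, registers nothing)."""

    def __init__(self, mode: str = "normal", static: Set[int] = frozenset()):
        if mode not in ("normal", "fixed", "forbidden"):
            raise ValueError("mode must be normal, fixed or forbidden")
        self.mode, self.static, self.dynamic = mode, set(static), set()

    def process(self, pdu: bytes) -> Set[int]:
        """Apply a received PDU and return the resulting registered VLAN set."""
        for ev, vid in parse_pdu(pdu):
            if self.mode != "normal":
                continue                                # fixed/forbidden ignore messages
            if ev in JOINS:
                self.dynamic.add(vid)
            elif ev in LEAVES:
                self.dynamic.discard(vid)
            elif ev == "LeaveAll":
                self.dynamic.clear()                    # simplification of the leave timer
        return self.registered()

    def registered(self) -> Set[int]:
        if self.mode == "forbidden":
            return set()
        if self.mode == "fixed":
            return set(self.static)
        return self.static | self.dynamic


# Constructed PDU: a peer joins VLANs 10 and 20, then leaves 20.
SAMPLE_PDU = build_pdu([(2, 10), (2, 20), (4, 20)])

if __name__ == "__main__":
    print(parse_pdu(SAMPLE_PDU))
    for mode in ("normal", "fixed", "forbidden"):
        print(mode, "->", GvrpPort(mode, {5}).process(SAMPLE_PDU))
```

On a trunk between two switches "normal" is what makes GVRP useful; on anything user-facing, a registrar in forbidden mode (or GVRP left disabled on the port) is the control, because a join message costs the sender nothing and the dynamic VLAN it creates is a trunk into whatever that VID carries elsewhere.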

  • Page 194

    1-5
      To do...                                 Use the command...                              Remarks
      Enter Ethernet interface view            interface interface-type interface-number       Enter Ethernet interface view or port-group view: re...
      Enter Layer 2 aggregate interface view   interface bridge-aggregation interface-number
      Enter port-group view                    port-group manual port-group-name

  • Page 195

    1-6
      To do...                                 Use the command...                              Remarks
      Enter Ethernet interface view            interface interface-type interface-number       Enter Ethernet interface view or port-group view: re...
      Enter Layer 2 aggregate interface view   interface bridge-aggregation interface-number
      Enter port-group view                    port-group manual port-group-name

  • Page 196

    1-7
      To do...                                                 Use the command...                                                   Remarks
      Display GARP timers for specified or all ports           display garp timer [ interface interface-list ]                      Available in any view
      Display the local VLAN information maintained by GVRP    display gvrp local-vlan interface interface-type interface-number    Available in any view
      Displ...

  • Page 197

    1-8 # Create VLAN 2 (a static VLAN).
      [DeviceA] vlan 2
    2) Configure Device B
      # Enable GVRP globally.
      system-view
      [DeviceB] gvrp
      # Configure port GigabitEthernet 2/0/1 as a trunk port, allowing all VLANs to pass through.
      [DeviceB] interface gigabitethernet 2/0/1
      [DeviceB-GigabitEthernet2/0/1] port lin...

  • Page 198

    1-9 # Configure port GigabitEthernet 2/0/1 as a trunk port, allowing all VLANs to pass through.
      [DeviceA] interface gigabitethernet 2/0/1
      [DeviceA-GigabitEthernet2/0/1] port link-type trunk
      [DeviceA-GigabitEthernet2/0/1] port trunk permit vlan all
      # Enable GVRP on GigabitEthernet 2/0/1.
      [DeviceA-Gig...

  • Page 199

    1-10 Network diagram. Figure 1-4 Network diagram for GVRP configuration. Configuration procedure:
    1) Configure Device A
      # Enable GVRP globally.
      system-view
      [DeviceA] gvrp
      # Configure port GigabitEthernet 2/0/1 as a trunk port, allowing all VLANs to pass through.
      [DeviceA] interface gigabitethernet 2/0/...

  • Page 200

    1-11
      [DeviceB] display vlan dynamic
      No dynamic vlans exist!

  • Page 201: Table of Contents

    Table of contents: 1 QinQ configuration (1-1); Introduction to QinQ ...

  • Page 202: Qinq Configuration

    1-1 1 QinQ configuration. When configuring QinQ, go to these sections for information you are interested in: • Introduction to QinQ • Configuring basic QinQ • Configuring selective QinQ • Configuring the TPID of a VLAN tag • Configuring outer VLAN tag priority • QinQ configuration example. Throughout ...

  • Page 203

    1-2 How QinQ works. The devices in the public network forward a frame only according to its outer VLAN tag and learn its source MAC address into the MAC address table of the outer VLAN. The inner VLAN tag of the frame is carried as payload. Figure 1-1 Schematic diagram of the QinQ feature. Net...

  • Page 204

    1-3 Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure. The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN tag is 4 bytes. Therefore, you are recommended to increase the MTU of each interface on the service provider ne...

  • Page 205

    1-4 figure 1-3 vlan tag structure of an ethernet frame an s7900e switch determines whether a received frame is vlan tagged by comparing its own tpid with the tpid field in the received frame. If they match, the frame is considered as a vlan tagged frame. If not, the switch tags the frame with the de...

  • Page 206

    1-5 configuring outer vlan tag priority by default, when tagging a tagged frame, the s7900e series ethernet switches copy the priority carried in the inner vlan tag to the outer vlan tag of the frame and uses the priority as the transmission priority of the frame in the service provider network. Whe...

  • Page 207

    1-6 z basic qinq should be configured on the ports connecting customer networks. Z it is recommended that you do not configure qinq on an rrpp-enabled port, because rrpp packets may be transmitted to the wrong vlans, causing rrpp to become invalid. If you really need to configure qinq on an rrpp-ena...

  • Page 208

    1-7 z before configuring vlan transparent transmission, enable basic qinq on the port. Z when configuring transparent transmission for a vlan, you need to configure all the devices on the transmission path to permit packets of this vlan to pass through. Z for vlans whose packets are to be transparen...

  • Page 209

    1-8 to do... Use the command... Remarks enter ethernet port view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter the ethernet port view of the customer network-side port enter port group view port-group { manual por...

  • Page 210

    1-9 to do... Use the command... Remarks enter ethernet port view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter ethernet port view or port group view of a service provider-side port or ports enter port group view p...

  • Page 211

    1-10 to do... Use the command... Remarks enter ethernet port view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter the view of the ethernet port/layer-2 aggregate interface/port group connecting to the customer netwo...

  • Page 212

    1-11 network diagram figure 1-4 network diagram for qinq configuration ge2/0/1 ge2/0/2 ge2/0/3 ge2/0/1 ge2/0/2 vlan 10, vlan 20 vlan 10 vlan 20 customer b customer a customer c provider b provider a public network vlan 1000/2000/3000 tpid=0x8200 customer d ge2/0/3 configuration procedure with this c...

  • Page 213

    1-12 [providera-classifier-a10] if-match customer-vlan-id 10 [providera-classifier-a10] quit # create a traffic behavior p1000 and configure the action of tagging frames with the outer vlan tag 1000 for the traffic behavior. [providera] traffic behavior p1000 [providera-behavior-p1000] nest top-most...

  • Page 214

    1-13 z configuration on gigabitethernet 2/0/1 # configure the port as a trunk port, and permit frames of vlan 1000, vlan 2000 and vlan 3000 to pass. System-view [providerb] interface gigabitethernet 2/0/1 [providerb-gigabitethernet2/0/1] port link-type trunk [providerb-gigabitethernet2/0/1] port tru...

  • Page 215: Table of Contents

I table of contents 1 bpdu tunneling configuration 1-1 introduction to bpdu tunneling ...

  • Page 216: Bpdu Tunneling Configuration

    1-1 1 bpdu tunneling configuration when configuring bpdu tunneling, go to these sections for information you are interested in: z introduction to bpdu tunneling z configuring bpdu tunneling z bpdu tunneling configuration examples introduction to bpdu tunneling as a layer 2 tunneling technology, bpdu...

  • Page 217

    1-2 3) the encapsulated layer 2 protocol packet (called bridge protocol data unit, bpdu) is forwarded to pe 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination mac address of the packet, and then sends the packet to user a network 2. D...

  • Page 218

    1-3 z bpdus can be transparently transmitted. Bpdus of the same customer network can be broadcast in a specific vlan across the service provider network, so that the geographically dispersed networks of the same customer can implement consistent spanning tree calculation across the service provider ...

  • Page 219

    1-4 configuring bpdu tunneling configuration prerequisites z before configuring bpdu tunneling for a protocol, enable the protocol in the customer network first. Z assign the port on which you want to enable bpdu tunneling on the pe device and the connected port on the ce device to the same vlan. Z ...

  • Page 221

    1-6 figure 1-3 network diagram for configuring bpdu tunneling for stp configuration procedure 1) configuration on pe 1 # configure the destination multicast mac address for bpdus as 0x0100-0ccd-cdd0. System-view [pe1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0 # create vlan 2 and assign gigabitethernet ...

  • Page 222

    1-7 z all ports that connect service provider devices and customer devices and those that interconnect service provider devices are trunk ports and allow packets of any vlan to pass through. Z pvst is enabled for vlans 1 through 4094 on user a’s network. It is required that, after the configuration,...

  • Page 223: Table of Contents

I table of contents 1 vlan mapping configuration 1-1 vlan mapping overview ...

  • Page 224: Vlan Mapping Configuration

    1-1 1 vlan mapping configuration when configuring vlan mapping, go to these sections for information you are interested in: z vlan mapping overview z vlan mapping configuration task list z configuring one-to-one vlan mapping z configuring many-to-one vlan mapping z configuring one-to-two vlan mappin...

  • Page 225

    1-2 figure 1-1 scenario for one-to-one/multiple-to-one vlan mapping pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan 3 home gateway home gateway … … home gateway home gateway campus switch vlan 1-> vlan 101 vlan 2-> vla...

  • Page 226

    1-3 figure 1-2 scenario for one-to-two/two-to-two vlan mapping the vpn a user in site 1 belongs to vlan 10. When the packet tagged with vlan 10 arrives at the edge of the sp 1 network, pe 1 tags the packet with vlan 100, the vlan id assigned to the vpn a user in sp 1. The packet thus becomes double-...

  • Page 227

    1-4 basic concepts of vlan mapping figure 1-1 basic concepts of vlan mapping before you configure vlan mappings, be aware of the following concepts, which will be used throughout this document. Z uplink traffic: traffic transmitted from a user network to a distribution network or an sp network. Z do...

  • Page 228

    1-5 many-to-one vlan mapping on the downlink port on the uplink port for uplink traffic for downlink traffic do... Based on… do... Based on… map all specified customer vlans (cvlan) to one service provider vlan (svlan) uplink policy in the inbound direction replace the svlan with the original cvlan ...

  • Page 229

    1-6 on the downlink port on the uplink port for uplink traffic for downlink traffic for uplink traffic do... Based on… do... Based on… do... Based on… replace the original svlan with the new svlan uplink policy in the inbound direction replace the new svlan and cvlan with the original svlan and cvla...

  • Page 230

    1-7 z enable the dynamic address binding support of ip source guard to filter packets received on a port based on the source ip address and mac address bindings created dynamically to prevent illegal packets from passing through the port. For information about this feature, refer to ip source guard ...

  • Page 231

    1-8 to do... Use the command... Remarks exit to system view quit — enter the interface view of the uplink port interface interface-type interface-number — set the link type of the uplink port to trunk port link-type trunk required configure the uplink port to permit the specified svlans to pass thro...

  • Page 232

    1-9 to do... Use the command... Remarks specify the cvlan for the vlan mapping remark customer-vlan-id vlan-id-value required exit to system view quit — create a qos policy and enter qos policy view qos policy policy-name required map the svlan to the cvlan by associating the traffic class with the ...

  • Page 233

    1-10 to do... Use the command... Remarks enable customer side qinq qinq enable downlink required disabled by default. Apply the uplink policy to the downlink port in the inbound direction qos apply policy policy-name inbound required exit to system view quit — enter the interface view of the uplink ...

  • Page 234

    1-11 to do... Use the command... Remarks exit to system view quit — z to guard against attacks, you are recommended to enable arp detection on each cvlan. Z before applying a qos policy to the downlink port, enable customer-side qinq on the port; before disabling customer-side qinq on the downlink p...

  • Page 236

    1-13 follow these steps to configure a two-to-two vlan mapping: to do... Use the command... Remarks enter system view system-view — configure an uplink policy for the uplink port to replace the original cvlan with the new cvlan refer to table 1-5 . Required configure an uplink policy for the downlin...

  • Page 238

    1-15 to do... Use the command... Remarks map the original svlan and cvlan to the new svlan by associating the traffic class with the traffic behavior classifier tcl-name behavior behavior-name required exit to system view quit — table 1-7 configure a downlink policy for the downlink port to do... Us...

  • Page 239

    1-16 use vlan 501 for pc traffic, vlan 502 for vod traffic, and vlan 503 for voip traffic. Network diagram figure 1-2 scenario for one-to-one/multiple-to-one vlan mapping pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan 3 pc vod voip vlan 1 vlan 2 vlan...

  • Page 240

    1-17 [switcha] traffic classifier c1 [switcha-classifier-c1] if-match customer-vlan-id 1 [switcha-classifier-c1] traffic classifier c2 [switcha-classifier-c2] if-match customer-vlan-id 2 [switcha-classifier-c2] traffic classifier c3 [switcha-classifier-c3] if-match customer-vlan-id 3 [switcha-classi...

  • Page 241

    1-18 [switcha-behavior-b11] traffic behavior b22 [switcha-behavior-b22] remark customer-vlan-id 2 [switcha-behavior-b22] traffic behavior b33 [switcha-behavior-b33] remark customer-vlan-id 3 [switcha-behavior-b33] quit [switcha] qos policy p11 [switcha-policy-p11] classifier c11 behavior b11 [switch...

  • Page 242

    1-19 [switcha-gigabitethernet2/0/3] port trunk permit vlan 101 201 301 102 202 302 2) configuration on switch b system-view # create the cvlans and the svlans. [switchb] vlan 2 to 3 [switchb] vlan 111 to 112 [switchb] vlan 211 to 212 [switchb] vlan 311 to 312 # configure uplink policies to map the c...

  • Page 243

    1-20 [switchb-classifier-c33] if-match service-vlan-id 311 [switchb-classifier-c33] traffic classifier c44 [switchb-classifier-c44] if-match service-vlan-id 112 [switchb-classifier-c44] traffic classifier c55 [switchb-classifier-c55] if-match service-vlan-id 212 [switchb-classifier-c55] traffic clas...

  • Page 244

    1-21 [switchb-gigabitethernet2/0/2] qinq enable # apply the uplink policy p2 to the inbound direction of gigabitethernet 2/0/2. [switchb-gigabitethernet2/0/2] qos apply policy p2 inbound # apply the downlink policy p22 to the outbound direction of gigabitethernet 2/0/2. [switchb-gigabitethernet2/0/2...

  • Page 245

    1-22 [switchc-vlan503] arp detection enable [switchc-vlan503] quit # configure uplink policies to map the cvlans for the same service of different users to the same svlan. [switchc] traffic classifier c1 [switchc-classifier-c1] if-match customer-vlan-id 101 to 200 [switchc-classifier-c1] traffic cla...

  • Page 246

    1-23 [switchc] interface gigabitethernet 2/0/2 [switchc-gigabitethernet2/0/2] port link-type trunk [switchc-gigabitethernet2/0/2] port trunk permit vlan 111 211 311 112 212 312 501 502 503 # enable customer-side qinq on gigabitethernet 2/0/2. [switchc-gigabitethernet2/0/2] qinq enable downlink # app...

  • Page 247

    1-24 network diagram figure 1-3 network diagram for one-to-two/two-to-two vlan mapping configuration sp 2 vpn 1 vlan 10 vlan 10/100 vlan 10/200 vlan 30/200 sp 1 vlan 30/200 ge2/0/1 device b ge2/0/2 ge2/0/1 ge2/0/2 ge2/0/2 ge2/0/1 device c device d device a ge2/0/1 vpn 1 vlan 30 ge2/0/2 vlan 10/100 v...

  • Page 248

    1-25 # enter system view. System-view # configure gigabitethernet 2/0/1 to permit frames of vlan 100 to pass through. [deviceb] interface gigabitethernet 2/0/1 [deviceb-gigabitethernet2/0/1] port link-type trunk [deviceb-gigabitethernet2/0/1] port trunk permit vlan 100 [deviceb-gigabitethernet2/0/1]...

  • Page 249

    1-26 [devicec-qospolicy-downlink_out] classifier downlink_out behavior downlink_out [devicec-qospolicy-downlink_out] quit # specify the original cvlan and the new svlan in the vlan mapping for outgoing vpn 1 traffic on gigabitethernet 2/0/2. [devicec] traffic classifier uplink_out [devicec-classifie...

  • Page 250

    1-27 [deviced] interface gigabitethernet 2/0/1 [deviced-gigabitethernet2/0/1] port link-type trunk [deviced-gigabitethernet2/0/1] port trunk permit vlan 200 # configure gigabitethernet 2/0/2 to forward the traffic of vlan 200 with the outer vlan tag removed. [deviced] interface gigabitethernet 2/0/2...

  • Page 251: Table of Contents

I table of contents 1 port mirroring configuration 1-1 introduction to port mirroring ...

  • Page 252: Port Mirroring Configuration

    1-1 1 port mirroring configuration when configuring port mirroring, go to these sections for information you are interested in: z introduction to port mirroring z configuring local port mirroring z configuring layer 2 remote port mirroring z configuring layer 3 remote port mirroring z configuring lo...

  • Page 253

    1-2 the following subsections describe how local port mirroring, layer 2 remote port mirroring, and layer 3 remote port mirroring are implemented. Local port mirroring local port mirroring is implemented through a local mirroring group. In local port mirroring, packets passing through a port (mirror...

  • Page 254

    1-3 copies the packets passing through the mirroring port, broadcasts the packets in the remote probe vlan for remote mirroring through the egress port, and transmits the packets to the destination device via the intermediate device. When receiving these mirrored packets, the destination device comp...

  • Page 255

    1-4 figure 1-3 layer 3 remote port mirroring implementation on the source device, packets of the mirroring port (or cpu) are mirrored to the tunnel interface that serves as the monitor port in the remote source mirroring group, and then transmitted to the destination device through the gre tunnel. T...

  • Page 256

    1-5 creating a local mirroring group follow these steps to create a local mirroring group: to do… use the command… remarks enter system view system-view — create a local mirroring group mirroring-group group-id local required a local mirroring group takes effect only after you configure a monitor po...

  • Page 257

    1-6 configuring the monitor port for the local mirroring group you can configure the monitor port for a mirroring group in system view, or assign the current port to a mirroring group as the monitor port in interface view. The two modes lead to the same result. Configuring the monitor port in system...

  • Page 258

    1-7 configuring layer 2 remote port mirroring layer 2 remote port mirroring configuration task list configuring layer 2 remote port mirroring is to configure remote mirroring groups. When doing that, configure the remote source mirroring group on the source device and the cooperating remote destinat...

  • Page 259

    1-8 the remote source mirroring group on the source device and the remote destination mirroring group on the destination device must use the same remote probe vlan. Configuring a remote source mirroring group (on the source device) to configure a remote source mirroring group, make the following con...

  • Page 260

    1-9 z a mirroring group can contain multiple mirroring ports. Z to ensure that the port mirroring function works properly, do not assign a mirroring port to the remote probe vlan. Configuring the egress port for the remote source mirroring group you can configure the egress port for a mirroring grou...

  • Page 261

    1-10 to do… use the command… remarks enter system view system-view — configure the remote probe vlan mirroring-group group-id remote-probe vlan rprobe-vlan-id required by default, no remote probe vlan is configured for a mirroring group. Z you are recommended to use the remote probe vlan for port mi...

  • Page 262

    1-11 follow these steps to configure the monitor port for the remote destination mirroring group in interface view: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — configure the current port as the monitor port [ mirror...

  • Page 263

    1-12 to do… use the command… remarks enter system view system-view — enter the interface view of the monitor port interface interface-type interface-number — for an access port port access vlan vlan-id for a trunk port port trunk permit vlan vlan-id assign the port to the probe vlan for a hybrid por...

  • Page 264

    1-13 generally, a port can belong to only one mirroring group. On an sd or eb series lpu, however, a port can be assigned to two mirroring groups as a mirroring port. Configuration prerequisites before configuring layer 3 remote port mirroring, make sure that you have created a gre tunnel that conne...

  • Page 266

    1-15 z a mirroring group contains only one monitor port. Z to ensure that the port mirroring function can work properly, do not enable stp, mstp, or rstp on the monitor port. Z you are recommended to use a monitor port only for port mirroring. This is to ensure that the data monitoring device receiv...

  • Page 268

    1-17 [devicea] display mirroring-group all mirroring-group 1: type: local status: active mirroring port: gigabitethernet2/0/1 both gigabitethernet2/0/2 both monitor port: gigabitethernet2/0/3 after the above configurations are completed, you can monitor all the packets received and sent by the marke...

  • Page 269

    1-18 [devicea] mirroring-group 1 monitor-egress gigabitethernet 2/0/2 # configure gigabitethernet 2/0/2 as a trunk port that permits the packets of vlan 2 to pass through. [devicea] interface gigabitethernet 2/0/2 [devicea-gigabitethernet2/0/2] port link-type trunk [devicea-gigabitethernet2/0/2] por...

  • Page 270

    1-19 layer 3 remote port mirroring configuration example network requirements on the network shown in figure 1-6 : z device a connects to the marketing department through gigabitethernet 2/0/1, and to gigabitethernet 2/0/1 of device b through gigabitethernet 2/0/2; device c connects to the server th...

  • Page 271

    1-20 [devicea-gigabitethernet2/0/3] port service-loopback group 1 # in tunnel interface view, configure the tunnel to reference service loopback group 1. [devicea-gigabitethernet2/0/3] quit [devicea] interface tunnel 0 [devicea-tunnel0] service-loopback-group 1 [devicea-tunnel0] quit # enable the os...

  • Page 272

    1-21 [devicec] interface gigabitethernet 2/0/3 [devicec-gigabitethernet2/0/3] undo stp enable [devicec-gigabitethernet2/0/3] port service-loopback group 1 # in tunnel interface view, configure the tunnel to reference service loopback group 1. [devicec-gigabitethernet2/0/3] quit [devicec] interface t...

  • Page 273

    1-22 figure 1-7 network diagram for local port mirroring configuration onu device a olt3/0/1 server pos uni 1 uni 2 uni 3 hosta hostb configuration procedure # enter system view. System-view # enter onu port view. [devicea] interface onu 3/0/1:1 # configure uni 1 as the mirroring port for local port...

  • Page 274

    2-1 2 traffic mirroring configuration when configuring traffic mirroring, go to these sections for information you are interested in: z traffic mirroring overview z configuring traffic mirroring z displaying and maintaining traffic mirroring z traffic mirroring configuration examples traffic mirrori...

  • Page 275

    2-2 to do… use the command… remarks configure the match criteria if-match match-criteria required return to system view quit — create a traffic behavior and enter traffic behavior view traffic behavior behavior-name required configure the traffic mirroring action for the traffic behavior mirror-to {...

  • Page 276

    2-3 configurations on the destination device you need only configure a remote destination mirroring group on the destination device. For the detailed configuration procedure, refer to creating a remote destination mirroring group . Displaying and maintaining traffic mirroring to do… use the command…...

  • Page 277

2-4 [sysname] traffic classifier 1 [sysname-classifier-1] if-match acl 2000 [sysname-classifier-1] quit # create traffic behavior 1 and configure the action of mirroring traffic to gigabitethernet 2/0/2 for the traffic behavior. [sysname] traffic behavior 1 [sysname-behavior-1] mirror-to interface gi...

  • Page 278

2-5 [switcha-acl-basic-2000] quit # create class 1 and use basic ipv4 acl 2000 as the match criteria. [switcha] traffic classifier 1 [switcha-classifier-1] if-match acl 2000 [switcha-classifier-1] quit # create behavior 1 and configure the action of mirroring traffic to gigabitethernet 2/0/1 for the ...

  • Page 279

    2-6 z configuration on switch c # configure gigabitethernet 2/0/1 as a trunk port and assign it to vlan 2. System-view [switchc] interface gigabitethernet 2/0/1 [switchc-gigabitethernet2/0/1] port link-type trunk [switchc-gigabitethernet2/0/1] port trunk permit vlan 2 [switchc-gigabitethernet2/0/1] ...

  • Page 280: Table of Contents

I table of contents 1 epon configuration 1-1 introduction to epon system ...

  • Page 281

Ii configuring traffic encryption 3-13 testing the link between an onu and the olt 3-14 testing the cable connected to an u...

  • Page 282: Epon Configuration

    1-1 1 epon configuration after an epon card is installed in an s7900e switch, the switch can work as an olt device in an epon system. Note that: when the switch operates in independent mode (that is, irf stacking is not enabled on the switch), the olt function can operate normally; when the switch o...

  • Page 283

    1-2 figure 1-1 a typical epon architecture odn olt pos onu2 onu1 onun olt an olt, generally an ethernet switch, router, or multimedia conversion platform, is located at the central office (co) as a core device of the whole epon system to provide core data and video-to-telephone network interfaces fo...

  • Page 284

1-3 epon application mode based on where onus are deployed, epon application mode can be fiber to the curb (fttc), fiber to the building (fttb), and fiber to the home (ftth). Fttc in an fttc system, onus are deployed at roadside or beside the junction boxes of telegraph poles. Usually, twisted-pair ...

  • Page 285

    1-4 discovery gate messages, which discover onus in broadcast mode. An onu registration process is as follows: 1) an olt broadcasts a discovery gate message to notify the start time and length of the discovery timeslot to all the onus. 2) an unregistered onu responds to the discovery gate message an...

  • Page 286

    1-5 bandwidth allocation once the extended oam connection is established, downlink data transmission can begin. Uplink data transmission can begin only after uplink bandwidth is allocated. In bandwidth allocation, mainly two types of mpcp messages: gate and report, are used: a gate message is sent b...

  • Page 287

    1-6 figure 1-4 uplink data transmission in an epon system the time division multiple access (tdma) technology is used to transmit uplink data. This ensures that one optical fiber between the olt and the pos can transmit data signals from multiple onus to the olt without signal interference. Epon sys...

  • Page 288

    1-7 for example, when a trunk fiber is broken or an olt port becomes abnormal, a switchover is performed automatically between the two olts, which act as backup for each other. You can also perform a manual switchover between two olt ports added to the backup group as needed. Figure 1-5 depicts a fi...

  • Page 289

    1-8 figure 1-6 an epon system olt port each pon port on an epon card in an s7900e switch is an independent olt device. For an s7900e switch, a pon port is an olt port. An olt port number is in the format epon card slot number/sub-card slot number/olt port number , such as olt 3/0/1, as shown in figu...

  • Page 290

    1-9 task remarks uni port configuration uni port introduction configuration procedure of uni remote management through olt alarm configuration configurations of all the alarms in an epon system supported switch features and restrictions switch features supported by olts and onus, related manuals, an...

  • Page 291: Olt Configuration

    2-1 2 olt configuration when working as an olt device, an s7900e switch supports abundant features. This chapter describes only the functions of an s7900e switch working as an olt device. For other functions, see olt port features and restrictions . If the olt configurations in this manual take effe...

  • Page 292

    2-2 epon system parameter configuration configuring the maximum onu-olt rtt during onu registration, an olt obtains the round trip time (rtt) value of an onu through the exchange of discovery gate messages and register_req messages between the olt and the onu. By configuring a maximum rtt at the olt...

  • Page 293

    2-3 when the oui and oam version number list on an epon service board changes due to addition or removal of user-defined list entry, all onus under the board will re-register. It is recommended that you configure the maximum onu-olt rtt only when necessary. The relationship between the rtt and the d...

  • Page 295

    2-5 to do... Use the command... Remarks enter system view system-view — enter olt port view interface olt interface-number — enable grant filtering on the olt port grant-filtering enable optional enabled by default configuring the link type of an olt port you can configure an olt port as a hybrid po...

  • Page 296

    2-6 with layer-2 communication enabled between the onus attached to an olt port, all onus attached to the olt port can communicate with each other at layer 2. With layer-2 communication enabled between the onus attached to an olt port, if you create an onu port on the olt, the onu connected to the n...

  • Page 297

    2-7 up to two olt ports can be added to one backup group. An olt port can be added to only one backup group at a time. The port added to the backup group earlier will be the master port, while the other port will be the standby port. Only one of the two olt ports in a fiber backup group can be in th...

  • Page 298

    2-8 to do... Use the command... Remarks display the registration and deregistration information of an onu display onu-event interface interface-type interface-number display all the configuration information display current-configuration display the configuration information in the current view disp...

  • Page 299

    2-9 configuration procedure # add olt 3/0/1 and olt 3/0/2 to an isolation group. System-view [sysname] interface olt3/0/1 [sysname-olt3/0/1] port-isolate enable [sysname-olt3/0/1] quit [sysname] interface olt3/0/2 [sysname-olt3/0/2] port-isolate enable [sysname-olt3/0/2] quit # display the isolation...

  • Page 300

    2-10 [sysname-fiber-group1] group member olt3/0/2 [sysname-fiber-group1] display fiber-backup group 1 fiber backup group 1 information: member role state ----------------------------------------- olt3/0/1 master active olt3/0/2 slave ready # perform a master/slave switchover between olt 3/0/1 and ol...

  • Page 301

    3-1 3 onu remote management configuration when an s7900e switch is working as an olt device, you can configure a variety of functions on its onu ports so that you can manage the connected onus remotely. This chapter describes only the functions and commands developed specially for onu ports on such ...

  • Page 302

3-2 task remarks configuring an onu to report information to the olt optional configuring traffic encryption optional for h3c onus only testing the link between an onu and the olt optional configurations testing the cable connected to a uni port optional deregistering an onu optional updating onus ...

  • Page 303

    3-3 to do... Use the command... Remarks enter system view system-view — enter onu port view interface onu interface-number — bind the current onu port to an onu bind onuid onuid required an onu port can only be bound with one onu mac address. Conversely, an onu mac address can only be bound to one o...

  • Page 304

    3-4 this binding method is applicable to occasions where the registration of invalid onus is not taken into consideration and the onus attached to the olt are completely trusted. In this way, concern about binding is completely ignored. In this case, to remove a binding, disable automatic onu bindin...

  • Page 305

    3-5 to do... Use the command... Remarks bring up the management vlan interface undo shutdown management-vlan-interface required by default, a management vlan interface is down. After the undo shutdown management-vlan-interface command is used: a management vlan interface is down if all the ethernet ...

  • Page 306

    3-6 the configuration of prioritizing high-priority packets and that of the downlink bandwidth limit take effect only when the downlink bandwidth allocation policy is enabled. The configured downlink bandwidth limit takes effect only on known unicasts, but not on unknown unicasts, multicasts, or bro...

  • Page 307

    3-7 if the request packet contains no pppoe tag, the onu adds the tag (containing the uni port information) to the request packet and forwards the packet to the olt side. If the request packet contains a pppoe tag, the onu directly forwards the request packet to the olt side without adding any tag. ...

  • Page 308

    3-8 to do... Use the command... Remarks enable igmp snooping globally igmp-snooping required disabled by default return to system view quit — enter vlan view of a multicast vlan vlan vlan-id — enable igmp snooping igmp-snooping enable required disabled by default drop unknown multicast traffic igmp-...

  • Page 309

    3-9 to do... Use the command... Remarks enter system view system-view — enter onu port view interface onu interface-number — configure the multicast mode of the onu as igmp snooping multicast-mode igmp-snooping optional by default, the multicast mode of the onu is igmp snooping. Add a uni to the spe...

  • Page 310

    The OLT identifies users by their LLIDs and by the VLAN tags (consistent with the UNI port numbers) carried in uplink IGMP report messages, and determines whether a user is entitled to the requested multicast service and, if so, the related parameters. The OLT uses extended multicast con...

  • Page 311

    Configuring the link type of an ONU port. You can configure an ONU port as an access port or a trunk port. When a PC is directly connected to the ONU port, configure the ONU port as an access port, which receives and transmits only untagged packets. When a home gateway or layer 2 switch is...

  • Page 312

    To do / Use the command / Remarks: enter system view (system-view); enter ONU port view (interface onu interface-number); set the link type of the ONU port to access (port link-type access; optional; by default, the link type of an ONU port is access); assign the ONU port to the specified VLAN (port acce...

  • Page 313

    Enabling FEC. Forward error correction (FEC) implements downlink error correction on the OLT and uplink error correction on the ONU to lower the bit error rate and extend the optical transmission distance. Packets sent with FEC enabled carry error correction codes, so the actual uplink...

  • Page 314

    To do / Use the command / Remarks: enable traffic encryption (encrypt enable; optional; by default, data encryption is enabled for downlink data); configure an encryption key (encrypt key key-value; optional; if no encryption key is configured, the system uses the default encryption key. A default key is the same on every device and gives no confidentiality against anyone who knows it, so configure a key of your own. Currently, t...

  • Page 315

    Deregistering an ONU. After being deregistered, an ONU tries to register again. Follow these steps to deregister an ONU. To do / Use the command / Remarks: enter system view (system-view); enter ONU port view (interface onu interface-number); deregister the ONU (deregister onu; required). Updating...

  • Page 316

    Table 3-3 ONU update methods. To do / Use the method / Remarks: update multiple ONUs by type: in FTTH view, update all the ONUs of the specified type attached to the switch (you can update different types of ONUs by specifying multiple update files). Update one ONU: in ONU port view, use the onu upda...

  • Page 317

    ONU update configuration. Follow these steps to update all the ONUs of the specified type. To do / Use the command / Remarks: enter system view (system-view); enter FTTH view (ftth); update all the ONUs of the specified type under the switch (update onu onu-type onu-type filename file-url; required). Aft...

  • Page 318

    After you configure the update for the ONUs corresponding to all the created ONU ports under an OLT port: if the ONU port corresponding to an ONU that goes online was created before the update command was used, the ONU is updated directly (if it matches the update files); otherwise, the ONU...

  • Page 319

    Network diagram: Figure 3-1 Network diagram for ONU port-to-ONU binding configuration (ONU1 and ONU2 are attached to OLT port OLT3/0/1 through a POS). Configuration procedure: # Configure the OUI and extended OAM version number list. system-view System View: return to User View with Ctrl+Z. [Sysname] ftth [Sysname-ftth] epon-paramete...

  • Page 320

    Enabling RSTP on the ONU can suppress such a problem. Network diagram: Figure 3-2 Network diagram for ONU RSTP configuration. Configuration procedure: # Enable RSTP on the ONU to suppress the broadcast storm between UNI 2 and UNI 3. system-view [Sysname] interface onu 3/0/1:1 [Sysname-onu3/0/1:1] ...

  • Page 321

    [Sysname-ftth] multicast vlan-id 1002 dest-ip 225.1.2.1 to 225.1.2.255 [Sysname-ftth] multicast vlan-id 1003 dest-ip 225.1.3.1 to 225.1.3.255 [Sysname-ftth] quit # Enable IGMP snooping globally. [Sysname] igmp-snooping [Sysname-igmp-snooping] quit # Enable IGMP snooping in VLAN 1002 and VLAN 10...

  • Page 322

    User 1 has full access to channel 1 and 60-second preview access to channel 2. User 2 has access to channel 2 only. Network diagram: Figure 3-4 Network diagram for multicast configuration (in multicast control mode): the multicast source connects to Eth2/0/1 on the OLT, the ONU is attached to OLT port OLT3/0/1 through a POS, User 1 sits on UNI 1 and User 2 on UNI 2. Configurati...

  • Page 323

    # Configure UNI 2 to allow the user attached to it to access channel 2 only, and configure the port to remove the multicast VLAN tags from downlink multicast packets. [Sysname-onu3/0/1:1] uni 2 multicast-control multicast-address 225.1.1.1 rule deny [Sysname-onu3/0/1:1] uni 2 multicast-control ...

  • Page 324

    Network diagram: Figure 3-5 Network diagram for ONU update (the OLT switch at the city central office serves ONUs in District C and at a branch office through OLT ports OLT3/0/1, OLT3/0/2 and OLT3/0/3, each via a POS). For a simplified network diagram, the figure shows only three of the OLT ports. Configur...

  • Page 325

    update flash:/a110.app? [Y/N]:y Info: Downloading the file to the ONU may take a long time, please wait... Please wait while the firmware is being burnt, and check the software version after re-registration! [Sysname-onu3/0/1:1] quit # Update all the type-A ONUs attached to the S7900E switch to version 11...

  • Page 326: Uni Port Configuration

    4 UNI port configuration. UNI port configuration task list. If an H3C EC1001 fitted with a subcard serves as an ONU, a UNI port here refers to the internal port connecting the subcard to the EC1001, not to the Ethernet port of the EC1001. Complete these tasks to configure a UNI port: Task / Remar...

  • Page 327

    Table 4-1 UNI port basic configuration. To do / Use the command / Remarks: enter system view (system-view); enter ONU port view (interface onu interface-number); configure a description for a UNI (uni uni-number description text; optional; by default, no description is configured for a UNI); shut down...

  • Page 328

    ...of whether the Ethernet packets carry VLAN tags or not) to the OLT without changing them. Downlink Ethernet packets are also forwarded transparently. Table 4-2 describes the detailed packet processing in this mode. Tag mode: tag mode suits situations where the VLAN tags generated by t...

  • Page 329

    VLAN operation mode / Direction / With or without VLAN tag / Packet processing: for a packet with a VLAN tag, if the VLAN ID in the tag matches a VLAN translation entry on the port, the VLAN ID is replaced with the VLAN ID corresponding to the entry and the packet is forwarded; if the VLAN ID in the tag is ...

  • Page 330

    Configuring fast-leave processing for a UNI. With fast-leave processing enabled, when the ONU receives an IGMP leave message from a host announcing that it is leaving a multicast group, the ONU immediately removes that port from the outgoing port list of the forwarding table. After that, whe...

  • Page 331

    Only one isolation group can be created on an ONU device, and there is no limit on the number of ports in an isolation group. Displaying and maintaining UNI port configuration. To do / Use the command / Remarks: display the current status of a UNI (display uni-information un...

  • Page 332: Alarm Configuration

    5 Alarm configuration. Introduction to alarm sampling and alarms. Sampling means that the system retrieves statistics data at the sampling interval. At the alarm monitor interval, the system samples the alarm variables and triggers an alarm if the value of a variable exceeds its alarm threshold. Ala...

  • Page 333

    To do / Use the command / Remarks: enable the statistics sampling function (sample enable; optional; enabled by default); configure the statistics sampling interval (timer sample seconds; optional; 4 seconds by default); enable the alarm monitoring function for the ...

  • Page 334

    To do / Use the command / Remarks: enable the device fatal error alarm function (alarm device-fatal-error enable; optional; enabled by default); enable the frame error rate alarm function (alarm frame-error-rate enable; optional; when the total number of error frames or the error fra...

  • Page 335

    To do / Use the command / Remarks: enable the dying gasp alarm function (alarm oam dying-gasp enable; optional; the system generates a dying gasp alarm when a system error, a data loading error, or any other nonreversible error occurs); enable the error frame period alarm function (alarm oam error-f...

  • Page 336

    To do / Use the command / Remarks: enable the error frame seconds summary alarm function (alarm oam error-frame-seconds-summary enable; optional; the system generates an error frame seconds summary alarm when the number of error frame seconds (an error frame second is one in which at least one error frame oc...

  • Page 337

    To do / Use the command / Remarks: enable the registration error alarm function (alarm registration-error enable; optional; the system generates a registration error alarm when an error occurs during the registration of an ONU; enabled by default); enable the remote stable alarm f...

  • Page 339

    To do / Use the command / Remarks: enable the local stable alarm function (alarm local-stable enable; optional; the system generates a local stable alarm when an ONU misuse occurs in the system, for example, when an OAM 2.0 ONU and an OAM 3.3 ONU are mixed in the same system. (All ONUs in the same...

  • Page 340

    To do / Use the command / Remarks: enable the error frame alarm function (alarm oam error-frame enable; optional; the system generates an error frame alarm when the number of error frames in a specific time period (that is, the window size) exceeds the corresponding predefined threshold. By defaul...

  • Page 342

    To do / Use the command / Remarks: enable the ONU over limitation alarm function (alarm onu-over-limitation enable; optional; the system generates an ONU over limitation alarm when the total number of ONUs connected to the OLT exceeds the limit; enabled by default). Configuring...

  • Page 343

    To do / Use the command / Remarks: enable the error frame alarm function (alarm oam error-frame enable; optional; the system generates an error frame alarm when the number of error frames in a specific time period (that is, the window size) exceeds the corresponding predefined threshold. By defau...

  • Page 345

    Alarm command configuration view / Alarm configuration display view / Remarks: FTTH view / FTTH view: for an alarm configuration command available in FTTH view only, use the display this command in FTTH view to display the alarm configuration.

  • Page 346

    6 Supported switch features and restrictions. OLT port features and restrictions. Table 6-1 OLT port features. Feature / Remarks / Related section: basic parameters: configuring an OLT port description string, enabling/disabling an OLT port, displaying and clearing port statistics information (port-related ...

  • Page 347

    Feature / Remarks / Related section: BPDU tunnel: configuring BPDU tunneling on an OLT port (QinQ-BPDU tunnel); port mirroring: configuring OLT port mirroring (port mirroring); QoS: configuring port rate limit, configuring traffic shaping, configuring QoS policies, configuring congestion management, configuring p...

  • Page 348

    The priority configured for an OLT port (with the qos priority priority-value command) takes effect only when QinQ is enabled on the OLT port. After MAC authentication is enabled on an OLT port, the port directly discards unicast packets that fail authentication, while the corres...

  • Page 349

    Feature / Remarks / Reference: DHCP snooping: configuring DHCP snooping to support Option 82, configuring the Option 82 padding formats, configuring a strategy for DHCP snooping to handle request packets containing Option 82, configuring the padding format and contents of non-custom circuit ID sub-options, c...

  • Page 350

    Feature / Remarks / Reference: QoS: configuring port priority, configuring QoS policies, configuring congestion management, configuring the priority trust mode of a port, configuring traffic classification and priority marking for uplink traffic of a UNI, configuring traffic policing for uplink/downlink traf...

  • Page 351

    Feature / Restrictions: QoS: when an ACL rule is referenced in a QoS policy, the action defined in the ACL rule (deny or permit) is ignored; the action taken on packets that match the ACL rule is determined solely by the traffic behavior defined in the QoS policy, so do not rely on a deny rule inside a QoS policy to block traffic. ONU ports support packet filteri...

  • Page 352

    IP Services Volume organization. Manual version: 20091015-C-1.00. Product version: Release 6605 and later. Organization: the IP Services volume is organized as follows. Features / Description: IP address: an IP address is a 32-bit address allocated to a network interface on a device that is attached to the In...

  • Page 353

    Features / Description: IPv6 basics: Internet Protocol version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). This document describes: IPv6 overview; basic IPv6 functions configuration...

  • Page 354: Table of Contents

    Table of contents: 1 IP addressing configuration (1-1); IP addressing overview (1-1); ...

  • Page 355: Ip Addressing Configuration

    1 IP addressing configuration. When assigning IP addresses to interfaces on your device, go to these sections for the information you need: IP addressing overview; configuring IP addresses; displaying and maintaining IP addressing. IP addressing overview: this section covers these topi...

  • Page 356

    Table 1-1 IP address classes and ranges. Class / Address range / Remarks: A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication and is never a valid destination address. Addresses starting with 127 are reserved for loopback tests; packe...

  • Page 357

    In the absence of subnetting, some special addresses, such as those with a net ID of all zeros and those with a host ID of all ones, are not assignable to hosts. The same holds with subnetting. When designing your network, note that subnetting is somewhat a tradeof...

  • Page 358

    The primary IP address you assign to the interface overwrites the old one, if any. You cannot assign secondary IP addresses to an interface that has DHCP configured. The primary and secondary IP addresses you assign to the interface can be located on the same network segment....

  • Page 359

    ping 172.16.1.2: 56 data bytes, press CTRL_C to break Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=...

  • Page 360: Table of Contents

    Table of contents: 1 IP performance optimization configuration (1-1); IP performance optimization overview (1-1); ena...

  • Page 361

    1 IP performance optimization configuration. When optimizing IP performance, go to these sections for the information you need: IP performance optimization overview; enabling reception and forwarding of directed broadcasts to a directly connected network; configuring TCP attributes; ...

  • Page 362

    To do / Use the command / Remarks: enter system view (system-view); enable the device to receive directed broadcasts (ip forward-broadcast; required; by default, the switch does not receive directed broadcasts). Keep these functions disabled unless an application needs them: a forwarded directed broadcast reaches every host on the target subnet with a single packet, which is what smurf-style amplification attacks abuse. Enabling forwarding of directed broadcasts to a directly connected network: follow ...

  • Page 363

    system-view [SwitchA] ip forward-broadcast # Configure IP addresses for VLAN-interface 3 and VLAN-interface 2. [SwitchA] interface vlan-interface 3 [SwitchA-Vlan-interface3] ip address 1.1.1.2 24 [SwitchA-Vlan-interface3] quit [SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip add...

  • Page 364

    The actual length of the FIN-wait timer is given by the following formula: actual length of the FIN-wait timer = (configured length of the FIN-wait timer – 75) + configured length of the SYN-wait timer. Configuring ICMP to send error packets: sending error packets is a major function of ICMP. In ...

  • Page 365

    When the device receives a packet destined for itself whose transport layer protocol is UDP, and the packet's port number matches no running process, the device sends the source a "port unreachable" ICMP error packet. If the source uses "strict source routing" to send packets, ...

  • Page 366

    To do / Use the command / Remarks: display UDP statistics (display udp statistics; available in any view); display statistics of IP packets (for distributed devices) (display ip statistics [ slot slot-number ]; available in any view); display statistics of IP packets (for distributed IRF devices) (display i...

  • Page 367: Table of Contents

    Table of contents: 1 ARP configuration (1-1); ARP overview ...

  • Page 368: Arp Configuration

    This document is organized as follows: ARP configuration; proxy ARP configuration. 1 ARP configuration. When configuring ARP, go to these sections for the information you need: ARP overview; configuring ARP; configuring gratuitous ARP; displaying and maintaining ARP. ARP overview: t...

  • Page 369

    Figure 1-1 ARP message format. The fields in Figure 1-1 are as follows. Hardware type: specifies the hardware address type; the value 1 represents Ethernet. Protocol type: specifies the type of the protocol address to be mapped; the hexadecimal value 0x0800 ...

  • Page 370

    Figure 1-2 ARP address resolution process. If Host A is not on the same subnet as Host B, Host A first sends an ARP request to the gateway; the target IP address in that ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from the ARP reply, Host A sends t...

  • Page 371

    Usually ARP resolves IP addresses to MAC addresses dynamically, without manual intervention. To allow communication with a device using a fixed IP-to-MAC mapping, configure a non-permanent static ARP entry for it. To allow communication with a device through a specific interface and using a ...

  • Page 372

    To do / Use the command / Remarks: set the maximum number of dynamic ARP entries that an interface can learn (arp max-learning-num number; optional; 8192 by default). Setting the aging time for dynamic ARP entries: to keep pace with network changes, the ARP table is refreshed. Each dynamic ARP entry ...

  • Page 373

    ...the default mask length is 8, so these two IP addresses are on the same natural network. In this way, VLAN-interface 10 can learn the MAC address corresponding to the source IP address 10.11.11.1. Follow these steps to enable support for ARP requests from a natural network. To do / Use the command / ...

  • Page 374

    [Switch-Vlan-interface10] ip address 192.168.1.2 8 [Switch-Vlan-interface10] quit # Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The outgoing interface for the static ARP entry is GigabitEthernet 2/0/1, which belongs to VLAN 10. [Switch] arp st...

  • Page 376: Proxy Arp Configuration

    2 Proxy ARP configuration. When configuring proxy ARP, go to these sections for the information you need: proxy ARP overview; enabling proxy ARP; displaying and maintaining proxy ARP. Proxy ARP overview: if a host sends an ARP request for the MAC address of another host that actually r...

  • Page 377

    You can solve the problem by enabling proxy ARP on the switch. After that, the switch replies to the ARP request from Host A with the MAC address of VLAN-interface 1 and forwards the packets Host A sends to Host B; the switch thus acts as a proxy for Host B. A main advantage of proxy ARP is that...
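    The ARP message layout described on page 369 and the proxy ARP behaviour described here (the switch answering with the MAC address of the VLAN interface the request arrived on) are small enough to simulate. The following Python is an added example written for this page, not code from the 3Com manual or from Comware. It parses and builds Ethernet/IPv4 ARP messages with the field layout the manual gives, flags gratuitous ARP (sender IP equal to target IP), and models a layer 3 switch deciding whether to proxy-reply. The interface names, MACs and host addresses are constructed for the example; only the VLAN-interface 1 address 192.168.10.99/24 comes from the page. The simplification that proxy ARP answers only for directly connected subnets is an assumption of the model.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# ARP message layout from the manual: hardware type (1 = Ethernet), protocol
# type (0x0800 = IPv4), hardware/protocol address lengths, opcode, then the
# sender and target hardware and protocol addresses.
ARP = struct.Struct("!HHBBH6s4s6s4s")
OP_REQUEST, OP_REPLY = 1, 2


def mac_bytes(text):
    """Comware 'xxxx-xxxx-xxxx' or colon notation to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw):
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op, sha, spa, tha, tpa):
    return ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), IPv4Address(spa).packed,
                    mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(raw):
    if len(raw) < ARP.size:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(raw)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    msg = {"op": op, "sha": mac_text(sha), "spa": str(IPv4Address(spa)),
           "tha": mac_text(tha), "tpa": str(IPv4Address(tpa))}
    # Gratuitous ARP: the sender announces its own address (sender IP == target IP).
    msg["gratuitous"] = msg["spa"] == msg["tpa"]
    return msg


class ProxyArpSwitch:
    """Constructed model: a layer 3 switch with one VLAN interface per subnet."""

    def __init__(self):
        self.ifaces = {}

    def add_interface(self, name, cidr, mac, proxy_arp=False, local_proxy_arp=False):
        ip, _, _ = cidr.partition("/")
        self.ifaces[name] = {"ip": IPv4Address(ip), "net": IPv4Network(cidr, strict=False),
                             "mac": mac, "proxy": proxy_arp, "local": local_proxy_arp}

    def handle(self, ingress, raw):
        """Return the ARP reply sent for a request received on `ingress`, or None."""
        req = parse_arp(raw)
        if req["op"] != OP_REQUEST or req["gratuitous"]:
            return None
        inb = self.ifaces[ingress]
        target = IPv4Address(req["tpa"])
        # Any reply carries the ingress interface MAC as the sender hardware address.
        reply = build_arp(OP_REPLY, inb["mac"], req["tpa"], req["sha"], req["spa"])
        if target == inb["ip"]:
            return reply  # the switch's own address: an ordinary ARP reply
        if target in inb["net"]:
            # Requester and target share the subnet: only local proxy ARP answers
            # (the isolated-port case on page 380).
            return reply if inb["local"] else None
        if not inb["proxy"]:
            return None
        # Proxy ARP: answer if the target sits on another directly connected
        # subnet the switch can forward to (assumption: connected subnets only).
        for name, other in self.ifaces.items():
            if name != ingress and target in other["net"]:
                return reply
        return None


if __name__ == "__main__":
    sw = ProxyArpSwitch()
    sw.add_interface("Vlan-interface1", "192.168.10.99/24", "000f-e200-0001", proxy_arp=True)
    sw.add_interface("Vlan-interface2", "192.168.20.99/24", "000f-e200-0002")
    req = build_arp(OP_REQUEST, "00e0-fc01-0001", "192.168.10.100", "0000-0000-0000", "192.168.20.200")
    print(parse_arp(sw.handle("Vlan-interface1", req)))
```

    The point the model makes visible: once proxy ARP is on, the switch answers for any address it can forward to, so a host on VLAN 1 never learns that 192.168.20.200 is not its neighbour, and with local proxy ARP it answers even for addresses on the requester's own subnet. Both are deliberate, but they also mean the switch's MAC appears in host ARP caches for addresses it does not own.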

  • Page 378

    To do / Use the command / Remarks: enter system view (system-view); enter interface view (interface interface-type interface-number; required); enable local proxy ARP (local-proxy-arp enable [ ip-range startip to endip ]; required; disabled by default). Displaying and maintaining proxy ARP. To do / Use the co...

  • Page 379

    Configuration procedure: # Create VLAN 2. system-view [Switch] vlan 2 [Switch-vlan2] quit # Specify the IP address of interface VLAN-interface 1. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0 # Enable proxy ARP on interface VLAN-interface 1. [...

  • Page 380

    Switch B in this diagram is a distributed device. Switch B has layer 2 and layer 3 port isolation configured in this example, so you need to configure local proxy ARP on VLAN-interface 2 of Switch A to enable communication between Host A and Host B. If the two ports on Switch B...

  • Page 381

    Layer 3 communication is implemented between the sub-VLANs. Figure 2-5 Network diagram for local proxy ARP in a super VLAN. Configuration procedure: # Create the super VLAN and the sub-VLANs. Add GigabitEthernet 2/0/2 to VLAN 2 and GigabitEthernet 2/0/1 to VLAN 3. Configure the IP address 192.168.10.1...

  • Page 382

    Configure local proxy ARP on Switch A to implement layer 3 communication between VLAN 2 and VLAN 3. Figure 2-6 Network diagram for local proxy ARP configuration in an isolate-user-VLAN. Configuration procedure: 1) Configure Switch B. # Create VLAN 2, VLAN 3, and VLAN 5 on Switch B. Add GigabitEthernet...

  • Page 383

    [SwitchA-Vlan-interface5] local-proxy-arp enable. After this configuration, a ping from Host A to Host B succeeds.

  • Page 384: Table of Contents

    Table of contents: 1 DHCP overview (1-1); introduction to DHCP ...

  • Page 385

    Self-defined option configuration example (2-19); troubleshooting DHCP server configuration (2-20); 3 DHCP relay agent configuration ...

  • Page 386: Dhcp Overview

    This document is organized as follows: DHCP overview; DHCP server configuration; DHCP relay agent configuration; DHCP client configuration; DHCP snooping configuration. 1 DHCP overview. Introduction to DHCP: the fast expansion and growing complexity of networks result in scarce IP addresses a...

  • Page 387

    DHCP address allocation. Allocation mechanisms: DHCP supports three mechanisms for IP address allocation. Manual allocation: the network administrator assigns an IP address to a client such as a WWW server, and DHCP conveys the assigned address to the client. Automatic allocation: DHCP assigns a ...

  • Page 388

    After receiving the DHCP-ACK message, the client checks whether the IP address assigned by the server is already in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, it can use the IP address. Otherwise, the client sends a DHCP-DECLINE me...

  • Page 389

    secs: filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0. flags: the leftmost bit is defined as the broadcast (B) flag. If this flag is set to 0, the DHCP server sent a reply back...

  • Page 390

    Option 121: classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. Option 33: static route option. It specifies a list of classful static routes (the d...

  • Page 391

    Figure 1-6 Format of the value field of the ACS parameter sub-option. The value field of the service provider identifier sub-option contains the service provider identifier. Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE se...

  • Page 392

    Figure 1-8 Sub-option 1 in normal padding format. Sub-option 2: padded with the MAC address of the DHCP relay agent interface, or the MAC address of the DHCP snooping device, that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that...

  • Page 393

    Sub-option 1: IP address of the primary network calling processor, which is a server that serves as the network calling control source and provides program downloads. Sub-option 2: IP address of the backup network calling processor that DHCP clients contact when the primary one is unreacha...

  • Page 394: Dhcp Server Configuration

    2 DHCP server configuration. When configuring the DHCP server, go to these sections for the information you need: introduction to DHCP server; DHCP server configuration task list; configuring an address pool for the DHCP server; enabling DHCP; enabling the DHCP server on an interfa...

  • Page 395

    DHCP address pool. Address pool types: DHCP address pools are classified into two types. Common address pool: supports both static binding and dynamic allocation. Extended address pool: supports dynamic allocation only. Common address pool structure: in response to a client's request, the DH...

  • Page 396

    ...the client's request (if a DHCP relay agent is in between). If no IP address is available in that address pool, the DHCP server fails to assign an address to the client, because it cannot hand the client an IP address from the father address pool. For the configuration of such address poo...

  • Page 397

    Task / Remarks: applying an extended address pool on an interface (required by the extended address pool configuration; when configuring a common address pool, ignore this task); configuring the DHCP server security functions (optional); configuring the handling mode for Option 82 (optional); configuring an...

  • Page 398

    A common address pool and an extended address pool differ in how the address allocation mode is configured. The configuration of other parameters (such as the domain name suffix and DNS server address) is the same for both. Configuring an address allocation mode for a common address pool: you can co...

  • Page 399

    Use the static-bind ip-address command together with static-bind mac-address or static-bind client-identifier to complete a static binding configuration. In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind client-identifier command, the latter ...

  • Page 400

    In common address pool view, using the network command repeatedly overwrites the previous configuration. After you exclude IP addresses from automatic allocation with the dhcp server forbidden-ip command, neither a common address pool nor an extended address pool can assign these IP address...

  • Page 401

    Configuring a domain name suffix for the client. You can specify a domain name suffix in each DHCP address pool on the DHCP server to hand the clients the domain name suffix. With this suffix assigned, the client only needs to enter part of a domain name, and the system adds the domai...

  • Page 402

    H (hybrid)-node: a combination of peer-to-peer first and broadcast second. The h-node client unicasts the destination name to the WINS server and, if no response is received, broadcasts it to get the destination IP address. Follow these steps to configure WINS servers and the NetBIOS node type in...

  • Page 403

    To do / Use the command / Remarks: enter DHCP address pool view (dhcp server ip-pool pool-name [ extended ]); specify gateways (gateway-list ip-address&; required; no gateway is specified by default). Configuring Option 184 parameters for the client with voice service: to assign voice calling parameters...

  • Page 404

    ...request from the DHCP server for parameters such as an IP address, the name of a TFTP server, and the bootfile name. 2) After getting the related parameters, the DHCP client sends a TFTP request to obtain the configuration file from the specified TFTP server for system initialization. If the cl...

  • Page 405

    Table 2-1 Description of common options. Option / Option name / Corresponding command / Command parameter: 3: router option (gateway-list ip-address); 6: domain name server option (dns-list ip-address); 15: domain name (domain-name ascii); 44: NetBIOS over TCP/IP name server option (nbns-list ip-address); 46: NetBIOS o...

  • Page 406

    If a DHCP relay agent sits between the DHCP server and the client, the DHCP server, regardless of whether the subaddress keyword is used, selects an IP address from the address pool that contains the primary IP address of the DHCP relay agent's interface (the one connected to the client) for a requestin...

  • Page 407

    Configuration prerequisites: before performing this configuration, complete the following configurations on the DHCP server: enable DHCP; configure the DHCP address pool. Enabling unauthorized DHCP server detection: unauthorized DHCP servers may exist on networks, and they reply to DHCP clients wi...

  • Page 408

    To do / Use the command / Remarks: configure a timeout for waiting for ping responses (dhcp server ping timeout milliseconds; optional; 500 ms by default; the value 0 means no ping operation is performed). Configuring the handling mode for Option 82: when the DHCP server receives a message with Op...

  • Page 410

    Figure 2-1 Network diagram for static IP address assignment: Switch A (DHCP server, VLAN-interface 2, 10.1.1.1/25); Switch B (DHCP client, VLAN-interface 2); Switch C (BOOTP client, VLAN-interface 2); DNS server 10.1.1.2/25; gateway 10.1.1.126/25. Configuration procedure: 1) Configure the IP address of VLAN-interface 2 on Switch A....

  • Page 411

    Dynamic IP address assignment configuration example. Network requirements: as shown in Figure 2-2, the DHCP server (Switch A) assigns IP addresses to clients in subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of VLAN-interfaces 1 and 2 on Switch A ...

  • Page 412

    [SwitchA] dhcp server forbidden-ip 10.1.1.4 [SwitchA] dhcp server forbidden-ip 10.1.1.126 [SwitchA] dhcp server forbidden-ip 10.1.1.254 # Configure DHCP address pool 0 (address range, client domain name suffix, and DNS server address). [SwitchA] dhcp server ip-pool 0 [SwitchA-dhcp-pool-0] netwo...

  • Page 413

    Figure 2-3 Network diagram for self-defined option configuration (a switch as the DHCP server): Switch A (DHCP server, VLAN-interface 2, 10.1.1.1/24) and Switch B (DHCP client, VLAN-interface 2). Configuration procedure: 1) Specify IP addresses for the interfaces (omitted). 2) Configure the DHCP server. # Enable DHCP. syst...

  • Page 414

    3-1 3 DHCP relay agent configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in:
    - Introduction to DHCP relay agent
    - DHCP relay agent configuration task list
    - Configuring the DHCP relay agent
    - Displaying and maintaining DHCP relay agent confi...

  • Page 415

    3-2 Figure 3-2 DHCP relay agent work process. As shown in Figure 3-2, the DHCP relay agent works as follows: 1) After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the messag...

  • Page 416

    3-3 Option 82 handling on the relay agent (columns: what the client's requesting message has, handling strategy, padding format, what the DHCP relay agent will do). If the message has no Option 82, the handling strategy does not apply and the padding format decides: normal: forward the message after adding the Option 82 padded in normal format; verbose: forward the message after adding the Option 82 padded in verbose format; user-defined: forwar...

  • Page 417

    3-4 Enable the DHCP relay agent on the current interface: dhcp select relay (required; with DHCP enabled, interfaces work in the DHCP server mode). If the DHCP client obtains an IP address via the DHCP relay agent, the address pool of the subnet to which the IP address of...

  • Page 418

    3-5 Configuring the DHCP relay agent security functions. Creating static bindings and enabling IP address check. The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindi...

  • Page 419

    3-6
    - If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means the IP address is assignable now, the DHCP relay agent will age out the client entry with this IP address.
    - If the server returns a DHCP-NAK message, which means the IP address is ...

  • Page 420

    3-7 Follow these steps to configure the DHCP relay agent in system view to send a DHCP-RELEASE request: enter system view: system-view; configure the DHCP relay agent to send a DHCP-RELEASE request: dhcp relay release ip client-ip (required). Configuring the DHCP relay ag...

  • Page 421

    3-8 Configure the padding content for the circuit ID sub-option: dhcp relay information circuit-id string circuit-id (optional; by default, the padding content depends on the padding format of Option 82). Configure user-defined Option 82: configure the padding content for ...

  • Page 422

    3-9 Clear packet statistics from relay agent: reset dhcp relay statistics [ server-group group-id ] (available in user view). DHCP relay agent configuration examples. DHCP relay agent configuration example. Network requirements: as shown in Figure 3-3, DHCP clients reside o...

  • Page 423

    3-10 security command to view bindings of DHCP relay agents, and use the display dhcp relay statistics command to view statistics of DHCP packets forwarded by DHCP relay agents.
    - Performing the configuration on the DHCP server is also required to guarantee the client-server communication via the re...

  • Page 424

    3-11 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function normally. Troubleshooting DHCP relay agent configuration. Symptom: DHCP clients cannot obtain any configuration parameters via the DHCP relay agent. Analysis: some problems may occur w...

  • Page 425: Dhcp Client Configuration

    4-1 4 DHCP client configuration. When configuring the DHCP client, go to these sections for information you are interested in:
    - Introduction to DHCP client
    - Enabling the DHCP client on an interface
    - Displaying and maintaining the DHCP client
    - DHCP client configuration example
    When multiple VLAN i...

  • Page 426

    4-2
    - An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one.
    - After the DHCP client is enabled on an interface, no secondary IP address can be configured for the interface.
    - If the i...

  • Page 427

    4-3 Configuration procedure. 1) Configure Switch A. # Specify the IP address of VLAN-interface 2.
    system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 10.1.1.1 24
    [SwitchA-Vlan-interface2] quit
    # Enable the DHCP service.
    [SwitchA] dhcp enable
    # Exclude an IP address fr...

  • Page 428

    4-4 [SwitchB-Vlan-interface2] display ip routing-table
    Routing Tables: Public
      Destinations : 5   Routes : 5
    Destination/Mask   Proto    Pre  Cost  NextHop      Interface
    10.1.1.0/24        Direct   0    0     10.1.1.3     Vlan2
    10.1.1.3/32        Direct   0    0     127.0.0.1    InLoop0
    20.1.1.0/24        Static   70   0     10.1.1.2     Vlan2
    127.0.0.0/8        Direct   0    0     127...

  • Page 429: Dhcp Snooping Configuration

    5-1 5 DHCP snooping configuration. When configuring DHCP snooping, go to these sections for information you are interested in:
    - DHCP snooping overview
    - Configuring DHCP snooping basic functions
    - Configuring DHCP snooping to support Option 82
    - Displaying and maintaining DHCP snooping
    - DHCP snoopi...

  • Page 430

    5-2 from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients. Recording IP-to-MAC mappings of DHCP clients. DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses ...

  • Page 431

    5-3 To save system resources, you can disable the trusted ports, which are indirectly connected to DHCP clients, from recording clients' IP-to-MAC bindings upon receiving DHCP requests. Figure 5-2 Configure trusted ports in a cascaded network. Table 5-1 describes roles of the ports shown in Figure 5-...

  • Page 432

    5-4 Option 82 handling on the snooping device (columns: what the client's requesting message has, handling strategy, padding format, what the DHCP snooping device will do). If the message has Option 82: drop (any padding format): drop the message; keep (any padding format): forward the message without changing Option 82; normal padding format: forward the message after replacing the original Option 82 with the Option 82 padded in normal fo...
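    The two Option 82 handling tables (the relay agent's on page 416 and the snooping device's above) and the trusted-port rules on page 430 are easiest to follow with a small simulation. The following Python is an added example, not code from the manual or from the switch software: it builds constructed DHCP messages, drops server messages that arrive on untrusted ports, records the IP-to-MAC binding from a DHCP-ACK seen on a trusted port, and applies a drop/keep/replace policy to Option 82 on client requests. The Option 82 sub-option layouts (a binary VLAN/port circuit ID for "normal", a readable string for "verbose"), the device MAC and the port names are assumptions for illustration; the real device formats are not reproduced.

```python
"""DHCP snooping and Option 82 handling, simulated over constructed DHCP messages (added example)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie that starts the options field
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}    # only a DHCP server legitimately sends these
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255


def rebuild(pkt, options):
    """Keep the 240-byte fixed header (incl. magic cookie) and re-serialise the option list."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return pkt[:240] + body + bytes([OPT_END])


def build_dhcp(op, chaddr, yiaddr, msg_type, options=None):
    """Build a minimal BOOTP/DHCP packet from constructed values; options is {code: value}."""
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + bytes(8)                       # op/htype/hlen/hops, xid/secs/flags
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)       # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")) + bytes(10) + bytes(192)  # chaddr(16), sname(64), file(128)
    return rebuild(hdr + MAGIC, {OPT_MSG_TYPE: bytes([msg_type]), **(options or {})})


def parse_dhcp(pkt):
    """Return op, client MAC, yiaddr and the options as {code: value}; raises on a non-DHCP payload."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "chaddr": pkt[28:28 + pkt[2]].hex(":"),
            "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])), "options": options}


def option82_value(vlan_id, port_index, remote_mac, fmt="normal"):
    """Value of Option 82: sub-option 1 (circuit ID) + sub-option 2 (remote ID).
    Assumed layouts: 'normal' packs VLAN and port as binary, 'verbose' uses a readable string."""
    circuit = (struct.pack("!HH", vlan_id, port_index) if fmt == "normal"
               else f"vlan{vlan_id}:port{port_index}".encode())
    remote = bytes.fromhex(remote_mac.replace(":", ""))
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote


class DhcpSnooper:
    """Snooping state of one switch: trusted ports, binding table, Option 82 policy."""

    def __init__(self, trusted_ports, opt82_policy="replace", opt82_format="normal",
                 device_mac="00:0f:e2:00:00:01"):          # device MAC is a made-up remote ID
        self.trusted = set(trusted_ports)
        self.policy, self.fmt, self.device_mac = opt82_policy, opt82_format, device_mac
        self.pending = {}    # client MAC -> (vlan, port) of its last request on an untrusted port
        self.bindings = {}   # client MAC -> (ip, vlan, port) learned from a DHCP-ACK on a trusted port

    def handle(self, port, vlan, pkt, port_index=1):
        """Return ('drop', reason) or ('forward', packet) for a DHCP frame received on port/vlan."""
        msg = parse_dhcp(pkt)
        mtype = msg["options"][OPT_MSG_TYPE][0]
        if mtype in SERVER_MESSAGES:
            if port not in self.trusted:     # a server answering behind a client port is unauthorized
                return "drop", f"server message {mtype} on untrusted port {port}"
            if mtype == ACK and msg["chaddr"] in self.pending:
                cvlan, cport = self.pending.pop(msg["chaddr"])
                self.bindings[msg["chaddr"]] = (msg["yiaddr"], cvlan, cport)
            return "forward", pkt
        if port in self.trusted:             # request already relayed by a downstream switch
            return "forward", pkt
        self.pending[msg["chaddr"]] = (vlan, port)
        options = msg["options"]
        if OPT_RELAY_INFO in options:        # client request already carries Option 82
            if self.policy == "drop":
                return "drop", f"Option 82 present on untrusted port {port}"
            if self.policy == "keep":
                return "forward", pkt
        options[OPT_RELAY_INFO] = option82_value(vlan, port_index, self.device_mac, self.fmt)
        return "forward", rebuild(pkt, options)
```

    The `pending` map is what ties the ACK's `yiaddr` back to the VLAN and port the request came in on; without it the binding table could not be used later for IP source guard or ARP checks.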

  • Page 433

    5-5
    - You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
    - Currently, you can specify Layer 2 Ethernet interfaces and Layer 2...

  • Page 435

    5-7
    - You can enable DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces, ONU ports and Layer 2 aggregation interfaces only.
    - If a Layer 2 Ethernet interface is added to an aggregation group, enabling DHCP snooping to support Option 82 on the interface will not take effect. After the in...

  • Page 436

    5-8 DHCP snooping configuration examples. DHCP snooping configuration example. Network requirements: as shown in Figure 5-3, Switch B is connected to a DHCP server through GigabitEthernet 2/0/1, and to two DHCP clients through GigabitEthernet 2/0/2 and GigabitEthernet 2/0/3. GigabitEthernet 2/0/1 forwards...

  • Page 437

    5-9 Configuration procedure. # Enable DHCP snooping.
    system-view
    [SwitchB] dhcp-snooping
    # Specify GigabitEthernet 2/0/1 as trusted.
    [SwitchB] interface gigabitethernet 2/0/1
    [SwitchB-GigabitEthernet2/0/1] dhcp-snooping trust
    [SwitchB-GigabitEthernet2/0/1] quit
    # Configure GigabitEthernet 2/0/2 to suppo...

  • Page 438: Table of Contents

    i Table of contents: 1 IPv4 DNS configuration 1-1; DNS overview ...

  • Page 439: Ipv4 Dns Configuration

    1-1 1 IPv4 DNS configuration. When configuring DNS, go to these sections for information you are interested in:
    - DNS overview
    - Configuring the IPv4 DNS client
    - Configuring the DNS proxy
    - Displaying and maintaining IPv4 DNS
    - IPv4 DNS configuration examples
    - Troubleshooting IPv4 DNS configuration...

  • Page 440

    1-2 Figure 1-1 Dynamic domain name resolution. Figure 1-1 shows the relationship between the user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client can run on the same device or different devices, while the DNS server and the DNS clie...

  • Page 441

    1-3 DNS proxy. Introduction to DNS proxy. A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a DNS request to the DNS proxy, which forwards the request to the designated DNS server, and conveys the reply from the DNS server t...

  • Page 442

    1-4
    - The IPv4 address you last assign to the host name will overwrite the previous one if there is any.
    - You may create up to 50 static mappings between domain names and IPv4 addresses.
    Configuring dynamic domain name resolution. To send DNS queries to a correct server for resolution, dynamic domai...

  • Page 443

    1-5 Displaying and maintaining IPv4 DNS: display the static IPv4 domain name resolution table: display ip host (available in any view); display IPv4 DNS server information: display dns server [ dynamic ] (available in any view); display DNS suffixes: display dns domain [ dynami...

  • Page 444

    1-6 0.00% packet loss, round-trip min/avg/max = 1/2/4 ms. Dynamic domain name resolution configuration example. Network requirements: as shown in Figure 1-4, the IP address of the DNS server is 2.1.1.2/16 and the name suffix is com. The mapping between domain name host and IP address 3.1.1.1/16 is stor...

  • Page 445

    1-7 Figure 1-5 Create a zone. # Create a mapping between host name and IP address. Figure 1-6 Add a host. In Figure 1-6, right click zone com, and then select New Host to bring up a dialog box as shown in Figure 1-7. Enter host name host and IP address 3.1.1.1..

  • Page 446

    1-8 Figure 1-7 Add a mapping between domain name and IP address. 2) Configure the DNS client. # Enable dynamic domain name resolution.
    system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    3) Config...

  • Page 447

    1-9 DNS proxy configuration example. Network requirements: as shown in Figure 1-8, specify Switch A as the DNS server of Switch B (the DNS client). Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. Switch B implements domain name resolution through Switch A. Figure 1-8 N...

  • Page 448

    1-10 # Specify the DNS server 2.1.1.2.
    [SwitchB] dns server 2.1.1.2
    4) Configuration verification. # Execute the ping host.com command on Switch B to verify that the communication between the switch and the host is normal and that the corresponding destination IP address is 3.1.1.1.
    [SwitchB] ping ho...

  • Page 449: Ipv6 Dns Configuration

    2-1 2 IPv6 DNS configuration. EA boards (such as LSQ1GP12EA and LSQ1TGX1EA) do not support IPv6 features. Introduction to IPv6 DNS. IPv6 DNS is responsible for translating domain names into IPv6 addresses. Similar to IPv4 DNS, IPv6 DNS involves static domain name resolution and dynamic domain name res...

  • Page 450

    2-2 In addition, you can configure a DNS suffix that the system will automatically add to the provided domain name for resolution. Follow these steps to configure dynamic domain name resolution: enter system view: system-view; enable dynamic domain name resolution: dns...

  • Page 451

    2-3 IPv6 DNS configuration examples. Static domain name resolution configuration example. Network requirements: as shown in Figure 2-1, static domain name resolution is configured on the switch and thus the switch can use the domain name host.com to access the host whose IPv6 address is 1::2. Figure 2...

  • Page 452

    2-4 Dynamic domain name resolution and the domain name suffix are configured on the switch that serves as a DNS client, and thus the switch can use domain name host to access the host with the domain name host.com and the IPv6 address 1::1/64. Figure 2-2 Network diagram of dynamic domain name resolu...

  • Page 453

    2-5 As shown in Figure 2-3, right click Forward Lookup Zones, select New Zone, and then follow the instructions to create a new zone named com. Figure 2-3 Create a zone. # Create a mapping between the host name and the IPv6 address. As shown in Figure 2-4, right click zone com. Figure 2-4 Create a ...

  • Page 454

    2-6 Figure 2-5 Select the resource record type. As shown in Figure 2-6, type host name host and IPv6 address 1::1, and then click OK. Figure 2-6 Add a mapping between domain name and IPv6 address.

  • Page 455

    2-7 2) Configure the DNS client. # Enable dynamic domain name resolution.
    system-view
    [Switch] dns resolve
    # Specify the DNS server 2::2.
    [Switch] dns server ipv6 2::2
    # Configure com as the DNS suffix.
    [Switch] dns domain com
    3) Configuration verification. # Use the ping ipv6 host command on the swit...

  • Page 456: Table of Contents

    i Table of contents: 1 IPv6 basics configuration 1-1; IPv6 overview ...

  • Page 457: Ipv6 Basics Configuration

    1-1 1 IPv6 basics configuration. When configuring IPv6 basics, go to these sections for information you are interested in:
    - IPv6 overview
    - IPv6 basics configuration task list
    - Configuring basic IPv6 functions
    - Configuring IPv6 NDP
    - Configuring PMTU discovery
    - Configuring IPv6 TCP properties
    - C...

  • Page 458

    1-2 IPv6 features. Header format simplification: IPv6 cuts down some IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 header. IPv6 uses a basic header with a fixed length, thus making IPv6 packet handling simple and improving the forwarding efficie...

  • Page 459

    1-3 Built-in security: IPv6 uses IPsec as its standard extension header to provide end-to-end security. This feature provides a standard for network security solutions and enhances the interoperability between different IPv6 applications. (Note that IPsec being defined as part of IPv6 does not protect traffic by itself: AH/ESP must still be configured and keyed on both ends.) QoS support: the flow label field in the IPv6 header allows the...

  • Page 460

    1-4 An IPv6 address prefix is written in ipv6-address/prefix-length notation, where the ipv6-address is in any of the notations mentioned above, and prefix-length is a decimal number indicating how many bits from the left-most of an IPv6 address make up the address prefix. IPv6 address classification. IPv...

  • Page 461

    1-5
    - The link-local addresses are used for communication between link-local nodes in neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
    - IPv6 unicast site-local addresses are similar to private IPv4 addresse...

  • Page 462

    1-6 Figure 1-2 Convert a MAC address into an EUI-64 interface identifier.
    - Tunnel interfaces: the lower 32 bits of the interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the interface identifier of an ISATAP tunnel interface are 0000:5EFE, while those of ...

  • Page 463

    1-7 ICMPv6 message: Redirect message (number 137): when a certain condition is satisfied, the default gateway sends a Redirect message to the source host so that the host can reselect a correct next hop router to forward packets. The NDP mainly provides the following functions: address resoluti...

  • Page 464

    1-8 Figure 1-4 Duplicate address detection. The DAD procedure is as follows: 1) Node A sends an NS message whose source address is the unassigned address :: and destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IP...
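    The EUI-64 conversion of Figure 1-2 (page 462) and the DAD exchange above can be reproduced with a few lines of Python. This is an added example, not part of the manual: it derives a modified EUI-64 interface identifier from a MAC address, forms the solicited-node multicast group that the NS is sent to, and simulates DAD against a constructed set of link neighbours (the node names and addresses are made up). `attempts=0` mirrors the `ipv6 nd dad attempts 0` setting on page 473, which disables the check.

```python
"""IPv6 address derivation used by NDP: EUI-64 interface IDs, solicited-node groups, DAD (added example)."""
import ipaddress


def eui64_interface_id(mac):
    """48-bit MAC -> modified EUI-64: split, insert FFFE, flip the U/L bit (bit 1 of the first byte)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def address_from_prefix(prefix, mac):
    """Stateless autoconfiguration: /64 prefix from an RA plus the EUI-64 of the interface MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr):
    """Solicited-node multicast group ff02::1:ffXX:XXXX built from the low 24 bits of addr."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low)


def duplicate_address_detection(tentative, link_nodes, attempts=1):
    """Simulate DAD: an NS from :: to the solicited-node group of `tentative`.
    link_nodes maps a (constructed) node name to the set of addresses it already owns.
    Returns (usable, responder); attempts=0 skips DAD, like `ipv6 nd dad attempts 0`."""
    if attempts == 0:
        return True, None
    tentative = ipaddress.IPv6Address(tentative)
    group = solicited_node(tentative)
    for name, addrs in link_nodes.items():
        owned = {ipaddress.IPv6Address(a) for a in addrs}
        # Only members of the solicited-node group receive the NS; a member that owns
        # the exact target address answers with an NA, so the address is a duplicate.
        if any(solicited_node(a) == group for a in owned) and tentative in owned:
            return False, name
    return True, None
```

    Two addresses that differ only above their low 24 bits share a solicited-node group, which is why the NA check compares the full target address and not just group membership.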

  • Page 465

    1-9 Redirection. When a host is started, its routing table may contain only the default route to the gateway. When certain conditions are satisfied, the gateway sends an ICMPv6 Redirect message to the source host so that the host can select a better next hop to forward packets (similar to the ICMP re...

  • Page 466

    1-10
    - Dual stack is the most direct transition approach. A network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can forward both IPv4 and IPv6 packets. For an upper layer application supporting both IPv4 and...

  • Page 467

    1-11 Tasks: configuring PMTU discovery (optional); configuring IPv6 TCP properties (optional); configuring ICMPv6 packet sending (optional). Configuring basic IPv6 functions. Enabling IPv6: before performing IPv6-related configurations, you need to enable IPv6. Otherwise, an interface cannot forward IPv6...

  • Page 469

    1-13
    - The manually configured global unicast address takes precedence over the one automatically generated. If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous one. Afte...

  • Page 470

    1-14 Configuring the maximum number of neighbors dynamically learned. The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it into the neighbor table. Too large a neighbor table may reduce the forwarding performance of the device; bounding it also limits how far a remote scan of a /64 subnet can fill the ND cache with unresolved entries. You can res...

  • Page 471

    1-15 Parameters: Retrans Timer: if the device fails to receive a response message within the specified time after sending an NS message, the device will retransmit the NS message. Reachable Time: if the neighbor reachability detection shows that a neighbor is reachable, the device considers...

  • Page 472

    1-16 Set the M flag bit to 1: ipv6 nd autoconfig managed-address-flag (optional; by default, the M flag bit is set to 0, that is, hosts acquire IPv6 addresses through stateless autoconfiguration). Set the O flag bit to 1: ipv6 nd autoconfig other-flag (optional; by default, ...

  • Page 473

    1-17 Configure the number of attempts to send an NS message for DAD: ipv6 nd dad attempts value (optional; 1 by default. When the value argument is set to 0, DAD is disabled). Configuring PMTU discovery. Configuring a static PMTU for a specified IPv6 address: you can config...

  • Page 474

    1-18 are received, the finwait timer is reset upon receipt of the last non-FIN packet and the connection is terminated after the finwait timer expires.
    - Size of the IPv6 TCP sending/receiving buffer.
    Follow these steps to configure IPv6 TCP properties: enter system v...

  • Page 475

    1-19 Follow these steps to enable replying to multicast echo requests: enter system view: system-view; enable replying to multicast echo requests: ipv6 icmpv6 multicast-echo-reply enable (required; not enabled by default). Once enabled, the device answers echo requests sent to groups such as ff02::1, which helps troubleshooting but also lets any node on the link enumerate it, so leave it off where that is not wanted. Enabling sending of ICMPv6 Time Exceeded packets ...

  • Page 477

    1-21 Clear the statistics of IPv6 and ICMPv6 packets (for distributed devices): reset ipv6 statistics [ slot slot-number ] (available in user view); clear the statistics of IPv6 and ICMPv6 packets (for distributed IRF devices): reset ipv6 statistics [ chassis chassis-numbe...

  • Page 478

    1-22 # Specify an aggregatable global unicast address for VLAN-interface 1, and allow it to advertise RA messages (no interface advertises RA messages by default).
    [SwitchA] interface vlan-interface 1
    [SwitchA-Vlan-interface1] ipv6 address 2001::1/64
    [SwitchA-Vlan-interface1] undo ipv6 nd ra halt
    [S...

  • Page 479

    1-23 Hosts use stateless autoconfig for addresses
    IPv6 Packet statistics:
      InReceives: 25829  InTooShorts: 0  InTruncatedPkts: 0  InHopLimitExceeds: 0  InBadHeaders: 0  InBadOptions: 0  ReasmReqds: 0  ReasmOKs: 0  InFragDrops: 0  InFragTimeouts: 0  OutFragFails: 0  InUnknownProtos: 0  InDelivers: 47  OutRequests:...

  • Page 480

    1-24 Hosts use stateless autoconfig for addresses
    IPv6 Packet statistics:
      InReceives: 272  InTooShorts: 0  InTruncatedPkts: 0  InHopLimitExceeds: 0  InBadHeaders: 0  InBadOptions: 0  ReasmReqds: 0  ReasmOKs: 0  InFragDrops: 0  InFragTimeouts: 0  OutFragFails: 0  InUnknownProtos: 0  InDelivers: 159  OutRequests: ...

  • Page 481

    1-25 InReceives: 117  InTooShorts: 0  InTruncatedPkts: 0  InHopLimitExceeds: 0  InBadHeaders: 0  InBadOptions: 0  ReasmReqds: 0  ReasmOKs: 0  InFragDrops: 0  InFragTimeouts: 0  OutFragFails: 0  InUnknownProtos: 0  InDelivers: 117  OutRequests: 83  OutForwDatagrams: 0  InNoRoutes: 0  InTooBigErrors: 0  OutFragOKs: 0 ...

  • Page 482

    1-26 Reply from 2001::15b:e0ea:3524:e791 bytes=56 sequence=1 hop limit=63 time = 3 ms
    --- 2001::15b:e0ea:3524:e791 ping statistics ---
    1 packet(s) transmitted, 1 packet(s) received, 0.00% packet loss, round-trip min/avg/max = 3/3/3 ms
    As shown in the output information, Switch B can ping Switch A and h...

  • Page 483: Table of Contents

    i Table of contents: 1 DHCPv6 configuration 1-1; DHCPv6 configuration overview ...

  • Page 484: Dhcpv6 Configuration

    1-1 1 DHCPv6 configuration. When configuring DHCPv6, go to these sections for information you are interested in:
    - DHCPv6 configuration overview
    - Configuring the DHCPv6 client
    - Configuring the DHCPv6 relay agent
    - Displaying and maintaining DHCPv6
    - DHCPv6 configuration examples
    EA boards (such as ...

  • Page 485

    1-2 Figure 1-1 Format of DUID-LL. Typical DHCPv6 network application. Figure 1-2 Network diagram for DHCPv6. Figure 1-2 shows a typical DHCPv6 network. A DHCPv6 client uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. I...

  • Page 486

    1-3 Stateless address autoconfiguration means that a node automatically generates an IPv6 address based on the information obtained through router/prefix discovery. For details, refer to IPv6 basics configuration in the IP Services volume. With an IPv6 address obtained through stateless address auto...

  • Page 487

    1-4 Figure 1-4 Operating process of a DHCPv6 relay agent (figure labels: DHCPv6 client, DHCPv6 relay agent, DHCPv6 server; (1) DHCPv6 message from client, (2) Relay-forward, (3) Relay-reply, (4) DHCPv6 message to client). As shown in Figure 1-4, the DHCPv6 relay agent works as follows: 1) The DHCPv6 client sends a request...
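    The Relay-forward / Relay-reply wrapping of Figure 1-4, as an added Python example that is not part of the manual (which does not show message bytes). The message layout (type, hop count, link-address, peer-address) and option 9, Relay Message, follow RFC 3315; the addresses and the transaction ID are constructed test values, and the server side is reduced to the one function needed to produce a well-formed Relay-reply.

```python
"""DHCPv6 relay agent: wrap a client message in Relay-forward, unwrap the server's Relay-reply (added example)."""
import ipaddress
import struct

SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13
OPT_RELAY_MSG = 9
HOP_COUNT_LIMIT = 32     # RFC 3315: a Relay-forward whose hop count already reached this is discarded


def option(code, value):
    """DHCPv6 option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(value)) + value


def parse_options(data):
    """Return {code: value} for a DHCPv6 option list."""
    opts, i = {}, 0
    while i + 4 <= len(data):
        code, length = struct.unpack("!HH", data[i:i + 4])
        opts[code] = data[i + 4:i + 4 + length]
        i += 4 + length
    return opts


def client_message(msg_type, xid, options=b""):
    """Client/server message: 1-byte type, 3-byte transaction ID, options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options


def relay_forward(link_address, peer_address, inner):
    """Step 2: wrap the message received from the client (or from a downstream relay).
    link-address identifies the client's link for pool selection; peer-address is the sender's address."""
    if inner[0] == RELAY_FORW:                  # already relayed once: chain and bump the hop count
        if inner[1] >= HOP_COUNT_LIMIT:
            raise ValueError("Relay-forward hop count limit reached; message discarded")
        hops = inner[1] + 1
    else:
        hops = 0
    return (bytes([RELAY_FORW, hops]) + ipaddress.IPv6Address(link_address).packed
            + ipaddress.IPv6Address(peer_address).packed + option(OPT_RELAY_MSG, inner))


def server_reply(relay_forw, reply_inner):
    """Step 3: the server copies hop count, link- and peer-address and carries its reply in option 9."""
    if relay_forw[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward")
    return bytes([RELAY_REPL]) + relay_forw[1:34] + option(OPT_RELAY_MSG, reply_inner)


def relay_reply_unwrap(relay_repl):
    """Step 4: the relay extracts the inner message and the peer address it must be sent to."""
    if relay_repl[0] != RELAY_REPL:
        raise ValueError("not a Relay-reply")
    peer = ipaddress.IPv6Address(relay_repl[18:34])
    inner = parse_options(relay_repl[34:])[OPT_RELAY_MSG]
    return str(peer), inner
```

    With two relays in the path the outer Relay-reply unwraps to another Relay-reply, which the next relay unwraps in turn; the peer-address at each layer is what keeps the reply on the right hop.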

  • Page 488

    1-5 Enable IPv6 stateless address autoconfiguration: ipv6 address auto (required).
    - For detailed information about the ipv6 address auto command, refer to IPv6 basics commands in the IP Services volume.
    - With an IPv6 address obtained through stateless address autoconfig...

  • Page 489

    1-6
    - Executing the ipv6 dhcp relay server-address command repeatedly can specify multiple DHCPv6 servers, and up to eight DHCPv6 servers can be specified for an interface. After receiving requests from DHCPv6 clients, the DHCPv6 relay agent forwards the requests to all the specified DHCPv6 servers.
    - ...

  • Page 490

    1-7 Figure 1-5 Stateless DHCPv6 configuration. Configuration procedure. 1) Configure Switch B. # Enable the IPv6 packet forwarding function.
    system-view
    [SwitchB] ipv6
    # Configure the IPv6 address of VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ipv6 address 1::1 64
    #...

  • Page 491

    1-8 DUID : 0003000100137ff6c818
    DNS servers : 1:2:3::5, 1:2:4::7
    Domain names : abc.com, sysname.com
    # You can use the display ipv6 dhcp client statistics command to view the current client statistics.
    [SwitchA-Vlan-interface2] display ipv6 dhcp client statistics
    Interface : Vlan-interface2
    Packets re...

  • Page 492

    1-9 # Enable the IPv6 packet forwarding function.
    system-view
    [SwitchA] ipv6
    # Configure the IPv6 addresses of VLAN-interface 1 and VLAN-interface 2 respectively.
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ipv6 address 2::1 64
    [SwitchA-Vlan-interface2] quit
    [SwitchA] interface vl...

  • Page 493: Table of Contents

    i Table of contents: 1 Tunneling configuration 1-1; Tunneling overview ...

  • Page 494

    ii Displaying and maintaining tunneling configuration 1-45; Troubleshooting tunneling configuration 1-45.

  • Page 495: Tunneling Configuration

    1-1 1 Tunneling configuration. When configuring tunneling, go to these sections for information you are interested in:
    - Tunneling overview
    - Tunneling configuration task list
    - Configuring an IPv6 manual tunnel
    - Configuring a 6to4 tunnel
    - Configuring an ISATAP tunnel
    - Configuring an IPv4 over IPv...

  • Page 496

    1-2
    - The term tunnel used throughout this document refers to an IPv4/IPv6 transition tunnel, IPv4 over IPv4 tunnel or IPv6 over IPv6 tunnel unless otherwise specified.
    - For information about MPLS TE, refer to MPLS TE configuration in the MPLS volume.
    Introduction to IPv4/IPv6 transition tunnels. Th...

  • Page 497

    1-3 The devices at both ends of an IPv6 over IPv4 tunnel must support the IPv4/IPv6 dual stack. Figure 1-1 IPv6 over IPv4 tunnel. The IPv6 over IPv4 tunnel processes packets in the following way: 1) A host in the IPv6 network sends an IPv6 packet to the device at the source end of the tunnel. 2) Afte...

  • Page 498

    1-4 Tunnel types and modes: manually configured tunnel: IPv6 manual tunnel; automatic tunnel: 6to4 tunnel, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel. The configuration parameters for each tunnel mode are listed in the following table: tunnel mode / source/destination IP address of the...

  • Page 499

    1-5 ip-address is a 32-bit source IPv4 address in the form of a.b.c.d or abcd:efgh, which need not be globally unique. Through the embedded IPv4 address, an ISATAP tunnel can automatically be created to transfer IPv6 packets. The ISATAP tunnel is mainly used for connection between IPv6 routers or be...

  • Page 500

    1-6 1) The IP packet received from the IPv4 network interface is sent to the IP protocol stack, which then checks the protocol number in the IP header. 2) If the protocol number is IPv4, the IP packet is sent to the tunnel module for decapsulation. 3) The decapsulated IP packet is sent back to the I...

  • Page 501

    1-7 A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are encapsulated at one end of the tunnel and decapsulated at the other end. Figure 1-5 depicts the encapsulation and decapsulation processes. Figure 1-5 X protocol networks interconnected through ...

  • Page 502

    1-8
    - Passenger protocol: protocol that the payload packet uses, IPX in the example.
    - Encapsulation or carrier protocol: protocol used to encapsulate the payload packet, that is, GRE.
    - Delivery or transport protocol: protocol used to encapsulate the GRE packet and then forward the packet to the ot...

  • Page 503

    1-9 Configuring a tunnel interface. Follow these steps to configure a tunnel interface: enter system view: system-view; create a tunnel interface and enter its view: interface tunnel number (required; by default, no tunnel interface is created); configure the description f...

  • Page 504

    1-10 Configuration procedure. Follow these steps to configure an IPv6 manual tunnel: enter system view: system-view; enable IPv6: ipv6 (required; by default, the IPv6 packet forwarding function is disabled); enter tunnel interface view: interface tunnel number; ipv6 addres...

  • Page 505

    1-11
    - After a tunnel interface is deleted, all the above features configured on the tunnel interface will be deleted.
    - If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so ...

  • Page 506

    1-12
    system-view
    [SwitchA] ipv6
    # Configure an IPv4 address for VLAN-interface 100.
    [SwitchA] interface vlan-interface 100
    [SwitchA-Vlan-interface100] ip address 192.168.100.1 255.255.255.0
    [SwitchA-Vlan-interface100] quit
    # Configure an IPv6 address for VLAN-interface 101.
    [SwitchA] interface vlan-...

  • Page 507

    1-13 # Configure an IPv6 manual tunnel.
    [SwitchB] interface tunnel 0
    [SwitchB-Tunnel0] ipv6 address 3001::2/64
    [SwitchB-Tunnel0] source vlan-interface 100
    [SwitchB-Tunnel0] destination 192.168.100.1
    [SwitchB-Tunnel0] tunnel-protocol ipv6-ipv4
    [SwitchB-Tunnel0] quit
    # Create service loopback group 1 ...

  • Page 508

    1-14 Line protocol current state: UP
    IPv6 is enabled, link-local address is fe80::c0a8:3201
      Global unicast address(es): 3001::2, subnet is 3001::/64
      Joined group address(es): ff02::1:ff00:0, ff02::1:ff00:1, ff02::1:ffa8:3201, ff02::2, ff02::1
      MTU is 1480 bytes
      ND reachable time is 30000 milliseconds
      ND ...

  • Page 509

    1-15 Configuration procedure. Follow these steps to configure a 6to4 tunnel: enter system view: system-view; enable IPv6: ipv6 (required; by default, the IPv6 packet forwarding function is disabled); enter tunnel interface view: interface tunnel number; ipv6 address { ipv6...

  • Page 510

    1-16
    - No destination address needs to be configured for a 6to4 tunnel because the destination address can automatically be obtained from the IPv4 address embedded in the 6to4 IPv6 address.
    - If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a...
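    The address embedding that makes 6to4 and ISATAP tunnels automatic (the 2002:AABB:CCDD::/48 prefix and the 0000:5EFE interface identifier from pages 498 and 499), the protocol-number check of the receive path on page 500, and the passenger/carrier/delivery layering of GRE on pages 501 and 502, as one added Python example that is not part of the manual. `tunnel_destination` shows why the note above needs no destination for an automatic tunnel and why a manual tunnel must be given one. Simplifications for illustration: the IPv4 delivery header leaves the checksum at zero, the GRE header is the 4-byte RFC 2784 form, and the passenger is IPv6 (0x86DD) rather than the IPX of the manual's figure; the endpoint addresses and the packet bytes are constructed.

```python
"""IPv6-over-IPv4 transition tunnels: 6to4/ISATAP addresses, protocol 41 and GRE encapsulation (added example)."""
import ipaddress
import struct

PROTO_IPV6, PROTO_GRE = 41, 47
ETHERTYPE_IPV6 = 0x86DD
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # with and without the U/L bit set


def sixto4_prefix(ipv4):
    """2002:AABB:CCDD::/48 for a 6to4 endpoint with IPv4 address a.b.c.d."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Network((b"\x20\x02" + packed + bytes(10), 48))


def isatap_link_local(ipv4):
    """fe80::5efe:a.b.c.d, the interface ID 0000:5EFE followed by the embedded IPv4 address."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + ISATAP_IIDS[0] + ipaddress.IPv4Address(ipv4).packed)


def tunnel_destination(ipv6_dst):
    """Automatic tunnel endpoint: recover the IPv4 address embedded in a 6to4 or ISATAP destination."""
    packed = ipaddress.IPv6Address(ipv6_dst).packed
    if packed[:2] == b"\x20\x02":
        return str(ipaddress.IPv4Address(packed[2:6]))
    if packed[8:12] in ISATAP_IIDS:
        return str(ipaddress.IPv4Address(packed[12:16]))
    raise ValueError("not a 6to4 or ISATAP address; a manual tunnel needs an explicit destination")


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 delivery header; the checksum is left 0 here (a real stack fills it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def encapsulate(ipv6_packet, src4, dst4, gre=False):
    """Protocol 41 (manual/6to4/ISATAP) or GRE (protocol 47, passenger type 0x86DD) encapsulation."""
    inner = struct.pack("!HH", 0, ETHERTYPE_IPV6) + ipv6_packet if gre else ipv6_packet
    return ipv4_header(src4, dst4, PROTO_GRE if gre else PROTO_IPV6, len(inner)) + inner


def decapsulate(packet):
    """Receive path: check the IP protocol number, then strip the delivery (and GRE) header."""
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_IPV6:
        return payload
    if proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if flags & 0xB000:                # C/K/S bits would add optional fields; not handled here
            raise ValueError("GRE header with optional fields")
        if ptype != ETHERTYPE_IPV6:
            raise ValueError("unexpected GRE passenger protocol")
        return payload[4:]
    raise ValueError(f"not a tunnel packet (protocol {proto})")
```

    Python prints the ISATAP address as fe80::5efe:201:102; the host output on page 516 shows the same address in the mixed fe80::5efe:2.1.1.2 notation.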

  • Page 511

    1-17 Configuration procedure. Make sure that Switch A and Switch B have the corresponding VLAN interfaces created and are reachable to each other.
    - Configuration on Switch A. # Enable IPv6.
    system-view
    [SwitchA] ipv6
    # Configure an IPv4 address for VLAN-interface 100.
    [SwitchA] interface vlan-interfa...

  • Page 512

    1-18
    system-view
    [SwitchB] ipv6
    # Configure an IPv4 address for VLAN-interface 100.
    [SwitchB] interface vlan-interface 100
    [SwitchB-Vlan-interface100] ip address 5.1.1.1 24
    [SwitchB-Vlan-interface100] quit
    # Configure an IPv6 address for VLAN-interface 101.
    [SwitchB] interface vlan-interface 101
    [Sw...

  • Page 513

    1-19 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss). Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms. Configuring an ISATAP tunnel. Configuration prerequisites:
    - Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) ...

  • Page 514

    1-20
    - If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a route to the peer must be configured at both ends so that the encapsulated packet can be forwarded normally. You can configure static or dynamic routing. Automatic tunnels do not suppo...

  • Page 515

    1-21 # Configure addresses for interfaces.
    [Switch] interface vlan-interface 100
    [Switch-Vlan-interface100] ipv6 address 3001::1/64
    [Switch-Vlan-interface100] quit
    [Switch] interface vlan-interface 101
    [Switch-Vlan-interface101] ip address 1.1.1.1 255.0.0.0
    [Switch-Vlan-interface101] quit
    # Configur...

  • Page 516

    1-22 Preferred link-local fe80::5efe:2.1.1.2, life infinite Link MTU 1280 (true link MTU 65515) Current Hop Limit 128 Reachable Time 42500ms (base 30000ms) Retransmission Interval 1000ms DAD Transmits 0 Default Site Prefix Length 48 # A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format wa...

  • Page 517

    1-23 Configuration verification. After the above configurations, the ISATAP host can access the host in the IPv6 network. Configuring an IPv4 over IPv4 tunnel. Configuration prerequisites • Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensu...

  • Page 518

    1-24 • If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded normally. You need to configure a static or dynamic route at both en...

  • Page 519

    1-25 # Configure an IPv4 address for VLAN-interface 100. system-view [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 10.1.1.1 255.255.255.0 [SwitchA-Vlan-interface100] quit # Configure an IPv4 address for VLAN-interface 101 (configured on the physical interface of the t...

  • Page 520

    1-26 [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ip address 3.1.1.1 255.255.255.0 [SwitchB-Vlan-interface101] quit # Create the interface Tunnel 2. [SwitchB] interface tunnel 2 # Configure an IPv4 address for the interface Tunnel 2. [SwitchB-Tunnel2] ip address 10.1.2.2 255.25...

  • Page 521

    1-27 4 packets input, 256 bytes 0 input error 12 packets output, 768 bytes 0 output error display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 1480 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUN...

  • Page 522

    1-28 Configuration prerequisites • Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. • Specify one of the above interfaces as the source interface of the tunnel. • Ensure reachability between the tunnel source and...

  • Page 523

    1-29 • If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded normally. You need to configure a static or dynamic route at both en...

  • Page 524

    1-30 # Configure an IPv4 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ip address 30.1.1.1 255.255.255.0 [SwitchA-Vlan-interface100] quit # Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel). [SwitchA] interface...

  • Page 525

    1-31 # Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel). [SwitchB] interface vlan-interface 101 [SwitchB-Vlan-interface101] ipv6 address 2002::2:1 64 [SwitchB-Vlan-interface101] quit # Create the interface Tunnel 2. [SwitchB] interface tunnel 2 # Configure an i...

  • Page 526

    1-32 Last clearing of counters: Never Last 300 seconds input: 0 bytes/sec, 0 packets/sec Last 300 seconds output: 0 bytes/sec, 0 packets/sec 152 packets input, 9728 bytes 0 input error 168 packets output, 10752 bytes 0 output error display interface tunnel 2 Tunnel2 current state: UP Line protocol c...

  • Page 527

    1-33 Configuration prerequisites • Configure IP addresses for interfaces (such as the VLAN interface, and loopback interface) on the device to ensure normal communication. • Specify one of the above interfaces as the source interface of the tunnel. • Ensure reachability between the tunnel source and...

  • Page 528

    1-34 • If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded normally. You can configure static or dynamic routes. For the detail...

  • Page 529

    1-35 • Configuration on Switch A # Enable IPv6. system-view [SwitchA] ipv6 # Configure an IPv6 address for VLAN-interface 100. [SwitchA] interface vlan-interface 100 [SwitchA-Vlan-interface100] ipv6 address 2002:1::1 64 [SwitchA-Vlan-interface100] quit # Configure an IPv6 address for VLAN-interface ...

  • Page 530

    1-36 [SwitchB] ipv6 # Configure an IPv6 address for VLAN-interface 100. [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ipv6 address 2002:3::1 64 [SwitchB-Vlan-interface100] quit # Configure an IPv6 address for VLAN-interface 101 (the physical interface of the tunnel). [SwitchB] i...

  • Page 531

    1-37 Global unicast address(es): 3001::1:1, subnet is 3001::/64 Joined group address(es): FF02::1:FF13:1 FF02::1:FF01:1 FF02::1:FF00:0 FF02::2 FF02::1 MTU is 1460 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IP...

  • Page 532

    1-38 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/19/31 ms Configuring a GRE over IPv4 tunnel. EB boards and SD boards support only the GRE over IPv4 tunnel. Configuration prerequisites. Interfaces on a device, such as VLAN interfaces, and loopback interfac...

  • Page 533

    1-39 To do… Use the command… Remarks. Configure a route through the tunnel: refer to the IP Routing Volume; optional; each end of the tunnel must have a route (static or dynamic) through the tunnel to the other end. Note that: • The source address and destination address of a tunnel uniquely identify a...

  • Page 534

    1-40 [SwitchA-Vlan-interface100] quit [SwitchA] interface vlan-interface 101 [SwitchA-Vlan-interface101] ip address 1.1.1.1 255.255.255.0 [SwitchA-Vlan-interface101] quit # Create an interface named Tunnel 1. [SwitchA] interface tunnel 1 # Configure an IPv4 address for interface Tunnel 1. [SwitchA-T...

  • Page 535

    1-41 # Configure the tunnel encapsulation mode. [SwitchB-Tunnel1] tunnel-protocol gre # Configure the source address for interface Tunnel 1. [SwitchB-Tunnel1] source vlan-interface 101 # Configure the destination address for interface Tunnel 1. [SwitchB-Tunnel1] destination 1.1.1.1 [SwitchB-Tunnel1]...

  • Page 537

    1-43 Configuration example. Network requirements: Two IPv4 subnets, Group 1 and Group 2, are interconnected through a GRE tunnel over the IPv6 network between Switch A and Switch B. Figure 1-15 Network diagram for a GRE over IPv6 tunnel. Configuration procedure: Before the configuration, make sure that Sw...

  • Page 538

    1-44 # Configure the destination address of interface Tunnel 0 to be the IP address of interface VLAN-interface 101 on Switch B. [SwitchA-Tunnel0] destination 2002::2:1 [SwitchA-Tunnel0] quit # Create service loopback group 1, setting the service type to tunnel. [SwitchA] service-loopback group 1 ty...

  • Page 539

    1-45 [SwitchB-Tunnel0] quit # Create service loopback group 1, setting the service type to tunnel. [SwitchB] service-loopback group 1 type tunnel # Add interface GigabitEthernet 2/0/3 to service loopback group 1. [SwitchB] interface gigabitethernet 2/0/3 [SwitchB-GigabitEthernet2/0/3] undo stp enabl...

  • Page 540: Table of Contents

    i Table of Contents: 1 UDP Helper Configuration 1-1; Introduction to UDP Helper ...

  • Page 541: Udp Helper Configuration

    1-1 1 UDP Helper Configuration. When configuring UDP Helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and maintaining UDP Helper • UDP Helper configuration examples. UDP Helper can be currently configured on VLAN int...

  • Page 542

    1-2 To do… Use the command… Remarks. Enter interface view: interface interface-type interface-number —. Specify the destination server to which UDP packets are to be forwarded: udp-helper server ip-address, required; no destination server is specified by default. • The UDP Helper enabled device cannot for...

  • Page 543

    1-3 Figure 1-1 Network diagram for UDP Helper configuration. Configuration procedure: The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available. # Enable UDP Helper. system-view [SwitchA] udp-helper enable # Enable the forwarding of broadcast packets w...

  • Page 544: Table of Contents

    i Table of Contents: 1 FTP Configuration 1-1; FTP Overview ...

  • Page 545: Ftp Configuration

    1-1 1 FTP Configuration. When configuring FTP, go to these sections for information you are interested in: • FTP overview • Configuring the FTP client • Configuring the FTP server • Displaying and maintaining FTP. FTP overview. Introduction to FTP: The File Transfer Protocol (FTP) is an application laye...

  • Page 546

    1-2 Table 1-1 Configuration when the device serves as the FTP client. Device / Configuration / Remarks. Device (FTP client): Use the ftp command to establish the connection to the remote FTP server. If the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device mus...

  • Page 547

    1-3 Only users with the manage level can use the ftp command to log in to an FTP server, enter FTP client view, and execute directory and file related commands. However, whether the commands can be executed successfully depends on the authorizations of the FTP server. Establishing an FTP connection ...

  • Page 549

    1-5 To do… Use the command… Remarks. Exit the current working directory and return to an upper level directory of the remote FTP server: cdup, optional. Display the working directory that is being accessed: pwd, optional. Create a directory on the remote FTP server: mkdir directory, optional. Remove the speci...

  • Page 550

    1-6 To do… Use the command… Remarks. Upload a file to the FTP server: put localfile [ remotefile ], optional. Download a file from the FTP server: get remotefile [ localfile ], optional. Using another username to log in to an FTP server: After the device serving as the FTP client has established a connectio...

  • Page 551

    1-7 To do… Use the command… Remarks. Terminate the connection to the FTP server without exiting FTP client view: disconnect, optional; equal to the close command. Terminate the connection to the FTP server without exiting FTP client view: close, optional; equal to the disconnect command. Terminate the conn...

  • Page 552

    1-8 User(10.1.1.1:(none)):abc 331 Give me your password, please Password: 230 Logged in successfully # Set the file transfer mode to binary. [ftp] binary 200 Type set to I. # Download the startup file newest.app from the PC to the device. • Download the startup file newest.app from the PC to the root directory ...

  • Page 553

    1-9 FTP client configuration example (distributed IRF device). Network requirements • As shown in Figure 1-3, Device is an IRF system, which is composed of a master and a slave. The member ID of the master is 1, and the slot numbers of the AMB and the SMB on the master are 0 and 1 respectively. The m...

  • Page 554

    1-10 200 Type set to I. # Download the startup file newest.app from the PC to the device. • Download the startup file newest.app from the PC to the root directory of the storage medium on the AMB of the IRF (that is, the AMB on the master). [ftp] get newest.app • Download the startup file newest.app from the PC...

  • Page 555

    1-11 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. Configuring the...

  • Page 556

    1-12 Configuring authentication and authorization on the FTP server. To allow an FTP user to access certain directories on the FTP server, you need to create an account for the user, authorizing access to the directories and associating the username and password with the account. The following config...

  • Page 557

    1-13 FTP server configuration example (distributed device). Network requirements • As shown in Figure 1-4, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. • PC keeps the updated...

  • Page 558

    1-14 delete /unreserved flash:/back.cfg 2) Configure the PC (FTP client) # Log in to the FTP server through FTP. C:\> ftp 1.1.1.1 Connected to 1.1.1.1. 220 FTP service ready. User(1.1.1.1:(none)):ftp 331 Password required for ftp. Password: 230 User logged in. # Download the configuration file confi...

  • Page 559

    1-15 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. FTP server conf...

  • Page 560

    1-16 system-view [Sysname] local-user ftp [Sysname-luser-ftp] password simple pwd [Sysname-luser-ftp] authorization-attribute level 3 [Sysname-luser-ftp] authorization-attribute work-directory flash:/ To access an SMB of the IRF (suppose that the member ID and slot number of the membe...

  • Page 561

    1-17 copy newest.app chassis1#slot1#flash:/ copy newest.app chassis2#slot0#flash:/ copy newest.app chassis2#slot1#flash:/ # Specify newest.app as the main startup file to be used at the next startup for all the main boards of the IRF. boot-loader file newest.app chassis 1 slot 0 main This command wi...

  • Page 562: Tftp Configuration

    2-1 2 TFTP Configuration. When configuring TFTP, go to these sections for information you are interested in: • TFTP overview • Configuring the TFTP client • Displaying and maintaining the TFTP client • TFTP client configuration example (distributed device) • TFTP client configuration example (distrib...

  • Page 563

    2-2 Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a reachable route between the TFTP client and server. When the device serves as the TFTP client, you need to perform the following configuration: Table 2-1 Configurati...

  • Page 564

    2-3 • If you use the tftp client source command and the tftp command to specify a source address respectively, the source address configured with the tftp command is used to communicate with a TFTP server. The source address specified with the tftp client source command is valid for all TFTP connect...

  • Page 565

    2-4 TFTP client configuration example (distributed device). Network requirements • As shown in Figure 2-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. • Device downloads a s...

  • Page 566

    2-5 This command will set the boot file of the specified board. Continue? [Y/N]:y The specified file will be used as the main boot file at the next reboot on slot 1! # Reboot the device and the software is upgraded. reboot The startup file used for the next startup must be saved under the root direc...

  • Page 567

    2-6 If the available memory space of the device is insufficient, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations. # Enter system view. system-view # Download application file newest.ap...

  • Page 568

    2-7 The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume.

  • Page 569: Table of Contents

    i Table of Contents: 1 sFlow Configuration 1-1; sFlow Overview ...

  • Page 570: Sflow Configuration

    1-1 1 sFlow Configuration. When configuring sFlow, go to these sections for information you are interested in: • sFlow overview • Configuring sFlow • Displaying and maintaining sFlow • sFlow configuration example • Troubleshooting sFlow configuration. The S7900E series Ethernet switches are distributed...

  • Page 571

    1-2 Currently, only the sFlow agent function is supported on the device. Operation of sFlow: sFlow operates as follows: 1) With sFlow enabled, a physical port encapsulates sampled data into packets and sends them to the sFlow agent. 2) The sFlow agent periodically collects the statistics of all sFlow...

  • Page 572

    1-3 • The sFlow agent and sFlow collector must not have the same IP address. • Currently, you can specify at most two sFlow collectors on the device. • The sFlow agent and sFlow collector must be configured with the same version of IP addresses. Displaying and maintaining sFlow. To do… Use the comman...

  • Page 573

    1-4 [Switch] sflow agent ip 3.3.3.1 # Specify the IP address and port number of the sFlow collector. [Switch] sflow collector ip 3.3.3.2 # Set the sFlow interval to 30 seconds. [Switch] sflow interval 30 # Enable sFlow in both the inbound and outbound directions on GigabitEthernet 2/0/1. [Switch] in...

  • Page 574

    IP Routing Volume Organization. Manual version: 20091015-C-1.00. Product version: Release 6605 and later. Organization: The IP Routing Volume is organized as follows: Features / Description. IP Routing Basics: This document describes: • Introduction to IP routing and routing table • Routing protocol overview ...

  • Page 575

    Features / Description. IS-IS: Intermediate System-to-Intermediate System (IS-IS) is a link state protocol, which uses the shortest path first (SPF) algorithm. This document describes: • Configuring IS-IS basic functions • Configuring IS-IS routing information control • Tuning and optimizing IS-IS netwo...

  • Page 576

    Features / Description. IPv6 BGP: To support multiple network layer protocols, IETF extended BGP-4 by introducing IPv6 BGP. This document describes: • Configuring IPv6 BGP basic functions • Controlling route distribution and reception • Configuring IPv6 BGP route attributes • Tuning and optimizing IPv6 ...

  • Page 577: Table of Contents

    i Table of Contents: 1 IP Routing Basics Configuration 1-1; IP Routing and Routing Table ...

  • Page 578

    1-1 1 IP Routing Basics Configuration. Go to these sections for information you are interested in: • IP routing and routing table • Routing protocol overview • Configuring a router ID • Displaying and maintaining a routing table. • The term “router” in this document refers to a router in a generic sen...

  • Page 579

    1-2 • Network mask: Specifies, in company with the destination address, the address of the destination network. A logical AND operation between the destination address and the network mask yields the address of the destination network. For example, if the destination address is 129.102.8.10 and the ...

  • Page 580

    1-3 Figure 1-1 A sample routing table [network diagram: Router A through Router H and their interface addresses; figure text not reproduced] ...

  • Page 581

    1-4 • Exterior gateway protocols (EGPs): Work between autonomous systems. The most popular one is BGP. An autonomous system refers to a group of routers that share the same routing policy and work under the same administration. Routing algorithm • Distance-vector protocols: RIP and BGP. BGP is also ...

  • Page 582

    1-5 Routing approach / Priority: OSPF NSSA 150; IBGP 255; EBGP 255; Unknown 256. • The smaller the priority value, the higher the priority. • The priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured. • Each static route can...

  • Page 583

    1-6 Route recursion. The nexthops of some BGP routes (except EBGP routes) and static routes configured with nexthops may not be directly connected. To forward the packets, the outgoing interface to reach the nexthop must be available. Route recursion is used to find the outgoing interface based on th...

  • Page 584

    1-7 To do… Use the command… Remarks. Display statistics about the network routing table or a VPN routing table: display ip routing-table [ vpn-instance vpn-instance-name ] statistics, available in any view. Display the router ID: display router id, available in any view. Clear statistics for the routing ta...

  • Page 585: Table of Contents

    i Table of Contents: 1 Static Routing Configuration 1-1; Introduction ...

  • Page 586: Static Routing Configuration

    1-1 1 Static Routing Configuration. When configuring a static route, go to these sections for information you are interested in: • Introduction • Configuring a static route • Configuring BFD for static routes • Displaying and maintaining static routes • Static route configuration example. The term “ro...

  • Page 587

    1-2 • The network administrator can configure a default route with both destination and mask being 0.0.0.0. The router forwards any packet whose destination address fails to match any entry in the routing table to the next hop of the default static route. • Some dynamic routing protocols, such as OS...

  • Page 589

    1-4 A dynamic routing protocol notifies BFD of its neighbor information. BFD uses such information to establish sessions with neighbors by sending BFD control packets. Static routing, which has no neighbor discovery mechanism, implements BFD as follows: BFD control packet mode: To use BFD control pac...

  • Page 590

    1-5 • If route flaps occur, enabling BFD may worsen the route flaps. Therefore, enable BFD with care in such cases. • The source address of echo packets must be configured if the BFD session operates in the echo mode. • If you configure BFD for a static route, you need to specify the outbound interf...

  • Page 591

    1-6 Figure 1-1 Network diagram for static route configuration. Configuration procedure 1) Configuring IP addresses for interfaces (omitted) 2) Configuring static routes # Configure a default route on Switch A. system-view [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 # Configure two static routes...

  • Page 592

    1-7 127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0 # Display the IP routing table of Switch B. [SwitchB] display ip routing-table Routing Tables: Public Destinations : 10 Routes : 10 Destination/Mask Proto Pre Cost NextHop Interface 1.1.2.0/24 Static 60 0 1.1.4.1 Vlan500 1.1.3.0/24 Static 60 0 1.1.5.6 Vl...

  • Page 593

    1-8 Configuring BFD echo packet mode for static routing. Network requirements: As shown in the following figure, configure a static route on Switch A to Switch C and enable BFD. When the link between Switch A and Switch B fails, Switch A selects Switch D to reach Switch C. Figure 1-2 Network diagram f...

  • Page 594

    1-9 Static Routing table Status : Summary Count : 1 Destination/Mask Proto Pre Cost NextHop Interface 120.1.1.1/24 Static 65 0 10.1.1.100 Vlan10 Direct Routing table Status : Summary Count : 1 Destination/Mask Proto Pre Cost NextHop Interface 120.1.1.1/24 Static 60 0 11.1.1.2 Vlan11 # Enable BFD deb...

  • Page 595

    1-10 Configuring BFD control packet mode for static routing. Network requirements: As shown in the following figure, configure a static route to subnet 14.1.1.0/24 on Switch A and configure a static route to subnet 13.1.1.0/24 on Switch B. Both routes have BFD control packet mode enabled. When the lin...

  • Page 596

    1-11 display ip routing-table protocol static Public Routing Table : Static Summary Count : 1 Static Routing table Status : Summary Count : 1 Destination/Mask Proto Pre Cost NextHop Interface 14.1.1.0/24 Static 60 0 12.1.1.2 Vlan12 Static Routing table Status : Summary Count : 0 # Enable BFD debuggi...

  • Page 597: Table of Contents

    i Table of Contents: 1 RIP Configuration 1-1; RIP Overview ...

  • Page 599: Rip Configuration

    1-1 1 RIP Configuration. The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. When configuring RIP, go to these sections for information you are interested in: • RIP overview • Configuring RIP basic functions • Configuring RIP route control • Configuring RIP n...

  • Page 600

    1-2 • Next hop: IP address of the adjacent router’s interface to reach the destination. • Egress interface: Packet outgoing interface. • Metric: Cost from the local router to the destination. • Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the r...

  • Page 601

    1-3 RIP version. RIP has two versions, RIPv1 and RIPv2. RIPv1, a classful routing protocol, supports message advertisement via broadcast only. RIPv1 protocol messages do not carry mask information, which means it can only recognize routing information of natural networks such as Class A, B, C. That i...

  • Page 602

    1-4 • IP address: Destination IP address of the route. It can be a natural network, subnet or a host address. • Metric: Cost of the route, 16 for request messages. RIPv2 message format: The format of a RIPv2 message is similar to RIPv1. Figure 1-2 shows it. Figure 1-2 RIPv2 message format Command AFI I...

  • Page 603

    1-5 • RFC 1723 only defines plain text authentication. For information about MD5 authentication, refer to RFC 2453 “RIP Version 2”. • With RIPv1, you can configure the authentication mode in interface view. However, the configuration will not take effect because RIPv1 does not support authentication...

  • Page 604

    1-6 To do… Use the command… Remarks. Enter system view: system-view ––. Enable a RIP process and enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ], required; not enabled by default. Enable RIP on the interface attached to the specified network: network network-address, required; disabled b...

  • Page 605

    1-7 • If neither global nor interface RIP version is configured, the interface sends RIPv1 broadcasts and can receive RIPv1 broadcast and unicast packets, and RIPv2 broadcast, multicast, and unicast packets. • If an interface has no RIP version configured, it uses the global RIP version; otherwise i...

  • Page 606

    1-8 • Configure an IP address for each interface, and make sure all neighboring routers are reachable to each other. • Configure RIP basic functions. Configuring an additional routing metric: An additional routing metric (hop count) can be added to the metric of an inbound or outbound RIP route. The o...

  • Page 607

    1-9 Advertising a summary route. You can configure RIPv2 to advertise a summary route on the specified interface. To do so, use the following commands: To do… Use the command… Remarks. Enter system view: system-view ––. Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] ––. Disable RIPv...

  • Page 608

    1-10 Advertising a default route. You can configure RIP to advertise a default route with a specified metric to RIP neighbors. • In RIP view, you can configure all the interfaces of the RIP process to advertise a default route; in interface view, you can configure a RIP interface of the RIP process t...

  • Page 610

    1-12 To do… Use the command… Remarks. Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] ––. Configure a default metric for redistributed routes: default cost value, optional; the default metric of a redistributed route is 0 by default. Redistribute routes from another protocol: import-r...

  • Page 611

    1-13 Based on network performance, you need to make the RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route oscillation. Configuring split horizon and poison reverse: If both split horizon and poison reverse are configured, only the poison reverse function takes effect...

  • Page 612

    1-14 To do… Use the command… Remarks. Enable poison reverse: rip poison-reverse, required; disabled by default. Configuring the maximum number of load balanced routes: This task allows you to implement load balancing over multiple equal-cost RIP routes. Follow these steps to configure the maximum number o...

  • Page 613

    1-15 To do… Use the command… Remarks. Enter system view: system-view ––. Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] ––. Enable source IP address check on incoming RIP messages: validate-source-address, optional; enabled by default. The source IP address check feature should be disa...

  • Page 614

    1-16 To do… Use the command… Remarks. Enter system view: system-view ––. Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] ––. Specify a RIP neighbor: peer ip-address, required. Disable source address check on incoming RIP updates: undo validate-source-address, required; not disabled by def...

  • Page 615

    1-17 To do… Use the command… Remarks. Configure the maximum number of RIP packets that can be sent at the specified interval: output-delay time count count, optional; by default, an interface sends up to three RIP packets every 20 milliseconds. Configuring BFD for RIP: For more information about BFD, ref...

  • Page 616

    1-18 To do… Use the command… Remarks. Specify a RIP neighbor: peer ip-address, required; by default, RIP does not unicast updates to any peer. Enter interface view: interface interface-type interface-number —. Enable BFD on the RIP interface: rip bfd enable, required; disabled by default. • Unidirectional det...

  • Page 617

    1-19 Figure 1-4 Network diagram for RIP version configuration. Configuration procedure 1) Configure an IP address for each interface (omitted) 2) Configure basic RIP functions # Configure Switch A. [SwitchA] rip [SwitchA-rip-1] network 192.168.1.0 [SwitchA-rip-1] network 172.16.0.0 [SwitchA-rip-1] ne...

  • Page 618

    1-20 Peer 192.168.1.2 on Vlan-interface100 Destination/Mask Nexthop Cost Tag Flags Sec 10.0.0.0/8 192.168.1.2 1 0 RA 50 10.2.1.0/24 192.168.1.2 1 0 RA 16 10.1.1.0/24 192.168.1.2 1 0 RA 16 From the routing table, you can see that RIPv2 uses a classless subnet mask. Since RIPv1 routing information has a long...

  • Page 619

    1-21 # Enable RIP 100 and RIP 200 and specify RIP version 2 on Switch B. system-view [SwitchB] rip 100 [SwitchB-rip-100] network 11.0.0.0 [SwitchB-rip-100] version 2 [SwitchB-rip-100] undo summary [SwitchB-rip-100] quit [SwitchB] rip 200 [SwitchB-rip-200] network 12.0.0.0 [SwitchB-rip-200] version 2...

  • Page 620

    1-22 16.4.1.0/24 direct 0 0 16.4.1.1 vlan400 16.4.1.1/32 direct 0 0 127.0.0.1 inloop0 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 4) configure a filtering policy to filter redistributed routes # define acl 2000 and reference it to a filtering policy to filter ...

  • Page 621

    1-23 figure 1-6 network diagram for rip interface additional metric configuration configuration procedure 1) configure ip addresses for the interfaces (omitted). 2) configure rip basic functions. # configure switch a. system-view [switcha] rip 1 [switcha-rip-1] network 1.0.0.0 [switcha-rip-1] versio...

  • Page 622

    1-24 [switche-rip-1] undo summary # display the ip routing table of switch a. [switcha] display rip 1 database 1.0.0.0/8, cost 0, classfulsumm 1.1.1.0/24, cost 0, nexthop 1.1.1.1, rip-interface 1.1.2.0/24, cost 0, nexthop 1.1.2.1, rip-interface 1.1.3.0/24, cost 1, nexthop 1.1.1.2 1.1.4.0/24, cost 1,...

  • Page 623

    1-25 figure 1-7 network diagram for rip summary route advertisement configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure ospf basic functions # configure switch a. system-view [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0...

  • Page 624

    1-26 system-view [switchd] rip 1 [switchd-rip-1] network 11.0.0.0 [switchd-rip-1] version 2 [switchd-rip-1] undo summary [switchd-rip-1] quit # configure rip to redistribute the routes from ospf process 1 and direct routes on switch c. [switchc-rip-1] import-route direct [switchc-rip-1] import-route...

  • Page 625

    1-27 configuring bfd for rip (single-hop detection in bfd echo packet mode) network requirements as shown in the following figure: z switch a and switch c are interconnected through a layer 2 switch. Vlan-interface 100 of the two switches runs rip process 1, bfd is enabled on vlan-interface 100 of s...

  • Page 626

    1-28 [switchb] rip 1 [switchb-rip-1] network 192.168.2.0 [switchb-rip-1] network 192.168.3.0 [switchb-rip-1] quit # configure switch c. [switchc] rip 1 [switchc-rip-1] network 192.168.1.0 [switchc-rip-1] network 192.168.3.0 [switchc-rip-1] import-route static [switchc-rip-1] quit 3) configure bfd pa...

  • Page 627

    1-29 nexthop: 192.168.2.2 interface: vlan-interface 200 bknexthop: 0.0.0.0 bkinterface: relynexthop: 0.0.0.0 neighbor : 192.168.2.2 tunnel id: 0x0 label: null state: inactive adv age: 00h12m50s tag: 0 # enable rip event debugging on switch a. debugging rip 1 event terminal debugging # when the link ...

  • Page 628

    1-30 z switch a is connected to switch c through switch b. Vlan-interface 100 on switch a, vlan-interface 200 on switch c, and vlan-interface 200 and vlan-interface 100 on switch b run rip process 1. Z configure a static route to switch c on switch a, and configure a static route to switch a on swit...

  • Page 629

    1-31 [switcha] rip 2 [switcha-rip-2] network 192.168.3.0 [switcha-rip-2] quit # configure switch c. [switchc] rip 1 [switchc-rip-1] network 192.168.2.0 [switchc-rip-1] network 192.168.4.0 [switchc-rip-1] peer 192.168.1.1 [switchc-rip-1] undo validate-source-address [switchc-rip-1] import-route stati...

  • Page 630

    1-32 total session num: 1 init mode: active session working under ctrl mode: ld/rd sourceaddr destaddr state holdtime interface 6/3 192.168.1.1 192.168.2.2 up 1700ms vlan100 # display the rip route 100.1.1.0/24 learned on switch a. display ip routing-table 100.1.1.0 24 verbose routing table : public...

  • Page 631

    1-33 p - permanent, a - aging, s - suppressed, g - garbage-collect ---------------------------------------------------------------------------- # display the rip route 100.1.1.0/24 learned on switch a. display ip routing-table 100.1.1.0 24 verbose routing table : public summary count : 1 destination...

  • Page 632: Table of Contents

    i table of contents 1 ospf configuration 1-1 introduction to ospf ...

  • Page 633

    ii disabling interfaces from sending ospf packets 1-39 configuring stub routers 1-40 configuring ospf authentication ...

  • Page 634: Ospf Configuration

    1-1 1 ospf configuration open shortest path first (ospf) is a link state interior gateway protocol developed by the ospf working group of the internet engineering task force (ietf). At present, ospf version 2 (rfc 2328) is used. When configuring ospf, go to these sections for information you are int...

  • Page 635

    1-2 z loop-free: computes routes with the shortest path first (spf) algorithm according to collected link states, so no route loops are generated. Z area partition: allows an as to be split into different areas for ease of management and routing information transmitted between areas is summarized to...

  • Page 636

    1-3 z lsack (link state acknowledgment) packet: acknowledges received lsu packets. It contains the headers of received lsas (a packet can acknowledge multiple lsas). Lsa types ospf sends routing information in lsas, which, as defined in rfc 2328, have the following types: z router lsa: type-1 lsa, o...

  • Page 637

    1-4 in addition, as the topology of a large network is prone to changes, enormous ospf packets may be created, reducing bandwidth utilization. Each topology change makes all routers perform route calculation. To solve this problem, ospf splits an as into multiple areas, which are identified by area ...

  • Page 638

    1-5 figure 1-2 virtual link application 1 another application of virtual links is to provide redundant links. If the backbone area cannot maintain internal connectivity due to a physical link failure, configuring a virtual link can guarantee logical connectivity in the backbone area, as shown below....

  • Page 639

    1-6 z a (totally) stub area cannot have an asbr because as external routes cannot be distributed into the stub area. Z virtual links cannot transit (totally) stub areas. Nssa area similar to a stub area, an nssa area imports no as external lsa (type-5 lsa) but can import type-7 lsas that are generat...

  • Page 640

    1-7 z compared with a totally stub area, a stub area can import inter-area routes. Z compared with a stub area, an nssa area can import external routes through type 7 lsas advertised by the asbr. Z compared with an nssa area, a totally nssa area does not import inter-area routes. Router types classi...

  • Page 641

    1-8 route types ospf prioritizes routes into four levels: z intra-area route z inter-area route z type-1 external route z type-2 external route the intra-area and inter-area routes describe the network topology of the as, while external routes describe routes to destinations outside the as. Ospf clas...

  • Page 642

    1-9 an nbma network is fully meshed, which means any two routers in the nbma network have a direct virtual link for communication. If direct connections are not available between some routers, the type of interfaces associated should be configured as p2mp, or as p2p for interfaces with only one neig...

  • Page 643

    1-10 dr/bdr election the dr and bdr in a network are elected by all routers rather than configured manually. The dr priority of an interface determines its qualification for dr/bdr election. Interfaces attached to the network and having priorities higher than 0 are election candidates. The election ...

  • Page 644

    1-11 z router id: id of the advertising router. Z area id: id of the area where the advertising router resides. Z checksum: checksum of the message. Z autype: authentication type from 0 to 2, corresponding with non-authentication, simple (plaintext) authentication and md5 authentication respectively...

  • Page 645

    1-12 z rtr pri: router priority. A value of 0 means the router cannot become the dr/bdr. Z routerdeadinterval: time before declaring a silent router down. If two routers have different time values, they cannot become neighbors. Z designated router: ip address of the dr interface. Z backup designated...

  • Page 646

    1-13 lsr packet after exchanging dd packets, any two routers know which lsas of the peer routers are missing from the local lsdbs. In this case, they send lsr (link state request) packets, requesting the missing lsas. The packets contain the digests of the missing lsas. The following figure shows th...

  • Page 647

    1-14 lsack packet link state acknowledgment (lsack) packets are used to acknowledge received lsu packets by carrying lsa headers to describe corresponding lsas. Multiple lsas can be acknowledged in a single lsack packet. The following figure gives its format. Figure 1-14 lsack packet format ... Lsa ...

  • Page 648

    1-15 figure 1-16 router lsa format major fields: z link state id: id of the router that originated the lsa. Z v (virtual link): set to 1 if the router that originated the lsa is a virtual link endpoint. Z e (external): set to 1 if the router that originated the lsa is an asbr. Z b (border): set to 1...

  • Page 649

    1-16 figure 1-17 network lsa format (figure fields: ls age, options, type 2, link state id, advertising router, ls sequence number, ls checksum, length, network mask, attached router) major fields: z link state id: the interface address of the dr z network mask: the mask of the network (a broadcast or nbma network) ...

  • Page 650

    1-17 a type-3 lsa can be used to advertise a default route, having the link state id and network mask set to 0.0.0.0. 4) as external lsa an as external lsa originates from an asbr, describing routing information to a destination outside the as. Figure 1-19 as external lsa format major fields: z link...

  • Page 651

    1-18 figure 1-20 nssa external lsa format supported ospf features multi-process with multi-process support, multiple ospf processes can run on a router simultaneously and independently. Routing information interactions between different processes seem like interactions between different routing prot...

  • Page 652

    1-19 to avoid unnecessary spf calculation, when a router restarts, it informs neighboring routers that the shutdown is temporary. These routers then do not delete the router from their neighbor tables, and other routers have no idea about this restart. After recovering to normal, the router obtains...

  • Page 653

    1-20 for ospf te configuration, refer to mpls te configuration in the mpls volume. Igp shortcut and forwarding adjacency igp shortcut and forwarding adjacency enable ospf to use an lsp as the outbound interface for a destination. Without them, ospf cannot use the lsp as the outbound interface. Diffe...

  • Page 654

    1-21 if a router connects to a pe router in the same area and establishes an internal route (backdoor route) to a destination, then, because an ospf intra-area route has a higher priority than a backbone route, vpn traffic will always travel on the backdoor route rather than the backbone route....

  • Page 655

    1-22 task remarks enabling ospf required configuring a stub area configuring an nssa area configuring ospf areas configuring a virtual link optional configuring the ospf network type for an interface as broadcast optional configuring the ospf network type for an interface as nbma optional configurin...

  • Page 656

    1-23 task remarks configuring ospf to give priority to receiving and processing hello packets optional configuring the lsu transmit rate optional configuring the ospf gr restarter optional configuring the ospf gr helper optional configuring ospf graceful restart triggering ospf graceful restart opti...

  • Page 657

    1-24 to do… use the command… remarks configure a description for the ospf process description description optional not configured by default. Configure an ospf area and enter ospf area view area area-id required not configured by default. Configure a description for the area description description ...

  • Page 658

    1-25 neither as external routes nor inter-area routing information will be distributed into the area. All the packets destined outside of the as or area will be sent to the abr for forwarding. Follow these steps to configure ospf areas: to do… use the command… remarks enter system view system-view —...

  • Page 659

    1-26 to do… use the command… remarks specify a cost for the default route advertised to the nssa area default-cost cost optional defaults to 1. Z it is required to use the nssa command on all the routers attached to an nssa area. Z using the default-cost command only takes effect on the abr/asbr of ...

  • Page 660

    1-27 z p2p: when the link layer protocol is ppp, lapb, hdlc, or pos, ospf considers the network type as p2p by default. You can change the network type of an interface as needed. For example: z when an nbma network becomes fully meshed through address mapping, namely, when any two routers in the net...

  • Page 661

    1-28 follow these steps to configure the ospf network type for an interface as nbma: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — configure the ospf network type for the interface as nbma ospf network-type nbma requi...

  • Page 662

    1-29 to do… use the command… remarks configure the ospf network type for the interface as p2mp ospf network-type p2mp [ unicast ] required by default, the network type of an interface depends on the link layer protocol. After you configure the ospf network type for an interface as p2mp unicast, all ...

  • Page 663

    1-30 configuring ospf route summarization route summarization: an abr or asbr summarizes routes with the same prefix into a single route and distributes it to other areas. Through route summarization, routing information across areas and the size of routing tables on routers will be reduced, improvin...

  • Page 667

    1-34 to do… use the command… remarks configure a priority for ospf preference [ ase ] [ route-policy route-policy-name ] value optional the priority of ospf internal routes defaults to 10. The priority of ospf external routes defaults to 150. Configuring ospf route redistribution configure route red...

  • Page 670

    1-37 to do… use the command… remarks specify the hello interval ospf timer hello seconds optional the hello interval on p2p, broadcast interfaces defaults to 10 seconds and defaults to 30 seconds on p2mp and nbma interfaces. Specify the poll interval ospf timer poll seconds optional the poll interva...

  • Page 671

    1-38 specifying spf calculation interval the lsdb changes lead to spf calculations. When an ospf network changes frequently, a large amount of network resources will be occupied, reducing the working efficiency of routers. You can adjust the spf calculation interval for the network to reduce negativ...

  • Page 672

    1-39 specifying the lsa generation interval with this feature configured, you can protect network resources and routers from being over consumed due to frequent network changes. Follow these steps to configure the lsa generation interval: to do… use the command… remarks enter system view system-view...

  • Page 673

    1-40 z different ospf processes can disable the same interface from sending ospf packets. Use of the silent-interface command disables only the interfaces associated with the current process rather than interfaces associated with other processes. Z after an ospf interface is set to silent, other int...

  • Page 674

    1-41 to configure ospf authentication, you need to configure the same area authentication mode on all the routers in the area. In addition, the authentication mode and password for all interfaces attached to the same area must be identical. Follow these steps to configure ospf authentication: to do…...

  • Page 676

    1-43 configuring ospf network management after trap generation is enabled for ospf, ospf generates traps to report important events. Traps fall into the following levels: z level-3, for fault traps z level-4, for alarm traps z level-5, for normal but important traps z level-6, for notification traps...

  • Page 677

    1-44 enabling the advertisement and reception of opaque lsas with this feature enabled, the ospf router can receive and advertise type 9, type 10 and type 11 opaque lsas. Follow these steps to enable the advertisement and reception of opaque lsas: to do… use the command… remarks enter system view sy...

  • Page 678

    1-45 to do… use the command… remarks configure the lsu transmit rate transmit-pacing interval interval count count optional by default, an ospf interface sends up to three lsu packets every 20 milliseconds. Configuring ospf graceful restart one device can act as both a gr restarter and gr helper at ...

  • Page 681

    1-48 to do… use the command… description enable bfd on the interface ospf bfd enable required not enabled by default z one network segment can belong to only one area, and each ospf interface must be assigned to a specific area. Z both ends of a bfd session must be on the same network ...

  • Page 683

    1-50 system-view [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] area 1 [switcha-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255 [switcha-ospf-1-area-0.0.0.1] quit [switcha-ospf-1] quit # configure sw...

  • Page 684

    1-51 dead timer due in 37 sec neighbor is up for 06:03:59 authentication sequence: [ 0 ] neighbor state change count: 5 neighbors area 0.0.0.1 interface 10.2.1.1(vlan-interface200)'s neighbors router id: 10.4.1.1 address: 10.2.1.2 gr state: normal state: full mode: nbr is master priority: 1 dr: 10.2...

  • Page 685

    1-52 area: 0.0.0.1 type linkstate id advrouter age len sequence metric router 10.2.1.1 10.2.1.1 769 36 80000012 0 router 10.4.1.1 10.4.1.1 1663 48 80000012 0 network 10.2.1.1 10.2.1.1 769 32 80000010 0 sum-net 10.5.1.0 10.2.1.1 769 28 80000003 14 sum-net 10.3.1.0 10.2.1.1 1069 28 8000000f 4 sum-net ...

  • Page 686

    1-53 z switch c is configured as an asbr to redistribute external routes (static routes). Routing information is propagated properly in the as. Figure 1-22 network diagram for ospf redistributing routes from outside of an as configuration procedure 1) configure ip addresses for interfaces (omitted)....

  • Page 687

    1-54 10.3.1.0/24 10 transit 10.3.1.2 10.3.1.1 0.0.0.2 10.4.1.0/24 25 inter 10.3.1.1 10.3.1.1 0.0.0.2 10.5.1.0/24 10 stub 10.5.1.1 10.5.1.1 0.0.0.2 10.1.1.0/24 12 inter 10.3.1.1 10.3.1.1 0.0.0.2 routing for ases destination cost type tag nexthop advrouter 3.1.2.0/24 1 type2 1 10.3.1.1 10.4.1.1 total ...

  • Page 688

    1-55 system-view [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] quit # configure switch b. system-view [switchb] ospf [switchb-ospf-1] area 0 [switchb-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 ...

  • Page 689

    1-56 [switchc-bgp] import-route ospf 4) configure route redistribution on switch b. # configure ospf to redistribute routes from bgp on switch b. [switchb] ospf [switchb-ospf-1] import-route bgp # display the ospf routing table of switch a. [switcha] display ip routing-table routing tables: public d...

  • Page 690

    1-57 figure 1-24 network diagram for ospf stub area configuration configuration procedure 1) configure ip addresses for interfaces (omitted). 2) configure ospf basic functions (refer to configuring ospf basic functions ). 3) configure switch d to redistribute static routes. [switchd] ip route-static...

  • Page 691

    1-58 destination cost type tag nexthop advrouter 3.1.2.0/24 1 type2 1 10.2.1.1 10.5.1.1 total nets: 6 intra area: 2 inter area: 3 ase: 1 nssa: 0 in the above output, since switch c resides in a normal ospf area, its routing table contains an external route. 4) configure area 1 as a stub area. # conf...

  • Page 692

    1-59 when switch c resides in the stub area, a default route takes the place of the external route. # filter type-3 lsas out the stub area [switcha] ospf [switcha-ospf-1] area 1 [switcha-ospf-1-area-0.0.0.1] stub no-summary [switcha-ospf-1-area-0.0.0.1] quit # display ospf routing information on swi...

  • Page 693

    1-60 figure 1-25 network diagram for ospf nssa area configuration configuration procedure 1) configure ip addresses for interfaces. 2) configure ospf basic functions (refer to configuring ospf basic functions ). 3) configure area 1 as an nssa area. # configure switch a. [switcha] ospf [switcha-ospf-...

  • Page 694

    1-61 destination cost type nexthop advrouter area 0.0.0.0/0 65536 inter 10.2.1.1 10.2.1.1 0.0.0.1 10.2.1.0/24 65535 transit 10.2.1.2 10.4.1.1 0.0.0.1 10.4.1.0/24 3 stub 10.4.1.1 10.4.1.1 0.0.0.1 total nets: 3 intra area: 2 inter area: 1 ase: 0 nssa: 0 4) configure switch c to redistribute static rou...

  • Page 695

    1-62 figure 1-26 network diagram for ospf dr election configuration configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure ospf basic functions # configure switch a. system-view [switcha] router id 1.1.1.1 [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0...

  • Page 696

    1-63 [switchd-ospf-1-area-0.0.0.0] quit [switchd-ospf-1] return # display ospf neighbor information on switch a. [switcha] display ospf peer verbose ospf process 1 with router id 1.1.1.1 neighbors area 0.0.0.0 interface 192.168.1.1(vlan-interface1)'s neighbors router id: 2.2.2.2 address: 192.168.1.2...

  • Page 697

    1-64 ospf process 1 with router id 4.4.4.4 neighbors area 0.0.0.0 interface 192.168.1.4(vlan-interface1)'s neighbors router id: 1.1.1.1 address: 192.168.1.1 gr state: normal state: full mode:nbr is slave priority: 100 dr: 192.168.1.4 bdr: 192.168.1.3 mtu: 0 dead timer due in 31 sec neighbor is up fo...

  • Page 698

    1-65 dr: 192.168.1.1 bdr: 192.168.1.3 mtu: 0 dead timer due in 39 sec neighbor is up for 00:01:40 authentication sequence: [ 0 ] router id: 2.2.2.2 address: 192.168.1.2 gr state: normal state: 2-way mode: none priority: 0 dr: 192.168.1.1 bdr: 192.168.1.3 mtu: 0 dead timer due in 35 sec neighbor is u...

  • Page 699

    1-66 the interface state drother means the interface is not the dr/bdr. Configuring ospf virtual links network requirements z in the following figure, area 2 has no direct connection to area 0, and area 1 acts as the transit area to connect area 2 to area 0 via a configured virtual link between swit...

  • Page 700

    1-67 system-view [switchc] ospf 1 router-id 3.3.3.3 [switchc-ospf-1] area 1 [switchc-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255 [switchc-ospf-1-area-0.0.0.1] quit [switchc-ospf-1] area 2 [switchc-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255 [switchc-ospf-1-area-0.0.0.2] quit # configure swit...

  • Page 701

    1-68 [switchb] display ospf routing ospf process 1 with router id 2.2.2.2 routing tables routing for network destination cost type nexthop advrouter area 10.2.1.0/24 2 transit 10.2.1.1 3.3.3.3 0.0.0.1 10.3.1.0/24 5 inter 10.2.1.2 3.3.3.3 0.0.0.0 10.1.1.0/24 2 transit 10.1.1.2 2.2.2.2 0.0.0.0 total n...

  • Page 702

    1-69 [switcha-ospf-100] area 0 [switcha-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [switcha-ospf-100-area-0.0.0.0] return 3) configure switch b system-view [switchb] acl number 2000 [switchb-acl-basic-2000] rule 10 permit source 192.1.1.1 0.0.0.0 [switchb-acl-basic-2000] quit [switchb] route...

  • Page 703

    1-70 ospf 1 deleted oob progress timer for neighbor 192.1.1.2. Ospf 1 gr wait timeout timer fired. Ospf 1 deleted gr wait timer. Ospf 1 deleted gr interval timer. Ospf 1 gr completed for ospf router ospf 1 notified rm that ospf process left gr. Rm notified that all protocol left gr. Ospf 1 started f...

  • Page 704

    1-71 # on switch c, configure a static route destined for network 3.1.3.0/24. [switchc] ip route-static 3.1.3.0 24 10.4.1.2 # on switch c, configure ospf to redistribute static routes. [switchc] ospf 1 [switchc-ospf-1] import-route static [switchc-ospf-1] quit # display the ospf routing table of swi...

  • Page 705

    1-72 10.2.1.1/32 direct 0 0 127.0.0.1 inloop0 10.3.1.0/24 ospf 10 4 10.1.1.2 vlan100 10.4.1.0/24 ospf 10 13 10.2.1.2 vlan200 10.5.1.0/24 ospf 10 14 10.1.1.2 vlan100 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 the route destined for network 3.1.3.0/24 is filtere...

  • Page 706

    1-73 figure 1-30 network diagram for bfd configuration on an ospf link configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure ospf basic functions. # configure switch a. [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255 [...

  • Page 707

    1-74 [switchb] bfd session init-mode active [switchb] interface vlan-interface 10 [switchb-vlan-interface10] bfd min-transmit-interval 500 [switchb-vlan-interface10] bfd min-receive-interval 500 [switchb-vlan-interface10] bfd detect-multiplier 6 [switchb-vlan-interface10] bfd authentication-mode sim...

  • Page 708

    1-75 *0.50673831 switcha bfd/8/scm:no application in session, delete session[10.1.0.102/10.1.0.100, vlan10] *0.50673831 switcha bfd/8/scm:sess[10.1.0.102/10.1.0.100, vlan10], oper: delete *0.50673832 switcha bfd/8/scm:delete send-packet timer *0.50673833 switcha bfd/8/scm:delete session entry *0.506...

  • Page 709

    1-76 incorrect routing information symptom ospf cannot find routes to other areas. Analysis the backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one area must be connected to the backbone. The backbone cannot be configured as a stub ar...

  • Page 710: Table of Contents

    i table of contents 1 is-is configuration 1-1 is-is overview ...

  • Page 711

    ii enabling the logging of neighbor state changes 1-34 enabling is-is snmp trap 1-34 binding an is-is proc...

  • Page 712: Is-Is Configuration

    1-1 1 is-is configuration when configuring is-is, go to these sections for information you are interested in: z is-is overview z is-is configuration task list z configuring is-is basic functions z configuring is-is routing information control z tuning and optimizing is-is networks z configuring is-i...

  • Page 713

    1-2 z end system (es). An es refers to a host system in tcp/ip. Iso defines the es-is protocol for communication between an es and an is, and therefore an es does not participate in the is-is processing. Z routing domain (rd). A group of iss exchanges routing information with each other using the sa...

  • Page 714

    1-3 the system id of a device can be generated from the router id. For example, a router uses the ip address 168.10.1.1 of loopback 0 as the router id, and the system id in is-is can be obtained in the following way: z extend each decimal number of the ip address to 3 digits by adding 0s from the le...

  • Page 715

    1-4 3) level-1-2 router a router with both level-1 and level-2 router functions is a level-1-2 router. It can establish level-1 neighbor relationships with the level-1 and level-1-2 routers in the same area, or establish level-2 neighbor relationships with the level-2 and level-1-2 routers in differ...

  • Page 716

    1-5 figure 1-3 is-is topology the is-is backbone does not need to be a specific area. Both the is-is level-1 and level-2 routers use the spf algorithm to generate the shortest path tree (spt). Route leaking an is-is routing domain is comprised of only one level-2 area and multiple level-1 areas. A l...

  • Page 717

    1-6 for a non-broadcast multi-access (nbma) interface, such as an atm interface, you need to configure subinterfaces for it and configure the interface type for the subinterfaces as point-to-point or broadcast. Is-is cannot run on point to multipoint (p2mp) links. Dis and pseudonodes on an is-is bro...

  • Page 718

    1-7 on is-is broadcast networks, all routers are adjacent with each other. However, the dis is responsible for the synchronization of their lsdbs. Is-is pdu format pdu header format is-is packets are encapsulated into link layer frames. The protocol data unit (pdu) consists of two parts, the headers...

  • Page 719

    1-8 table 1-1 pdu type type pdu type acronym 15 level-1 lan is-is hello pdu l1 lan iih 16 level-2 lan is-is hello pdu l2 lan iih 17 point-to-point is-is hello pdu p2p iih 18 level-1 link state pdu l1 lsp 20 level-2 link state pdu l2 lsp 24 level-1 complete sequence numbers pdu l1 csnp 25 level-2 com...

  • Page 720

    1-9 z holding time: if no hello packets are received from the neighbor within the holding time, the neighbor is considered down. Z pdu length: total length of the pdu in bytes. Z priority: dis priority. Z lan id: includes the system id and a one-byte pseudonode id. Figure 1-8 shows the hello packet ...

  • Page 721

    1-10 figure 1-9 l1/l2 lsp format z pdu length: total length of the pdu in bytes. Z remaining lifetime: lsp remaining lifetime in seconds. Z lsp id: consists of the system id, the pseudonode id (one byte) and the lsp fragment number (one byte). Z sequence number: lsp sequence number. Z checksum: lsp ...

  • Page 722

    1-11 snp format a sequence number pdu (snp) acknowledges the latest received lsps. It is similar to an acknowledgment packet, but more efficient. Snp involves complete snp (csnp) and partial snp (psnp), which are further divided into level-1 csnp, level-2 csnp, level-1 psnp and level-2 psnp. Csnp cover...

  • Page 723

    1-12 figure 1-12 l1/l2 psnp format (figure fields: intradomain routing protocol discriminator, length indicator, version/protocol id extension, id length, r r r, pdu type, version, reserved, maximum area address, pdu length, source id, variable length fields) clv the variable fields ...

  • Page 724

    1-13 clv code name pdu type 132 ip interface address iih, lsp code 1 to 10 of clv are defined in iso 10589 (code 3 and 5 are not shown in the table), and others are defined in rfc 1195. Supported is-is features multiple instances and processes is-is supports multiple instances and processes. Multipl...

  • Page 725

    1-14 is-is te is-is traffic engineering (te) creates and maintains the label switched path (lsp). When creating the constraint-based routed lsp (cr lsp), mpls needs to get the traffic attribute information of all links in the local area. The traffic engineering information of links is obtained from ...

  • Page 726

    1-15 extended lsps are generated by virtual systems. The system id in its lsp id field is the virtual system id. After additional system ids are configured, an is-is router can advertise more link state information in extended lsp fragments. Each virtual system can be considered a virtual router. An...

  • Page 727

    1-16 protocols and standards z iso 10589 iso is-is routing protocol z iso 9542 es-is routing protocol z iso 8348/ad2 network services access points z rfc 1195: use of osi is-is for routing in tcp/ip and dual environments z rfc 2763: dynamic hostname exchange mechanism for is-is z rfc 2966: domain-wi...

  • Page 728

    1-17 task remarks configuring neighbor relationship authentication optional configuring area authentication optional configuring is-is authentication configuring routing domain authentication optional configuring a static system id to host name mapping optional configuring system id to host name map...

  • Page 729

    1-18 z configure the is level of all routers as level-1 or level-2 and don’t configure different levels in this case because there is no need for all routers to maintain two identical lsdbs; z configure the is level as level-2 on all routers in an ip network for scalability. For an interface of a le...

  • Page 730

    1-19 you can only perform this configuration for a broadcast network with only two attached routers. Configuring is-is routing information control configuration prerequisites before the configuration, accomplish the following tasks: z configure network layer addresses for interfaces, and make sure a...

  • Page 733

    1-22 advertising a default route a router running is-is cannot redistribute any default route and thus cannot advertise a default route to other neighbors. You can use the following commands to advertise a default route of 0.0.0.0/0 to the same level neighbors. Follow these steps to advertise a defa...

  • Page 734

    1-23 z only active routes can be redistributed. You can use the display ip routing-table protocol command to display route state information. Z for how to configure the working mode, refer to the switch-mode configuration in device management configuration in the system volume. Configuring is-is rou...

  • Page 735

    1-24 configuring is-is route leaking with is-is route leaking enabled, the level-1-2 router can advertise the routing information of other level-1 areas and level-2 area routing information to level-1 routers. Follow these steps to configure is-is route leaking: to do… use the command… remarks enter...

  • Page 736

    1-25 the interval between hello packets sent by the dis is 1/3 the hello interval set with the isis timer hello command. Specifying the is-is hello multiplier if a neighbor receives no hello packets from the router within the advertised hold time, it considers the router down and recalculates the ro...

  • Page 737

    1-26 disabling an interface from sending/receiving is-is packets after disabled from sending and receiving hello packets, an interface cannot form any neighbor relationship, but can advertise directly connected networks in lsps through other interfaces. By doing so, you can save bandwidth and cpu re...

  • Page 738

    1-27 to do… use the command… remarks specify the maximum lsp age timer lsp-max-age seconds optional 1200 seconds by default 2) specify the lsp refresh interval and generation interval each router needs to refresh lsps generated by itself at a configurable interval and send them to other routers to p...

  • Page 739

    1-28 configure a proper lsp retransmission interval to avoid unnecessary retransmissions. Specifying lsp lengths is-is messages cannot be fragmented at the ip layer because they are directly encapsulated in frames. Therefore, is-is routers in an area need to send lsps smaller than the smallest inter...

  • Page 741

    1-30 follow these steps to add an interface into a mesh group and block an interface: to do… use the command… remarks enter system view system-view –– enter interface view interface interface-type interface-number –– add the interface to a mesh group isis mesh-group mesh-group-number block the inter...

  • Page 744

    1-33 to do… use the command... Remarks configure a system id to host name mapping for a remote is is-name map sys-id map-sys-name required a system id can only correspond to a host name. Configuring dynamic system id to host name mapping you need to configure a static system id to host name mapping ...

  • Page 745

    1-34 you can enable the gr restarter to suppress the suppress-advertisement (sa) bit in the hello pdus. In this way, its neighbors will still advertise the adjacencies within the specified period. Follow these steps to configure gr on the gr restarter and gr helper respectively: to do… use the comma...

  • Page 746

    1-35 binding an is-is process with mibs follow these steps to bind an is-is process with mibs: to do… use the command… remarks enter system view system-view — enter is-is view isis [ process-id ] [ vpn-instance vpn-instance-name ] — bind the is-is process with mibs isis mib-binding process-id requir...

  • Page 748

    1-37 figure 1-15 network diagram for is-is basic configuration configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure is-is # configure switch a. System-view [switcha] isis 1 [switcha-isis-1] is-level level-1 [switcha-isis-1] network-entity 10.0000.0000.0001.00 [swit...

  • Page 749

    1-38 [switchc-vlan-interface200] quit [switchc] interface vlan-interface 300 [switchc-vlan-interface300] isis enable 1 [switchc-vlan-interface300] quit # configure switch d. System-view [switchd] isis 1 [switchd-isis-1] is-level level-2 [switchd-isis-1] network-entity 20.0000.0000.0004.00 [switchd-i...

  • Page 750

    1-39 0000.0000.0002.01-00* 0x00000005 0xd2b3 1188 55 0/0/0 0000.0000.0003.00-00 0x00000014 0x194a 1190 111 1/0/0 0000.0000.0003.01-00 0x00000002 0xabdb 995 55 0/0/0 *-self lsp, +-self lsp(extended), att-attached, p-partition, ol-overload [switchc] display isis lsdb database information for isis(1) -...

  • Page 751

    1-40 *-self lsp, +-self lsp(extended), att-attached, p-partition, ol-overload # display the is-is routing information of each switch. Level-1 switches should have a default route with the next hop being the level-1-2 switch. The level-2 switch should have both routing information of level-1 and leve...

  • Page 752

    1-41 172.16.0.0/16 20 null vlan300 192.168.0.2 r/-/- flags: d-direct, r-added to rm, l-advertised in lsps, u-up/down bit set [switchd] display isis route route information for isis(1) ----------------------------- isis(1) ipv4 level-2 forwarding table ------------------------------------- ipv4 desti...

  • Page 753

    1-42 system-view [switcha] isis 1 [switcha-isis-1] network-entity 10.0000.0000.0001.00 [switcha-isis-1] quit [switcha] interface vlan-interface 100 [switcha-vlan-interface100] isis enable 1 [switcha-vlan-interface100] quit # configure switch b. System-view [switchb] isis 1 [switchb-isis-1] network-e...

  • Page 754

    1-43 state: up holdtime: 27s type: l1 pri: 64 system id: 0000.0000.0002 interface: vlan-interface100 circuit id: 0000.0000.0004.01 state: up holdtime: 28s type: l2(l1l2) pri: 64 system id: 0000.0000.0004 interface: vlan-interface100 circuit id: 0000.0000.0004.01 state: up holdtime: 30s type: l2 pri:...

  • Page 755

    1-44 # display is-is neighbors of switch a. [switcha] display isis peer peer information for isis(1) ---------------------------- system id: 0000.0000.0002 interface: vlan-interface100 circuit id: 0000.0000.0001.01 state: up holdtime: 21s type: l1(l1l2) pri: 64 system id: 0000.0000.0003 interface: v...

  • Page 756

    1-45 state: up holdtime: 25s type: l1 pri: 64 system id: 0000.0000.0001 interface: vlan-interface100 circuit id: 0000.0000.0001.01 state: up holdtime: 7s type: l1 pri: 100 [switchc] display isis interface interface information for isis(1) --------------------------------- interface: vlan-interface10...

  • Page 757

    1-46 figure 1-17 is-is route redistribution configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure is-is basic functions # configure switch a. System-view [switcha] isis 1 [switcha-isis-1] is-level level-1 [switcha-isis-1] network-entity 10.0000.0000.0001.00 [switcha...

  • Page 758

    1-47 [switchc-vlan-interface100] quit [switchc] interface vlan-interface 300 [switchc-vlan-interface300] isis enable 1 [switchc-vlan-interface300] quit # configure switch d. System-view [switchd] isis 1 [switchd-isis-1] is-level level-2 [switchd-isis-1] network-entity 20.0000.0000.0004.00 [switchd-i...

  • Page 759

    1-48 flags: d-direct, r-added to rm, l-advertised in lsps, u-up/down bit set isis(1) ipv4 level-2 forwarding table ------------------------------------- ipv4 destination intcost extcost exitinterface nexthop flags -------------------------------------------------------------------------- 10.1.1.0/24...

  • Page 760

    1-49 # display is-is routing information on switch c. [switchc] display isis route route information for isis(1) ----------------------------- isis(1) ipv4 level-1 forwarding table ------------------------------------- ipv4 destination intcost extcost exitinterface nexthop flags --------------------...

  • Page 761

    1-50 configuration procedure 1) configure ip addresses of the interfaces on each switch and configure is-is. Follow figure 1-18 to configure the ip address and subnet mask of each interface. The configuration procedure is omitted. Configure is-is on the switches, ensuring that switch a, switch b and...

  • Page 762

    1-51 t3 timer status: remaining time: 140 t2 timer status: remaining time: 59 is-is authentication configuration example network requirements as shown in figure 1-19 , switch a, switch b, switch c and switch d reside in the same is-is routing domain. Switch a, switch b, and switch c belong to area 1...

  • Page 763

    1-52 [switchb-vlan-interface200] isis enable 1 [switchb-vlan-interface200] quit # configure switch c. System-view [switchc] isis 1 [switchc-isis-1] network-entity 10.0000.0000.0003.00 [switchc-isis-1] quit [switchc] interface vlan-interface 200 [switchc-vlan-interface200] isis enable 1 [switchc-vla...

  • Page 764

    1-53 [switchc-vlan-interface300] quit [switchd] interface vlan-interface 300 [switchd-vlan-interface300] isis authentication-mode md5 hsec [switchd-vlan-interface300] quit 4) configure area authentication. Specify the md5 authentication mode and password 10sec on switch a, switch b and switch c. [sw...
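The LSP format on page 721 and the MD5 authentication example above (interface password hsec, area password 10sec) describe what a receiving IS-IS router checks before it accepts a link-state PDU. The following is an added example, not code from the 3Com manual or from Comware: it builds an L1/L2 LSP with the header fields the page lists (PDU length, remaining lifetime, LSP ID, sequence number, checksum), appends the HMAC-MD5 authentication TLV of RFC 5304, and verifies it the way an authenticated area would. The sample LSP, its TLVs and the use of 10sec as the key are constructed for the example; the Fletcher checksum is left at zero, which is an assumption of the example (a real router fills it in, but RFC 5304 zeroes it before hashing anyway).

```python
import hashlib
import hmac
import struct

# Constants from ISO 10589 / RFC 5304 (the page's 8-byte common header + 19-byte LSP header).
ISIS_DISCRIMINATOR = 0x83
PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP = 18, 20
TLV_IP_INTERFACE_ADDR, TLV_DYNAMIC_HOSTNAME, TLV_AUTH = 132, 137, 10
AUTH_TYPE_HMAC_MD5 = 54
LSP_HEADER_LEN = 27   # 8 common + 2 length + 2 lifetime + 8 LSP ID + 4 seqno + 2 checksum + 1 flags
AUTH_TLV_LEN = 17     # 1 auth type byte + 16 digest bytes


def format_lsp_id(lsp_id: bytes) -> str:
    """Render the 8-byte LSP ID as the manual prints it: sysid.pseudonode-fragment."""
    sysid = lsp_id[:6].hex()
    return f"{sysid[0:4]}.{sysid[4:8]}.{sysid[8:12]}.{lsp_id[6]:02x}-{lsp_id[7]:02x}"


def parse_lsp(pdu: bytes) -> dict:
    """Parse the common header, the L1/L2 LSP header and the TLV list; reject malformed PDUs."""
    if len(pdu) < LSP_HEADER_LEN or pdu[0] != ISIS_DISCRIMINATOR:
        raise ValueError("not an IS-IS PDU")
    hdr_len, _ver_ext, id_len, pdu_type, _ver, _res, _max_area = struct.unpack_from("!7B", pdu, 1)
    pdu_type &= 0x1F
    if pdu_type not in (PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP) or hdr_len != LSP_HEADER_LEN or id_len not in (0, 6):
        raise ValueError("not an L1/L2 LSP with 6-byte system IDs")
    pdu_len, lifetime = struct.unpack_from("!HH", pdu, 8)
    lsp_id = pdu[12:20]
    seqno, checksum, flags = struct.unpack_from("!IHB", pdu, 20)
    if pdu_len != len(pdu):
        raise ValueError("PDU length field does not match the received frame")
    tlvs, off = [], LSP_HEADER_LEN
    while off < len(pdu):
        if off + 2 > len(pdu) or off + 2 + pdu[off + 1] > len(pdu):
            raise ValueError("truncated TLV")
        code, tlen = pdu[off], pdu[off + 1]
        tlvs.append((code, off, pdu[off + 2:off + 2 + tlen]))   # keep the offset for the auth TLV
        off += 2 + tlen
    return {"level": 1 if pdu_type == PDU_TYPE_L1_LSP else 2, "lifetime": lifetime,
            "lsp_id": format_lsp_id(lsp_id), "seqno": seqno, "checksum": checksum,
            "overload": bool(flags & 0x04), "tlvs": tlvs}


def _hmac_md5(pdu: bytes, key: bytes, auth_off: int) -> bytes:
    """RFC 5304 digest: HMAC-MD5 over the whole PDU with Remaining Lifetime, Checksum and the
    digest inside the authentication TLV zeroed before hashing."""
    buf = bytearray(pdu)
    buf[10:12] = b"\x00\x00"                       # remaining lifetime (changes as the LSP ages)
    buf[24:26] = b"\x00\x00"                       # checksum
    buf[auth_off + 3:auth_off + 3 + 16] = bytes(16)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()


def build_lsp(level: int, system_id: bytes, seqno: int, lifetime: int, tlvs, key=None) -> bytes:
    """Build an L1 or L2 LSP (fragment 0, no pseudonode); with a key, append a signed auth TLV."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in tlvs)
    if key is not None:
        body += bytes([TLV_AUTH, AUTH_TLV_LEN, AUTH_TYPE_HMAC_MD5]) + bytes(16)
    pdu_type = PDU_TYPE_L1_LSP if level == 1 else PDU_TYPE_L2_LSP
    common = bytes([ISIS_DISCRIMINATOR, LSP_HEADER_LEN, 1, 0, pdu_type, 1, 0, 0])
    # Checksum left at 0: the ISO 10589 Fletcher checksum is omitted in this example (assumption).
    lsp_hdr = (struct.pack("!HH", LSP_HEADER_LEN + len(body), lifetime) + system_id + b"\x00\x00"
               + struct.pack("!IHB", seqno, 0, 0x01 if level == 1 else 0x03))
    pdu = bytearray(common + lsp_hdr + body)
    if key is not None:
        auth_off = len(pdu) - (2 + AUTH_TLV_LEN)
        pdu[auth_off + 3:auth_off + 3 + 16] = _hmac_md5(bytes(pdu), key, auth_off)
    return bytes(pdu)


def verify_lsp_auth(pdu: bytes, key: bytes) -> bool:
    """Accept the LSP only if it carries an HMAC-MD5 auth TLV whose digest matches `key`.
    An LSP without the TLV, or with a cleartext (type 1) TLV, is rejected."""
    for code, off, value in parse_lsp(pdu)["tlvs"]:
        if code == TLV_AUTH:
            if len(value) != AUTH_TLV_LEN or value[0] != AUTH_TYPE_HMAC_MD5:
                return False
            return hmac.compare_digest(_hmac_md5(pdu, key, off), value[1:])
    return False


# Constructed sample: Switch C's level-2 LSP from the manual's topology, signed with the area
# password "10sec" used in the page's authentication example.
AREA_KEY = b"10sec"
SWITCH_C = bytes.fromhex("000000000003")
SAMPLE_LSP = build_lsp(2, SWITCH_C, 0x14, 1190,
                       [(TLV_DYNAMIC_HOSTNAME, b"SwitchC"), (TLV_IP_INTERFACE_ADDR, bytes([192, 168, 0, 2]))],
                       key=AREA_KEY)

if __name__ == "__main__":
    info = parse_lsp(SAMPLE_LSP)
    print(info["lsp_id"], hex(info["seqno"]), info["lifetime"], verify_lsp_auth(SAMPLE_LSP, AREA_KEY))
```

Two properties matter operationally: an LSP whose remaining lifetime has been decremented by intermediate routers still verifies, because the lifetime is zeroed before hashing, while any change to a TLV or a missing authentication TLV is rejected.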

  • Page 765

    1-54 system-view [switcha] interface vlan-interface 10 [switcha-vlan-interface10] ip address 167.1.1.1 24 [switcha-vlan-interface10] quit # configure switch b. System-view [switchb] interface vlan-interface 10 [switchb-vlan-interface10] ip address 167.1.1.2 24 [switchb-vlan-interface10] quit 2) conf...

  • Page 766

    1-55 total session num: 1 init mode: active session working under ctrl mode: ld/rd sourceaddr destaddr state holdtime interface 5/3 167.1.1.1 167.1.1.2 up 1900ms vlan10 # display the is-is neighbor information of switch a. Display isis peer 1 system id: 0000.0000.0002 interface: vlan10 circuit id: 0...

  • Page 767

    1-56 display bfd session # display the is-is neighbor information of switch a. You can see that switch a has removed its neighbor relationship with switch b and therefore no information is output. Display isis peer 1.

  • Page 768: Table of Contents

    I table of contents 1 bgp configuration ····································································································································1-1 bgp overview················································································································...

  • Page 769

    Ii enabling the bgp orf capability ································································································1-34 enabling quick ebgp session reestablishment··········································································1-35 enabling md5 authentication for tcp connec...

  • Page 770: Bgp Configuration

    1-1 1 bgp configuration the border gateway protocol (bgp) is a dynamic inter-as exterior gateway protocol. When configuring bgp, go to these sections for information you are interested in: z bgp overview z bgp configuration task list z configuring bgp basic functions z controlling route generation z...

  • Page 771

    1-2 a router advertising bgp messages is called a bgp speaker. It establishes peer relationships with other bgp speakers to exchange routing information. When a bgp speaker receives a new route or a route better than the current one from another as, it will advertise the route to all the other bgp p...

  • Page 772

    1-3 figure 1-2 bgp open message format z version: this 1-byte unsigned integer indicates the protocol version number. The current bgp version is 4. Z my autonomous system: this 2-byte unsigned integer indicates the autonomous system number of the sender. Z hold time: when establishing a peer relatio...

  • Page 773

    1-4 z nlri (network layer reachability information): each feasible route is represented as <length, prefix>. Notification a notification message is sent when an error is detected. The bgp connection is closed immediately after sending it. The notification message format is shown below: figure 1-4 bgp notific...
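The OPEN and NOTIFICATION formats on pages 772 and 773 are what a BGP speaker validates before a session reaches Established; the GR and ORF sections later on this page both rely on capabilities carried in OPEN. The following is an added example, not code from the 3Com manual or from Comware: it builds an OPEN with capability parameters, parses it with the checks of RFC 4271 section 6.2, and raises the error code/subcode that would go into the NOTIFICATION. The sample OPEN (Switch B, AS 65009, router ID 2.2.2.2, restart time 150 s) is constructed for the example.

```python
import struct
from ipaddress import IPv4Address

MARKER = b"\xff" * 16
TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE = 1, 2, 3, 4
PARAM_CAPABILITIES = 2
CAP_MP, CAP_ROUTE_REFRESH, CAP_GR, CAP_AS4 = 1, 2, 64, 65


class BgpError(Exception):
    """Error code/subcode as carried in a NOTIFICATION (RFC 4271 section 4.5)."""
    def __init__(self, code, subcode, data=b""):
        super().__init__(f"BGP error {code}/{subcode}")
        self.code, self.subcode, self.data = code, subcode, data

    def to_notification(self) -> bytes:
        body = bytes([self.code, self.subcode]) + self.data
        return MARKER + struct.pack("!HB", 19 + len(body), TYPE_NOTIFICATION) + body


def build_open(my_as: int, hold_time: int, router_id: str, capabilities) -> bytes:
    """OPEN with each capability in its own Capabilities optional parameter (RFC 5492)."""
    params = b"".join(bytes([PARAM_CAPABILITIES, len(v) + 2, code, len(v)]) + v for code, v in capabilities)
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(router_id)), len(params)) + params
    return MARKER + struct.pack("!HB", 19 + len(body), TYPE_OPEN) + body


def parse_message(data: bytes):
    """Check the 19-byte header; return (type, body)."""
    if len(data) < 19 or data[:16] != MARKER:
        raise BgpError(1, 1)                       # Message Header Error: Connection Not Synchronized
    length, mtype = struct.unpack_from("!HB", data, 16)
    if not 19 <= length <= 4096 or length != len(data):
        raise BgpError(1, 2, data[16:18])          # Bad Message Length
    if mtype not in (TYPE_OPEN, TYPE_UPDATE, TYPE_NOTIFICATION, TYPE_KEEPALIVE):
        raise BgpError(1, 3, data[18:19])          # Bad Message Type
    return mtype, data[19:]


def parse_open(body: bytes, expected_as=None) -> dict:
    """Parse an OPEN body and apply the checks of RFC 4271 section 6.2; on failure raise the
    error a router would answer with (code 2 = OPEN Message Error)."""
    if len(body) < 10:
        raise BgpError(2, 0)
    version, peer_as, hold_time, bgp_id, opt_len = struct.unpack_from("!BHHIB", body)
    if version != 4:
        raise BgpError(2, 1, b"\x00\x04")          # Unsupported Version Number (data = our version)
    if expected_as is not None and peer_as != expected_as:
        raise BgpError(2, 2)                       # Bad Peer AS (mismatch with 'peer ... as-number')
    if bgp_id in (0, 0xFFFFFFFF):
        raise BgpError(2, 3)                       # Bad BGP Identifier
    if hold_time in (1, 2):
        raise BgpError(2, 6)                       # Unacceptable Hold Time
    if 10 + opt_len != len(body):
        raise BgpError(2, 0)
    caps, off = [], 10
    while off < len(body):
        if off + 2 > len(body) or off + 2 + body[off + 1] > len(body):
            raise BgpError(2, 0)
        ptype, plen = body[off], body[off + 1]
        if ptype != PARAM_CAPABILITIES:
            raise BgpError(2, 4)                   # Unsupported Optional Parameter
        pval, coff = body[off + 2:off + 2 + plen], 0
        while coff < plen:
            if coff + 2 > plen or coff + 2 + pval[coff + 1] > plen:
                raise BgpError(2, 0)
            clen = pval[coff + 1]
            caps.append((pval[coff], pval[coff + 2:coff + 2 + clen]))
            coff += 2 + clen
        off += 2 + plen
    return {"as": peer_as, "hold_time": hold_time, "router_id": str(IPv4Address(bgp_id)), "capabilities": caps}


def decode_graceful_restart(value: bytes):
    """GR capability (RFC 4724): restart-state flag, restart time, and which AFI/SAFIs keep forwarding."""
    flags_time = struct.unpack_from("!H", value)[0]
    afs = [(afi, safi, bool(f & 0x80)) for afi, safi, f in struct.iter_unpack("!HBB", value[2:])]
    return bool(flags_time & 0x8000), flags_time & 0x0FFF, afs


def negotiated_hold_time(local: int, peer: int) -> int:
    """Both sides use the smaller of the two advertised hold times."""
    return min(local, peer)


# Constructed sample: an OPEN as Switch B (AS 65009, router ID 2.2.2.2) from the manual's
# topology might send: IPv4 unicast, route refresh, GR (150 s, forwarding preserved), 4-octet AS.
SAMPLE_CAPS = [
    (CAP_MP, struct.pack("!HBB", 1, 0, 1)),
    (CAP_ROUTE_REFRESH, b""),
    (CAP_GR, struct.pack("!H", 150) + struct.pack("!HBB", 1, 1, 0x80)),
    (CAP_AS4, struct.pack("!I", 65009)),
]
SAMPLE_OPEN = build_open(65009, 180, "2.2.2.2", SAMPLE_CAPS)

if __name__ == "__main__":
    mtype, body = parse_message(SAMPLE_OPEN)
    print(mtype, parse_open(body, expected_as=65009))
```

The AS check is the one that maps to the "peer ... as-number" configuration on this page: an OPEN from a peer whose AS does not match what was configured is answered with NOTIFICATION code 2, subcode 2 and the TCP connection is closed.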

  • Page 774

    1-5 z optional non-transitive: if a bgp router does not support this attribute, it will not advertise routes with this attribute. The usage of each bgp path attribute is described in the following table. Table 1-1 usage of bgp path attributes name category origin well-known mandatory as_path well-kn...

  • Page 775

    1-6 figure 1-6 as_path attribute 8.0.0.0 as 10 d = 8.0.0.0 (10) d = 8.0.0.0 (10) as 20 as 40 d = 8.0.0.0 (20,10) as 30 as 50 d = 8.0.0.0 (30,20,10) d = 8.0.0.0 (40,10) in general, a bgp router does not receive routes containing the local as number to avoid routing loops. The current implementation s...

  • Page 776

    1-7 figure 1-7 next_hop attribute 4) med (multi_exit_disc) the med attribute is exchanged between two neighboring ass, each of which does not advertise the attribute to any other as. Similar with metrics used by igp, med is used to determine the best route for traffic going into an as. When a bgp ro...

  • Page 777

    1-8 the local_pref attribute is exchanged between ibgp peers only, and thus is not advertised to any other as. It indicates the preference of a route within the local as. Local_pref is used to determine the best route for traffic leaving the local as. When a bgp router obtains from several ibgp peers multiple routes...

  • Page 778

    1-9 z select the route with the smallest next hop cost z select the route with the shortest cluster_list z select the route with the smallest originator_id z select the route advertised by the router with the smallest router id z select the route with the lowest ip address z cluster_ids of route ref...

  • Page 779

    1-10 z bgp implements load balancing only on routes that have the same as_path, origin, local_pref and med. Z bgp load balancing is applicable between ebgp peers, between ibgp peers and between confederations. Z if multiple routes to the same destination are available, bgp selects a configurable num...
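Pages 778 and 779 give the tail of the route selection order (IGP cost to the next hop, CLUSTER_LIST length, ORIGINATOR_ID, router ID, peer address) and the condition under which load balancing applies (equal AS_PATH, ORIGIN, LOCAL_PREF and MED). The following is an added example, not code from the 3Com manual or from Comware, that implements the whole comparison as a pairwise decision function and the equal-cost selection on top of it. The steps before the visible tail (preferred value, LOCAL_PREF, locally originated, AS_PATH length, ORIGIN, MED, EBGP over IBGP) are the standard ones and are an assumption of the example, as is treating a missing MED as 0; the routes (Switch A learning 9.1.1.0/24 from Switch B and Switch C) are constructed from the load-balancing topology on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_IGP, ORIGIN_EGP, ORIGIN_INCOMPLETE = 0, 1, 2   # lower is preferred


@dataclass
class Route:
    prefix: str
    next_hop: str
    peer_ip: str             # address the UPDATE came from
    router_id: str           # router ID of the advertising peer
    as_path: tuple = ()
    origin: int = ORIGIN_IGP
    med: int = 0             # assumption: a missing MED is treated as 0
    local_pref: int = 100
    pref_val: int = 0        # Comware "preferred value", set per peer
    ebgp: bool = True
    local: bool = False      # originated on this router (network / import-route)
    igp_cost: int = 0        # IGP metric to the next hop
    cluster_list: tuple = ()
    originator_id: str = "0.0.0.0"
    reachable: bool = True   # next hop resolvable in the IP routing table


def _first_as(r: Route):
    return r.as_path[0] if r.as_path else None


def prefer(a: Route, b: Route, compare_different_as_med: bool = False) -> bool:
    """True if a wins over b. MED is compared only between routes whose AS_PATH starts with the
    same AS unless compare-different-as-med is enabled."""
    if a.pref_val != b.pref_val:
        return a.pref_val > b.pref_val
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if a.local != b.local:
        return a.local
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return a.origin < b.origin
    if (compare_different_as_med or _first_as(a) == _first_as(b)) and a.med != b.med:
        return a.med < b.med
    if a.ebgp != b.ebgp:
        return a.ebgp
    if a.igp_cost != b.igp_cost:
        return a.igp_cost < b.igp_cost
    if len(a.cluster_list) != len(b.cluster_list):
        return len(a.cluster_list) < len(b.cluster_list)
    if a.originator_id != b.originator_id:
        return IPv4Address(a.originator_id) < IPv4Address(b.originator_id)
    if a.router_id != b.router_id:
        return IPv4Address(a.router_id) < IPv4Address(b.router_id)
    return IPv4Address(a.peer_ip) < IPv4Address(b.peer_ip)


def select(routes, compare_different_as_med=False, max_paths=1):
    """Return (best, equal-cost set). Load balancing only adds routes with the same AS_PATH,
    ORIGIN, LOCAL_PREF and MED as the best, learned the same way (EBGP with EBGP, IBGP with IBGP)."""
    candidates = [r for r in routes if r.reachable]
    if not candidates:
        return None, []
    best = candidates[0]
    for r in candidates[1:]:
        if prefer(r, best, compare_different_as_med):
            best = r
    key = (best.as_path, best.origin, best.local_pref, best.med)
    ecmp = [best] + [r for r in candidates if r is not best and r.ebgp == best.ebgp
                     and (r.as_path, r.origin, r.local_pref, r.med) == key]
    return best, ecmp[:max_paths]


# Constructed sample: Switch A (AS 65008) learning 9.1.1.0/24 over EBGP from Switch B
# (3.1.1.1, router ID 2.2.2.2) and Switch C (3.1.2.1, router ID 3.3.3.3).
FROM_B = Route("9.1.1.0/24", "3.1.1.1", "3.1.1.1", "2.2.2.2", as_path=(65009,))
FROM_C = Route("9.1.1.0/24", "3.1.2.1", "3.1.2.1", "3.3.3.3", as_path=(65009,))

if __name__ == "__main__":
    best, ecmp = select([FROM_B, FROM_C], max_paths=2)
    print(best.next_hop, [r.next_hop for r in ecmp])
```

With max_paths=1 the tie is broken by the lower router ID, which is exactly what the "because router b has a smaller router id, the route learned from it is optimal" remark on page 797 describes; with "balance 2" both next hops are installed, as in the load-balancing example.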

  • Page 780

    1-11 ibgp and igp synchronization routing information synchronization between ibgp and igp avoids giving wrong directions to routers outside of the local as. If a non-bgp router works in an as, it may discard a packet due to an unreachable destination. As shown in figure 1-11 , router e has learned ...

  • Page 781

    1-12 in most cases, bgp is used in complex networks, where route changes are very frequent. To solve the problem caused by route flaps, bgp route dampening is used to suppress unstable routes. Bgp route dampening uses a penalty value to judge the stability of a route. The bigger the value, the less ...
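The dampening description on page 781 (a penalty that grows with each flap, decays over a half-life, and crosses a suppress threshold and later a reuse threshold) is easy to reason about once it is written down. The following is an added example, not code from the 3Com manual or from Comware: it models the RFC 2439 penalty arithmetic and replays a constructed flap sequence. The default values used (half-life 15 minutes, reuse 750, suppress 2000, ceiling 16000, penalty 1000 per flap) are assumptions of the example, not taken from this page.

```python
import math


class RouteDampener:
    """BGP route flap dampening (RFC 2439). Defaults assumed here: half-life 15 min,
    reuse 750, suppress 2000, ceiling 16000, 1000 penalty points per flap."""

    def __init__(self, half_life_min=15.0, reuse=750, suppress=2000, ceiling=16000, flap_penalty=1000):
        self.half_life, self.reuse, self.suppress, self.ceiling = half_life_min, reuse, suppress, ceiling
        self.flap_penalty = flap_penalty
        self.state = {}   # prefix -> (penalty, minutes of last update, suppressed)

    def _decayed(self, prefix, now):
        penalty, last, suppressed = self.state.get(prefix, (0.0, now, False))
        return penalty * 0.5 ** ((now - last) / self.half_life), suppressed

    def update(self, prefix, now, flapped=False):
        """Apply the exponential decay since the last event, add the flap penalty if the route
        flapped, then move across the suppress/reuse thresholds. Returns (penalty, suppressed)."""
        penalty, suppressed = self._decayed(prefix, now)
        if flapped:
            penalty = min(penalty + self.flap_penalty, self.ceiling)
        if suppressed and penalty < self.reuse:
            suppressed = False
        elif not suppressed and penalty > self.suppress:
            suppressed = True
        self.state[prefix] = (penalty, now, suppressed)
        return penalty, suppressed

    def minutes_until_reuse(self, prefix, now):
        """Time for the penalty to decay below the reuse threshold: half_life * log2(penalty/reuse)."""
        penalty, suppressed = self._decayed(prefix, now)
        if not suppressed or penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)

    def max_suppress_minutes(self):
        """Longest possible suppression: decay from the ceiling to the reuse threshold."""
        return self.half_life * math.log2(self.ceiling / self.reuse)


def replay_flaps(dampener, prefix, flap_minutes):
    """Feed a constructed sequence of flap times; return (penalty, suppressed) after each."""
    return [dampener.update(prefix, t, flapped=True) for t in flap_minutes]


if __name__ == "__main__":
    d = RouteDampener()
    for penalty, suppressed in replay_flaps(d, "9.1.1.0/24", [0, 1, 2]):
        print(f"penalty={penalty:.0f} suppressed={suppressed}")
    print(f"reuse in {d.minutes_until_reuse('9.1.1.0/24', 2):.1f} min, max {d.max_suppress_minutes():.1f} min")
```

Three flaps one minute apart push the penalty past 2000, so the route is suppressed; it takes about 29 minutes of stability for the penalty to decay below 750 and the route to be reused. Note that the ceiling bounds the worst case: with these values a route can never stay suppressed longer than about 66 minutes, however often it flapped.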

  • Page 782

    1-13 besides using well-known community attributes, you can define extended community attributes by using a community list to define a routing policy. Route reflector ibgp peers should be fully meshed to maintain connectivity. If there are n routers in an as, the number of ibgp connections is n (n-1...

  • Page 783

    1-14 after route reflection is disabled between clients, routes can still be reflected between a client and a non-client. Confederation confederation is another method to deal with growing ibgp connections in ass. It splits an as into multiple sub-ass. In each sub-as, ibgp peers are fully meshed, an...

  • Page 784

    1-15 2) upon receipt of this message, the peer is aware that the sending router is capable of graceful restart, and sends an open message with gr capability to the gr restarter to establish a gr session. If neither party has the gr capability, the session established between them will not be gr capa...

  • Page 785

    1-16 z for information about the vpn extension application, refer to mpls l3vpn configuration in the mpls volume. Z for information about the ipv6 extension application, refer to ipv6 bgp configuration in the ip routing volume. Z this chapter gives no detailed commands related to any specific extens...

  • Page 786

    1-17 task remarks configuring bgp route summarization advertising a default route to a peer or peer group configuring bgp route distribution/reception filtering policies enabling bgp and igp route synchronization limiting prefixes received from a peer/peer group configuring bgp route dampening contr...

  • Page 787

    1-18 configuring bgp basic functions this section does not differentiate between bgp and mp-bgp. Prerequisites the neighboring nodes are accessible to each other at the network layer. Creating a bgp connection a router id is the unique identifier of a bgp router in an as. Z to ensure the uniqueness ...

  • Page 788

    1-19 z since a router can reside in only one as, the router can run only one bgp process. Z you need to create a peer group before configuring it. Specifying the source interface for tcp connections bgp uses tcp as the transport layer protocol. By default, bgp uses the output interface of the optima...

  • Page 791

    1-22 to do… use the command… remarks configure automatic route summarization summary automatic required not configured by default. Configure manual route summarization by configuring manual route summarization, you can summarize both redistributed routes and routes injected using the network command...

  • Page 792

    1-23 for how to configure an acl, refer to acl configuration in the security volume. For how to configure an ip prefix list, route policy and as-path acl, refer to route policy configuration in the routing volume. Configure bgp route distribution filtering policies follow these steps to configure bg...

  • Page 796

    1-27 configure the default local preference the local preference is used to determine the best route for traffic leaving the local as. When a bgp router obtains from several ibgp peers multiple routes to the same destination but with different next hops, it considers the route with the highest local...

  • Page 797

    1-28 figure 1-16 route selection based on med as shown in the figure above, router d learns network 10.0.0.0 from both router a and router b. Because router b has a smaller router id, the route learned from it is optimal. Network nexthop med locprf prefval path/ogn *>i 10.0.0.0 2.2.2.2 50 0 300e * i...

  • Page 798

    1-29 enable the comparison of med of routes from confederation peers follow these steps to enable the comparison of med of routes from confederation peers: to do… use the command… remarks enter system view system-view — enter bgp view bgp as-number — enable the comparison of med of routes from confe...

  • Page 799

    1-30 figure 1-18 next hop attribute configuration note that: if you have configured bgp load balancing on a bgp router, the router will set it as the next hop for routes sent to an ibgp peer/peer group regardless of whether the peer next-hop-local command is configured. Follow these steps to configu...

  • Page 800

    1-31 to do… use the command… remarks enter system view system-view — enter bgp view bgp as-number — disable bgp from considering as_path during best route selection bestroute as-path-neglect optional by default, bgp considers as_path during best route selection. Specify a fake as number for a peer/p...

  • Page 801

    1-32 as shown in the above figure, ce 1 and ce 2 use the same as number of 800. If as number substitution for ce 2 is configured on pe 2, then when pe 2 advertises to ce 2 a bgp update received from ce 1, it replaces as number 800 in the as_path with its own as number 100, so that ce 2 does not drop the route on finding its own as number in the path. Similar configuration should also be made on pe 1. Follow thes...

  • Page 803

    1-34 configure automatic soft-reset after route refresh is enabled for peers and then a policy is modified, the router advertises a route-refresh message to the peers, which then resend their routing information to the router. In this way, the router can perform dynamic route update and apply the ne...

  • Page 804

    1-35 policies (if any), to filter updates to the bgp speaker, thus reducing the number of exchanged update messages and saving network resources. After you enable the bgp orf capability, the local bgp router negotiates the orf capability with the bgp peer through open messages (that is, determine wh...

  • Page 805

    1-36 follow these steps to enable quick ebgp session reestablishment: to do… use the command… remarks enter system view system-view — enter bgp view bgp as-number — enable quick ebgp session reestablishment ebgp-interface-sensitive optional not enabled by default enabling md5 authentication for tcp ...
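The "enabling md5 authentication for tcp connections" task above (the "peer ... password" configuration) turns on the TCP MD5 signature option of RFC 2385, which is what protects a BGP session from spoofed RST or injected segments. The following is an added example, not code from the 3Com manual or from Comware: it computes the RFC 2385 digest over the pseudo-header, the 20-byte TCP header with the checksum zeroed, the payload and the key, places it in option kind 19, and verifies a received segment the way a signing receiver would. The addresses (the 3.1.1.1/3.1.1.2 EBGP link from this page), ports, sequence numbers and the key bgp-secret are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OPT_EOL, OPT_NOP, OPT_MD5 = 0, 1, 19
OPT_MD5_LEN = 18
BGP_PORT = 179


def _pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)


def tcp_md5_digest(src: str, dst: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header with checksum
    zeroed (options excluded), the TCP data, then the key."""
    data_off = (segment[12] >> 4) * 4
    header = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(_pseudo_header(src, dst, len(segment)) + header + segment[data_off:] + key).digest()


def find_md5_option(segment: bytes):
    """Walk the option list; return the offset of the MD5 option's digest, or None."""
    data_off, off = (segment[12] >> 4) * 4, 20
    while off < data_off:
        kind = segment[off]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            off += 1
            continue
        if off + 2 > data_off:
            break
        length = segment[off + 1]
        if length < 2 or off + length > data_off:
            break                                    # malformed option list
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            return off + 2
        off += length
    return None


def _checksum(data: bytes) -> int:
    """Ones' complement sum used for the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_signed_segment(src, dst, sport, dport, seq, ack, flags, payload, key, window=65535):
    """TCP segment with a 20-byte option block: MD5 option (18 bytes) + two NOPs."""
    options = bytes([OPT_MD5, OPT_MD5_LEN]) + bytes(16) + bytes([OPT_NOP, OPT_NOP])
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (40 // 4) << 4, flags, window, 0, 0)
    seg = bytearray(header + options + payload)
    seg[22:38] = tcp_md5_digest(src, dst, bytes(seg), key)             # digest first ...
    seg[16:18] = struct.pack("!H", _checksum(_pseudo_header(src, dst, len(seg)) + bytes(seg)))  # ... then checksum
    return bytes(seg)


def verify_signed_segment(src, dst, segment, key) -> bool:
    """What a receiver with a peer password configured does: drop segments that carry no MD5
    option or whose digest does not match the key."""
    off = find_md5_option(segment)
    if off is None:
        return False
    return hmac.compare_digest(segment[off:off + 16], tcp_md5_digest(src, dst, segment, key))


def tcp_checksum_ok(src, dst, segment) -> bool:
    return _checksum(_pseudo_header(src, dst, len(segment)) + segment) == 0


# Constructed sample: a BGP KEEPALIVE from Switch B (3.1.1.1) to Switch A (3.1.1.2) on the EBGP
# session of the manual's topology, signed with a made-up key.
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
KEY = b"bgp-secret"
SAMPLE_SEG = build_signed_segment("3.1.1.1", "3.1.1.2", BGP_PORT, 50001, 1000, 2000, 0x18, KEEPALIVE, KEY)

if __name__ == "__main__":
    print(verify_signed_segment("3.1.1.1", "3.1.1.2", SAMPLE_SEG, KEY), tcp_checksum_ok("3.1.1.1", "3.1.1.2", SAMPLE_SEG))
```

Flipping the flags byte to RST, changing the key, or sending a plain unsigned segment all fail verification, which is the point of the option: an attacker who can guess sequence numbers still cannot tear down the session without the password.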

  • Page 807

    1-38 configure an ebgp peer group if peers in an ebgp group belong to the same external as, the ebgp peer group is a pure ebgp peer group; if not, it is a mixed ebgp peer group. There are three approaches for configuring an ebgp peer group: z create the ebgp peer group, specify its as number, and ad...

  • Page 808

    1-39 peers added in the group can have different as numbers. Follow these steps to configure an ebgp peer group using the third approach: to do… use the command… remarks enter system view system-view — enter bgp view bgp as-number — create an ebgp peer group group group-name external required add a ...

  • Page 810

    1-41 configuring a bgp confederation configuring a bgp confederation is another way for reducing ibgp connections in an as. A confederation contains sub ass. In each sub as, ibgp peers are fully meshed. Between sub ass, ebgp connections are established. If routers not compliant with rfc 3065 exist i...

  • Page 811

    1-42 a device can act as a gr restarter and gr helper at the same time. Follow these steps to configure bgp gr: to do… use the command… remarks enter system view system-view — enable bgp, and enter its view bgp as-number — enable gr capability for bgp graceful-restart required disabled by default co...

  • Page 814

    1-45 to do… use the command… remarks reset the bgp connections to a peer group reset bgp group group-name reset all ibgp connections reset bgp internal reset all ipv4 unicast bgp connections reset bgp ipv4 all clearing bgp information to do… use the command… remarks clear dampened mbgp routing infor...

  • Page 815

    1-46 system-view [switchb] bgp 65009 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 3.3.3.3 as-number 65009 [switchb-bgp] peer 3.3.3.3 connect-interface loopback 0 [switchb-bgp] quit [switchb] ospf 1 [switchb-ospf-1] area 0 [switchb-ospf-1-area-0.0.0.0] network 2.2.2.2 32 [switchb-ospf-1-area-0....

  • Page 816

    1-47 [switchb] bgp 65009 [switchb-bgp] peer 3.1.1.2 as-number 65008 [switchb-bgp] quit # display bgp peer information on switch b. [switchb] display bgp peer bgp local router id : 2.2.2.2 local as number : 65009 total number of peers : 2 peers in established state : 2 peer as msgrcvd msgsent outq pr...

  • Page 817

    1-48 4) redistribute direct routes configure bgp to redistribute direct routes on switch b, so that switch a can obtain the route to 9.1.1.0/24 and switch c can obtain the route to 3.1.1.0/24. # configure switch b. [switchb] bgp 65009 [switchb-bgp] import-route direct # display the bgp routing table...

  • Page 818

    1-49 0.00% packet loss round-trip min/avg/max = 2/2/2 ms bgp and igp synchronization configuration network requirements as shown below, all devices of company a belong to as 65008 while all devices of company b belong to as 65009. As 65008 and as 65009 are connected through switch a and switch b. It...

  • Page 819

    1-50 [switcha-bgp] peer 3.1.1.1 as-number 65009 [switcha-bgp] network 8.1.1.0 24 [switcha-bgp] quit # configure switch b. [switchb] bgp 65009 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 3.1.1.2 as-number 65008 4) configure bgp and igp synchronization z configure bgp to redistribute routes fro...

  • Page 820

    1-51 [switcha] ping -a 8.1.1.1 9.1.2.1 ping 9.1.2.1: 56 data bytes, press ctrl_c to break reply from 9.1.2.1: bytes=56 sequence=1 ttl=254 time=15 ms reply from 9.1.2.1: bytes=56 sequence=2 ttl=254 time=31 ms reply from 9.1.2.1: bytes=56 sequence=3 ttl=254 time=47 ms reply from 9.1.2.1: bytes=56 sequ...

  • Page 821

    1-52 figure 1-22 network diagram for bgp load balancing configuration (on switches) configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configure bgp connections z on switch a, establish ebgp connections with switch b and switch c respectively; configure bgp to advertise ne...

  • Page 822

    1-53 # configure switch c. System-view [switchc] bgp 65009 [switchc-bgp] router-id 3.3.3.3 [switchc-bgp] peer 3.1.2.2 as-number 65008 [switchc-bgp] peer 2.2.2.2 as-number 65009 [switchc-bgp] peer 2.2.2.2 connect-interface loopback 0 [switchc-bgp] network 9.1.1.0 255.255.255.0 [switchc-bgp] quit [swi...

  • Page 823

    1-54 z the route 9.1.1.0/24 has two next hops 3.1.1.1 and 3.1.2.1, both of which are marked with a greater-than sign (>), indicating they are the best routes. Z using the display ip routing-table command, you can find two routes to 9.1.1.0/24: one with next hop 3.1.1.1 and outbound interface vlan-in...

  • Page 824

    1-55 [switchc-bgp] peer 200.1.3.1 as-number 20 [switchc-bgp] quit # display the bgp routing table on switch b. [switchb] display bgp routing-table 9.1.1.0 bgp local router id : 2.2.2.2 local as number : 20 paths: 1 available, 1 best bgp routing table entry information of 9.1.1.0/24: from : 200.1.2.1...

  • Page 825

    1-56 paths: 1 available, 1 best bgp routing table entry information of 9.1.1.0/24: from : 200.1.2.1 (1.1.1.1) original nexthop: 200.1.2.1 community : no-export as-path : 10 origin : igp attribute value : med 0, pref-val 0, pre 255 state : valid, external, best, not advertised to any peers yet the ro...

  • Page 826

    1-57 # configure switch b. System-view [switchb] bgp 200 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 192.1.1.1 as-number 100 [switchb-bgp] peer 193.1.1.1 as-number 200 [switchb-bgp] peer 193.1.1.1 next-hop-local [switchb-bgp] quit # configure switch c. System-view [switchc] bgp 200 [switchc-b...

  • Page 827

    1-58 bgp local router id is 200.1.2.1 status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, s - stale origin : i - igp, e - egp, ? - incomplete network nexthop med locprf prefval path/ogn i 1.0.0.0 193.1.1.2 0 100 0 100i switch d learned route 1.0.0.0/8 from switc...

  • Page 828

    1-59 [switcha-bgp] peer 10.1.2.2 as-number 65003 [switcha-bgp] peer 10.1.2.2 next-hop-local [switcha-bgp] quit # configure switch b. System-view [switchb] bgp 65002 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] confederation id 200 [switchb-bgp] confederation peer-as 65001 65003 [switchb-bgp] peer 1...

  • Page 829

    1-60 [switcha] bgp 65001 [switcha-bgp] peer 200.1.1.2 as-number 100 [switcha-bgp] quit # configure switch f. System-view [switchf] bgp 100 [switchf-bgp] router-id 6.6.6.6 [switchf-bgp] peer 200.1.1.1 as-number 200 [switchf-bgp] network 9.1.1.0 255.255.255.0 [switchf-bgp] quit 5) verify above configu...

  • Page 830

    1-61 origin : i - igp, e - egp, ? - incomplete network nexthop med locprf prefval path/ogn *>i 9.1.1.0/24 10.1.3.1 0 100 0 100i [switchd] display bgp routing-table 9.1.1.0 bgp local router id : 4.4.4.4 local as number : 65001 paths: 1 available, 1 best bgp routing table entry information of 9.1.1.0/...

  • Page 831

    1-62 vlan-int200 193.1.1.1/24 switch c vlan-int400 195.1.1.2/24 switch b vlan-int100 192.1.1.2/24 vlan-int200 193.1.1.2/24 vlan-int300 194.1.1.2/24 configuration procedure 1) configure ip addresses for interfaces (omitted). 2) configure ospf on switch b, c, and d. # configure switch b. System-view [...

  • Page 832

    1-63 [switchb-bgp] quit # configure switch c. [switchc] bgp 200 [switchc-bgp] peer 193.1.1.1 as-number 100 [switchc-bgp] peer 195.1.1.1 as-number 200 [switchc-bgp] quit # configure switch d. [switchd] bgp 200 [switchd-bgp] peer 194.1.1.2 as-number 200 [switchd-bgp] peer 195.1.1.2 as-number 200 [swit...

  • Page 833

    1-64 *>i 1.0.0.0 193.1.1.1 50 100 0 100i * i 192.1.1.1 100 100 0 100i you can see that the route to 1.0.0.0/8 via 193.1.1.1 is the optimal one. Z configure different local preferences on switch b and c for route 1.0.0.0/8, making switch d give priority to the route from switch c. # define an acl numbered 2000 on switch c, permi...

  • Page 834

    1-65 figure 1-27 network diagram for bfd configuration on a bgp link bfd as 100 l2 switch switch a switch b vlan-int10 10.1.0.102/24 vlan-int10 10.1.0.100/24 configuration procedure 1) configure vlan interfaces. # configure switch a. System-view [switcha] interface vlan-interface 10 [switcha-...

  • Page 835

    1-66 # configure switch b. [switchb] bfd session init-mode active [switchb] interface vlan-interface 10 [switchb-vlan-interface10] bfd min-transmit-interval 500 [switchb-vlan-interface10] bfd min-receive-interval 500 [switchb-vlan-interface10] bfd detect-multiplier 6 4) verify the configurati...

  • Page 836

    1-67 bgp gr configuration network requirements all switches in the following figure run bgp. Between switch a and switch b is an ebgp connection. Switch b and switch c are connected over an ibgp connection. Enable gr capability for bgp so that the communication between switch a and switch c is not a...

  • Page 837

    1-68 # configure ip addresses for interfaces (omitted). # configure the ibgp connection. System-view [switchc] bgp 65009 [switchc-bgp] router-id 3.3.3.3 [switchc-bgp] peer 9.1.1.1 as-number 65009 # redistribute direct routes. [switchc-bgp] import-route direct # enable gr capability for bgp. [switchc...

  • Page 838: Table of Contents

    I table of contents 1 ipv6 static routing configuration ···········································································································1-1 introduction to ipv6 static routing··································································································...

  • Page 839

    1-1 1 ipv6 static routing configuration when configuring ipv6 static routing, go to these sections for information you are interested in: z introduction to ipv6 static routing z configuring an ipv6 static route z displaying and maintaining ipv6 static routes z ipv6 static routing configuration examp...

  • Page 840

    1-2 configuration prerequisites z configuring parameters for the related interfaces z configuring link layer attributes for the related interfaces z enabling ipv6 packet forwarding z ensuring that the neighboring nodes are ipv6 reachable configuring an ipv6 static route follow these steps to configu...

  • Page 841

    1-3 figure 1-1 network diagram for static routes configuration procedure 1) configure the ipv6 addresses of all vlan interfaces (omitted) 2) configure ipv6 static routes. # configure the default ipv6 static route on switcha. System-view [switcha] ipv6 route-static :: 0 4::2 # configure two ipv6 stat...

  • Page 842

    1-4 destination : 1::/64 protocol : direct nexthop : 1::1 preference : 0 interface : vlan-interface100 cost : 0 destination : 1::1/128 protocol : direct nexthop : ::1 preference : 0 interface : inloop0 cost : 0 destination : fe80::/10 protocol : direct nexthop : :: preference : 0 interface : null0 c...

  • Page 843: Table of Contents

    I table of contents 1 ripng configuration··································································································································1-1 introduction to ripng ·······································································································...

  • Page 844: Ripng Configuration

    1 RIPng Configuration. When configuring RIPng, go to these sections for information you are interested in: Introduction to RIPng; Configuring RIPng Basic Functions; Configuring RIPng Route Control; Tuning and Optimizing the RIPng Network; Displaying and Maintaining RIPng; RIPng Configurati...

  • Page 845

    Each RIPng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information: destination address: IPv6 address of a host or a network; next hop address: IPv6 address of a neighbor along the path to the destination; ...

  • Page 846

    Figure 1-3 IPv6 prefix RTE format (fields: IPv6 prefix (16 octets), route tag, prefix length, metric; bit positions 0, 7, 15, 31). IPv6 prefix: destination IPv6 address prefix. Route tag: route tag. Prefix len: length of the IPv6 address prefix. Metric: cost of a route. RIPng packet processing procedure. Request packet ...

  • Page 847

    Configure an IP address for each interface, and make sure all nodes are reachable to one another. Configuration procedure. Follow these steps to configure the basic RIPng functions (To do… / Use the command… / Remarks): Enter system view / system-view / ––; Create a RIPng process and enter RIPng view / ripn...

  • Page 848

    The inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route's metric is changed. Follow these steps to configure an inbound/outbound additional routing metric (To do… / Use the command… / Remarks): Enter system view / system-vie...

  • Page 849

    Configuring a RIPng Route Filtering Policy. You can reference a configured IPv6 ACL or prefix list to filter received/advertised routing information as needed. For filtering outbound routes, you can also specify a routing protocol whose redistributed routes are to be filtered. Follow the...

  • Page 850

    Tuning and Optimizing the RIPng Network. This section describes how to tune and optimize the performance of the RIPng network as well as applications under special network environments. Before tuning and optimizing the RIPng network, complete the following tasks: configure a network layer addre...

  • Page 851

    Configuring Split Horizon and Poison Reverse. If both split horizon and poison reverse are configured, only the poison reverse function takes effect. Configure split horizon: the split horizon function prevents a route learned from an interface from being advertised through the same interface to p...

  • Page 852

    discarded. If you are sure that all packets are trustworthy, you can disable the zero field check to reduce the CPU processing time. Follow these steps to configure RIPng zero field check (To do… / Use the command… / Remarks): Enter system view / system-view / ––; Enter RIPng view / ripng [ process-id ] / ––; Enable...

  • Page 853

    RIPng Configuration Example. Configure RIPng Basic Functions. Network requirements: as shown in Figure 1-4, all switches run RIPng. Configure Switch B to filter the route (3::/64) learnt from Switch C, which means the route will not be added to the routing table of Switch B, and Switch B will not...

  • Page 854

    [switchc-vlan-interface200] quit [switchc] interface vlan-interface 500 [switchc-vlan-interface500] ripng 1 enable [switchc-vlan-interface500] quit [switchc] interface vlan-interface 600 [switchc-vlan-interface600] ripng 1 enable [switchc-vlan-interface600] quit # Display the routing table of S...

  • Page 855

    [switchb-ripng-1] filter-policy 2000 export # Display routing tables of Switch B and Switch A. [switchb] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-collect ---------------------------------------------------------------- peer fe80::20f:e2ff:fe23:82f5 on vlan-inter...

  • Page 856

    Configuration procedure: 1) Configure IPv6 addresses for the interfaces (omitted). 2) Configure RIPng basic functions. # Enable RIPng 100 on Switch A. system-view [switcha] ripng 100 [switcha-ripng-100] quit [switcha] interface vlan-interface 100 [switcha-vlan-interface100] ripng 100 enable [switc...

  • Page 857

    interface : vlan100 cost : 0 destination: 1::1/128 protocol : direct nexthop : ::1 preference: 0 interface : inloop0 cost : 0 destination: 2::/64 protocol : direct nexthop : 2::1 preference: 0 interface : vlan200 cost : 0 destination: 2::1/128 protocol : direct nexthop : ::1 preference: 0 inter...

  • Page 858

    destination: 2::1/128 protocol : direct nexthop : ::1 preference: 0 interface : inloop0 cost : 0 destination: 4::/64 protocol : ripng nexthop : fe80::200:bff:fe01:1c02 preference: 100 interface : vlan100 cost : 4 destination: fe80::/10 protocol : direct nexthop : :: preference: 0 interface : nu...

  • Page 859: Table of Contents

    Table of Contents: 1 OSPFv3 Configuration 1-1; Introduction to OSPFv3 ...

  • Page 860

    Configuring OSPFv3 Route Redistribution 1-23; Configuring OSPFv3 GR 1-26; Troubleshooting OSPFv3 Configur...

  • Page 861: Ospfv3 Configuration

    1 OSPFv3 Configuration. When configuring OSPFv3, go to these sections for information you are interested in: Introduction to OSPFv3; IPv6 OSPFv3 Configuration Task List; Enabling OSPFv3; Configuring OSPFv3 Area Parameters; Configuring OSPFv3 Network Types; Configuring OSPFv3 Routing Informat...

  • Page 862

    OSPFv3 packets. OSPFv3 also has five types of packets: Hello, DD, LSR, LSU, and LSAck. The five packets share the same packet header, which differs from the OSPFv2 packet header: it is only 16 bytes in length, has no authentication field, and adds an Instance ID field to support multi-insta...

  • Page 863

    Intra-Area-Prefix-LSA: each Intra-Area-Prefix-LSA contains IPv6 prefix information on a router, stub area or transit area information, and has area flooding scope. It was introduced because Router-LSAs and Network-LSAs no longer contain address information. RFC 5187 defines the type 11 LSA, Grace...

  • Page 864

    OSPFv3 stub area; OSPFv3 multi-process, which enables a router to run multiple OSPFv3 processes; OSPFv3 GR. Protocols and standards: RFC 2740: OSPF for IPv6; RFC 2328: OSPF Version 2; RFC 5187: OSPFv3 Graceful Restart. IPv6 OSPFv3 Configuration Task List. Complete the following tasks to confi...

  • Page 865

    Enable IPv6 packet forwarding. Enabling OSPFv3. To enable an OSPFv3 process on a router, you need to enable the OSPFv3 process globally, assign the OSPFv3 process a router ID, and enable the OSPFv3 process on related interfaces. A router ID uniquely identifies a router within an AS. Therefore, y...

  • Page 866

    (To do… / Use the command… / Remarks) Enter system view / system-view / —; Enter OSPFv3 view / ospfv3 [ process-id ] / —; Enter OSPFv3 area view / area area-id / —; Configure the area as a stub area / stub [ no-summary ] / Required; not configured by default; Specify a cost for the default route advertised to the stub are...

  • Page 867

    Both ends of a virtual link are ABRs that must be configured with the vlink-peer command. Do not configure virtual links in the areas of a GR-capable process. Configuring OSPFv3 Network Types. OSPFv3 classifies networks into four types according to the link layer protocol: by default, the default OSP...

  • Page 868

    Configuring an NBMA or P2MP Neighbor. For NBMA and P2MP interfaces (only when in unicast mode), you need to specify the link-local IP addresses of their neighbors because such interfaces cannot find neighbors by broadcasting hello packets. You can also specify DR priorities for neighbors. Follow...

  • Page 869

    The abr-summary command takes effect on ABRs only. Configuring OSPFv3 Inbound Route Filtering. You can configure OSPFv3 to filter routes that are computed from received LSAs according to some rules. Follow these steps to configure OSPFv3 inbound route filtering (To do… / Use the command… / Remarks): En...

  • Page 870

    (To do… / Use the command… / Remarks) Configure an OSPFv3 cost for the interface / ospfv3 cost value [ instance instance-id ] / Optional; by default, OSPFv3 computes an interface's cost according to its bandwidth. The cost value defaults to 1 for VLAN interfaces and defaults to 0 for loopback interfaces. ...

  • Page 871

    (To do… / Use the command… / Remarks) Configure a priority for OSPFv3 / preference [ ase ] [ route-policy route-policy-name ] preference / Optional; by default, the priority of OSPFv3 internal routes is 10, and the priority of OSPFv3 external routes is 150. Configuring OSPFv3 Route Redistribution. Follow these...

  • Page 872

    Tuning and Optimizing OSPFv3 Networks. This section describes configuration of OSPFv3 timers, interface DR priority, ignoring the MTU check for DD packets, and disabling interfaces from sending OSPFv3 packets. OSPFv3 timers: packet timer: specified to adjust topology convergence speed and networ...

  • Page 873

    (To do… / Use the command… / Remarks) Configure the SPF timers / spf timers delay-interval hold-interval / Optional; by default, delay-interval is 5 seconds, and hold-interval is 10 seconds. The dead interval set on neighboring interfaces cannot be too short. Otherwise, a neighbor is easily considered d...

  • Page 874

    (To do… / Use the command… / Remarks) Ignore MTU check for DD packets / ospfv3 mtu-ignore [ instance instance-id ] / Required; not ignored by default. Disable Interfaces from Sending OSPFv3 Packets. Follow these steps to disable interfaces from sending OSPFv3 packets (To do… / Use the command… / Remarks): Enter s...

  • Page 875

    Configuring OSPFv3 GR. You cannot configure OSPFv3 GR after configuring OSPFv3 virtual links, because they are not supported at the same time. To prevent service interruption after a master/backup switchover, a GR restarter running OSPFv3 must complete the following tasks: keep the GR restarter...

  • Page 876

    (To do… / Use the command… / Remarks) Enable strict LSA checking / graceful-restart helper strict-lsa-checking / Optional; disabled by default. Displaying and Maintaining OSPFv3 (To do… / Use the command… / Remarks): Display OSPFv3 debugging state information / display debugging ospfv3; Display OSPFv3 process brief...

  • Page 877

    (To do… / Use the command… / Remarks) Display the GR status of the specified OSPFv3 process / display ospfv3 [ process-id ] graceful-restart status. OSPFv3 Configuration Examples. Configuring OSPFv3 Areas. Network requirements: in the following figure, all switches run OSPFv3. The AS is split into three ar...

  • Page 878

    # Configure Switch B. system-view [switchb] ipv6 [switchb] ospfv3 [switchb-ospf-1] router-id 2.2.2.2 [switchb-ospf-1] quit [switchb] interface vlan-interface 100 [switchb-vlan-interface100] ospfv3 1 area 0 [switchb-vlan-interface100] quit [switchb] interface vlan-interface 200 [switchb-vlan-int...

  • Page 879

    # Display OSPFv3 neighbor information on Switch C. [switchc] display ospfv3 peer ospfv3 area id 0.0.0.0 (process 1) ---------------------------------------------------------------------- neighbor id pri state dead time interface instance id 2.2.2.2 1 full/backup 00:00:39 vlan100 0 ospfv3 area i...

  • Page 880

    # Display OSPFv3 routing table information on Switch D. You can see that a default route has been added, and its cost is the cost of a direct route plus the configured cost. [switchd] display ospfv3 routing e1 - type 1 external route, ia - inter area route, i - intra area route e2 - type 2 external route...

  • Page 881

    Configuring OSPFv3 DR Election. Network requirements: in the following figure: the priority of Switch A is 100, the highest priority on the network, so it will be the DR; the priority of Switch C is 2, the second highest priority on the network, so it will be the BDR; the priority of Switch...

  • Page 882

    system-view [switchc] ipv6 [switchc] ospfv3 [switchc-ospfv3-1] router-id 3.3.3.3 [switchc-ospfv3-1] quit [switchc] interface vlan-interface 100 [switchc-vlan-interface100] ospfv3 1 area 0 [switchc-vlan-interface100] quit # Configure Switch D. system-view [switchd] ipv6 [switchd] ospfv3 [switchd...

  • Page 883

    [switchc] interface vlan-interface 100 [switchc-vlan-interface100] ospfv3 dr-priority 2 [switchc-vlan-interface100] quit # Display neighbor information on Switch A. You can see that the DR priorities have been updated, but the DR and BDR are not changed. [switcha] display ospfv3 peer ospfv3 area id 0.0...

  • Page 884

    OSPFv3 process 1 and OSPFv3 process 2 are enabled on Switch B. Switch B communicates with Switch A and Switch C through OSPFv3 process 1 and OSPFv3 process 2 respectively. Configure OSPFv3 process 2 to redistribute direct routes and the routes from OSPFv3 process 1 on Switch B and set the d...

  • Page 885

    [switchb-vlan-interface300] ospfv3 2 area 2 [switchb-vlan-interface300] quit # Enable OSPFv3 process 2 on Switch C. system-view [switchc] ipv6 [switchc] ospfv3 2 [switchc-ospfv3-2] router-id 4.4.4.4 [switchc-ospfv3-2] quit [switchc] interface vlan-interface 300 [switchc-vlan-interface300] ospfv...

  • Page 886

    [switchb-ospfv3-2] default cost 3 [switchb-ospfv3-2] import-route ospfv3 1 [switchb-ospfv3-2] import-route direct [switchb-ospfv3-2] quit # Display the routing table of Switch C. [switchc] display ipv6 routing-table routing table : destinations : 8 routes : 8 destination: ::1/128 protocol : dir...

  • Page 887

    Switch A acts as the GR restarter. Switch B and Switch C are the GR helpers and synchronize their LSDBs with Switch A through out-of-band (OOB) communication of GR. Figure 1-5 Network diagram for OSPFv3 GR configuration. Configuration procedure: 1) Configure IPv6 addresses for interfaces (omitt...

  • Page 888

    [switchc-vlan-interface100] ospfv3 1 area 1 [switchc-vlan-interface100] quit 3) Verify the configuration. # After all switches function properly, perform a master/backup switchover on Switch A to trigger an OSPFv3 GR operation. Troubleshooting OSPFv3 Configuration. No OSPFv3 Neighbor Relationship ...

  • Page 889

    3) Use the display ospfv3 lsdb command to display link state database information to check integrity. 4) Display information about area configuration using the display current-configuration configuration command. If more than two areas are configured, at least one area is connected to the backb...

  • Page 890: Table of Contents

    Table of Contents: 1 IPv6 IS-IS Configuration 1-1; Introduction to IPv6 IS-IS ...

  • Page 891: Ipv6 Is-Is Configuration

    1 IPv6 IS-IS Configuration. The term "router" in this document refers to a router in a generic sense or a Layer 3 switch. EA boards (such as LSQ1GP12EA and LSQ1TGX1EA) do not support IPv6 features. IPv6 IS-IS supports all the features of IPv4 IS-IS except that it advertises IPv6 routing inf...

  • Page 892

    Configuring IPv6 IS-IS Basic Functions. You can implement IPv6 internetworking by configuring IPv6 IS-IS in an IPv6 network environment. Configuration prerequisites: before the configuration, accomplish the following tasks first: enable IPv6 globally; configure IP addresses for interfaces, a...

  • Page 895

    Figure 1-1 Network diagram for IPv6 IS-IS basic configuration. Configuration procedure: 1) Configure IPv6 addresses for interfaces (omitted). 2) Configure IPv6 IS-IS. # Configure Switch A. system-view [switcha] isis 1 [switcha-isis-1] is-level level-1 [switcha-isis-1] network-entity 10.0000.0000.000...

  • Page 896

    [switchc-vlan-interface100] quit [switchc] interface vlan-interface 200 [switchc-vlan-interface200] isis ipv6 enable 1 [switchc-vlan-interface200] quit [switchc] interface vlan-interface 300 [switchc-vlan-interface300] isis ipv6 enable 1 [switchc-vlan-interface300] quit # Configure Switch D. sys...

  • Page 897: Table of Contents

    Table of Contents: 1 IPv6 BGP Configuration 1-1; IPv6 BGP Overview ...

  • Page 898

    IPv6 BGP Basic Configuration 1-21; IPv6 BGP Route Reflector Configuration 1-23; Troubleshooting IPv6 BGP Config...

  • Page 899: Ipv6 Bgp Configuration

    1 IPv6 BGP Configuration. The term "router" in this document refers to a router in a generic sense or a Layer 3 switch. EA boards (such as LSQ1GP12EA and LSQ1TGX1EA) do not support IPv6 features. This chapter describes only configuration for IPv6 BGP. For BGP related information, refer to B...

  • Page 900

    Configuration Task List. Complete the following tasks to configure IPv6 BGP (Task / Remarks): Specifying an IPv6 BGP peer / Required; Injecting a local IPv6 route / Optional; Configuring a preferred value for routes from a peer/peer group / Optional; Specifying the source interface for establishing TCP connec...

  • Page 901

    Configuring IPv6 BGP Basic Functions. Prerequisites: before configuring this task, you need to: specify IP addresses for interfaces; enable IPv6. You need to create a peer group before configuring basic functions for it. For related information, refer to Configuring IPv6 BGP Peer Group. Specifyi...

  • Page 903

    To improve stability and reliability, you can specify a loopback interface as the source interface for establishing TCP connections to a BGP peer. By doing so, a link failure will not affect TCP connection establishment when redundant links are available. To establish a BGP connection, you n...

  • Page 904

    The peer group to be configured with a description must have been created. Disabling Session Establishment to an IPv6 Peer/Peer Group. Follow these steps to disable session establishment to a peer/peer group (To do… / Use the command… / Remarks): Enter system view / system-view / —; Enter BGP view / bgp as-nu...

  • Page 905

    Enable IPv6; configure the IPv6 BGP basic functions. Configuring IPv6 BGP Route Redistribution. Follow these steps to configure IPv6 BGP route redistribution (To do… / Use the command… / Remarks): Enter system view / system-view / —; Enter BGP view / bgp as-number / —; Enter IPv6 address family view / ipv6-famil...

  • Page 907

    IPv6 BGP advertises routes passing the specified policy to peers. Using the protocol argument filters only the routes redistributed from the specified protocol. If no protocol is specified, IPv6 BGP filters all routes to be advertised, including redistributed routes and routes imported with t...

  • Page 908

    By default, when a BGP router receives an IBGP route, it only checks the reachability of the route's next hop before advertisement. If the synchronization feature is configured, the IBGP route can be advertised to EBGP peers only after the IGP has advertised it. Follow these steps to configure i...

  • Page 910

    (To do… / Use the command… / Remarks) Enable the comparison of MED for routes from each AS / bestroute compare-med / Optional; disabled by default; Enable the comparison of MED for routes from confederation peers / bestroute med-confederation / Optional; disabled by default. Configuring the AS_PATH Attribute. Fol...

  • Page 911

    After modifying a route selection policy, you have to reset IPv6 BGP connections to make the new policy take effect, causing a short disconnection. The current IPv6 BGP implementation supports the route-refresh feature, which enables dynamic IPv6 BGP routing table refresh without needing to dis...

  • Page 913

    After you enable the BGP ORF capability, the local BGP router negotiates the ORF capability with the BGP peer through Open messages (that is, it determines whether to carry ORF information in messages and, if so, whether to carry non-standard ORF information in the packets). After completing the negot...

  • Page 914

    (To do… / Use the command… / Remarks) Configure the maximum number of load balanced routes / balance number / Required; by default, no load balancing is enabled. Configuring a Large Scale IPv6 BGP Network. In a large-scale IPv6 BGP network, configuration and maintenance become inconvenient due to too many...

  • Page 915

    Creating a Pure EBGP Peer Group. Follow these steps to configure a pure EBGP group (To do… / Use the command… / Remarks): Enter system view / system-view / —; Enter BGP view / bgp as-number / —; Enter IPv6 address family view / ipv6-family / —; Create an EBGP peer group / group ipv6-group-name external / Required; Config...

  • Page 916

    When creating a mixed EBGP peer group, you need to create a peer and specify its AS number, which can be different from the AS numbers of other peers, but you cannot specify an AS number for the EBGP peer group. Configuring IPv6 BGP Community. Advertise community attribute to an IPv6 peer/peer group. Foll...

  • Page 917

    Configuring an IPv6 BGP Route Reflector. Follow these steps to configure an IPv6 BGP route reflector (To do… / Use the command… / Remarks): Enter system view / system-view / —; Enter BGP view / bgp as-number / —; Enter IPv6 address family view / ipv6-family / —; Configure the router as a route reflector and specify ...

  • Page 918

    (To do… / Use the command… / Remarks) Display IPv6 BGP routing information matching an AS path ACL / display bgp ipv6 routing-table as-path-acl as-path-acl-number; Display IPv6 BGP routing information with the specified community attribute / display bgp ipv6 routing-table community [ aa:nn ] [ no-advertise...

  • Page 920

    [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] ipv6-family [switchb-bgp-af-ipv6] peer 9:1::2 as-number 65009 [switchb-bgp-af-ipv6] peer 9:3::2 as-number 65009 [switchb-bgp-af-ipv6] quit [switchb-bgp] quit # Configure Switch C. system-view [switchc] ipv6 [switchc] bgp 65009 [switchc-bgp] router-i...

  • Page 921

    total number of peers : 3 peers in established state : 3 peer as msgrcvd msgsent outq prefrcv up/down state 10::2 65008 3 3 0 0 00:01:16 established 9:3::2 65009 2 3 0 0 00:00:40 established 9:1::2 65009 2 4 0 0 00:00:19 established # Display IPv6 peer information on Switch C. [switchc] display...

  • Page 922

    [switcha] ipv6 [switcha] bgp 100 [switcha-bgp] router-id 1.1.1.1 [switcha-bgp] ipv6-family [switcha-bgp-af-ipv6] peer 100::2 as-number 200 [switcha-bgp-af-ipv6] network 1:: 64 # Configure Switch B. system-view [switchb] ipv6 [switchb] bgp 200 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] ipv6-fa...

  • Page 923

    Analysis: to become IPv6 BGP peers, any two routers need to establish a TCP session using port 179 and exchange Open messages successfully. Processing steps: 1) Use the display current-configuration command to verify the peer's AS number. 2) Use the display bgp ipv6 peer command to verify the pee...

  • Page 924: Table of Contents

    Table of Contents: 1 Route Policy Configuration 1-1; Introduction to Route Policy ...

  • Page 925: Route Policy Configuration

    1 Route Policy Configuration. A route policy is used on a router for route filtering and attribute modification when routes are received, advertised, or redistributed. When configuring a route policy, go to these sections for information you are interested in: Introduction to Route Policy; Rout...

  • Page 926

    ACL. ACL involves IPv4 ACL and IPv6 ACL. An ACL is configured to match the destinations or next hops of routing information. For ACL configuration, refer to ACL Configuration in the Security Volume. IP prefix list. IP prefix list involves IPv4 prefix list and IPv6 prefix list. An IP prefix list is...

  • Page 927

    Route policy application. A route policy is applied on a router to filter routes when they are received, advertised or redistributed and to modify some attributes of permitted routes. Route Policy Configuration Task List. Complete the following tasks to configure a route policy: Defining an I...

  • Page 928

    If all the items are set to the deny mode, no routes can pass the IPv4 prefix list. Therefore, you need to define the permit 0.0.0.0 0 less-equal 32 item following multiple deny items to allow other IPv4 routing information to pass. For example, the following configuration filters routes 10.1.0....

  • Page 929

    [sysname] ip ipv6-prefix abc index 40 permit :: 0 less-equal 128. Defining an AS Path List. You can define multiple items for an AS path list that is identified by a number. The relation between items is logical OR, that is, if a route matches one of these items, it passes the AS path list. Follow t...

  • Page 930

    Configuring a Route Policy. A route policy is used to filter routing information and modify attributes of matching routing information. The match criteria of a route policy can be configured by referencing the filters mentioned above. A route policy can comprise multiple nodes, and each route policy...

  • Page 931

    If a route policy node has the permit keyword specified, routing information matching all the if-match clauses of the node will be handled using the apply clauses of this node, without needing to match against the next node. If routing information does not match the node, it will go to the nex...

  • Page 934

    (To do… / Use the command… / Remarks) Set a preferred value for BGP routing information / apply preferred-value preferred-value / Optional; not set by default. Set a tag value for RIP, OSPF or IS-IS routing information / apply tag value / Optional; not set by default. The difference between IPv4 and IPv6 app...

  • Page 935

    Figure 1-1 Network diagram for route policy application to route redistribution. Configuration procedure: 1) Specify IP addresses for interfaces (omitted). 2) Configure IS-IS. # Configure Switch C. system-view [switchc] isis [switchc-isis-1] is-level level-2 [switchc-isis-1] network-entity 10.000...

  • Page 936

    # Configure OSPF on Switch A. system-view [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] quit # On Switch B, configure OSPF and enable route redistribution from IS-IS. [switchb] ospf [switchb...

  • Page 937

    [switchb] route-policy isis2ospf permit node 20 [switchb-route-policy] if-match acl 2002 [switchb-route-policy] apply tag 20 [switchb-route-policy] quit [switchb] route-policy isis2ospf permit node 30 [switchb-route-policy] quit 6) Apply the route policy to route redistribution. # On Switch B, ...

  • Page 938

    Figure 1-2 Network diagram for route policy application to route redistribution. Configuration procedure: 1) Configure Switch A. # Configure IPv6 addresses for VLAN-interface 100 and VLAN-interface 200. system-view [switcha] ipv6 [switcha] interface vlan-interface 100 [switcha-vlan-interface100] ...

  • Page 939

    # Enable RIPng on VLAN-interface 100. [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # Enable RIPng. [switchb] ripng # Display RIPng routing table information. [switchb-ripng-1] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-collect ------...

  • Page 940

    # Configure Switch A. system-view [switcha] bgp 100 [switcha-bgp] router-id 1.1.1.1 [switcha-bgp] peer 1.1.1.2 as-number 300 # Configure Switch B. system-view [switchb] bgp 200 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 1.1.2.2 as-number 300 # Configure Switch C. system-view [switchc] b...

  • Page 941

    *> 6.6.6.0/24 1.1.3.1 0 300 100i *> 7.7.7.0/24 1.1.3.1 0 300 200i *> 8.8.8.0/24 1.1.3.1 0 300 200i *> 9.9.9.0/24 1.1.3.1 0 300 200i The display above shows that Switch D has learned routes 4.4.4.0/24, 5.5.5.0/24, and 6.6.6.0/24 from AS 100 and 7.7.7.0/24, 8.8.8.0/24, and 9.9.9.0/24 from AS 200....

  • Page 942

    Analysis: at least one item of the IP prefix list should be configured in permit mode, and at least one node in the route policy should be configured in permit mode. Solution: 1) Use the display ip ip-prefix command to display IP prefix list information. 2) Use the display route-policy command to...

  • Page 943: Table of Contents

    Table of Contents: 1 Policy Routing Configuration 1-1; Policy Routing Overview ...

  • Page 944: Policy Routing Configuration

    1 Policy Routing Configuration. The S7900E series Ethernet switches are distributed devices supporting Intelligent Resilient Framework (IRF). Two S7900E series switches can be connected together to form a distributed IRF device. If an S7900E series switch is not in any IRF, it operates as a distributed device; i...

  • Page 945

    Apply the QoS policy, that is, define where the policy routing applies. Configuring a QoS Policy. Follow these steps to configure traffic redirecting (To do… / Use the command… / Remarks): Enter system view / system-view / —; Create a class and enter class view / traffic classifier tcl-na...

  • Page 946

    Follow these steps to apply the QoS policy globally (To do… / Use the command… / Remarks): Enter system view / system-view / —; Apply the QoS policy globally / qos apply policy policy-name global inbound / Required. Follow these steps to apply the QoS policy to an interface (To do… / Use the command… / Remarks): Ente...

  • Page 948

    [switcha-behavior-a] redirect next-hop 202.1.1.2 [switcha-behavior-a] quit # Associate class a with behavior a in QoS policy a. [switcha] qos policy a [switcha-qospolicy-a] classifier a behavior a [switcha-qospolicy-a] quit # Apply QoS policy a to the incoming traffic of GigabitEthernet 2/0/1. [...

  • Page 949

    [switcha-behavior-a] quit # Associate class a with behavior a in QoS policy a. [switcha] qos policy a [switcha-qospolicy-a] classifier a behavior a [switcha-qospolicy-a] quit # Apply QoS policy a to the incoming traffic of GigabitEthernet 2/0/1. [switcha] interface gigabitethernet 2/0/1 [switcha...

  • Page 950

    IP Multicast Volume Organization. Manual version: 20091015-C-1.00. Product version: Release 6605 and later. Organization: the IP Multicast Volume is organized as follows (Features / Description): Multicast Overview: this document describes the main concepts in multicast: introduction to multicast; multicast...

  • Page 951

    (Features / Description) MSDP: Multicast Source Discovery Protocol (MSDP) describes the interconnection mechanism of multiple PIM-SM domains. It is used to discover multicast source information in other PIM-SM domains. This document describes: MSDP configuration; configuring an MSDP peer connection; c...

  • Page 952

    (Features / Description) IPv6 MBGP: as an IPv6 multicast extension of MP-BGP, IPv6 MBGP enables BGP to provide routing information for IPv6 multicast applications. This document describes: configuring IPv6 MBGP basic functions; configuring IPv6 MBGP route attributes; configuring a large scale IPv6 MB...

  • Page 953: Table of Contents

    I table of contents: 1 multicast overview (1-1), introduction to multicast ...

  • Page 954: Multicast Overview

    1-1 1 multicast overview z this manual chiefly focuses on the ip multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to ip multicast. Z ea boards (such as lsq1gp12ea and lsq1tgx1ea) do not support ipv6 features. Introduction to multicast a...

  • Page 955

    1-2 figure 1-1 unicast transmission (figure labels: source; host a to host e as receivers; packets for host b, host d and host e; ip network). Assume that host b, host d and host e need the information. A separate transmission channel needs to be established from the in...

  • Page 956

    1-3 figure 1-2 broadcast transmission assume that only host b, host d, and host e need the information. If the information is broadcast to the subnet, host a and host c also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet. Therefore, broad...

  • Page 957

    1-4 figure 1-3 multicast transmission the multicast source (source in the figure) sends only one copy of the information to a multicast group. Host b, host d and host e, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the inf...

  • Page 958

    1-5 manage multicast group memberships on stub subnets with attached group members. A multicast router itself can be a multicast group member. For a better understanding of the multicast concept, you can assimilate multicast transmission to the transmission of tv programs, as shown in table 1-1 . Ta...

  • Page 959

    1-6 z multimedia and streaming applications, such as web tv, web radio, and real-time video/audio conferencing. Z communication for training and cooperative operations, such as distance learning and telemedicine. Z data warehouse and financial applications (stock quotes). Z any other point-to-multip...

  • Page 960

    1-7 2) host registration: receiver hosts are allowed to join and leave multicast groups dynamically. This mechanism is the basis for group membership management. 3) multicast routing: a multicast distribution tree (namely a forwarding path tree for multicast data on the network) is constructed for d...

  • Page 961

    1-8 table 1-3 some reserved multicast addresses address description 224.0.0.1 all systems on this subnet, including hosts and routers 224.0.0.2 all multicast routers on this subnet 224.0.0.3 unassigned 224.0.0.4 distance vector multicast routing protocol (dvmrp) routers 224.0.0.5 open shortest path ...

  • Page 962

    1-9 table 1-4 description on the bits of the flags field bit description 0 reserved, set to 0 r z when set to 0, it indicates that this address is an ipv6 multicast address without an embedded rp address z when set to 1, it indicates that this address is an ipv6 multicast address with an embedded rp...

  • Page 963

    1-10 figure 1-6 ipv4-to-mac address mapping the high-order four bits of a multicast ipv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a mac address, so five bits of the multicast ipv4 address are lost. As a result, 32 ...

  • Page 964

    1-11 multicast protocols z generally, we refer to ip multicast working at the network layer as layer 3 multicast and the corresponding multicast protocols as layer 3 multicast protocols, which include igmp/mld, pim/ipv6 pim, msdp, and mbgp/ipv6 mbgp; we refer to ip multicast working at the data link...

  • Page 965

    1-12 a multicast routing protocol runs on layer 3 multicast devices to establish and maintain multicast routes and forward multicast packets correctly and efficiently. Multicast routes constitute a loop-free data transmission path from a data source to multiple receivers, namely, a multicast distrib...

  • Page 966

    1-13 data to each vlan of the layer 2 device. With the multicast vlan or ipv6 multicast vlan feature enabled on the layer 2 device, the layer 3 multicast device needs to send only one copy of multicast to the multicast vlan or ipv6 multicast vlan on the layer 2 device. This avoids waste of network b...

  • Page 967

    1-14 figure 1-10 networking diagram for vpn (figure labels: vpn a, vpn b, public network, p, pe 1 to pe 3, ce a1 to ce a3, ce b1 to ce b3). z the p device belongs to the public network. The ce devices belong to their respective vpns. Each ce device serves its own network and maintains only one set...

  • Page 968

    1-15 z only one set of unified multicast service runs on a non-pe device. It is called public instance. Z the configuration made in vpn instance view takes effect only on the interfaces of that vpn instance. An interface that does not belong to any vpn instance is called public instance interface. Z for...

  • Page 969: Table of Contents

    I table of contents: 1 multicast routing and forwarding configuration (1-1), multicast routing and forwarding overview (1-1), introducti...

  • Page 970

    1-1 1 multicast routing and forwarding configuration when configuring multicast routing and forwarding, go to these sections for information you are interested in: z multicast routing and forwarding overview z configuration task list z displaying and maintaining multicast routing and forwarding z co...

  • Page 971

    1-2 multicast data delivery along the correct path. In addition, the rpf check mechanism also helps avoid data loops caused by various reasons. Rpf check process the basis for an rpf check is a unicast route, an mbgp route, or a multicast static route. Z a unicast routing table contains the shortest...

  • Page 972

    1-3 implementation of rpf check in multicast implementing an rpf check on each received multicast data packet would bring a big burden to the router. The use of a multicast forwarding table is the solution to this issue. When creating a multicast routing entry and a multicast forwarding entry for a ...

  • Page 973

    1-4 z when a multicast packet arrives on vlan-interface20 of router c, as the interface is the incoming interface of the (s, g) entry, the router forwards the packet to all outgoing interfaces. Z when a multicast packet arrives on vlan-interface10 of router c, as the interface is not the incoming in...

  • Page 974

    1-5 figure 1-3 creating an rpf route as shown in figure 1-3 , the rip domain and the ospf domain are unicast isolated from each other. When no multicast static route is configured, the hosts (receivers) in the ospf domain cannot receive the multicast packets sent by the multicast source (source) in ...

  • Page 975

    1-6 figure 1-4 multicast data transmission through a gre tunnel (figure labels: gre tunnel, unicast routers, multicast routers, router a, router b, source, receiver). As shown in figure 1-4 , with a gre tunnel established between router a and router b, router a en...

  • Page 976

    1-7 the packet, and forwards the request packet via unicast to the previous hop for the given multicast source and group. 3) from the last-hop router to the multicast source, each hop adds a response data block to the end of the request packet and unicasts it to the previous hop. 4) when the first-h...

  • Page 977

    1-8 enabling ip multicast routing in a vpn instance follow these steps to enable ip multicast routing in a vpn instance: to do… use the command… remarks enter system view system-view — create a vpn instance and enter vpn instance view ip vpn-instance vpn-instance-name — configure a route distinguish...

  • Page 978

    1-9 when configuring a multicast static route, you cannot specify an rpf neighbor by providing the type and number (interface-type interface-number) of the interface connecting the rpf neighbor if the interface type of the rpf neighbor is ethernet, layer 3 aggregate, loopback, rpr, or vlan-interface...

  • Page 979

    1-10 configuring a multicast forwarding range multicast packets do not travel without a boundary in a network. The multicast data corresponding to each multicast group must be transmitted within a definite scope. Presently, you can define a multicast forwarding range by specifying boundary interface...

  • Page 980

    1-11 configuring the multicast forwarding table size in the public instance follow these steps to configure the multicast forwarding table size in the public instance: to do... Use the command... Remarks enter system view system-view — configure the maximum number of entries in the multicast forward...

  • Page 981

    1-12 configuring a static multicast mac address entry in interface view table 1-2 configure static multicast mac address entries in interface view to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate inter...

  • Page 983

    1-14 z the reset command clears the information in the multicast routing table or the multicast forwarding table, and thus may cause failure of multicast transmission. Z when a routing entry is deleted from the multicast routing table, the corresponding forwarding entry will also be deleted from the...

  • Page 984

    1-15 configure the ip address and subnet mask for each interface as per figure 1-5 . The detailed configuration steps are omitted here. Enable ospf on the switches in the pim-dm domain. Ensure the network-layer interoperation among the switches in the pim-dm domain. Ensure that the switches can dyna...

  • Page 985

    1-16 3) configure a multicast static route # configure a multicast static route on switch b, specifying switch c as its rpf neighbor on the route to source. [switchb] ip rpf-route-static 50.1.1.100 24 20.1.1.2 4) verify the configuration # use the display multicast rpf-info command to view the infor...

  • Page 986

    1-17 configure the ip address and subnet mask for each interface as per figure 1-6. The detailed configuration steps are omitted here. Enable ospf on switch b and switch c. Ensure the network-layer interoperation among switch b and switch c. Ensure that the switches can dynamically update their rout...

  • Page 987

    1-18 [switchb] display multicast rpf-info 50.1.1.100 rpf information about source 50.1.1.100: rpf interface: vlan-interface102, rpf neighbor: 30.1.1.2 referenced route/mask: 50.1.1.0/24 referenced route type: multicast static route selection rule: preference-preferred load splitting rule: disable [s...

  • Page 988

    1-19 [switcha] interface tunnel 0 [switcha-tunnel0] ip address 50.1.1.1 24 # configure tunnel 0 to work in the gre tunnel mode and specify the source and destination addresses of the interface. [switcha-tunnel0] tunnel-protocol gre [switcha-tunnel0] source 20.1.1.1 [switcha-tunnel0] destination 30.1...

  • Page 989

    1-20 # enable multicast routing on switch a and enable pim-dm on each interface. [switcha] multicast routing-enable [switcha] interface vlan-interface 100 [switcha-vlan-interface100] pim dm [switcha-vlan-interface100] quit [switcha] interface vlan-interface 101 [switcha-vlan-interface101] pim dm [sw...

  • Page 990

    1-21 1: vlan-interface200 protocol: igmp, uptime: 00:04:25, expires: never (10.1.1.100, 225.1.1.1) protocol: pim-dm, flag: act uptime: 00:06:14 upstream interface: tunnel0 upstream neighbor: 50.1.1.1 rpf prime neighbor: 50.1.1.1 downstream interface(s) information: total number of downstreams: 1 1: ...

  • Page 991

    1-22 multicast data fails to reach receivers symptom the multicast data can reach some routers but fails to reach the last hop router. Analysis if a multicast forwarding boundary has been configured through the multicast boundary command, any multicast packet will be kept from crossing the boundary....

  • Page 992: Table of Contents

    I table of contents: 1 igmp configuration (1-1), igmp overview ...

  • Page 993: Igmp Configuration

    1-1 1 igmp configuration when configuring igmp, go to the following sections for the information you are interested in: z igmp overview z igmp configuration task list z igmp configuration examples z troubleshooting igmp z the term "router" in this document refers to a router in a generic sense or a ...

  • Page 994

    1-2 for more information about the asm and ssm models, see multicast overview of the ip multicast volume. Introduction to igmpv1 igmpv1 manages multicast group memberships mainly based on the query and response mechanism. Of multiple multicast routers on the same subnet, all the routers can hear igm...

  • Page 995

    1-3 1) the hosts send unsolicited igmp reports to the addresses of the multicast groups that they want to join, without having to wait for the igmp queries from the igmp querier. 2) the igmp querier periodically multicasts igmp queries (with the destination address of 224.0.0.1) to all hosts and rou...

  • Page 996

    1-4 “leave group” mechanism in igmpv1, when a host leaves a multicast group, it does not send any notification to the multicast router. The multicast router relies on host response timeout to know whether a group no longer has members. This adds to the leave latency. In igmpv2, on the other hand, wh...

  • Page 997

    1-5 in the case of igmpv1 or igmpv2, host b cannot select multicast sources when it joins multicast group g. Therefore, multicast streams from both source 1 and source 2 will flow to host b whether it needs them or not. When igmpv3 is running between the hosts and routers, host b can explicitly expr...

  • Page 998

    1-6 figure 1-3 network diagram for igmp ssm mapping (figure labels: ssm; igmpv1, igmpv2 and igmpv3 reports; router a as querier; host a (igmpv1), host b (igmpv2) and host c (igmpv3) as receivers). As shown in figure 1-3 , on an ssm network, host a, host b and host c are running igmpv1, igmpv2 and igmpv3 re...

  • Page 999

    1-7 figure 1-4 network diagram for igmp proxying (figure labels: pim domain; router a as querier; router b as proxy and querier, with a router interface and a host interface on the ethernet; query from router a, report from router b, query from router b, report from host; host a, host b and host c as receivers). As shown in figure 1-4 , two types of in...

  • Page 1000

    1-8 z rfc 4605: internet group management protocol (igmp)/multicast listener discovery (mld)-based multicast forwarding ("igmp/mld proxying") igmp configuration task list complete these tasks to configure igmp: task remarks enabling igmp required configuring igmp versions optional configuring static...

  • Page 1001

    1-9 z acl rule for multicast group filtering z the maximum number of multicast groups that can be joined on an interface enabling igmp first, igmp must be enabled on the interface on which the multicast group memberships are to be established and maintained. Enabling igmp in the public instance foll...

  • Page 1002

    1-10 configuring igmp versions because the protocol packets of different igmp versions vary in structure and type, the same igmp version should be configured for all routers on the same subnet before igmp can work properly. Configuring an igmp version globally follow these steps to configure an igmp...

  • Page 1003

    1-11 z before you can configure an interface of a pim-sm device as a static member of a multicast group or a multicast source and group, if the interface is pim-sm enabled, it must be a pim-sm dr; if this interface is igmp enabled but not pim-sm enabled, it must be an igmp querier. For more informat...

  • Page 1004

    1-12 this configuration takes effect for dynamically joined multicast groups but not the statically configured multicast groups. Adjusting igmp performance for the configuration tasks described in this section: z configurations performed in igmp view are effective on all interfaces, while configurat...

  • Page 1005

    1-13 z by default, for the consideration of compatibility, the device does not check the router-alert option, namely it processes all the igmp messages it received. In this case, igmp messages are directly passed to the upper layer protocol, no matter whether the igmp messages carry the router-alert...

  • Page 1006

    1-14 upon receiving an igmp leave message, the igmp querier sends “last member query count” igmp group-specific queries at the “igmp last member query interval”. Igmp is robust to “robustness variable minus 1” packet losses on a network. Therefore, a greater value of the robustness variable makes th...

  • Page 1007

    1-15 to do... Use the command... Remarks configure the other querier present interval timer other-querier-present interval optional for the system default, see “note” below. Configuring igmp query and response parameters on an interface follow these steps to configure igmp query and response paramet...

  • Page 1008

    1-16 z if not statically configured, the startup query interval is 1/4 of the “igmp query interval”. By default, the igmp query interval is 60 seconds, so the startup query interval = 60 / 4 = 15 (seconds). Z if not statically configured, the startup query count is set to the igmp querier robustness...

  • Page 1009

    1-17 to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — enable the igmp ssm mapping feature igmp ssm-mapping enable required disabled by default to ensure ssm service for all hosts on a subnet, regardless of the igmp versi...

  • Page 1010

    1-18 z configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer. Z enable ip multicast routing. Enabling igmp proxying you can enable igmp proxying on the interface in the direction toward the root of the multicast forwarding tree to make the de...

  • Page 1011

    1-19 to do… use the command… remarks enter interface view interface interface-type interface-number — enable multicast forwarding on a non-querier downstream interface igmp proxying forwarding required disabled by default. On a multi-access network with more than one igmp proxy device, you cannot en...

  • Page 1013

    1-21 network diagram: figure 1-5 network diagram for basic igmp functions configuration (figure labels: ethernet). Configuration procedure 1) configure ip addresses and unicast routing configure the ip address and subnet mask of each interface as per figure 1-5 . The detailed configuration steps are omitted...

  • Page 1014

    1-22 [switchb-vlan-interface200] pim dm [switchb-vlan-interface200] quit [switchb] interface vlan-interface 201 [switchb-vlan-interface201] pim dm [switchb-vlan-interface201] quit # enable ip multicast routing on switch c, enable pim-dm on each interface, and enable igmp on vlan-interface 200. Syste...

  • Page 1015

    1-23 network diagram: figure 1-6 network diagram for igmp ssm mapping configuration (device / interface / ip address): source 1 — 133.133.1.1/24; source 3 — 133.133.3.1/24; source 2 — 133.133.2.1/24; receiver — 133.133.4.1/24; switch a vlan-int100 133.133.1.2/24; switch c vlan-int300 ...

  • Page 1016

    1-24 [switchd-vlan-interface104] pim sm [switchd-vlan-interface104] quit # enable ip multicast routing on switch a, and enable pim-sm on each interface. System-view [switcha] multicast routing-enable [switcha] interface vlan-interface 100 [switcha-vlan-interface100] pim sm [switcha-vlan-interface100...

  • Page 1017

    1-25 use the display igmp ssm-mapping group command to view the multicast group information created based on the configured igmp ssm mappings. # display the igmp multicast group information created based on the igmp ssm mappings on switch d. [switchd] display igmp ssm-mapping group total 1 igmp ssm-...

  • Page 1018

    1-26 network diagram figure 1-7 network diagram for igmp proxying configuration configuration procedure 1) configure ip addresses configure the ip address and subnet mask of each interface as per figure 1-7 . The detailed configuration steps are omitted here. 2) enable ip multicast routing, pim-dm, ...

  • Page 1019

    1-27 [switchb] display igmp interface vlan-interface 100 verbose vlan-interface100(192.168.1.2): igmp proxy is enabled current igmp version is 2 multicast routing on this interface: enabled require-router-alert: disabled version1-querier-present-timer-expiry: 00:00:20 use the display igmp group comm...

  • Page 1020

    1-28 multicast routing-enable command in system view to enable ip multicast routing. In addition, check that igmp is enabled on the corresponding interfaces. 3) check the igmp version on the interface. You can use the display igmp interface command to check whether the igmp version on the interface ...

  • Page 1021: Table of Contents

    I table of contents: 1 pim configuration (1-1), pim overview ...

  • Page 1022

    Ii pim-sm non-scoped zone configuration example (1-43), pim-sm admin-scope zone configuration example (1-48), pim-ssm configuration example ...

  • Page 1023: Pim Configuration

    1-1 1 pim configuration when configuring pim, go to these sections for information you are interested in: z pim overview z configuring pim-dm z configuring pim-sm z configuring pim-ssm z configuring pim common features z displaying and maintaining pim z pim configuration examples z troubleshooting p...

  • Page 1024

    1-2 to facilitate description, a network comprising pim-capable routers is referred to as a “pim domain” in this document. Introduction to pim-dm pim-dm is a type of dense mode multicast protocol. It uses the “push mode” for multicast forwarding, and is suitable for small-sized networks with densely...

  • Page 1025

    1-3 1) in a pim-dm domain, when a multicast source s sends multicast data to multicast group g, the multicast packet is first flooded throughout the domain: the router first performs rpf check on the multicast packet. If the packet passes the rpf check, the router creates an (s, g) entry and forward...

  • Page 1026

    1-4 pruning has a similar implementation in pim-sm. Graft when a host attached to a pruned node joins a multicast group, to reduce the join latency, pim-dm uses a graft mechanism to resume data forwarding to that branch. The process is as follows: 1) the node that needs to receive multicast data sen...

  • Page 1027

    1-5 2) if both routers have the same unicast route preference to the source, the router with a smaller metric to the source wins; 3) if there is a tie in route metric to the source, the router with a higher ip address of the local interface wins. Introduction to pim-sm pim-dm uses the “flood and pru...

  • Page 1028

    1-6 neighbor discovery pim-sm uses a similar neighbor discovery mechanism as pim-dm does. For details, refer to neighbor discovery . Dr election pim-sm also uses hello messages to elect a dr for a multi-access network (such as ethernet). The elected dr will be the only multicast forwarder on this mu...

  • Page 1029

    1-7 when the dr fails, a timeout in receiving hello message triggers a new dr election process among the other routers. Rp discovery the rp is the core of a pim-sm domain. For a small-sized, simple network, one rp is enough for forwarding information throughout the network, and the position of the r...

  • Page 1030

    1-8 2) if all the c-rps have the same priority, their hash values are calculated through the hashing algorithm. The c-rp with the largest hash value wins. 3) if all the c-rps have the same priority and hash value, the c-rp with the highest ip address wins. The hashing algorithm used for rp calculati...

  • Page 1031

    1-9 the multicast data addressed to the multicast group g flows through the rp, reaches the corresponding dr along the established rpt, and finally is delivered to the receiver. When a receiver is no longer interested in the multicast data addressed to multicast group g, the directly connected dr se...

  • Page 1032

    1-10 the rp is configured to initiate an spt switchover as described in this section. Otherwise, the dr at the multicast source side keeps encapsulating multicast data in register messages and the registration process will not stop unless no outgoing interfaces exist in the (s, g) entry on the rp. S...

  • Page 1033

    1-11 pim-sm builds spts through spt switchover more economically than pim-dm does through the “flood and prune” mechanism. Assert pim-sm uses a similar assert mechanism as pim-dm does. For details, refer to assert . Introduction to administrative scoping in pim-sm division of pim-sm domains typicall...

  • Page 1034

    1-12 figure 1-7 relationship between admin-scope zones and the global scope zone in geographic space as shown in figure 1-7 , for multicast groups in the same address range, admin-scope zones must be geographically separated from one another. Namely, a router must not serve different admin-scope zon...

  • Page 1035

    1-13 ssm model implementation in pim the source-specific multicast (ssm) model and the any-source multicast (asm) model are two opposite models. Presently, the asm model includes the pim-dm and pim-sm modes. The ssm model can be implemented by leveraging part of the pim-sm technique. The ssm model p...

  • Page 1036

    1-14 as shown in figure 1-9 , host b and host c are multicast information receivers. They send igmpv3 report messages to the respective drs to express their interest in the information of the specific multicast source s. Upon receiving a report message, the dr first checks whether the group address ...

  • Page 1037

    1-15 task remarks configuring state-refresh parameters optional configuring pim-dm graft retry period optional configuring pim common features optional configuration prerequisites before configuring pim-dm, complete the following task: z configure any unicast routing protocol so that all devices in ...

  • Page 1038

    1-16 to do... Use the command... Description enable ip multicast routing multicast routing-enable required disabled by default enter interface view interface interface-type interface-number — enable pim-dm pim dm required disabled by default z all the interfaces in the same vpn instance on the same ...

  • Page 1039

    1-17 a router may receive multiple state-refresh messages within a short time, of which some may be duplicated messages. To keep a router from receiving such duplicated messages, you can configure the time the router must wait before receiving the next state-refresh message. If a new state-refresh m...

  • Page 1040

    1-18 configuring pim-sm pim-sm configuration task list complete these tasks to configure pim-sm: task remarks configuring pim-sm required configuring a static rp optional configuring a c-rp optional enabling auto-rp optional configuring an rp configuring c-rp timers globally optional configuring a c...

  • Page 1041

    1-19 z bs period z bs timeout z an acl rule for register message filtering z register suppression time z register probe time z the acl rule, and sequencing rule for an spt switchover enabling pim-sm with pim-sm enabled, a router sends hello messages periodically to discover pim neighbors and process...

  • Page 1042

    1-20 all the interfaces in the same vpn instance on the same router must work in the same pim mode. Z for details about the ip vpn-instance and route-distinguisher commands, see mpls l3vpn commands in the mpls volume. Z for details about the multicast routing-enable command, see multicast routing an...

  • Page 1043

    1-21 announcements from other routers and organizes the information into an rp-set, which is flooded throughout the entire network. Then, the other routers in the network calculate the mappings between specific group ranges and the corresponding rps based on the rp-set. We recommend that you configu...

  • Page 1044

    1-22 configuring c-rp timers globally to enable the bsr to distribute the rp-set information within the pim-sm domain, c-rps must periodically send c-rp-adv messages to the bsr. The bsr learns the rp-set information from the received messages, and encapsulates its own ip address together with the rp...

  • Page 1045

    1-23 configuring a legal range of bsr addresses enables filtering of bootstrap messages based on the address range, thus to prevent a maliciously configured host from masquerading as a bsr. The same configuration needs to be made on all routers in the pim-sm domain. The following are typical bsr spo...

  • Page 1046

    1-24 configuring a pim domain border as the administrative core of a pim-sm domain, the bsr sends the collected rp-set information in the form of bootstrap messages to all routers in the pim-sm domain. A pim domain border is a bootstrap message boundary. Each bsr has its specific service scope. A nu...

  • Page 1047

    1-25 about the hash mask length and c-bsr priority: z you can configure these parameters at three levels: global configuration level, global scope zone level, and admin-scope zone level. Z the value of these parameters configured at the global scope zone level or admin-scope zone level have preferen...

  • Page 1048

    1-26 about the bs period: z by default, the bs period is determined by this formula: bs period = (bs timeout – 10) / 2. The default bs timeout is 130 seconds, so the default bs period = (130 – 10) / 2 = 60 (seconds). Z if this parameter is manually configured, the system will use the configured valu...

  • Page 1051

    1-29 receiving multicast data from the multicast source, the rp sends a register-stop message to the source-side dr. Upon receiving this message, the dr stops sending register messages encapsulated with multicast data and starts a register-stop timer. When the register-stop timer expires, the dr sen...

  • Page 1052

    1-30 to do... Use the command... Remarks disable the spt switchover spt-switch-threshold infinity [ group-policy acl-number [ order order-value] ] optional by default, the device switches to the spt immediately after it receives the first multicast packet. For an s7900e series ethernet switch, once ...

  • Page 1053

    1-31 enabling pim-sm the ssm model is implemented based on some subsets of pim-sm. Therefore, a router is pim-ssm capable after you enable pim-sm on it. When deploying a pim-sm domain, we recommend that you enable pim-sm on non-border interfaces of the routers. Enabling pim-sm globally in the publi...

  • Page 1054

    1-32 z for details about the ip vpn-instance and route-distinguisher commands, see mpls l3vpn commands in the mpls volume. Z for details about the multicast routing-enable command, see multicast routing and forwarding commands in the ip multicast volume. Configuring the ssm group range as for whethe...

  • Page 1055

    1-33 for the functions or parameters that can be configured in both pim view and interface view described in this section: z configurations performed in pim view are effective to all interfaces, while configurations performed in interface view are effective to the current interface only. Z if the sa...

  • Page 1056

    1-34
    • Maximum number of (S, G) entries in a join/prune message
    Configuring a multicast data filter
    No matter in a PIM-DM domain or a PIM-SM domain, routers can check passing-by multicast data based on the configured filtering rules and determine whether to continue forwarding the multicast data. In...

  • Page 1057

    1-35 With the hello message filter configured, if hello messages of an existing PIM neighbor fail to pass the filter, the PIM neighbor will be removed automatically when it times out.
    Configuring PIM hello options
    No matter in a PIM-DM domain or a PIM-SM domain, the hello messages sent among routers...

  • Page 1058

    1-36 To do... | Use the command... | Remarks
    Enter public instance PIM view or VPN instance PIM view | pim [ vpn-instance vpn-instance-name ] | —
    Configure the priority for DR election | hello-option dr-priority priority | Optional. 1 by default
    Configure PIM neighbor timeout time | hello-option holdtime interval ...

  • Page 1059

    1-37 Follow these steps to configure the prune delay time:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter public instance PIM view or VPN instance PIM view | pim [ vpn-instance vpn-instance-name ] | —
    Configure the prune delay interval | prune delay interval | Optional. 3 seconds by...

  • Page 1060

    1-38 Configuring PIM common timers on an interface
    Follow these steps to configure PIM common timers on an interface:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Configure the hello interval | pim timer hello inte...

  • Page 1062

    1-40 PIM configuration examples
    PIM-DM configuration example
    Network requirements
    • Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire PIM domain operates in the...

  • Page 1063

    1-41 Configure the IP address and subnet mask for each interface as per Figure 1-10. Detailed configuration steps are omitted here. Configure the OSPF protocol for interoperation among the switches in the PIM-DM domain. Ensure the network-layer interoperation in the PIM-DM domain and enable dynamic...

  • Page 1064

    1-42 # View the PIM neighboring relationships on Switch D.
    [switchd] display pim neighbor
    total number of neighbors = 3
    neighbor      interface   uptime     expires    dr-priority
    192.168.1.1   vlan103     00:02:22   00:01:27   1
    192.168.2.1   vlan101     00:00:22   00:01:29   3
    192.168.3.1   vlan102     00:00:23   00:01:31   5
    Assume that Ho...

  • Page 1065

    1-43 (continued output)
    uptime: 00:03:27
    upstream interface: vlan-interface300
    upstream neighbor: null
    rpf prime neighbor: null
    downstream interface(s) information:
    total number of downstreams: 3
    1: vlan-interface103
    protocol: pim-dm, uptime: 00:03:27, expires: never
    2: vlan-interface101
    protocol: pim-dm, uptime: 00:0...

  • Page 1066

    1-44 Network diagram
    Figure 1-11 Network diagram for PIM-SM non-scoped zone configuration
    [Figure labels: Ethernet, N1, N2, Vlan-int101]
    Device | Interface | IP address
    Switch A | Vlan-int100 | 10.110.1.1/24
    Switch D | Vlan-int300 | 10.110.5.1/24
    Vlan-int101 | 192.16...

  • Page 1067

    1-45
    [switcha] interface vlan-interface 101
    [switcha-vlan-interface101] pim sm
    [switcha-vlan-interface101] quit
    [switcha] interface vlan-interface 102
    [switcha-vlan-interface102] pim sm
    [switcha-vlan-interface102] quit
    The configuration on Switch B and Switch C is similar to that on Switch A. The co...

  • Page 1068

    1-46 (continued output)
    priority: 20
    hash mask length: 32
    state: accept preferred
    scope: not scoped
    uptime: 00:40:40
    expires: 00:01:42
    # View the BSR information and the locally configured C-RP information in effect on Switch D.
    [switchd] display pim bsr-info
    elected bsr address: 192.168.9.2
    priority: 20
    hash mask len...

  • Page 1069

    1-47 To view the RP information discovered on a switch, use the display pim rp-info command. For example:
    # View the RP information on Switch A.
    [switcha] display pim rp-info
    pim-sm bsr rp information:
    group/masklen: 225.1.1.0/24
    rp: 192.168.4.2
    priority: 0
    holdtime: 150
    uptime: 00:51:45
    expires: 00...

  • Page 1070

    1-48 (continued output)
    upstream neighbor: 192.168.1.2
    rpf prime neighbor: 192.168.1.2
    downstream interface(s) information:
    total number of downstreams: 1
    1: vlan-interface100
    protocol: pim-sm, uptime: 00:00:42, expires: 00:03:06
    The information on Switch B and Switch C is similar to that on Switch A.
    # View the PIM r...

  • Page 1071

    1-49 ...information from only Source 2. Source 3 sends multicast information to multicast group 224.1.1.1. Host C is a multicast receiver for this multicast group.
    • VLAN-interface 101 of Switch B acts as a C-BSR and C-RP of admin-scope zone 1, which serve the multicast group range 239.0.0.0/8. VLAN-in...

  • Page 1072

    1-50 Configuration procedure
    1) Configure IP addresses and unicast routing
    Configure the IP address and subnet mask for each interface as per Figure 1-12. The detailed configuration steps are omitted here. Configure OSPF for interoperation among the switches in the PIM-SM domain. Ensure the network...

  • Page 1073

    1-51 3) Configure an admin-scope zone boundary
    # On Switch B, configure VLAN-interface 102 and VLAN-interface 103 to be the boundary of admin-scope zone 1.
    [switchb] interface vlan-interface 102
    [switchb-vlan-interface102] multicast boundary 239.0.0.0 8
    [switchb-vlan-interface102] quit
    [switchb] int...

  • Page 1074

    1-52
    system-view
    [switchf] pim
    [switchf-pim] c-bsr global
    [switchf-pim] c-bsr vlan-interface 109
    [switchf-pim] c-rp vlan-interface 109
    [switchf-pim] quit
    5) Verify the configuration
    To view the BSR election information and the C-RP information on a switch, use the display pim bsr-info command. For e...

  • Page 1075

    1-53 (continued output)
    priority: 0
    hash mask length: 30
    state: elected
    scope: 239.0.0.0/8
    uptime: 00:03:48
    next bsr message scheduled at: 00:01:12
    candidate bsr address: 10.110.4.2
    priority: 0
    hash mask length: 30
    state: elected
    scope: 239.0.0.0/8
    candidate rp: 10.110.4.2(vlan-interface104)
    priority: 0
    holdtime: 150 ...

  • Page 1076

    1-54 (continued output)
    expires: 00:01:51
    group/masklen: 239.0.0.0/8
    rp: 10.110.1.2 (local)
    priority: 0
    holdtime: 150
    uptime: 00:07:44
    expires: 00:01:51
    # View the RP information on Switch D.
    [switchd] display pim rp-info
    pim-sm bsr rp information:
    group/masklen: 224.0.0.0/4
    rp: 10.110.9.1
    priority: 0
    holdtime: 150
    up...

  • Page 1077

    1-55
    • Switch B and Switch C connect to stub network N2 through their respective VLAN-interface 200, and to Switch E through VLAN-interface 103 and VLAN-interface 104 respectively.
    • Switch E connects to Switch A, Switch B, Switch C and Switch D.
    • The SSM group range is 232.1.1.0/24.
    • IGMPv3 is to...

  • Page 1078

    1-56
    system-view
    [switcha] multicast routing-enable
    [switcha] interface vlan-interface 100
    [switcha-vlan-interface100] igmp enable
    [switcha-vlan-interface100] igmp version 3
    [switcha-vlan-interface100] pim sm
    [switcha-vlan-interface100] quit
    [switcha] interface vlan-interface 101
    [switcha-vlan-inter...

  • Page 1079

    1-57 (continued output)
    protocol: pim-ssm, flag:
    uptime: 00:13:25
    upstream interface: vlan-interface101
    upstream neighbor: 192.168.1.2
    rpf prime neighbor: 192.168.1.2
    downstream interface(s) information:
    total number of downstreams: 1
    1: vlan-interface100
    protocol: igmp, uptime: 00:13:25, expires: 00:03:25
    The informa...

  • Page 1080

    1-58 ...RPF interface and the next hop will be taken as the RPF neighbor. The RPF interface completely relies on the existing unicast route, and is independent of PIM. The RPF interface must be PIM-enabled, and the RPF neighbor must also be a PIM neighbor. If PIM is not enabled on the router where the...

  • Page 1081

    1-59 2) Check the multicast filter configuration. Use the display current-configuration command to check the multicast filter configuration. Change the ACL rule defined in the source-policy command so that the source/group address of the multicast data can pass ACL filtering.
    RPs unable to join SPT...

  • Page 1082

    1-60 ...route to the BSR, the BSR has a unicast route to each C-RP, and all the routers in the entire network have a unicast route to the RP. 2) Check the RP and BSR information. PIM-SM needs the support of the RP and BSR. Use the display pim bsr-info command to check whether the BSR information is ava...

  • Page 1083: Table of Contents

    I Table of contents
    1 MSDP configuration 1-1
    MSDP overview ...

  • Page 1084: Msdp Configuration

    1-1 1 MSDP configuration
    When configuring MSDP, go to these sections for information you are interested in:
    • MSDP overview
    • MSDP configuration task list
    • Displaying and maintaining MSDP
    • MSDP configuration examples
    • Troubleshooting MSDP
    • The term “router” in this document refers to a router in...

  • Page 1085

    1-2
    • MSDP is applicable only if the intra-domain multicast protocol is PIM-SM.
    • MSDP is meaningful only for the any-source multicast (ASM) model.
    How MSDP works
    MSDP peers
    With one or more pairs of MSDP peers configured in the network, an MSDP interconnection map is formed, where the RPs of differ...

  • Page 1086

    1-3 2) MSDP peers created on common PIM-SM routers (other than RPs)
    Router A and Router B are MSDP peers on common multicast routers. Such MSDP peers just forward received SA messages. In a PIM-SM network running the BSR mechanism, the RP is dynamically elected from C-RPs. To enhance network robustn...

  • Page 1087

    1-4 2) As the source-side RP, RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer. An SA message contains the source address (S), the multicast group address (G), and the address of the RP which has created this SA message (namely RP 1). 3) On MSDP peers, each SA message...

  • Page 1088

    1-5 If only one MSDP peer exists in a PIM-SM domain, this PIM-SM domain is also called a stub domain. For example, AS 4 in Figure 1-3 is a stub domain. The MSDP peer in a stub domain can have multiple remote MSDP peers at the same time. You can configure one or more remote MSDP peers as static RPF p...

  • Page 1089

    1-6 Because the SA message is from a static RPF peer (RP 6), RP 7 accepts the SA message and forwards it to its other peer (RP 8). 6) When RP 8 receives the SA message from RP 7: a BGP or MBGP route exists between two MSDP peers in different ASs. Because the SA message is from an MSDP peer (RP 7) in a di...

  • Page 1090

    1-7 1) The multicast source registers with the nearest RP. In this example, Source registers with RP 1, with its multicast data encapsulated in the register message. When the register message arrives at RP 1, RP 1 decapsulates the message. 2) Receivers send join messages to the nearest RP to join in...

  • Page 1091

    1-8 MSDP configuration task list
    Complete these tasks to configure MSDP:
    Task | Remarks
    Configuring basic functions of MSDP:
    Enabling MSDP | Required
    Creating an MSDP peer connection | Required
    Configuring a static RPF peer | Optional
    Configuring MSDP peer description | Optional
    Configuring an MSDP mesh group ...

  • Page 1092

    1-9 To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable IP multicast routing | multicast routing-enable | Required. Disabled by default
    Enable MSDP and enter public instance MSDP view | msdp | Required. Disabled by default
    Enabling MSDP in a VPN instance
    To do... | Use the command... | Rema...

  • Page 1093

    1-10 To do... | Use the command... | Remarks
    Create an MSDP peer connection | peer peer-address connect-interface interface-type interface-number | Required. No MSDP peer connection created by default
    If an interface of the router is shared by an MSDP peer and a BGP/MBGP peer at the same time, we recommend t...

  • Page 1094

    1-11
    • Description information of MSDP peers
    • Name of an MSDP mesh group
    • MSDP peer connection retry interval
    Configuring MSDP peer description
    With the MSDP peer description information, the administrator can easily distinguish different MSDP peers and thus better manage MSDP peers. Follow these...

  • Page 1095

    1-12
    • Before grouping multiple routers into an MSDP mesh group, make sure that these routers are interconnected with one another.
    • If you configure more than one mesh group name on an MSDP peer, only the last configuration is effective.
    Configuring MSDP peer connection control
    MSDP peers are inter...

  • Page 1096

    1-13
    • TTL threshold for multicast packet encapsulation in SA messages
    • Maximum number of (S, G) entries learned from the specified MSDP peer that the router can cache
    Configuring SA message content
    Some multicast sources send multicast data at an interval longer than the aging time of (S, G) entri...

  • Page 1097

    1-14 To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter public instance MSDP view or VPN instance MSDP view | msdp [ vpn-instance vpn-instance-name ] | —
    Enable the device to send SA request messages | peer peer-address request-sa-enable | Optional. Disabled by default
    Configure a filt...

  • Page 1098

    1-15 Follow these steps to configure a filtering rule for receiving or forwarding SA messages:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter public instance MSDP view or VPN instance MSDP view | msdp [ vpn-instance vpn-instance-name ] | —
    Configure an SA message creation rule...

  • Page 1100

    1-17 Network diagram
    Figure 1-5 Network diagram for inter-AS multicast configuration leveraging BGP routes
    [Figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F; Source 1, Source 2; AS 100; PIM-SM 1, PIM-SM 2, PIM-SM 3; Loop0; Vlan-int100, Vlan-int101, Vlan-int102, Vlan-int103, Vlan-i...]

  • Page 1101

    1-18
    [switcha-vlan-interface103] pim sm
    [switcha-vlan-interface103] quit
    [switcha] interface vlan-interface 100
    [switcha-vlan-interface100] pim sm
    [switcha-vlan-interface100] quit
    [switcha] interface vlan-interface 200
    [switcha-vlan-interface200] igmp enable
    [switcha-vlan-interface200] pim sm
    [switc...

  • Page 1102

    1-19 # Redistribute BGP routes into OSPF on Switch B.
    [switchb] ospf 1
    [switchb-ospf-1] import-route bgp
    [switchb-ospf-1] quit
    The configuration on Switch C and Switch E is similar to the configuration on Switch B.
    5) Configure MSDP peers
    # Configure an MSDP peer on Switch B.
    [switchb] msdp
    [switchb...

  • Page 1103

    1-20 # View the information about BGP peering relationships on Switch E.
    [switche] display bgp peer
    bgp local router id : 3.3.3.3
    local as number : 200
    total number of peers : 1    peers in established state : 1
    peer          v   as    msgrcvd   msgsent   outq   prefrcv   up/down    state
    192.168.3.1   4   200   16        14        0      1         00:10:58   e...

  • Page 1104

    1-21 (continued output)
    1   1   0   0   0   0
    peer's address   state   up/down time   as    sa count   reset count
    192.168.1.2      up      00:12:27       200   13         0
    # View the brief information about MSDP peering relationships on Switch C.
    [switchc] display msdp brief
    msdp peer brief information
    configured   up   listen   connect   shutdown   down
    2            2    0        0         0          0
    peer'...

  • Page 1105

    1-22 (continued output)
    incoming/outgoing sa responses: 0/0
    incoming/outgoing data packets: 0/0
    Inter-AS multicast configuration leveraging static RPF peers
    Network requirements
    • There are two ASs in the network, AS 100 and AS 200 respectively. OSPF is running within each AS, and BGP is running between the two ASs.
    • ...

  • Page 1106

    1-23 Network diagram
    Figure 1-6 Network diagram for inter-AS multicast configuration leveraging static RPF peers
    [Figure labels: Switch A, Switch B, Switch C, Switch D, Switch E, Switch F; Source 1, Source 2; AS 100; PIM-SM 1, PIM-SM 2, PIM-SM 3; Loop0; Vlan-int100, Vlan-int101, Vlan-int102, Vlan-int103, Vlan-int104...]

  • Page 1107

    1-24
    [switcha-vlan-interface103] quit
    [switcha] interface vlan-interface 100
    [switcha-vlan-interface100] pim sm
    [switcha-vlan-interface100] quit
    [switcha] interface vlan-interface 200
    [switcha-vlan-interface200] igmp enable
    [switcha-vlan-interface200] pim sm
    [switcha-vlan-interface200] quit
    The conf...

  • Page 1108

    1-25
    [switche-msdp] peer 192.168.3.1 connect-interface vlan-interface 102
    [switche-msdp] static-rpf-peer 192.168.3.1 rp-policy list-c
    [switche-msdp] quit
    5) Verify the configuration
    Carry out the display bgp peer command to view the BGP peering relationships between the switches. If the command give...

  • Page 1109

    1-26
    • It is required to configure the anycast RP application so that the receiver-side DRs and the source-side DRs can initiate a join message to their respective RPs that are topologically nearest to them.
    • On Switch B and Switch D, configure the interface Loopback 10 as a C-BSR, and Loopback...

  • Page 1110

    1-27 # Enable IP multicast routing on Switch B, enable PIM-SM on each interface, and enable IGMP on the host-side interface VLAN-interface 100.
    system-view
    [switchb] multicast routing-enable
    [switchb] interface vlan-interface 100
    [switchb-vlan-interface100] igmp enable
    [switchb-vlan-interface100] pi...

  • Page 1111

    1-28 You can use the display msdp brief command to view the brief information of MSDP peering relationships between the switches.
    # View the brief MSDP peer information on Switch B.
    [switchb] display msdp brief
    msdp peer brief information
    configured   up   listen   connect   shutdown   down
    1            1    0        0         0          0
    peer's...

  • Page 1112

    1-29 (continued output)
    downstream interface(s) information:
    total number of downstreams: 1
    1: vlan-interface100
    protocol: pim-sm, uptime: - , expires: -
    # View the PIM routing information on Switch D.
    [switchd] display pim routing-table
    No information is output on Switch D. Host A has left multicast group G. Source 1...

  • Page 1113

    1-30 SA message filtering configuration
    Network requirements
    • Three PIM-SM domains exist in the network, and OSPF runs within and among the domains to provide unicast routing.
    • Configure respective Loopback 0 of Switch A, Switch C and Switch D as a C-BSR and C-RP in the respective PIM-SM domain.
    • ...

  • Page 1114

    1-31 Configure the IP address and subnet mask for each interface as per Figure 1-8. The detailed configuration steps are omitted here. Configure OSPF for interoperation among the switches. Ensure the network-layer interoperation within and between the PIM-SM domains and ensure dynamic update of rou...

  • Page 1115

    1-32 The configuration on Switch C and Switch D is similar to the configuration on Switch A. The specific configuration steps are omitted here.
    4) Configure MSDP peers
    # Configure an MSDP peer on Switch A.
    [switcha] msdp
    [switcha-msdp] peer 192.168.1.2 connect-interface vlan-interface 101
    [switcha-m...

  • Page 1116

    1-33 (continued output)
    (10.110.3.100, 225.1.1.0)   1.1.1.1   ?   ?   02:03:30   00:05:31
    (10.110.3.100, 225.1.1.1)   1.1.1.1   ?   ?   02:03:30   00:05:31
    (10.110.3.100, 225.1.1.2)   1.1.1.1   ?   ?   02:03:30   00:05:31
    (10.110.3.100, 225.1.1.3)   1.1.1.1   ?   ?   02:03:30   00:05:31
    (10.110.3.100, 226.1.1.0)   1.1.1.1   ?   ?   02:03:30   00:05:31
    (10.110.3.100, ...

  • Page 1117

    1-34 No SA entries in the router’s SA cache
    Symptom
    MSDP fails to send (S, G) entries through SA messages.
    Analysis
    • The import-source command is used to control sending (S, G) entries through SA messages to MSDP peers. If this command is executed without the acl-number argument, all the (S, G) ent...

  • Page 1118

    1-35 3) Check the configuration of the originating-rp command. In the anycast RP application environment, be sure to use the originating-rp command to configure the RP address in the SA messages, which must be the local interface address. 4) Verify that the C-BSR address is different from the anycas...

  • Page 1119: Table of Contents

    I Table of contents
    1 MBGP configuration 1-1
    MBGP overview ...

  • Page 1120: Mbgp Configuration

    1-1 1 MBGP configuration
    The term “router” refers to a router or a Layer 3 switch in this document.
    When configuring MBGP, go to these sections for information you are interested in:
    • MBGP overview
    • Protocols and standards
    • MBGP configuration task list
    • Configuring MBGP basic functions
    • Control...

  • Page 1121

    1-2 Protocols and standards
    • RFC 2858: Multiprotocol Extensions for BGP-4
    • RFC 3392: Capabilities Advertisement with BGP-4
    • draft-ietf-idmr-bgp-mcast-attr-00: BGP Attributes for Multicast Tree Construction
    • RFC 4271: A Border Gateway Protocol 4 (BGP-4)
    • RFC 5291: Outbound Route Filtering Capability...

  • Page 1123

    1-4
    • The ORIGIN attribute of routes redistributed into the MBGP routing table with the import-route command is incomplete.
    • The ORIGIN attribute of routes injected into the MBGP routing table with the network command is IGP.
    • The networks to be injected must exist in the local IP routing table, a...

  • Page 1127

    1-8 Prerequisites
    Before configuring this task, you need to configure MBGP basic functions.
    Configuring MBGP route preferences
    You can reference a route policy to set preferences for routes matching it. Routes not matching it use the default preferences. Follow these steps to configure MBGP route pr...

  • Page 1128

    1-9 To do... | Use the command... | Remarks
    Configure the default MED value | default med med-value | Optional. 0 by default.
    Enable the comparison of the MED of routes from different ASs | compare-different-as-med | Optional. Not enabled by default
    Enable the comparison of the MED of routes from each AS | bestroute co...

  • Page 1129

    1-10 Follow these steps to configure the AS_PATH attribute:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter BGP view | bgp as-number | —
    Enter IPv4 MBGP address family view | ipv4-family multicast | —
    Specify the maximum number of times the local AS number can appear in routes from the...

  • Page 1131

    1-12 For the parameters configured on both sides for ORF capability negotiation, refer to Table 1-1.
    Follow these steps to enable the MBGP ORF capability:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter BGP view | bgp as-number | —
    Enable BGP route refresh for a peer/peer group | pe...

  • Page 1132

    1-13 To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter BGP view | bgp as-number | —
    Enter IPv4 MBGP address family view | ipv4-family multicast | —
    Configure the maximum number of MBGP routes for load balancing | balance number | Required. Not configured by default.
    Configuring a large scale ...

  • Page 1133

    1-14
    • To configure an MBGP peer group, you need to enable the corresponding IPv4 BGP unicast peer group in IPv4 MBGP address family view.
    • Before adding an MBGP peer to an MBGP peer group, you need to add the corresponding IPv4 unicast peer to the IPv4 BGP peer group.
    Configuring MBGP community
    Th...

  • Page 1134

    1-15 Configuring an MBGP route reflector
    To guarantee the connectivity between multicast IBGP peers in an AS, you need to make them fully meshed. But this becomes impractical when there are large numbers of multicast IBGP peers. Configuring route reflectors can solve this problem. Follow these steps...

  • Page 1135

    1-16 To do... | Use the command... | Remarks
    Display the advertised networks | display bgp multicast network | Available in any view
    Display AS path information | display bgp multicast paths [ as-regular-expression ] | Available in any view
    Display MBGP peer/peer group information | display bgp multicast peer [ ip-add...

  • Page 1137

    1-18 Figure 1-1 Network diagram for MBGP configuration
    [Figure labels: Vlan-int102, Vlan-int103, Vlan-int200]
    Device | Interface | IP address
    Source | - | 10.110.1.100/24
    Switch C | Vlan-int200 | 10.110.2.1/24
    Switch A | Vlan-int100 | 10.110.1.1/24
    V...

  • Page 1138

    1-19
    [switchc-vlan-interface104] pim sm
    [switchc-vlan-interface104] quit
    [switchc] interface vlan-interface 200
    [switchc-vlan-interface200] pim sm
    [switchc-vlan-interface200] igmp enable
    [switchc-vlan-interface200] quit
    # Configure a PIM domain border on Switch A.
    [switcha] interface vlan-interface ...

  • Page 1139

    1-20
    [switchb] bgp 200
    [switchb-bgp] router-id 2.2.2.2
    [switchb-bgp] peer 192.168.1.1 as-number 100
    [switchb-bgp] import-route ospf 1
    [switchb-bgp] ipv4-family multicast
    [switchb-bgp-af-mul] peer 192.168.1.1 enable
    [switchb-bgp-af-mul] import-route ospf 1
    [switchb-bgp-af-mul] quit
    [switchb-bgp] quit...

  • Page 1140: Table of Contents

    I Table of contents
    1 Multicast VPN configuration 1-1
    Multicast VPN overview ...

  • Page 1141: Multicast Vpn Configuration

    1-1 1 Multicast VPN configuration
    When configuring multicast VPN, go to the following sections for the information you are interested in:
    • Multicast VPN overview
    • How MD-VPN works
    • Multicast VPN configuration task list
    • Displaying and maintaining multicast VPN
    • Multicast VPN configuration examp...

  • Page 1142

    1-2 Figure 1-1 Typical application of MPLS L3VPNs
    [Figure labels: VPN A Site 1, Site 3, Site 5; VPN B Site 2, Site 4, Site 6; core layer, edge layer, CPE layer; P 1, P 2, P 3; PE 1, PE 2, PE 3; CE 1, CE 2, CE 3, CE 4, CE 5, CE 6]
    As shown in Figure 1-1, VPN A comprises Site 1, Site 3 and Site 5, while VPN B com...

  • Page 1143

    1-3 ...instances that are running on PE 1: the public instance, VPN instance A, and VPN instance B. These three instances can be regarded as three independent virtual devices, which are PE 1’, PE 1”, and PE 1’”, each virtual device corresponding to a plane.
    Figure 1-2 Multicast in multiple VPN instances...

  • Page 1144

    1-4 For details about the concepts of Protocol Independent Multicast (PIM), bootstrap router (BSR), candidate-BSR (C-BSR), rendezvous point (RP), candidate RP (C-RP), shortest path tree (SPT) and rendezvous point tree (RPT), refer to PIM Configuration in the IP Multicast Volume. Comware implements m...

  • Page 1145

    1-5 ...per-VPN-instance basis, while the public network multicast traffic between the PE devices and the P devices is transmitted through the public instance. 2) Logically, an MD defines the transmission range of the multicast traffic of a specific VPN over the public network; physically, an MD identif...

  • Page 1146

    1-6 A VPN uniquely corresponds to an MD and an MD serves only one VPN, which is called a one-to-one relationship.
    PIM neighboring relationships in MD-VPN
    Figure 1-4 PIM neighboring relationships in MD-VPN
    [Figure labels: MD; P; PE 1, PE 2, PE 3; CE 1, CE 2, CE 3; PE-PE neighbors, PE-P neighbors, PE-CE neighbors]
    PIM neighbori...

  • Page 1147

    1-7 How MD-VPN works
    This section describes the implementation principle of the MD-VPN technology, including establishment of a share-MDT, packet delivery over it, and implementation of multi-AS MD-VPN. For a VPN instance, multicast data transmission in the public network is transparent. The MTIs at...

  • Page 1148

    1-8 Share-MDT establishment in a PIM-SM network
    Figure 1-6 Share-MDT establishment in a PIM-SM network
    [Figure labels: public instance BGP peers; RPT (*, 239.1.1.1); MD; P; RP; PE 1 (BGP: 11.1.1.1/24), PE 2 (BGP: 11.1.2.1/24), PE 3 (BGP: 11.1.3.1/24); SPT (11.1.1.1, 239.1.1.1), SPT (11.1.2.1, 239.1.1.1), SPT (11.1.3.1, 239.1.1.1)]
    ...

  • Page 1149

    1-9 Share-MDT establishment in a PIM-SSM network
    Figure 1-7 Share-MDT establishment in a PIM-SSM network
    [Figure labels: public instance BGP peers; MD; P; PE 1 (BGP: 11.1.1.1/24), PE 2 (BGP: 11.1.2.1/24), PE 3 (BGP: 11.1.3.1/24); SPT (11.1.1.1, 232.1.1.1), SPT (11.1.2.1, 232.1.1.1), SPT (11.1.3.1, 232.1.1.1); share-group: 232.1.1...]

  • Page 1150

    1-10 ...and then decapsulated on the remote PE device to go into the normal protocol procedure. Finally a distribution tree is established across the public network. All interfaces that belong to the same VPN, including those interfaces with VPN instance bindings and the MTI on PE devices, must run the...

  • Page 1151

    1-11 The work process of multicast protocol packets is as follows: 1) Receiver sends an IGMP membership report for multicast group G to CE 2. CE 2 creates a local (*, 225.1.1.1) state entry and sends a join message to the VPN RP (CE 1). 2) Upon receiving the join message from CE 2, the VPN instance...

  • Page 1152

    1-12
    • For detailed description of RPT-to-SPT switchover, refer to PIM Configuration in the IP Multicast Volume.
    • The following example explains how multicast data packets are delivered based on the share-MDT while PIM-DM is running in both the public network and the VPN network.
    As shown in Figur...

  • Page 1153

    1-13 5) The VPN instance on PE 2 searches the MVRF and finally delivers the private network multicast data to Receiver. By now, the process of transmitting a private network multicast packet across the public network is completed.
    Multi-AS MD VPN
    If nodes of a VPN network are allocated in multiple...

  • Page 1154

    1-14 Figure 1-11 Multi-hop EBGP interconnectivity
    [Figure labels: AS 1, AS 2; PE 1', PE 1", PE 2', PE 2", PE 3, PE 4; ASBR; CE 1, CE 2; MD, VPN instance, public instance; MT, MTI; P 1, P 2]
    In the multi-hop EBGP interconnectivity approach, only one MD needs to be established for all the ASs, and public network multicast t...

  • Page 1155

    1-15 To do... | Use the command... | Remarks
    Create a VPN instance and enter VPN instance view | ip vpn-instance vpn-instance-name | —
    Configure an RD for the VPN instance | route-distinguisher route-distinguisher | Required. No RD is configured for a VPN instance by default.
    Enable IP multicast routing | multicas...

  • Page 1156

    1-16
    • After a BGP peer is configured with the peer connect-interface command, the MTI interface automatically obtains the connect-interface address and uses it as its own IP address. This IP address cannot be used in the VPN network any more; otherwise the MTI interface will fail to obtain an IP a...

  • Page 1157

    1-17 To do... | Use the command... | Remarks
    Add a peer to the BGP MDT peer group | peer ip-address group group-name | Optional. By default, a BGP MDT peer belongs to no peer groups.
    A BGP MDT peer or peer group is a peer or peer group created in BGP-MDT subaddress family view.
    Configuring a BGP MDT route reflec...

  • Page 1159

    1-19 Item | Network requirements
    PIM |
    • Enable PIM-SM on all interfaces of the P device.
    • Enable PIM-SM on all public and private network interfaces of PE 1, PE 2 and PE 3.
    • Enable PIM-SM on all interfaces of CE a1, CE a2, CE a3, CE b1, and CE b2.
    • Configure Loopback 1 of P as a C-BSR and a C-RP for...

  • Page 1160

    1-20 Configuration procedure
    1) Configure PE 1
    # Configure a router ID, enable IP multicast routing in the public instance, configure an MPLS LSR ID, and enable the LDP capability.
    system-view
    [pe1] router id 1.1.1.1
    [pe1] multicast routing-enable
    [pe1] mpls lsr-id 1.1.1.1
    [pe1] mpls
    [pe1-mpls] quit...

  • Page 1161

    1-21
    [pe1-vlan-interface11] quit
    # Configure an IP address for Loopback 1, and enable PIM-SM.
    [pe1] interface loopback 1
    [pe1-loopback1] ip address 1.1.1.1 32
    [pe1-loopback1] pim sm
    [pe1-loopback1] quit
    # Configure BGP.
    [pe1] bgp 100
    [pe1-bgp] group vpn-g internal
    [pe1-bgp] peer vpn-g connect-interf...

  • Page 1162

    1-22
    [pe2-mpls] quit
    [pe2] mpls ldp
    [pe2-mpls-ldp] quit
    # Create VPN instance b, configure an RD for it, and create an egress route and an ingress route for it.
    [pe2] ip vpn-instance b
    [pe2-vpn-instance-b] route-distinguisher 200:1
    [pe2-vpn-instance-b] vpn-target 200:1 export-extcommunity
    [pe2-vpn-in...

  • Page 1163

    1-23
    [pe2-vlan-interface14] quit
    # Configure an IP address for Loopback 1, and enable PIM-SM.
    [pe2] interface loopback 1
    [pe2-loopback1] ip address 1.1.1.2 32
    [pe2-loopback1] pim sm
    [pe2-loopback1] quit
    # Configure BGP.
    [pe2] bgp 100
    [pe2-bgp] group vpn-g internal
    [pe2-bgp] peer vpn-g connect-interf...

  • Page 1164

    1-24 [pe2-rip-3] return 3) configure pe 3 # configure a router id, enable ip multicast routing in the public instance, configure an mpls lsr id, and enable the ldp capability. System-view [pe3] router id 1.1.1.3 [pe3] multicast routing-enable [pe3] mpls lsr-id 1.1.1.3 [pe3] mpls [pe3-mpls] quit [pe3...

  • Page 1165

    1-25 [pe3-vlan-interface17] ip address 10.110.5.1 24 [pe3-vlan-interface17] pim sm [pe3-vlan-interface17] quit # bind vlan-interface 18 to vpn instance b, configure an ip address and enable pim-sm on the interface. [pe3] interface vlan-interface 18 [pe3-vlan-interface18] ip binding vpn-instance b [p...

  • Page 1166

1-26 [pe3-bgp] quit with bgp peers configured on pe 3, the interfaces mti 0 and mti 1 will automatically obtain ip addresses, which are the loopback interface addresses specified in the bgp peer configuration. The pim mode running on mti 0 is the same as on the interfaces in vpn instance a, and the ...

  • Page 1167

    1-27 [p-vlan-interface15] mpls [p-vlan-interface15] mpls ldp [p-vlan-interface15] quit # configure an ip address, and enable pim-sm and ldp capability on the public network interface vlan-interface 19. [p] interface vlan-interface 19 [p-vlan-interface19] ip address 192.168.8.2 24 [p-vlan-interface19...

  • Page 1168

    1-28 6) configure ce b1. # enable ip multicast routing. System-view [ceb1] multicast routing-enable # configure an ip address for vlan-interface 30 and enable pim-sm on the interface. [ceb1] interface vlan-interface 30 [ceb1-vlan-interface30] ip address 10.110.8.1 24 [ceb1-vlan-interface30] pim sm [...

  • Page 1169

    1-29 [cea2] pim [cea2-pim] c-bsr loopback 1 [cea2-pim] c-rp loopback 1 [cea2-pim] quit # configure rip [cea2] rip 2 [cea2-rip-2] network 10.0.0.0 [cea2-rip-2] network 22.0.0.0 8) configure ce a3. # enable ip multicast routing. System-view [cea3] multicast routing-enable # configure an ip address for...

  • Page 1170

    1-30 [ceb2-vlan-interface18] ip address 10.110.6.2 24 [ceb2-vlan-interface18] pim sm [ceb2-vlan-interface18] quit # configure rip [ceb2] rip 3 [ceb2-rip-3] network 10.0.0.0 10) verify the configuration to view the share-group information of a vpn instance, use the display multicast-domain vpn-instan...

  • Page 1171

    1-31 item network requirements pe interfaces and vpn instances they belong to z pe 1: vlan-interface 11 belongs to vpn instance b; vlan-interface 12 belongs to vpn instance a; vlan-interface 2 and loopback 1 belong to the public network instance. Z pe 2: vlan-interface 2, vlan-interface 3, loopback ...

  • Page 1172

1-32 Figure 1-13 Network diagram for multi-AS MD-VPN configuration (AS 100 and AS 200; PE 1 through PE 4, with PE 2 and PE 3 acting as ASBRs; VPN A with CE A1 and CE A2, VPN B with CE B1 and CE B2; interface and loopback labels omitted) ...

  • Page 1173

    1-33 # create vpn instance a, configure an rd for it, and create an ingress route and an egress route for it; enable ip multicast routing in vpn instance a, configure a share-group address, associate an mti with the vpn instance. [pe1] ip vpn-instance a [pe1-vpn-instance-a] route-distinguisher 100:1...

  • Page 1174

    1-34 [pe1-loopback1] pim sm [pe1-loopback1] quit # configure bgp. [pe1] bgp 100 [pe1-bgp] group pe1-pe2 internal [pe1-bgp] peer pe1-pe2 label-route-capability [pe1-bgp] peer pe1-pe2 connect-interface loopback 1 [pe1-bgp] peer 1.1.1.2 group pe1-pe2 [pe1-bgp] group pe1-pe4 external [pe1-bgp] peer pe1-...

  • Page 1175

    1-35 [pe1-ospf-3-area-0.0.0.0] quit [pe1-ospf-3] quit 2) configure pe 2 # configure a router id, enable ip multicast routing in the public instance, configure an mpls lsr id, and enable the ldp capability. System-view [pe2] router id 1.1.1.2 [pe2] multicast routing-enable [pe2] mpls lsr-id 1.1.1.2 [...

  • Page 1176

    1-36 [pe2] interface vlan-interface 3 [pe2-vlan-interface3] pim bsr-boundary [pe2-vlan-interface3] quit # establish an msdp peering relationship. [pe2] msdp [pe2-msdp] encap-data-enable [pe2-msdp] peer 1.1.1.3 connect-interface loopback 1 # configure a static route. [pe2] ip route-static 1.1.1.3 32 ...

  • Page 1177

    1-37 system-view [pe3] router id 1.1.1.3 [pe3] multicast routing-enable [pe3] mpls lsr-id 1.1.1.3 [pe3] mpls [pe3-mpls] quit [pe3] mpls ldp [pe3-mpls-ldp] quit # configure an ip address, and enable pim-sm and ldp capability on the public network interface vlan-interface 4. [pe3] interface vlan-inter...

  • Page 1178

    1-38 [pe3-msdp] encap-data-enable [pe3-msdp] peer 1.1.1.2 connect-interface loopback 1 # configure a static route. [pe3] ip route-static 1.1.1.2 32 vlan-interface 3 192.168.1.1 # configure bgp. [pe3] bgp 200 [pe3-bgp] import-route ospf 1 [pe3-bgp] group pe3-pe4 internal [pe3-bgp] peer pe3-pe4 route-...

  • Page 1179

    1-39 [pe4] mpls ldp [pe4-mpls-ldp] quit # create vpn instance a, configure an rd for it, and create an ingress route and an egress route for it; enable ip multicast routing in vpn instance a, configure a share-group address, associate an mti with the vpn instance. [pe4] ip vpn-instance a [pe4-vpn-in...

  • Page 1180

    1-40 [pe4] interface loopback 1 [pe4-loopback1] ip address 1.1.1.4 32 [pe4-loopback1] pim sm [pe4-loopback1] quit # configure bgp. [pe4] bgp 100 [pe4-bgp] group pe4-pe3 internal [pe4-bgp] peer pe4-pe3 label-route-capability [pe4-bgp] peer pe4-pe3 connect-interface loopback 1 [pe4-bgp] peer 1.1.1.3 g...

  • Page 1181

    1-41 [pe4-ospf-3] area 0.0.0.0 [pe4-ospf-3-area-0.0.0.0] network 10.11.0.0 0.0.255.255 [pe4-ospf-3-area-0.0.0.0] quit [pe4-ospf-3] quit 5) configure ce a1. # enable ip multicast routing. System-view [cea1] multicast routing-enable # configure an ip address for vlan-interface 10 and enable pim-sm on ...

  • Page 1182

    1-42 [ceb1-vlan-interface20] quit # configure an ip address for vlan-interface 12 and enable pim-sm on the interface. [ceb1] interface vlan-interface 12 [ceb1-vlan-interface12] ip address 10.11.2.2 24 [ceb1-vlan-interface12] pim sm [ceb1-vlan-interface12] quit # configure ospf. [ceb1] ospf 1 [ceb1-o...

  • Page 1183

    1-43 # configure an ip address for vlan-interface 14 and enable pim-sm on the interface. [ceb2] interface vlan-interface 14 [ceb2-vlan-interface14] ip address 10.11.4.2 24 [ceb2-vlan-interface14] pim sm [ceb2-vlan-interface14] quit # configure an ip address for loopback 1, and enable pim-sm. [ceb2] ...

  • Page 1184

    1-44 share-group: 239.4.4.4 mtunnel address: 1.1.1.4 troubleshooting md-vpn configuration unable to establish a share-mdt symptom a share-mdt cannot be established. Pim adjacencies cannot be established between the same vpn instance’s interfaces on different pe devices. Analysis z on different pe de...

  • Page 1185

    1-45 analysis z if pim-sm is running in the vpn instance, the bsr information for the vpn instance is required; otherwise, the vpn instance’s mvrf cannot be correctly established. Z if pim-sm is running in the vpn instance, the rp information for the vpn instance is required. If a unicast route to t...

  • Page 1186: Table of Contents

I table of contents 1 igmp snooping configuration 1-1; igmp snooping overview ...

  • Page 1187

II igmp snooping proxying configuration example 1-33; troubleshooting igmp snooping configuration 1-35; switch fails in layer 2 multicast forwardin...

  • Page 1188: Igmp Snooping Configuration

    1-1 1 igmp snooping configuration when configuring igmp snooping, go to the following sections for information you are interested in: z igmp snooping overview z igmp snooping configuration task list z displaying and maintaining igmp snooping z igmp snooping configuration examples z troubleshooting i...

  • Page 1189

1-2 Figure 1-1 Before and after IGMP snooping is enabled on the Layer 2 device (left panel: multicast packet transmission without IGMP snooping; right panel: multicast packet transmission when IGMP snooping runs; both show a source, a multicast router, a Layer 2 switch and Host A, Host B, Host C with receivers; diagram labels omitted) ...

  • Page 1190

    1-3 z router port: a router port is a port on an ethernet switch that leads the switch towards a layer 3 multicast device (dr or igmp querier). In the figure, gigabitethernet 2/0/1 of switch a and gigabitethernet 2/0/1 of switch b are router ports. The switch registers all its local router ports in ...

  • Page 1191

    1-4 how igmp snooping works a switch running igmp snooping performs different actions when it receives different igmp messages, as follows: the description about adding or deleting a port in this section is only for a dynamic port. Static ports can be added or deleted only through the corresponding ...

  • Page 1192

    1-5 a switch does not forward an igmp report through a non-router port. This is because if the switch forwards a report message through a member port, all the attached hosts listening to the reported multicast address will suppress their own reports upon receiving this report according to the igmp r...

  • Page 1193

    1-6 igmp snooping proxying you can configure the igmp snooping proxying function on an edge device, which then can represent its attached hosts to send membership reports and leave messages, thus reducing the number of igmp reports and leave messages sent to its upstream device. The device configure...

  • Page 1194

    1-7 igmp message actions report when receiving a report for a multicast group, the proxy looks up the multicast forwarding table for the entry for the multicast group. If the forwarding entry is found with the receiving port contained as a dynamic member port in the outgoing port list, the proxy res...

  • Page 1195

    1-8 igmp snooping configuration task list complete these tasks to configure igmp snooping: task remarks enabling igmp snooping required configuring the version of igmp snooping optional configuring basic functions of igmp snooping configuring the maximum number of global igmp forwarding entries opti...

  • Page 1196

    1-9 z configurations made in igmp snooping view are effective for all vlans, while configurations made in vlan view are effective only for ports belonging to the current vlan. For a given vlan, a configuration made in igmp snooping view is effective only if the same configuration is not made in vlan...

  • Page 1197

    1-10 z igmp snooping must be enabled globally before it can be enabled in a vlan. Z after enabling igmp snooping in a vlan, you cannot enable igmp and/or pim on the corresponding vlan interface. Z when you enable igmp snooping in a specified vlan, this function takes effect for the ports in this vla...

  • Page 1198

    1-11 to do... Use the command... Remarks enter igmp snooping view igmp-snooping — configure the maximum number of global forwarding entries entry-limit limit required 1000 by default. If the number of existing entries is larger than the limit when you configure it, the device informs you to remove e...

  • Page 1199

    1-12 to do... Use the command... Remarks configure dynamic member port aging time host-aging-time interval optional 260 seconds by default configuring aging timers for dynamic ports in a vlan follow these steps to configure aging timers for dynamic ports in a vlan: to do... Use the command... Remark...

  • Page 1200

    1-13 z a static (s, g) joining can take effect only if a valid multicast source address is specified and igmp snooping version 3 is currently running. Z a static member port does not respond to queries from the igmp querier; when static (*, g) or (s, g) joining is enabled or disabled on a port, the ...

  • Page 1201

    1-14 z each simulated host is equivalent to an independent host. For example, when receiving an igmp query, the simulated host corresponding to each configuration responds respectively. Z unlike a static member port, a port configured as a simulated member host will age out like a dynamic member por...

  • Page 1202

    1-15 configuring igmp snooping querier configuration prerequisites before configuring igmp snooping querier, complete the following task: z enable igmp snooping in the vlan. Before configuring igmp snooping querier, prepare the following data: z igmp general query interval, z igmp last-member query ...

  • Page 1203

    1-16 response time (the host obtains the value of the maximum response time from the max response time field in the igmp query it received). When the timer value comes down to 0, the host sends an igmp report to the corresponding multicast group. An appropriate setting of the maximum response time f...

  • Page 1204

    1-17 configuring source ip address of igmp queries upon receiving an igmp query whose source ip address is 0.0.0.0 on a port, the switch does not enlist that port as a dynamic router port. This may prevent multicast forwarding entries from being correctly created at the data link layer and cause mul...

  • Page 1205

    1-18 configuring a source ip address for the igmp messages sent by the proxy you can set the source ip addresses in the igmp reports and leave messages sent by the igmp snooping proxy on behalf of its attached hosts. Follow these steps to configure the source ip addresses for the igmp messages sent ...

  • Page 1206

    1-19 to do... Use the command... Remarks configure a multicast group filter group-policy acl-number [ vlan vlan-list] required by default, no group filter is globally configured, that is, hosts in vlans can join any valid multicast group. Configuring a multicast group filter on a port or a group of ...

  • Page 1207

    1-20 to do... Use the command... Remarks interface interface-type interface-number enter ethernet port/olt port view or port group view port-group manual port-group-name required use either approach enable multicast source port filtering igmp-snooping source-deny required disabled by default configu...

  • Page 1208

    1-21 z for devices that support both drop-unknown and igmp-snooping drop-unknown commands at the same time, the configuration made in igmp snooping view and the configuration made in vlan view are mutually exclusive. Namely, after this function is enabled in igmp snooping view, it cannot be enabled ...

  • Page 1209

    1-22 on an igmp snooping proxy, igmp membership reports are suppressed if the entries for the corresponding groups exist in the forwarding table, no matter the suppression function is enabled or not. Configuring maximum multicast groups that can be joined on a port by configuring the maximum number ...

  • Page 1210

    1-23 z if the multicast group replacement feature is enabled, the newly joined multicast group automatically replaces an existing multicast group with the lowest address. Z if the multicast group replacement feature is not enabled, new igmp reports will be automatically discarded. Configuring multic...

  • Page 1211

    1-24 to do... Use the command... Remarks enter igmp-snooping view igmp-snooping — configure 802.1p precedence for igmp messages dot1p-priority priority-number required the default 802.1p precedence for igmp messages is 0. Configuring 802.1p precedence for igmp messages in a vlan follow these steps t...

  • Page 1212

    1-25 igmp snooping configuration examples group policy and simulated joining configuration example network requirements z as shown in figure 1-4 , router a connects to the multicast source through gigabitethernet 2/0/2 and to switch a through gigabitethernet 2/0/1. Z igmpv2 is required on router a, ...

  • Page 1213

    1-26 3) configure switch a # enable igmp snooping globally. System-view [switcha] igmp-snooping [switcha-igmp-snooping] quit # create vlan 100, assign gigabitethernet 2/0/1 through gigabitethernet 2/0/4 to this vlan, and enable igmp snooping and the function of dropping unknown multicast traffic in ...

  • Page 1214

    1-27 ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): attribute: host board host port(s):total 2 port. Ge2/0/3 (d) ge2/0/4 (d) mac group(s): mac group address:0100-5e01-0101 host port unit board: mask(0x04) host port(s):total 2 port. Ge2/0/3 ge2/0/4 as shown above, gigabitethernet 2/0/3 and gigabite...

  • Page 1215

1-28 Figure 1-5 Network diagram for static port configuration (Source 1.1.1.1/24; Router A as IGMP querier with GE2/0/1 10.1.1.1/24 and GE2/0/2 1.1.1.2/24; Switch A, Switch B, Switch C; Host A, Host B, Host C, two of which are receivers; switch port labels omitted) ...

  • Page 1216

    1-29 # configure gigabitethernet 2/0/3 to be a static router port. [switcha] interface gigabitethernet 2/0/3 [switcha-gigabitethernet2/0/3] igmp-snooping static-router-port vlan 100 [switcha-gigabitethernet2/0/3] quit 4) configure switch b # enable igmp snooping globally. System-view [switchb] igmp-...

  • Page 1217

    1-30 total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port unit board: mask(0x04) router port(s):total 2 port. Ge2/0/1 (d) ge2/0/3 (s) ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): attribute: host board host port...

  • Page 1218

    1-31 ge2/0/5 as shown above, gigabitethernet 2/0/3 and gigabitethernet 2/0/5 on switch c have become static member ports for multicast group 224.1.1.1. Igmp snooping querier configuration example network requirements z as shown in figure 1-6 , in a layer 2–only network environment, two multicast sou...

  • Page 1219

    1-32 [switcha-vlan100] igmp-snooping enable [switcha-vlan100] igmp-snooping drop-unknown # enable the igmp-snooping querier function in vlan 100 [switcha-vlan100] igmp-snooping querier # set the source ip address of igmp general queries and group-specific queries to 192.168.1.1 in vlan 100. [switcha...

  • Page 1220

    1-33 igmp snooping proxying configuration example network requirements as shown in figure 1-7 , z router a connects to a multicast source through port gigabitethernet 2/0/2, and to switch a through port gigabitethernet 2/0/1. Z router a runs igmpv2 and switch a runs igmpv2 snooping. Router a serves ...

  • Page 1221

    1-34 system-view [switcha] igmp-snooping [switcha-igmp-snooping] quit # create vlan 100, assign ports gigabitethernet 2/0/1 through gigabitethernet 2/0/4 to this vlan, and enable igmp snooping and igmp snooping proxying in the vlan. [switcha] vlan 100 [switcha-vlan100] port gigabitethernet 2/0/1 to ...

  • Page 1222

    1-35 total 1 igmp group reported group address last reporter uptime expires 224.1.1.1 0.0.0.0 00:00:06 00:02:04 when host a leaves the multicast group, it sends an igmp leave message to switch a. Receiving the message, switch a removes port gigabitethernet 2/0/3 from the member port list of the forw...

  • Page 1223

    1-36 configured multicast group policy fails to take effect symptom although a multicast group policy has been configured to allow hosts to join specific multicast groups, the hosts can still receive multicast data addressed to other multicast groups. Analysis z the acl rule is incorrectly configure...

  • Page 1224: Table of Contents

I table of contents 1 multicast vlan configuration 1-1; introduction to multicast vlan ...

  • Page 1225: Multicast Vlan Configuration

    1-1 1 multicast vlan configuration when configuring multicast vlan, go to these sections for information you are interested in: z introduction to multicast vlan z multicast vlan configuration task list z configuring sub-vlan-based multicast vlan z configuring port-based multicast vlan z displaying a...

  • Page 1226

    1-2 sub-vlan-based multicast vlan as shown in figure 1-2 , host a, host b and host c are in three different user vlans. On switch a, configure vlan 10 as a multicast vlan, configure all the user vlans as sub-vlans of this multicast vlan, and enable igmp snooping in the multicast vlan. Figure 1-2 sub...

  • Page 1227

    1-3 after the configuration, upon receiving an igmp message on a user port, switch a tags the message with the multicast vlan id and relays it to the igmp querier, so that igmp snooping can uniformly manage the router ports and member ports in the multicast vlan. When forwarding multicast data to sw...

  • Page 1228

    1-4 configuring sub-vlan-based multicast vlan in this approach, you need to configure a vlan as a multicast vlan, and then configure user vlans as sub-vlans of the multicast vlan. Follow these steps to configure sub-vlan-based multicast vlan: to do… use the command… remarks enter system view system-...

  • Page 1229

    1-5 configuration prerequisites before configuring port-based multicast vlan, complete the following tasks: z create vlans as required z enable igmp snooping in the vlan to be configured as a multicast vlan z enable igmp snooping in all the user vlans configuring user port attributes configure the u...

  • Page 1230

    1-6 configuring multicast vlan ports in multicast vlan view follow these steps to configure multicast vlan ports in multicast vlan view: to do... Use the command... Remarks enter system view system-view — configure the specified vlan as a multicast vlan and enter multicast vlan view multicast-vlan v...

  • Page 1231

    1-7 configuring the maximum number of forwarding entries in a multicast vlan you can configure the maximum number of entries in the igmp snooping forwarding table of a multicast vlan. When the number of forwarding entries maintained for a multicast vlan reaches the threshold, the device creates no m...

  • Page 1232

    1-8 z configure the sub-vlan-based multicast vlan feature so that router a just sends multicast data to switch a through the multicast vlan and switch a forwards the traffic to the receivers that belong to different user vlans. Network diagram figure 1-4 network diagram for sub-vlan-based multicast ...

  • Page 1233

    1-9 [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 2/0/2 [switcha-vlan2] quit the configuration for vlan 3 and vlan 4 is similar to the configuration for vlan 2. # create vlan 10, assign gigabitethernet 2/0/1 to this vlan and enable igmp snooping in the vlan. [switcha] vlan 10 [switcha-vlan10...

  • Page 1234

    1-10 ge2/0/2 vlan(id):3. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 0 port. Ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): host port(s):total 1 port. Ge2/0/3 (d) mac group(s): mac group address...

  • Page 1235

    1-11 port-based multicast vlan configuration network requirements z as shown in figure 1-5 , router a connects to a multicast source (source) through gigabitethernet 2/0/1, and to switch a through gigabitethernet 2/0/2. Z igmpv2 is required on router a. Igmpv2 snooping is required on switch a. Route...

  • Page 1236

    1-12 [routera] interface gigabitethernet 2/0/1 [routera-gigabitethernet2/0/1] pim dm [routera-gigabitethernet2/0/1] quit [routera] interface gigabitethernet 2/0/2 [routera-gigabitethernet2/0/2] pim dm [routera-gigabitethernet2/0/2] igmp enable 3) configure switch a # enable igmp snooping globally. S...

  • Page 1237

    1-13 [switcha] display multicast-vlan total 1 multicast-vlan(s) multicast vlan 10 subvlan list: no subvlan port list: ge2/0/2 ge2/0/3 ge2/0/4 # view the igmp snooping multicast group information on switch a. [switcha] display igmp-snooping group total 1 ip group(s). Total 1 ip source(s). Total 1 mac...

  • Page 1238: Table of Contents

I table of contents 1 ipv6 multicast routing and forwarding configuration 1-1; ipv6 multicast routing and forwarding overview 1-1; introduction to ...

  • Page 1239: Configuration

    1-1 1 ipv6 multicast routing and forwarding configuration when configuring ipv6 multicast routing and forwarding, go to the following sections for information you are interested in: z ipv6 multicast routing and forwarding overview z configuration task list z displaying and maintaining ipv6 multicast...

  • Page 1240

    1-2 rpf check mechanism an ipv6 multicast routing protocol relies on the existing ipv6 unicast routing information or ipv6 mbgp routes in creating ipv6 multicast routing entries. When creating ipv6 multicast routing table entries, an ipv6 multicast routing protocol uses the reverse path forwarding (...

  • Page 1241

    1-3 the above-mentioned “packet source” can mean different things in different situations: z for a packet traveling along the shortest path tree (spt) from the multicast source to the receivers or the rendezvous point (rp), the “packet source” for rpf check is the multicast source. Z for a packet tr...

  • Page 1242

    1-4 figure 1-1 rpf check process z when an ipv6 multicast packet arrives on vlan-interface20 of router c, as the interface is the incoming interface of the (s, g) entry, the router forwards the packet to all outgoing interfaces. Z when an ipv6 multicast packet arrives on vlan-interface10 of router c...

  • Page 1243

    1-5 configuring ipv6 multicast routing and forwarding configuration prerequisites before configuring ipv6 multicast routing and forwarding, complete the following tasks: z configure an ipv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer. Z configure...

  • Page 1244

    1-6 follow these steps to configure an ipv6 multicast forwarding range: to do... Use the command... Remarks enter system view system-view — enter interface view interface interface-type interface-number — configure an ipv6 multicast forwarding boundary multicast ipv6 boundary ipv6-group-address pref...

  • Page 1245

    1-7 configuring ipv6 static multicast mac address entries in layer-2 multicast, a layer-2 ipv6 multicast protocol (such as mld snooping) can dynamically add ipv6 multicast mac address entries. Or, you can manually configure ipv6 multicast mac address entries. Configuring an ipv6 static multicast mac...

  • Page 1246

    1-8 displaying and maintaining ipv6 multicast routing and forwarding to do... Use the command... Remarks display the ipv6 multicast boundary information display multicast ipv6 boundary [ ipv6-group-address [ prefix-length ] ] [ interface interface-type interface-number ] available in any view displa...

  • Page 1247

    1-9 z the reset command clears the information in the ipv6 multicast routing table or the multicast forwarding table, and thus may cause transmission failure of ipv6 multicast information. Z when a routing entry is deleted from the ipv6 multicast routing table, the corresponding forwarding entry wil...

  • Page 1248: Table of Contents

I table of contents 1 mld configuration 1-1; mld overview ...

  • Page 1249: Mld Configuration

    1-1 1 mld configuration z the term “router” in this document refers to a router in a generic sense or a layer 3 switch running the mld protocol. Z the s7900e series ethernet switches are distributed devices that support intelligent resilient framework (irf). Two s7900e series can be connected togeth...

  • Page 1250

    1-2 all mld versions support the any-source multicast (asm) model. In addition, mldv2 can be directly deployed to implement the source-specific multicast (ssm) model, while mldv1 needs to work with the mld ssm mapping function to implement ssm service. For more information about the asm and ssm mode...

  • Page 1251

1-3 joining an ipv6 multicast group Figure 1-1 MLD queries and reports (Router A as querier and Router B on the Ethernet segment toward the IPv6 network; Host A (G2), Host B (G1), Host C (G1); query and report arrows omitted). Assume that host b and host c are expected to receive ipv6 multicast data addressed to ipv6 multicast group g1, while host a is expe...

  • Page 1252

    1-4 1) this host sends an mld done message to all ipv6 multicast routers (the destination address is ff02::2) on the local subnet. 2) upon receiving the mld done message, the querier sends a configurable number of multicast-address-specific queries to the group being left. The destination address fi...

  • Page 1253

    1-5 when mldv2 is running on the hosts and routers, host b can explicitly express its interest in the ipv6 multicast data source 1 sends to g (denoted as (s1, g)), rather than the ipv6 multicast data source 2 sends to g (denoted as (s2, g)). Thus, only ipv6 multicast data from source 1 will be deliv...

  • Page 1254

1-6 Figure 1-3 Format of MLDv2 query message (bit offsets 0, 7, 15, 31; fields in order: Type = 130, Code, Checksum; Maximum Response Delay, Reserved; Multicast Address (128 bits); Reserved, S, QRV, QQIC, Number of Sources (N); Source Address [1] through Source Address [N], 128 bits each). Table 1-1 describes the fields in figure 1-3. Ta...

  • Page 1255

    1-7 field description source address( i ) ipv6 multicast source address in a multicast-address-specific query message (i = 1, 2, .., n, where n represents the number of multicast source addresses.) mld report message a host sends an mld report message to report the current multicast listening state ...

  • Page 1256

    1-8 mld ssm mapping the mld ssm mapping feature allows you to configure static mld ssm mappings on the last hop router to provide ssm support for receiver hosts running mldv1. The ssm model assumes that the last hop router is aware of the desired ipv6 multicast sources when receivers join ipv6 multi...

  • Page 1257

    1-9 the mld ssm mapping feature does not process mldv2 reports. For more information about the ipv6 ssm group range, refer to ipv6 pim configuration in the ip multicast volume. Mld proxying in some simple tree-shaped topologies, it is not necessary to configure complex ipv6 multicast routing protoco...

  • Page 1258

    1-10 interfaces by participating in the querier election, sending queries, and maintaining memberships based on the reports. Protocols and standards mld-related specifications are described in the following documents: z rfc 2710: multicast listener discovery (mld) for ipv6 z rfc 3810: multicast list...

  • Page 1259

    1-11 z configure any ipv6 unicast routing protocol so that all devices in the domain can be interoperable at the network layer. Z configure ipv6 pim-dm or ipv6 pim-sm. In addition, prepare the following data: z mld version z ipv6 multicast group address and ipv6 multicast source address for static g...

  • Page 1260

    1-12 configuring an mld version on an interface follow these steps to configure an mld version on an interface: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — configure an mld version on the interface mld version versi...

  • Page 1261

    1-13 configuring an ipv6 multicast group filter to restrict the hosts on the network attached to an interface from joining certain ipv6 multicast groups, you can set an ipv6 acl rule on the interface so that the interface maintains only the ipv6 multicast groups matching the criteria. Follow these s...

  • Page 1262

    1-14 configurations performed in mld view are globally effective, while configurations performed in interface view are effective on the current interface only. If the same function or parameter is configured in both pim view and interface view, the configuration performed in interface view is given ...

  • Page 1263

    1-15 to do… use the command… remarks configure the interface to discard any mld message without the router-alert option require-router-alert optional by default, the device does not check mld messages for the router-alert option. Enable the insertion of the router-alert option into mld messages send...

  • Page 1264

    1-16 • for mld general queries, you can configure the maximum response delay to fill their maximum response delay field. • for mld multicast-address-specific query messages, you can configure the last listener query interval to fill their maximum response delay field. That is to say, the maximum res...

  • Page 1265

    1-17 to do… use the command… remarks configure the startup query count mld startup-query-count value optional for the system default, see “note” below. Configure the mld query interval mld timer query interval optional 125 seconds by default. Configure the mld querier robustness variable mld robust-...

  • Page 1266

    1-18 configuring mld ssm mapping due to some possible restrictions, some receiver hosts on an ssm network may run mldv1. To provide ssm service support for these receiver hosts, you need to configure the mld ssm mapping feature on the last hop router. Configuration prerequisites before configuring t...

  • Page 1267

    1-19 if mldv2 is enabled on a vlan interface, and if a port in that vlan is configured as a simulated host, the simulated host will send mldv2 reports even if you did not specify an ipv6 multicast source when configuring simulated joining with the mld-snooping host-join command. In this case, the co...

  • Page 1268

    1-20 configuring ipv6 multicast forwarding on a downstream interface typically, only queriers are able to forward ipv6 multicast traffic while non-queriers have no forwarding capabilities, to avoid duplicate multicast flows. It is the same on mld proxy devices. Only the downstream interfaces acting ...

  • Page 1270

    1-22 • mldv1 is required between switch a and n1. Mldv1 is also required between the other two switches (switch b and switch c) and n2. Switch b acts as the mld querier because it has a lower ipv6 address. Network diagram figure 1-7 network diagram for basic mld functions configuration ethernet eth...

  • Page 1271

    1-23 system-view [switchb] multicast ipv6 routing-enable [switchb] interface vlan-interface 200 [switchb-vlan-interface200] mld enable [switchb-vlan-interface200] pim ipv6 dm [switchb-vlan-interface200] quit [switchb] interface vlan-interface 201 [switchb-vlan-interface201] pim ipv6 dm [switchb-vlan...

  • Page 1272

    1-24 network diagram figure 1-8 network diagram for mld ssm mapping configuration device interface ip address device interface ip address source 1 — 1001::1/64 source 3 — 3001::1/64 source 2 — 2001::1/64 receiver — 4001::1/64 switch a vlan-int100 1001::2/64 switch c vlan-int300 3001::2/64 vlan-int10...

  • Page 1273

    1-25 [switchd-vlan-interface104] pim ipv6 sm [switchd-vlan-interface104] quit # enable ipv6 multicast routing on switch a, and enable ipv6 pim-sm on each interface. System-view [switcha] multicast ipv6 routing-enable [switcha] interface vlan-interface 100 [switcha-vlan-interface100] pim ipv6 sm [swi...

  • Page 1274

    1-26 use the display mld ssm-mapping group command to view information of the mld multicast groups created based on the configured mld ssm mappings. # display the ipv6 multicast group information created based on the configured mld ssm mappings on switch d. [switchd] display mld ssm-mapping group to...

  • Page 1275

    1-27 • it is required to configure the mld proxying feature on switch b so that switch b can maintain group memberships and forward ipv6 multicast traffic without running ipv6 pim-dm. Network diagram figure 1-9 network diagram for mld proxying configuration configuration procedure 1) enable ipv6 for...

  • Page 1276

    1-28 use the display mld interface command to view the mld configuration and operation information on an interface. For example, # display mld configuration and operation information on vlan-interface 100 of switch b. [switchb] display mld interface vlan-interface 100 verbose vlan-interface100(2001:...

  • Page 1277

    1-29 2) check that the ipv6 multicast routing is enabled. Carry out the display current-configuration command to check whether the multicast ipv6 routing-enable command has been executed. If not, carry out the multicast ipv6 routing-enable command in system view to enable ipv6 multicast routing. In ...

  • Page 1278: Table of Contents

    I table of contents 1 ipv6 pim configuration 1-1 ipv6 pim overview ...

  • Page 1279

    II failure of building a multicast distribution tree correctly 1-46 ipv6 multicast data abnormally terminated on an intermediate router 1-47 rps unable to join spt in ipv6 pim-sm ...

  • Page 1280: Ipv6 Pim Configuration

    1-1 1 ipv6 pim configuration when configuring ipv6 pim, go to these sections for information you are interested in: • ipv6 pim overview • configuring ipv6 pim-dm • configuring ipv6 pim-sm • configuring ipv6 pim-ssm • configuring ipv6 pim common features • displaying and maintaining ipv6 pim • ipv6 p...

  • Page 1281

    1-2 to facilitate description, a network comprising ipv6 pim–supporting routers is referred to as an “ipv6 pim domain” in this document. Introduction to ipv6 pim-dm ipv6 pim-dm is a type of dense mode ipv6 multicast protocol. It uses the “push mode” for ipv6 multicast forwarding, and is suitable for...

  • Page 1282

    1-3 spt establishment the process of constructing an spt is the “flood and prune” process. 1) in an ipv6 pim-dm domain, an ipv6 multicast source first floods ipv6 multicast packets when it sends ipv6 multicast data to ipv6 multicast group g: the packet is subject to an rpf check. If the packet passe...

  • Page 1283

    1-4 pruning has a similar implementation in ipv6 pim-sm. Graft when a host attached to a pruned node joins an ipv6 multicast group, to reduce the join latency, ipv6 pim-dm uses the graft mechanism to resume ipv6 multicast data forwarding to that branch. The process is as follows: 1) the node that ne...

  • Page 1284

    1-5 of the subsequent (s, g) ipv6 multicast packets on the multi-access subnet. The comparison process is as follows: 1) the router with a higher ipv6 unicast route preference to the source wins; 2) if both routers have the same ipv6 unicast route preference to the source, the router with a smaller ...

  • Page 1285

    1-6 • rp discovery • embedded rp • rpt establishment • ipv6 multicast source registration • switchover to spt • assert neighbor discovery ipv6 pim-sm uses a neighbor discovery mechanism similar to that of ipv6 pim-dm. Refer to neighbor discovery. Dr election ipv6 pim-sm also uses hello messages to e...

  • Page 1286

    1-7 1) routers on the multi-access network send hello messages to one another. The hello messages contain the router priority for dr election. The router with the highest dr priority will become the dr. 2) in the case of a tie in the router priority, or if any router in the network does not support ...

  • Page 1287

    1-8 figure 1-4 bsr and c-rps based on the information in the rp-sets, all routers in the network can calculate the location of the corresponding rps based on the following rules: 1) the c-rp with the highest priority wins. ...

  • Page 1288

    1-9 configured rp or the rp dynamically calculated based on the bsr mechanism. The dr does not need to know the rp address beforehand. The specific process is as follows. • at the receiver side: 1) a receiver host initiates an mld report to announce its joining an ipv6 multicast group. 2) upon recei...

  • Page 1289

    1-10 multicast source registration the purpose of ipv6 multicast source registration is to inform the rp about the existence of the ipv6 multicast source. Figure 1-6 ipv6 multicast source registration ...

  • Page 1290

    1-11 switchover to spt in an ipv6 pim-sm domain, an ipv6 multicast group corresponds to one rp and one rpt. Before the spt switchover takes place, the dr at the ipv6 multicast source side encapsulates all multicast data destined to the multicast group in register messages and sends these messages to...

  • Page 1291

    1-12 ssm model implementation in ipv6 pim the source-specific multicast (ssm) model and the any-source multicast (asm) model are two opposite models. Presently, the asm model includes the ipv6 pim-dm and ipv6 pim-sm modes. The ssm model can be implemented by leveraging part of the ipv6 pim-sm techni...

  • Page 1292

    1-13 figure 1-7 building an spt in ipv6 pim-ssm as shown in figure 1-7, hosts b and c are ipv6 multicast information receivers. They send an mldv2 report message to the respective drs to announce that they are interested in the information of the specific ipv6 multicast source s and that sent to th...

  • Page 1293

    1-14 configuring ipv6 pim-dm ipv6 pim-dm configuration task list complete these tasks to configure ipv6 pim-dm: task remarks enabling ipv6 pim-dm required enabling state-refresh capability optional configuring state refresh parameters optional configuring ipv6 pim-dm graft retry period optional conf...

  • Page 1294

    1-15 • all the interfaces of the same device must work in the same ipv6 pim mode. • ipv6 pim-dm cannot be used for ipv6 multicast groups in the ipv6 ssm group range. For details about the multicast ipv6 routing-table command, see ipv6 multicast routing and forwarding commands in the ip multicast vol...

  • Page 1295

    1-16 follow these steps to configure state-refresh parameters: to do... Use the command... Remarks enter system view system-view — enter ipv6 pim view pim ipv6 — configure the interval between state-refresh messages state-refresh-interval interval optional 60 seconds by default configure the time to...

  • Page 1296

    1-17 configuring ipv6 pim-sm ipv6 pim-sm configuration task list complete these tasks to configure ipv6 pim-sm: task remarks enabling ipv6 pim-sm required configuring a static rp optional configuring a c-rp optional enabling embedded rp optional configuring an rp configuring c-rp timers globally opt...

  • Page 1297

    1-18 enabling ipv6 pim-sm with ipv6 pim-sm enabled, a router sends hello messages periodically to discover ipv6 pim neighbors and processes messages from the ipv6 pim neighbors. When deploying an ipv6 pim-sm domain, it is recommended that you enable ipv6 pim-sm on all non-border interfaces of the router...

  • Page 1298

    1-19 to do… use the command… remarks configure a static rp static-rp ipv6-rp-address [ acl6-number ] [ preferred ] required no static rp by default to enable a static rp to work normally, you must perform this configuration on all routers in the ipv6 pim-sm domain and specify the same rp address. Co...

  • Page 1299

    1-20 enabling embedded rp with the embedded rp feature enabled, the router can resolve the rp address directly from the ipv6 multicast group address of an ipv6 multicast packet. This rp can replace the statically configured rp or the rp dynamically calculated based on the bsr mechanism. Thus, the d...

  • Page 1300

    1-21 for the configuration of other timers in ipv6 pim-sm, refer to configuring ipv6 pim common timers . Configuring a bsr an ipv6 pim-sm domain can have only one bsr, but must have at least one c-bsr. Any router can be configured as a c-bsr. Elected from c-bsrs, the bsr is responsible for collectin...

  • Page 1301

    1-22 to do... Use the command... Remarks enter ipv6 pim view pim ipv6 — configure an interface as a c-bsr c-bsr ipv6-address [ hash-length [ priority ] ] required no c-bsrs are configured by default. Configure a legal bsr address range bsr-policy acl6-number optional no restrictions by default since...

  • Page 1302

    1-23 to do... Use the command... Remarks enter ipv6 pim view pim ipv6 — configure the hash mask length c-bsr hash-length hash-length optional 126 by default configure the c-bsr priority c-bsr priority priority optional 0 by default configuring c-bsr timers the bsr election winner multicasts its own ...

  • Page 1303

    1-24 in configuration, make sure that the bs period is smaller than the bs timeout value. Configuring ipv6 multicast source registration within an ipv6 pim-sm domain, the source-side dr sends register messages to the rp, and these register messages have different ipv6 multicast source or ipv6 multic...

  • Page 1304

    1-25 to do... Use the command... Remarks configure the register probe time probe-interval interval optional 5 seconds by default configuring spt switchover if an s7900e series routing switch acts as an rp or the receiver-side dr, it initiates an spt switchover process (by default) upon receiving the...

  • Page 1305

    1-26 task remarks enabling ipv6 pim-sm required configuring the ipv6 ssm group range optional configuring ipv6 pim common features optional configuration prerequisites before configuring ipv6 pim-ssm, complete the following task: • configure any ipv6 unicast routing protocol so that all devices in t...

  • Page 1306

    1-27 configuring the ipv6 ssm group range as for whether the information from an ipv6 multicast source is delivered to the receivers based on the ipv6 pim-ssm model or the ipv6 pim-sm model, this depends on whether the group address in the (s, g) channel subscribed by the receivers falls in the ipv6...

  • Page 1307

    1-28 for the functions or parameters that can be configured in both ipv6 pim view and interface view described in this section: • configurations performed in ipv6 pim view are effective to all interfaces, while configurations performed in interface view are effective to the current interface only. •...

  • Page 1308

    1-29 • maximum number of (s, g) entries in a join/prune message configuring an ipv6 multicast data filter whether in an ipv6 pim-dm domain or an ipv6 pim-sm domain, routers can check passing-by ipv6 multicast data based on the configured filtering rules and determine whether to continue forwarding...

  • Page 1309

    1-30 with the hello message filter configured, if hello messages of an existing ipv6 pim neighbor fail to pass the filter, the ipv6 pim neighbor will be removed automatically when it times out. Configuring ipv6 pim hello options whether in an ipv6 pim-dm domain or an ipv6 pim-sm domain, the hello ...

  • Page 1310

    1-31 to do... Use the command... Remarks enter ipv6 pim view pim ipv6 — configure the priority for dr election hello-option dr-priority priority optional 1 by default configure ipv6 pim neighbor timeout time hello-option holdtime interval optional 105 seconds by default configure the prune message d...

  • Page 1311

    1-32 follow these steps to configure the prune delay time to do... Use the command... Remarks enter system view system-view — enter ipv6 pim view pim ipv6 — configure the prune delay interval prune delay interval optional 3 seconds by default configuring ipv6 pim common timers ipv6 pim routers disco...

  • Page 1312

    1-33 configuring ipv6 pim common timers on an interface follow these steps to configure ipv6 pim common timers on an interface: to do... Use the command... Remarks enter system view system-view — enter interface view interface interface-type interface-number — configure the hello interval pim ipv6 t...

  • Page 1313

    1-34 displaying and maintaining ipv6 pim to do... Use the command... Remarks view the bsr information in the ipv6 pim-sm domain and locally configured c-rp information in effect display pim ipv6 bsr-info available in any view view the information of ipv6 unicast routes used by ipv6 pim display pim i...

  • Page 1314

    1-35 • switch d connects to the network that comprises the multicast source (source) through vlan-interface 300. • switch a connects to n1 through vlan-interface 100, and to switch d through vlan-interface 103. • switch b and switch c connect to n2 through their respective vlan-interface 200, and to...

  • Page 1315

    1-36 [switcha] interface vlan-interface 100 [switcha-vlan-interface100] mld enable [switcha-vlan-interface100] pim ipv6 dm [switcha-vlan-interface100] quit [switcha] interface vlan-interface 103 [switcha-vlan-interface103] pim ipv6 dm [switcha-vlan-interface103] quit the configuration on switch b an...

  • Page 1316

    1-37 2002::1 vlan101 00:04:16 00:01:29 3 3001::1 vlan102 00:03:54 00:01:17 5 assume that host a needs to receive the information addressed to ipv6 multicast group g (ff0e::101). After ipv6 multicast source s (4001::100/64) sends ipv6 multicast packets to the ipv6 multicast group g, an spt is establi...

  • Page 1317

    1-38 1: vlan-interface103 protocol: pim-dm, uptime: 00:02:19, expires: never 2: vlan-interface101 protocol: pim-dm, uptime: 00:02:19, expires: never 3: vlan-interface102 protocol: pim-dm, uptime: 00:02:19, expires: never ipv6 pim-sm configuration example network requirements • receivers receive vod ...

  • Page 1318

    1-39 vlan-int101 1002::1/64 vlan-int101 1002::2/64 vlan-int102 1003::1/64 vlan-int105 4002::1/64 switch b vlan-int200 2001::1/64 switch e vlan-int104 3001::2/64 vlan-int103 2002::1/64 vlan-int103 2002::2/64 switch c vlan-int200 2001::2/64 vlan-int102 1003::2/64 vlan-int104 3001::1/64 vlan-int105 400...

  • Page 1319

    1-40 # on switch e, configure the service scope of rp advertisements, specify a c-bsr and a c-rp, and set the hash mask length to 128 and the priority of the c-bsr to 20. System-view [switche] acl ipv6 number 2005 [switche-acl6-basic-2005] rule permit source ff0e::101 64 [switche-acl6-basic-2005] qu...

  • Page 1320

    1-41 holdtime: 130 advertisement interval: 60 next advertisement scheduled at: 00:00:48 # view the bsr information and the locally configured c-rp information in effect on switch e. [switche] display pim ipv6 bsr-info elected bsr address: 1003::2 priority: 20 hash mask length: 128 state: elected upt...

  • Page 1321

    1-42 [switcha] display pim ipv6 routing-table total 1 (*, g) entry; 1 (s, g) entry (*, ff0e::100) rp: 1003::2 protocol: pim-sm, flag: wc uptime: 00:03:45 upstream interface: vlan-interface102 upstream neighbor: 1003::2 rpf prime neighbor: 1003::2 downstream interface(s) information: total number of ...

  • Page 1322

    1-43 (*, ff0e::100) rp: 1003::2 (local) protocol: pim-sm, flag: wc uptime: 00:16:56 upstream interface: register upstream neighbor: 4002::1 rpf prime neighbor: 4002::1 downstream interface(s) information: total number of downstreams: 1 1: vlan-interface102 protocol: pim-sm, uptime: 00:16:56, expires...

  • Page 1323

    1-44 figure 1-10 network diagram for ipv6 pim-ssm configuration source 4001::100/64 ipv6 pim-sm switch a switch b switch c switch d receiver host a host b host c host d receiver n1 n2 switch e vlan-int100 vlan-int200 vlan-int200 vlan-int300 vlan-int102 vlan-int102 vlan-...

  • Page 1324

    1-45 [switcha-vlan-interface100] quit [switcha] interface vlan-interface 101 [switcha-vlan-interface101] pim ipv6 sm [switcha-vlan-interface101] quit [switcha] interface vlan-interface 102 [switcha-vlan-interface102] pim ipv6 sm [switcha-vlan-interface102] quit the configuration on switch b and swit...

  • Page 1325

    1-46 rpf prime neighbor: 1002::2 downstream interface(s) information: total number of downstreams: 1 1: vlan-interface100 protocol: mld, uptime: 00:00:11, expires: 00:03:25 the information on switch b and switch c is similar to that on switch a. # view the ipv6 pim multicast routing table informatio...

  • Page 1326

    1-47 3) check that the rpf neighbor is an ipv6 pim neighbor. Use the display pim ipv6 neighbor command to view the pim neighbor information. 4) check that ipv6 pim and mld are enabled on the interfaces directly connecting to the ipv6 multicast source and to the receiver. 5) check that the same ipv6 ...

  • Page 1327

    1-48 • in the case of the static rp mechanism, the same rp address must be configured on all the routers in the entire network, including static rps, by means of the static rp command. Otherwise, ipv6 multicast will fail. Solution 1) check that a route is available to the rp. Carry out the display i...

  • Page 1328: Table of Contents

    I table of contents 1 ipv6 mbgp configuration 1-1 ipv6 mbgp overview ...

  • Page 1329: Ipv6 Mbgp Configuration

    1-1 1 ipv6 mbgp configuration when configuring ipv6 mbgp, go to these sections for information you are interested in: • ipv6 mbgp overview • ipv6 mbgp configuration task list • configuring ipv6 mbgp basic functions • controlling route distribution and reception • configuring ipv6 mbgp route attribut...

  • Page 1330

    1-2 for information about rpf, refer to multicast routing and forwarding in the ip multicast volume. Ipv6 mbgp configuration task list complete the following tasks to configure ipv6 mbgp: task remarks configuring an ipv6 mbgp peer required configuring ipv6 mbgp basic functions configuring a preferre...

  • Page 1331

    1-3 • complete bgp basic configuration configuring an ipv6 mbgp peer follow these steps to configure an ipv6 mbgp peer: to do… use the command… remarks enter system view system-view — enable bgp and enter bgp view bgp as-number required not enabled by default enter ipv6 address family view ipv6-famil...

  • Page 1332

    1-4 controlling route distribution and reception configuration prerequisites before configuring this task, you need to: • enable ipv6. • configure the ipv6 mbgp basic functions. Injecting a local ipv6 mbgp route follow these steps to inject a local ipv6 mbgp route: to do… use the command… remarks en...

  • Page 1333

    1-5 configuring ipv6 mbgp route summarization to reduce the routing table size on medium and large bgp networks, you need to configure route summarization on ipv6 mbgp routers. Bgp supports only manual summarization of ipv6 multicast routes. Follow these steps to configure ipv6 mbgp route summarizat...

  • Page 1336

    1-8 configuration prerequisites before the configuration, accomplish the following tasks: • enable ipv6 • configure the ipv6 mbgp basic functions configuring ipv6 mbgp route preferences follow these steps to configure ipv6 mbgp route preferences: to do… use the command… remarks enter system view sys...

  • Page 1337

    1-9 to do… use the command… remarks enable the comparison of the med for routes from different ass compare-different-as-med optional not enabled by default enable the comparison of the med for routes from each as bestroute compare-med optional disabled by default enable the comparison of the med for...

  • Page 1341

    1-13 configuring a large scale ipv6 mbgp network configuration prerequisites before configuring the following tasks, you need to configure ipv6 mbgp basic functions. Configuring an ipv6 mbgp peer group for easy management and configuration, you can organize some ipv6 mbgp peers having the same route...

  • Page 1342

    1-14 follow these steps to advertise the community attribute to an ipv6 mbgp peer/peer group: to do… use the command… remarks enter system view system-view — enter bgp view bgp as-number — enter ipv6 mbgp address family view ipv6-family multicast — advertise the community attribute to an ipv6 mbgp p...

  • Page 1343

    1-15 to do… use the command… remarks configure the cluster id of the route reflector reflector cluster-id cluster-id optional by default, a route reflector uses its router id as the cluster id. • the clients of a route reflector should not be fully meshed, and the route reflector reflects the routes...

  • Page 1344

    1-16 to do… use the command… remarks display ipv6 mbgp dampening parameter information display bgp ipv6 multicast routing-table dampening parameter available in any view display ipv6 mbgp routing information originated from different ass display bgp ipv6 multicast routing-table different-origin-as a...

  • Page 1345

    1-17 ipv6 mbgp configuration example network requirements as shown in the following figure: • ipv6 pim-sm 1 is in as 100 and ipv6 pim-sm 2 is in as 200. Ospfv3 is the igp in the two ass, and ipv6 mbgp runs between the two ass to exchange ipv6 multicast route information. • the ipv6 multicast source ...

  • Page 1346

    1-18 [switcha-vlan-interface101] pim ipv6 sm [switcha-vlan-interface101] quit the configuration on switch b and switch d is similar to the configuration on switch a. # enable ipv6 multicast routing on switch c, enable ipv6 pim-sm on each interface, and enable mld on the host-side interface vlan-inte...

  • Page 1347

    1-19 [switcha-bgp-af-ipv6] quit [switcha-bgp] ipv6-family multicast [switcha-bgp-af-ipv6-mul] peer 1001::2 enable [switcha-bgp-af-ipv6-mul] import-route direct [switcha-bgp-af-ipv6-mul] quit [switcha-bgp] quit # on switch b, configure the ipv6 mbgp peers and redistribute ospf routes. [switchb] ipv6 ...

  • Page 1348: Table of Contents

    I table of contents 1 mld snooping configuration 1-1 mld snooping overview ...

  • Page 1349

    II mld snooping proxying configuration example 1-32 troubleshooting mld snooping 1-35 switch fails in layer 2 multicast...

  • Page 1350: Mld Snooping Configuration

    1-1 1 mld snooping configuration when configuring mld snooping, go to these sections for information you are interested in: • mld snooping overview • mld snooping configuration task list • displaying and maintaining mld snooping • mld snooping configuration examples • troubleshooting mld snooping • ...

  • Page 1351

    1-2 figure 1-1 before and after mld snooping is enabled on the layer 2 device (panels: ipv6 multicast packet transmission without mld snooping; ipv6 multicast packet transmission when mld snooping runs) ...

  • Page 1352

    1-3 • router port: a router port is a port on the ethernet switch that leads the switch towards the layer-3 multicast device (dr or mld querier). In the figure, gigabitethernet 2/0/1 of switch a and gigabitethernet 2/0/1 of switch b are router ports. The switch registers all its local router ports in it...

  • Page 1353

    1-4 how mld snooping works a switch running mld snooping performs different actions when it receives different mld messages, as follows: the description about adding or deleting a port in this section is only for a dynamic port. Static ports can be added or deleted only through the corresponding con...

  • Page 1354

    1-5 a switch does not forward an mld report through a non-router port. This is because if the switch forwards a report message through a member port, all the attached hosts listening to the reported ipv6 multicast address will suppress their own reports upon receiving this report according to the ml...

  • Page 1355

    1-6 mld snooping proxying you can configure the mld snooping proxying function on an edge device to reduce the number of mld reports and done messages sent to its upstream device. The device configured with mld snooping proxying is called an mld snooping proxy. It is a host from the perspective of i...

  • Page 1356

    1-7 mld message actions report when receiving a report for an ipv6 multicast group, the proxy looks up the multicast forwarding table for the entry for the multicast group. If the forwarding entry is found with the receiving port contained as a dynamic port in the outgoing port list, the proxy reset...

  • Page 1357

    1-8 mld snooping configuration task list complete these tasks to configure mld snooping: task remarks enabling mld snooping required configuring the version of mld snooping optional configuring basic functions of mld snooping configuring limit on the number of forwarding entries globally optional co...

  • Page 1358

    1-9 • configurations made in mld snooping view are effective for all vlans, while configurations made in vlan view are effective only for ports belonging to the current vlan. For a given vlan, a configuration made in mld snooping view is effective only if the same configuration is not made in vlan v...

  • Page 1359

    1-10 • mld snooping must be enabled globally before it can be enabled in a vlan. • after enabling mld snooping in a vlan, you cannot enable mld and/or ipv6 pim on the corresponding vlan interface, and vice versa. • when you enable mld snooping in a specified vlan, this function takes effect for port...

  • Page 1360

    1-11 to do... Use the command... Remarks enter mld snooping view mld-snooping — configure the maximum number of mld snooping entries entry-limit limit required 512 by default. If the number of existing entries is larger than the limit when you configure it, the device informs you to remove excessive...

  • Page 1361

    1-12 to do... Use the command... Remarks configure dynamic member port aging time host-aging-time interval optional 260 seconds by default configuring aging timers for dynamic ports in a vlan follow these steps to configure aging timers for dynamic ports in a vlan: to do... Use the command... Remark...

  • Page 1362

    1-13 • an ipv6 static (s, g) join takes effect only if a valid ipv6 multicast source address is specified and mld snooping version 2 is currently running. • a static member port does not respond to queries from the mld querier; when static (*, g) or (s, g) joining is enabled or disabled on a port, t...

  • Page 1363

    1-14 • each simulated host is equivalent to an independent host. For example, when receiving an mld query, the simulated host corresponding to each configuration responds separately. • unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port...

  • Page 1364

    1-15 configuring mld snooping querier configuration prerequisites before configuring mld snooping querier, complete the following task: • enable mld snooping in the vlan. Before configuring mld snooping querier, prepare the following data: • mld general query interval, • mld last-member query interv...

  • Page 1365

    1-16 the maximum response time (the host obtains the value of the maximum response time from the max response time field in the mld query it received). When the timer value comes down to 0, the host sends an mld report to the corresponding ipv6 multicast group. An appropriate setting of the maximum ...

  • Page 1366

    1-17 configuring source ipv6 addresses of mld queries this configuration allows you to change the source ipv6 address of mld queries. Follow these steps to configure source ipv6 addresses of mld queries: to do... Use the command... Remarks enter system view system-view — enter vlan view vlan vlan-id...

  • Page 1367

    1-18 configuring a source ipv6 address for the mld messages sent by the proxy you can set the source ipv6 addresses in the mld reports and done messages sent by the mld snooping proxy on behalf of its attached hosts. Follow these steps to configure the source ipv6 addresses for the mld messages sent...

  • Page 1368

    1-19 to do... Use the command... Remarks configure an ipv6 multicast group filter group-policy acl6-number [ vlan vlan-list] required by default, no group filter is globally configured, that is, hosts in vlans can join any valid ipv6 multicast group. Configuring an ipv6 multicast group filter on a p...

  • Page 1369

    1-20 to do... Use the command... Remarks interface interface-type interface-number enter ethernet port/olt port view or port group view port-group manual port-group-name required use either approach enable ipv6 multicast source port filtering mld-snooping source-deny required disabled by default con...

  • Page 1370

    1-21
    - For devices that support both the drop-unknown and mld-snooping drop-unknown commands at the same time, the configuration made in MLD snooping view and the configuration made in VLAN view are mutually exclusive. Namely, after this function is enabled in MLD snooping view, it cannot be enabled or ...

  • Page 1371

    1-22 on an mld snooping proxy, mld membership reports are suppressed if the entries for the corresponding groups exist in the forwarding table, no matter the suppression function is enabled or not. Configuring maximum multicast groups that can be joined on a port by configuring the maximum number of...

  • Page 1372

    1-23 To address this situation, you can enable the IPv6 multicast group replacement function on the switch or on certain ports. When the number of IPv6 multicast groups a switch or a port has joined exceeds the limit:
    - If IPv6 multicast group replacement is enabled, the newly joined IPv6 multicast...

  • Page 1373

    1-24 to do... Use the command... Remarks enter system view system-view — enter mld-snooping view mld-snooping — configure 802.1p precedence for mld messages dot1p-priority priority-number required the default 802.1p precedence for mld messages is 0. Configuring 802.1p precedence for mld messages in ...

  • Page 1374

    1-25 MLD snooping configuration examples. IPv6 group policy and simulated joining configuration example. Network requirements:
    - As shown in Figure 1-4, Router A connects to the IPv6 multicast source through GigabitEthernet 2/0/2 and to Switch A through GigabitEthernet 2/0/1. Router A is the MLD queri...

  • Page 1375

    1-26 3) configure switch a # enable mld snooping globally. System-view [switcha] mld-snooping [switcha-mld-snooping] quit # create vlan 100, assign gigabitethernet 2/0/1 through gigabitethernet 2/0/4 to this vlan, and enable mld snooping and the function of dropping ipv6 unknown multicast traffic in...

  • Page 1376

    1-27 ip group address:ff1e::101 (::, ff1e::101): attribute: host board host port unit board: mask(0x04) host port(s):total 2 port. Ge2/0/3 (d) ge2/0/4 (d) mac group(s): mac group address:3333-0000-1001 host port unit board: mask(0x04) host port(s):total 2 port. Ge2/0/3 ge2/0/4 as shown above, gigabi...

  • Page 1377

    1-28 Figure 1-5 Network diagram for static port configuration [diagram: Source, Router A (MLD querier), Switch A, Switch B, Switch C, receivers Host A, Host B and Host C; port and address labels not reproduced] ...

  • Page 1378

    1-29 # configure gigabitethernet 2/0/3 to be a static router port. [switcha] interface gigabitethernet 2/0/3 [switcha-gigabitethernet2/0/3] mld-snooping static-router-port vlan 100 [switcha-gigabitethernet2/0/3] quit 4) configure switch b # enable mld snooping globally. System-view [switchb] mld-sno...

  • Page 1379

    1-30 total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port unit board: mask(0x04) router port(s):total 2 port. Ge2/0/1 (d) ge2/0/3 (s) ip group(s):the following ip group(s) match to one mac group. Ip group address:ff1e::101 (::, ff1e::101): attribute: host board host port unit...

  • Page 1380

    1-31 ge2/0/3 ge2/0/5 As shown above, GigabitEthernet 2/0/3 and GigabitEthernet 2/0/5 on Switch C have become static member ports for IPv6 multicast group ff1e::101. MLD snooping querier configuration example. Network requirements:
    - As shown in Figure 1-6, in a layer-2-only network environment, two m...

  • Page 1381

    1-32 [switcha-vlan100] mld-snooping enable [switcha-vlan100] mld-snooping drop-unknown # configure mld snooping querier feature in vlan 100. [switcha-vlan100] mld-snooping querier [switcha-vlan100] quit 2) configure switch b # enable ipv6 forwarding and enable mld snooping globally. System-view [swi...

  • Page 1382

    1-33
    - Router A connects to an IPv6 multicast source through port GigabitEthernet 2/0/2, and to Switch A through port GigabitEthernet 2/0/1.
    - Router A runs MLDv1 and Switch A runs MLDv1 snooping. Router A acts as an MLD querier.
    - Configure MLD snooping proxying on Switch A, enabling the switch to ...

  • Page 1383

    1-34 [switcha] vlan 100 [switcha-vlan100] port gigabitethernet 2/0/1 to gigabitethernet 2/0/4 [switcha-vlan100] mld-snooping enable [switcha-vlan100] mld-snooping proxying enable [switcha-vlan100] quit 4) verify the configuration after the configuration is completed, host a and host b send mld join ...

  • Page 1384

    1-35 when host a leaves the ipv6 multicast group, it sends an mld done message to switch a. Receiving the message, switch a removes port gigabitethernet 2/0/3 from the member port list of the forwarding entry for the group; however, it does not remove the group or forward the done message to router ...

  • Page 1385

    1-36 Configured IPv6 multicast group policy fails to take effect. Symptom: although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis:
    - The IPv6 ACL rule is incor...

  • Page 1386: Table of Contents

    I Table of contents: 1 IPv6 multicast VLAN configuration 1-1; Introduction to IPv6 multicast VLAN ...

  • Page 1387

    1-1 1 IPv6 multicast VLAN configuration. EA boards (such as LSQ1GP12EA and LSQ1TGX1EA) do not support IPv6 features. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
    - Introduction to IPv6 multicast VLAN
    - IPv6 multicast VLAN configuration task list
    - ...

  • Page 1388

    1-2 multicast vlan instead of making a separate copy of the multicast traffic in each user vlan. This saves the network bandwidth and lessens the burden of the layer 3 device. The ipv6 multicast vlan feature can be implemented in two approaches, as described below: sub-vlan-based ipv6 multicast vlan...

  • Page 1389

    1-3 figure 1-3 port-based ipv6 multicast vlan after the configuration, upon receiving an mld message on a user port, switch a tags the message with the ipv6 multicast vlan id and relays it to the mld querier, so that mld snooping can uniformly manage the router ports and member ports in the ipv6 mul...

  • Page 1390

    1-4 if you have configured both sub-vlan-based ipv6 multicast vlan and port-based ipv6 multicast vlan on a device, the port-based ipv6 multicast vlan configuration is given preference. Configuring ipv6 sub-vlan-based ipv6 multicast vlan configuration prerequisites before configuring sub-vlan-based i...

  • Page 1391

    1-5 Configuring port-based IPv6 multicast VLAN. When configuring port-based IPv6 multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the IPv6 multicast VLAN.
    - A user port can be configured as a multicast VLAN port only if it is of the Ethernet, or laye...

  • Page 1393

    1-7 To do… Use this command… Remarks: (port) group view: port-group manual port-group-name, use either command. Configure the port(s) as port(s) of the IPv6 multicast VLAN: port multicast-vlan ipv6 vlan-id, required; by default, a user port does not belong to any IPv6 multicast VLAN.
    - You cannot configure IPv6 m...

  • Page 1394

    1-8 displaying and maintaining ipv6 multicast vlan to do… use the command… remarks display information about an ipv6 multicast vlan display multicast-vlan ipv6 [ vlan-id ] available in any view ipv6 multicast vlan configuration examples sub-vlan-based multicast vlan configuration example network req...

  • Page 1395

    1-9 enable ipv6 forwarding on each device and configure an ipv6 address and address prefix for each interface as per figure 1-4 . The detailed configuration steps are omitted here. 2) configure router a # enable ipv6 multicast routing, enable ipv6 pim-dm on each interface and enable mld on the host-...

  • Page 1396

    1-10 [switcha] display mld-snooping group total 4 ip group(s). Total 4 ip source(s). Total 4 mac group(s). Port flags: d-dynamic port, s-static port, c-copy port subvlan flags: r-real vlan, c-copy vlan vlan(id):2. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total ...

  • Page 1397

    1-11 ge2/0/4 vlan(id):10. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Ge2/0/1 (d) ip group(s):the following ip group(s) match to one mac group. Ip group address:ff1e::101 (::, ff1e::101): host port(s):total 0 port. Mac group(s): mac group address:333...

  • Page 1398

    1-12 Figure 1-5 Network diagram for port-based IPv6 multicast VLAN configuration [diagram: Source, Router A (MLD querier), Switch A, receivers Host A (VLAN 2), Host B (VLAN 3) and Host C (VLAN 4); port and address labels not reproduced]. Configuration procedure 1) Enable IPv6 ...

  • Page 1399

    1-13 [switcha] vlan 2 [switcha-vlan2] mld-snooping enable [switcha-vlan2] quit The configuration for VLAN 3 and VLAN 4 is similar. The detailed configuration steps are omitted. # Configure GigabitEthernet 2/0/2 as a hybrid port. Configure VLAN 2 as the default VLAN. Configure GigabitEthernet 2/0/2 to...

  • Page 1400

    1-14 subvlan flags: r-real vlan, c-copy vlan vlan(id):10. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Ge2/0/1 (d) ip group(s):the following ip group(s) match to one mac group. Ip group address:ff1e::101 (::, ff1e::101): host port(s):total 3 port. Ge2...

  • Page 1401: Mpls Volume Organization

    Mpls volume organization manual version 20091015-c-1.00 product version release 6605 and later organization the mpls volume is organized as follows: features description mce multi-ce (mce) enables a switch to function as the ces of multiple vpn instances in a bgp/mpls vpn network, thus reducing the ...

  • Page 1402

    Features description: MPLS L3VPN. MPLS L3VPN is a kind of PE-based L3VPN technology for service provider VPN solutions. This document describes:
    - MPLS L3VPN overview
    - Configuring VPN instances
    - Configuring basic MPLS L3VPN
    - Configuring inter-provider MPLS L3VPN
    - Configuring nested VPN
    - Configuri...

  • Page 1403: Table of Contents

    I Table of contents: 1 MCE overview 1-1; MCE overview ...

  • Page 1404: McE Overview

    1-1 1 mce overview the term “router” in this document refers to a router in a generic sense or a layer 3 switch running routing protocols. Mce overview multi-ce (mce) enables a switch to function as the ces of multiple vpn instances in a bgp/mpls vpn network, thus reducing the investment on network ...

  • Page 1405

    1-2 figure 1-1 a bgp/mpls vpn implementation ces and pes mark the boundary between the service providers and the customers. A ce is usually a router. After a ce establishes adjacency with a directly connected pe, it redistributes its vpn routes to the pe and learns remote vpn routes from the pe. A c...

  • Page 1406

    1-3 address space overlapping each vpn independently manages the addresses that it uses. The assembly of such addresses for a vpn is called an address space. The address spaces of vpns may overlap. For example, if both vpn 1 and vpn 2 use the addresses in network segment 10.110.10.0/24, address spac...

  • Page 1407

    1-4 It is recommended that you configure a distinct RD for each VPN instance on a PE, guaranteeing that routes to the same CE use the same RD. The VPN-IPv4 address with an RD of 0 is in fact a globally unique IPv4 address. By prefixing a distinct RD to a specific IPv4 address prefix, you make it a globa...

  • Page 1408

    1-5 an s7900e switch with mce enabled can solve this problem. By binding the vlan interfaces to the vpns in a network on an s7900e switch of this kind, you can create and maintain a routing table for each of the vpns. In this way, packets of different vpns in the private network can be isolated. Mor...

  • Page 1409

    1-6
    - Static route
    - RIP
    - OSPF
    - IS-IS
    - EBGP
    This introduces the cooperation of routing protocols and MCE in brief. For details on routing protocols, see the IP Routing Volume. Static routes: a CE can communicate with a site through static routes. As static routes configured for traditional CEs take...

  • Page 1410

    1-7 normally, when an ospf route is imported to the bgp routing table as a bgp route on a pe, some attributes of the ospf route get lost. When the bgp route is imported to the ospf routing table on the remote ce, not all the attributes of the original ospf routes can be restored. As a result, the ro...

  • Page 1411

    1-8
    - RIP
    - OSPF
    - IS-IS
    - EBGP
    For information on how to configure the routing protocols and how to import routes, refer to the IP Routing Volume.

  • Page 1412: McE Configuration

    2-1 2 mce configuration for detailed information on the routing protocol configuration mentioned in this chapter, see the ip routing volume. Configuring a vpn instance vpn instance configuration task list complete the following tasks to configure a vpn instance: task remarks creating a vpn instance ...

  • Page 1413

    2-2 To do… Use the command… Remarks: set the description information for the VPN instance: description text, optional; by default, a VPN instance has no description configured. The RD configured for a VPN instance on the MCE device must be the same as that configured for the VPN instance on the PE device. A...

  • Page 1417

    2-6 to do… use the command… remarks enter system view system-view — enable is-is for a vpn instance and enter is-is view isis [ process-id ] vpn-instance vpn-instance-name required this operation is performed on the mce device. As for the corresponding configuration on the site, you can just enable ...

  • Page 1419

    2-8 In a VPN instance with BGP enabled, BGP route exchange is processed in the same way as in a normal BGP-enabled network. Configuring route exchange between an MCE and a PE. Configuring route exchange between an MCE and a PE: complete the following tasks to configure route exchange between a...

  • Page 1420

    2-9
    - A static route configured for a VPN instance does not take effect if you configure the next hop address of the route as the IP address of a local interface (such as an Ethernet interface or VLAN interface).
    - If the default static route preference is not configured, the preference of a newly define...

  • Page 1422

    2-11 Configure to use EBGP between an MCE and a PE. To use EBGP to exchange routing information between an MCE and a PE, you need to configure the peer end as a peer in the BGP-VPNs on both ends, import VPN routes in the site to the MCE, and then advertise these routes to the PE. Follow these steps to ...

  • Page 1424

    2-13 MCE configuration example. MCE configuration example (a). Network requirements:
    - An MCE device connects to VPN1 (with the address range being 192.168.0.0/16) through VLAN-interface 10 (with the IP address being 10.214.10.3) and connects to VPN2 (with the address range being 192.168.10.0/24) throu...

  • Page 1425

    2-14 [mce] ip vpn-instance vpn2 [mce-vpn-instance-vpn2] route-distinguisher 20:1 # create vlan 10, add gigabitethernet 2/0/10 to vlan 10, and create vlan-interface 10. [mce-vpn-instance-vpn2] quit [mce] vlan 10 [mce-vlan10] port gigabitethernet 2/0/10 [mce-vlan10] quit [mce] interface vlan-interface...

  • Page 1426

    2-15 # define a static route on mce, specify the next hop address 10.214.10.2 for packets destined for the network segment 192.168.0.0, and bind this route to vpn1. [mce-vlan-interface10] quit [mce] ip route-static vpn-instance vpn1 192.168.0.0 16 10.214.10.2 # display the information about the rout...

  • Page 1427

    2-16 192.168.10.0/24 rip 100 1 10.214.20.2 vlan20 as shown in the displayed information above, mce has obtained the routes of vpn2 through rip, and maintains these routes in a routing table different from the routing table for routing information of vpn1 to the network segment 192.168.0.0, thus isol...

  • Page 1428

    2-17 destinations : 6 routes : 6 destination/mask proto pre cost nexthop interface 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 10.214.30.0/24 direct 0 0 10.214.30.1 vlan30 10.214.30.2/32 direct 0 0 127.0.0.1 inloop0 100.100.10.1/32 direct 0 0 127.0.0.1 inloop0 ...

  • Page 1429

    2-18 Network diagram. Figure 2-2 Network diagram for MCE configuration (b) [diagram: CE at site 1 (VPN 2, BGP 200), PEs, MCE with VLAN-interface 2 (10.100.10.1, OSPF, 172.16.10.0), VLAN-interface 3 (10.100.20.1, OSPF, 172.16.20.0), VLAN-interface 30 (10.100.30.1) and VLAN-interface 40, CE at site 2 (VPN 1); remaining labels not reproduced] ...

  • Page 1430

    2-19 # create vlan 3, add gigabitethernet 2/0/20 to vlan 3, create vlan-interface 3, bind vlan-interface 3 to vpn2, and configure ip address 10.214.20.3/24 for vlan-interface 3. [mce-vlan-interface10] quit [mce] vlan 3 [mce-vlan3] port gigabitethernet 2/0/20 [mce-vlan3] quit [mce] interface vlan-int...

  • Page 1431

    2-20 10.100.10.1/32 direct 0 0 127.0.0.1 inloop0 172.16.10.0/24 ospf 10 1 10.100.10.2 vlan2 as shown in the displayed information above, mce has obtained the routing information of vpn1 through ospf process 10. # create ospf process 20 for mce whose router id is 10.10.20.1, bind the process to vpn2....

  • Page 1432

    2-21 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 10.100.30.0/24 direct 0 0 10.100.10.3 vlan2 10.100.30.3/32 direct 0 0 127.0.0.1 inloop0 172.16.10.0/24 bgp 255 2 10.100.10.2 vlan2 # for vpn2, perform the configurations similar to the above on mce and pe to impo...

  • Page 1433: Table of Contents

    I Table of contents: 1 MPLS basics configuration 1-1; MPLS overview ...

  • Page 1434

    II Configuration procedure 1-26; Restarting MPLS LDP gracefully 1-27; Configuring BFD for MPL...

  • Page 1435: Mpls Basics Configuration

    1-1 1 MPLS basics configuration. When performing MPLS basics configuration, go to these sections for information you are interested in:
    - MPLS overview
    - MPLS configuration basics
    - LDP overview
    - Configuring MPLS basic capability
    - Configuring PHP
    - Configuring a static LSP
    - Configuring MPLS LDP
    - ...

  • Page 1436

    1-2 mpls integrates both layer 2 fast switching and layer 3 routing and forwarding, satisfying the networking requirements of various new applications. For details about the mpls architecture, refer to rfc 3031 “multiprotocol label switching architecture”. Basic concepts of mpls fec as a forwarding ...

  • Page 1437

    1-3 figure 1-2 place of a label in a packet currently, the device does not support the cell mode. Lsr a label switching router (lsr) is a fundamental component on an mpls network. All lsrs support mpls. Lsp a label switched path (lsp) is the path along which a fec travels through an mpls network. Al...

  • Page 1438

    1-4
    - For information about RSVP, refer to MPLS TE Configuration in the MPLS Volume.
    - For information about BGP, refer to BGP Configuration in the IP Routing Volume.
    LSP tunneling: MPLS supports LSP tunneling. An LSR and its downstream LSR on an LSP are not necessarily on a path provided by the rout...

  • Page 1439

    1-5 Figure 1-4 Structure of the MPLS network [diagram: ingress, transit and egress LSRs along an LSP between two IP networks]. The following describes how MPLS operates: 1) First, the LDP protocol and the traditional routing protocol (such as OSPF and IS-IS) work together on each LSR to establish the routing table and the label info...

  • Page 1440

    1-6 Structure of an LSR. Figure 1-5 Structure of an LSR. As shown in Figure 1-5, an LSR consists of two planes:
    - Control plane: implements label distribution and routing, establishes the LFIB, and builds and tears down LSPs.
    - Forwarding plane: forwards packets according to the LFIB. An LER forwards both...

  • Page 1441

    1-7 nonetheless, mpls can easily implement the seamless integration between ip networks and layer 2 networks of atm, frame relay, and the like, and offer better solutions to quality of service (qos), te, and vpn applications thanks to the following advantages. Mpls-based vpn traditional vpns depend ...

  • Page 1442

    1-8 the qos classification in diff-serv is very similar to the mpls label distribution mechanism. In fact, the mpls-based diff-serv is implemented by integrating the ds distribution into the mpls label distribution. Mpls configuration basics label distribution and management in mpls, the label that ...

  • Page 1443

    1-9 The conservative label retention mode is usually used together with the DoD mode on LSRs with limited label spaces. Currently, the S7900E series supports only the liberal mode. Basic concepts for label switching:
    - Next hop label forwarding entry (NHLFE): operation to be performed on the label, w...

  • Page 1444

    1-10
    - With IP TTL propagation enabled at ingress, whenever a packet passes a hop along the LSP, its IP TTL gets decremented by 1. Therefore, the result of tracert will reflect the path along which the packet has traveled.
    - With IP TTL propagation disabled at ingress, the IP TTL of a packet does no...

  • Page 1445

    1-11 with MPLS echo replies. If the ping initiator receives the replies, the LSP is considered perfect for forwarding data.
    - MPLS LSP traceroute is a tool for locating LSP errors. By sending MPLS echo requests to the control plane of each transit LSR, it can determine whether the LSR is really a tr...

  • Page 1446

    1-12
    - Advertisement message: used to create, alter, or remove label bindings.
    - Notification message: used to provide advisory information and to notify errors.
    For reliable transport of LDP messages, TCP is used for LDP session messages, advertisement messages, and notification messages, while UDP...

  • Page 1447

    1-13 upstream LSR. However, the time when the downstream LSR sends label binding information depends on the label distribution control mode that it uses:
    - In ordered mode, a downstream LSR sends label binding information only after it receives that of its downstream LSR.
    - In independent mode, a do...

  • Page 1448

    1-14 session establishment and maintenance in this phase, lsrs pass through two steps to establish sessions between them: 1) establishing transport layer connections (that is, tcp connections) between them. 2) initializing sessions and negotiating session parameters such as the ldp version, label di...

  • Page 1449

    1-15 maximum hop count a label request message or label mapping message may contain information about its hop count, which increments by 1 for each hop. When this value reaches the specified limit, ldp considers that a loop is present and the attempt to establish an lsp fails. Path vector a label re...

  • Page 1450

    1-16 Figure 1-9 Network diagram for label advertisement control [diagram: downstream Device A, downstream Device B and upstream Device C, with label advertisement arrows]. Label control policy on Device B: advertise labels that match prefix list x.X.X.X/m to upstream neighbor Device C. In ...

  • Page 1451

    1-17 To summarize, during GR recovery, the LSP information is preserved for the forwarding plane and therefore MPLS packets can be forwarded without interruption. Configuring MPLS basic capability: you need to configure MPLS basic capability on all routers for MPLS forwarding within an MPLS domain, ...

  • Page 1452

    1-18
    - An MPLS LSR ID is in the format of an IP address and must be unique within an MPLS domain. It is recommended that you use the IP address of a loopback interface on an LSR as the MPLS LSR ID.
    - At present, the S7900E series switches support enabling MPLS on only VLAN interfaces.
    - As MPLS will enc...

  • Page 1455

    1-21 configuring mpls ldp capability follow these steps to configure mpls ldp capability: to do… use the command… remarks enter system view system-view — enable ldp capability globally and enter mpls ldp view mpls ldp required not enabled by default configure the ldp lsr id lsr-id lsr-id optional mp...

  • Page 1457

    1-23
    - If a hello adjacency exists between two peers, no remote adjacency can be established between them. If a remote adjacency exists between two peers, you can configure local adjacency for them. However, the local adjacency can be established only when the transport address and keepalive settings of...

  • Page 1460

    1-26 ldp instances have different ldp lsr ids if the address spaces overlap. Otherwise, the tcp connections cannot be established normally. Follow these steps to configure ldp instances: to do… use the command… remarks enter system view system-view — enable ldp capability for a vpn instance and ente...

  • Page 1461

    1-27 to do… use the command… remarks enable mpls ldp gr graceful-restart required disabled by default set the ft reconnect timer graceful-restart timer reconnect timer optional 300 seconds by default set the ldp neighbor liveness timer graceful-restart timer neighbor-liveness timer optional 120 seco...

  • Page 1462

    1-28 configuring mpls ip ttl processing configuration prerequisites before configuring mpls ip ttl propagation, be sure to complete this task: z configuring mpls basic capability. Configuring mpls ip ttl propagation follow these steps to configure ip ttl propagation of mpls: to do… use the command… ...

  • Page 1463

    1-29
    - Configure the ttl propagate vpn command on all relevant PEs to allow IP TTL propagation of VPN packets.
    - Configure the undo ttl expiration pop command on the ASBRs and SPEs to ensure that ICMP responses can travel along the original LSPs.
    - SPE refers to superstratum PE or service provider-e...

  • Page 1465

    1-31 displaying and maintaining mpls resetting ldp sessions if you change any ldp session parameters when the sessions are up, the ldp sessions will not be able to function normally. In this case, you need to reset ldp sessions so that the ldp peers renegotiate parameters and establish new sessions....

  • Page 1466

    1-32 to do… use the command… remarks on a distributed device display mpls nhlfe reflist token [ slot slot-number ] available in any view display usage information about the nhlfe entries on a distributed stacking device display mpls nhlfe reflist token [ chassis chassis-number slot slot-number ] dis...

  • Page 1468

    1-34 figure 1-10 network diagram for configuring ldp sessions configuration procedure 1) configure the ip addresses of the interfaces configure the ip addresses and masks of the interfaces including the vlan interfaces and loopback interfaces as required in figure 1-10 . The detailed configuration p...

  • Page 1469

    1-35 [switcha] display ip routing-table routing tables: public destinations : 9 routes : 9 destination/mask proto pre cost nexthop interface 1.1.1.9/32 direct 0 0 127.0.0.1 inloop0 2.2.2.9/32 ospf 10 1563 10.1.1.2 vlan10 3.3.3.9/32 ospf 10 3125 10.1.1.2 vlan10 10.1.1.0/24 direct 0 0 10.1.1.1 vlan10 ...

  • Page 1470

    1-36 [switchb-vlan-interface10] quit [switchb] interface vlan-interface 11 [switchb-vlan-interface11] mpls [switchb-vlan-interface11] mpls ldp [switchb-vlan-interface11] quit # configure switch c. [switchc] mpls lsr-id 1.1.1.9 [switchc] mpls [switchc-mpls] quit [switchc] mpls ldp [switchc-mpls-ldp] ...

  • Page 1471

    1-37 after completing the above configurations, you will find by issuing the following commands on switch a that the remote ldp session with switch c is already established: [switcha] display mpls ldp session ldp session(s) in public network total number of sessions: 2 ------------------------------...

  • Page 1472

    1-38 [switchb] mpls [switchb-mpls] lsp-trigger all [switchb-mpls] quit # configure switch c. [switchc] mpls [switchc-mpls] lsp-trigger all [switchc-mpls] quit after completing the above configurations, you will see that the lsps have been established if you execute the display mpls ldp lsp command. ...

  • Page 1473

    1-39 Figure 1-11 Network diagram for configuring BFD for MPLS LDP [diagram: Switch A, Switch B and Switch C with loopbacks 1.1.1.9/32, 2.2.2.9/32 and 3.3.3.9/32, VLAN-interface 12 and VLAN-interface 13 links between them, and CE 1 attached through GE2/0/3 and VLAN-interface 100; remaining port and address labels not reproduced]. Configurat...

  • Page 1474

    1-40 # configure mpls basic capability on switch b. System-view [switchb] mpls lsr-id 2.2.2.9 [switchb] mpls [switchb-mpls] quit [switchb] mpls ldp [switchb-mpls-ldp] quit [switchb] mpls ldp remote-peer switcha [switchb-mpls-ldp-remote-switcha] remote-ip 1.1.1.9 [switchb-mpls-ldp-remote-switcha] rem...

  • Page 1475

    1-41 [switcha-loopback0] quit # on switch b: [switchb] interface vlan-interface 12 [switchb-vlan-interface12] ip address 12.1.1.2 24 [switchb-vlan-interface12] quit [switchb] interface loopback 0 [switchb-loopback0] ip address 2.2.2.9 32 [switchb-loopback0] quit # on switch c: [switchc] interface vl...

  • Page 1476

    1-42 [switcha-vsi-vpna-ldp] peer 2.2.2.9 backup-peer 3.3.3.9 [switcha-vsi-vpna-ldp] quit [switcha-vsi-vpna] quit [switcha] vlan 100 [switcha-vlan100] port gigabitethernet 2/0/3 [switcha-vlan100] quit [switcha] interface gigabitethernet 2/0/3 [switcha-gigabitethernet2/0/3] service-instance 100 [switc...

  • Page 1477

    1-43 local discr: 4 remote discr: 0 source ip: 1.1.1.9 destination ip: 3.3.3.9 session state: up interface: loopback0 min trans inter: 400ms act trans inter: 1000ms min recv inter: 400ms act detect inter: 3000ms running up for: 00:00:01 auth mode: none connect type: indirect board num: 6 protocol: m...

  • Page 1478

    1-44 # tear down the link between switch a and switch b. Using the display vpls connection vsi vpna command and the display vpls fib vsi vpna verbose command, you can see that the path 2.2.2.9 is blocked. Display vpls connection vsi vpna total 2 connection(s), connection(s): 1 up, 1 block, 0 down vs...

  • Page 1479: Table of Contents

    I Table of contents: 1 MPLS L2VPN configuration 1-1; MPLS L2VPN overview ...

  • Page 1480: Mpls L2Vpn Configuration

    1-1 1 MPLS L2VPN configuration. When configuring MPLS L2VPN, go to these sections for information you are interested in:
    - MPLS L2VPN overview
    - MPLS L2VPN configuration task list
    - Displaying and maintaining MPLS L2VPN
    - MPLS L2VPN configuration examples
    - Troubleshooting MPLS L2VPN
    The term router ...

  • Page 1481

    1-2 mpls l2vpn transfers layer 2 user data transparently on the mpls network. For users, the mpls network is a layer 2 switched network and can be used to establish layer 2 connections between nodes. Consider atm as an example. Each customer edge device (ce) can connect to the mpls network through a...

  • Page 1482

    1-3 z upon receiving packets, a pe determines to which ce the packets are to be forwarded according to the vc labels. Figure 1-2 illustrates how the label stack changes in the mpls l2vpn forwarding process. Figure 1-2 mpls l2vpn label stack processing 1) l2 pdu: layer 2 protocol data unit 2) t repre...

  • Page 1483

    1-4 z remote connection: a remote connection is established between a local ce and a remote ce, which are connected to different pes. In this case, a static lsp is required to transport packets from one pe to another. Z only remote connection is supported by s7900e series ethernet switches. Z you mu...

  • Page 1484

    1-5 the martini method applies to scenarios with sparse layer 2 connections, such as a scenario with a star topology. Kompella mpls l2vpn kompella mpls l2vpn is different from martini mpls l2vpn in that it does not operate on the connections between ces directly. It organizes different vpns in the w...

  • Page 1485

    1-6 configuring mpls l2vpn you can select any of the implementation methods for mpls l2vpn as needed. However, no matter what method you select, you must complete these two tasks: z configuring mpls basic capability z enabling mpls l2vpn follow these steps to complete the above two tasks: to do… use...

  • Page 1486

    1-7 z configuring mpls basic capability for the mpls backbone on the pes and p devices. Z enabling mpls l2vpn on pes of the mpls backbone. You do not need to enable mpls l2vpn on the p devices. To configure ccc mpls l2vpn, you need the following data: z name for the ccc connection z connection type:...

  • Page 1487

    1-8 to do… use the command… remarks enter system view system-view — configure a transit static lsp static-lsp transit lsp-name incoming-interface interface-type interface-number in-label in-label nexthop next-hop-addr out-label out-label required z with ccc, no static lsps are required on the pes but...

  • Page 1491

    1-12 z the mtu command is not recommended. It affects only parameter negotiation, which may occur; it does not affect data forwarding. Z with kompella mpls l2vpn, you must create on the pe an l2vpn instance for each vpn where a directly connected ce resides. When creating an l2vpn, you must specify ...

  • Page 1492

    1-13 to do… use the command… remarks create a kompella connection connection [ ce-offset id ] interface interface-type interface-number [ tunnel-policy tunnel-policy-name ] required configuring an mpls l2vpn connection based on layer 2 ethernet interface and vlan at present, an mpls l2vpn connection...

  • Page 1493

    1-14 z l2vpn connection’s destination address and pw id z pw class template configuration procedure follow these steps to configure an mpls l2vpn connection based on layer 2 ethernet interface and vlan: to do… use the command… remarks enter system view system-view — create a pw class template and en...

  • Page 1495

    1-16 support for the packet statistics function of the display interface command depends on the device model. For description of the display interface command, refer to the ethernet port command in the access volume. Resetting bgp l2vpn connections to do… use the command… remarks reset bgp l2vpn con...

  • Page 1496

    1-17 system-view [sysname] sysname ce1 [ce1] interface vlan-interface 10 [ce1-vlan-interface10] ip address 100.1.1.1 24 2) configure pe 1 # configure the lsr id and enable mpls globally. System-view [sysname] sysname pe1 [pe1] interface loopback 0 [pe1-loopback0] ip address 10.0.0.1 32 [pe1-loopback...

  • Page 1497

    1-18 [p-vlan-interface20] quit # create a static lsp for forwarding packets from pe 1 to pe 2. [p] static-lsp transit pe1_pe2 incoming-interface vlan-interface 10 in-label 200 next-hop 10.2.2.1 out-label 201 # create a static lsp for forwarding packets from pe 2 to pe 1. [p] static-lsp transit pe2_p...

  • Page 1498

    1-19 remote ccc vc : 1, 1 up ***name : ce1-ce2 type : remote state : up intf : vlan-interface10 (up) in-label : 100 out-label : 200 nexthop : 10.1.1.2 # ping ce 2 from ce 1. [ce1] ping 100.1.1.2 ping 100.1.1.2: 56 data bytes, press ctrl_c to break reply from 100.1.1.2: bytes=56 sequence=1 ttl=255 ti...

  • Page 1499

    1-20 z configure mpls basic forwarding capability on the pes and p device. This includes configuring the lsr id, enabling mpls and ldp, and running igp (ospf in this example) between pe 1, the p device, and pe 2 to establish lsps. Z establish an svc mpls l2vpn connection. This includes enabling mpls...

  • Page 1500

    1-21 [pe1-vlan-interface10] mpls static-l2vc destination 192.3.3.3 transmit-vpn-label 100 receive-vpn-label 200 [pe1-vlan-interface10] quit 3) configure the p device # configure the lsr id and enable mpls globally. System-view [sysname] sysname p [p] interface loopback 0 [p-loopback0] ip address 192...

  • Page 1501

    1-22 [sysname] sysname pe2 [pe2] interface loopback 0 [pe2-loopback0] ip address 192.3.3.3 32 [pe2-loopback0] quit [pe2] mpls lsr-id 192.3.3.3 [pe2] mpls # configure the lsp establishment triggering policy. [pe2-mpls] lsp-trigger all [pe2-mpls] quit # enable mpls l2vpn and ldp globally. [pe2] mpls l...

  • Page 1502

    1-23 total connections: 1, 1 up, 0 down ce-intf state destination tr-label rcv-label tnl-policy vlan10 up 192.3.3.3 100 200 default # display svc l2vpn connection information on pe 2. [pe2] display mpls static-l2vc total connections: 1, 1 up, 0 down ce-intf state destination tr-label rcv-label tnl-p...

  • Page 1503

    1-24 system-view [sysname] sysname ce1 [ce1] interface vlan-interface 10 [ce1-vlan-interface10] ip address 100.1.1.1 24 2) configure pe 1 # configure the lsr id and enable mpls globally. System-view [sysname] sysname pe1 [pe1] interface loopback 0 [pe1-loopback0] ip address 192.2.2.2 32 [pe1-loopbac...

  • Page 1504

    1-25 # configure the lsr id and enable mpls globally. System-view [sysname] sysname p [p] interface loopback 0 [p-loopback0] ip address 192.4.4.4 32 [p-loopback0] quit [p] mpls lsr-id 192.4.4.4 [p] mpls # configure the lsp establishment triggering policy. [p-mpls] lsp-trigger all [p-mpls] quit # ena...

  • Page 1505

    1-26 [pe2] mpls # configure the lsp establishment triggering policy. [pe2-mpls] lsp-trigger all [pe2-mpls] quit # enable mpls l2vpn and ldp globally. [pe2] mpls l2vpn [pe2] mpls ldp [pe2-mpls-ldp] quit # configure an ldp remote session between pe 2 and pe 1. [pe2] mpls ldp remote-peer 2 [pe2-mpls-ld...

  • Page 1506

    1-27 vc id intf state vc label vc label policy 101 vlan10 up 8193 8192 default # display l2vpn connection information on pe 2. [pe2] display mpls l2vc total ldp vc : 1 1 up 0 down transport client vc local remote tunnel vc id intf state vc label vc label policy 101 vlan10 up 8192 8193 default # ping...

  • Page 1507

    1-28 configuration procedure 1) configure igp on the mpls backbone this example uses ospf. The detailed configuration steps are omitted. After configuration, issuing the display ip routing-table command on each lsr, you should see that it has learned the routes to the lsr ids of the other lsrs. Issu...

  • Page 1508

    1-29 4.4.4.4 100 2 5 0 0 00:01:07 established 4) configure the l2vpn and the ce connection # configure pe 1. The configurations of the vlan interfaces are similar to those for martini mpls l2vpn and are omitted. [pe1] mpls l2vpn vpn1 encapsulation vlan [pe1-mpls-l2vpn-vpn1] route-distinguisher 100:1...

  • Page 1509

    1-30 0.00% packet loss round-trip min/avg/max = 34/68/94 ms example for configuring mpls l2vpn connection based on layer 2 ethernet interface and vlan network requirements z ce 1 and ce 2 are connected to pe 1 and pe 2 respectively through vlan interfaces. Z establish an mpls l2vpn connection between ...

  • Page 1510

    1-31 # configure pe 1 to establish an ldp remote session with pe 2. [pe1] mpls ldp remote-peer 1 [pe1-mpls-ldp-remote-1] remote-ip 192.3.3.3 [pe1-mpls-ldp-remote-1] quit # configure the interface connected with the p device and enable ldp on the interface. [pe1] interface vlan-interface 23 [pe1-vlan...

  • Page 1511

    1-32 [p-vlan-interface23] quit # configure the interface connected with pe 2 and enable ldp on the interface. [p] interface vlan-interface 26 [p-vlan-interface26] ip address 26.2.2.2 24 [p-vlan-interface26] mpls [p-vlan-interface26] mpls ldp [p-vlan-interface26] quit # configure ospf. [p] ospf [p-os...

  • Page 1512

    1-33 [pe2-ospf-1-area-0.0.0.0] quit [pe2-ospf-1] quit # on the interface connecting ce 2, create a service instance and establish an mpls l2vpn connection. [pe2] interface gigabitethernet2/0/1 [pe2-gigabitethernet2/0/1] port access vlan 10 [pe2-gigabitethernet2/0/1] service-instance 1000 [pe2-gigabi...

  • Page 1513

    1-34 round-trip min/avg/max = 34/68/94 ms troubleshooting mpls l2vpn symptom 1: after the l2vpn configuration, the peer pes cannot ping each other. The output of the display mpls l2vc command shows that the vc is down and the remote vc label is invalid. Analysis: the reason the vc is down may be tha...

  • Page 1514: Table of Contents

    I table of contents: 1 mpls l3vpn configuration 1-1; mpls l3vpn overview ...

  • Page 1515

    Ii configuration procedure 1-43; displaying and maintaining mpls l3vpn 1-44; resetting bgp connectio...

  • Page 1516: Mpls L3Vpn Configuration

    1-1 1 mpls l3vpn configuration when configuring mpls l3vpn, go to these sections for information you are interested in: z mpls l3vpn overview z mpls l3vpn configuration task list z displaying and maintaining mpls l3vpn z mpls l3vpn configuration examples z the term router in this document refers to ...

  • Page 1517

    1-2 z provider edge router (pe): a pe resides on a service provider network and connects one or more ces to the network. On an mpls network, all vpn processing occurs on the pes. Z provider (p) router: a p router is a backbone router on a service provider network. It is not directly connected with a...

  • Page 1518

    1-3 sites connected to the same provider network can be classified into different sets by policies. Only the sites in the same set can access each other through the provider network. Such a set is called a vpn. Address space overlapping each vpn independently manages the addresses that it uses. The ...

  • Page 1519

    1-4 an rd can be related to an autonomous system (as) number, in which case it is the combination of the as number and a discretionary number; or be related to an ip address, in which case it is the combination of the ip address and a discretionary number. An rd can be in one of the following three ...

  • Page 1520

    1-5 an import routing policy can further filter the routes that can be advertised to a vpn instance by using the vpn target attribute of import target attribute. It can reject the routes selected by the communities in the import target attribute. An export routing policy can reject the routes select...

  • Page 1521

    1-6 5) ce 2 transmits the packet to the destination by ip forwarding. Mpls l3vpn networking schemes in mpls l3vpns, vpn target attributes are used to control the advertisement and reception of vpn routes between sites. They work independently and can be configured with multiple values to support fle...

  • Page 1522

    1-7 figure 1-5 network diagram for hub and spoke networking scheme in figure 1-5 , the spoke sites communicate with each other through the hub site. The arrows in the figure indicate the advertising path of routes from site 2 to site 1: z the hub pe can receive all the vpn-ipv4 routes advertised by ...

  • Page 1523

    1-8 figure 1-6 network diagram for extranet networking scheme (figure labels: pe 1, pe 2 and pe 3 serving site 1, site 2 and site 3; vpn 1 uses import:100:1 export:100:1; vpn 2 uses import:200:1 export:200:1; the vpn 1 instance shared with vpn 2 uses import:100:1,200:1 export:100:1,200:1). In figure 1-6, vpn 1 and vpn 2 can access site 3 of vpn 1. Z pe...

  • Page 1524

    1-9 routing information exchange from the ingress pe to the egress pe after learning the vpn routing information from the ce, the ingress pe adds rds and vpn targets for these standard ipv4 routes to form vpn-ipv4 routes, and maintains them for the vpn instance created for the ce. Then, the ingress ...

  • Page 1525

    1-10 figure 1-7 network diagram for inter-provider vpn option a (figure labels: as 100 with pe 1, pe 2 and asbr 1 (pe); as 200 with pe 3, pe 4 and asbr 2 (pe); ce 1 to ce 4 in vpn 1 and vpn 2; vpn lsp 1 over lsp 1 and vpn lsp 2 over lsp 2; ebgp and ip forwarding between the asbrs). This kind of solution is easy to carry out because no special configuration is requ...

  • Page 1526

    1-11 figure 1-8 network diagram for inter-provider vpn option b (figure labels: mpls backbone as 100 with pe 1, pe 2 and asbr 1 (pe); mpls backbone as 200 with pe 3, pe 4 and asbr 2 (pe); ce 1 to ce 4 in vpn 1 and vpn 2; vpn lsp 1 over lsp 1, vpn lsp 2, vpn lsp 3 over lsp 2; mp-ibgp inside each as, mp-ebgp between the asbrs). In terms of scala...

  • Page 1527

    1-12 figure 1-9 network diagram for inter-provider vpn option c to improve the scalability, you can specify an rr in each as, making it maintain all vpn-ipv4 routes and exchange vpn-ipv4 routes with pes in the as. The rrs in two ass establish an inter-provider vpnv4 connection to advertise vpn-ipv4 ...

  • Page 1528

    1-13 routes of the level 2 carrier. This can greatly reduce the number of routes maintained by the level 1 carrier network. Implementation of carrier’s carrier compared with the common mpls l3vpn, the carrier’s carrier is different because of the way in which a ce of a level 1 carrier, that is, a le...

  • Page 1529

    1-14 figure 1-12 scenario where the level 2 carrier is an mpls l3vpn service provider if there are equal cost routes between the level 1 carrier and the level 2 carrier, it is recommended that you establish equal cost lsps between them accordingly. Nested vpn background in an mpls l3vpn network, general...

  • Page 1530

    1-15 figure 1-13 network diagram for nested vpn propagation of routing information in a nested vpn network, routing information is propagated in the following process: 1) a provider pe and its ces exchange vpnv4 routes, which carry information about users’ internal vpns. 2) after receiving a vpnv4 r...

  • Page 1531

    1-16 the nested vpn technology simplifies the complexity for a user to access a vpn, reduces the access cost, supports diversified vpn networking methods, and implements control over the access to internal vpns and control over mutual access among multiple levels of vpns. Hovpn why hovpn? 1) hierarc...

  • Page 1532

    1-17 figure 1-14 basic architecture of hovpn (figure labels: mpls network containing pe, spe and upe devices; ces of vpn 1 and vpn 2 at site 1 and site 2). As shown in figure 1-14, devices directly connected to ces are called underlayer pes (upes) or user-end pes, whereas devices that are connected with upes and are in the inte...

  • Page 1533

    1-18 the hope and common pes can coexist in an mpls network. 2) spe-upe the mp-bgp running between spe and upe can be either mp-ibgp or mp-ebgp. Which one to use depends on whether the upe and spe belong to the same as. With mp-ibgp, in order to advertise routes between ibgp peers, the spe acts as the...

  • Page 1534

    1-19 ospf vpn extension this section focuses on the ospf vpn extension. For more information about ospf, refer to the ospf configuration in the ip routing volume. Ospf multi-instance on pe ospf is a prevalent igp protocol. In many cases, vpn clients are connected through bgp peers, and the clients o...

  • Page 1535

    1-20 z finally, pe 2 redistributes the bgp vpn routes into ospf and advertises them to ce 21 and ce 22. Figure 1-16 application of ospf in vpn with the standard bgp/ospf interaction, pe 2 advertises the bgp vpn routes to ce 21 and ce 22 through type 5 lsas (ase lsas). However, ce 11, ce 21, and ce 2...

  • Page 1536

    1-21 figure 1-17 network diagram for sham link to solve the problem, you can establish a sham link between the two pes so that the routes between them over the mpls vpn backbone become an intra-area route. The sham link acts as an intra-area point-to-point link and is advertised through the type 1 l...

  • Page 1537

    1-22 figure 1-18 application of bgp as number substitution in figure 1-18 , both ce 1 and ce 2 use the as number of 800. As number substitution is enabled on pe 2 for ce 2. Before advertising updates received from ce 1 to ce 2, pe 2 finds that an as number in the as_path is the same as that of ce 2 ...

  • Page 1538

    1-23 task remarks configuring bgp as number substitution optional configure it as needed configuring basic mpls l3vpn: configuring vpn instances vpn instances are used to isolate vpn routes from public network routes. Configuring vpn instances is required in all mpls l3vpn networking schemes. In addition, route...

  • Page 1539

    1-24 follow these steps to associate a vpn instance with an interface: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — associate the current interface with the vpn instance ip binding vpn-instance vpn-instance-name requ...

  • Page 1540

    1-25 to do… use the command… remarks apply an export routing policy to the current vpn instance export route-policy route-policy optional by default, all vpn instance routes permitted by the export target attribute can be redistributed. Z a single vpn-target command can configure up to eight vpn tar...

  • Page 1541

    1-26 to do… use the command… remarks enter system view system-view — enter vpn instance view ip vpn-instance vpn-instance-name required associate a tunneling policy with the vpn instance tnl-policy tunnel-policy-name required by default, the lsp tunnel is used and the number of tunnels for load bala...

  • Page 1542

    1-27 to do… use the command… remarks create a vpn instance and enter vpn instance view ip vpn-instance vpn-instance-name required no vpn instance exists by default. Configure an rd for the vpn instance route-distinguisher route-distinguisher required associate the current vpn instance with one or mo...

  • Page 1543

    1-28 z perform this configuration on the pes. The configuration method on the ces is the same for configuring ordinary static routes. Z for information about static route, refer to static routing configuration in the ip routing volume. Configuring rip between pe and ce a rip process belongs to only ...

  • Page 1545

    1-30 z after configuring an is-is instance, you must start is-is by using the same method for starting a common is-is process. Z for description and detailed configuration about is-is, refer to is-is configuration in the ip routing volume. Configuring ebgp between pe and ce 1) on a pe follow these s...

  • Page 1546

    1-31 normally, bgp detects routing loops by as number. In the hub and spoke networking scheme, however, with ebgp running between pe and ce, the routing information the pe advertises to a ce carries the number of the as where the pe resides. Therefore, the route updates that the pe receives from the...

  • Page 1549

    1-34 to do… use the command… remarks specify the interface for tcp connection peer ip-address connect-interface interface-type interface-number required enter bgp-vpnv4 subaddress family view ipv4-family vpnv4 — set the default value of the local preference default local-preference value optional 10...

  • Page 1551

    1-36 refer to configuring basic mpls l3vpn . In the inter-provider vpn option a solution, for the same vpn, the vpn targets for the vpn instances of the pes must match those for the vpn instances of the asbr-pes in the same as. It is not required for pes in different ass. Configuring inter-provider ...

  • Page 1552

    1-37 for inter-provider vpn option b, two configuration methods are available: z do not change the next hop on an asbr. With this method, you still need to configure mpls ldp between asbrs. Z change the next hop on an asbr. With this method, mpls ldp is not required between asbrs. Currently, only th...

  • Page 1553

    1-38 configuring the asbr pes in the inter-provider vpn option c solution, an inter-provider vpn lsp is required, and the routes advertised between the relevant pes and asbrs must carry mpls label information. An asbr-pe establishes common ibgp peer relationship with pes in the same as, and common e...

  • Page 1554

    1-39 follow these steps to configure a routing policy for inter-provider vpn option c on an asbr pe: to do… use the command… remarks enter system view system-view — enter routing policy view route-policy policy-name permit node seq-number required configure the device to match ipv4 routes with label...

  • Page 1557

    1-42 configuring a loopback interface follow these steps to configure a loopback interface: to do… use the command… remarks enter system view system-view — create a loopback interface and enter loopback interface view interface loopback interface-number required bind the loopback interface to vpn in...

  • Page 1558

    1-43 z if you start ospf but do not configure the router id, the system will automatically elect one. However, the same election rules produce the same router id. Therefore, it is recommended that you configure the router id when starting an ospf process. For the election rules, refer to ospf configurat...

  • Page 1559

    1-44 displaying and maintaining mpls l3vpn resetting bgp connections when bgp configuration changes, you can use the soft reset function or reset bgp connections to make new configurations take effect. Soft reset requires that bgp peers have route refreshment capability (supporting route-refresh mes...

  • Page 1563

    1-48 figure 1-19 configure mpls l3vpns (figure labels: ce 1 to ce 4 in vpn 1 and vpn 2 in as 65410, as 65420, as 65430 and as 65440; pe 1, p and pe 2 in the mpls backbone, each with a loop0 interface; links on vlan-int11, vlan-int12, vlan-int13 and vlan-int3). device i...

  • Page 1564

    1-49 [p] interface vlan-interface 13 [p-vlan-interface13] ip address 172.1.1.2 24 [p-vlan-interface13] quit [p] interface vlan-interface 11 [p-vlan-interface11] ip address 172.2.1.1 24 [p-vlan-interface11] quit [p] ospf [p-ospf-1] area 0 [p-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255 [p-ospf-1-...

  • Page 1565

    1-50 area 0.0.0.0 interface 172.1.1.1(vlan-interface13)'s neighbors router id: 172.1.1.2 address: 172.1.1.2 gr state: normal state: full mode:nbr is master priority: 1 dr: none bdr: none mtu: 1500 dead timer due in 38 sec neighbor is up for 00:02:44 authentication sequence: [ 0 ] neighbor state chan...

  • Page 1566

    1-51 value of operational. Issuing the display mpls ldp lsp command, you can see the lsps established by ldp. The following takes pe 1 as an example: [pe1] display mpls ldp session ldp session(s) in public network ---------------------------------------------------------------- peer-id status l...

  • Page 1567

    1-52 [pe2-vpn-instance-vpn2] quit [pe2] interface vlan-interface 12 [pe2-vlan-interface12] ip binding vpn-instance vpn1 [pe2-vlan-interface12] ip address 10.3.1.2 24 [pe2-vlan-interface12] quit [pe2] interface vlan-interface 13 [pe2-vlan-interface13] ip binding vpn-instance vpn2 [pe2-vlan-interface1...

  • Page 1568

    1-53 # configure pe 1. [pe1] bgp 100 [pe1-bgp] ipv4-family vpn-instance vpn1 [pe1-bgp-vpn1] peer 10.1.1.1 as-number 65410 [pe1-bgp-vpn1] import-route direct [pe1-bgp-vpn1] quit [pe1-bgp] ipv4-family vpn-instance vpn2 [pe1-bgp-vpn2] peer 10.2.1.1 as-number 65420 [pe1-bgp-vpn2] import-route direct [pe...

  • Page 1569

    1-54 after completing the above configuration, if you issue the display bgp peer command or the display bgp vpnv4 all peer command on the pes, you should see that bgp peer relationship has been established between the pes, and has reached the state of established. [pe1] display bgp peer bgp local ro...

  • Page 1570

    1-55 request time out --- 10.4.1.1 ping statistics --- 5 packet(s) transmitted 0 packet(s) received 100.00% packet loss example for configuring inter-provider vpn option a network requirements z ce 1 and ce 2 belong to the same vpn. Ce 1 accesses the network through pe 1 in as 100 and ce 2 accesses ...

  • Page 1571

    1-56 the 32-bit loopback interface address used as the lsr id needs to be advertised by ospf. After you complete the above configurations, each asbr pe and the pe in the same as should be able to establish ospf adjacencies. Issuing the display ospf peer command, you can see that the adjacencies reac...

  • Page 1572

    1-57 [asbr-pe2-vlan-interface12] quit # configure mpls basic capability on pe 2 and enable mpls ldp on the interface connected to asbr pe 2. System-view [pe2] mpls lsr-id 4.4.4.9 [pe2] mpls [pe2-mpls] quit [pe2] mpls ldp [pe2-mpls-ldp] quit [pe2] interface vlan-interface 12 [pe2-vlan-interface12] mp...

  • Page 1573

    1-58 [pe2] ip vpn-instance vpn1 [pe2-vpn-instance] route-distinguisher 200:2 [pe2-vpn-instance] vpn-target 100:1 both [pe2-vpn-instance] quit [pe2] interface vlan-interface 11 [pe2-vlan-interface11] ip binding vpn-instance vpn1 [pe2-vlan-interface11] ip address 10.2.1.2 24 [pe2-vlan-interface11] qui...

  • Page 1574

    1-59 [ce2] bgp 65002 [ce2-bgp] peer 10.2.1.2 as-number 200 [ce2-bgp] import-route direct [ce2-bgp] quit # configure pe 2. [pe2] bgp 200 [pe2-bgp] ipv4-family vpn-instance vpn1 [pe2-bgp-vpn1] peer 10.2.1.1 as-number 65002 [pe2-bgp-vpn1] import-route direct [pe2-bgp-vpn1] quit [pe2-bgp] quit 5) establ...

  • Page 1575

    1-60 # configure pe 2. [pe2] bgp 200 [pe2-bgp] peer 3.3.3.9 as-number 200 [pe2-bgp] peer 3.3.3.9 connect-interface loopback 0 [pe2-bgp] ipv4-family vpnv4 [pe2-bgp-af-vpnv4] peer 3.3.3.9 enable [pe2-bgp-af-vpnv4] peer 3.3.3.9 next-hop-local [pe2-bgp-af-vpnv4] quit [pe2-bgp] quit 6) verify your config...

  • Page 1576

    1-61 configuration procedure 1) configure pe 1 # run is-is on pe 1. System-view [pe1] isis 1 [pe1-isis-1] network-entity 10.111.111.111.111.00 [pe1-isis-1] quit # configure lsr id, enable mpls and ldp. [pe1] mpls lsr-id 2.2.2.9 [pe1] mpls [pe1-mpls] label advertise non-null [pe1-mpls] quit [pe1] mpl...

  • Page 1577

    1-62 [pe1-bgp-af-vpnv4] peer 3.3.3.9 enable [pe1-bgp-af-vpnv4] quit # specify to inject direct routes to the vpn routing table of vpn1. [pe1-bgp] ipv4-family vpn-instance vpn1 [pe1-bgp-vpn1] import-route direct [pe1-bgp-vpn1] quit [pe1-bgp] quit 2) configure asbr-pe 1 # start is-is on asbr-pe 1. Sys...

  • Page 1578

    1-63 [asbr-pe1-bgp] ipv4-family vpnv4 [asbr-pe1-bgp-af-vpnv4] undo policy vpn-target # configure both ibgp peer 2.2.2.0 and ebgp peer 11.0.0.1 as vpnv4 peers. [asbr-pe1-bgp-af-vpnv4] peer 11.0.0.1 enable [asbr-pe1-bgp-af-vpnv4] peer 2.2.2.9 enable [asbr-pe1-bgp-af-vpnv4] quit 3) configure asbr-pe 2 ...

  • Page 1579

    1-64 [asbr-pe2-bgp-af-vpnv4] undo policy vpn-target # configure both ibgp peer 5.5.5.9 and ebgp peer 11.0.0.2 as vpnv4 peers. [asbr-pe2-bgp-af-vpnv4] peer 11.0.0.2 enable [asbr-pe2-bgp-af-vpnv4] peer 5.5.5.9 enable [asbr-pe2-bgp-af-vpnv4] quit [asbr-pe2-bgp] quit 4) configure pe 2 # start is-is on p...

  • Page 1580

    1-65 # configure ibgp peer 4.4.4.9 as a vpnv4 peer. [pe2-bgp] peer 4.4.4.9 as-number 600 [pe2-bgp] peer 4.4.4.9 connect-interface loopback 0 [pe2-bgp] ipv4-family vpnv4 [pe2-bgp-af-vpnv4] peer 4.4.4.9 enable [pe2-bgp-af-vpnv4] quit # specify to inject direct routes to the vpn routing table of vpn1. ...

  • Page 1581

    1-66 configuration procedure 1) configure pe 1 # run is-is on pe 1. System-view [pe1] isis 1 [pe1-isis-1] network-entity 10.111.111.111.111.00 [pe1-isis-1] quit # configure lsr id, enable mpls and ldp. [pe1] mpls lsr-id 2.2.2.9 [pe1] mpls [pe1-mpls] label advertise non-null [pe1-mpls] quit [pe1] mpl...

  • Page 1582

    1-67 [pe1-bgp] peer 3.3.3.9 label-route-capability # configure the maximum hop count from pe 1 to ebgp peer 5.5.5.9 as 10. [pe1-bgp] peer 5.5.5.9 as-number 600 [pe1-bgp] peer 5.5.5.9 connect-interface loopback 0 [pe1-bgp] peer 5.5.5.9 ebgp-max-hop 10 # configure peer 5.5.5.9 as a vpnv4 peer. [pe1-bg...

  • Page 1583

    1-68 # create routing policies. [asbr-pe1] route-policy policy1 permit node 1 [asbr-pe1-route-policy1] apply mpls-label [asbr-pe1-route-policy1] quit [asbr-pe1] route-policy policy2 permit node 1 [asbr-pe1-route-policy2] if-match mpls-label [asbr-pe1-route-policy2] apply mpls-label [asbr-pe1-route-p...

  • Page 1584

    1-69 [asbr-pe2-vlan-interface11] quit # configure interface loopback 0 and start is-is on it. [asbr-pe2] interface loopback 0 [asbr-pe2-loopback0] ip address 4.4.4.9 32 [asbr-pe2-loopback0] isis enable 1 [asbr-pe2-loopback0] quit # configure interface vlan-interface 12 and enable mpls on it. [asbr-p...

  • Page 1585

    1-70 # configure lsr id, enable mpls and ldp. [pe2] mpls lsr-id 5.5.5.9 [pe2] mpls [pe2-mpls] label advertise non-null [pe2-mpls] quit [pe2] mpls ldp [pe2-mpls-ldp] quit # configure interface vlan-interface 11, start is-is and enable mpls and ldp on the interface. [pe2] interface vlan-interface 11 [...

  • Page 1586

    1-71 [pe2-bgp-af-vpnv4] quit # specify to inject direct routes to the routing table of vpn1. [pe2-bgp] ipv4-family vpn-instance vpn1 [pe2-bgp-vpn1] import-route direct [pe2-bgp-vpn1] quit [pe2-bgp] quit after you complete the above configurations, pe 1 and pe 2 should be able to ping each other: [pe...

  • Page 1587

    1-72 figure 1-23 configure carrier's carrier. Device, interface and ip address: ce 3 vlan-int11 100.1.1.1/24; ce 4 vlan-int11 120.1.1.1/24; pe 3 loop0 1.1.1.9/32, vlan-int11 100.1.1.2/24, vlan-int12 10.1.1.1/24; pe 4 loop0 6.6.6.9/32, vlan-int11 120.1.1.2/24, vlan-int12 20.1.1.2/24; ce ...

  • Page 1588

    1-73 [pe1-vlan-interface12] ip address 30.1.1.1 24 [pe1-vlan-interface12] isis enable 1 [pe1-vlan-interface12] mpls [pe1-vlan-interface12] mpls ldp [pe1-vlan-interface12] mpls ldp transport-address interface [pe1-vlan-interface12] quit [pe1] bgp 100 [pe1-bgp] peer 4.4.4.9 as-number 100 [pe1-bgp] pee...

  • Page 1589

    1-74 system-view [pe3] interface loopback 0 [pe3-loopback0] ip address 1.1.1.9 32 [pe3-loopback0] quit [pe3] mpls lsr-id 1.1.1.9 [pe3] mpls [pe3-mpls] quit [pe3] mpls ldp [pe3-mpls-ldp] quit [pe3] isis 2 [pe3-isis-2] network-entity 10.0000.0000.0000.0001.00 [pe3-isis-2] quit [pe3] interface loopback...

  • Page 1590

    1-75 after you complete the above configurations, pe 3 and ce 1 should be able to establish the ldp session and is-is neighbor relationship between them. The configurations for pe 4 and ce 2 are similar to those for pe 3 and ce 1. The detailed configuration steps are omitted. 3) perform configuratio...

  • Page 1591

    1-76 the configurations for pe 2 and ce 2 are similar to those for pe 1 and ce 1. The detailed configuration steps are omitted. 4) perform configuration to allow the ces of the level 2 carrier to access the pes # configure ce 3. System-view [ce3] interface vlan-interface 11 [ce3-vlan-interface11] ip...

  • Page 1592

    1-77 [pe3-bgp] ipv4-family vpnv4 [pe3-bgp-af-vpnv4] peer 6.6.6.9 enable [pe3-bgp-af-vpnv4] quit [pe3-bgp] quit the configurations for pe 4 are similar to those for pe 3. The detailed configuration steps are omitted. 6) verify your configurations after completing all the above configurations, you can...

  • Page 1593

    1-78 if you issue the display ip routing-table command on ce 1 and ce 2, you should see that the internal routes of the level 2 carrier network are present in the public network routing tables, but the vpn routes that the level 2 carrier maintains are not. Take ce 1 as an example: [ce1] display ip routi...

  • Page 1594

    1-79 destinations : 3 routes : 3 destination/mask proto pre cost nexthop interface 100.1.1.0/24 direct 0 0 100.1.1.2 vlan11 100.1.1.2/32 direct 0 0 127.0.0.1 inloop0 120.1.1.0/24 bgp 255 0 6.6.6.9 null0 pe 3 and pe 4 should be able to ping each other: [pe3] ping 20.1.1.2 ping 20.1.1.2: 56 data bytes...

  • Page 1595

    1-80 z when receiving a vpnv4 route from a ce (ce 1 or ce 2 in this example), a service provider pe replaces the rd of the vpnv4 route with the rd of the mpls vpn on the service provider network where the ce resides, adds the export target attribute of the mpls vpn on the service provider network to...

  • Page 1596

    1-81 [pe1-mpls-ldp] quit [pe1] isis 1 [pe1-isis-1] network-entity 10.0000.0000.0000.0004.00 [pe1-isis-1] quit [pe1] interface loopback 0 [pe1-loopback0] isis enable 1 [pe1-loopback0] quit [pe1] interface vlan-interface 12 [pe1-vlan-interface12] ip address 30.1.1.1 24 [pe1-vlan-interface12] isis enab...

  • Page 1597

    1-82 peer information for isis(1) ---------------------------- system id interface circuit id state holdtime type pri 0000.0000.0005 vlan-interface12 001 up 29s l1l2 -- 2) configure the customer vpn, using is-is as the igp protocol and enabling ldp between pe 3 and ce 1, and between pe 4 and ce 2. #...

  • Page 1598

    1-83 [ce1-vlan-interface12] mpls [ce1-vlan-interface12] mpls ldp [ce1-vlan-interface12] quit after the configurations above, ldp and is-is neighbor relationship can be established between pe 3 and ce 1. Configurations on pe 4 and ce 2 are similar to those on pe 3 and ce 1 respectively, and are thus ...

  • Page 1599

    1-84 4) connect sub-vpn ces to the customer vpn pes # configure ce 3. System-view [ce3] interface vlan-interface11 [ce3-vlan-interface11] ip address 100.1.1.1 24 [ce3-vlan-interface11] quit [ce3] bgp 65410 [ce3-bgp] peer 100.1.1.2 as-number 200 [ce3-bgp] import-route direct [ce3-bgp] quit # configur...

  • Page 1600

    1-85 [pe3-bgp] quit configurations on pe 4, ce 4 and ce 6 are similar to those on pe 3, ce 3 and ce 5 respectively, and are thus omitted here. 5) establish mp-ebgp peer relationship between service provider pes and their ces to exchange user vpnv4 routes. # configure pe 1, enabling nested vpn. [pe1] ...

  • Page 1601

    1-86 # specify to allow the local as number to appear in the as-path attribute of the routes received. [pe3-bgp-af-vpnv4] peer 2.2.2.9 allow-as-loop 2 [pe3-bgp-af-vpnv4] quit [pe3-bgp] quit # configure ce 1. [ce1] bgp 200 [ce1-bgp] peer 1.1.1.9 as-number 200 [ce1-bgp] peer 1.1.1.9 connect-interface ...

  • Page 1602

    1-87 destination/mask proto pre cost nexthop interface 11.1.1.0/24 direct 0 0 11.1.1.1 vlan11 11.1.1.1/32 direct 0 0 127.0.0.1 inloop0 11.1.1.2/32 direct 0 0 11.1.1.2 vlan11 100.1.1.0/24 bgp 255 0 11.1.1.1 null0 110.1.1.0/24 bgp 255 0 11.1.1.1 null0 120.1.1.0/24 bgp 255 0 4.4.4.9 null0 127.0.0.0/8 d...

  • Page 1603

    1-88 *> 130.1.1.0/24 11.1.1.2 1027/1028 execute the display ip routing-table vpn-instance sub_vpn1 command on pe 3 and pe 4 to verify that the vpn routing tables contain routes sent by the provider pe to user sub-vpn. The following takes pe 3 for illustration. [pe3] display ip routing-table vpn-inst...

  • Page 1604

    1-89 ce 3 and ce 4 can ping each other successfully. [ce3] ping 120.1.1.1 ping 120.1.1.1: 56 data bytes, press ctrl_c to break reply from 120.1.1.1: bytes=56 sequence=1 ttl=252 time=102 ms reply from 120.1.1.1: bytes=56 sequence=2 ttl=252 time=69 ms reply from 120.1.1.1: bytes=56 sequence=3 ttl=252 ...

  • Page 1605

    1-90 example for configuring hovpn network requirements there are two levels of networks, the backbone and the mpls vpn networks, as shown in figure 1-25 . Z spes act as pes to allow mpls vpns to access the backbone. Z upes act as pes of the mpls vpns to allow end users to access the vpns. Z perform...

  • Page 1606

    1-91 [upe1] interface vlan-interface 11 [upe1-vlan-interface11] ip address 172.1.1.1 24 [upe1-vlan-interface11] mpls [upe1-vlan-interface11] mpls ldp [upe1-vlan-interface11] quit # configure the igp protocol, ospf, for example. [upe1] ospf [upe1-ospf-1] area 0 [upe1-ospf-1-area-0.0.0.0] network 172....

  • Page 1607

    1-92 system-view [ce1] interface vlan-interface 12 [ce1-vlan-interface12] ip address 10.2.1.1 255.255.255.0 [ce1-vlan-interface12] quit [ce1] bgp 65410 [ce1-bgp] peer 10.2.1.2 as-number 100 [ce1-bgp] import-route direct [ce1-bgp] quit 3) configure ce 2 system-view [ce2] interface vlan-interface 13 [ce2-...

  • Page 1608

    1-93 [upe2-vpn-instance-vpn2] route-distinguisher 400:2 [upe2-vpn-instance-vpn2] vpn-target 100:2 both [upe2-vpn-instance-vpn2] quit [upe2] interface vlan-interface 12 [upe2-vlan-interface12] ip binding vpn-instance vpn1 [upe2-vlan-interface12] ip address 10.1.1.2 24 [upe2-vlan-interface12] quit [up...

  • Page 1609

    1-94 system-view [spe1] interface loopback 0 [spe1-loopback0] ip address 2.2.2.9 32 [spe1-loopback0] quit [spe1] mpls lsr-id 2.2.2.9 [spe1] mpls [spe1-mpls] quit [spe1] mpls ldp [spe1-mpls-ldp] quit [spe1] interface vlan-interface 11 [spe1-vlan-interface11] ip address 172.1.1.2 24 [spe1-vlan-interfa...

  • Page 1610

    1-95 [spe1-bgp-af-vpnv4] peer 1.1.1.9 enable [spe1-bgp-af-vpnv4] peer 1.1.1.9 upe [spe1-bgp-af-vpnv4] quit [spe1-bgp] ipv4-family vpn-instance vpn1 [spe1-bgp-vpn1] quit [spe1-bgp] ipv4-family vpn-instance vpn2 [spe1-bgp-vpn2] quit [spe1-bgp] quit # configure spe 1 to advertise to upe 1 the routes perm...

  • Page 1611

    1-96 # configure vpn instances vpn1 and vpn2. [spe2] ip vpn-instance vpn1 [spe2-vpn-instance-vpn1] route-distinguisher 600:1 [spe2-vpn-instance-vpn1] vpn-target 100:1 both [spe2-vpn-instance-vpn1] quit [spe2] ip vpn-instance vpn2 [spe2-vpn-instance-vpn2] route-distinguisher 800:1 [spe2-vpn-instance...

  • Page 1612

    1-97 figure 1-26 configure an ospf sham link (on switches). Device, interface and ip address: ce 1 vlan-int12 100.1.1.1/24, vlan-int11 20.1.1.1/24; ce 2 vlan-int11 120.1.1.1/24, vlan-int12 30.1.1.2/24; pe 1 loop0 1.1.1.9/32, loop1 3.3.3.3/32; pe 2 loop0 2.2.2.9/32, loop1 5.5.5.5/32; vla...

  • Page 1613

    1-98 [pe1-loopback0] quit [pe1] mpls lsr-id 1.1.1.9 [pe1] mpls [pe1-mpls] quit [pe1] mpls ldp [pe1-mpls-ldp] quit [pe1] interface vlan-interface 2 [pe1-vlan-interface2] ip address 10.1.1.1 24 [pe1-vlan-interface2] mpls [pe1-vlan-interface2] mpls ldp [pe1-vlan-interface2] quit # configure pe 1 to tak...

  • Page 1614

    1-99 [pe2-bgp-af-vpnv4] peer 1.1.1.9 enable [pe2-bgp-af-vpnv4] quit [pe2-bgp] quit # configure ospf on pe 2. [pe2] ospf 1 [pe2-ospf-1] area 0 [pe2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0 [pe2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [pe2-ospf-1-area-0.0.0.0] quit [pe2-ospf-1] quit 3) configure...

  • Page 1615

    1-100 [pe2-ospf-100] quit [pe2] bgp 100 [pe2-bgp] ipv4-family vpn-instance vpn1 [pe2-bgp-vpn1] import-route ospf 100 [pe2-bgp-vpn1] import-route direct [pe2-bgp-vpn1] quit [pe2-bgp] quit after completing the above configurations, if you issue the display ip routing-table vpn-instance command on the ...

  • Page 1616

    1-101 destinations : 6 routes : 6 destination/mask proto pre cost nexthop interface 3.3.3.3/32 direct 0 0 127.0.0.1 inloop0 5.5.5.5/32 bgp 255 0 2.2.2.9 null0 20.1.1.0/24 ospf 10 1563 100.1.1.1 vlan12 100.1.1.0/24 direct 0 0 100.1.1.2 vlan12 100.1.1.2/32 direct 0 0 127.0.0.1 inloop0 120.1.1.0/24 bgp...

  • Page 1617

    1-102 figure 1-27 configure bgp as number substitution (pe 1, p and pe 2 on the mpls backbone, each with loop0; ce 1 and ce 2 in vpn 1; links on vlan-int11 and vlan-int12). Device, interface and ip address: ce 1 vlan-int...

  • Page 1618

    1-103 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 200.1.1.0/24 direct 0 0 200.1.1.1 inloop0 200.1.1.1/32 direct 0 0 127.0.0.1 inloop0 if you issue the display ip routing-table vpn-instance command on the pes, you should see the route to the vpn behind the peer ce. T...

  • Page 1619

    1-104 [pe2-bgp] ipv4-family vpn-instance vpn1 [pe2-bgp-vpn1] peer 10.2.1.1 substitute-as [pe2-bgp-vpn1] quit [pe2-bgp] quit you should see that among the routes advertised by pe 2 to ce 2, the as_path of 100.1.1.1/32 has changed from 100 600 to 100 100: *0.13498737 pe2 rm/7/rmdebug: bgp.Vpn1: send u...

  • Page 1620

    1-105 reply from 200.1.1.1: bytes=56 sequence=5 ttl=253 time=70 ms --- 200.1.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 66/79/109 ms.

  • Page 1621: Table of Contents

    I table of contents 1 vpls configuration ··· 1-1 vpls overview ···...

  • Page 1622: Vpls Configuration

    1-1 1 vpls configuration z to support vpls functions, configure your s7900e series ethernet switch with eb or sd lpus; no card intermixing is allowed. Z the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected ...

  • Page 1623

    1-2 z upe user facing provider edge device that functions as the user access convergence device. Z npe network provider edge device that functions as the network core pe. An npe resides at the edge of a vpls network core domain and provides transparent vpls transport services between core networks. ...

  • Page 1624

    1-3 figure 1-1 network diagram for vpls (ce 1 to ce 4 at site 1, site 2 and site 3 in vpn 1 and vpn 2; pe 1, pe 2 and p on the mpls backbone; ac, pw, pw signaling, forwarder and tunnel). Mac address learning and flooding: vpls provides reachability by mac address learning. Each pe maintains a mac address table. 1) sourc...

  • Page 1625

    1-4 figure 1-2 mac learning and flooding on pes (host a with mac a and ip 1.1.1.2 on vlan 10, port 1 of pe 1; host b with mac b and ip 1.1.1.3 on pe 2; pe 1, pe 2 and pe 3 in vpn 1 connected by pw 1, pw 2 and pw 3; arp broadcast and arp response; each pe's vsi mac table maps mac a to its local port or pw). 2) mac address recla...

  • Page 1626

    1-5 z pes are logically fully meshed (so are pws), that is, each pe must create for each vpls forwarding instance a tree to all the other pes of the instance. Z each pe must support split horizon to avoid loops, that is, a pe cannot forward packets via pws of the same vsi, because all the pes of ...

  • Page 1627

    1-6 h-vpls implementation hierarchical vpls (h-vpls) can extend the vpls access range of a service provider and reduce costs. Advantages of h-vpls access z h-vpls has lower requirements on the multi-tenant unit switch (mtu-s). It has distinct hierarchies, each of which fulfills definite tasks. Z h-vpls reduce...

  • Page 1628

    1-7 figure 1-4 h-vpls qinq access as shown in figure 1-4 , mtu is a standard bridging device and qinq is enabled on its interfaces connected with ces. Data forwarding in h-vpls qinq access mode is as follows: z upon receiving a packet from a ce, mtu labels the packet with a vlan tag as the multiplex...

  • Page 1629

    1-8 figure 1-5 backup link for h-vpls lsp access (ce 1, ce 2 and ce 3; npe 1, npe 2 and npe 3 meshed by n-pws; upe connected to the npes by a u-pw and a backup-link u-pw). The h-vpls in lsp access mode determines the validity of the main link according to the ldp session status and bfd checking result. It activates the backup link when: z the tu...

  • Page 1630

    1-9 configuring bgp extensions in kompella mode, vsi uses extended bgp as the signaling protocol to distribute vc labels. Therefore, you need to configure bgp parameters on the pes. For configuration information, refer to bgp configuration in the ip routing volume. Configuration prerequisites before...

  • Page 1631

    1-10 to do… use the command… remarks configure the reserve vlan for mpls l2vpn mpls l2vpn reserve vlan vlan-id optional if the srpu is lsq1srp1cb, you can enable mpls l2vpn only after you configure the mpls l2vpn reserve vlan command. Enable mpls l2vpn mpls l2vpn required configuring a vpls instance...

  • Page 1633

    1-12 to do… use the command… remarks create a bgp vpls instance and enter vsi view vsi vsi-name auto required specify bgp as the pw signaling protocol and enter vsi bgp view pwsignal bgp required configure an rd for the vpls instance route-distinguisher route-distinguisher required configure vpn tar...

  • Page 1636

    1-15 figure 1-6 bind a layer 2 ethernet interface and vlan with a vpls instance configuration procedure 1) configure pe 1 system-view [sysname] sysname pe1 [pe1] interface loopback 0 [pe1-loopback0] ip address 1.1.1.9 32 [pe1-loopback0] quit # configure the lsr id and enable mpls globally. [pe1] mpl...

  • Page 1637

    1-16 [pe1] bgp 100 [pe1-bgp] peer 3.3.3.9 as-number 100 [pe1-bgp] peer 3.3.3.9 connect-interface loopback 0 [pe1-bgp] vpls-family [pe1-bgp-af-vpls] peer 3.3.3.9 enable [pe1-bgp-af-vpls] quit [pe1-bgp] quit # configure the basic attributes of vpls instance aaa, which uses ldp. [pe1] vsi aaa static [p...

  • Page 1638

    1-17 [p] mpls ldp [p-mpls-ldp] quit # configure the interface connected with pe 1 and enable ldp on the interface. [p] interface vlan-interface 2 [p-vlan-interface2] ip address 23.1.1.2 24 [p-vlan-interface2] mpls [p-vlan-interface2] mpls ldp [p-vlan-interface2] quit # configure the interface connec...

  • Page 1639

    1-18 [pe2-vlan-interface3] quit # configure ospf. [pe2] ospf [pe2-ospf-1] area 0 [pe2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0 [pe2-ospf-1-area-0.0.0.0] network 26.2.2.0 0.0.0.255 [pe2-ospf-1-area-0.0.0.0] quit [pe2-ospf-1] quit # configure bgp extensions. [pe2] bgp 100 [pe2-bgp] peer 1.1.1.9 as...

  • Page 1640

    1-19 after completing the above configurations, you can issue the display vpls connection command on the pes. There should be pw connections established and in the up state. Taking pe 2 as an example, the output is as follows: [pe2] display vpls connection vsi aaa verbose vsi name: aaa ...

  • Page 1641

    1-20 system-view [sysname] sysname upe [upe] interface loopback 0 [upe-loopback0] ip address 1.1.1.9 32 [upe-loopback0] quit [upe] mpls lsr-id 1.1.1.9 [upe] mpls [upe-mpls] quit [upe] mpls ldp [upe-mpls-ldp] quit # configure mpls basic capability on the interface connected with npe 1. [upe] interfac...

  • Page 1642

    1-21 [npe1] mpls ldp [npe1-mpls-ldp] quit # configure mpls basic capability on the interface connected with upe. [npe1] interface vlan-interface 10 [npe1-vlan-interface10] ip address 10.1.1.2 24 [npe1-vlan-interface10] mpls [npe1-vlan-interface10] mpls ldp [npe1-vlan-interface10] quit # configure mp...

  • Page 1643

    1-22 # configure mpls basic capability on the interface connected with npe 1. [npe3] interface vlan-interface 20 [npe3-vlan-interface20] ip address 11.1.1.2 24 [npe3-vlan-interface20] mpls [npe3-vlan-interface20] mpls ldp [npe3-vlan-interface20] quit # configure the remote ldp session. [npe3] mpls l...

  • Page 1644

    1-23 figure 1-8 network diagram for configuring h-vpls using lsp (loop0 3.3.3.3/32, loop0 1.1.1.1/32). Configuration procedure 1) configure the igp protocol on the mpls backbone, which is ospf in this example. The detailed configuration steps are omitted. 2) configure upe # configure mpls basic capa...

  • Page 1645

    1-24 [upe] mpls l2vpn # configure the basic attributes of vpls instance aaa, which uses ldp. [upe] vsi aaa static [upe-vsi-aaa] pwsignal ldp [upe-vsi-aaa-ldp] vsi-id 500 [upe-vsi-aaa-ldp] peer 2.2.2.2 backup-peer 3.3.3.3 [upe-vsi-aaa-ldp] dual-npe revertive wtr-time 1 [upe-vsi-aaa-ldp] quit [upe-vsi...

  • Page 1646

    1-25 [npe1] mpls ldp [npe1-mpls-ldp] quit # configure mpls basic capability on the interface connected with upe. [npe1] interface vlan-interface 13 [npe1-vlan-interface13] ip address 13.1.1.2 24 [npe1-vlan-interface13] mpls [npe1-vlan-interface13] mpls ldp [npe1-vlan-interface13] quit # configure mp...

  • Page 1647

    1-26 [npe3-mpls-ldp] quit # configure mpls basic capability on the interface connected with npe 1. [npe3] interface vlan-interface 15 [npe3-vlan-interface15] ip address 15.1.1.2 24 [npe3-vlan-interface15] mpls [npe3-vlan-interface15] mpls ldp [npe3-vlan-interface15] quit # configure the remote ldp s...

  • Page 1648: Table of Contents

    I table of contents 1 mpls te configuration ··· 1-1 mpls te overview ···...

  • Page 1649

    Ii displaying and maintaining mpls te ··· 1-38 displaying and maintaining mpls te ··· 1-38 mpls te configuration exampl...

  • Page 1650: Mpls Te Configuration

    1-1 1 mpls te configuration for detailed information about vpn, refer to mpls l2vpn configuration and mpls l3vpn configuration in the mpls volume. When configuring multiprotocol label switching traffic engineering (mpls te), go to these sections for information you are interested in: z mpls te overv...

  • Page 1651

    1-2 the performance objectives associated with te can be either of the following: z traffic oriented. These are performance objectives that enhance quality of service (qos) of traffic streams, such as minimization of packet loss, minimization of delay, maximization of throughput and enforcement of s...

  • Page 1652

    1-3 mpls te implementation mpls te mainly accomplishes two functions: z static constraint-based routed lsp (cr-lsp) processing to create and remove static cr-lsps. The bandwidth of lsps must be configured manually. Z dynamic cr-lsp processing to handle three types of cr-lsps: basic cr-lsps, backup c...

  • Page 1653

    1-4 the mechanism for setting up and managing constraints is called constraint-based routing (cr). Cr-lsp involves these concepts: z strict and loose explicit routes z traffic characteristics z preemption z route pinning z administrative group and affinity attribute z reoptimization strict and loose exp...

  • Page 1654

    1-5 reoptimization traffic engineering is a process of allocating/reallocating network resources. You may configure it to meet desired qos. Normally, service providers use some mechanism to optimize cr-lsps for best use of network resources. They can do this manually but cr-lsp measurement and tunin...

  • Page 1655

    1-6 each lsp set up using rsvp-te is assigned a resource reservation style. During an rsvp session, the receiver decides which reservation style can be used for this session and thus which lsps can be used. Currently, two reservation styles are available: z fixed-filter style (ff) where resources ar...

  • Page 1656

    1-7 z path messages: transmitted along the path of data transmission downstream by each rsvp sender to save path state information on each node along the path. Resv messages: sent by each receiver upstream towards senders to request resource reservation and to create and maintain reservation state o...

  • Page 1657

    1-8 rsvp refresh mechanism rsvp maintains path and reservation state by periodically retransmitting two types of messages: path and resv. These periodically retransmitted path and resv messages are called refresh messages. They are sent along the path that the last path or resv message travels to sy...

  • Page 1658

    1-9 for introduction to graceful restart (gr), refer to gr overview in the high availability volume. The rsvp-te gr function depends on the extended hello capability of rsvp-te. A gr-capable device advertises its gr capability and relevant time parameters to its neighbors by extended rsvp hello pack...

  • Page 1659

    1-10 policy routing you can also use policy routing to route traffic over an mpls te tunnel. In this approach, you need to create a policy that specifies the mpls te tunnel interface as the output interface for traffic that matches certain criteria defined in the referenced acl. This policy should b...

  • Page 1660

    1-11 the configuration of igp shortcut and forwarding adjacency is broken down into tunnel configuration and igp configuration. When making tunnel configuration on a te tunnel interface, consider the following: z the tunnel destination address should be in the same area where the tunnel interface is...

  • Page 1661

    1-12 protection frr provides link protection and node protection for an lsp as follows: z link protection, where the plr and the mp are connected through a direct link and the primary lsp traverses this link. When the link fails, traffic is switched to the bypass lsp. As shown in figure 1-4 , the pr...

  • Page 1662

    1-13 z cooperation of rsvp-te and bfd: bfd is a fast detection mechanism that can detect link or node faults in a timely manner. In this method, frr obtains the link status promptly through bfd, so as to implement fast link switchover. Z rsvp hello: in this method, rsvp hello is enabled on each prot...

  • Page 1663

    1-14 task remarks configuring mpls te basic capabilities required creating mpls te tunnel over static cr-lsp configuring an mpls te tunnel configuring mpls te tunnel with dynamic signaling protocol required use either approach configuring rsvp-te advanced features optional tuning cr-lsp setup option...

  • Page 1664

    1-15 to do… use the command… remarks enable global mpls te mpls te required disabled by default exit to system view quit –– enter the interface view of an mpls te link interface interface-type interface-number –– enable interface mpls te mpls te required disabled by default exit to system view quit ...

  • Page 1665

    1-16 z configure mpls basic capabilities. Z configure mpls te basic capabilities. Configuration procedure follow these steps to create an mpls te tunnel over a cr-lsp: to do… use the command… remarks enter system view system-view –– enter the interface view of an mpls te tunnel interface tunnel tunn...

  • Page 1666

    1-17 configuring mpls te tunnel with dynamic signaling protocol dynamic signaling protocol can adapt the path of a te tunnel to network changes and implement redundancy, frr, and other advanced features. The following describes how to create an mpls te tunnel with a dynamic signaling protocol: z con...

  • Page 1667

    1-18 to do… use the command... Remarks enter system view system-view — enter mpls view mpls — enable cspf on your device mpls te cspf required disabled by default configuring ospf te configure ospf te if the routing protocol is ospf and a dynamic signaling protocol is used for mpls te tunnel setup. ...

  • Page 1668

    1-19 z according to rfc 3784, the length of the is reachability tlv (type 22) may reach the maximum of 255 octets in some cases. Z for an is-is lsp to carry this type of tlv and to be flooded normally on all interfaces with is-is enabled, the mtu of any is-is enabled interface, including 27 octets o...

  • Page 1669

    1-20 when inserting nodes to an explicit path or modifying nodes on it, you may configure the include keyword to have the established lsp traverse the specified nodes or the exclude keyword to have the established lsp bypass the specified nodes. Follow these steps to configure an mpls te explicit pa...

  • Page 1670

    1-21 establishing an mpls te tunnel with rsvp-te follow these steps to establish an mpls te tunnel with rsvp-te: to do… use the command... Remarks enter system view system-view –– enter mpls view mpls –– enable rsvp-te on your device mpls rsvp-te required disabled by default exit to system view quit...

  • Page 1671

    1-22 z configuring rsvp reservation style z configuring rsvp state timers z configuring the rsvp refreshing mechanism z configuring the rsvp hello extension z configuring rsvp-te resource reservation confirmation z configuring rsvp authentication configuring rsvp reservation style each lsp set up us...

  • Page 1672

    1-23 to do… use the command... Remarks configure the keep multiplier for psb and rsb mpls rsvp-te keep-multiplier number optional the default is 3. Configure the blockade timeout multiplier mpls rsvp-te blockade-multiplier number optional the default blockade timeout multiplier is 4. Configuring the...

  • Page 1673

    1-24 to do… use the command... Remarks configure the hello interval mpls rsvp-te timer hello timevalue optional the default is 3 seconds. Exit to system view quit –– enter interface view of mpls te link interface interface-type interface-number –– enable interface rsvp hello extension mpls rsvp-te h...

  • Page 1675

    1-26 configuration prerequisites the configuration tasks described in this section are about cspf of mpls te. They must be used in conjunction with cspf and the dynamic signaling protocol (cr-ldp or rsvp-te). Before performing them, be aware of each configuration objective and its impact on your system...

  • Page 1676

    1-27 follow these steps to configure the administrative group and affinity attribute: to do… use the command... Remarks enter system view system-view –– enter interface view of mpls te link interface interface-type interface-number –– assign the link to a link administrative group mpls te link admin...

  • Page 1677

    1-28 configuration prerequisites the configurations described in this section need to be used together with the dynamic signaling protocol rsvp-te. Before performing them, be aware of each configuration objective and its impact on your system. Configuration procedures tuning mpls te tunnel setup inv...

  • Page 1678

    1-29 configuring tunnel setup retry you may configure the system to attempt setting up a tunnel multiple times until it is established successfully or until the number of attempts reaches the upper limit. Follow these steps to configure tunnel setup retry: to do… use the command... Remarks enter sys...

  • Page 1679

    1-30 configuration procedures configuring traffic forwarding involves these tasks: z forwarding traffic along mpls te tunnels using static routes z forwarding traffic along mpls te tunnels through automatic route advertisement forwarding traffic along mpls te tunnels using static routes follow these...

  • Page 1680

    1-31 follow these steps to configure igp shortcut: to do… use the command... Remarks enter system view system-view –– enter mpls te tunnel interface view interface tunnel tunnel-number –– configure the igp to take the mpls te tunnels in up state into account when performing enhanced spf calculation ...

  • Page 1681

    1-32 to do… use the command... Remarks enable forwarding adjacency enable traffic-adjustment advertise required disabled by default if you use automatic route advertisement, it is required to specify the destination address of the te tunnel as the lsr id of the peer. Configuring traffic forwarding t...

  • Page 1683

    1-34 configuring cr-lsp backup cr-lsp backup provides end-to-end path protection to protect the entire lsp. Configuration prerequisites before configuring cr-lsp backup, do the following: z configure mpls basic capabilities z configure mpls te basic capabilities z configure mpls te tunnels configura...

  • Page 1684

    1-35 a bypass tunnel cannot be used for services like vpn at the same time. Configuration prerequisites before configuring frr, do the following: z configure igp, ensuring that all lsrs are reachable z configure mpls basic capabilities z configure mpls te basic capabilities z establish an mpls te tu...

  • Page 1685

    1-36 follow these steps to configure a bypass tunnel on its plr: to do… use the command... Remarks enter system view system-view –– enter interface view of the bypass tunnel interface tunnel tunnel-number –– specify the destination address of the bypass tunnel destination ip-address required z for n...

  • Page 1686

    1-37 to do… use the command... Remarks enter the view of the interface directly connected to the protected node or plr interface interface-type interface-number –– enable rsvp hello extension on the interface mpls rsvp-te hello required disabled by default rsvp hello extension is configured to detec...

  • Page 1687

    1-38 displaying and maintaining mpls te displaying and maintaining mpls te to do… use the command… remarks display information about explicit paths display explicit-path [ pathname ] available in any view display information about static cr-lsps display mpls static-cr-lsp [ lsp-name lsp-name ] [ { i...

  • Page 1690

    1-41 [switcha-vlan-interface1] quit [switcha] interface loopback 0 [switcha-loopback0] isis enable 1 [switcha-loopback0] quit # configure switch b. System-view [switchb] isis 1 [switchb-isis-1] network-entity 00.0005.0000.0000.0002.00 [switchb-isis-1] quit [switchb] interface vlan-interface 1 [switc...

  • Page 1691

    1-42 [switcha] mpls lsr-id 3.3.3.3 [switcha] mpls [switcha-mpls] mpls te [switcha-mpls] quit [switcha] interface vlan-interface 1 [switcha-vlan-interface1] mpls [switcha-vlan-interface1] mpls te [switcha-vlan-interface1] quit # configure switch b. [switchb] mpls lsr-id 2.2.2.2 [switchb] mpls [switch...

  • Page 1692

    1-43 [switchb] static-cr-lsp transit tunnel0 incoming-interface vlan-interface1 in-label 20 nexthop 3.2.1.2 out-label 30 # configure switch c as the egress node of the static cr-lsp. [switchc] static-cr-lsp egress tunnel0 incoming-interface vlan-interface2 in-label 30 6) verify the configuration per...

  • Page 1693

    1-44 ------------------------------------------------------------------ lsp information: static crlsp ------------------------------------------------------------------ fec in/out label in/out if vrf name -/- 20/30 vlan1/vlan2 [switchc] display mpls lsp ----------------------------------------------...

  • Page 1694

    1-45 figure 1-7 set up mpls te tunnels using rsvp-te (switch a, switch b, switch c and switch d, each with loop0, linked over vlan-int1, vlan-int2 and vlan-int3). Device, interface and ip address: switch a loop0 1.1.1.9/32; switch d loop0 4.4.4.9/32; vlan-int1 10.1.1.1/...

  • Page 1695

    1-46 [switchb-vlan-interface2] isis circuit-level level-2 [switchb-vlan-interface2] quit [switchb] interface loopback 0 [switchb-loopback0] isis enable 1 [switchb-loopback0] isis circuit-level level-2 [switchb-loopback0] quit # configure switch c. System-view [switchc] isis 1 [switchc-isis-1] networ...

  • Page 1696

    1-47 10.1.1.0/24 direct 0 0 10.1.1.1 vlan1 10.1.1.1/32 direct 0 0 127.0.0.1 inloop0 20.1.1.0/24 isis 15 20 10.1.1.2 vlan1 30.1.1.0/24 isis 15 30 10.1.1.2 vlan1 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 3) configure mpls te basic capabilities, and enable rsvp-...

  • Page 1697

    1-48 [switchc-vlan-interface3] mpls rsvp-te [switchc-vlan-interface3] quit [switchc] interface vlan-interface 2 [switchc-vlan-interface2] mpls [switchc-vlan-interface2] mpls te [switchc-vlan-interface2] mpls rsvp-te [switchc-vlan-interface2] quit # configure switch d. [switchd] mpls lsr-id 4.4.4.9 [...

  • Page 1698

    1-49 [switcha-tunnel1] tunnel-protocol mpls te [switcha-tunnel1] destination 4.4.4.9 [switcha-tunnel1] mpls te tunnel-id 10 [switcha-tunnel1] mpls te signal-protocol rsvp-te [switcha-tunnel1] mpls te bandwidth 2000 [switcha-tunnel1] mpls te commit [switcha-tunnel1] quit 6) verify the configuration p...

  • Page 1699

    1-50 backupbw type : - backupbw : - route pinning : disabled retry limit : 5 retry interval: 2 sec reopt : disabled reopt freq : - back up type : none back up lspid : - auto bw : disabled auto bw freq : - min bw : - max bw : - current collected bw: - interfaces protected: - vpn bind type : none vpn ...

  • Page 1700

    1-51 figure 1-8 configure rsvp-te gr configuration procedure 1) assign ip addresses and masks to interfaces (see figure 1-8 ) omitted 2) enable is-is to advertise host routes with lsr ids as destinations omitted 3) configure mpls te basic capabilities, and enable rsvp-te and rsvp hello extension # c...

  • Page 1701

    1-52 [switchb-vlan-interface2] mpls rsvp-te hello [switchb-vlan-interface2] quit # configure switch c. System-view [switchc] mpls lsr-id 3.3.3.9 [switchc] mpls [switchc-mpls] mpls te [switchc-mpls] mpls rsvp-te [switchc-mpls] mpls rsvp-te hello [switchc-mpls] quit [switchc] interface vlan-interface ...

  • Page 1702

    1-53 restart time: 120 sec recovery time: 300 sec cr-lsp backup configuration example network requirements set up an mpls te tunnel from switch a to switch c. Use cr-lsp hot backup for it. Figure 1-9 cr-lsp backup switch a loop0 vlan-int1 switch b switch c switch d loop0 loop0 vlan-int1 vlan-int2 vl...

  • Page 1703

    1-54 [switcha-vlan-interface1] mpls [switcha-vlan-interface1] mpls te [switcha-vlan-interface1] mpls rsvp-te [switcha-vlan-interface1] quit [switcha] interface vlan-interface 4 [switcha-vlan-interface4] mpls [switcha-vlan-interface4] mpls te [switcha-vlan-interface4] mpls rsvp-te [switcha-vlan-inter...

  • Page 1704

    1-55 perform the display mpls te tunnel command on switch a. You can find that two tunnels are present with the outgoing interface being vlan-interface 1 and vlan-interface 4 respectively. This indicates that a backup cr-lsp was created upon creation of the primary cr-lsp. [switcha] display mpls te ...

  • Page 1705

    1-56 1.1.1.9:2054 3.3.3.9 -/vlan4 tunnel1 configuring ordinary cr-lsp backup is almost the same as configuring hot cr-lsp backup except that you need to replace the mpls te backup hot-standby command with the mpls te backup ordinary command. Unlike in hot cr-lsp backup where a secondary tunnel is cr...

  • Page 1706

    1-57 vlan-int3 4.1.1.2/24 configuration procedure 1) assign ip addresses and masks to interfaces (see figure 1-10 ) omitted 2) configure the igp protocol # enable is-is to advertise host routes with lsr ids as destinations on each node. (omitted) perform the display ip routing-table command on each ...

  • Page 1707

    1-58 [switchb-mpls] mpls te cspf [switchb-mpls] quit [switchb] interface vlan-interface 1 [switchb-vlan-interface1] mpls [switchb-vlan-interface1] mpls te [switchb-vlan-interface1] mpls rsvp-te [switchb-vlan-interface1] quit [switchb] interface vlan-interface 2 [switchb-vlan-interface2] mpls [switch...

  • Page 1708

    1-59 perform the display interface tunnel command on switch a. You can find that tunnel4 is up. [switcha] display interface tunnel tunnel4 current state: up line protocol current state: up description: tunnel4 interface the maximum transmit unit is 64000 internet address is 10.1.1.1/24 primary encap...

  • Page 1709

    1-60 vpn bind type : none vpn bind value : - car policy : disabled tunnel group : primary primary tunnel : - backup tunnel : - group status : - oam status : up 5) configure a bypass tunnel on switch b (the plr) # create an explicit path for the bypass lsp. [switchb] explicit-path by-path [switchb-ex...

  • Page 1710

    1-61 3.3.3.3/32 null/1024 -/vla4 [switchc] display mpls lsp ------------------------------------------------------------------ lsp information: rsvp lsp ------------------------------------------------------------------ fec in/out label in/out if vrf name 4.4.4.4/32 1024/3 vlan2/vlan3 3.3.3.3/32 3/n...

  • Page 1711

    1-62 ingresslsrid : 1.1.1.1 locallspid : 1 tunnel-interface : tunnel4 fec : 4.4.4.4/32 nexthop : 3.1.1.2 in-label : 1024 out-label : 1024 in-interface : vlan-interface1 out-interface : vlan-interface2 lspindex : 4097 tunnel id : 0x22001 lsrtype : transit bypass in use : not used bypasstunnel : tunne...

  • Page 1712

    1-63 tunnel attributes : lsp id : 1.1.1.1:1 session id : 10 admin state : up oper state : up ingress lsr id : 1.1.1.1 egress lsr id: 4.4.4.4 signaling prot : rsvp resv style : se class type : class 0 tunnel bw : 0 kbps reserved bw : 0 kbps setup priority : 7 hold priority: 7 affinity prop/mask : 0x0...

  • Page 1713

    1-64 affinity prop/mask : 0x0/0x0 explicit path name : pri-path tie-breaking policy : none metric type : none record route : enabled record label : enabled frr flag : enabled backupbw flag: not supported backupbw type : - backupbw : - route pinning : disabled retry limit : 5 retry interval: 10 sec r...

  • Page 1714

    1-65 out-label : 1024 in-interface : vlan-interface1 out-interface : vlan-interface2 lspindex : 4097 tunnel id : 0x22001 lsrtype : transit bypass in use : in use bypasstunnel : tunnel index[tunnel5], innerlabel[1024] mpls-mtu : 1500 no : 2 ingresslsrid : 2.2.2.2 locallspid : 1 tunnel-interface : tun...

  • Page 1715

1-66 mpls te in mpls l3vpn configuration example network requirements ce 1 and ce 2 belong to vpn 1. They are connected to the mpls backbone respectively through pe 1 and pe 2. The igp protocol running on the mpls backbone is ospf. Do the following: - set up an mpls te tunnel to forward the vpn traf...

  • Page 1716

    1-67 [pe2-vlan-interface2] ip address 10.0.0.2 255.255.255.0 [pe2-vlan-interface2] quit [pe2] ospf [pe2-ospf-1] area 0 [pe2-ospf-1-area-0.0.0.0] network 10.0.0.0 0.0.0.255 [pe2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0 [pe2-ospf-1-area-0.0.0.0] quit [pe2-ospf-1] quit after you complete the config...

  • Page 1717

    1-68 [pe2-mpls] quit [pe2] interface vlan-interface 2 [pe2-vlan-interface2] mpls [pe2-vlan-interface2] quit 3) enable mpls te, cspf and ospf te # configure pe 1. [pe1] mpls [pe1-mpls] mpls te [pe1-mpls] mpls te cspf [pe1-mpls] quit [pe1] interface vlan-interface 2 [pe1-vlan-interface2] mpls te [pe1-...

  • Page 1718

    1-69 [pe1-tunnel1] mpls te signal-protocol rsvp-te [pe1-tunnel1] mpls te commit [pe1-tunnel1] quit perform the display interface tunnel command on pe 1. You can see that the tunnel interface is up. # create a te tunnel with pe 2 as the headend and pe 1 as the tail. The signaling protocol is rsvp-te....

  • Page 1719

    1-70 [pe2] ip vpn-instance vpn1 [pe2-vpn-instance-vpn1] route-distinguisher 100:2 [pe2-vpn-instance-vpn1] vpn-target 100:1 both [pe2-vpn-instance-vpn1] quit [pe2] interface vlan-interface 3 [pe2-vlan-interface3] ip binding vpn-instance vpn1 [pe2-vlan-interface3] ip address 192.168.2.1 255.255.255.0 ...

  • Page 1720

    1-71 [pe1-bgp] peer 3.3.3.3 as-number 100 [pe1-bgp] peer 3.3.3.3 connect-interface loopback1 [pe1-bgp] ipv4-family vpnv4 [pe1-bgp-af-vpnv4] peer 3.3.3.3 enable [pe1-bgp-af-vpnv4] quit [pe1-bgp] quit # configure ce 2. [ce2] bgp 65002 [ce2-bgp] peer 192.168.2.1 as-number 100 [ce2-bgp] quit # configure...

  • Page 1721

    1-72 reply from 192.168.2.2: bytes=56 sequence=5 ttl=253 time=36 ms --- 192.168.2.2 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 36/52/61 ms [ce2] ping 192.168.1.2 ping 192.168.1.2: 56 data bytes, press ctrl_c to break reply from 192.168...

  • Page 1722

    1-73 fec : 2.2.2.2/32 nexthop : 10.0.0.1 in-label : 3 out-label : null in-interface : vlan-interface2 out-interface : ---------- lspindex : 2051 tunnel id : 0x430000e lsrtype : exgress bypass in use : not exists bypasstunnel : tunnel index[---] mpls-mtu : 1500 ---------------------------------------...

  • Page 1723

    1-74 troubleshooting mpls te symptom: ospf te is configured but no te lsas can be generated to describe mpls te attributes. Analysis: for te lsas to be generated, at least one ospf neighbor must reach the full state. Solution: 1) perform the display current-configuration command to check that mpls t...

  • Page 1724: Qos Volume Organization

    Qos volume organization manual version 20091015-c-1.00 product version release 6605 and later organization the qos volume is organized as follows: features description qos for network traffic, the quality of service (qos) involves bandwidth, delay, and packet loss rate during traffic forwarding proc...

  • Page 1725: Table of Contents

    I table of contents 1 qos overview ············································································································································1-1 introduction to qos ·····································································································...

  • Page 1726

    Ii configuration procedure··················································································································4-7 configuration example ····················································································································4-7 configuring th...

  • Page 1727

    Iii referencing an aggregation car in a traffic behavior ·······································································10-1 configuration prerequisites ···········································································································10-1 configuration procedure ···...

  • Page 1728: Qos Overview

    1-1 1 qos overview the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; if the s7900e ser...

  • Page 1729

    1-2 best-effort service model best effort is a single service model and also the simplest service model. In the best effort service model, the network delivers the packets at its best effort but does not guarantee delay or reliability. The best-effort service model is the default model in the intern...

  • Page 1730

1-3 positions of the qos techniques in a network figure 1-1 positions of the qos techniques in a network as shown in figure 1-1, traffic classification, traffic shaping, traffic policing, congestion management, and congestion avoidance mainly implement the following functions: - traffic classificat...

  • Page 1731: Qos Configuration Approaches

2-1 2 qos configuration approaches this chapter covers the following topics: - qos configuration approach overview - configuring a qos policy qos configuration approach overview two approaches are available for you to configure qos: policy-based and non policy-based. Some qos features can be configu...

  • Page 1732

    2-2 configuring a qos policy figure 2-1 shows how to configure a qos policy. Figure 2-1 qos policy configuration procedure defining a class to define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class: to do… use the comma...

  • Page 1734

2-4 suppose the logical relationship between classification rules is and. Note the following when using the if-match command to define matching rules. - if multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules i...

  • Page 1735

    2-5 defining a policy in a policy, you can define multiple class-behavior associations. A behavior is performed for the associated class of packets. In this way, various qos features can be implemented. Follow these steps to associate a class with a behavior in a policy: to do… use the command… rema...

  • Page 1736

2-6 - you can modify classes, behaviors, and class-behavior associations in a qos policy even after it is applied. - the qos policies applied to ports, vlans, and the system globally have descending priorities. For example, if a port and a vlan carried on the port have both referenced a qos policy f...

  • Page 1737

    2-7 to do… use the command… remarks enter user profile view user-profile profile-name required the configuration made in user profile view takes effect when the user-profile is activated and there are online users. Refer to user profile configuration in the qos volume for more information about user...

  • Page 1738

    2-8 applying the qos policy globally you can apply a qos policy globally to the inbound or outbound direction of all ports. Follow these steps to apply the qos policy globally: to do… use the command… remarks enter system view system-view — apply the qos policy globally qos apply policy policy-name ...

  • Page 1739

2-9 - the qos policy applied to the control plane for a specific slot takes effect only on the slot. - in case a global qos policy conflicts with a control plane qos policy, the control plane qos policy takes effect on the control plane. - by default, devices are configured with pre-defined control ...

  • Page 1741

3-1 3 priority mapping configuration when configuring priority mapping, go to these sections for information you are interested in: - priority mapping overview - priority mapping configuration tasks - configuring priority mapping - displaying and maintaining priority mapping - priority mapping confi...

  • Page 1742

3-2 - exp-dp: exp-to-drop priority mapping table. The default priority mapping tables (as shown in appendix b default priority mapping tables) are available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority mapping table cannot meet your requirements, ...

  • Page 1743

    3-3 for an mpls packet, the priority mapping procedure as shown in figure 3-2 is adopted: figure 3-2 priority mapping procedure for an mpls packet receive a packet look up the exp-dp table mark the packet with drop precedence look up the exp-dot1p table mark the packet with new 802.1p priority look ...

  • Page 1745

    3-5 to do… use the command… remarks display the priority trust mode configuration on the port display qos trust interface [ interface-type interface-number ] optional available in any view configuring the port priority of a port you can change the port priority of a port used for priority mapping. F...

  • Page 1746

3-6 network requirements as shown in figure 3-3, the enterprise network of a company interconnects all departments through device. The network is described as follows: - the marketing department connects to gigabitethernet 2/0/1 of device, which sets the 802.1p priority of traffic from the marketin...

  • Page 1747

    3-7 figure 3-3 network diagram for priority mapping table and priority marking configuration host server r&d department internet device ge2/0/1 ge2/0/2 ge2/0/3 ge2/0/4 marketing department host server host server management department public servers ge2/0/5 data server mail server configuration proc...

  • Page 1748

    3-8 3) configure priority marking # mark the http traffic of the management department, marketing department, and r&d department to the internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6,...

  • Page 1749: Configuration

4-1 4 traffic policing, traffic shaping, and line rate configuration when configuring traffic classification, traffic policing, and traffic shaping, go to these sections for information you are interested in: - traffic policing, traffic shaping, and line rate overview - configuring traffic policing ...

  • Page 1750

    4-2 one evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, it means...

  • Page 1751

    4-3 figure 4-1 schematic diagram for traffic policing traffic policing is widely used in policing traffic entering the networks of internet service providers (isps). It can classify the policed traffic and perform pre-defined policing actions based on different evaluation results. These actions incl...

  • Page 1752

    4-4 figure 4-2 schematic diagram for gts for example, in figure 4-3 , switch a sends packets to switch b. Switch b performs traffic policing on packets from switch a and drops packets exceeding the limit. Figure 4-3 gts application you can perform traffic shaping for the packets on the outgoing inte...

  • Page 1753

    4-5 figure 4-4 line rate implementation in the token bucket approach to traffic control, bursty traffic can be transmitted so long as enough tokens are available in the token bucket; if tokens are inadequate, packets cannot be transmitted until the required number of tokens are generated in the toke...

  • Page 1754

    4-6 to do… use the command… remarks create a policy and enter policy view qos policy policy-name — associate the class with the traffic behavior in the qos policy classifier tcl-name behavior behavior-name — exit policy view quit — to an interface applying the qos policy to an interface — to online ...

  • Page 1755

    4-7 configuring gts configuration procedure on the s7900e series switches, traffic shaping is implemented as queue-based gts, that is, configuring gts parameters for packets of a certain queue. Follow these steps to configure queue-based gts: to do… use the command… remarks enter system view system-...

  • Page 1756

    4-8 to do… use the command… remarks enter interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group manual port-group-name use either command settings in interface view take effect on the current interface; settings in port grou...

  • Page 1758

5-1 5 congestion management configuration when configuring hardware congestion management, go to these sections for information you are interested in: - congestion management overview - congestion management configuration approaches - per-queue hardware congestion management - displaying and maintai...

  • Page 1759

    5-2 each queuing algorithm addresses a particular network traffic problem and which algorithm is used affects bandwidth resource assignment, delay, and jitter significantly. Queue scheduling processes packets by their priorities, preferentially forwarding high-priority packets. In the following sect...

  • Page 1760

    5-3 figure 5-3 schematic diagram for wrr queuing assume there are eight output queues on a port. Wrr assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 mbps port, you can configure the weight valu...

  • Page 1761

5-4 - short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with fq, wfq takes weights into account when determining...

  • Page 1762

    5-5 task remarks configuring wfq queuing optional configuring sp+wrr queues optional per-queue hardware congestion management configuring sp queuing configuration procedure follow these steps to configure sp queuing: to do… use the command… remarks enter system view system-view — enter interface vie...

  • Page 1763

    5-6 to do… use the command… remarks enter interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group manual port-group-name use either command settings in interface view take effect on the current interface; settings in port grou...

  • Page 1764

    5-7 to do… use the command… remarks group view enter port group view port-group manual port-group-name settings in port group view take effect on all ports in the port group. Enable wfq queuing qos wfq required the default queuing algorithm on an interface is sp queuing. Configure the minimum guaran...

  • Page 1765

    5-8 configuring sp+wrr queues configuration procedure follow these steps to configure sp + wrr queues: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number enter interface view or port group view enter port group view port-gro...

  • Page 1766

    5-9 displaying and maintaining congestion management to do… use the command… remarks display wrr queue configuration information display qos wrr interface [ interface-type interface-number ] display sp queue configuration information display qos sp interface [ interface-type interface-number ] displ...

  • Page 1767: Congestion Avoidance

6-1 6 congestion avoidance when configuring congestion avoidance, go to these sections for information you are interested in: - congestion avoidance overview - introduction to wred configuration - configuring wred on an interface - displaying and maintaining wred congestion avoidance overview seriou...

  • Page 1768

6-2 - when the queue size is between the lower threshold and the upper threshold, the received packets are dropped at random. The longer a queue is, the higher the drop probability is. However, a maximum drop probability exists. Different from red, wred determines differentiated drop policies for pa...

  • Page 1769

    6-3 configuration procedure follow these steps to configure wred: to do… use the command… remarks enter system view system-view — create a wred table qos wred queue table table-name — configure the drop parameters for each queue in the wred table queue queue-id [ drop-level drop-level ] low-limit lo...

  • Page 1771

7-1 7 traffic filtering configuration when configuring traffic filtering, go to these sections for information you are interested in: - traffic filtering overview - configuring traffic filtering - traffic filtering configuration example traffic filtering overview you can filter in or filter out a cl...

  • Page 1772

    7-2 to do… use the command… remarks globally applying the qos policy globally — to the control plane applying the qos policy to the control plane — display the traffic filtering configuration display traffic behavior user-defined [ behavior-name ] optional available in any view with filter deny conf...

  • Page 1773

    7-3 figure 7-1 network diagram for traffic filtering configuration configuration procedure # create advanced acl 3000, and configure a rule to match packets whose source port number is 21. System-view [devicea] acl number 3000 [devicea-acl-basic-3000] rule 0 permit tcp source-port eq 21 [devicea-acl...

  • Page 1774

8-1 8 priority marking configuration when configuring priority marking, go to these sections for information you are interested in: - priority marking overview - configuring priority marking - priority marking configuration example priority marking overview priority marking can be used together with...

  • Page 1775

    8-2 to do… use the command… remarks set the drop precedence for packets remark drop-precedence drop-precedence-value optional applicable to only the outbound direction set the ip precedence for packets remark ip-precedence ip-precedence-value optional set the local precedence for packets remark loca...

  • Page 1776

    8-3 table 8-1 support of sc/sa/ea cards for priority marking card category (right) sc sa ea action (below) inbound outbound inbound outbound inbound outbound remarking the 802.1p precedence for packets supported supported supported not supported supported not supported remarking the drop precedence ...

  • Page 1777

    8-4 card category (right) eb sd remarking the local precedence for packets supported not supported supported not supported remarking the specified qos local id for packets. Supported not supported supported not supported priority marking configuration example priority marking configuration example n...

  • Page 1778

    8-5 [device-acl-adv-3000] quit # create advanced acl 3001, and configure a rule to match packets with destination ip address 192.168.0.2. [device] acl number 3001 [device-acl-adv-3001] rule permit ip destination 192.168.0.2 0 [device-acl-adv-3001] quit # create advanced acl 3002, and configure a rul...

  • Page 1779

    8-6 [device-qospolicy-policy_server] quit # apply the policy named policy_server to the incoming traffic of gigabitethernet 2/0/1. [device] interface gigabitethernet 2/0/1 [device-gigabitethernet2/0/1] qos apply policy policy_server inbound [device-gigabitethernet2/0/1] quit qos-local-id marking con...

  • Page 1780

    8-7 # create a qos policy car_policy. In the qos policy, associate class class_a with behavior behavior_a, and associate class class_b with behavior behavior_b. [sysname] qos policy car_policy [sysname-qospolicy-car_policy] classifier class_a behavior behavior_a [sysname-qospolicy-car_policy] classi...

  • Page 1781

9-1 9 traffic redirecting configuration when configuring traffic redirecting, go to these sections for information you are interested in: - traffic redirecting overview - configuring traffic redirecting traffic redirecting overview traffic redirecting is the action of redirecting the packets matchin...

  • Page 1782

9-2 to do… use the command… remarks to an interface applying the qos policy to an interface — to a vlan applying the qos policy to a vlan — globally applying the qos policy globally — apply the qos policy to the control plane applying the qos policy to the control plane — - generally, the action of ...

  • Page 1783

    10-1 10 aggregation car configuration aggregation car overview with aggregation car, one car is used to rate limit flows on different ports as a whole. If aggregation car is enabled for multiple ports, the total traffic on these ports must conform to the traffic policing parameters set in the aggreg...

  • Page 1784

    10-2 to do… use the command… remarks reference the aggregation car in the traffic behavior car name car-name required exit policy view quit — to an interface applying the qos policy to an interface — to a vlan applying the qos policy to a vlan — globally applying the qos policy globally — apply the ...

  • Page 1785

    10-3 [sysname-behavior-2] quit # create qos policy car, associate class 1 with behavior 1, and associate class 2 with behavior 2. [sysname] qos policy car [sysname-qospolicy-car] classifier 1 behavior 1 [sysname-qospolicy-car] classifier 2 behavior 2 [sysname-qospolicy-car] quit # apply the qos poli...

  • Page 1786

11-1 11 class-based accounting configuration when configuring class-based accounting, go to these sections for information you are interested in: - class-based accounting overview - configuring class-based accounting - displaying and maintaining traffic accounting - class-based accounting configurat...

  • Page 1787

    11-2 displaying and maintaining traffic accounting after completing the configuration above, you can verify the configuration with the display qos policy global, display qos policy interface, or display qos vlan-policy command depending on the occasion where the qos policy is applied. Class-based ac...

  • Page 1788

    11-3 # display traffic statistics to verify the configuration. [devicea] display qos policy interface gigabitethernet 2/0/1 interface: gigabitethernet2/0/1 direction: inbound policy: policy classifier: classifier_1 operator: and rule(s) : if-match acl 2000 behavior: behavior_1 accounting enable: 16 ...

  • Page 1789: Qos In An Epon System

4 12 qos in an epon system when configuring qos in an epon system, go to these sections for information you are interested in: - qos in an epon system - configuring qos in an epon system qos in an epon system an s7900e switch installed with an olt card can work as an olt in an epon system. For detai...

  • Page 1790

5 figure 12-1 qos model for uplink traffic in an epon system qos functions for downlink traffic processing on an olt - configuring the olt to perform priority mapping for packets received from the uplink port according to the cos-to-local precedence mapping table and then assign packets to output qu...

  • Page 1791

    6 configuring qos in an epon system qos configuration task list in an epon system qos configurations in an epon system are the same as those in ethernet, and the corresponding configuration commands in olt port view and onu port view are the same as those in ethernet port view too. For detailed conf...

  • Page 1792

    7 table 12-2 configure qos at the onu side of an epon system qos at the onu side reference configuring traffic classification and cos priority marking for incoming packets on unis priority mapping on the uni configure priority trust mode for the onu configuring the priority trust mode on a port conf...

  • Page 1793

    8 you can enable high-priority packet buffering for multiple onus, and the olt will reserve an independent buffer for each onu. Follow these steps to configure rate limiting: to do… use the command… remarks enter system view system-view — enter olt port view interface interface-type interface-number...

  • Page 1794

    9 to do… use the command… remarks enter system view system-view — enter onu port view interface interface-type interface-number — enable the onu downlink bandwidth allocation policy and prioritize high-priority packets bandwidth downstream policy enable required by default, the downlink bandwidth al...

  • Page 1795

    10 follow these steps to configure the mapping between cos precedence values and local precedence values: to do... Use the command... Remarks enter system view system-view — enter onu port view interface interface-type interface-number — configure the mapping between cos precedence values and local ...

  • Page 1796

    11 vlan operation mode with or without vlan tag packet processing with vlan tag case 1: the vlan id in the vlan tag matches a vlan translation entry on the port. The vlan id is replaced with the vlan id corresponding to the entry, and then: z if the packet matches the configured traffic classificati...

  • Page 1797

12 table 12-5 restrictions about the configuration item restrictions priority remarking based on the source mac address or destination mac address - if a source mac address-based traffic classification rule and a destination mac address-based traffic classification rule are configured for a uni port...

  • Page 1799

    14 # configure the vlan operation mode as transparent for uni 1 and uni 2. [sysname-onu3/0/1:1] uni 1 vlan-mode transparent [sysname-onu3/0/1:1] uni 2 vlan-mode transparent for detailed information about onu uplink bandwidth and vlan operation mode of a uni, refer to epon-olt in the access volume. #...

  • Page 1800: Appendix

13-1 13 appendix this chapter covers the following appendixes: - appendix a acronym - appendix b default priority mapping tables - appendix c introduction to packet precedences appendix a acronym table 13-1 appendix a acronym acronym full spelling af assured forwarding be best effort car committed a...

  • Page 1801

    13-2 acronym full spelling pe provider edge phb per-hop behavior pir peak information rate pq priority queuing qos quality of service red random early detection rsvp resource reservation protocol rtp real time protocol sla service level agreement te traffic engineering tos type of service tp traffic...

  • Page 1802

    13-3 table 13-2 the default dot1p-lp, dot1p-dp, dot1p-dscp, and dot1p-rpr priority mapping tables input priority value dot1p-lp mapping dot1p-dp mapping dot1p-dscp mapping dot1p-rpr mapping 802.1p priority (dot1p) local precedence (lp) drop precedence (dp) dscp rpr precedence (rpr) 0 2 0 0 0 1 0 0 8...

  • Page 1803

    13-4 table 13-5 the default exp-dscp, exp-dp, and exp-rpr priority mapping tables input priority value exp-dscp mapping exp-dp mapping exp-rpr mapping exp value dscp drop precedence (dp) rpr 0 0 0 0 1 8 0 0 2 16 0 1 3 24 0 1 4 32 0 2 5 40 0 2 6 48 0 2 7 56 0 2 table 13-6 the default lp-dot1p and lp-...

  • Page 1804

    13-5 table 13-8 the default port priority-to-local priority mapping table (port priority → local precedence (lp)): 0 → 0; 1 → 1; 2 → 2; 3 → 3; 4 → 4; 5 → 5; 6 → 6; 7 → 7. table 13-9 the default up-dot1p, up-dscp, up-exp, up-dp, up-lp, up-rpr, and up-fc priority mapping tables (input priority value → up-dot1p mapping, up-dscp mapp...

  • Page 1805

    13-6 table 13-10 the default dscp-dot1p, dscp-dp, dscp-exp, and dscp-lp priority mapping tables for green packets (input dscp of green packets → 802.1p priority (dot1p), drop precedence (dp), exp, local precedence (lp)): 0 to...

  • Page 1806

    13-7 (dscp-dot1p, dscp-dp, dscp-exp, and dscp-lp mappings, continued; input dscp → dot1p, dp, exp, lp): 16 to 23 → 2, 2, 2, 2; 24 to 31 → 3, 2, 3, 3; 32 to 39 → 4, 2, 4, 4; 40 to 47 → 5, 2, 5, 5; 48 to 55 → 6, 2, 6, 6; 56 to 63 → 7, 2, 7, 7. table 13-13 the default exp-dp and exp-dscp priority mapping tables for green packets (input priority val...

  • Page 1807

    13-8 table 13-15 the default exp-dp and exp-dscp priority mapping tables for red packets (input exp of red packets → drop precedence (dp), dscp): exp 0 → dp 2, dscp 0; exp 1 → dp 2, dscp 8; exp 2 → dp 2, dscp 16; exp 3 → dp 2, dscp 24; exp 4 → dp 2, dscp 32; exp 5 → dp 2, dscp 40; exp 6 → dp 2, dscp 48; exp 7 → dp 2, dscp 56. table 13-16 the default lp-dp, lp-dot1p, and lp-dscp priorit...

  • Page 1808

    13-9 table 13-18 the default lp-dp, lp-dot1p, and lp-dscp priority mapping tables for red packets (input local precedence (lp) of red packets → drop precedence (dp), 802.1p priority (dot1p), dscp): lp 0 → dp 2, dot1p 1, dscp 0; lp 1 → dp 2, dot1p 2, dscp 8; lp 2 → dp 2, dot1p 0, dscp 16; lp 3 → dp 2, dot1p 3, dscp 24; lp 4 → dp 2, dot1p 4, dscp 32; lp 5 → dp 2, ...

  • Page 1809

    13-10 as shown in figure 13-1, the tos field of the ip header contains eight bits, and the first three bits (0 to 2) represent ip precedence from 0 to 7. According to rfc 2474, the tos field of the ip header is redefined as the differentiated services (ds) field, where a dscp value is represented b...

  • Page 1810

    13-11 (dscp value (decimal), dscp value (binary), description): 0, 000000, be (default). 802.1p priority: 802.1p priority lies in layer 2 packet headers and is applicable to occasions where layer 3 header analysis is not needed and qos must be assured at layer 2. Figure 13-2 an ethernet frame with an 802.1q ...

  • Page 1811

    13-12 exp values the exp field lies in mpls labels and is used for qos. Figure 13-4 mpls label structure as shown in figure 13-4, the exp field is 3 bits long and ranges from 0 to 7.

  • Page 1812: Table of Contents

    I table of contents 1 user profile configuration 1-1 user profile overview ...

  • Page 1813: User Profile Configuration

    1-1 1 user profile configuration when configuring user profile, go to these sections for information you are interested in: • user profile overview • user profile configuration task list • creating a user profile • configuring a user profile • enabling a user profile • displaying and maintaining use...

  • Page 1814

    1-2 creating a user profile configuration prerequisites before creating a user profile, you need to configure authentication parameters. User profile supports 802.1x and portal authentications. You can select one of them to authenticate users based on the actual networking when users access the netw...

  • Page 1815

    1-3 • if a user profile is active, the qos policy, except acls referenced in the qos policy, applied to it cannot be configured or removed. If the user profile is being used by online users, the referenced acls cannot be modified either. • the qos policies applied in user profile view support only t...

  • Page 1816: Security Volume Organization

    Security volume organization manual version 20091015-c-1.00 product version release 6605 and later organization the security volume is organized as follows (features, description): aaa: authentication, authorization and accounting (aaa) provide a uniform framework used for configuring these three securi...

  • Page 1817

    (features, description, continued) ip source guard: by filtering packets on a per-port basis, ip source guard prevents illegal packets from traveling through, thus improving the network security. This document describes: • configuring a static binding entry • configuring dynamic binding function. ssh2.0: ssh ensures...

  • Page 1818: Table of Contents

    I table of contents 1 aaa configuration 1-1 introduction to aaa ...

  • Page 1819

    Ii configuring interpretation radius class attribute as car parameters 1-33 displaying and maintaining radius 1-34 configuring hwtacacs ...

  • Page 1820: Aaa Configuration

    1-1 1 aaa configuration the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; if the s7900...

  • Page 1821

    1-2 figure 1-1 aaa networking diagram when a user tries to establish a connection to the nas and to obtain the rights to access other networks or some network resources, the nas authenticates the user or the corresponding connection. The nas can transparently pass the user’s aaa information to the s...

  • Page 1822

    1-3 radius uses udp port 1812 for authentication and 1813 for accounting. Radius defines the radius packet format and message transfer mechanism. Radius was originally designed for dial-in user access. With the diversification of access methods, radius has been extended to support more access method...

  • Page 1823

    1-4 figure 1-3 basic message exchange process of radius (participants: host, radius client, radius server; labelled steps): 1) username and password 2) access-request 3) access-accept/reject 4) accounting-request (start) 5) accounting-response 7) accounting-request (stop) 8) accounting-response 9) notification of access termination 6...

  • Page 1824

    1-5 figure 1-4 radius packet format descriptions of the fields are as follows: 2) the code field (1-byte long) is for indicating the type of the radius packet. Table 1-1 gives the possible values and their meanings. Table 1-1 main values of the code field (code, packet type, description): 1 access-reques...

  • Page 1825

    1-6 5) the authenticator field (16-byte long) is used to authenticate replies from the radius server, and is also used in the password hiding algorithm. There are two kinds of authenticators: request authenticator and response authenticator. 6) the attribute field, with a variable length, carries th...

  • Page 1826

    1-7 (no., attribute, continued): 26 vendor-specific, 73 arap-security; 27 session-timeout, 74 arap-security-data; 28 idle-timeout, 75 password-retry; 29 termination-action, 76 prompt; 30 called-station-id, 77 connect-info; 31 calling-station-id, 78 configuration-token; 32 nas-identifier, 79 eap-message; 33 proxy-s...

  • Page 1827

    1-8 • vendor-length: indicates the length of the sub-attribute. • vendor-data: indicates the contents of the sub-attribute. Figure 1-5 segment of a radius packet containing an extended attribute introduction to hwtacacs hw terminal access controller access control system (hwtacacs) is an enhanced se...

  • Page 1828

    1-9 basic message exchange process of hwtacacs the following takes a telnet user as an example to describe how hwtacacs performs user authentication, authorization, and accounting. Figure 1-6 illustrates the basic message exchange process of hwtacacs. Figure 1-6 basic message exchange process of hwt...

  • Page 1829

    1-10 9) the user inputs the password. 10) after receiving the login password, the hwtacacs client sends to the hwtacacs server a continue-authentication packet carrying the login password. 11) the hwtacacs server sends back an authentication response indicating that the user has passed authenticatio...

  • Page 1830

    1-11 for a user who has logged in to the device, aaa provides the following services to enhance device security: • command authorization: allows the authorization server to check each command executed by the login user and only authorized commands can be successfully executed. • command accounting: ...

  • Page 1831

    1-12 • authentication method: no authentication (none), local authentication (local), or remote authentication (scheme) • authorization method: no authorization (none), local authorization (local), or remote authorization (scheme) • accounting method: no accounting (none), local accounting (local),...

  • Page 1832

    1-13 (task, remarks): configuring aaa accounting methods for an isp domain (optional); configuring local user attributes (optional); configuring user group attributes (optional); tearing down user connections forcibly (optional); configuring a nas id-vlan binding (optional); displaying and maintaining aaa (optional). rad...

  • Page 1833

    1-14 (task, remarks): setting timers regarding hwtacacs servers (optional); displaying and maintaining hwtacacs (optional). configuring aaa: by configuring aaa, you can provide network access service for legal users, protect the networking devices, and avoid unauthorized access and repudiation. In addition, yo...

  • Page 1835

    1-16 features high speed and low cost, but the amount of information that can be stored is limited by the hardware. • remote authentication (scheme): the access device cooperates with a radius, or hwtacacs server to authenticate users. As for radius, the device can use the standard radius protocol o...

  • Page 1836

    1-17 • the authentication method specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode. • with an authentication method that references a radius scheme, aaa accepts only the authentication result from the radius serv...

  • Page 1837

    1-18 the console, or telnet to connect to the device, such as telnet or ssh users. Each connection of these types is called an exec user). The default right for ftp users is to use the root directory of the device. Before configuring authorization methods, complete these three tasks: 1) for hwtacacs...

  • Page 1838

    1-19 • the authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. • radius authorization is special in that it takes effect only when the radius authorization scheme is the same as the radius auth...

  • Page 1839

    1-20 (to do…, use the command…, remarks): enter system view: system-view; enter isp domain view: domain isp-name; enable the accounting optional feature: accounting optional (optional; disabled by default); specify the default accounting method for all types of users: accounting default { hwtacacs-scheme hwtac...

  • Page 1840

    1-21 configuring local user attributes for local authentication, you need to create local users and configure user attributes on the device as needed. A local user represents a set of user attributes configured on a device and is uniquely identified by the username. For a user requesting a network s...

  • Page 1842

    1-23 follow these steps to configure the attributes for a user group (to do…, use the command…, remarks): enter system view: system-view; create a user group and enter user group view: user-group group-name (required); configure the authorization attributes for the user group: authorization-attribute { acl a...

  • Page 1843

    1-24 displaying and maintaining aaa (to do…, use the command…, remarks): display the configuration information of a specified isp domain or all isp domains: display domain [ isp-name ] (available in any view); display information about specified or all user connections on a distributed device: display connect...

  • Page 1844

    1-25 when there are users online, you cannot modify radius parameters other than the number of retransmission attempts and the timers. Creating a radius scheme before performing other radius configurations, follow these steps to create a radius scheme and enter radius scheme view: to do… use the com...

  • Page 1845

    1-26 • it is recommended to specify only the primary radius authentication/authorization server if backup is not required. • if both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. • in practice, you may spe...

  • Page 1846

    1-27 • it is recommended to specify only the primary radius accounting server if backup is not required. • if both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. • in practice, you can specify two radius servers as the pri...

  • Page 1847

    1-28 setting the upper limit of radius request retransmission attempts because radius uses udp packets to carry data, the communication process is not reliable. If a nas receives no response from the radius server before the response timeout timer expires, it is required to retransmit the radius req...

  • Page 1848

    1-29 setting the status of radius servers when a primary server fails, the device automatically tries to communicate with the secondary server. When both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, the primar...

  • Page 1849

    1-30 configuring attributes related to data to be sent to the radius server follow these steps to configure the attributes related to data to be sent to the radius server (to do…, use the command…, remarks): enter system view: system-view; enter radius scheme view: radius scheme radius-scheme-name; spec...

  • Page 1850

    1-31 specifying the source ip address for radius packets to be sent after you specify the source ip address for radius packets to be sent, response packets from the radius server will still be able to arrive at the nas even if the physical port for sending the radius packets fails. Follow these steps to specify ...

  • Page 1851

    1-32 (to do…, use the command…, remarks): enter system view: system-view; enter radius scheme view: radius scheme radius-scheme-name; set the radius server response timeout timer: timer response-timeout seconds (optional; 3 seconds by default); set the quiet timer for the primary server: timer quiet minutes (op...

  • Page 1852

    1-33 (to do…, use the command…, remarks): specify a security policy server: security-policy-server ip-address (optional; not specified by default; you can specify up to eight security policy servers for a radius scheme). enabling the listening port of the radius client: follow these steps to enable the listeni...

  • Page 1853

    1-34 • whether to configure this command depends on the implementation of the device and radius server. • currently, the s7900e series ethernet switches do not support assigning car parameters through the class attribute. Displaying and maintaining radius (to do…, use the command…, remarks): display the ...

  • Page 1855

    1-36 (to do…, use the command…, remarks): enter system view: system-view; enter hwtacacs scheme view: hwtacacs scheme hwtacacs-scheme-name; specify the primary hwtacacs authentication server: primary authentication ip-address [ port-number ]; specify the secondary hwtacacs authentication server: secondary a...

  • Page 1856

    1-37 (to do…, use the command…, remarks): specify the secondary hwtacacs authorization server: secondary authorization ip-address [ port-number ]. • it is recommended to specify only the primary hwtacacs authorization server if backup is not required. • if both the primary and secondary authorization serve...

  • Page 1857

    1-38 • it is recommended to specify only the primary hwtacacs accounting server if backup is not required. • if both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. • the ip addresses of the primary and secondary accounting...

  • Page 1859

    1-40 (to do…, use the command…, remarks): enter system view: system-view; enter hwtacacs scheme view: hwtacacs scheme hwtacacs-scheme-name; set the hwtacacs server response timeout timer: timer response-timeout seconds (optional; 5 seconds by default); set the quiet timer for the primary server: timer quiet mi...

  • Page 1860

    1-41 aaa configuration examples aaa for telnet users by an hwtacacs server network requirements as shown in figure 1-9, • configure the switch to use the hwtacacs server to provide authentication, authorization, and accounting services for telnet users. The ip address of the server is 10.1.1.1/24. ...

  • Page 1861

    1-42 [switch-hwtacacs-hwtac] key authentication expert [switch-hwtacacs-hwtac] key authorization expert [switch-hwtacacs-hwtac] key accounting expert # specify that a username sent to the radius server carries no domain name. [switch-hwtacacs-hwtac] user-name-format without-domain [switch-hwtacacs-h...

  • Page 1862

    1-43 figure 1-10 configure aaa by separate servers for telnet users configuration procedure # configure the ip addresses of various interfaces (omitted). # enable the telnet server on the switch. system-view [switch] telnet server enable # configure the switch to use aaa for telnet users. [switch] u...

  • Page 1863

    1-44 [switch-isp-bbb] quit # configure the default aaa methods for all types of users. [switch] domain bbb [switch-isp-bbb] authentication default local [switch-isp-bbb] authorization default hwtacacs-scheme hwtac [switch-isp-bbb] accounting default radius-scheme rd when telneting into the switch, a...

  • Page 1864

    1-45 • select device management service as the service type • select 3com as the access device type • select the access device from the device list or manually add the device with the ip address of 10.1.1.2 • click ok to finish the operation figure 1-12 add an access device # add a user for device m...

  • Page 1865

    1-46 figure 1-13 add an account for device management 2) configure the switch # configure the ip address of vlan interface 2, through which the ssh user accesses the switch. system-view [switch] interface vlan-interface 2 [switch-vlan-interface2] ip address 192.168.1.70 255.255.255.0 [switch-vlan-in...

  • Page 1866

    1-47 [switch-ui-vty0-4] protocol inbound ssh [switch-ui-vty0-4] quit # create radius scheme rad. [switch] radius scheme rad # specify the primary authentication server. [switch-radius-rad] primary authentication 10.1.1.1 1812 # specify the primary accounting server. [switch-radius-rad] primary accou...

  • Page 1867

    1-48 figure 1-14 configure hwtacacs authentication for level switching users (telnet user 192.168.1.58/24; switch with vlan-int2 192.168.1.70/24 and vlan-int3 10.1.1.2/24; hwtacacs server 10.1.1.1/24; internet) configuration considerations 1) configure the switch to use aaa, particularly, local authentication for...

  • Page 1868

    1-49 [switch-ui-vty0-4] quit # specify to use hwtacacs authentication and, if hwtacacs authentication is not available, use local authentication for user level switching authentication. [switch] super authentication-mode scheme local # create an hwtacacs scheme named hwtac. [switch] hwtacacs scheme ...

  • Page 1869

    1-50 • select max privilege for any aaa client and set the privilege level to level 3. After these configurations, the user needs to use the password enabpass when switching to level 1, level 2, or level 3. • select use separate password and specify the password as enabpass. Figure 1-15 configure ad...

  • Page 1870

    1-51 username:test@bbb password: ? User view commands: cluster run cluster command display display current system information ping ping function quit exit from current command view ssh2 establish a secure shell client connection super set the current user priority level telnet establish one telnet c...

  • Page 1871

    1-52 2) the username is in the userid@isp-name format and a default isp domain is specified on the nas. 3) the user is configured on the radius server. 4) the correct password is entered. 5) the same shared key is configured on both the radius server and the nas. Symptom 2: radius packets cannot rea...

  • Page 1872: Appendixes

    2-1 2 appendixes commonly used standard radius attributes table 2-1 commonly used standard radius attributes (no., attribute, description): 1 user-name: name of the user to be authenticated; 2 user-password: user password for pap authentication, present only in access-request packets in pap authentication m...

  • Page 1873

    2-2 (no., attribute, description, continued): 40 acct-status-type: type of the accounting-request packet, which can be: • 1: start • 2: stop • 3: interim-update • 4: reset-charge • 7: accounting-on (defined in 3gpp, the 3rd generation partnership project) • 8: accounting-off (defined in 3gpp) • 9-14: reserved for ...

  • Page 1874: Table of Contents

    I table of contents 1 802.1x configuration 1-1 802.1x overview ...

  • Page 1875: 802.1X Configuration

    1-1 1 802.1x configuration when configuring 802.1x, go to these sections for information you are interested in: • 802.1x overview • 802.1x configuration task list • 802.1x configuration example • guest vlan and vlan assignment configuration example • acl assignment configuration example 802.1x overv...

  • Page 1876

    1-2 architecture of 802.1x 802.1x operates in the typical client/server model and defines three entities: client, device, and server, as shown in figure 1-1. Figure 1-1 architecture of 802.1x • client is an entity seeking access to the lan. It resides at one end of a lan segment and is authenticate...

  • Page 1877

    1-3 • the controlled port and uncontrolled port are two parts of the same port. Any packets arriving at the port are available to both of them. Authorized state and unauthorized state the controlled port can be set in either the authorized or unauthorized status, which depends on the authentication ...

  • Page 1878

    1-4 figure 1-3 eapol packet format • pae ethernet type: protocol type. It takes the value 0x888e. • protocol version: version of the eapol protocol supported by the eapol packet sender. • type: type of the eapol packet. Table 1-1 lists the types that the device currently supports. Table 1-1 types of...

  • Page 1879

    1-5 packet is for querying the identity of the client. A value of 4 represents md5-challenge, which corresponds closely to the ppp chap protocol. Figure 1-5 format of the data field in an eap request/response packet • identifier: used to match request and response messages. • length: length of the e...

  • Page 1880

    1-6 unsolicited triggering of a client a client initiates authentication by sending an eapol-start packet to the device. The destination address of the packet is 01-80-c2-00-00-03, the multicast address specified by the ieee 802.1x protocol. Some devices in the network may not support multicast pack...

  • Page 1881

    1-7 figure 1-8 802.1x authentication procedure in eap relay mode (eapol between client and device, eapor between device and server; message labels: eapol-start, eap-request/identity, eap-response/identity, eap-request/md5 challenge, eap-success, eap-response/md5 challenge, radius access-request (eap-response/identity), radius access-challenge (eap-request/md5 chal...

  • Page 1882

    1-8 10) when receiving the radius access-request packet, the radius server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a radius access-accept packet. 1...

  • Page 1883

    1-9 figure 1-9 message exchange in eap termination mode (eapol between client and device, radius between device and server; message labels: eapol-start, eap-request/identity, eap-response/identity, eap-request/md5 challenge, eap-success, eap-response/md5 challenge, handshake request (eap-request/identity), handshake response (eap-response/identity), eapol-logof...

  • Page 1884

    1-10 • username request timeout timer (tx-period): this timer is triggered by the device in two cases. The first case is when the client requests authentication. The device starts this timer when it sends an eap-request/identity packet to a client. If it receives no response before this timer ex...

  • Page 1885

    1-11 the assigned vlan neither changes nor affects the configuration of a port. However, as the assigned vlan has higher priority than the initial vlan of the port, it is the assigned vlan that takes effect after a user passes authentication. After the user goes offline, the port returns to the init...

  • Page 1886

    1-12 if a user of a port in the guest vlan initiates the authentication process but fails the authentication, the device adds the user to the auth-fail vlan configured for the port, if any. If no auth-fail vlan is configured, the device keeps the user in the guest vlan. If a user of ...

  • Page 1887

    1-13 authentication domain for authentication, authorization, and accounting of all 802.1x users on the port. In this way, users accessing the port cannot use any account in other domains. Meanwhile, for eap relay mode 802.1x authentication that uses certificates, the certificate of a user determine...

  • Page 1889

    1-15 configuring 802.1x for a port: enabling 802.1x for a port: follow these steps to enable 802.1x for a port (to do…, use the command…, remarks): enter system view: system-view; in system view: dot1x interface interface-list; interface interface-type interface-number; enable 802.1x for one or more ports in...

  • Page 1890

    1-16 enabling the online user handshake function the online user handshake function allows the device to send handshake messages to online users to check whether the users are still online at the interval specified by the dot1x timer handshake-period command. If the device does not receive any respo...

  • Page 1892

    1-18 the unicast trigger function is used for clients that cannot initiate authentication unsolicitedly and is suitable for networks not requiring all the clients to be authenticated. Therefore, it is recommended to disable the multicast trigger function when the unicast trigger function is enabled,...

  • Page 1893

    1-19 (to do…, use the command…, remarks): enter ethernet interface view: interface interface-type interface-number; enable periodic re-authentication: dot1x re-authenticate (required; disabled by default). after an 802.1x user passes authentication, if the authentication server assigns a re-authentication int...

  • Page 1894

    1-20 (to do…, use the command…, remarks): enter system view: system-view; configure the guest vlan for one or more ports: in system view, dot1x guest-vlan guest-vlan-id [ interface interface-list ]; in ethernet interface view, interface interface-type interface-number then dot1x guest-vlan guest-vlan-id (required ...

  • Page 1895

    1-21 configuration procedure follow these steps to configure an auth-fail vlan (to do…, use the command…, remarks): enter system view: system-view; enter ethernet interface view: interface interface-type interface-number; configure the auth-fail vlan for the port: dot1x auth-fail vlan authfail-vlan-id (re...

  • Page 1896

    1-22 • set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money. • specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the radius server...

  • Page 1897

    1-23 [device-radius-radius1] primary accounting 10.1.1.2 # configure the ip addresses of the secondary authentication and accounting radius servers. [device-radius-radius1] secondary authentication 10.1.1.2 [device-radius-radius1] secondary accounting 10.1.1.1 # specify the shared key for the device...

  • Page 1898

    1-24 you can use the display dot1x interface gigabitethernet 2/0/1 command to view the 802.1x configuration information. After an 802.1x user passes the radius authentication with the username in the format of username@aabbcc.net, you can use the display connection command to view the connection inf...

  • Page 1899

    1-25 figure 1-12 network diagram with the port in the guest vlan figure 1-13 network diagram when the client passes authentication configuration procedure • the following configuration procedure uses many aaa/radius commands. For detailed configuration of these commands, refer to aaa configuration i...

  • Page 1900

    1-26 [device-radius-2000] primary accounting 10.11.1.1 1813 [device-radius-2000] key authentication abc [device-radius-2000] key accounting abc [device-radius-2000] user-name-format without-domain [device-radius-2000] quit # configure authentication domain system and specify to use radius scheme 200...

  • Page 1901

    1-27 after the host passes 802.1x authentication, the radius server assigns acl 3000 to port gigabitethernet 2/0/1. As a result, the host can access the internet but cannot access the ftp server, whose ip address is 10.0.0.1. Figure 1-14 network diagram for acl assignment configuration procedure # c...

  • Page 1902

    1-28 pinging 10.0.0.1 with 32 bytes of data: request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: packets: sent = 4, received = 0, lost = 4 (100% loss) c:\>.

  • Page 1903

    2-1 2 802.1x-based ead fast deployment configuration when configuring ead fast deployment, go to these sections for information you are interested in: • ead fast deployment overview • configuring ead fast deployment • displaying and maintaining ead fast deployment • ead fast deployment configuration...

  • Page 1904

    2-2 currently, mac authentication and port security cannot work together with ead fast deployment. Once mac authentication or port security is enabled globally, the ead fast deployment is disabled automatically. Configuration prerequisites • enable 802.1x globally. • enable 802.1x on the specified p...

  • Page 1905

    2-3 (to do…, use the command…, remarks): configure the ie redirect url: dot1x url url-string (required; no redirect url is configured by default. The redirect url and the freely accessible network segment must belong to the same network segment. Otherwise, the specified url is inaccessible.) setting the ead ...

  • Page 1906

    2-4 it is required that: • before successful 802.1x authentication, a host using ie to access the outside network is redirected to the web server, from which it can download and install the 802.1x client software. • after successful 802.1x authentication, the host can access the outside network. Figure 2-1 netwo...

  • Page 1907

    2-5 reply from 192.168.2.3: bytes=32 time reply from 192.168.2.3: bytes=32 time ping statistics for 192.168.2.3: packets: sent = 4, received = 4, lost = 0 (0% loss), approximate round trip times in milli-seconds: minimum = 0ms, maximum = 0ms, average = 0ms besides, if the user uses ie to access any ...

  • Page 1908: Table of Contents

    I table of contents 1 mac authentication configuration 1-1 mac authentication overview ...

  • Page 1909

    1-1 1 mac authentication configuration when configuring mac authentication, go to these sections for information you are interested in: • mac authentication overview • related concepts • configuring mac authentication • displaying and maintaining mac authentication • mac authentication configuration...

  • Page 1910

    1-2 • if the type of username is fixed username, a single username and optionally a single password are required for the device to authenticate all users. Related concepts mac authentication timers the following timers function in the process of mac authentication: • offline detect timer: at this in...

  • Page 1911

    1-3 configuring mac authentication configuration prerequisites • create and configure an isp domain. • for local authentication, create the local users and configure the passwords. • for radius authentication, ensure that a route is available between the device and the radius server, and add the use...

  • Page 1913

    1-5 figure 1-1 network diagram for local mac authentication configuration procedure 1) configure mac authentication on the device # add a local user, setting the username and password as 00-e0-fc-12-34-56, the mac address of the user. System-view [device] local-user 00-e0-fc-12-34-56 [device-luser-0...

  • Page 1914

    1-6 the max allowed user number is 2048 per slot current user number amounts to 1 current domain is aabbcc.Net silent mac user info: mac addr from port port index gigabitethernet2/0/1 is link-up mac address authentication is enabled authenticate success: 1, failed: 0 max number of on-line users is 1...

  • Page 1915

    1-7 configuration procedure it is required that the radius server and the device are reachable to each other and the username and password are configured on the server. 1) configure mac authentication on the device # configure a radius scheme. System-view [device] radius scheme 2000 [device-radius-2...

  • Page 1916

    1-8 offline detect period is 180s quiet period is 180s. Server response timeout value is 100s the max allowed user number is 2048 per slot current user number amounts to 1 current domain is 2000 silent mac user info: mac addr from port port index gigabitethernet2/0/1 is link-up mac address authentic...

  • Page 1917

    1-9 figure 1-3 network diagram for acl assignment configuration procedure • make sure that there is a route available between the radius server and the switch. • in this example, the switch uses the default username type (user mac address) for mac authentication. Therefore, you need to add the usern...

  • Page 1918

    1-10 # specify the isp domain for mac authentication users. [sysname] mac-authentication domain 2000 # specify the mac authentication username type as mac address, that is, using the mac address of a user as the username and password for mac authentication of the user. [sysname] mac-authentication u...

  • Page 1919: Table of Contents

    I table of contents 1 portal configuration 1-1 portal overview ...

  • Page 1920: Portal Configuration

    1-1 1 portal configuration when configuring portal, go to these sections for information you are interested in: • portal overview • portal configuration task list • basic portal configuration • portal configuration examples • troubleshooting portal portal overview this section covers these topics: •...

  • Page 1921

    1-2 • resource access limit: a user passing identity authentication can access only network resources like the anti-virus server or os patch server, which are called the restricted resources. Only users passing security authentication can access more network resources, which are called the unrestric...

  • Page 1922

    1-3 security policy server server that interacts with portal clients and access devices for security authentication and resource authorization. The above five components interact in the following procedure: 1) when an unauthenticated user enters a website address in the address bar of the ie to acce...

  • Page 1923

    1-4 authentication. This solves the problem about ip address planning and allocation and proves to be useful. For example, a service provider can allocate public ip addresses to broadband users only when they access networks beyond the residential community network. Layer 3 authentication layer 3 po...

  • Page 1924

    1-5 direct authentication/layer 3 authentication process figure 1-2 direct authentication/layer 3 authentication process the direct authentication/layer 3 authentication process is as follows: 1) a portal user initiates an authentication request through http. When the http packet arrives at the acce...

  • Page 1925

    1-6 re-dhcp authentication process figure 1-3 re-dhcp authentication process the re-dhcp authentication process is as follows: step 1 through step 6 are the same as those in the direct authentication/layer 3 portal authentication process. 7) after receiving an authentication acknowledgment message, ...

  • Page 1926

    1-7 task remarks basic portal configuration required configuring a portal-free rule optional configuring an authentication subnet optional specifying the source ip address for portal packets to be sent optional logging out users optional specifying a mandatory authentication domain optional specifyi...

  • Page 1927

    1-8 configuration procedure to configure an independent portal server, you need to specify the ip address of the independent portal server on the access device. Follow these steps to perform basic portal configuration: to do… use the command… remarks enter system view system-view — configure a porta...

  • Page 1929

    1-10 • configuration of authentication subnets applies to only layer 3 portal authentication. • in direct authentication mode, the authentication subnet is 0.0.0.0/0. • in re-dhcp authentication mode, the authentication subnet of an interface is the subnet to which the private ip address of the inte...

  • Page 1930

    1-11 to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — specify an authentication domain for the interface portal domain domain-name required by default, no authentication domain is specified for an interface. The device s...

  • Page 1931

    1-12 to do… use the command… remarks enter interface view interface interface-type interface-number — specify a nas id profile for the interface portal nas-id-profile profile-name required by default, an interface is specified with no nas id profile. Setting the maximum number of online portal users...

  • Page 1933

    1-14 • you need to configure ip addresses for the devices as shown in figure 1-4 and ensure that routes are available between devices. • perform configurations on the radius server to ensure that the user authentication and accounting functions can work normally. 1) configure the portal server the f...

  • Page 1934

    1-15 figure 1-6 add an ip address group # add a portal device. Select portal service management > device from the navigation tree to enter the portal device configuration page. Then, click add to enter the page for adding a portal device, as shown in figure 1-7. • type the device name switch. • typ...

  • Page 1935

    1-16 figure 1-8 device list on the port group configuration page, click add to enter the page for adding a port group, as shown in figure 1-9. Perform the following configurations: • type the port group name. • select the configured ip address group. Note that the ip address used by the user to acc...

  • Page 1936

    1-17 # specify that the isp domain name should not be included in the username sent to the radius server. [switch-radius-rs1] user-name-format without-domain [switch-radius-rs1] quit • configure an authentication domain # create an isp domain named dm1 and enter its view. [switch] domain dm1 # confi...

  • Page 1937

    1-18 figure 1-10 configure re-dhcp portal authentication configuration procedure • for re-dhcp authentication, you need to configure a public address pool (20.20.20.0/24, in this example) and a private address pool (10.0.0.0/24, in this example) on the dhcp server. The configuration steps are omitte...

  • Page 1938

    1-19 [switch-radius-rs1] key accounting radius # specify that the isp domain name should not be included in the username sent to the radius server. [switch-radius-rs1] user-name-format without-domain [switch-radius-rs1] quit 2) configure an authentication domain # create an isp domain named dm1 and ...

  • Page 1939

    1-20 configuring layer 3 portal authentication network requirements • switch a is configured for layer 3 portal authentication. Before portal authentication, users can access only the portal server. After passing portal authentication, they can access unrestricted internet resources. • the host acce...

  • Page 1940

    1-21 [switcha-radius-rs1] key accounting radius # specify that the isp domain name should not be included in the username sent to the radius server. [switcha-radius-rs1] user-name-format without-domain [switcha-radius-rs1] quit 2) configure an authentication domain # create an isp domain named dm1 a...

  • Page 1941

    1-22 figure 1-12 configure direct portal authentication with extended functions switch host 2.2.2.2/24 gateway : 2.2.2.1/24 vlan-int100 2.2.2.1/24 vlan-int2 192.168.0.100/24 portal server 192.168.0.111/24 192.168.0.112/24 security policy server 192.168.0.113/24 radius server configuration procedure ...

  • Page 1942

    1-23 # create an isp domain named dm1 and enter its view. [switch] domain dm1 # configure the isp domain to use radius scheme rs1. [switch-isp-dm1] authentication portal radius-scheme rs1 [switch-isp-dm1] authorization portal radius-scheme rs1 [switch-isp-dm1] accounting portal radius-scheme rs1 [sw...

  • Page 1943

    1-24 configuring re-dhcp portal authentication with extended functions network requirements • the host is directly connected to the switch and the switch is configured for re-dhcp authentication. The host is assigned with an ip address through the dhcp server. Before portal authentication, the host ...

  • Page 1944

    1-25 1) configure a radius scheme # create a radius scheme named rs1 and enter its view. System-view [switch] radius scheme rs1 # set the server type for the radius scheme. When using the imc server, you need to set the server type to extended. [switch-radius-rs1] server-type extended # specify the pri...

  • Page 1945

    1-26 [switch-acl-adv-3001] rule permit ip [switch-acl-adv-3001] quit 4) configure portal authentication # configure the portal server as follows: • name: newpt • ip address: 192.168.0.111 • key: portal • port number: 50100 • url: http://192.168.0.111/portal. [switch] portal server newpt ip 192.168.0...

  • Page 1946

    1-27 figure 1-14 configure layer 3 portal authentication with extended functions configuration procedure • you need to configure ip addresses for the devices as shown in figure 1-14 and ensure that routes are available between devices. • perform configurations on the radius server to ensure that the...

  • Page 1947

    1-28 [switcha] domain dm1 # configure the isp domain to use radius scheme rs1. [switcha-isp-dm1] authentication portal radius-scheme rs1 [switcha-isp-dm1] authorization portal radius-scheme rs1 [switcha-isp-dm1] accounting portal radius-scheme rs1 [switcha-isp-dm1] quit # configure dm1 as the defaul...

  • Page 1948

    1-29 troubleshooting portal inconsistent keys on the access device and the portal server symptom when a user is forced to access the portal server, the portal server displays neither the portal authentication page nor any error message. What the user sees is a blank web page. Analysis the keys confi...

  • Page 1949: Table of Contents

    I table of contents 1 port security configuration 1-1 introduction to port security ...

  • Page 1950: Port Security Configuration

    1-1 1 port security configuration when configuring port security, go to these sections for information you are interested in: • introduction to port security • port security configuration task list • displaying and maintaining port security • port security configuration examples • troubleshooting po...

  • Page 1951

    1-2 port security features ntk the need to know (ntk) feature checks the destination mac addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic. Intrusion protection the intrusion protection ...

  • Page 1952

    1-3 security mode description features userloginsecure in this mode, a port performs 802.1x authentication of users in portbased mode and services only one user passing 802.1x authentication. Userloginwithoui similar to the userloginsecure mode, a port in this mode performs 802.1x authentication of ...

  • Page 1953

    1-4 • currently, port security supports two authentication methods: 802.1x and mac authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. • the maximum number of users a port supports is the lesser of the maximum num...

  • Page 1954

    1-5 port security configuration task list complete the following tasks to configure port security: task remarks enabling port security required setting the maximum number of secure mac addresses optional setting the port security mode required configuring ntk configuring intrusion protection configu...

  • Page 1955

    1-6 • for detailed 802.1x configuration, refer to 802.1x configuration in the security volume. • for detailed mac-based authentication configuration, refer to mac authentication configuration in the security volume. Setting the maximum number of secure mac addresses with port security enabled, more ...

  • Page 1956

    1-7 • before configuring the port to operate in autolearn mode, set the maximum number of secure mac addresses allowed on a port. • with port security disabled, you can configure the port security mode, but your configuration does not take effect. • you cannot change the port security mode of a port...

  • Page 1957

    1-8 • you cannot change the maximum number of secure mac addresses allowed on a port that operates in autolearn mode. • oui, defined by ieee, is the first 24 bits of the mac address and uniquely identifies a device vendor. • you can configure multiple oui values. However, a port in userloginwithoui ...

  • Page 1958

    1-9 • blockmac: adds the source mac addresses of illegal frames to the blocked mac addresses list and discards frames with blocked source mac addresses. A blocked mac address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed. • disableport: disables th...

  • Page 1959

    1-10 configuring secure mac addresses secure mac addresses are special mac addresses. They never age out or get lost if saved before the device restarts. One secure mac address can be added to only one port in the same vlan. Thus, you can bind a mac address to one port in the same vlan. Secure mac a...

  • Page 1960

    1-11 to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — ignore the authorization information from the radius server port-security authorization ignore required by default, a port uses the authorization information from the...

  • Page 1961

    1-12 configuration procedure 1) configure port security # enable port security. System-view [switch] port-security enable # enable intrusion protection trap. [switch] port-security trap intrusion [switch] interface gigabitethernet 2/0/1 # set the maximum number of secure mac addresses allowed on the...

  • Page 1962

    1-13 port-security max-mac-count 64 port-security port-mode autolearn port-security mac-address security 0002-0000-0015 vlan 1 port-security mac-address security 0002-0000-0014 vlan 1 port-security mac-address security 0002-0000-0013 vlan 1 port-security mac-address security 0002-0000-0012 vlan 1 po...

  • Page 1963

    1-14 • all users use the default authentication, authorization, and accounting methods of isp domain sun, which can accommodate up to 30 users. • the radius server response timeout time is five seconds and the maximum number of radius packet retransmission attempts is five. The switch sends real-tim...

  • Page 1964

    1-15 # configure isp domain sun to use radius scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the isp domain can contain up to 30 users. [switch] domain sun [switch-isp-sun] authentication default radius-scheme radsun [switch-isp-sun] authorization...

  • Page 1965

    1-16 quiet-interval(min) : 5 username format : without-domain data flow unit : byte packet unit : one use the following command to view the configuration information of the isp domain named sun: display domain sun domain : sun state : active access-limit : 30 accounting method : required default aut...

  • Page 1966

    1-17 quiet period 60 s, quiet period timer is disabled supp timeout 30 s, server timeout 100 s reauth period 3600 s the maximal retransmitting times 2 ead quick deploy configuration: ead timeout: 30m the maximum 802.1x user resource number is 1024 per slot total current used 802.1x resource number i...

  • Page 1967

    1-18 configuring the macaddresselseuserloginsecure mode network requirements as shown in figure 1-2, the client is connected to the switch through gigabitethernet 2/0/1. The switch authenticates the client by the radius server. If the authentication succeeds, the client is authorized to access the i...

  • Page 1968

    1-19 [switch-gigabitethernet2/0/1] port-security ntk-mode ntkonly 3) verify the configuration after completing the above configurations, you can use the following command to view the port security configuration information: display port-security interface gigabitethernet 2/0/1 equipment port-securit...

  • Page 1969

    1-20 equipment 802.1x protocol is enabled chap authentication is enabled proxy trap checker is disabled proxy logoff checker is disabled ead quick deploy is disabled configuration: transmit period 30 s, handshake period 15 s quiet period 60 s, quiet period timer is disabled supp timeout 30 s, server...

  • Page 1970

    1-21 troubleshooting port security cannot set the port security mode symptom cannot set the port security mode. [switch-gigabitethernet2/0/1] port-security port-mode autolearn error:when we change port-mode, we should first change it to norestrictions, then change it to the other. Analysis for a por...

  • Page 1971

    1-22 analysis changing port security mode is not allowed when an 802.1x-authenticated or mac authenticated user is online. Solution use the cut command to forcibly disconnect the user from the port before changing the port security mode. [switch-gigabitethernet2/0/1] quit [switch] cut connection int...

  • Page 1972: Table of Contents

    I table of contents 1 ip source guard configuration 1-1 ip source guard overview ...

  • Page 1973

    1-1 1 ip source guard configuration the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; ...

  • Page 1974

    1-2 • a dynamic binding is implemented in cooperation with dhcp snooping or dhcp relay. It is suitable when there are many hosts in a lan, and dhcp is used to allocate ip addresses to the hosts. Once dhcp allocates an ip address for a user, the ip source guard function will automatically add a bindi...

  • Page 1975

    1-3 • cooperating with dhcp snooping, ip source guard will automatically obtain the dhcp snooping entries that are generated during dynamic ip address allocation on a layer 2 ethernet port. • cooperating with dhcp relay, ip source guard will automatically obtain the dhcp relay entries that are gener...

  • Page 1976

    1-4 ip source guard configuration examples static binding entry configuration example network requirements as shown in figure 1-1, host a and host b are connected to ports gigabitethernet 2/0/2 and gigabitethernet 2/0/1 of switch b respectively, host c is connected to port gigabitethernet 2/0/2 of ...

  • Page 1977

    1-5 # configure port gigabitethernet 2/0/1 of switch b to allow only ip packets with the source mac address of 00-01-02-03-04-07 and the source ip address of 192.168.0.2 to pass. [switchb] interface gigabitethernet 2/0/1 [switchb-gigabitethernet2/0/1] user-bind ip-address 192.168.0.2 mac-address 000...

  • Page 1978

    1-6 # configure dynamic binding function on port gigabitethernet 2/0/1 to filter packets based on both the source ip address and mac address. System-view [switcha] interface gigabitethernet2/0/1 [switcha-gigabitethernet2/0/1] ip check source ip-address mac-address [switcha-gigabitethernet2/0/1] quit...

  • Page 1979

    1-7 dynamic binding function configuration example 2 network requirements • the s7900e switch acting as an olt device is connected to the dhcp server through gigabitethernet 2/0/1 and connected to an onu through olt 3/0/1. Uni 1 of the onu is connected to a user device. • enable dhcp snooping on the...

  • Page 1980

    1-8 # enable ip source guard on olt 3/0/1. [sysname-olt3/0/1] ip check source ip-address mac-address [sysname-olt3/0/1] quit # create an onu port onu 3/0/1:1 and bind it with the onu. [sysname] interface olt 3/0/1 [sysname-olt3/0/1] using onu 1 [sysname-olt3/0/1] quit [sysname] interface onu3/0/1:1 ...

  • Page 1981

    1-9 configuration procedure 1) configure switch a # configure the ip addresses of the interfaces (omitted). # configure dynamic binding function on vlan-interface 100 to filter packets based on both the source ip address and mac address. System-view [switcha] vlan 100 [switcha-vlan100] quit [switcha...

  • Page 1982: Table of Contents

    I table of contents 1 ssh2.0 configuration 1-1 ssh2.0 overview ...

  • Page 1983: Ssh2.0 Configuration

    1-1 1 ssh2.0 configuration ea boards (such as lsq1gp12ea and lsq1tgx1ea) do not support ipv6 features. When configuring ssh2.0, go to these sections for information you are interested in: • ssh2.0 overview • configuring the device as an ssh server • configuring the device as an ssh client • displayi...

  • Page 1984

    1-2 table 1-1 stages in session establishment and interaction between an ssh client and the server stages description version negotiation ssh1 and ssh2.0 are supported. The two parties negotiate a version to use. Key and algorithm negotiation ssh supports multiple algorithms. The two parties negotia...

  • Page 1985

    1-3 • the server and the client use the dh key exchange algorithm and parameters such as the host key pair to generate the session key and session id and the client authenticates the identity of the server. Through the above steps, the server and client get the same session key and session id. The s...

  • Page 1986

    1-4 besides password authentication and publickey authentication, ssh2.0 provides another two authentication methods: • password-publickey: performs both password authentication and publickey authentication if the client is using ssh2.0 and performs either if the client is running ssh1. • any: perfo...

  • Page 1987

    1-5 task remarks configuring a client public key required for publickey authentication users and optional for password authentication users configuring an ssh user optional setting the ssh management parameters optional generating a dsa or rsa key pair the dsa or rsa key pair will be used to generat...

  • Page 1988

    1-6 to do… use the command… remarks enter system view system-view — enable the ssh server function ssh server enable required disabled by default configuring the user interfaces for ssh clients an ssh client accesses the device through a vty user interface. Therefore, you need to configure the user ...

  • Page 1989

    1-7 to configure the public key of an ssh client, you can: • configure it manually: you can input or copy the public key to the local host. The copied public key must have not been converted and be in the distinguished encoding rules (der) encoding format. • import it from the public key file: durin...

  • Page 1990

    1-8 for information about client side public key configuration and the relevant commands, refer to public key configuration in the security volume. Configuring an ssh user this configuration allows you to create an ssh user and specify the service type and authentication mode. Follow these steps to ...

  • Page 1991

    1-9 • a user without an ssh account can still pass password authentication and log into the server through stelnet or sftp, as long as the user can pass aaa authentication and the service type is ssh. • an ssh server supports up to 1024 ssh users. • the service type of an ssh user can be stelnet (se...

  • Page 1992

    1-10 to do… use the command… remarks enable the ssh server to support ssh1 clients ssh server compatible-ssh1x enable optional by default, the ssh server supports ssh1 clients. Set the rsa server key pair update interval ssh server rekey-interval hours optional 0 by default, that is, the rsa server ...

  • Page 1993

    1-11 specifying a source ip address/interface for the ssh client this configuration task allows you to specify a source ip address or interface for the client to access the ssh server, improving service manageability. To do… use the command… remarks enter system view system-view — specify a source i...

  • Page 1994

    1-12 to do… use the command… remarks enter system view system-view — disable first-time authentication support undo ssh client first-time optional by default, first-time authentication is supported on a client. Configure the server public key refer to configuring a client public key required the m...

  • Page 1996

    1-14 # configure an ip address for vlan interface 1. This address will serve as the destination of the ssh connection. [switch] interface vlan-interface 1 [switch-vlan-interface1] ip address 192.168.1.40 255.255.255.0 [switch-vlan-interface1] quit # set the authentication mode for the user interface...

  • Page 1997

    1-15 figure 1-2 ssh client configuration interface in the window shown in figure 1-2, click open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. W...

  • Page 1998

    1-16 [switch] public-key local create rsa [switch] public-key local create dsa [switch] ssh server enable # configure an ip address for vlan interface 1. This address will serve as the destination of the ssh connection. [switch] interface vlan-interface 1 [switch-vlan-interface1] ip address 192.168....

  • Page 1999

    1-17 figure 1-4 generate a client key pair 1) while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in figure 1-5. Otherwise, the process bar stops moving and the key pair generating process will be stopped.

  • Page 2000

    1-18 figure 1-5 generate a client key pair 2) after the key pair is generated, click save public key and specify the file name as key.Pub to save the public key. Figure 1-6 generate a client key pair 3) likewise, to save the private key, click save private key. A warning window pops up to prompt you...

  • Page 2001

    1-19 figure 1-7 generate a client key pair 4) after generating a key pair on a client, you need to transmit the saved public key file to the server through ftp or tftp and have the configuration on the server done before continuing configuration of the client. # specify the private key file and esta...

  • Page 2002

    1-20 figure 1-9 ssh client configuration interface 2) in the window shown in figure 1-9, click open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface. Ssh client configuration examples...

  • Page 2003

    1-21 [switchb] public-key local create dsa [switchb] ssh server enable # create an ip address for vlan interface 1, which the ssh client will use as the destination for ssh connection. [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [switchb-vlan...

  • Page 2004

    1-22 • if the client does not support first-time authentication, you need to perform the following configurations. # disable first-time authentication. [switcha] undo ssh client first-time # configure the host public key of the ssh server. You can get the server host public key by using the display ...

  • Page 2005

    1-23 when switch acts as client for publickey authentication network requirements • as shown in figure 1-11, switch a (the ssh client) needs to log into switch b (the ssh server) through the ssh protocol. • publickey authentication is used, and the public key algorithm is dsa. Figure 1-11 switch ac...

  • Page 2006

    1-24 [switchb] public-key peer switch001 import sshkey key.Pub # specify the authentication type for user client002 as publickey, and assign the public key switch001 to the user. [switchb] ssh user client002 service-type stelnet authentication-type publickey assign publickey switch001 2) configure t...

  • Page 2007: Sftp Service

    2-1 2 sftp service when configuring sftp, go to these sections for information you are interested in: • sftp overview • configuring an sftp server • configuring an sftp client • sftp client configuration example • sftp server configuration example sftp overview the secure file transfer protocol (sft...

  • Page 2008

    2-2 when the device functions as the sftp server, only one client can access the sftp server at a time. If the sftp client uses winscp, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server. Configuring the sftp connec...

  • Page 2012

    2-6 to do… use the command… remarks bye exit terminate the connection to the remote sftp server and return to user view quit required. Use any of the commands. These three commands function in the same way. Sftp client configuration example network requirements as shown in figure 2-1, an ssh connec...

  • Page 2013

    2-7 before performing the following tasks, you must use the client software to generate rsa key pairs on the client, save the host public key in a file named pubkey, and then upload the file to the ssh server through ftp or tftp. For details, refer to configure the sftp client (switch a) be...

  • Page 2014

    2-8 # display files under the current directory of the server, delete the file named z, and check if the file has been deleted successfully. Sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 aug 23 06:52 config.Cfg -rwxrwxrwx 1 noone nogroup 225 aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 aug...

  • Page 2015

    2-9 # upload the local file pu to the server, save it as puk, and check if the file has been uploaded successfully. sftp-client> put pu puk local file:pu ---> remote file: /puk uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 aug 23 06:52 config.cfg -rwxrwxrwx 1 noo...

  • Page 2016

    2-10 # configure an ip address for vlan-interface 1, which the client will use as the destination for ssh connection. [switch] interface vlan-interface 1 [switch-vlan-interface1] ip address 192.168.1.45 255.255.255.0 [switch-vlan-interface1] quit # set the authentication mode of the user interfaces ...

  • Page 2017

    2-11 figure 2-3 sftp client interface.

  • Page 2018: Table of Contents

    I table of contents 1 public key configuration 1-1 asymmetric key algorithm overview ...

  • Page 2019: Public Key Configuration

    1-1 1 public key configuration when configuring public keys, go to these sections for information you are interested in: z asymmetric key algorithm overview z configuring the local asymmetric key pair z configuring the public key of a peer z displaying and maintaining public keys z public key config...

  • Page 2020

    1-2 z encryption/decryption: the information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Z digital signature: the information encrypted with a sender's private key can be decrypted by anyone...

  • Page 2021

    1-3 z configuration of the public-key local create command can survive a reboot. Z the public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. Z the length of an rsa key modulus is in the range ...

  • Page 2022

    1-4 to configure the public key of the peer, you can: z configure it manually: you can input on or copy the public key of the peer to the local host. Z import it from the public key file: the system automatically converts the public key to a string coded using the pkcs (public key cryptography stand...

  • Page 2024

    1-6 30819f300d06092a864886f70d010101050003818d0030818902818100d90003fa95f5a44a2a2cd3f814f985 4c4421b57cac64cffe4782a87b0360b600497d87162d1f398e6e5e51e5e353b3a9ab16c9e766bd995c669a78 4ad597d0fb3aa9f7202c507072b19c3c50a0d7ad3994e14abc62db125035ea326470034dc078b2baa3bc3bca 80aab5ee01986bd1ef64b42f17cca...

  • Page 2025

    1-7 importing the public key of a peer from a public key file network requirements as shown in figure 1-3 , device a is authenticated when accessing device b, so the public host public key of device a should be configured on device b in advance. In this example: z rsa is used. Z the host public key ...

  • Page 2026

    1-8 key name: server_key key type: rsa encryption key ===================================================== key code: 307c300d06092a864886f70d0101010500036b003068026100999089e7aee9802002d9eb2d0433b87bb6158e 35000afb3ff310e42f109829d65bf70f7712507be1a3e0bc5c2c03faaf00dfddc63d004b4490dacba3cfa9e8 4b91...

  • Page 2027

    1-9 key type : rsa key module: 1024 ===================================== key code: 30819f300d06092a864886f70d010101050003818d0030818902818100d90003fa95f5a44a2a2cd3f814f985 4c4421b57cac64cffe4782a87b0360b600497d87162d1f398e6e5e51e5e353b3a9ab16c9e766bd995c669a78 4ad597d0fb3aa9f7202c507072b19c3c50a0d7...

  • Page 2028: Table of Contents

    I table of contents 1 acl overview 1-1 introduction to acl ...

  • Page 2029: Acl Overview

    1-1 1 acl overview in order to filter traffic, network devices use sets of rules, called access control lists (acls), to identify and handle packets. When configuring acls, go to these chapters for information you are interested in: z acl overview z ipv4 acl configuration z ipv6 acl configuration z ...

  • Page 2030

    1-2 and web users. Note that when an acl is referenced by the upper layer software, actions to be taken on packets matching the acl depend on those defined by the acl rules. For details about login user control, refer to the part about login configuration in system volume. Z when an acl is assigned t...

  • Page 2031

    1-3 an ipv4 acl can have only one name. Whether to specify a name for an acl is up to you. After creating an acl, you cannot specify a name for it, nor can you change or remove the name of the acl. The name of an ipv4 acl must be unique among ipv4 acls. However, an ipv4 acl and an ipv6 acl can share...

  • Page 2032

    1-4 3) if the protocol types have the same precedence, look at the source ip address wildcard masks. Then, compare packets against the rule configured with more zeros in the source ip address wildcard mask. 4) if the numbers of zeros in the source ip address wildcard masks are the same, look at the ...

  • Page 2033

    1-5 a referenced time range can be one that has not been created yet. The rule, however, can take effect only after the time range is defined and becomes active. Ip fragments filtering with ipv4 acl traditional packet filtering performs the match operation only on the first fragments, rather than on all ip fragments ...

  • Page 2034

    1-6 the name of an ipv6 acl must be unique among ipv6 acls. However, an ipv6 acl and an ipv4 acl can share the same name. Ipv6 acl match order similar to ipv4 acls, ipv6 acls are sequential collections of rules defined with different matching parameters. The order in which a packet is matched agains...

  • Page 2035: Ipv4 Acl Configuration

    2-1 2 ipv4 acl configuration when configuring an ipv4 acl, go to these sections for information you are interested in: z creating a time range z configuring a basic ipv4 acl z configuring an advanced ipv4 acl z configuring an ethernet frame header acl z copying an ipv4 acl z displaying and maintaini...

  • Page 2038

    2-4 [sysname] acl number 2000 [sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # verify the configuration. [sysname-acl-basic-2000] display acl 2000 basic acl 2000, named -none-, 1 rule, acl's step is 5 rule 0 deny source 1.1.1.1 0 configuring an advanced ipv4 acl advanced ipv4 acls filter packet...

  • Page 2039

    2-5 to do… use the command… remarks set a rule numbering step step step-value optional the default step is 5. Create an ipv4 acl description description text optional by default, no ipv4 acl description is present. Create a rule description rule rule-id comment text optional by default, no rule desc...

  • Page 2040

    2-6 configuring an ethernet frame header acl ethernet frame header acls filter packets based on layer 2 protocol header fields such as source mac address, destination mac address, 802.1p priority (vlan priority), and link layer protocol type. They are numbered in the range 4000 to 4999. Configuratio...

  • Page 2043

    2-9 network diagram figure 2-1 network diagram for ipv4 acl configuration configuration procedure 1) create a time range for office hours # create a periodic time range spanning 8:00 to 18:00 in working days. system-view [switch] time-range trname 8:00 to 18:00 working-day 2) define an acl to contro...

  • Page 2044

    2-10 # configure class c_market for packets matching ipv4 acl 3001. [switch] traffic classifier c_market [switch-classifier-c_market] if-match acl 3001 [switch-classifier-c_market] quit # configure traffic behavior b_market to deny matching packets. [switch] traffic behavior b_market [switch-behavi...

  • Page 2045: Ipv6 Acl Configuration

    3-1 3 ipv6 acl configuration when configuring ipv6 acls, go to these sections for information you are interested in: z creating a time range z configuring a basic ipv6 acl z configuring an advanced ipv6 acl z copying an ipv6 acl z displaying and maintaining ipv6 acls z ipv6 acl configuration example...

  • Page 2046

    3-2 to do… use the command… remarks set a rule numbering step step step-value optional the default step is 5. Create an ipv6 acl description description text optional by default, no ipv6 acl description is present. Create a rule description rule rule-id comment text optional by default, no rule desc...

  • Page 2047

    3-3 configuring an advanced ipv6 acl advanced acls filter packets based on the source ipv6 address, destination ipv6 address, protocol carried on ipv6, and other protocol header fields such as the tcp/udp source port, tcp/udp destination port, icmp message type, and icmp message code. Advanced ipv6 ...

  • Page 2048

    3-4 note that: z you can only modify the existing rules of an acl that uses the match order of config. When modifying a rule of such an acl, you may choose to change just some of the settings, in which case the other settings remain the same. Z you cannot create a rule with, or modify a rule to have...

  • Page 2050

    3-6 network diagram figure 3-1 network diagram for ipv6 acl configuration configuration procedure # create an ipv6 acl 2000. system-view [switch] acl ipv6 number 2000 [switch-acl6-basic-2000] rule deny source 4050::9000/120 [switch-acl6-basic-2000] quit # configure class c_rd for packets matching ip...

  • Page 2051: Table of Contents

    I table of contents 1 arp attack protection configuration 1-1 arp attack protection overview ...

  • Page 2052

    1-1 1 arp attack protection configuration when configuring arp attack protection, go to these sections for information you are interested in: z configuring arp defense against ip packet attacks z configuring arp active acknowledgement z configuring source mac address based arp attack detection z con...

  • Page 2053

    1-2 configuring arp defense against ip packet attacks introduction if a device receives large numbers of ip packets from a host to unreachable destinations, z the device sends large numbers of arp requests to the destination subnets, which increases the load of the destination subnets. Z the device ...

  • Page 2054

    1-3 displaying and maintaining arp defense against ip packet attacks to do… use the command… remarks display the arp source suppression configuration information display arp source-suppression available in any view configuring arp active acknowledgement introduction typically, the arp active acknowl...

  • Page 2058

    1-7 to do… use the command… remarks enter system view system-view — enter vlan view vlan vlan-id — enable arp detection for the vlan arp detection enable required disabled by default. That is, arp detection based on static ip source guard binding entries/dhcp snooping entries/802.1x security entries...

  • Page 2059

    1-8 figure 1-1 network diagram for arp detection configuration configuration procedure 1) add all the ports on switch b to vlan 10, and configure the ip address of vlan-interface 10 on switch a (the configuration procedure is omitted). 2) configure switch a as a dhcp server # configure dhcp address ...

  • Page 2060

    1-9 [switchb-gigabitethernet2/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10 [switchb-gigabitethernet2/0/2] quit # enable the checking of the mac addresses and ip addresses of arp packets. [switchb] arp detection validate dst-mac ip src-mac after the preceding configurations a...

  • Page 2061

    1-10 system-view [switchb] dot1x [switchb] interface gigabitethernet 2/0/1 [switchb-gigabitethernet2/0/1] dot1x [switchb-gigabitethernet2/0/1] quit [switchb] interface gigabitethernet 2/0/2 [switchb-gigabitethernet2/0/2] dot1x [switchb-gigabitethernet2/0/2] quit # add local access user test. [switch...

  • Page 2062: Table of Contents

    I table of contents 1 urpf configuration 1-1 urpf overview ...

  • Page 2063: Urpf Configuration

    1-1 1 urpf configuration when configuring urpf, go to these sections for information you are interested in: z urpf overview z configuring urpf the term “router” in this document refers to a router in a generic sense or a layer 3 switch. Urpf overview what is urpf unicast reverse path forwarding (urp...

  • Page 2064

    1-2 z discards packets with all-zero source addresses but non-broadcast destination addresses. (a packet with source address 0.0.0.0 and destination address 255.255.255.255 might be a dhcp packet, and thus is not discarded.) 2) if the source address of an incoming packet is found in the fib table: u...

  • Page 2065

    1-3 z route entries half reduction on an lpu means that the lpu can accommodate only half the number of original routes after you enable urpf. Z if the number of route entries on an lpu exceeds half the number of route entries that the lpu can accommodate, the urpf function cannot be enabled, which ...

  • Page 2066

    High availability volume organization manual version 20091015-c-1.00 product version release 6605 and later organization the high availability volume is organized as follows: features description dual-srpu system the s7900e series switches are typically equipped with two srpus to provide active-stan...

  • Page 2067

    Features description rrpp rrpp is a link layer protocol designed for ethernet rings. Rrpp can prevent broadcast storms caused by data loops when an ethernet ring is healthy, and rapidly restore the communication paths between the nodes after a link is disconnected on the ring. This document describe...

  • Page 2068

    Features description track the track module is used to implement collaboration between different modules through established collaboration objects. The detection modules trigger the application modules to perform certain operations through the track module. This document describes: z track overview ...

  • Page 2069: Table of Contents

    I table of contents 1 dual-srpu system configuration 1-1 introduction to dual-srpu system ...

  • Page 2070

    1-1 1 dual-srpu system configuration z the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed devic...

  • Page 2071

    1-2 z you cannot execute any command on the smb, and you need to perform configurations through the command line interface on the amb, which will synchronize the configurations to the smb. Z when you upgrade an s7900e switch, ensure that the software versions of the amb and the smb are the same, and...

  • Page 2072

    1-3 to do… use the command… remarks enter system view system-view — manually restart the smb slave restart required after the smb has restarted, the amb will perform initial synchronization on the smb. During this process, the system does not respond to your input. After the initial synchronization ...

  • Page 2073: Table of Contents

    I table of contents 1 vrrp configuration 1-1 vrrp overview ...

  • Page 2074: Vrrp Configuration

    1-1 1 vrrp configuration when configuring vrrp, go to these sections for information you are interested in: z vrrp overview z vrrp standard protocol mode z vrrp load balancing mode z configuring vrrp for ipv4 z configuring vrrp for ipv6 z ipv4-based vrrp configuration examples z ipv6-based vrrp conf...

  • Page 2075

    1-2 configuring a default route for network hosts facilitates your configuration, but also requires high performance stability of the device acting as the gateway. Using more egress gateways is a common way to improve system reliability, introducing the problem of routing among the multiple egresses...

  • Page 2076

    1-3 figure 1-2 network diagram for vrrp host a host b host c router a router b router c virtual router network as shown in figure 1-2 , router a, router b, and router c form a virtual router, which has its own ip address. Hosts on the ethernet use the virtual router as the default gateway. The route...

  • Page 2077

    1-4 working mode a router in a vrrp group works in one of the following two modes: z non-preemptive mode when a router in the vrrp group becomes the master, it stays as the master as long as it operates normally, even if a backup is assigned a higher priority later. Z preemptive mode when a backup f...

  • Page 2078

    1-5 packet format the master multicasts vrrp packets periodically to declare its existence. Vrrp packets are also used for checking the parameters of the virtual router and electing the master. Figure 1-3 shows the format of a vrrpv2 packet and figure 1-4 shows the format of a vrrpv3 packet. Figure ...

  • Page 2079

    1-6 z auth type: authentication type. 0 means no authentication, 1 means simple text authentication, and 2 means md5 authentication. Vrrpv3 does not support md5 authentication. Z adver int: interval for sending advertisement packets. For vrrpv2, the interval is in seconds and defaults to 1; for vrrp...

  • Page 2080

    1-7 z monitor the master on a backup. If there is a fault on the master, the backup working in the mode switches to the master immediately to maintain normal communication. For details of track object tracking, refer to track configuration in the high availability volume. Vrrp application (taking ip...

  • Page 2081

    1-8 figure 1-6 vrrp in load sharing mode host a host b host c router a backup router b backup router c master vrrp group 2 vrrp group 3 vrrp group 1 master backup backup backup master backup network a router can be in multiple vrrp groups and hold different priorities in different groups. In figure 1...

  • Page 2082

    1-9 the vrrp load balancing mode is based on the vrrp standard protocol mode, so mechanisms, such as master election, preemption, and tracking functions, in the standard protocol mode are also supported in the load balancing mode. Besides, vrrp load balancing mode has some new mechanisms, which are ...

  • Page 2083

    1-10 z the mac address obtained by host b is the virtual mac address of router b, which ensures that the packets from host b are forwarded by router b. Z the mac address obtained by host c is the virtual mac address of router c, which ensures that the packets from host c are forwarded by r...

  • Page 2084

    1-11 figure 1-8 vf information host a host b host c router a master router b backup router c backup virtual ip address: 10.1.1.1/24 10.1.1.2/24 10.1.1.3/24 10.1.1.4/24 network vf virtual mac address vf priority state 000f-e2ff-0011 vf 1 255 avf 000f-e2ff-0012 vf 2 127 lvf 000f-e2ff-0013 vf 3 127 lvf...

  • Page 2085

    1-12 z reply: after receiving a request, the master sends a reply to the backup router to allocate a virtual mac address. Upon receiving the reply, the backup router creates a vf corresponding to the virtual mac address, and then the backup router becomes the owner of this vf. Z release: after a vf ...

  • Page 2086

    1-13 by default, a mac address is created for a vrrp group after the vrrp group is created, and the virtual ip address is associated with the virtual mac address. With such association adopted, the hosts in the internal network do not need to update the association between ip address and mac address...

  • Page 2087

    1-14 creating vrrp group and configuring virtual ip address you need to configure a virtual ip address for a vrrp group when creating the vrrp group on an interface. If the interface connects to multiple sub-networks, you can configure multiple virtual ip addresses for the vrrp group to realize rout...

  • Page 2088

    1-15 z when vrrp works in the load balancing mode, the virtual ip address cannot be the same as the ip address of any interface in the vrrp group, that is, in the load balancing mode, the vrrp group does not have an ip address owner. Z for the s7900e series, the maximum number of vrrp groups on a swit...

  • Page 2089

    1-16 to do… use the command… remarks configure the router in the vrrp group to work in preemptive mode and configure preemption delay vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ] optional the router in the vrrp group works in preemptive mode and the preemption delay is 0 seco...

  • Page 2090

    1-17 z you can configure the vf tracking function when vrrp works in either the standard protocol mode or the load balancing mode; however, the vf tracking function is effective only when vrrp works in the load balancing mode. Z do not configure vf tracking on an ip address owner. Z by default, the ...

  • Page 2091

    1-18 z you may configure different authentication modes and authentication keys for the vrrp groups on an interface. However, the members of the same vrrp group must use the same authentication mode and authentication key. Z excessive traffic or different timer settings on routers can cause the backu...

  • Page 2092

    1-19 configuring vrrp for ipv6 vrrp for ipv6 configuration task list complete these tasks to configure vrrp for ipv6: task remarks configuring the association between virtual ipv6 address and mac address optional when vrrp works in the load balancing mode, the association between the virtual ip addr...

  • Page 2094

    1-21 to do… use the command… remarks create a vrrp group and configure its virtual ipv6 address vrrp ipv6 vrid virtual-router-id virtual-ip virtual-address [ link-local ] required no vrrp group is created by default. The first virtual ipv6 address of the vrrp group must be a link local address. Only...

  • Page 2095

    1-22 to do… use the command… remarks configure the interface to be tracked vrrp ipv6 vrid virtual-router-id track interface interface-type interface-number [ reduced priority-reduced ] optional no interface is being tracked by default. Configure vrrp to track a specified track object vrrp ipv6 vrid ...

  • Page 2096

    1-23 z you can configure the vf tracking function when vrrp works in either the standard protocol mode or the load balancing mode; however, the vf tracking function is effective only when vrrp works in the load balancing mode. Z do not configure vf tracking on an ip address owner. Z by default, the ...

  • Page 2097

    1-24 to do… use the command… remarks display vrrp group statistics display vrrp ipv6 statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] available in any view clear vrrp group statistics reset vrrp ipv6 statistics [ interface interface-type interface-number [ vrid virtu...

  • Page 2098

    1-25 [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ip address 202.38.160.1 255.255.255.0 # create vrrp group 1 and set its virtual ip address to be 202.38.160.111. [switcha-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # set the priority of switch a in vrrp group 1 to 110. ...

  • Page 2099

    1-26 total number of virtual routers : 1 interface vlan-interface2 vrid : 1 adver timer : 1 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 5 auth type : none virtual ip : 202.38.160.111 master ip : 202.38.160.1 the above information indicates that...

  • Page 2100

    1-27 figure 1-10 network diagram for vrrp interface tracking host a switch a switch b virtual ip address: 202.38.160.111/24 vlan-int2 202.38.160.1/24 vlan-int2 202.38.160.2/24 host b 202.38.160.3/24 203.2.3.1/24 vlan-int3 internet configuration procedure 1) configure switch a # configure vlan 2. Sys...

  • Page 2101

    1-28 [switchb-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # configure the authentication mode of the vrrp group as simple and authentication key as hello. [switchb-vlan-interface2] vrrp vrid 1 authentication-mode simple hello # set the interval for master to send vrrp advertisement to fiv...

  • Page 2102

    1-29 # if vlan-interface 3 on switch a is not available, the detailed information of vrrp group 1 on switch a is displayed. [switcha-vlan-interface2] display vrrp verbose ipv4 standby information: run mode : standard run method : virtual mac total number of virtual routers : 1 interface vlan-interfa...

  • Page 2103

    1-30 outside through switch a and switch b respectively, and if switch a or switch b fails, the hosts can use the other switch to communicate with the outside, so as to avoid communication interruption. Figure 1-11 network diagram for multiple vrrp group configuration switch a switch b virtual ip ad...

  • Page 2104

    1-31 [switchb-vlan2] port gigabitethernet 2/0/5 [switchb-vlan2] quit [switchb] interface vlan-interface 2 [switchb-vlan-interface2] ip address 202.38.160.2 255.255.255.128 # create a vrrp group 1 and set its virtual ip address to 202.38.160.100. [switchb-vlan-interface2] vrrp vrid 1 virtual-ip 202.3...

  • Page 2105

    1-32 ipv4 standby information: run mode : standard run method : virtual mac total number of virtual routers : 2 interface vlan-interface2 vrid : 1 adver timer : 1 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 0 auth type : none virtual ip : 202.3...

  • Page 2106

    1-33 figure 1-12 network diagram for vrrp load balancing mode configuration procedure 1) configure switch a # configure vlan 2. system-view [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 2/0/5 [switcha-vlan2] quit # configure vrrp to work in the load balancing mode. [switcha] vrrp mode load-b...

  • Page 2107

    1-34 # configure vrrp to work in the load balancing mode. [switchb] vrrp mode load-balance # create vrrp group 1 and configure its virtual ip address as 10.1.1.1. [switchb] interface vlan-interface 2 [switchb-vlan-interface2] ip address 10.1.1.3 24 [switchb-vlan-interface2] vrrp vrid 1 virtual-ip 10...

  • Page 2108

    1-35 running weight : 255 forwarder 01 state : active virtual mac : 000f-e2ff-0011 (owner) owner id : 0000-5e01-1101 priority : 255 active : local forwarder 02 state : listening virtual mac : 000f-e2ff-0012 (learnt) owner id : 0000-5e01-1103 priority : 127 active : 10.1.1.3 forwarder 03 state : list...

  • Page 2109

    1-36 active : local forwarder 03 state : listening virtual mac : 000f-e2ff-0013 (learnt) owner id : 0000-5e01-1105 priority : 127 active : 10.1.1.4 # display detailed information of vrrp group 1 on switch c. [switchc-vlan-interface2] display vrrp verbose ipv4 standby information: run mode : load bal...

  • Page 2110

    1-37 # if switch a fails, use the display vrrp verbose command to display the detailed information of vrrp group 1 on switch c. [switchc-vlan-interface2] display vrrp verbose ipv4 standby information: run mode : load balance run method : virtual mac total number of virtual routers : 1 interface vlan...

  • Page 2111

    1-38 z multiple vrrp group configuration example z vrrp load balancing mode configuration example single vrrp group configuration example network requirements z host a needs to access host b on the internet, using 1::10/64 as its default gateway. Z switch a and switch b belong to vrrp group 1 with t...

  • Page 2112

    1-39 # enable switch a to send ra messages. [switcha-vlan-interface2] undo ipv6 nd ra halt 2) configure switch b # configure vlan 2. system-view [switchb] ipv6 [switchb] vlan 2 [switchb-vlan2] port gigabitethernet 2/0/5 [switchb-vlan2] quit [switchb] interface vlan-interface 2 [switchb-vlan-interfac...

  • Page 2113

    1-40 interface vlan-interface2 vrid : 1 adver timer : 100 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 5 auth type : none virtual ip : fe80::10 1::10 master ip : fe80::1 the above information indicates that in vrrp group 1 switch a is the master...

  • Page 2114

    1-41 figure 1-14 network diagram for vrrp interface tracking host a switch a switch b virtual ipv6 address: fe80::10 1::10/64 vlan-int2 fe80::1 1::1/64 vlan-int2 fe80::2 1::2/64 host b gateway: 1::10/64 vlan-int3 internet configuration procedure 1) configure switch a # configure vlan 2. System-view ...

  • Page 2115

    1-42 # configure vlan 2. system-view [switchb] ipv6 [switchb] vlan 2 [switchb-vlan2] port gigabitethernet 2/0/5 [switchb-vlan2] quit [switchb] interface vlan-interface 2 [switchb-vlan-interface2] ipv6 address fe80::2 link-local [switchb-vlan-interface2] ipv6 address 1::2 64 # create a vrrp group 1 a...

  • Page 2116

    1-43 run mode : standard run method : virtual mac total number of virtual routers : 1 interface vlan-interface2 vrid : 1 adver timer : 500 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 5 auth type : simple key : hello virtual ip : fe80::10 1::10 ...

  • Page 2117

    1-44 preempt mode : yes delay time : 5 auth type : simple key : hello virtual ip : fe80::10 1::10 virtual mac : 0000-5e00-0201 master ip : fe80::2 the above information indicates that if vlan-interface 3 on switch a is not available, the priority of switch a is reduced to 80 and switch a becomes the...

  • Page 2118

    1-45 [switcha-vlan2] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ipv6 address fe80::1 link-local [switcha-vlan-interface2] ipv6 address 1::1 64 # create vrrp group 1 and set its virtual ipv6 addresses to fe80::10 and 1::10. [switcha-vlan-interface2] vrrp ipv6 vrid 1 virtual-ip...

  • Page 2119

    1-46 [switchb] vlan 3 [switchb-vlan3] port gigabitethernet 2/0/6 [switchb-vlan3] quit [switchb] interface vlan-interface 3 [switchb-vlan-interface3] ipv6 address fe90::2 link-local [switchb-vlan-interface3] ipv6 address 2::2 64 # create vrrp group 2 and set its virtual ipv6 addresses to fe90::10 and...

  • Page 2120

    1-47 total number of virtual routers : 2 interface vlan-interface2 vrid : 1 adver timer : 100 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 0 auth type : none virtual ip : fe80::10 1::10 master ip : fe80::1 interface vlan-interface3 vrid : 2 adve...

  • Page 2121

    1-48 figure 1-16 network diagram for vrrp load balancing mode configuration procedure 1) configure switch a # configure vlan 2. system-view [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 2/0/5 [switcha-vlan2] quit # configure vrrp to work in the load balancing mode. [switcha] vrrp mode load-b...

  • Page 2122

    1-49 system-view [switchb] vlan 2 [switchb-vlan2] port gigabitethernet 2/0/5 [switchb-vlan2] quit # configure vrrp to work in the load balancing mode. [switchb] vrrp mode load-balance # create vrrp group 1 and configure its virtual ipv6 address as fe80::10. [switchb] interface vlan-interface 2 [swit...

  • Page 2123

    1-50 total number of virtual routers : 1 interface vlan-interface2 vrid : 1 adver timer : 100 admin status : up state : master config pri : 120 running pri : 120 preempt mode : yes delay time : 5 auth type : none virtual ip : fe80::10 master ip : fe80::1 forwarder information: 3 forwarders 1 active ...

  • Page 2124

    1-51 forwarder 01 state : listening virtual mac : 000f-e2ff-4011 (learnt) owner id : 0000-5e01-1101 priority : 127 active : fe80::1 forwarder 02 state : active virtual mac : 000f-e2ff-4012 (owner) owner id : 0000-5e01-1103 priority : 255 active : local forwarder 03 state : listening virtual mac : 00...

  • Page 2125

    1-52 forwarder 03 state : active virtual mac : 000f-e2ff-4013 (owner) owner id : 0000-5e01-1105 priority : 255 active : local the above information indicates that in vrrp group 1, switch a is the master and switch b and switch c are the backups. On each of the three switches, there are one avf and t...

  • Page 2126

    1-53 the above information indicates that if switch a fails, switch b becomes the master, switch c becomes the avf among the vfs corresponding to the virtual mac address 000f-e2ff-4011, and packets sent from host a to the external network are forwarded by switch c. Troubleshooting vrrp symptom 1: th...

  • Page 2127: Table of Contents

    I table of contents 1 smart link configuration 1-2 smart link overview ...

  • Page 2128: Smart Link Configuration

    1-2 1 smart link configuration when configuring smart link, go to these sections for information that you are interested in: • smart link overview • configuring a smart link device • configuring an associated device • displaying and maintaining smart link • smart link configuration examples smart li...

  • Page 2129

    1-3 for more information about stp and rrpp, refer to mstp configuration in the access volume and rrpp configuration in the high availability volume. Smart link is a feature developed to address the slow convergence issue with stp. It provides link redundancy as well as fast convergence in a dual up...

  • Page 2130

    1-4 receive control vlan the receive control vlan is used for receiving and processing flush messages. When link switchover occurs, the devices (such as device a, device b, and device e in figure 1-1 ) receive and process flush messages in the receive control vlan and refresh their mac address forwa...

  • Page 2131

    1-5 configured with role preemption, ge2/0/1 takes over to forward traffic as soon as the former master link recovers, while ge2/0/2 is automatically blocked and placed in the standby state. Load sharing mechanism a ring network may carry traffic of multiple vlans. Smart link can forward traffic of ...

  • Page 2132

    1-6 • a smart link device is a device that supports smart link and is configured with a smart link group and a transmit control vlan for flush message transmission. Device c and device d in figure 1-1 are two examples of smart link devices. • an associated device is a device that supports smart link...

  • Page 2133

    1-7 configuring member ports for a smart link group you can configure member ports for a smart link group either in smart link group view or in interface view. The configurations made in these two views have the same effect. In smart link group view follow these steps to configure member ports for a...

  • Page 2134

    1-8 enabling the sending of flush messages follow these steps to enable the sending of flush messages: to do… use the command… remarks enter system view system-view — create a smart link group and enter smart link group view smart-link group group-id required enable flush update in the specified con...

  • Page 2135

    1-9 smart link device configuration example network requirements • create smart link group 1. • the protected vlans of smart link group 1 are mapped to msti 0 through 8. • configure gigabitethernet 2/0/1 as the master port of the smart link group, and gigabitethernet 2/0/2 as the slave port. • confi...

  • Page 2136

    1-10 to do… use the command… remarks enter system view system-view — enter ethernet interface view or layer 2 aggregate interface view interface interface-type interface-number — configure the control vlans for receiving flush messages smart-link flush enable [ control-vlan vlan-id-list] required by...

  • Page 2137

    1-11 to do… use the command… remarks clear the statistics about flush messages reset smart-link statistics available in user view smart link configuration examples single smart link group configuration example network requirements as shown in figure 1-2: • map vlans 1 through 10, vlans 11 through ...

  • Page 2138

    1-12 # disable stp on gigabitethernet 2/0/1 and gigabitethernet 2/0/2 separately, and configure them as trunk ports that permit vlans 1 through 30. [devicec] interface gigabitethernet 2/0/1 [devicec-gigabitethernet2/0/1] undo stp enable [devicec-gigabitethernet2/0/1] port link-type trunk [devicec-gi...

  • Page 2139

    1-13 [deviced-gigabitethernet2/0/2] quit # create smart link group 1 and configure all vlans mapped to mstis 0 through 2 as the protected vlans. [deviced] smart-link group 1 [deviced-smlk-group1] protected-vlan reference-instance 0 to 2 # configure gigabitethernet 2/0/1 as the master port and gigabi...

  • Page 2140

    1-14 [devicee] interface gigabitethernet 2/0/2 [devicee-gigabitethernet2/0/2] port link-type trunk [devicee-gigabitethernet2/0/2] port trunk permit vlan 1 to 30 [devicee-gigabitethernet2/0/2] smart-link flush enable [devicee-gigabitethernet2/0/2] quit [devicee] interface gigabitethernet 2/0/3 [devic...

  • Page 2141

    1-15 receiving interface of the last flush packet : gigabitethernet2/0/3 receiving time of the last flush packet : 16:25:21 2009/02/21 device id of the last flush packet : 000f-e23d-5af0 control vlan of the last flush packet : 1 multiple smart link groups load sharing configuration example network r...

  • Page 2142

    1-16 [devicec-gigabitethernet2/0/1] port link-type trunk [devicec-gigabitethernet2/0/1] port trunk permit vlan 1 to 200 [devicec-gigabitethernet2/0/1] quit [devicec] interface gigabitethernet 2/0/2 [devicec-gigabitethernet2/0/2] undo stp enable [devicec-gigabitethernet2/0/2] port link-type trunk [de...

  • Page 2143

    1-17 [deviceb-gigabitethernet2/0/1] port trunk permit vlan 1 to 200 [deviceb-gigabitethernet2/0/1] smart-link flush enable control-vlan 10 101 [deviceb-gigabitethernet2/0/1] quit [deviceb] interface gigabitethernet 2/0/2 [deviceb-gigabitethernet2/0/2] port link-type trunk [deviceb-gigabitethernet2/0...

  • Page 2144

    1-18 # display the smart link group configuration on device c. [devicec] display smart-link group all smart link group 1 information: device id: 000f-e23d-5af0 preemption mode: role control vlan: 10 protected vlan: reference instance 0 member role state flush-count last-flush-time ------------------...

  • Page 2145: Table of Contents

    I table of contents 1 monitor link configuration 1-1 overview ...

  • Page 2146: Monitor Link Configuration

    1-1 1 monitor link configuration when configuring monitor link, go to these sections for information you are interested in: • overview • configuring monitor link • displaying and maintaining monitor link • monitor link configuration example overview monitor link is a port collaboration function. Mon...

  • Page 2147

    1-2 configuring monitor link configuration prerequisites before assigning a port to a monitor link group, make sure the port is not the member port of any aggregation group or service loopback group. Configuration procedure follow these steps to configure monitor link: to do… use the command… remark...

  • Page 2149

    1-4 [devicec-gigabitethernet2/0/2] undo stp enable [devicec-gigabitethernet2/0/2] quit # create smart link group 1, and configure all the vlans mapped to mstis 0 through 15 as the protected vlans for smart link group 1. [devicec] smart-link group 1 [devicec-smlk-group1]protected-vlan reference-insta...

  • Page 2150

    1-5 [deviced-mtlk-group1] quit # enable flush message receiving on gigabitethernet 2/0/1 and gigabitethernet 2/0/2 separately. [deviced] interface gigabitethernet 2/0/1 [deviced-gigabitethernet2/0/1] smart-link flush enable [deviced-gigabitethernet2/0/1] quit [deviced] interface gigabitethernet 2/0/...

  • Page 2151: Table of Contents

    I table of contents 1 rrpp configuration 1-1 rrpp overview ...

  • Page 2152: Rrpp Configuration

    1-1 1 rrpp configuration when configuring rrpp, go to these sections for information you are interested in: • rrpp overview • rrpp configuration task list • creating an rrpp domain • configuring control vlans • configuring protected vlans • configuring rrpp rings • activating an rrpp domain • config...

  • Page 2153

    1-2 basic concepts in rrpp figure 1-1 rrpp networking diagram rrpp domain the interconnected devices with the same domain id and control vlans constitute an rrpp domain. An rrpp domain contains the following elements: primary ring, subring, control vlan, master node, transit node, primary port, seco...

  • Page 2154

    1-3 ip address configuration is prohibited on the control vlan interfaces. 2) data vlan a data vlan is a vlan dedicated to transferring data packets. Both rrpp ports and non-rrpp ports can be assigned to a data vlan. Node each device on an rrpp ring is referred to as a node. The role of a node is co...

  • Page 2155

    1-4 common port and edge port the ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in figure 1-1 , device b and device c lie on ring 1 and ring 2. Devi...

  • Page 2156

    1-5 rrppdus of subrings are transmitted as data packets in the primary ring, while rrppdus of the primary ring can only be transmitted within the primary ring. Rrpp timers when rrpp checks the link state of an ethernet ring, the master node sends hello packets out the primary port according to the h...

  • Page 2157

    1-6 • if the ring is torn down, the secondary port of the master node will fail to receive hello packets before the fail timer expires. The master node will release the secondary port from blocking data vlans while sending common-flush-fdb packets to instruct all transit nodes to update their own ma...

  • Page 2158

    1-7 node rrpp ring group and an assistant-edge node rrpp ring group configured, only one subring sends and receives edge-hello packets, thus reducing cpu workload. As shown in figure 1-5 , device b is the edge node of ring 2 and ring 3, and device c is the assistant-edge node of ring 2 and ring 3. D...

  • Page 2159

    1-8 figure 1-2 schematic diagram for a single-ring network tangent rings as shown in figure 1-3 , there are two or more rings in the network topology and only one common node between rings. In this case, you need to define an rrpp domain for each ring. Figure 1-3 schematic diagram for a tangent-ring...

  • Page 2160

    1-9 figure 1-4 schematic diagram for an intersecting-ring network dual homed rings as shown in figure 1-5 , there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an rrpp domain, and configure one ring as the primary ring...

  • Page 2161

    1-10 figure 1-6 schematic diagram for a single-ring load balancing network domain 1 ring 1 device a device b device d device c domain 2 intersecting-ring load balancing in an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in figure 1-7 , ring...

  • Page 2162

    1-11 complete the following tasks to configure rrpp: task remarks creating an rrpp domain required perform this task on all nodes in the rrpp domain. Configuring control vlans required perform this task on all nodes in the rrpp domain. Configuring protected vlans required perform this task on all no...

  • Page 2163

    1-12 follow these steps to create an rrpp domain: to do… use the command… remarks enter system view system-view — create an rrpp domain and enter rrpp domain view rrpp domain domain-id required configuring control vlans before configuring rrpp rings in an rrpp domain, configure the same control vlan...

  • Page 2164

    1-13 follow these steps to configure protected vlans: to do… use the command… remarks enter system view system-view — enter rrpp domain view rrpp domain domain-id — configure protected vlans for the rrpp domain protected-vlan reference-instance instance-id-list required by default, no protected vlan...

  • Page 2166

    1-15 to do… use the command… remarks specify the current device as the master node of the ring, and specify the primary port and the secondary port ring ring-id node-mode master [ primary-port interface-type interface-number ] [ secondary-port interface-type interface-number] level level-value requi...

  • Page 2167

    1-16 to do… use the command… remarks enter system view system-view — enter rrpp domain view rrpp domain domain-id — specify the current device as a transit node of the primary ring, and specify the primary port and the secondary port ring ring-id node-mode transit [ primary-port interface-type inter...

  • Page 2168

    1-17 to do… use the command… remarks configure the hello timer and fail timer for the rrpp domain timer hello-timer hello-value fail-timer fail-value required by default, the hello timer value is 1 second and the fail timer value is 3 seconds. Z the fail timer value must be equal to or greater than ...

  • Page 2169

    1-18 configuring fast detection timers perform this configuration on the master node in the rrpp domain to be configured. Follow these steps to configure rrpp fast detection timers: to do… use the command… remarks enter system view system-view — enter rrpp domain view rrpp domain domain-id — configu...

  • Page 2170

    1-19 • you can assign a subring to only one rrpp ring group. Make sure that the rrpp ring group configured on the edge node and that configured on the assistant-edge node contain the same subrings. Otherwise, the rrpp ring group cannot operate normally. • ensure that the subrings in an rrpp rin...

  • Page 2171

    1-20 figure 1-8 network diagram for single ring configuration configuration procedure 1) configuration on device a # configure the suppression time of physical-link-state changes on gigabitethernet 2/0/1 and gigabitethernet 2/0/2 as zero, disable stp, configure the two ports as trunk ports, and assi...

  • Page 2172

    1-21 [devicea] rrpp enable 2) configuration on device b # configure the suppression time of physical-link-state changes on gigabitethernet 2/0/1 and gigabitethernet 2/0/2 as zero, disable stp, configure the two ports as trunk ports, and assign them to all vlans. System-view [deviceb] interface gigab...

  • Page 2173

    1-22 • device a, device b, device c and device d constitute rrpp domain 1, vlan 4092 is the primary control vlan of rrpp domain 1, and rrpp domain 1 protects all the vlans; • device a, device b, device c and device d constitute primary ring 1, and device b, device c and device e constitute subring 2...

  • Page 2174

    1-23 [devicea-gigabitethernet2/0/2] quit # create rrpp domain 1, configure vlan 4092 as the primary control vlan of rrpp domain 1, and configure the vlans mapped to mstis 0 through 31 as the protected vlans of rrpp domain 1. [devicea] rrpp domain 1 [devicea-rrpp-domain1] control-vlan 4092 [devicea-r...

  • Page 2175

    1-24 [deviceb-rrpp-domain1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0 [deviceb-rrpp-domain1] ring 1 enable # configure device b as the edge node of subring 2, with gigabitethernet 2/0/3 as the edge port, and enable ring 2. [deviceb-rrpp-...

  • Page 2176

    1-25 [devicec-rrpp-domain1] ring 2 node-mode assistant-edge edge-port gigabitethernet 2/0/3 [devicec-rrpp-domain1] ring 2 enable [devicec-rrpp-domain1] quit # enable rrpp. [devicec] rrpp enable 4) configuration on device d # configure the suppression time of physical-link-state changes on gigabiteth...

  • Page 2177

    1-26 [devicee-gigabitethernet2/0/1] port trunk permit vlan all [devicee-gigabitethernet2/0/1] quit [devicee] interface gigabitethernet 2/0/2 [devicee-gigabitethernet2/0/2] link-delay 0 [devicee-gigabitethernet2/0/2] undo stp enable [devicee-gigabitethernet2/0/2] port link-type trunk [devicee-gigabit...

  • Page 2178

    1-27 figure 1-10 network diagram for intersecting-ring load balancing configuration configuration procedure 1) configuration on device a # create vlans 10 and 20, map vlan 10 to msti 1 and vlan 20 to msti 2, and activate mst region configuration. System-view [devicea] vlan 10 [devicea-vlan10] quit [...

  • Page 2179

    1-28 [devicea-gigabitethernet2/0/2] port link-type trunk [devicea-gigabitethernet2/0/2] undo port trunk permit vlan 1 [devicea-gigabitethernet2/0/2] port trunk permit vlan 10 20 [devicea-gigabitethernet2/0/2] quit # create rrpp domain 1, configure vlan 100 as the primary control vlan of rrpp domain ...

  • Page 2180

    1-29 [deviceb] interface gigabitethernet 2/0/1 [deviceb-gigabitethernet2/0/1] link-delay 0 [deviceb-gigabitethernet2/0/1] undo stp enable [deviceb-gigabitethernet2/0/1] port link-type trunk [deviceb-gigabitethernet2/0/1] undo port trunk permit vlan 1 [deviceb-gigabitethernet2/0/1] port trunk permit ...

  • Page 2181

    1-30 [deviceb-rrpp-domain1] ring 3 enable [deviceb-rrpp-domain1] quit # create rrpp domain 2, configure vlan 105 as the primary control vlan of rrpp domain 2, and configure the vlan mapped to msti 2 as the protected vlan of rrpp domain 2. [deviceb] rrpp domain 2 [deviceb-rrpp-domain2] control-vlan 1...

  • Page 2182

    1-31 [devicec-gigabitethernet2/0/2] undo stp enable [devicec-gigabitethernet2/0/2] port link-type trunk [devicec-gigabitethernet2/0/2] undo port trunk permit vlan 1 [devicec-gigabitethernet2/0/2] port trunk permit vlan 10 20 [devicec-gigabitethernet2/0/2] quit # configure the suppression time of phy...

  • Page 2183

    1-32 # configure device c as the transit node of primary ring 1 in rrpp domain 2, with gigabitethernet 2/0/1 as the primary port and gigabitethernet 2/0/2 as the secondary port, and enable ring 1. [devicec-rrpp-domain2] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigab...

  • Page 2184

    1-33 [deviced-rrpp-domain1] control-vlan 100 [deviced-rrpp-domain1] protected-vlan reference-instance 1 # configure device d as the transit node of primary ring 1 in rrpp domain 1, with gigabitethernet 2/0/1 as the primary port and gigabitethernet 2/0/2 as the secondary port, and enable ring 1. [dev...

  • Page 2185

    1-34 [devicee-gigabitethernet2/0/2] undo port trunk permit vlan 1 [devicee-gigabitethernet2/0/2] port trunk permit vlan 20 [devicee-gigabitethernet2/0/2] quit # create rrpp domain 2, configure vlan 105 as the primary control vlan, and configure the vlan mapped to msti 2 as the protected vlan. [devic...

  • Page 2186

    1-35 [devicef] rrpp domain 1 [devicef-rrpp-domain1] control-vlan 100 [devicef-rrpp-domain1] protected-vlan reference-instance 1 # configure device f as the master node of subring 3 in rrpp domain 1, with gigabitethernet 2/0/1 as the primary port and gigabitethernet 2/0/2 as the secondary port, and e...

  • Page 2187

    1-36 figure 1-11 network diagram for fast detection configuration configuration procedure 1) configuration on device a # configure the suppression time of physical-link-state changes on gigabitethernet 2/0/1 and gigabitethernet 2/0/2 as zero, disable stp, configure the two ports as trunk ports, and ...

  • Page 2188

    1-37 [devicea-rrpp-domain1] fast-detection enable [devicea-rrpp-domain1] timer fast-fail-timer 300 [devicea-rrpp-domain1] timer fast-hello-timer 100 [devicea-rrpp-domain1] quit # enable the rrpp protocol. [devicea] rrpp enable 2) configuration on device b # configure the suppression time of physical...

  • Page 2189

    1-38 [deviced-gigabitethernet2/0/1] undo stp enable [deviced-gigabitethernet2/0/1] port link-type trunk [deviced-gigabitethernet2/0/1] port trunk permit vlan all [deviced-gigabitethernet2/0/1] quit [deviced] interface gigabitethernet 2/0/2 [deviced-gigabitethernet2/0/2] link-delay 0 [deviced-gigabit...

  • Page 2190

    1-39 • use the debugging rrpp command on each node to check whether a port receives or transmits hello packets. If not, hello packets are lost.

  • Page 2191: Table of Contents

    I table of contents 1 dldp configuration 1-1 overview ...

  • Page 2192: Dldp Configuration

    1-1 1 dldp configuration when performing dldp configuration, go to these sections for information you are interested in: • overview • dldp configuration task list • enabling dldp • setting dldp mode • setting the interval for sending advertisement packets • setting the delaydown timer • setting the ...

  • Page 2193

    1-2 figure 1-2 unidirectional fiber link: a fiber not connected or disconnected device a ge2/0/1 ge2/0/2 device b ge2/0/1 ge2/0/2 pc the device link detection protocol (dldp) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, dldp, as configured, can shu...

  • Page 2194

    1-3 state indicates… disable a port enters this state when: • a unidirectional link is detected. • the contact with the neighbor in enhanced mode gets lost. In this state, the port does not receive or send packets other than dldpdus. Delaydown a port in the active, advertisement, or probe dldp link ...

  • Page 2195

    1-4 dldp timer description delaydown timer a device in the active, advertisement, or probe dldp link state transits to delaydown state rather than removes the corresponding neighbor entry and transits to the inactive state when it detects a port-down event. When a device transits to this state, the ...

  • Page 2196

    1-5 figure 1-3 a case for enhanced dldp mode • in normal dldp mode, only fiber cross-connected unidirectional links (as shown in figure 1-1) can be detected. • in enhanced dldp mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in figure 1-1). The...

  • Page 2197

    1-6 table 1-4 dldp packet types and dldp states dldp state type of dldp packets sent active advertisement packet with rsy tag advertisement normal advertisement packet probe probe packet disable disable packet and recoverprobe packet when a device transits from a dldp state other than inactive state...

  • Page 2198

    1-7 packet type processing procedure if the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the entry timer, and transits to probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet. Ech...

  • Page 2199

    1-8 recoverecho packet. Upon receiving the recoverecho packet, the local port checks whether neighbor information in the recoverecho packet is the same as the local port information. If they are the same, the link between the local port and the neighbor is considered to have been restored to a bidir...

  • Page 2200

    1-9 • keep the interval for sending advertisement packets adequate to enable unidirectional links to be detected in time. If the interval is too long, unidirectional links cannot be terminated in time; if the interval is too short, network traffic may increase in vain. • dldp does not process any li...

  • Page 2202

    1-11 delaydown timer setting applies to all dldp-enabled ports. Setting the port shutdown mode on detecting a unidirectional link, the ports can be shut down in one of the following two modes. • manual mode. This mode applies to networks with low performance, where normal links may be treated as uni...

  • Page 2203

    1-12 to enable dldp to operate properly, make sure the dldp authentication modes and the passwords of the both sides of a link are the same. Resetting dldp state after dldp detects a unidirectional link on a port, the port enters disable state. In this case, dldp prompts you to shut down the port ma...

  • Page 2204

    1-13 to do… use the command… remarks reset dldp state dldp reset required displaying and maintaining dldp to do… use the command… remarks display the dldp configuration of a port display dldp [ interface-type interface-number ] available in any view display the statistics on dldp packets passing thr...

  • Page 2205

    1-14 [devicea] interface gigabitethernet 2/0/2 [devicea-gigabitethernet2/0/2] dldp enable [devicea-gigabitethernet2/0/2] quit # set the interval for sending advertisement packets to 6 seconds. [devicea] dldp interval 6 # set the delaydown timer to 2 seconds. [devicea] dldp delaydown-timer 2 # set the d...

  • Page 2206

    1-15 # display the dldp configuration information on all the dldp-enabled ports of device a. [devicea] display dldp dldp global status : enable dldp interval : 6s dldp work-mode : enhance dldp authentication-mode : none dldp unidirectional-shutdown : auto dldp delaydown-timer : 2s the number of enab...

  • Page 2207: Table of Contents

    I table of contents 1 ethernet oam configuration 1-1 ethernet oam overview ...

  • Page 2208: Ethernet Oam Configuration

    1-1 1 ethernet oam configuration when configuring the ethernet oam function, go to these sections for information you are interested in: • ethernet oam overview • ethernet oam configuration task list • configuring basic ethernet oam functions • configuring link monitoring • enabling oam remote loopb...

  • Page 2209

    1-2 figure 1-1 formats of different types of ethernet oampdus the fields in an oampdu are described as follows: table 1-1 description of the fields in an oampdu field description dest addr destination mac address of the ethernet oampdu. It is a slow protocol multicast address 0180c2000002. As slow p...

  • Page 2210

    1-3 table 1-2 functions of different types of oampdus oampdu type function information oampdu used for transmitting state information of an ethernet oam entity (including the information about the local device and remote devices, and customized information) to the remote ethernet oam entity and main...

  • Page 2211

    1-4 item active ethernet oam mode passive ethernet oam mode responding to loopback control oampdus available (if both sides operate in active oam mode) available • oam connections can be initiated only by oam entities operating in active oam mode, while those operating in passive mode wait and respo...

  • Page 2212

    1-5 ethernet oam link events description errored frame seconds event when the number of error frame seconds detected on a port over a detection interval reaches the error threshold, an errored frame seconds event occurs. • the system transforms the period of detecting errored frame period events int...

  • Page 2213

    1-6 standards and protocols ethernet oam is defined in ieee 802.3h (carrier sense multiple access with collision detection (csma/cd) access method and physical layer specifications. Amendment: media access control parameters, physical layers, and management parameters for subscriber access networks)...

  • Page 2214

    1-7 after ethernet oam connections are established, the link monitoring periods and thresholds configured in this section take effect on all ethernet ports automatically. Configuring errored frame event detection an errored frame event occurs when the number of detected error frames over a specific ...

  • Page 2215

    1-8 to do… use the command… remarks configure the errored frame seconds event triggering threshold oam errored-frame-seconds threshold threshold-value optional 1 by default make sure the errored frame seconds triggering threshold is less than the errored frame seconds detection interval. Otherwise, ...

  • Page 2216

    1-9 • ethernet oam remote loopback is available only after the ethernet oam connection is established and can be performed only by the ethernet oam entities operating in active ethernet oam mode. • remote loopback is available only on full-duplex links that support remote loopback at both ends. • et...

  • Page 2217

    1-10 ethernet oam configuration example network requirements • enable ethernet oam on device a and device b to auto-detect link errors between the two devices. • monitor the performance of the link between device a and device b by collecting statistics about the error frames received by device a. Fi...

  • Page 2218

    1-11 errored-frame event threshold : 10 errored-frame-period event period(in ms) : 1000 errored-frame-period event threshold : 1 errored-frame-seconds event period(in seconds) : 60 errored-frame-seconds event threshold : 1 according to the above output information, the detection period of errored fr...

  • Page 2219: Extended Oam Configuration

    2-1 2 extended oam configuration when configuring extended oam, go to these sections for information you are interested in: z overview z configuring extended oam overview with an ethernet passive optical network (epon) board, an s7900e switch can operate as the optical line terminal (olt) device of ...

  • Page 2220

    2-2 when you remotely manage onus on an olt device, extended oam can encapsulate various operation and acknowledgement information in the data field. The data field consists of the following sub-fields: • oui: the oui address of the transmitting device. • ext.opcode: extended operation code. Extende...

  • Page 2221

    2-3 the olt can configure the following functions for the onu: • basic port configurations, including duplex mode, rate, and traffic control. • vlan management and configuration • multicast • qos • dba the olt can query and configure the functions mentioned above. You can use the related query comma...

  • Page 2222: Table of Contents

    I table of contents 1 connectivity fault detection configuration 1-1 overview ...

  • Page 2223

    1-1 1 connectivity fault detection configuration when configuring cfd, go to these sections for information you are interested in: • overview • cfd configuration task list • basic configuration tasks • configuring cc on meps • configuring lb on meps • configuring lt on meps • displaying and maintain...

  • Page 2224

    1-2 figure 1-1 two nested mds cfd exchanges messages and performs operations on a per-domain basis. By planning mds properly in a network, you can use cfd to locate failure points rapidly. Maintenance association a maintenance association (ma) is a set of maintenance points (mps) in an md. An ma is ...

  • Page 2225

    1-3 figure 1-2 outward-facing mep figure 1-3 inward-facing mep • mip a mip is internal to an md. It cannot send cfd packets actively; however, it can handle and respond to cfd packets. The ma and md that a mip belongs to define the vlan attribute and level of the packets received. By cooperating wit...

  • Page 2226

    1-4 Figure 1-4 Levels of MPs. MEP list: a MEP list is a collection of the local MEPs allowed to be configured in an MA and the remote MEPs to be monitored. It lists all the MEPs configured on different devices in the same MA. The MEPs all have unique MEP IDs. When a MEP receives from a remote device a con...

  • Page 2227

    1-5 Linktrace: linktrace is responsible for identifying the path between the source MEP and the destination MEP. It is implemented as follows: the source MEP multicasts linktrace messages (LTMs) toward the destination MEP. After receiving the messages, the destination MEP and the MIP...

  • Page 2228

    1-6 Basic configuration tasks. Basic configuration tasks include: configuring a service instance; configuring a MEP; configuring MIP generation rules. Based on the network design, you should configure MEPs or the rules for generating MIPs on each device. However, before doing this you must first confi...

  • Page 2229

    1-7 Configuring a MEP. MEPs are functional entities in a service instance. CFD is implemented through operations on MEPs, which provide functions such as CC, LB, and LT, and give prompts on error CCMs and cross connections. Because a MEP is configured on a service instance, the MD level and VLAN attribute...

  • Page 2230

    1-8 MIPs are generated on each port automatically according to the rules specified with the cfd mip-rule command. If a port has no MIP, the system checks the MAs in each MD (from low to high levels) and follows the rules in Table 1-1 to decide whether to create MIPs (within a single VLAN): Table 1-1 R...

  • Page 2231

    1-9 On different devices, the MEPs belonging to the same MD and MA should be configured with the same CCM sending interval. If the device has multiple cards with assistant CPUs, the CCMs are sent by one of these cards. If the card that sends the CCMs is unplugged, another card takes over...

  • Page 2233

    1-11 Displaying and maintaining CFD. To do... / Use the command... / Remarks: Display CFD status: display cfd status (available in any view). Display the CFD protocol version: display cfd version (available in any view). Display MD configuration information: display cfd md (available in any view). Display MA configur...

  • Page 2234

    1-12 Configure an MA in each MD; configure a service instance for each MA. Figure 1-5 Network diagram for MD configuration. Configuration procedure: 1) Configuration on Device A (configuration on Device E is the same as that on Device A): system-view [devicea] cfd enable [devicea] cfd md md_a level 5...

  • Page 2235

    1-13 Decide the MEP direction (inward-facing or outward-facing) on each edge port based on the MD position. Configure a MEP list for each MA, and assign a unique ID to each MEP in an MA. Decide the remote MEP for each MEP, and enable these MEPs. According to the network diagram shown in Fig...

  • Page 2236

    1-14 [deviced] interface gigabitethernet 2/0/1 [deviced-gigabitethernet2/0/1] cfd mep 4001 service-instance 2 outbound [deviced-gigabitethernet2/0/1] cfd mep service-instance 2 mep 4001 enable [deviced-gigabitethernet2/0/1] cfd cc service-instance 2 mep 4001 enable [deviced-gigabitethernet2/0/1] int...

  • Page 2237

    1-15 Figure 1-7 Network diagram of MD and MP configuration. Configuration procedure: 1) Configure Device B: system-view [deviceb] cfd mip-rule explicit service-instance 1 2) Configure Device C: system-view [devicec] cfd mip-rule default service-instance 2 After the above operation, you can use the displ...

  • Page 2238

    1-16 [devicea] cfd linktrace service-instance 1 mep 1001 target-mep 4002.

  • Page 2239: Table of Contents

    I Table of Contents: 1 BFD Configuration 1-1; Introduction to BFD ...

  • Page 2240: BFD Configuration

    1-1 1 BFD Configuration. When configuring BFD, go to these sections for information you are interested in: Introduction to BFD; Configuring BFD basic functions; Enabling trap; Displaying and maintaining BFD. The term "router" or router icon in this document refers to a router in a generic sense...

  • Page 2241

    1-2 How BFD works. BFD provides a general-purpose, standard, medium- and protocol-independent fast failure detection mechanism. It can uniformly and quickly detect failures of the bidirectional forwarding paths between two routers on behalf of upper-layer protocols, such as routing protocols and multiprotocol label s...

  • Page 2242

    1-3 No detection time resolution is defined in the BFD draft. At present, most devices supporting BFD provide detection measured in milliseconds. BFD detection methods: single-hop detection: detects the IP connectivity between two directly connected systems. Single hop means one hop for IP forwardi...

  • Page 2243

    1-4 At present, only the asynchronous mode is supported. When a BFD session operates in echo mode, the session is independent of the operating mode. When the connectivity to another system needs to be verified explicitly, a system sends several BFD control packets that have the Poll (P) bit se...

  • Page 2244

    1-5 Diag / Description: 7 Administratively down; 8~31 Reserved for future use. State (Sta): current BFD session state. Its value can be 0 for AdminDown, 1 for Down, 2 for Init, and 3 for Up. Demand (D): if set, demand mode is active in the transmitting system (the system wishes to operate in demand m...

  • Page 2245

    1-6 BGP: for details, refer to BGP Configuration and BGP Commands in the IP Routing volume. MPLS: for details, refer to MPLS Basics Configuration and MPLS Basics Commands in the MPLS volume. Track: for details, refer to Track Configuration and Track Commands in the High Availability volume. Pr...

  • Page 2246

    1-7 To do… / Use the command… / Remarks: Configure the source IP address of echo packets: bfd echo-source-ip ip-address (optional). It is not recommended to configure a source IP address on the network segment of any local interface's IP address; otherwise, a large number of ICMP redirect packets will...

  • Page 2247

    1-8 To do… / Use the command… / Remarks: Clear BFD session statistics (on a distributed IRF device): reset bfd session statistics [ chassis chassis-number slot slot-number ] (available in user view).

  • Page 2248: Table of Contents

    I Table of Contents: 1 Track Configuration 1-1; Track overview ...

  • Page 2249: Track Configuration

    1-1 1 Track Configuration. When configuring Track, go to these sections for information you are interested in: Track overview; Track configuration task list; Configuring collaboration between the Track module and the detection modules; Configuring collaboration between the Track module and the a...

  • Page 2250

    1-2 At present, the detection modules that can collaborate with the Track module include the network quality analyzer (NQA) module, the bidirectional forwarding detection (BFD) module, and the interface management module. Refer to NQA Configuration in the System volume for details of NQA. Refer t...

  • Page 2251

    1-3 Configuring collaboration between the Track module and the detection modules. Configuring Track-NQA collaboration: through the following configuration, you can establish collaboration between the Track module and NQA, which probes the link status and informs the Track module of the probe r...

  • Page 2252

    1-4 Configuring collaboration between the Track module and the interface management module: through the following configuration, you can establish collaboration between the Track module and the interface management module, which informs the Track module of changes in the physical status and l...

  • Page 2253

    1-5 a higher priority router in the VRRP group to become the master, so as to maintain proper communication between the hosts in the LAN and the external network. Monitor the master on a backup. If there is a fault on the master, the backup working in switchover mode switches to master immedia...

  • Page 2254

    1-6 Configuring Track-static routing collaboration. A static route is a manually configured route. With a static route configured, packets to the specified destination are forwarded along the path specified by the administrator. The disadvantage of static routes is that they cannot adapt to n...

  • Page 2255

    1-7 For Track-static routing collaboration, the specified static route can be an existing or nonexistent one. For an existing static route, the static route and the specified Track entry are associated directly; for a nonexistent static route, the system creates the static rou...

  • Page 2256

    1-8 Figure 1-2 Network diagram for VRRP-Track-NQA collaboration configuration. Configuration procedure: 1) Configure the IP address of each interface as shown in Figure 1-2. 2) Configure an NQA test group on Switch A. system-view # Create an NQA test group with the administrator name admin and the op...

  • Page 2257

    1-9 [switcha-vlan-interface2] vrrp vrid 1 priority 110 # Set the authentication mode of VRRP group 1 to simple, and the authentication key to hello. [switcha-vlan-interface2] vrrp vrid 1 authentication-mode simple hello # Configure the master to send VRRP packets at an interval of five seconds. [swi...

  • Page 2258

    1-10 run mode : standard run method : virtual mac total number of virtual routers : 1 interface vlan-interface2 vrid : 1 adver timer : 5 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 5 auth type : simple key : hello virtual ip : 10.1.1.10 master ...

  • Page 2259

    1-11 master ip : 10.1.1.2 The output indicates that when there is a fault on the link between Switch A and Switch C, the priority of Switch A decreases to 80. Switch A becomes the backup, and Switch B becomes the master. Packets from Host A to Host B are forwarded through Switch B. Confi...

  • Page 2260

    1-12 [switcha-vlan-interface2] vrrp vrid 1 priority 110 [switcha-vlan-interface2] return 2) Configure BFD on Switch B. # Configure the source address of BFD echo packets as 10.10.10.10. system-view [switchb] bfd echo-source-ip 10.10.10.10 3) Create the Track entry to be associated with the BFD sessi...

  • Page 2261

    1-13 auth type : none virtual ip : 192.168.0.10 master ip : 192.168.0.101 vrrp track information: track object : 1 state : positive switchover # Display information about Track entry 1 on Switch B. display track 1 track id: 1 status: positive notification delay: positive 0, negative 0 (in seconds) r...

  • Page 2262

    1-14 The above output indicates that when BFD detects that Switch A has failed, it notifies VRRP through the Track module to change the status of Switch B to master without waiting for a period of three times the advertisement interval, so that a backup can quickly take over as the master. Configuring BFD fo...

  • Page 2263

    1-15 # Create VRRP group 1, and configure the virtual IP address of the group as 192.168.0.10; configure the priority of Switch A in VRRP group 1 as 110; configure VRRP group 1 to monitor the status of Track entry 1. When the status of the Track entry becomes negative, the priority of Switch A decre...

  • Page 2264

    1-16 run mode : standard run method : virtual mac total number of virtual routers : 1 interface vlan-interface2 vrid : 1 adver timer : 1 admin status : up state : backup config pri : 100 running pri : 100 preempt mode : yes delay time : 0 auth type : none virtual ip : 192.168.0.10 master ip : 192.16...

  • Page 2265

    1-17 interface vlan-interface2 vrid : 1 adver timer : 1 admin status : up state : master config pri : 100 running pri : 100 preempt mode : yes delay time : 0 auth type : none virtual ip : 192.168.0.10 virtual mac : 0000-5e00-0101 master ip : 192.168.0.102 The above output indicates that when Switch ...

  • Page 2266

    1-18 # Configure the test frequency as 100 ms. [switcha-nqa-admin-test-icmp-echo] frequency 100 # Configure reaction entry 1, specifying that five consecutive probe failures trigger the static routing-Track-NQA collaboration. [switcha-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail t...

  • Page 2267

    1-19 notification delay: positive 0, negative 0 (in seconds) reference object: nqa entry: admin test reaction: 1 # Display the routing table of Switch A. [switcha] display ip routing-table routing tables: public destinations : 4 routes : 4 destination/mask proto pre cost nexthop interface 10.2.1.0/2...

  • Page 2268

    1-20 # Configure the source address of BFD echo packets as 10.10.10.10. [switcha] bfd echo-source-ip 10.10.10.10 4) Configure a Track entry on Switch A. # Configure Track entry 1 and associate it with the BFD session, which checks whether Switch A can reach the next hop of the static route: Sw...

  • Page 2269

    1-21 remote ip : 10.2.1.1 local ip : 10.2.1.2 # Display the routing table of Switch A. [switcha] display ip routing-table routing tables: public destinations : 4 routes : 4 destination/mask proto pre cost nexthop interface 10.2.1.0/24 direct 0 0 10.2.1.2 vlan3 10.2.1.2/32 direct 0 0 127.0.0.1 inloop...

  • Page 2270

    1-22 [switcha] track 1 interface vlan-interface 3 3) Configure VRRP on Switch A. # Create VRRP group 1, and configure the virtual IP address 10.1.1.10 for the group. [switcha] interface vlan-interface 2 [switcha-vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.10 # Set the priority of Switch A in VRRP...

  • Page 2271

    1-23 auth type : none virtual ip : 10.1.1.10 master ip : 10.1.1.1 The above output indicates that in VRRP group 1, Switch A is the master and Switch B is a backup. Packets from Host A to Host B are forwarded through Switch A. # Shut down the uplink interface VLAN-interface 3 on Switch A....

  • Page 2272: Table of Contents

    I Table of Contents: 1 GR Overview 1-1; Introduction to graceful restart ...

  • Page 2273: GR Overview

    1-1 1 GR Overview. Go to these sections for information you are interested in: Introduction to graceful restart; Basic concepts in graceful restart; Graceful restart communication procedure; Graceful restart mechanism for several commonly used protocols. Throughout this chapter, the term router r...

  • Page 2274

    1-2 GR time: the time taken for the GR restarter and the GR helper to establish a session between them. Upon detecting that a neighbor is down, the GR helper preserves the topology or routing information received from the GR restarter for the period specified by the GR time. Graceful rest...

  • Page 2275

    1-3 Figure 1-2 Restarting process for the GR restarter. As illustrated in Figure 1-2, the GR helper detects that the GR restarter has restarted its routing protocol and assumes that it will recover within the GR time. Before the GR time expires, the GR helper neither terminates the session with ...

  • Page 2276

    1-4 Figure 1-4 The GR restarter obtains topology and routing information from the GR helper. As illustrated in Figure 1-4, the GR restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own routing table based on...

  • Page 2277: System Volume Organization

    System Volume Organization. Manual version: 20091015-C-1.00. Product version: Release 6605 and later. Organization: the System volume is organized as follows. Features / Description: Login: upon logging in to a device, you can configure user interface properties and manage the system conveniently. This documen...

  • Page 2278

    Features / Description: Device management: through the device management function, you can view the current condition of your device and configure running parameters. This document describes: device management overview; configuring the exception handling method; rebooting a device; configuring the ...

  • Page 2279

    Features / Description: Information center: as the system information hub, the information center classifies and manages all types of system information. This document describes: information center overview; setting to output system information to the console; setting to output system information to a m...

  • Page 2280

    Features / Description: Hotfix: hotfix is a fast, cost-effective method of fixing software defects on the device without interrupting the running services. This document describes: hotfix overview; hotfix operations (including loading, activating, running, deactivating, and deleting patch files). IRF int...

  • Page 2281: Table of Contents

    I Table of Contents: 1 Logging In to an Ethernet Switch 1-1; Logging in to an Ethernet switch ...

  • Page 2282

    II Modem connection establishment 4-2; Modem attribute configuration 4-4; Configuratio...

  • Page 2283

    1-1 1 Logging In to an Ethernet Switch. When logging in to an Ethernet switch, go to these sections for information you are interested in: Introduction to user interface; Logging in to an Ethernet switch; Specifying source for Telnet packets; Controlling login users. Logging in to an Ethernet swi...

  • Page 2284

    1-2 User interface / Applicable user / Port used / Description: VTY: Telnet users and SSH users; Ethernet port; each switch can accommodate up to five VTY users. Users and user interfaces: a device can support two AUX ports and multiple Ethernet interfaces, and thus multiple user interfaces are supported. Thes...

  • Page 2286

    2-1 2 Logging In Through the Console Port. When logging in through the console port, go to these sections for information you are interested in: Introduction; Setting up the connection to the console port; Console port login configuration; Console port login configuration with authentication mod...

  • Page 2287

    2-2 Figure 2-1 Diagram for setting up the connection to the console port. If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.x or HyperTerminal in Windows 9x/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 throu...

  • Page 2288

    2-3 Figure 2-4 Set port parameters terminal window. Turn on the switch. The user is prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key. You can then configure the switch or check t...

  • Page 2290

    2-5 Console port login configurations for different authentication modes. Table 2-3 lists console port login configurations for different authentication modes. Table 2-3 Console port login configurations for different authentication modes: Authentication mode / Console port login configuration / Descripti...

  • Page 2291

    2-6 To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter AUX user interface view: user-interface aux first-number [ last-number ] (—). Configure not to authenticate users: authentication-mode none (required; by default, users logging in through the console port are not authenticated). Note ...

  • Page 2292

    2-7 [sysname] user-interface aux 0 # Specify not to authenticate the user logging in through the console port. [sysname-ui-aux0] authentication-mode none # Specify that level 2 commands are available to the user logging in to the AUX user interface. [sysname-ui-aux0] user privilege level 2 # Set the b...

  • Page 2293

    2-8 Configuration example. Network requirements: assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you Telnet to the switch, you need to restrict the console user in the following aspects. The user is authenticate...

  • Page 2294

    2-9 # Set the maximum number of commands the history command buffer can store to 20. [sysname-ui-aux0] history-command max-size 20 # Set the idle timeout of the AUX user interface to 6 minutes. [sysname-ui-aux0] idle-timeout 6 After the above configuration, to ensure a successful login, the console ...

  • Page 2296

    2-11 Configuration example. Network requirements: assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you Telnet to the switch, you need to restrict the console user in the following aspects. Configure the name of ...

  • Page 2297

    2-12 # Configure the user logging in through the console port to be authenticated in scheme mode. [sysname-ui-aux0] authentication-mode scheme # Set the baud rate of the console port to 19200 bps. [sysname-ui-aux0] speed 19200 # Set the maximum number of lines the screen can contain to 30. [sysname-...

  • Page 2298

    2-13 Configuring command accounting. Command accounting allows the HWTACACS server to record all commands executed on the device regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is ...

  • Page 2299

    3-1 3 Logging In Through Telnet/SSH. Logging in through Telnet: when logging in through Telnet, go to these sections for information you are interested in: Introduction; Telnet connection establishment; Telnet login configuration with authentication mode being none; Telnet login configuration wit...

  • Page 2300

    3-2 # Enable the Telnet server function, and configure the IP address of the management VLAN interface as 202.38.160.92 and the subnet mask as 255.255.255.0. system-view [sysname] telnet server enable [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 202.38.160.92 255.255.25...

  • Page 2301

    3-3 Step 6: After successfully Telnetting to a switch, you can configure the switch or display information about the switch by executing the corresponding commands. You can also type ? at any time for help. Refer to the following chapters for information about the commands. A Telnet connection...

  • Page 2302

    3-4 Common configuration. Table 3-2 lists the common Telnet configuration. Table 3-2 Common Telnet configuration: Configuration / Remarks: Enter system view: system-view (—). Make the switch operate as a Telnet server: telnet server enable (by default, a switch does not operate as a Telnet server). Enter one ...

  • Page 2303

    3-5 Table 3-3 Telnet login configuration tasks when different authentication modes are adopted: Task / Description: Telnet login configuration with authentication mode being none: configure not to authenticate users logging in to user interfaces. Telnet login configuration with authentication mode being pass...

  • Page 2304

    3-6 Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none). 3) Configuration procedure # Enter system view, and enable the Telnet service. system-view [sysname] telnet server enable # Enter VTY 0 user interface view. [sysname] user-interface vty 0 # Configure no...

  • Page 2305

    3-7 Configuration example. 1) Network requirements: assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: authenticate users logging in to VTY 0 using the local password; set the local password to 123456 (in plain text); comm...

  • Page 2306

    3-8 Telnet login configuration with authentication mode being scheme. Configuration procedure: follow these steps to perform Telnet configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter one or more VTY user interface views: user-int...

  • Page 2307

    3-9 When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers. For more information about AAA, RADIUS, and HWTACACS, see AAA Configuration in the Security volume. Configuration example. 1) Network requirements: assume that you are ...

  • Page 2308

    3-10 # Configure users logging in to VTY 0 to be authenticated in scheme mode. [sysname-ui-vty0] authentication-mode scheme # Configure the user interface to support the Telnet protocol. [sysname-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [sysname-ui-vty0] screen-len...

  • Page 2309

    3-11 authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server. The command accounting configuration involves two steps: 1) Enable command accounting. See the following table for details. 2) Configure a command accounting scheme. Specify the IP addr...

  • Page 2310: Logging In Using Modem

    4-1 4 Logging In Using Modem. When logging in using a modem, go to these sections for information you are interested in: Introduction; Configuration on the administrator side; Configuration on the switch side; Modem connection establishment; Modem attribute configuration. Introduction: you may log ...

  • Page 2311

    4-2 AT&K0: disable flow control. AT&R1: ignore the RTS signal. AT&S0: force DSR to high level. ATEQ1&W: disable the modem from returning command responses and results, and save the changes. You can verify your c...

  • Page 2312

    4-3 authentication mode being password, and Console port login configuration with authentication mode being scheme for details. Step 2: Perform the following configuration on the modem directly connected to the switch. AT&F: restore the factory settings. ATS0=1: ...

  • Page 2313

    4-4 Figure 4-2 Set the telephone number. Figure 4-3 Call the modem. Step 5: Provide the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the following chapter...

  • Page 2314

    4-5 Configuration prerequisites: the authentication mode for login users has been configured on the AUX user interface; the modem dialup configuration environment is ready. Configuration procedure: follow these steps to configure the switch-side modem: To do … / Use the command … / Remarks: Enter syste...

  • Page 2315

    5-1 5 User Interface Configuration Examples. User authentication configuration example. Network diagram: as shown in Figure 5-1, command levels should be configured for different users to secure the device: the device administrator accesses the device through the console port from Host A. When the administrat...

  • Page 2316

    5-2 [device-ui-vty0-4] authentication-mode scheme [device-ui-vty0-4] quit # Create a RADIUS scheme and configure the IP address and UDP port of the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authenti...

  • Page 2317

    5-3 Configuration procedure # Assign an IP address to the device so that it is reachable from Host A and from the HWTACACS server. The configuration is omitted. # Enable the Telnet service on the device. system-view [device] telnet server enable # Set the device to use username and password authentication when...

  • Page 2318

    5-4 Command accounting configuration example. Network diagram: as shown in Figure 5-3, configure the commands that login users execute to be recorded on the HWTACACS server to control and monitor user operations. Figure 5-3 Network diagram for configuring command accounting (Internet, console conne...

  • Page 2319

    5-5 [device-hwtacacs-tac] quit # Create ISP domain system, and configure it to use HWTACACS scheme tac for accounting of command line users. [device] domain system [device-isp-system] accounting command hwtacacs-scheme tac [device-isp-system] quit.

  • Page 2320: Logging In Through NMS

    6-1 6 Logging In Through NMS. When logging in through an NMS, go to these sections for information you are interested in: Introduction; Connection establishment using NMS. Introduction: you can also log in to a switch through an NMS (network management station), and then configure and manage the switch...

  • Page 2321

    7-1 7 Specifying Source for Telnet Packets. When specifying a source IP address/interface for Telnet packets, go to these sections for information you are interested in: Introduction; Specifying source IP address/interface for Telnet packets; Displaying the source IP address/interface specified for...

  • Page 2323: Controlling Login Users

    8-1 8 Controlling Login Users. When controlling login users, go to these sections for information you are interested in: Introduction; Controlling Telnet users; Controlling network management users by source IP addresses. Introduction: multiple ways are available for controlling different types of ...

  • Page 2325

    8-3 Controlling Telnet users by source MAC addresses. This configuration is implemented with a Layer 2 ACL; Layer 2 ACLs are numbered 4000 to 4999. For the definition of ACL, refer to ACL Configuration in the Security volume. Follow these steps to control Telnet users by source MAC addresses: To...

  • Page 2326

    8-4 Network diagram. Figure 8-1 Network diagram for controlling Telnet users using ACLs (Switch 10.110.100.46, Host A, IP network, Host B 10.110.100.52). Configuration procedure # Define a basic ACL. system-view [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.1...

  • Page 2328

    8-6 Network diagram. Figure 8-2 Network diagram for controlling SNMP users using ACLs (Switch 10.110.100.46, Host A, IP network, Host B 10.110.100.52). Configuration procedure # Define a basic ACL. system-view [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.110...

  • Page 2329: Table of Contents

    I Table of Contents: 1 Basic Configurations 1-1; Configuration display ...

  • Page 2330: Basic Configurations

    1-1 1 Basic Configurations. While performing basic configurations of the system, go to these sections for information you are interested in: Configuration display; Basic configurations; CLI features. Configuration display: to avoid duplicate configuration, you can use the display commands to view t...

  • Page 2331

    1-2 Configuring the device name; configuring the system clock; enabling/disabling the display of copyright information; configuring a banner; configuring CLI hotkeys; configuring command aliases; configuring user privilege levels and command levels; displaying and maintaining basic configur...

  • Page 2332

    1-3 Configuring the device name. The device name identifies a device in a network. Inside the system, the device name corresponds to the CLI prompt. For example, if the device name is sysname, the prompt of user view is . Follow these steps to configure the device name: To do… / Use the...

  • Page 2333

    1-4 z [1] indicates the clock datetime command is an optional configuration. Z the default system clock is 2005/1/1 1:00:00 in the example. Table 1-1 relationship between the configuration and display of the system clock configuration system clock displayed by the display clock command example 1 dat...

  • Page 2334

    1-5 configuration system clock displayed by the display clock command example if date-time is not in the daylight saving time range, date-time is displayed. Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:00 2008/1/1 display: 01:00:00 utc tue 01/01/2008 con...

  • Page 2335

    1-6 configuration system clock displayed by the display clock command example if date-time is not in the daylight saving time range, date-time is displayed. Configure: clock timezone zone-time add 1, clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2 and clock datetime 1:30 2008/1/1 display:...

  • Page 2336

    1-7 configuring a banner introduction to banners banners are prompt information displayed by the system when users are connected to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. At present, the system support...

  • Page 2337

    1-8 to do… use the command… remarks configure the authorization information before login header legal text optional configure the banner to be displayed when a user enters user view (non modem login users) header shell text optional configure the banner to be displayed before login header motd text ...

  • Page 2338

    1-9 hotkey function ctrl+n displays the next command in the history command buffer. Ctrl+p displays the previous command in the history command buffer. Ctrl+r redisplays the current line information. Ctrl+v pastes the content in the clipboard. Ctrl+w deletes all the characters in a continuous string...

  • Page 2339

    1-10 when you input a character string that matches multiple aliases partially, the system prompts you for various matched information. Z if you press tab after you input the keyword of an alias, the original format of the keyword will be displayed. Z you can replace only the first keyword of a non-...

  • Page 2340

    1-11 level privilege description 3 manage influences the basic operation of the system and the system support modules for service support. By default, commands at this level involve file system, ftp, tftp, xmodem command download, user management, level setting, as well as parameter setting within a...

  • Page 2341

    1-12 z for the description of user interface, refer to login configuration in the system volume; for the description of the user-interface, authentication-mode and user privilege level commands, refer to login commands in the system volume. Z for the introduction to aaa authentication, refer to aaa ...

  • Page 2342

    1-13 to do… use the command… remarks configure the authentication mode when a user uses the current user interface to log in to the device authentication-mode scheme optional by default, the authentication mode for vty user interfaces is password, and aux user interfaces do not need authentication. ...

  • Page 2343

    1-14 ping ping function quit exit from current command view ssh2 establish a secure shell client connection super set the current user priority level telnet establish one telnet connection tracert trace route function after you set the user privilege level under the user interface, users can log in ...

  • Page 2344

    1-15 a user can switch to a privilege level equal to or lower than the current one unconditionally and is not required to input the password (if any). A user is required to input the password (if any) to switch to a higher privilege level for security sake. The authentication falls into one of the f...

  • Page 2346

    1-17 z if you switch the user privilege level without providing the level argument, the user privilege level will be switched to level 3. Z when the user logs in to the switch through the console port (aux user interface), if local authentication mode is applied for user privilege level switch, but ...

  • Page 2347

    1-18 to do… use the command… remarks display the valid configuration under current view display this [ by-linenum ] display clipboard information display clipboard display and save statistics the running status of multiple modules display diagnostic-information during daily maintenance or when the s...

  • Page 2348

    1-19 z hierarchical command protection where you can only execute the commands at your own or lower levels. Refer to configuring command aliases for details. Z easy access to on-line help by entering “?” z abundant debugging information for fault diagnosis z saving and executing commands that have b...

  • Page 2349

    1-20 vlan interface number [sysname] interface vlan-interface 1 ? [sysname] interface vlan-interface 1 where, indicates that there is no parameter at this position. The command is then repeated in the next command line and executed if you press enter. 4) enter a character string followed by a ?. All...

  • Page 2350

    1-21 table 1-4 edit functions key function common keys if the editing buffer is not full, insert the character at the position of the cursor and move the cursor to the right. Backspace deletes the character to the left of the cursor and move the cursor back one character. Left-arrow key or ctrl+b th...

  • Page 2351

    1-22 z include: displays only the lines that match the regular expression. A regular expression is a case sensitive string of 1 to 256 characters. It also supports special characters as shown in table 1-5 . Table 1-5 special characters in a regular expression character meaning remarks ^string starti...

  • Page 2352

    1-23 character meaning remarks \index repeats a specified character group for once. A character group refers to the string in () before \. Index refers to the sequence number (starting from 1 from left to right) of the character group before \: if only one character group appears before \, then inde...

  • Page 2353

    1-24 commands in the system volume.) you can follow the step below to disable the multiple-screen output function of the current user. To do… use the command… remarks disable the multiple-screen output function of the current user screen-length disable required by default, a login user uses the sett...

  • Page 2354

    1-25 z if you execute the same command repeatedly, the device saves only the earliest command. However, if you execute the same command in different formats, the system considers them as different commands. For example, if you execute the display cu command repeatedly, the system saves only one comm...

  • Page 2355: Table of Contents

    i table of contents 1 device management 1-1 device management overview ...

  • Page 2356: Device Management

    1-1 1 device management the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; if the s7900...

  • Page 2357

    1-2 device management configuration task list complete these tasks to configure device management: task remarks configuring the exception handling method optional rebooting a device optional configuring the scheduled automatic execution function optional upgrading device software optional configurin...

  • Page 2358

    1-3 z after this command is configured, both the active srpu and the standby srpu adopt the same method to handle exceptions. The system adopts the reboot method to handle exceptions happened on an interface card or the auxiliary cpu system, that is, the system reboots the failed card. Z the excepti...

  • Page 2359

    1-4 z distributed device follow the step below to reboot a device immediately: to do… use the command… remarks reboot a card or the whole system immediately reboot [ slot slot-number ] required available in user view. Follow these steps to enable the scheduled reboot function: to do… use the command...

  • Page 2360

    1-5 z device reboot may result in the interruption of the ongoing services. Use these commands with caution. Z before device reboot, use the save command to save the current configurations. For details about the save command, refer to file system configuration in the system volume. Z before device r...

  • Page 2361

    1-6 configure the system to automatically execute a batch file at the specified time (note that you must provide a complete file path for the system to execute the batch file.). Z the system does not check the values of the view and command arguments. Therefore, ensure the correctness of the command...

  • Page 2362

    1-7 figure 1-1 relationship between the boot rom program and the system boot file (flowchart) the boot rom program and system boot...

  • Page 2365

    1-10 clearing the 16-bit interface indexes not used in the current system in practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface ind...

  • Page 2366

    1-11 to do… use the command… remarks enter system view system-view — enable the system load sharing function loadsharing enable optional disabled by default. Z load sharing is applicable to unicast traffic only. Z the s7902e switches are designed to work in the load sharing mode, and do not support ...

  • Page 2367

    1-12 to do… use the command… remarks enable active/standby mode for service ports on srpus strict-standby enable optional disabled by default. Z before enabling the active/standby mode for service ports on srpus, you need to perform cross-card port redundancy configurations, such as cross-card port ...

  • Page 2368

    1-13 srpu model supported traffic forwarding mode feature recommended application environment standard forwarding mode with the route extension function z supporting qinq z powerful layer 3 forwarding functions z providing a 32k mac address table and a 128k routing table networks having high require...

  • Page 2369

    1-14 configuring the working mode of lpus introduction to the working mode of lpus the s7900e series ethernet switches support multiple types of lpus, each of which provides different mac address table and routing table. If you need to extend the mac address table or the routing table, you can purch...

  • Page 2372

    1-17 to do… use the command… remarks enable expansion memory data recovery function on a card (distributed device) mmu-monitor enable slot slot-number optional enabled by default. Enable expansion memory data recovery function on a card (distributed irf device) mmu-monitor enable chassis chassis-num...

  • Page 2373

    1-18 to do… use the command… remarks display key parameters of the pluggable transceiver(s) display transceiver interface [ interface-type interface-number ] available for all pluggable transceivers. Display part of the electrical label information of the anti-spoofing transceiver(s) customized by h...

  • Page 2374

    1-19 to do… use the command… remarks display history statistics of the cpu usage in a chart display cpu-usage history [ task task-id ][ slot slot-number [ cpu cpu-number ] ] available in any view display information about a card, subcard, cf card on the device display device [ cf-card ] [ [ shelf sh...

  • Page 2375

    1-20 to do… use the command… remarks display history statistics of the cpu usage in a chart display cpu-usage history [ task task-id ][ chassis chassis-number slot slot-number ] available in any view display information about a card, subcard, cf card on the device display device [ cf-card ] [ [ shel...

  • Page 2376

    1-21 figure 1-2 network diagram for remote upgrade configuration procedure z configuration on the ftp server (note that configurations may vary with different types of servers) # enable the ftp server. System-view [ftp-server] ftp server enable # set the ftp username to aaa and password to hello. [f...

  • Page 2377

    1-22 user(2.2.2.2:(none)):aaa 331 give me your password, please password: 230 logged in successfully [ftp] # download the soft-version2.app programs on the ftp server to the flash of device. [ftp] binary 200 type set to i. [ftp] get soft-version2.app [ftp] bye # upgrade the boot rom file of the acti...

  • Page 2378

    1-23 figure 1-3 network diagram for remote upgrade configuration procedure 1) configuration on the tftp server (note that configurations may vary with different types of servers) obtain the boot file and configuration file through legitimate channels, such as the official website of 3com, agents, an...

  • Page 2379

    1-24 tftp 2.2.2.2 get soft-version2.app chassis1#slot1#flash:/soft-version2.app tftp 2.2.2.2 get soft-version2.app chassis2#slot0#flash:/soft-version2.app tftp 2.2.2.2 get soft-version2.app chassis2#slot1#flash:/soft-version2.app # specify file new-config.cfg as the boot file for the next boot of al...

  • Page 2380: Table of Contents

    i table of contents 1 file system management 1-1 file system ...

  • Page 2381

    ii specifying a startup configuration file for the next system startup 2-9 backing up the startup configuration file 2-10 deleting the startup configuration...

  • Page 2382: File System Management

    1-1 1 file system management the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; if the ...

  • Page 2383

    1-2 format description length example file-name specifies a file under the current working directory. 1 to 91 characters a.cfg indicates a file named a.cfg under the current working directory. If the current working directory is on the amb, a.cfg represents file a.cfg on the amb; if the current work...

  • Page 2384

    1-3 format description length example drive:/[path]/file-name specifies a file in the specified storage medium on the device. Drive represents the storage medium name. The storage medium on the amb of the master is usually flash or cf; the storage medium on a slave is usually chassisx#sloty#flash o...

  • Page 2385

    1-4 creating a directory to do… use the command… remarks create a directory mkdir directory required available in user view removing a directory to do… use the command… remarks remove a directory rmdir directory required available in user view z the directory to be removed must be empty, meaning tha...

  • Page 2386

    1-5 displaying the contents of a file to do… use the command… remarks display the contents of a file more file-url required currently only a .Txt file can be displayed. Available in user view renaming a file to do… use the command… remarks rename a file rename fileurl-source fileurl-dest required av...

  • Page 2387

    1-6 z the files in the recycle bin still occupy storage space. To delete a file in the recycle bin, you need to execute the reset recycle-bin command in the directory that the file originally belongs. It is recommended to empty the recycle bin timely with the reset recycle-bin command to save storag...

  • Page 2388

    1-7 to do… use the command… remarks execute a batch file execute filename required execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, the system will ...

  • Page 2389

    1-8 when a device is unmounted, it is in a logically disconnected state, and you can then remove the storage medium from the system safely. To mount a storage medium, you are to reconnect the logically disconnected storage medium to the system. Follow the steps below to mount/unmount a storage mediu...

  • Page 2390

    1-9 0 drw- - feb 16 2006 11:45:36 logfile 1 -rw- 1218 feb 16 2006 11:46:19 config.cfg 2 drw- - feb 16 2006 15:20:27 test 3 -rw- 184108 feb 16 2006 15:30:20 aaa.app 64389 kb total (2521 kb free) # create a new folder called mytest under the test directory. cd test mkdir mytest %created dir flash:/tes...

  • Page 2391

    2-1 2 configuration file management the device provides the configuration file management function with a user-friendly command line interface (cli) for you to manage the configuration files conveniently. This section covers these topics: z configuration file overview z saving the current configurat...

  • Page 2392

    2-2 device moves between these networking environments, you just need to specify the corresponding configuration file as the startup configuration file for the next boot of the device and restart the device, so that the device can adapt to the network rapidly, saving the configuration workload. Star...

  • Page 2393

    2-3 to do… use the command… remarks enable configuration file auto-save slave auto-update config optional enabled by default. If you execute the save filename command and press enter, the system saves the current configuration to the specified path, but the smb does not save the configuration. Modes...

  • Page 2395

    2-5 1) specify the filename prefix and path for saving the current configuration. 2) save the current running configuration with the specified filename (filename prefix + serial number) to the specified path. The current running configuration can be saved in two ways: the system saves the current ru...

  • Page 2396

    2-6 configuring parameters for saving the current running configuration before the current running configuration is saved manually or automatically, the file path and filename prefix must be configured. After that, the system saves the current running configuration with the specified filename (filen...

  • Page 2397

    2-7 z the saving and rollback operations are executed only on the amb. To make the configuration rollback take effect on the new amb after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file on both ...

  • Page 2398

    2-8 the path and filename prefix of a saved configuration file must be specified before you configure the automatic saving period. Saving the current running configuration manually automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects sy...

  • Page 2399

    2-9 do not unplug and plug a card during configuration rollback (that is, the system is executing the configuration replace file command). In addition, configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it and processes...

  • Page 2400

    2-10 a configuration file must use .cfg as its extension name and the startup configuration file must be saved under the root directory of the storage medium. Backing up the startup configuration file the backup function allows you to copy the startup configuration file to be used at the next system...

  • Page 2401

    2-11 z this command will permanently delete the configuration files from the amb and smb. Use it with caution. (distributed device) z this command will permanently delete the configuration files from all the main boards of a irf. Use it with caution. (distributed irf device) restoring the startup co...

  • Page 2403: Table of Contents

    i table of contents 1 snmp configuration 1-1 snmp overview ...

  • Page 2404: Snmp Configuration

    1-1 1 snmp configuration when configuring snmp, go to these sections for information you are interested in: z snmp overview z snmp configuration z configuring snmp logging z configuring snmp trap z displaying and maintaining snmp z snmpv1/snmpv2c configuration example z snmpv3 configuration example ...

  • Page 2405

    1-2 z inform operation: the nms sends traps to other nmss through this operation. Snmp protocol version currently, snmp agents support snmpv3 and are compatible with snmpv1 and snmpv2c. Z snmpv1 uses community names for authentication, which defines the relationship between an snmp nms and an snmp a...

  • Page 2406

    1-3 figure 1-2 mib tree snmp configuration as configurations for snmpv3 differ substantially from those for snmpv1 and snmpv2c, their snmp functionalities are introduced separately as follows. Follow these steps to configure snmpv3: to do… use the command… remarks enter system ...

  • Page 2408

    1-5 to do… use the command… remarks configure the maximum size of an snmp packet that can be received or sent by an snmp agent snmp-agent packet max-size byte-count optional 1,500 bytes by default. The validity of a usm user depends on the engine id of the snmp agent. If the engine id generated when...

  • Page 2409

    1-6 z a large number of logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable snmp logging. Z the size of snmp logs cannot exceed that allowed by the information center, and the total length of the node field and value field of...

  • Page 2413

    1-10 # configure the ip address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the nms. (the configuration procedure is omitted here) # configure the snmp basic information, including the version and community name. system-view [sysname] snmp-agent sys-info vers...

  • Page 2414

    1-11 figure 1-4 network diagram for snmpv3 configuration procedure 1) configuring the agent # configure the ip address of the agent as 1.1.1.1/24 and make sure that there is a route between the agent and the nms. (the configuration procedure is omitted here) # configure the access right: the user ca...

  • Page 2415

    1-12 z execute the shutdown or undo shutdown command to an idle interface on the agent, and the nms receives the corresponding trap. Snmp logging configuration example network requirements z as shown in figure 1-5 , the nms and the agent are connected through an ethernet. Z the ip address of the nms...

  • Page 2416

    1-13 seqno = srcip = op = node = value= z the following log information is displayed on the terminal when the nms performs the set operation to the agent. %jan 1 02:59:42:576 2006 sysname snmp/6/set: seqno = srcip = op = errorindex = errorstatus = node = value = table 1-1 description on the output f...

  • Page 2417: Table of Contents

    i table of contents 1 rmon configuration 1-1 rmon overview ...

  • Page 2418: Rmon Configuration

    1-1 1 rmon configuration when configuring rmon, go to these sections for information you are interested in: z rmon overview z configuring the rmon statistics function z configuring the rmon alarm function z displaying and maintaining rmon z ethernet statistics group configuration example z history g...

  • Page 2419

    1-2 working mechanism rmon allows multiple monitors (management devices). A monitor provides two ways of data gathering: z using rmon probes. Management devices can obtain management information from rmon probes directly and control network resources. In this approach, management devices can obtain ...

  • Page 2420

    1-3 z trap: sending a trap to notify the occurrence of this event to the network management station (nms). Z log-trap: logging event information in the event log table and sending a trap to the nms. Z none: no action alarm group the rmon alarm group monitors specified alarm variables, such as total ...

  • Page 2421

    1-4 z a statistics object of the history group is the variable defined in the history record table, and the recorded content is a cumulative sum of the variable in each period. For detailed configuration, refer to configuring the rmon history statistics function . Configuring the rmon ethernet stati...

  • Page 2422

    1-5 configuring the rmon alarm function configuration prerequisites z if you need to configure that the managed devices send traps to the nms when it triggers an alarm event, you should configure the snmp agent as described in snmp configuration in the system volume before configuring the rmon alarm...

  • Page 2423

    1-6 table 1-1 restrictions on the configuration of rmon entry parameters to be compared maximum number of entries that can be created event event description (description string), event type (log, trap, logtrap or none) and community name (trap-community or log-trapcommunity) 60 alarm alarm variable...

  • Page 2424

    1-7 figure 1-1 network diagram for rmon configuration procedure # configure rmon to gather statistics for interface gigabitethernet 2/0/1. system-view [sysname] interface gigabitethernet 2/0/1 [sysname-gigabitethernet2/0/1] rmon statistics 1 owner user1 after the above configuration, the system gath...

  • Page 2425

    1-8 figure 1-2 network diagram for rmon configuration procedure # configure rmon to gather statistics for interface gigabitethernet 2/0/1 periodically. system-view [sysname] interface gigabitethernet 2/0/1 [sysname-gigabitethernet2/0/1] rmon history 1 buckets 8 interval 60 owner user1 after the abov...

  • Page 2426

    1-9 packets : 8 , broadcast packets : 0 multicast packets : 7 , crc alignment errors : 0 undersize packets : 0 , oversize packets : 0 fragments : 0 , jabbers : 0 collisions : 0 , utilization : 0 sampled values of record 5 : dropevents : 0 , octets : 898 packets : 9 , broadcast packets : 2 multicast ...

  • Page 2427

    1-10 z execute the display rmon statistics command on agent to display the statistics result, and query the statistics on the nms. Figure 1-3 network diagram for rmon configuration procedure # configure the snmp agent. (note that parameter values configured on the agent must be the same with the fol...

  • Page 2428

    1-11 display rmon statistics gigabitethernet 2/0/1 etherstatsentry 1 owned by user1-rmon is valid. Interface : gigabitethernet2/0/1 etherstatsoctets : 57329 , etherstatspkts : 455 etherstatsbroadcastpkts : 53 , etherstatsmulticastpkts : 353 etherstatsundersizepkts : 0 , etherstatsoversizepkts : 0 et...

  • Page 2429

    1-12 [sysname] snmp-agent trap enable [sysname] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname v3user v3 # configure rmon to gather statistics on interface gigabitethernet 2/0/1. [sysname] interface gigabitethernet 2/0/1 [sysname-gigabitethernet2/0/1] rmon statistics 1 ow...

  • Page 2430: Table of Contents

    i table of contents 1 mac address table configuration 1-1 overview ...

  • Page 2431

    1-1 1 mac address table configuration when configuring mac address tables, go to these sections for information you are interested in: z overview z configuring a mac address table z displaying and maintaining mac address table z mac address table configuration example z currently, interfaces involve...

  • Page 2432

    1-2 when receiving a frame destined for mac-source, the device looks up the mac address table and forwards it from port a. To adapt to network changes, mac address table entries need to be constantly updated. Each dynamically learned mac address table entry has a life time, that is, an aging timer. ...

  • Page 2433

    1-3 figure 1-1 forward frames using the mac address table configuring a mac address table the mac address table configuration tasks include: z configuring mac address table entries z disabling mac address learning z configuring the aging timer for dynamic mac address entries z configuring the mac le...

  • Page 2434

    1-4 when using the mac-address command to add a mac address entry, the interface specified by the interface keyword must belong to the vlan specified by the vlan keyword, and the vlan must already exist. Otherwise, you will fail to add this mac address entry. Follow these steps to add, modify, or re...

  • Page 2435

    1-5 to do… use the command… remarks disable global mac address learning mac-address mac-learning disable required enabled by default. When global mac address learning is disabled, the learned mac addresses remain valid until they age out. Disabling mac address learning on ports after enabling global...

  • Page 2436

    1-6 disabling mac address learning on a vlan you may disable mac address learning on a per-vlan basis. Follow these steps to disable mac address learning on a vlan: to do… use the command… remarks enter system view system-view — enable global mac address learning undo mac-address mac-learning disabl...

  • Page 2437

    1-7 z the mac address aging timer takes effect globally on dynamic mac address entries (learned or administratively configured) only. Z in a stable network, when there has been no traffic activity for a long time, all the dynamic entries in the mac address table maintained by the device will be dele...

  • Page 2438

    1-8 to do… use the command… remarks display the system or interface mac address learning state display mac-address mac-learning [ interface-type interface-number ] display mac address statistics display mac-address statistics mac address table configuration example network requirements z the mac add...

  • Page 2439

    2-1 2 mac information configuration when configuring mac information, go to these sections for information you are interested in: z overview z configuring mac information z mac information configuration example overview introduction to mac information to monitor a network, you need to monitor users ...

  • Page 2440

    2-2 enabling mac information on an interface follow these steps to enable mac information on an interface: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — enable mac information on the interface mac-address information ...

  • Page 2441

    2-3 to do… use the command… remarks enter system view system-view — configure the mac information queue length mac-address information queue-length value optional 50 by default mac information configuration example mac information configuration example network requirements z host a is connected to a...

  • Page 2442

    2-4 # set the interval for sending syslog or trap messages to 20 seconds. [device] mac-address information interval 20

  • Page 2443: Table of Contents

    I table of contents 1 system maintaining and debugging 1-1 system maintaining and debugging 1-...

  • Page 2444

    1-1 1 system maintaining and debugging when maintaining and debugging the system, go to these sections for information you are interested in: z system maintaining and debugging z ping z tracert z system debugging z ping and tracert configuration example system maintaining and debugging you can use t...

  • Page 2445

    1-2 z for a low-speed network, you are recommended to set a larger value for the timeout timer (indicated by the -t parameter in the command) when configuring the ping command. Z only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument z f...

  • Page 2446

    1-3 ping -r 1.1.2.2 ping 1.1.2.2: 56 data bytes, press ctrl_c to break reply from 1.1.2.2: bytes=56 sequence=1 ttl=254 time=53 ms record route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 reply from 1.1.2.2: bytes=56 sequence=2 ttl=254 time=1 ms record route: 1.1.2.1 1.1.2.2 1.1.1.2 1.1.1.1 reply from 1.1.2.2: ...

  • Page 2447

    1-4 5) upon receiving the reply, the source device adds the ip address (1.1.1.1) of its inbound interface to the rr option. Finally, you can get the detailed information of routes from device a to device c: 1.1.1.1 {1.1.1.2; 1.1.2.1} 1.1.2.2. Tracert introduction by using the tracert command, you ca...

  • Page 2449

    1-6 figure 1-3 the relationship between the protocol and screen debugging switch configuring system debugging output of the debugging information may reduce system efficiency. The debugging commands are usually used by administrators in diagnosing network failure. After completing the debugging, dis...

  • Page 2450

    1-7 you must configure the debugging, terminal debugging and terminal monitor commands first to display the detailed debugging information on the terminal. For the detailed description on the terminal debugging and terminal monitor commands, refer to information center commands in the system volume....

  • Page 2451

    1-8 4 * * * 5 the above output shows that no available route exists between device a and device c; an available route exists between device a and device b; an error occurred on the connection between device b and device c. In this case, you can use the debugging ip icmp command to enable icmp debug...

  • Page 2452: Table of Contents

    I table of contents 1 information center configuration 1-1 information center overview ...

  • Page 2453

    1-1 1 information center configuration when configuring information center, go to these sections for information you are interested in: z information center configuration z configuring information center z displaying and maintaining information center z information center configuration examples info...

  • Page 2454

    1-2 figure 1-1 information center diagram (default) by default, the information center is enabled. An enabled information center affects the system performance to some degree due to information classification and output. Such impact becomes more obvious in the event that there is enormous informatio...

  • Page 2455

    1-3 table 1-1 severity description severity severity value description emergency 0 the system is unusable. Alert 1 action must be taken immediately critical 2 critical conditions error 3 error conditions warning 4 warning conditions notice 5 normal but significant condition informational 6 informati...

  • Page 2456

    1-4 information channel number default channel name default output destination description 8 channel8 not specified receives log, trap, and debugging information. 9 channel9 log file receives log, trap, and debugging information. Configurations for the seven output destinations function independentl...

  • Page 2457

    1-5 log trap debug output destination modules allowed enabled/disabled severity enabled/disabled severity enabled/disabled severity log host default (all modules) enabled informational enabled debug disabled debug trap buffer default (all modules) disabled informational enabled warning disable...

  • Page 2458

    1-6 int_16 (priority) the priority is calculated using the following formula: facility*8+severity, in which facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges from local0 to local7 (16 to 23 in decimal integers) and defaults ...

  • Page 2459

    1-7 z if the timestamp starts with a *, the information is debugging information source this field indicates the source of the information, such as the slot number of a board, irf member id, irf member id and slot number, or the source ip address of the log sender. This field is optional and is disp...

  • Page 2465

    1-13 saving system information to a log file with the log file feature enabled, the log information generated by system can be saved to a specified directory with a predefined frequency. This allows you to check the operation history at any time to ensure that the device functions properly. Logs are...

  • Page 2466

    1-14 system will display a command line prompt (a prompt in command editing mode, or a [y/n] string in interaction mode) and your input so far. This command is used in the case that your input is interrupted by a large amount of system output. With this feature enabled, you can continue your operati...

  • Page 2467

    1-15 with this feature applied to a port, when the state of the port changes, the system does not generate port link up/down logging information. In this case, you cannot monitor the port state changes conveniently. Therefore, it is recommended to use the default configuration in normal cases. Displ...

  • Page 2468

    1-16 information center configuration examples outputting log information to a unix log host network requirements z send log information to a unix log host with an ip address of 1.2.0.1/16; z log information with severity higher than informational will be output to the log host; z the source modules...

  • Page 2469

    1-17 step 2: create a subdirectory named device under directory /var/log/, and create file info.log under the device directory to save logs of device. # mkdir /var/log/device # touch /var/log/device/info.log step 3: edit file /etc/syslog.conf and add the following contents. # device configuration me...

  • Page 2470

    1-18 1) configure the device # enable information center. system-view [sysname] info-center enable # specify the host with ip address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local5 as the logging facility. [sysname] info-cente...

  • Page 2471

    1-19 in the above configuration, local5 is the name of the logging facility used by the log host to receive logs. info is the information level. The linux system will record the log information with severity level equal to or higher than informational to file /var/log/device/info.log. Be aware of th...

  • Page 2472

    1-20 [sysname] info-center enable # use channel console to output log information to the console (optional, console by default). [sysname] info-center console channel console # disable the output of log, trap, and debugging information of all modules on channel console. [sysname] info-center source ...

  • Page 2473: Table of Contents

    I table of contents 1 poe configuration 1-1 poe overview ...

  • Page 2474: Poe Configuration

    1-1 1 poe configuration the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series can be connected together to form a distributed irf device. If an s7900e series is not in any irf, it operates as a distributed device; if the s7900...

  • Page 2475

    1-2 1) poe power: the whole poe system is powered by the poe power. 2) pse: a pse is a device supplying power for pds. A pse can be built-in (endpoint) or external (midspan). A built-in pse is integrated in a switch, and an external pse is independent from a switch or router. The pses of 3com are bu...

  • Page 2476

    1-3 poe configuration task list you can configure a poe interface in either of the following two ways: z through command lines. Z through configuring the poe profile and applying the poe profile to the poe interface. When configuring a single poe interface, you can use command lines; when you config...

  • Page 2477

    1-4 z before configuring poe, make sure that the poe power supply and the pse are operating normally; otherwise, you cannot configure poe or the configured poe function does not take effect. Z turning off the poe power supply during the startup of the device might cause the poe configuration in the startup...

  • Page 2478

    1-5 interface is enabled with the poe power management function (for the detailed description of the poe power management function, refer to configuring poe power management ). Z if the poe interface is not enabled with the poe power management function, you are not allowed to enable poe for the poe...

  • Page 2479

    1-6 detecting pds enabling the pse to detect nonstandard pds there are standard pds and nonstandard pds. Usually, the pse can detect only standard pds and supply power to them. The pse can detect nonstandard pds and supply power to them only after the pse is enabled to detect nonstandard pds. Follow...

  • Page 2480

    1-7 to do… use the command… remarks configure the maximum poe power (distributed irf device) poe power chassis chassis-number max-value max-power optional the default maximum poe power is 6720. Configuring the maximum pse power the maximum pse power is the sum of power that the pds connected to the ...

  • Page 2481

    1-8 configuring pse power management where the maximum poe power may be lower than the sum of the maximum power required by all pses, pse power management is applied to decide whether to allow pse to enable poe, whether to supply power to a specific pse and the power allocation method. Where the max...

  • Page 2482

    1-9 all pses implement the same poe interface power management policies. When a pse supplies power to a pd, z if the poe interface power management is not enabled, no power will be supplied to a new pd if the pse power is overloaded. Z if the poe interface power management priority policy is enabled...

  • Page 2484

    1-11 to do… use the command… remarks configure a dc output over-voltage threshold for the poe power supply (distributed irf device) poe-power output-threshold chassis chassis-number upper value optional the default dc output over-voltage threshold is 55.00. The under-voltage threshold should be less...

  • Page 2485

    1-12 to do… use the command… remarks enter system view system-view — create a poe profile, and enter poe profile view poe-profile profile-name [ index ] required enable poe for the poe interface poe enable required disabled by default. Configure the maximum power for the poe interface poe max-power ...

  • Page 2487

    1-14 displaying and maintaining poe to do… use the command… remarks display the mapping between id, module, and slot of all pses display poe device display the mapping between id, module, and slot of all pses (distributed irf device) display poe device [ chassis chassis-number ] display the power su...

  • Page 2488

    1-15 to do… use the command… remarks display the state information of the poe power supply display poe-power status display the state information of the poe power supply (distributed irf device) display poe-power status [ chassis chassis-number ] display the information of the monitoring module of t...

  • Page 2489

    1-16 figure 1-2 network diagram for poe ge3/0/1 ge3/0/2 ge5/0/1 ge5/0/2 configuration procedure # enable poe for the pse. system-view [sysname] poe enable pse 4 [sysname] poe enable pse 6 # set the maximum power of pse 4 to 400 watts. [sysname] poe max-power 400 pse 4 # enable poe on gigabitethernet...

  • Page 2490

    1-17 z the guaranteed remaining power of the pse is lower than the maximum power of the poe interface. Z the priority of the poe interface is already set. Solution: z in the first case, you can solve the problem by increasing the maximum pse power, or by reducing the maximum power of the poe interfa...

  • Page 2491: Table of Contents

    I table of contents 1 nqa configuration 1-1 nqa overview ...

  • Page 2492: Nqa Configuration

    1-1 1 nqa configuration when configuring nqa, go to these sections for information you are interested in: z nqa overview z nqa configuration task list z configuring the nqa server z enabling the nqa client z creating an nqa test group z configuring an nqa test group z configuring the collaboration f...

  • Page 2493

    1-2 supporting the collaboration function collaboration is implemented by establishing collaboration entries to monitor the detection results of the current test group. If the number of consecutive probe failures reaches a certain limit, nqa’s collaboration with other modules is triggered. The imple...

  • Page 2494

    1-3 basic concepts of nqa test group before performing an nqa test, you need to create an nqa test group, and configure nqa test parameters such as test type, destination address and destination port. Each test group has an administrator name and operation tag, which can uniquely define a test group...

  • Page 2495

    1-4 nqa test operation an nqa test operation is as follows: 1) the nqa client constructs packets with the specified type, and sends them to the peer device; 2) upon receiving the packet, the peer device replies with a response with a timestamp. 3) the nqa client computes the packet loss rate and rtt...

  • Page 2496

    1-5 task remarks configuring optional parameters common to an nqa test group optional scheduling an nqa test group required configuring the nqa server before performing tcp, udp echo, udp jitter or voice tests, you need to configure the nqa server on the peer device. The nqa server makes a response ...

  • Page 2497

    1-6 if you execute the nqa entry command to enter the test group view with test type configured, you will enter the test type view of the test group directly. Configuring an nqa test group configuring an icmp echo test an icmp echo test is used to test reachability of the destination host according ...

  • Page 2498

    1-7 to do… use the command… remarks configure the source ip address of a probe request source ip ip-address optional by default, no source ip address is specified. If no source ip address is specified, but the source interface is specified, the ip address of the source interface is taken as the sour...

  • Page 2499

    1-8 z as dhcp test is a process to simulate address allocation in dhcp, the ip address of the interface performing the dhcp test will not be changed. Z after the dhcp test is completed, the nqa client will send a dhcp-release packet to release the obtained ip address. Configuring a dns test a dns te...

  • Page 2500

    1-9 configuring an ftp test an ftp test is mainly used to test the connection between the nqa client and a specified ftp server and the time necessary for the ftp client to transfer a file to or download a file from the ftp server. Configuration prerequisites before an ftp test, you need to perform ...

  • Page 2501

    1-10 z when you execute the put command, a file file-name with fixed size and content is created on the ftp server; when you execute the get command, the device does not save the files obtained from the ftp server. Z when you execute the get command, the ftp test cannot succeed if a file named file-...

  • Page 2503

    1-12 configuring a udp jitter test follow these steps to configure a udp jitter test: to do… use the command… remarks enter system view system-view — enter nqa test group view nqa entry admin-name operation-tag — configure the test type as udp jitter and enter test type view type udp-jitter required...

  • Page 2504

    1-13 to do… use the command… remarks configure common optional parameters refer to configuring optional parameters common to an nqa test group optional the number of probes made in a udp jitter test depends on the probe count command, while the number of probe packets sent in each probe depends on t...

  • Page 2505

    1-14 configuring a tcp test a tcp test is used to test the tcp connection between the client and the specified port on the nqa server and the setup time for the connection, and thus to judge the availability and performance of the services provided on the specified port on the server. Configuration prerequ...

  • Page 2506

    1-15 configuring a udp echo test a udp echo test is used to test the connectivity and roundtrip time of a udp echo packet from the client to the specified udp port on the nqa server. Configuration prerequisites a udp echo test requires cooperation between the nqa server and the nqa client. The udp l...

  • Page 2507

    1-16 to do… use the command… remarks configure the source ip address of a probe request in a test operation source ip ip-address optional by default, no source ip address is specified. The source ip address must be that of an interface on the device and the interface must be up. Otherwise, the test ...

  • Page 2508

    1-17 configuration prerequisites a voice test requires cooperation between the nqa server and the nqa client. Before a voice test, make sure that the udp listening function is configured on the nqa server. For the configuration of udp listening function, refer to configuring the nqa server . Configu...

  • Page 2509

    1-18 to do… use the command… remarks configure the size of a probe packet to be sent data-size size optional by default, the probe packet size depends on the codec type. The default packet size is 172 bytes for the g.711 a-law and g.711 µ-law codec types, and is 32 bytes for the g.729 a-law codec type. Configur...

  • Page 2510

    1-19 to do… use the command… remarks configure the destination address for a test operation destination ip ip-address required by default, no destination ip address is configured for a test operation. Configure the source ip address of a probe request in a test operation source ip ip-address optiona...

  • Page 2511

    1-20 configuring trap delivery traps can be sent to the network management server when a test is completed, a test fails, or a probe fails. Configuration prerequisites before configuring trap delivery, you need to configure the destination address of the trap message with the snmp-agent target-host command...

  • Page 2513

    1-22 to do… use the command… remarks set the lifetime of the history records in an nqa test group history-record keep-time keep-time optional by default, the history records in the nqa test group are kept for 120 minutes. Configure the maximum number of history records that can be saved in a test gr...

  • Page 2514

    1-23 to do… use the command… remarks configure the nqa probe timeout time probe timeout timeout optional by default, the timeout time is 3000 milliseconds. This parameter is not available for a udp jitter test. Configure the maximum number of hops a probe packet traverses in the network ttl value op...

  • Page 2515

    1-24 to do… use the command… remarks configure the maximum number of the tests that the nqa client can simultaneously perform nqa agent max-concurrent number optional 2 by default. Z after an nqa test group is scheduled, you cannot enter the test group view or test type view. Z a started test group ...

  • Page 2516

    1-25 [devicea-nqa-admin-test-icmp-echo] destination ip 10.2.2.2 # configure optional parameters. [devicea-nqa-admin-test-icmp-echo] probe count 10 [devicea-nqa-admin-test-icmp-echo] probe timeout 500 [devicea-nqa-admin-test-icmp-echo] frequency 5000 # enable the saving of history records. [devicea-n...

  • Page 2517

    1-26 dhcp test configuration example network requirements use the nqa dhcp function to test the time necessary for switch a to obtain an ip address from the dhcp server switch b. Figure 1-4 network diagram for dhcp test configuration procedure # create a dhcp test group and configure related test pa...

  • Page 2518

    1-27 index response status time 1 624 succeeded 2007-11-22 09:56:03.2 dns test configuration example network requirements use the dns function to test whether device a can resolve the domain name host.com into an ip address through the dns server and test the time required for resolution. Figure 1-5...

  • Page 2519

    1-28 packet(s) arrived late: 0 # display the history of dns tests. [devicea] display nqa history admin test nqa entry(admin admin, tag test) history record(s): index response status time 1 62 succeeded 2008-11-10 10:49:37.3 ftp test configuration example network requirements use the nqa ftp function...

  • Page 2520

    1-29 square-sum of round trip time: 29929 last succeeded probe time: 2007-11-22 10:07:28.6 extended results: packet lost in test: 0% failures due to timeout: 0 failures due to disconnect: 0 failures due to no connection: 0 failures due to sequence error: 0 failures due to internal error: 0 failures ...

  • Page 2521

    1-30 # display results of the last http test. [devicea] display nqa result admin test nqa entry(admin admin, tag test) test results: destination ip address: 10.2.2.2 send operation times: 1 receive response times: 1 min/max/average round trip time: 64/64/64 square-sum of round trip time: 4096 last s...

  • Page 2522

    1-31 [devicea-nqa-admin-test] type udp-jitter [devicea-nqa-admin-test-udp-jitter] destination ip 10.2.2.2 [devicea-nqa-admin-test-udp-jitter] destination port 9000 [devicea-nqa-admin-test-udp-jitter] frequency 1000 [devicea-nqa-admin-test-udp-jitter] quit # enable udp jitter test. [devicea] nqa sche...

  • Page 2523

    1-32 sd lost packet(s): 0 ds lost packet(s): 0 lost packet(s) for unknown reason: 0 # display the statistics of udp jitter tests. [devicea] display nqa statistics admin test nqa entry(admin admin, tag test) test statistics: no. : 1 destination ip address: 10.2.2.2 start time: 2008-05-29 13:56:14.0 l...

  • Page 2524

    1-33 the display nqa history command cannot show you the results of udp jitter tests. Therefore, to know the result of a udp jitter test, you are recommended to use the display nqa result command to view the probe results of the latest nqa test, or use the display nqa statistics command to view the ...

  • Page 2525

    1-34 [devicea] display nqa result admin test nqa entry(admin admin, tag test) test results: destination ip address: 10.2.2.2 send operation times: 1 receive response times: 1 min/max/average round trip time: 50/50/50 square-sum of round trip time: 2500 last succeeded probe time: 2007-11-22 10:24:41....

  • Page 2526

    1-35 [devicea-nqa-admin-test-tcp] destination port 9000 # enable the saving of history records. [devicea-nqa-admin-test-tcp] history-record enable [devicea-nqa-admin-test-tcp] quit # enable tcp test. [devicea] nqa schedule admin test start-time now lifetime forever # disable tcp test after the test ...

  • Page 2527

    1-36 configuration procedure 1) configure device b # enable the nqa server and configure the listening ip address as 10.2.2.2 and port number as 8000. system-view [deviceb] nqa server enable [deviceb] nqa server udp-echo 10.2.2.2 8000 # enable the saving of history records. [devicea-nqa-admin-test-u...

  • Page 2528

    1-37 index response status time 1 25 succeeded 2007-11-22 10:36:17.9 voice test configuration example network requirements use the nqa voice function to test the delay jitter of voice packet transmission and voice quality between device a and device b. Figure 1-12 network diagram for voice tests con...

  • Page 2529

    1-38 failures due to no connection: 0 failures due to sequence error: 0 failures due to internal error: 0 failures due to other errors: 0 packet(s) arrived late: 0 voice results: rtt number: 1000 min positive sd: 1 min positive ds: 1 max positive sd: 204 max positive ds: 1297 positive sd number: 257...

  • Page 2530

    1-39 packet(s) arrived late: 0 voice results: rtt number: 4000 min positive sd: 1 min positive ds: 1 max positive sd: 360 max positive ds: 1297 positive sd number: 1030 positive ds number: 1024 positive sd sum: 4363 positive ds sum: 5423 positive sd average: 4 positive ds average: 5 positive sd squa...

  • Page 2531

    1-40 configuration procedure # create a dlsw test group and configure related test parameters. system-view [devicea] nqa entry admin test [devicea-nqa-admin-test] type dlsw [devicea-nqa-admin-test-dlsw] destination ip 10.2.2.2 # enable the saving of history records. [devicea-nqa-admin-test-dlsw] his...

  • Page 2532

    1-41 figure 1-14 network diagram for nqa collaboration configuration example vlan-int2 10.1.1.1/24 vlan-int2 10.1.1.2/24 vlan-int3 10.2.1.1/24 switch c vlan-int3 10.2.1.2/24 switch b switch a configuration procedure 1) assign each interface an ip address. (omitted) 2) on switch a, configure a unicas...

  • Page 2533

    1-42 notification delay: positive 0, negative 0 (in seconds) reference object: nqa entry: admin test reaction: 1 # display brief information about active routes in the routing table on switch a. [switcha] display ip routing-table routing tables: public destinations : 5 routes : 5 destination/mask pr...

  • Page 2534: Table of Contents

    I table of contents 1 ntp configuration 1-1 ntp overview ...

  • Page 2535: Ntp Configuration

    1-1 1 ntp configuration when configuring ntp, go to these sections for information you are interested in: z ntp overview z ntp configuration task list z configuring the operation modes of ntp z configuring the local clock as a reference source z configuring optional parameters of ntp z configuring a...

  • Page 2536

    1-2 z ntp supports access control and md5 authentication. Z ntp can unicast, multicast or broadcast protocol messages. How ntp works figure 1-1 shows the basic workflow of ntp. Device a and device b are interconnected over a network. They have their own independent system clocks, which need to be au...

  • Page 2537

    1-3 this is only a rough description of the work mechanism of ntp. For details, refer to rfc 1305. Ntp message format ntp uses two types of messages, clock synchronization message and ntp control message. An ntp control message is used in environments where network management is needed. As it is not...

  • Page 2538

    1-4 z poll: 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages. Z precision: an 8-bit signed integer indicating the precision of the local clock. Z root delay: roundtrip delay to the primary reference source. Z root dispersion: the maximum erro...

  • Page 2539

    1-5 symmetric peers mode figure 1-4 symmetric peers mode a device working in the symmetric active mode periodically sends clock synchronization messages, with the mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive m...

  • Page 2540

    1-6 multicast mode figure 1-6 multicast mode (figure labels: network; client; server; after receiving the first multicast message, the client sends a request; clock synchronization message exchange (mode 3 and mode 4); periodically multicasts clock synchronization messages (mode 5); calculates the network delay between c...

  • Page 2541

    1-7 z the ntp client on a pe can be synchronized to the ntp server on another pe through a designated vpn instance. Z the ntp server on a pe can synchronize the ntp clients on multiple ces in different vpns. Z a ce is a device that has an interface directly connecting to the service provider (sp). A...

  • Page 2542

    1-8 a single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations. A static association refers to an association that a user has manually created by using an ntp command, while a dynamic association is a temporary association created ...

  • Page 2543

    1-9 configuring the ntp symmetric peers mode for devices working in the symmetric mode, you need to specify a symmetric-passive peer on a symmetric-active peer. Follow these steps to configure a symmetric-active device: to do… use the command… remarks enter system view system-view — specify a sym...

  • Page 2544

    1-10 configuring a broadcast client to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number required enter the interface used to receive ntp broadcast messages. Configure the device to work in the ntp broadcast client mode ntp-se...

  • Page 2545

    1-11 configuring the multicast server to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number enter the interface used to send ntp multicast message. Configure the device to work in the ntp multicast server mode ntp-service multi...

  • Page 2546

    1-12 z typically, the stratum level of the ntp server which is synchronized from an authoritative clock (such as an atomic clock) is set to 1. This ntp server operates as the primary reference source on the network; and other devices synchronize themselves to it. The synchronization distances betwee...

  • Page 2547

    1-13 disabling an interface from receiving ntp messages when ntp is enabled, ntp messages can be received from all the interfaces by default, and you can disable an interface from receiving ntp messages through the following configuration. To do… use the command… remarks enter system view system-vie...

  • Page 2548

    1-14 configuration prerequisites prior to configuring the ntp service access-control right to the local device, you need to create and configure an acl associated with the access-control right. For the configuration of acl, refer to acl configuration in the security volume. Configuration procedure f...

  • Page 2549

    1-15 z for the client/server mode, if the ntp authentication feature has not been enabled for the client, the client can synchronize with the server regardless of whether the ntp authentication feature has been enabled for the server or not. If the ntp authentication is enabled on a client, the clie...

  • Page 2550

    1-16 to do… use the command… remarks configure an ntp authentication key ntp-service authentication-keyid keyid authentication-mode md5 value required no ntp authentication key by default configure the key as a trusted key ntp-service reliable authentication-keyid keyid required no authentication ke...

  • Page 2551

    1-17 figure 1-7 network diagram for ntp client/server mode configuration configuration procedure 1) configuration on device a: # specify the local clock as the reference source, with the stratum level of 2. system-view [devicea] ntp-service refclock-master 2 2) configuration on device b: # view the ...

  • Page 2552

    1-18 [deviceb] display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************** [12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 config...

  • Page 2553

    1-19 in the step above, device b and device c are configured as symmetric peers, with device c in the symmetric-active mode and device b in the symmetric-passive mode. Because the stratum level of device c is 1 while that of device b is 3, device b is synchronized to device c. # view the ntp status …

  • Page 2554

    1-20 figure 1-9 network diagram for ntp broadcast mode configuration [figure: switch a, switch b, switch c and switch d; interface addresses vlan-int3 1.0.1.11/24, vlan-int3 1.0.1.10/24, vlan-int2 3.0.1.31/24, vlan-int2 3.0.1.32/24 and vlan-int2 3.0.1.30/24] configuration procedure 1) configuration on switch c: # specify the local clock as th…

  • Page 2555

    1-21 actual frequency: 100.0000 hz clock precision: 2^18 clock offset: 0.0000 ms root delay: 31.00 ms root dispersion: 8.31 ms peer dispersion: 34.30 ms reference time: 16:01:51.713 utc sep 19 2005 (c6d95f6f.B6872b02) as shown above, switch d has been synchronized to switch c, and the clock stratum ...
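    The session table on page 2552 and the status output on page 2555 are what an operator reads to confirm which source a switch selected and when it last synchronized. The following is an added python example, not code from the 3com manual or the switch: it parses a session row of display ntp-service sessions, decodes the hexadecimal reference time printed by display ntp-service status, and flags sessions whose selected source is not on an allow list. The sample row is constructed from the values on this page; treating bit 0 of the reach register as the most recent poll follows the reference ntpd implementation and is an assumption for this platform.

```python
"""Parse 'display ntp-service sessions' rows and decode the 64-bit NTP
timestamps shown by 'display ntp-service status'.

Added example, not code from the 3Com manual. SAMPLE_SESSIONS is constructed
from the values shown on this page. Bit 0 of the reach register being the most
recent poll follows the reference ntpd convention (assumption here).
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Meaning of each digit inside the leading [ ] column, from the note under the table
FLAG_NAMES = {"1": "source(master)", "2": "source(peer)", "3": "selected",
              "4": "candidate", "5": "configured"}

# columns: source reference stra reach poll now offset delay disper
SESSION_RE = re.compile(
    r"^\[(?P<flags>\d+)\]\s+(?P<source>\S+)\s+(?P<reference>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<reach>\d+)\s+(?P<poll>\d+)\s+(?P<now>\d+)\s+(?P<offset>-?[\d.]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<disper>-?[\d.]+)\s*$"
)

# Constructed from the row shown on page 2552
SAMPLE_SESSIONS = [
    "[12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5",
]


def parse_session_line(line: str) -> dict:
    """One table row -> dict; raises ValueError on anything else (header, note line)."""
    m = SESSION_RE.match(line.strip())
    if not m:
        raise ValueError("not a session line: %r" % line)
    d = m.groupdict()
    return {
        "flags": {FLAG_NAMES[c] for c in d["flags"] if c in FLAG_NAMES},
        "source": d["source"],
        "reference": d["reference"],
        "stratum": int(d["stratum"]),
        "reach": int(d["reach"]),  # 8-bit shift register of the last eight polls, printed in decimal
        "poll": int(d["poll"]),
        "now": int(d["now"]),
        "offset_ms": float(d["offset"]),
        "delay_ms": float(d["delay"]),
        "dispersion_ms": float(d["disper"]),
    }


def decode_ntp_timestamp(text: str) -> datetime:
    """'c6d95f6f.B6872b02' -> aware UTC datetime.

    High word: seconds since 1900-01-01; low word: binary fraction of a second.
    Era 0 only: the 32-bit seconds field wraps in 2036.
    """
    sec_hex, frac_hex = text.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=round(fraction * 1_000_000))


def audit_sessions(lines, allowed_sources, max_offset_ms=128.0) -> list:
    """Findings a monitoring job would raise over the session table."""
    findings = []
    for line in lines:
        try:
            s = parse_session_line(line)
        except ValueError:
            continue  # header, separator and note lines
        if "selected" in s["flags"] and s["source"] not in allowed_sources:
            findings.append("%s: selected time source is not on the allow list" % s["source"])
        if s["stratum"] >= 16:
            findings.append("%s: source is unsynchronized (stratum 16)" % s["source"])
        if not s["reach"] & 1:
            findings.append("%s: most recent poll got no reply (reach %d)" % (s["source"], s["reach"]))
        if abs(s["offset_ms"]) > max_offset_ms:
            findings.append("%s: offset %.1f ms exceeds %.1f ms" % (s["source"], s["offset_ms"], max_offset_ms))
    return findings


if __name__ == "__main__":
    print(parse_session_line(SAMPLE_SESSIONS[0]))
    print(decode_ntp_timestamp("c6d95f6f.B6872b02"))  # 2005-09-19 16:01:51.713 UTC, as on the page
    print(audit_sessions(SAMPLE_SESSIONS, allowed_sources={"1.0.1.11"}))
    print(audit_sessions(SAMPLE_SESSIONS, allowed_sources={"10.0.0.1"}))
```

The allow-list check is the security-relevant one: a switch that has selected an unexpected source, or a source that is itself unsynchronized (stratum 16), is exactly the condition an attacker who can inject ntp traffic would try to produce, and it is visible in this table before the clock drifts far enough to break logging or certificate validation.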

  • Page 2556

    1-22 # configure switch c to work in the multicast server mode and send multicast messages through vlan-interface 2. [switchc] interface vlan-interface 2 [switchc-vlan-interface2] ntp-service multicast-server 2) configuration on switch d: # configure switch d to work in the multicast client mode and...

  • Page 2557

    1-23 [switchb-vlan3] port gigabitethernet 2/0/1 [switchb-vlan3] quit [switchb] interface vlan-interface 3 [switchb-vlan-interface3] igmp enable [switchb-vlan-interface3] igmp static-group 224.0.1.1 [switchb-vlan-interface3] quit [switchb] interface gigabitethernet 2/0/1 [switchb-gigabitethernet2/0/…

  • Page 2558

    1-24 configuring ntp client/server mode with authentication network requirements • the local clock of device a is to be configured as a reference source, with the stratum level of 2. • device b works in the client mode and device a is to be used as the ntp server of device b, with device b as the cl…

  • Page 2559

    1-25 nominal frequency: 100.0000 hz actual frequency: 100.0000 hz clock precision: 2^18 clock offset: 0.0000 ms root delay: 31.00 ms root dispersion: 1.05 ms peer dispersion: 7.81 ms reference time: 14:53:27.371 utc sep 19 2005 (c6d94f67.5ef9db22) as shown above, device b has been synchronized to de...

  • Page 2560

    1-26 system-view [switchc] ntp-service refclock-master 3 # configure ntp authentication. [switchc] ntp-service authentication enable [switchc] ntp-service authentication-keyid 88 authentication-mode md5 123456 [switchc] ntp-service reliable authentication-keyid 88 # specify switch c as an ntp broadc...
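    The three commands in this sequence (authentication enable, authentication-keyid ... md5, reliable authentication-keyid) and the receiver rules stated on pages 2549 and 2550 can be reproduced to see what each setting actually enforces. The following is an added python example, not code from the 3com manual or the switch. It assumes the standard ntp symmetric-key wire format (48-byte header, 4-byte key id, 16-byte md5 digest of key || header) and models two rules from this chapter: a client without authentication enabled accepts any reply, and a key must be both configured and marked reliable before it is used to verify. The key value 123456 is the manual's placeholder; in a deployment use a long random key, and keep in mind that md5 is the only authentication mode this release offers.

```python
"""NTP symmetric-key (MD5) authenticator as configured with
ntp-service authentication-keyid <id> authentication-mode md5 <key>.

Added example, not code from the 3Com manual. Wire format per RFC 1305/5905:
a 48-byte header followed by a 4-byte key ID and the 16-byte MD5 digest of
key || header. The key value 123456 below is the manual's placeholder.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
MAC_LEN = 4 + 16  # key id + md5 digest


def build_client_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv3 client request: LI=0, VN=3, mode=3, only the transmit timestamp set."""
    first_byte = (0 << 6) | (3 << 3) | 3
    # stratum, poll, precision, then root delay, root dispersion, reference id (all zero)
    return (struct.pack("!BBbb", first_byte, 0, 0, 0)
            + bytes(12)
            + struct.pack("!QQQQ", 0, 0, 0, transmit_ts))


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Keyed digest: MD5 over the secret key prepended to the 48-byte header."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, keyid: int, key: bytes) -> bytes:
    """What a device with 'ntp-service authentication enable' appends when sending."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be %d bytes" % HEADER_LEN)
    return header + struct.pack("!I", keyid) + md5_mac(key, header)


def receiver_accepts(packet: bytes, auth_enabled: bool, keys: dict, trusted: set) -> tuple:
    """Receiver-side decision modelled on the manual's rules.

    auth_enabled  ntp-service authentication enable on the receiving device
    keys          key id -> key value (ntp-service authentication-keyid ...)
    trusted       key ids marked reliable (ntp-service reliable authentication-keyid ...)
    Returns (accepted, reason).
    """
    if not auth_enabled:
        # A client without authentication enabled synchronizes regardless of the server's setting
        return True, "authentication disabled; packet accepted unverified"
    if len(packet) == HEADER_LEN:
        return False, "authentication enabled but packet carries no authenticator"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length %d" % len(packet)
    header, tail = packet[:HEADER_LEN], packet[HEADER_LEN:]
    keyid = struct.unpack("!I", tail[:4])[0]
    digest = tail[4:]
    if keyid not in keys:
        return False, "key id %d is not configured" % keyid
    if keyid not in trusted:
        return False, "key id %d is configured but not marked reliable" % keyid
    if not hmac.compare_digest(digest, md5_mac(keys[keyid], header)):
        return False, "digest mismatch for key id %d" % keyid
    return True, "authenticated with key id %d" % keyid


if __name__ == "__main__":
    # Switch C's configuration from this page: key 88, md5, value 123456, marked reliable
    keys, trusted = {88: b"123456"}, {88}
    request = authenticate(build_client_header(transmit_ts=1 << 32), 88, b"123456")
    print(receiver_accepts(request, True, keys, trusted))   # accepted
    print(receiver_accepts(request, True, keys, set()))     # configured but not reliable: rejected
    tampered = bytes([request[0] ^ 0x01]) + request[1:]
    print(receiver_accepts(tampered, True, keys, trusted))  # digest mismatch: rejected
```

Two points worth noticing when running it: the receiver with authentication disabled returns accepted without looking at the packet at all, which is the manual's rule restated as code, and hmac.compare_digest is used for the digest comparison so that the reject path does not leak how many digest bytes matched.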

  • Page 2561

    1-27 configuring mpls vpn time synchronization in client/server mode network requirements • two vpns are present on pe 1 and pe 2: vpn 1 and vpn 2. • ce 1 and ce 3 are devices in vpn 1, while ce 2 and ce 4 are devices in vpn 2. • ce 1’s local clock is to be used as a reference source, with the strat…

  • Page 2562

    1-28 configuration procedure prior to performing the following configuration, be sure you have completed mpls vpn-related configurations and make sure of the reachability between ce 1 and pe 1, between pe 1 and pe 2, and between pe 2 and ce 3. Refer to the mpls volume to configure mpls vpn. 1) confi...

  • Page 2563

    1-29 configuring mpls vpn time synchronization in symmetric peers mode network requirements • pe 1’s local clock is to be used as a reference source, with the stratum level of 1. • pe 2 is synchronized to pe 1 in the symmetric peers mode. Configuration procedure 1) configuration on pe 1: # specify t…

  • Page 2564: Table of Contents

    I table of contents 1 hotfix configuration ··································································································································1-1 hotfix overview ···········································································································...

  • Page 2565: Hotfix Configuration

    1-1 1 hotfix configuration the s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series switches can be connected together to form a distributed irf device. If an s7900e series switch is not in any irf, it operates as a distributed device; if the s7…

  • Page 2566

    1-2 • temporary patches are not formally released through the version release flow but are provided temporarily to solve urgent problems. Common patches always include the functions of the previous temporary patches and so replace them. The patch type affects the patch loading proces…

  • Page 2567

    1-3 patches in the idle state remain in the idle state after a system reboot. Figure 1-2 patches are not loaded to the memory patch area. Currently, the system patch area supports up to 200 patches. Deactive state: patches in the deactive state have been loaded to the memory patch ar…

  • Page 2568

    1-4 figure 1-4 patches are activated. Running state: after you confirm the running of the active patches, their state becomes running and remains running after a system reboot. For the five patches in figure 1-4, if you confirm the running of the first three patches, their st…

  • Page 2569

    1-5 configuration prerequisites patches are released per device model or card type. Before patching the system, you need to save the appropriate patch files to the storage media of the device using ftp or tftp. Tftp carries no authentication or integrity protection, so transfer patch files only over a trusted management network and verify the loaded file (size and checksum) is the one you intended before loading it. When saving the patch files, note that: • the patch files match the device model and soft…

  • Page 2570

    1-6 to do… use the command… remarks enter system view system-view — install the patches in one step patch install patch-location required • the patch matches the card type and software version. • the patch install command changes the patch file location specified with the patch location command to t…

  • Page 2571

    1-7 • the directory specified by the patch-location argument must exist on both the amb and smb. If the smb lacks that directory, the system cannot locate the patch files on the original smb after a switchover. • the patch install command changes the patch file location specified with the patch …

  • Page 2572

    1-8 if an active patch turns out to be faulty, you can reboot the device to deactivate it and so avoid a series of running faults caused by the patch error. Follow the steps below to activate patches: (distributed device) to do… use the command… remarks enter system view system-…

  • Page 2573

    1-9 one-step patch uninstallation you can use the undo patch install command to uninstall all patches from all the cards and oam cpu. The patches then turn to the idle state. This equals the execution of the commands patch deactive and patch delete on each card and oam cpu. Follow these steps to uni...

  • Page 2574

    1-10 to do… use the command… remarks enter system view system-view — delete the specified patches from the memory patch area patch delete patch-number slot slot-number required follow the steps below to delete patches: (distributed irf device) to do… use the command… remarks enter system view system...

  • Page 2575

    1-11 2) configure device. Make sure the free flash space of the device is big enough to store the patch files. # before upgrading the software, use the save command to save the current system configuration. The configuration procedure is omitted. # load the patch files patch_mpu.bin, patch_lpr.bin a…

  • Page 2576: Table of Contents

    I table of contents 1 irf configuration ······································································································································1-1 introduction to irf·······································································································...

  • Page 2577: Irf Configuration

    1-1 1 irf configuration when configuring irf, go to these sections for information you are interested in: • introduction to irf • basic concepts of irf • irf working process • irf configuration task list • switching operating mode • configuring irf • accessing an irf • displaying and maintaining irf…

  • Page 2578

    1-2 an irf system comprises multiple member devices: the master runs, manages and maintains the irf, while the slaves process services and also serve as backups. As soon as the master fails, the irf system immediately elects a new master to prevent service interruption and implement 1:…

  • Page 2579

    1-3 basic concepts of irf figure 1-2 diagram for irf basic concepts as shown in figure 1-2 , connect device a and device b and perform necessary configurations, and then the irf is formed. This irf has four main boards, one active switching & routing processing unit (srpu) and three standby srpus, a...

  • Page 2580

    1-4 both the master and slave(s) are elected. An irf has only one master at one time, and all the other devices are the slaves. For the introduction to the role election process, refer to role election . Local active srpu a local active srpu is the active srpu of a member device. As an essential har...

  • Page 2581

    1-5 irf merge as shown in figure 1-3 , two irfs operate independently and stably. You can connect them physically and perform the necessary configurations to make them form one irf; this process is an irf merge. Figure 1-3 irf merge irf split as shown in figure 1-4 , after an irf is formed, the failu…

  • Page 2582

    1-6 an irf typically has a daisy chain connection, that is, irf-port1 of a device is connected to irf-port2 of another device, and the two devices are connected to form a single straight connection, as shown in figure 1-5 . Figure 1-5 physical connections of irf irf-port1 irf-port2 irf master slave ...

  • Page 2583

    1-7 after that, the irf system is formed and the irf enters the next stage: irf management and maintenance. During the merge, an irf election is held following the role election rules. Members of the losing side reboot and join the winning side as slaves. Whether the device reboots automatica…

  • Page 2584

    1-8 besides, if the irf ports are not connected correctly (that is, not irf-port1 of one device to irf-port2 of the other, as the daisy chain connection requires), the slaves will reboot and try to join the irf again. Therefore, to make the irf system operate normally, you need to make sure that the link state is normal and co…

  • Page 2585

    1-9 master, and execute some simple commands on the slaves, like display, terminal, debug, and so on, as shown in the following table. Complete the following tasks to configure irf: task remarks switching operating mode optional setting a member id for a device required specifying a priority for an ...

  • Page 2586

    1-10 • when the switch operates in standalone mode (that is, irf is not enabled on the switch), the olt function can operate normally; when the switch operates in irf mode (that is, irf is enabled on the switch), the olt cards cannot start. • for an introduction to the olt function, refer to epon-olt c…

  • Page 2587

    1-11 • the above setting takes effect after the device reboots. • in an irf, member ids not only identify devices but are also used to configure irf ports and member priorities. Therefore, modifying a member id may change or even lose device configuration. Modify membe…

  • Page 2588

    1-12 to do… use the command… remarks create an irf port and enter irf port view irf-port member-id/port-number required by default, no irf port is created on the device. If the irf port is already created, this command enters irf port view. Bind physical irf port(s) to an irf port port group interfa...

  • Page 2589

    1-13 • if a master leaves an irf to join another irf or to operate independently and the irf is configured to preserve the bridge mac address permanently, a bridge mac address collision occurs and causes network communication problems. • if the master leaves the irf because of reboot or link failu…

  • Page 2590

    1-14 handles the problem accordingly. Use this function to avoid adding additional overhead to the system caused by the frequent link state changes of an interface in a short time. Follow these steps to set the delay time for the link layer to report a link-down event of an irf: to do… use the comma...

  • Page 2591

    1-15 figure 1-7 network diagram for bfd mad detection lacp mad requires intermediate devices that are capable of identifying and processing lacp data units (lacpdus) extended to carry the active id field. Enabling bfd mad detection bfd mad detection is implemented through the bfd protocol. You need ...

  • Page 2592

    1-16 to do… use the command… remarks enter the view of the port that connects to the bfd mad detection link interface interface-type interface-number — access port port access vlan vlan-id trunk port port trunk permit vlan vlan-id assign the port to the vlan used for bfd mad detection hybrid port po...

  • Page 2593

    1-17 to do… use the command… remarks enter system view system-view — enter layer 2 aggregation port view interface bridge-aggregation interface-number required the aggregation port here must be a dynamic aggregation port. Configure the aggregation group to work in dynamic aggregation mode link-aggre...

  • Page 2594

    1-18 to do… use the command… remarks specify the reserved ports, that is, the ports that will not be disabled when the device is in the recovery state mad exclude interface interface-type interface-number required by default, no reserved port is specified, that is, all service ports will be disabled...

  • Page 2595

    1-19 example. What you have input on the access terminal will be redirected to the specified global standby srpu for processing. At present, only the following commands are allowed to be executed on a global standby srpu: • display • quit • return • system-view • debugging • terminal debugging • t…

  • Page 2596

    1-20 irf configuration examples bfd-mad enabled irf configuration example network requirements as shown in figure 1-8 , the number of pcs on the enterprise network is outgrowing the number of ports available on the access switches. To accommodate business growth, the number of ports at the access…

  • Page 2597

    1-21 [sysname] interface ten-gigabitethernet 1/3/0/25 [sysname-ten-gigabitethernet1/3/0/25] shutdown [sysname-ten-gigabitethernet1/3/0/25] quit [sysname] irf-port 1/2 [sysname-irf-port1/2] port group interface ten-gigabitethernet 1/3/0/25 [sysname-irf-port1/2] quit [sysname] interface ten-gigabite…

  • Page 2598

    1-22 [sysname] interface vlan-interface 3 [sysname-vlan-interface3] mad bfd enable [sysname-vlan-interface3] mad ip add 192.168.2.1 24 chassis 1 [sysname-vlan-interface3] mad ip add 192.168.2.2 24 chassis 2 [sysname-vlan-interface3] quit lacp-mad enabled irf configuration example network requirement...

  • Page 2599

    1-23 configuration procedure 1) device a and device b are not connected. Power them on and configure them separately. # configure device a. system-view [sysname] chassis convert mode irf this command will convert the device to irf mode and the device will reboot. Are you sure? [y/n]: y the device re…

  • Page 2600

    1-24 [sysname-ten-gigabitethernet2/3/0/25] undo shutdown [sysname-ten-gigabitethernet2/3/0/25] save 2) power off the two devices. Connect them as shown in figure 1-9 with irf cables. Power them on, and the irf is established. 3) configure lacp mad detection # create a dynamic aggregation port and en...

  • Page 2601: Table of Contents

    I table of contents 1 ipc configuration ······································································································································1-1 ipc overview ·············································································································...

  • Page 2602: Ipc Configuration

    1-1 1 ipc configuration when configuring ipc, go to these sections for information you are interested in: • ipc overview • enabling ipc performance statistics • displaying and maintaining ipc ipc overview introduction to ipc inter-process communication (ipc) is a reliable communication mechanism amo…

  • Page 2603

    1-2 figure 1-1 relationship between a node, link and channel [figure: node 1 and node 2, each running ipc and applications 1 to 3, joined by channel 1 and channel 2] packet sending modes ipc supports three packet sending modes: unicast, multicast (broadcast is considered as…

  • Page 2605: Oaa Volume Organization

    Oaa volume organization manual version 20091015-c-1.00 product version release 6605 and later organization the oaa volume is organized as follows: features description oap configuration this document describes: z oap overview z configuring an oap card acfp the application control forwarding protocol...

  • Page 2606: Table of Contents

    I table of contents 1 oap configuration ····································································································································1-1 oap overview················································································································...

  • Page 2607: Oap Configuration

    1-1 1 oap configuration the 3com s7900e series ethernet switches are distributed devices supporting intelligent resilient framework (irf). Two s7900e series switches can be connected together to form a distributed irf device. If an s7900e series switch is not in any irf, it operates as a distributed device; if the …

  • Page 2608

    1-2 to do… use the command… remarks redirect from the switch to the software system on the oap card (distributed device) oap connect slot slot-number redirect from the switch to the software system on the oap card (distributed irf device) oap connect chassis chassis-number slot slot-number required ...

  • Page 2609: Table of Contents

    I table of contents 1 acfp configuration ··································································································································1-1 introduction to acfp·········································································································...

  • Page 2610: Acfp Configuration

    1-1 1 acfp configuration when configuring acfp, go to these sections for information you are interested in: • introduction to acfp • acfp configuration task list • configuring the acfp server (switch) • configuring acfp client (oap card) introduction to acfp basic data communication networks compris…

  • Page 2611

    1-2 z interface-connecting component: it connects the interface of the routing/switching component to that of the independent service component, allowing the devices of two manufacturers to be interconnected. Acfp collaboration acfp collaboration means that the independent service component can send...

  • Page 2612

    1-3 • supported working modes: host, pass-through, mirroring, and redirect. An acfp server can support multiple working modes among these four at the same time. The acfp server and client(s) can collaborate with each other only when the acfp server supports the working mode of the acfp client. • max…

  • Page 2613

    1-4 • context id: it is used when the packet is mirrored or redirected to an acfp client. After the interface connected to the acfp client is specified in the policy sent, the acfp server assigns it a global serial number, that is, the context id, with each context id corresponding to an acfp collab…

  • Page 2614

    1-5 • ending source port number • destination ip address • wildcard mask of destination ip address • destination port number operator: its type can be equal to, not equal to, greater than, less than, or greater than and less than (a range). The following ending destination port number is meaningful only when the ty…
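    The rule fields above (addresses with wildcard masks, a port operator, and an ending port that only applies to the range operator) are an ordinary five-tuple classifier. The following is an added python example, not the 3com implementation, showing how such a rule is evaluated; the Rule field names, the protocol field and the wildcard-mask convention (a 0 bit must match, a 1 bit is ignored, as in comware acls) are assumptions. It also shows the common mistake of writing a subnet mask where a wildcard mask is expected, which silently widens the match.

```python
"""Five-tuple rule matching in the style of the acfp rule fields listed above
(addresses with wildcard masks, port operators eq/neq/gt/lt/range).

Added example, not the 3Com implementation. The Rule field names, the protocol
field and the wildcard-mask convention (0 bits must match, 1 bits are ignored,
as in Comware ACLs) are assumptions. RULES and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OPERATORS = ("eq", "neq", "gt", "lt", "range")  # range = "greater than and less than"


def ip_matches(addr: str, rule_addr: Optional[str], wildcard: Optional[str]) -> bool:
    """Wildcard compare: only bits that are 0 in the wildcard mask must be equal."""
    if rule_addr is None:
        return True
    care = ~int(ipaddress.IPv4Address(wildcard or "0.0.0.0")) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def port_matches(port: int, op: Optional[str], start: Optional[int], end: Optional[int]) -> bool:
    """Apply the port operator; the ending port is consulted only for 'range'."""
    if op is None:
        return True
    if op not in OPERATORS:
        raise ValueError("unknown operator %r" % op)
    if op == "range":
        if end is None:
            raise ValueError("range needs an ending port number")
        return start <= port <= end
    return {"eq": port == start, "neq": port != start,
            "gt": port > start, "lt": port < start}[op]


@dataclass
class Rule:
    protocol: Optional[int] = None  # ip protocol number, e.g. 6 = tcp, 17 = udp; None = any
    src_ip: Optional[str] = None
    src_wildcard: Optional[str] = None
    src_op: Optional[str] = None
    src_start: Optional[int] = None
    src_end: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_wildcard: Optional[str] = None
    dst_op: Optional[str] = None
    dst_start: Optional[int] = None
    dst_end: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """pkt keys: proto, src, sport, dst, dport."""
        return ((self.protocol is None or pkt["proto"] == self.protocol)
                and ip_matches(pkt["src"], self.src_ip, self.src_wildcard)
                and port_matches(pkt["sport"], self.src_op, self.src_start, self.src_end)
                and ip_matches(pkt["dst"], self.dst_ip, self.dst_wildcard)
                and port_matches(pkt["dport"], self.dst_op, self.dst_start, self.dst_end))


def first_match(rules, pkt: dict) -> Optional[int]:
    """Index of the first matching rule, or None; rule order decides precedence."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


# Constructed rules: tcp to 10.1.0.0/16 on ports 8000-8080, and anything to 10.1.0.53 port 53
RULES = [
    Rule(protocol=6, dst_ip="10.1.0.0", dst_wildcard="0.0.255.255",
         dst_op="range", dst_start=8000, dst_end=8080),
    Rule(dst_ip="10.1.0.53", dst_wildcard="0.0.0.0", dst_op="eq", dst_start=53),
]

if __name__ == "__main__":
    pkt = {"proto": 6, "src": "192.0.2.10", "sport": 40000, "dst": "10.1.5.6", "dport": 8080}
    print(first_match(RULES, pkt))  # 0
    # Classic mistake: 255.255.0.0 is a subnet mask, not a wildcard. As a wildcard it ignores the
    # network bits, so the "10.1.0.0" rule matches any host whose last two octets are 0.0.
    print(ip_matches("192.168.0.0", "10.1.0.0", "255.255.0.0"))  # True
```

The inverted-mask case is worth a test in any policy you push to an acfp client: a rule meant to redirect one /16 that instead matches on the host bits will steer unrelated traffic to the service card, and nothing in the rule syntax itself rejects it.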

  • Page 2615

    1-6 configuring the acfp server (switch) enabling the acfp server follow these steps to enable the acfp server: to do… use the command… remarks enter system view system-view — enable the acfp server acfp server enable required disabled by default enabling the acfp trap function to make acfp work nor...

  • Page 2616

    1-7 for the detailed description of the snmp-agent trap enable command, refer to the snmp commands in the system volume. Displaying and maintaining acfp to do… use the command… remarks display the configuration information of the acfp server display acfp server-info display the configuration informa...

  • Page 2617: Table of Contents

    I table of contents 1 acsei configuration ·································································································································1-1 introduction to acsei········································································································...

  • Page 2618: Acsei Configuration

    1-1 1 acsei configuration when configuring acsei, go to these sections for information you are interested in: • introduction to acsei • acsei server configuration (switch) • configuring acsei client (oap card) introduction to acsei as a proprietary protocol, acsei provides a method for exchanging inform…

  • Page 2619

    1-2 an acsei server can register up to 10 acsei clients. Acsei timers an acsei server uses two timers, the clock synchronization timer and the monitoring timer. • the clock synchronization timer is used to periodicall…

  • Page 2620

    1-3 configuring the clock synchronization timer follow these steps to configure the clock synchronization timer: to do… use the command… remarks enter system view system-view — enable the acsei server function acsei server enable required enter acsei server view acsei server — configure the clock sy...

  • Page 2621

    1-4 to do… use the command… remarks enter acsei server view acsei server — restart the specified acsei client acsei client reboot client-id required displaying and maintaining acsei server to do… use the command… remarks display acsei client summary display acsei client summary [ client-id ] display...