3Com Switch 4800G 24-Port Configuration Manual

Manual is about: 3Com Switch 4800G Family

Summary of Switch 4800G 24-Port

  • Page 1

    www.3com.com. Part number: 10015265, Rev. AB. Published: March 2008. 3Com® Switch 4800G Family Configuration Guide: Switch 4800G 24-Port, Switch 4800G PWR 24-Port, Switch 4800G 48-Port, Switch 4800G PWR 48-Port, Switch 4800G 24-Port SFP.

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752-3064. Copyright © 2006-2008, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without ...

  • Page 3: Contents

    Contents. About This Guide: Conventions 21; Related Documentation 21. Product Overview: Preface 23; Product Models 23. Networking Applications: Serving as a Convergence Layer Device 24; Serving as an Access Layer Device 24. 1 Logging In to an Ethernet Switch: Logging In to an Ethernet Switch 27; Intr...

  • Page 4

    5 Logging In Through Web-Based Network Management System: Introduction 67; HTTP Connection Establishment 67; Web Server Shutdown/Startup 68; Displaying Web Users 69. 6 Logging In Through NMS: Introduction 71; Connection Establishment Using NMS 71. 7 Configuring Source IP Address for Telnet Se...

  • Page 5

    12 IP Addressing Configuration: IP Addressing Overview 121; Configuring IP Addresses 123; Displaying and Maintaining IP Addressing 126. 13 IP Performance Configuration: IP Performance Overview 127; Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network 127; Configuring...

  • Page 6

    19 Link Aggregation Configuration: Configuring Link Aggregation 167; Displaying and Maintaining Link Aggregation 169; Link Aggregation Configuration Example 170. 20 MAC Address Table Management Configuration: Introduction to MAC Address Table 173; Configuring MAC Address Table Management 174; Displa...

  • Page 7

    25 GR Overview: Introduction to Graceful Restart 247; Basic Concepts in Graceful Restart 247; Graceful Restart Communication Procedure 248; Graceful Restart Mechanism for Several Commonly Used Protocols 250. 26 Static Routing Configuration: Introduction 251; Configuring a Static Route 252; Detecting Rea...

  • Page 8

    30 BGP Configuration: BGP Overview 365; BGP Configuration Task List 380; Configuring BGP Basic Functions 381; Controlling Route Distribution and Reception 383; Configuring BGP Route Attributes 386; Tuning and Optimizing BGP Networks 388; Configuring a Large Scale BGP Network 390; Configuring BGP GR 392; Dis...

  • Page 9

    Troubleshooting OSPFv3 Configuration 459. 35 IPv6 IS-IS Configuration: Introduction to IPv6 IS-IS 461; Configuring IPv6 IS-IS Basic Functions 461; Configuring IPv6 IS-IS Routing Information Control 462; Displaying and Maintaining IPv6 IS-IS 463; IPv6 IS-IS Configuration Example 464. 36 IPv6 BGP Confi...

  • Page 10

    40 Tunneling Configuration: Introduction to Tunneling 523; Tunneling Configuration Task List 526; Configuring IPv6 Manual Tunnel 526; Configuring 6to4 Tunnel 530; Configuring ISATAP Tunnel 535; Displaying and Maintaining Tunneling Configuration 538; Troubleshooting Tunneling Configuration 538. 41 Multica...

  • Page 11

    Configuring IPv6 Multicast VLAN 609; Displaying and Maintaining IPv6 Multicast VLAN 610; IPv6 Multicast VLAN Configuration Examples 610. 46 IGMP Configuration: IGMP Overview 613; IGMP Configuration Task List 617; Configuring Basic Functions of IGMP 618; Adjusting IGMP Performance 620; Displaying and Mainta...

  • Page 12

    Displaying and Maintaining 802.1X 729; 802.1X Configuration Example 729; Guest VLAN Configuration Example 732; ACL Assignment Configuration Example 735. 51 HABP Configuration: Introduction to HABP 737; Configuring HABP 737; Displaying and Maintaining HABP 738. 52 MAC Authentication Configuration: MAC Auth...

  • Page 13

    Protocols and Standards 796. 57 DHCP Server Configuration: Introduction to DHCP Server 797; DHCP Server Configuration Task List 799; Enabling DHCP 799; Enabling the DHCP Server on an Interface 799; Configuring an Address Pool for the DHCP Server 800; Configuring the DHCP Server Security Functions 806; Con...

  • Page 14

    Introduction to IPv6 ACL 838. 63 IPv4 ACL Configuration: Creating a Time Range 841; Configuring a Basic IPv4 ACL 842; Configuring an Advanced IPv4 ACL 844; Configuring an Ethernet Frame Header ACL 845; Copying an IPv4 ACL 846; Displaying and Maintaining IPv4 ACLs 847; IPv4 ACL Configuration Example 847. 6...

  • Page 15

    Configuring a WRR Queue 880; Configuring SP+WRR Queues 881; Displaying and Maintaining Congestion Management 882. 69 Priority Mapping: Priority Mapping Overview 883; Configuring a Priority Mapping Table 884; Configuring the Port Priority 885; Configuring Port Priority Trust Mode 886; Displaying and Mainta...

  • Page 16

    Displaying and Maintaining UDP Helper 928; UDP Helper Configuration Example 928. 75 SNMP Configuration: SNMP Overview 931; SNMP Configuration 933; Configuring SNMP Logging 935; Trap Configuration 936; Displaying and Maintaining SNMP 937; SNMP Configuration Example 938; SNMP Logging Configuration Example 939...

  • Page 17

    Configuring the FTP Server 996; Displaying and Maintaining FTP 999. 81 TFTP Configuration: TFTP Overview 1001; Configuring the TFTP Client 1002; Displaying and Maintaining the TFTP Client 1003; TFTP Client Configuration Example 1003. 82 Information Center Configuration: Information Center Overview 1005 ...

  • Page 18

    87 VRRP Configuration: Introduction to VRRP 1073; Configuring VRRP for IPv4 1081; Configuring VRRP for IPv6 1084; IPv4-Based VRRP Configuration Examples 1088; IPv6-Based VRRP Configuration Examples 1096; Troubleshooting VRRP 1105. 88 SSH Configuration: SSH2.0 Overview 1107; Configuring the Device as an SSH...

  • Page 19

    92 LLDP Configuration: Introduction to LLDP 1181; LLDP Configuration Tasks List 1184; Performing Basic LLDP Configuration 1184; Configuring LLDP Trap 1188; Displaying and Maintaining LLDP 1188; LLDP Configuration Example 1189. 93 PoE Configuration: PoE Overview 1193; PoE Configuration Task List 1194; Conf...

  • Page 20

    HTTPS Configuration Example 1215. 97 PKI Configuration: Introduction to PKI 1219; PKI Configuration Task List 1222; Configuring an Entity DN 1222; Configuring a PKI Domain 1223; Submitting a PKI Certificate Request 1225; Retrieving a Certificate Manually 1226; Configuring PKI Certificate Validation 1227; De...

  • Page 21: About This Guide

    About This Guide. This guide describes the 3Com® Switch 4800G and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch. This guide is intended for qualified service personnel who ...

  • Page 22

    22 About This Guide. ■ Switch 4800G Release Notes — contains the latest information about your product. If information in this guide differs from information in the release notes, use the information in the release notes. These documents are available in Adobe Acrobat Reader Portable Document Form...

  • Page 23: Product Overview

    Product Overview. Preface: the 3Com Switch 4800G family (hereinafter referred to as the Switch 4800G) are Gigabit Ethernet switching products developed by 3Com. The Switch 4800G have abundant service features. They provide the IPv6 forwarding function and 10GE uplink interfaces. Through 3Com-specific cl...

  • Page 24

    24 Chapter: Networking Applications. The Switch 4800G are designed as convergence layer switches or access layer switches for enterprise networks and MANs. The Switch 4800G provide 24 or 48 autosensing Gigabit Ethernet ports and four SFP combo Gigabit optical interfaces. In addition, the Switch 4...

  • Page 25

    Serving as an Access Layer Device 25. Figure 2 Application of Switch 4800G at access layer (core/aggregation, access; S5600-HI, S5600-PWR-HI).

  • Page 26

    26 Chapter: Networking Applications.

  • Page 27: Logging In to an Ethernet Switch

    1 Logging In to an Ethernet Switch. Logging in to an Ethernet switch: you can log in to a Switch 4800G in one of the following ways: ■ logging in locally through the console port ■ telnetting locally or remotely to an Ethernet port ■ telnetting to the console port using a modem ■ logging in to th...

  • Page 28

    28 Chapter 1: Logging In to an Ethernet Switch. Common user interface configuration (To do… / Use the command… / Remarks): lock the current user interface / lock / optional; execute this command in user view. A user interface is not locked by default. Specify to send messages to all user interfaces/a specif...

  • Page 30

    30 Chapter 1: Logging In to an Ethernet Switch.

  • Page 31: Logging In Through the Console Port

    2 Logging In Through the Console Port. Note: the default system name of the Switch 4800G is 3Com, that is, the command line prompt is 3Com. All the following examples take 3Com as the command line prompt. Introduction: logging in through the console port is the most common way to log in to a switch. I...

  • Page 32

    32 Chapter 2: Logging In Through the Console Port. Figure 4 Create a connection. Figure 5 Specify the port used to establish the connection.

  • Page 33

    Console Port Login Configuration 33. Figure 6 Set port parameters; terminal window. ■ Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key. ■ You can then c...

  • Page 34

    34 Chapter 2: Logging In Through the Console Port. Caution: changing the console port configuration terminates the connection to the console port. To establish the connection again, you need to modify the configuration of the terminal emulation utility running on your PC accordingly. Refer ...

  • Page 35

    Console Port Login Configuration with Authentication Mode Being None 35. Note: changes of the authentication mode of console port login will not take effect unless you exit and enter the CLI again. Console port login configuration with authentication mode being none: configuration procedure. Scheme: specify...

  • Page 37

    Console Port Login Configuration with Authentication Mode Being None 37. Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in ...

  • Page 38

    38 Chapter 2: Logging In Through the Console Port. [sw4800g] user-interface aux 0 # Specify not to authenticate the user logging in through the console port. [sw4800g-ui-aux0] authentication-mode none # Specify that commands of level 2 are available to the user logging in to the AUX user interface. ...

  • Page 39

    Console Port Login Configuration with Authentication Mode Being Password 39. Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the (table continues: configure the console port / set the baud rate / speed speed-value / option...

  • Page 40

    40 Chapter 2: Logging In Through the Console Port. authentication-mode password and the user privilege level level command, as listed in the following table. Configuration example. Network requirements: assume the switch is configured to allow you to log in through Telnet, and your user level is s...

  • Page 41

    Console Port Login Configuration with Authentication Mode Being Scheme 41. [sw4800g] user-interface aux 0 # Specify to authenticate the user logging in through the console port using the local password. [sw4800g-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text)....

  • Page 42

    42 Chapter 2: Logging In Through the Console Port. Configure the authentication mode: enter the default ISP domain view / domain domain name / optional; by default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning local us...

  • Page 44

    44 Chapter 2: Logging In Through the Console Port. Note that the level of the commands available to users logging in to a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and the service-type terminal [ level l...

  • Page 45

    Console Port Login Configuration with Authentication Mode Being Scheme 45. ■ Set the service type of the local user to terminal. ■ Configure to authenticate the user logging in through the console port in the scheme mode. ■ The commands of level 2 are available to the user logging in to the AUX user ...

  • Page 46

    46 Chapter 2: Logging In Through the Console Port. [sw4800g-ui-aux0] authentication-mode scheme # Set the baud rate of the console port to 19,200 bps. [sw4800g-ui-aux0] speed 19200 # Set the maximum number of lines the screen can contain to 30. [sw4800g-ui-aux0] screen-length 30 # Set the maxim...

  • Page 47: Logging In Through Telnet

    3 Logging In Through Telnet. Introduction: you can Telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly. Note: ■ after you log in to the switch through Telnet, you can issue commands to the switch by way of...

  • Page 48

    48 Chapter 3: Logging In Through Telnet. Caution: ■ The auto-execute command command may make you unable to perform common configuration in the user interface, so use it with caution. ■ Before executing the auto-execute command command and saving your configuration, make sure you can log in to ...

  • Page 49

    Telnet Configuration with Authentication Mode Being None 49. Telnet configuration with authentication mode being none: configuration procedure. Scheme: specify to perform local authentication or RADIUS authentication / AAA configuration / specifies whether to perform local authentication or RADIUS authentic...

  • Page 50

    50 Chapter 3: Logging In Through Telnet. Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on both the authentication-mode none command and the user privilege level level command, as listed in Table 13. Configuration exa...

  • Page 51

    Telnet Configuration with Authentication Mode Being None 51. ■ Commands of level 2 are available to users logging in to VTY 0. ■ Telnet protocol is supported. ■ The screen can contain up to 30 lines. ■ The history command buffer can contain up to 20 commands. ■ The timeout time of VTY 0 is 6 minutes....

  • Page 52

    52 Chapter 3: Logging In Through Telnet. Telnet configuration with authentication mode being password: configuration procedure (To do… / Use the command… / Remarks): enter system view / system-view / -; enable the Telnet server function / telnet server enable / required; enter one or more VTY user interface views...

  • Page 53

    Telnet Configuration with Authentication Mode Being Password 53. Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password command and the user privilege level level command, ...

  • Page 54

    54 Chapter 3: Logging In Through Telnet. Configuration procedure # Enter system view, and enable the Telnet service. system-view [sw4800g] telnet server enable # Enter VTY 0 user interface view. [sw4800g] user-interface vty 0 # Configure to authenticate users logging in to VTY 0 using the local ...

  • Page 55

    Telnet Configuration with Authentication Mode Being Scheme 55. Configure the authentication scheme: enter the default ISP domain view / domain domain name / optional; by default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning...

  • Page 56

    56 Chapter 3: Logging In Through Telnet. Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging in to a switch depends on the authentication-mode scheme [ command-authorization ] command, the user privilege level level command, and t...

  • Page 57

    Telnet Configuration with Authentication Mode Being Scheme 57. Note: refer to “AAA/RADIUS/HWTACACS Configuration” on page 747 and “SSH Configuration” on page 1107. Table 15 Determine the command level when users logging in to switches are authenticated in the scheme mode (Scenario / Command level): authentica...

  • Page 58

    58 Chapter 3: Logging In Through Telnet. Configuration example. Network requirements: assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in to VTY 0: ■ configure the name of the local user to be “guest”. ■ set the authentication password...

  • Page 59

    Telnet Connection Establishment 59. # Set the maximum number of lines the screen can contain to 30. [sw4800g-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [sw4800g-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [s...

  • Page 60

    60 Chapter 3: Logging In Through Telnet. Figure 13 Network diagram for Telnet connection establishment. Step 4: launch Telnet on your PC, with the IP address of the management VLAN interface of the switch as the parameter, as shown in the following figure. Figure 14 Launch Telnet. Step 5: enter th...

  • Page 61

    Telnet Connection Establishment 61. two Ethernet ports belong to are of the same network segment, or the route between the two VLAN interfaces is available. As shown in Figure 15, after telnetting to a switch (labeled as Telnet client), you can Telnet to another switch (labeled as Telnet server) by e...

  • Page 62

    62 Chapter 3: Logging In Through Telnet.

  • Page 63: Logging In Using Modem

    4 Logging In Using Modem. Introduction: the administrator can log in to the console port of a remote switch using a modem through the PSTN (public switched telephone network), if the remote switch is connected to the PSTN through a modem, to configure and maintain the switch remotely. When a network oper...

  • Page 64

    64 Chapter 4: Logging In Using Modem. Note: the above configuration is unnecessary for the modem on the administrator side. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch configuration. Note: af...

  • Page 65

    Modem Connection Establishment 65. Note: ■ The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. ■ It is recommended that the baud rate of the AUX port (also the console port) be set to a value lower than t...

  • Page 66

    66 Chapter 4: Logging In Using Modem. Figure 17 Set the telephone number. Figure 18 Call the modem. Step 5: provide the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any time for h...

  • Page 67: Logging In Through Web-Based Network Management System

    5 Logging In Through Web-Based Network Management System. Introduction: a Switch 4800G has a Web server built in. You can log in to a Switch 4800G through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to a Switch 4800G throu...

  • Page 68

    68 Chapter 5: Logging In Through Web-Based Network Management System. # Configure the user name to be admin. [sw4800g] local-user admin # Set the user level to level 3. [sw4800g-luser-admin] service-type telnet level 3 # Set the password to admin. [sw4800g-luser-admin] password simple admin ...

  • Page 69

    Displaying Web Users 69. Displaying Web users: after the above configurations, execute the display command in any view to display the information about Web users, and thus to verify the configuration effect. Start the Web server / ip http enable / required; execute this command in system view. To do… / Use t...

  • Page 70

    70 Chapter 5: Logging In Through Web-Based Network Management System.

  • Page 71: Logging In Through NMS

    6 Logging In Through NMS. Introduction: you can also log in to a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch. ■ The agent here refers to the software running on network devices (switches) and acting as the server. ■ SNM...

  • Page 72

    72 Chapter 6: Logging In Through NMS.

  • Page 73: Configuring Source IP Address for Telnet Service Packets

    7 Configuring Source IP Address for Telnet Service Packets. Go to these sections for information you are interested in: ■ “Overview” on page 73 ■ “Configuring Source IP Address for Telnet Service Packets” on page 73 ■ “Displaying the Source IP Address/Interface Specified for Telnet Packets” on ...

  • Page 74

    74 Chapter 7: Configuring Source IP Address for Telnet Service Packets. Note: to perform the configurations listed in Table 20 and Table 21, make sure that ■ the IP address specified is that of the local device. ■ the interface specified exists. ■ if a source IP address (or source interface) is sp...

  • Page 75: Controlling Login Users

    8 Controlling Login Users. Introduction: a switch provides ways to control different types of login users, as listed in Table 22. Controlling Telnet users. Prerequisites: the controlling policy against Telnet users is determined, including the source and destination IP addresses to be controlled and ...

  • Page 76

    76 Chapter 8: Controlling Login Users. Controlling Telnet users by source and destination IP addresses: controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to “ACL Overview” on page 835 for information a...

  • Page 77

    Controlling Telnet Users 77. Configuration example. Network requirements: only the Telnet users sourced from the IP addresses 10.110.100.52 and 10.110.100.46 are permitted to log in to the switch. Network diagram: Figure 22 Network diagram for controlling Telnet users using ACLs. Configuration procedure...

  • Page 78

    78 Chapter 8: Controlling Login Users. Controlling network management users by source IP addresses: you can manage a Switch 4800G through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network mana...

  • Page 79

    Controlling Web Users by Source IP Address 79. As the SNMP community name is a feature of SNMPv1 and SNMPv2c, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect in the network management systems that adopt SNMPv1 or SNMPv2c. Similarly, as...

  • Page 80

    80 Chapter 8: Controlling Login Users. You need to perform the following two operations to control Web users by source IP addresses. ■ Defining an ACL ■ Applying the ACL to control Web users. Prerequisites: the controlling policy against Web users is determined, including the source IP addresses to...

  • Page 81

    Controlling Web Users by Source IP Address 81. Configuration procedure # Define a basic ACL. system-view [sw4800g] acl number 2030 match-order config [sw4800g-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [sw4800g-acl-basic-2030] rule 2 deny source any # Apply the ACL to only permit the Web us...

  • Page 82

    82 Chapter 8: Controlling Login Users.

  • Page 83: VLAN Configuration

    9 VLAN Configuration. When configuring VLAN, go to these sections for information you are interested in: ■ “Introduction to VLAN” on page 83 ■ “Configuring Basic VLAN Attributes” on page 86 ■ “Basic VLAN Interface Configuration” on page 86 ■ “Port-Based VLAN Configuration” on page 87 ■ “MAC Address-...

  • Page 84

    84 Chapter 9: VLAN Configuration. Figure 25 A VLAN diagram. A VLAN is not restricted by physical factors; that is to say, hosts that reside in different network segments may belong to the same VLAN, and users in a VLAN can be connected to the same switch, or span across multiple switches or routers. VLA...

  • Page 85

    Introduction to VLAN 85. IEEE 802.1Q defines a four-byte VLAN tag between the DA&SA field and the Type field to carry VLAN-related information, as shown in Figure 27. Figure 27 The position and the format of the VLAN tag. The VLAN tag comprises four fields: the tag protocol identifier (TPID) field, the...

  • Page 86

    86 Chapter 9: VLAN Configuration. Configuring basic VLAN attributes: follow these steps to configure basic VLAN attributes. Note: ■ As the default VLAN, VLAN 1 cannot be created or removed. ■ You cannot manually create or remove reserved VLANs, which are reserved for specific functions. ■ Dynamic VLANs ...

  • Page 87

    Port-Based VLAN Configuration 87. Note: before creating a VLAN interface, ensure that the corresponding VLAN already exists. Otherwise, the specified VLAN interface will not be created. Port-based VLAN configuration. Introduction to port-based VLAN: this is the simplest and yet the most effective way of cl...

  • Page 88

    88 Chapter 9: VLAN Configuration. Default VLAN: you can configure the default VLAN for a port. By default, VLAN 1 is the default VLAN for all ports. However, this can be changed as needed. ■ An access port only belongs to one VLAN. Therefore, its default VLAN is the VLAN it resides in and cannot be ...

  • Page 89

    Port-Based VLAN Configuration 89. Follow these steps to configure the access-port-based VLAN in Ethernet port view/port group view. Note: to add an access port to a VLAN, make sure the VLAN already exists. Configuring a trunk-port-based VLAN: a trunk port may belong to multiple VLANs, and you can only per...

  • Page 90

    90 Chapter 9: VLAN Configuration. Note: ■ To convert a trunk port into a hybrid port (or vice versa), you need to use the access port as a medium. For example, the trunk port has to be configured as an access port first and then a hybrid port. ■ The default VLAN IDs of the trunk ports on the local and ...

  • Page 91

    MAC Address-Based VLAN Configuration 91. MAC address-based VLAN configuration. Introduction to MAC address-based VLAN: with MAC address-based VLANs created, the VLAN to which a packet belongs is determined by its source MAC address, and packets in a MAC address-based VLAN are forwarded after being tagg...

  • Page 92

    92 Chapter 9: VLAN Configuration. Protocol-based VLAN configuration. Introduction to protocol-based VLAN. Note: protocol-based VLANs are only applicable to hybrid ports. In this approach, inbound packets are assigned different VLAN IDs based on their protocol type and encapsulation format. The proto...

  • Page 93

    Protocol-Based VLAN Configuration 93. The port processes a tagged packet (that is, a packet carrying a VLAN tag) in the same way as it processes packets of a port-based VLAN. ■ If the port is configured to permit the VLAN identified by this VLAN tag, the port forwards the packet. ■ If the port is con...

  • Page 94

    94 Chapter 9: VLAN Configuration. template for LLC encapsulation. Otherwise, the encapsulation format of the matching packets will be the same as that of the IPX LLC or IPX raw packets respectively. ■ When you use the mode keyword to configure a user-defined protocol template, do not set etype-id i...

  • Page 95

    Displaying and Maintaining VLAN 95. Displaying and maintaining VLAN. VLAN configuration example. Network requirements: ■ Device A connects to Device B through trunk port GigabitEthernet 1/0/1; ■ the default VLAN ID of the port is 100; ■ this port allows packets from VLAN 2, VLAN 6 through VLAN 50, and V...

  • Page 96

    96 Chapter 9: VLAN Configuration. Configuration procedure. 1 Configure Device A # Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100. system-view [devicea] vlan 2 [devicea-vlan2] quit [devicea] vlan 100 [devicea-vlan100] vlan 6 to 50 Please wait... Done. # Enter GigabitEthernet 1/0/1 port view. [de...

  • Page 97

    VLAN Configuration Example 97. Link delay is 0(sec) Port link-type: trunk Tagged VLAN ID : 2, 6-50, 100 Untagged VLAN ID : 2, 6-50, 100 Port priority: 0 Last 300 seconds input: 8 packets/sec 1513 bytes/sec 0% Last 300 seconds output: 1 packets/sec 179 bytes/sec 0% Input (total): 25504971 packets, 139...

  • Page 98

    98 Chapter 9: VLAN Configuration.

  • Page 99: Voice VLAN Configuration

    10 Voice VLAN Configuration. When configuring voice VLAN, go to these sections for information you are interested in: ■ “Introduction to Voice VLAN” on page 99 ■ “Configuring Voice VLAN” on page 101 ■ “Displaying and Maintaining Voice VLAN” on page 103 ■ “Voice VLAN Configuration Examples” on page ...

  • Page 100

    100 Chapter 10: Voice VLAN Configuration. and matches it against the OUI addresses. If a match is found, the system will automatically add the port into the voice VLAN, apply ACL rules and configure the packet precedence. An aging time can be configured for the voice VLAN. The system will remov...

  • Page 101

    Configuring Voice VLAN 101. Caution: ■ If the voice traffic sent by an IP phone is tagged and the access port has 802.1X authentication and guest VLAN enabled, assign different VLAN IDs for the voice VLAN, the default VLAN of the access port, and the 802.1X guest VLAN. ■ If the voice traffic s...

  • Page 102

    102 Chapter 10: Voice VLAN Configuration. Note: ■ Do not configure a VLAN as both a protocol-based VLAN and a voice VLAN, because a protocol-based VLAN requires that the inbound packets on the hybrid port are untagged packets (refer to section “Protocol-Based VLAN Configuration” on page 92), whereas t...

  • Page 103

    Displaying and Maintaining Voice VLAN 103. Note: ■ Only one VLAN of a device can have the voice VLAN function enabled at a time, and the VLAN must be an existing static VLAN. ■ A port that is in a link aggregation port group cannot have the voice VLAN feature enabled. ■ If a port is enabled with voice VL...

  • Page 104

    104 Chapter 10: Voice VLAN Configuration. Network diagram: Figure 29 Network diagram for automatic voice VLAN mode configuration. Configuration procedure # Create VLAN 2 and VLAN 6. system-view [devicea] vlan 2 [devicea-vlan2] quit [devicea] vlan 6 [devicea-vlan6] quit # Configure the voice VLAN agi...

  • Page 105

    Voice VLAN Configuration Examples 105. [devicea-gigabitethernet1/0/1] voice vlan enable [devicea-gigabitethernet1/0/1] return. Verification # Display information about the OUI addresses, OUI address masks, and descriptive strings. display voice vlan oui (Oui Address / Mask / Description): 0001-e300-0000 ffff...

  • Page 106

    106 Chapter 10: Voice VLAN Configuration. Network diagram: Figure 30 Network diagram for manual voice VLAN mode configuration. Configuration procedure # Configure the voice VLAN to work in security mode so that only legal voice packets are allowed to pass through the voice-VLAN-enabled port. (Optional, enabl...

  • Page 107

    Voice VLAN Configuration Examples 107. Verification # Display information about the OUI addresses, OUI address masks, and descriptive strings. display voice vlan oui (Oui Address / Mask / Description): 0001-e300-0000 ffff-ff00-0000 Siemens phone; 0003-6b00-0000 ffff-ff00-0000 Cisco phone; 0004-0d00-0000 ffff-...

  • Page 108

    108 Chapter 10: Voice VLAN Configuration.

  • Page 109: GVRP Configuration

    11 GVRP Configuration. GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for information ...

  • Page 110

    110 Chapter 11: GVRP Configuration GARP participant sends LeaveAll messages upon the expiration of the LeaveAll timer, which is started when the GARP participant is created. Join messages, Leave messages, and LeaveAll messages ensure that the reregistration and deregistration of GARP attributes are...

  • Page 111

    Introduction to GVRP 111 GARP participants send protocol data units (PDUs) with a particular multicast MAC address as the destination. Based on this address, a device can identify to which GARP application (GVRP, for example) a GARP PDU should be delivered. GARP message format: The following figure illustr...

  • Page 112

    112 Chapter 11: GVRP Configuration. GVRP: GVRP enables a device to propagate local VLAN registration information to other participant devices and to dynamically update its local database with the VLAN registration information received from other devices, recording the active VLAN members and through which port they can be...

  • Page 113

    Configuring GVRP 113 Note: Because GVRP is not compatible with the BPDU tunneling feature, you must disable BPDU tunneling before enabling GVRP on a BPDU tunneling-enabled Ethernet port. Configuring GARP timers: Follow these steps to configure GARP timers. As for the GARP timers, note that: ■ the setting...

  • Page 114

    114 Chapter 11: GVRP Configuration. Displaying and maintaining GVRP. GVRP configuration examples. GVRP configuration example I. Network requirements: Configure GVRP for dynamic VLAN information registration and update among devices, adopting the normal registration mode on ports. Network diagram: Figure...

  • Page 115

    GVRP Configuration Examples 115 Configuration procedure: 1 Configure Device A. # Enable GVRP globally. system-view [devicea] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass. [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] port link-type ...

  • Page 116

    116 Chapter 11: GVRP Configuration. GVRP configuration example II. Network requirements: Configure GVRP for dynamic VLAN information registration and update among devices. Specify fixed GVRP registration on Device A and normal GVRP registration on Device B. Network diagram: Figure 33 Network diagram f...

  • Page 117

    GVRP Configuration Examples 117 [deviceb-gigabitethernet1/0/1] gvrp [deviceb-gigabitethernet1/0/1] quit # Create VLAN 3 (a static VLAN). [sysname] vlan 3 3 Verify the configuration. # Display dynamic VLAN information on Device A. [devicea] display vlan dynamic no dynamic vlans exist! # Display dynami...

  • Page 118

    118 Chapter 11: GVRP Configuration [devicea] vlan 2 2 Configure Device B. # Enable GVRP globally. system-view [deviceb] gvrp # Configure port GigabitEthernet 1/0/1 as a trunk port, allowing all VLANs to pass. [deviceb] interface gigabitethernet 1/0/1 [deviceb-gigabitethernet1/0/1] port link-type tr...

  • Page 119

    GVRP Configuration Examples 119 [deviceb] display vlan dynamic no dynamic vlans exist!


  • Page 121: IP Addressing Configuration

    12 IP Addressing Configuration. When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: ■ “IP addressing overview” on page 121 ■ “Configuring IP addresses” on page 123 ■ “Displaying and maintaining IP addressing” on page 126 IP addressin...

  • Page 122

    122 Chapter 12: IP Addressing Configuration. Table 27 describes the address ranges of these five classes. Currently, the first three classes of IP addresses are the ones in wide use. Special case IP addresses: The following IP addresses are reserved for special use and cannot be used as host IP addresses:...

  • Page 123

    Configuring IP Addresses 123 Figure 36 Subnetting a Class B network. While allowing you to create multiple logical networks within a single Class A, B, or C network, subnetting is transparent to the rest of the Internet. All these networks still appear as one. As subnetting adds an additional level, subn...

  • Page 124

    124 Chapter 12: IP Addressing Configuration. Caution: ■ The primary IP address you assign to the interface overwrites the old one, if there is any. ■ An interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DH...

  • Page 125

    Configuring IP Addresses 125 Network diagram: Figure 37 Network diagram for IP addressing configuration. Configuration procedure: # Assign a primary IP address and a secondary IP address to VLAN-interface 1. system-view [switch] interface vlan-interface 1 [switch-vlan-interface1] ip address 172.16.1.1 ...

  • Page 126

    126 Chapter 12: IP Addressing Configuration ping 172.16.2.2 ping 172.16.2.2: 56 data bytes, press ctrl_c to break reply from 172.16.2.2: bytes=56 sequence=1 ttl=255 time=25 ms reply from 172.16.2.2: bytes=56 sequence=2 ttl=255 time=26 ms reply from 172.16.2.2: bytes=56 sequence=3 ttl=255 time=26 ...

  • Page 127: IP Performance Configuration

    13 IP Performance Configuration. When configuring IP performance, go to these sections for information you are interested in: ■ “IP performance overview” on page 127 ■ “Enabling reception and forwarding of directed broadcasts to a directly connected network” on page 127 ■ “Configuring TCP attribute...

  • Page 128

    128 Chapter 13: IP Performance Configuration. Enabling forwarding of directed broadcasts to a directly connected network: Follow these steps to enable the device to forward directed broadcasts. Note: ■ You can reference an ACL to forward only directed broadcasts permitted by the ACL. ■ If you execute t...

  • Page 129

    Configuring TCP Attributes 129 [switcha] interface vlan-interface 3 [switcha-vlan-interface3] ip address 1.1.1.2 24 [switcha-vlan-interface3] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [switcha-v...

  • Page 130

    130 Chapter 13: IP Performance Configuration. Caution: The actual length of the finwait timer is determined by the following formula: actual length of the finwait timer = (configured length of the finwait timer - 75) + configured length of the synwait timer. Configuring ICMP to send error packets...

  • Page 131

    Configuring ICMP to Send Error Packets 131 ■ When the device receives the first fragment of an IP datagram destined for the device itself, it starts a timer. If the timer expires before all the fragments of the datagram are received, the device sends a "reassembly timeout" ICMP err...

  • Page 132

    132 Chapter 13: IP Performance Configuration. Note: ■ The device stops sending "network unreachable" and "source route failure" ICMP error packets after sending of ICMP destination unreachable packets is disabled. However, other destination unreachable packets can still be sent normally. ■ The device stops sen...

  • Page 133: QinQ Configuration

    14 QinQ Configuration. When configuring QinQ, go to these sections for information you are interested in: ■ “Introduction to QinQ” on page 133 ■ “Configuring basic QinQ” on page 135 ■ “Configuring selective QinQ” on page 136 ■ “Configuring the TPID value to be carried in VLAN tags” on page 137 ■ “...

  • Page 134

    134 Chapter 14: QinQ Configuration. Figure 39 Single-tagged frame structure vs. double-tagged Ethernet frame structure. Advantages of QinQ: ■ Addresses the shortage of public VLAN ID resources. ■ Enables customers to plan their own VLAN IDs without running into conflicts with public network VLAN I...

  • Page 135

    Configuring Basic QinQ 135 Figure 40 VLAN tag structure of an Ethernet frame. The device determines whether a received frame carries a service provider VLAN tag or a customer VLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPI...

  • Page 136

    136 Chapter 14: QinQ Configuration. Configuring selective QinQ: The outer VLAN tag added to a frame by the basic QinQ feature is the VLAN tag corresponding to the port’s default VLAN ID, while the selective QinQ feature allows adding different outer VLAN tags based on different inner VLAN tags. Wi...

  • Page 137

    Configuring the TPID Value to Be Carried in VLAN Tags 137 Configuring the TPID value to be carried in VLAN tags: You can configure the TPID value to be carried in VLAN tags globally (the configuration takes effect on all ports of the device). QinQ configuration example. Network requirements: ■ Pr...

  • Page 138

    138 Chapter 14: QinQ Configuration. Network diagram: Figure 41 Network diagram for QinQ configuration. Configuration procedure: Note: With this configuration, the user must allow the QinQ packets to pass between the devices of the service providers. 1 Configuration on Provider A. # Enter system view. sys...

  • Page 139

    QinQ Configuration Example 139 # Configure the port to tag frames from VLAN 20 with an outer tag carrying VLAN ID 2000. [providera-gigabitethernet1/0/1] qinq vid 2000 [providera-gigabitethernet1/0/1-vid-2000] raw-vlan-id inbound 20 [providera-gigabitethernet1/0/1-vid-2000] quit [providera-gigabit...

  • Page 140

    140 Chapter 14: QinQ Configuration [providerb] interface gigabitethernet 1/0/2 [providerb-gigabitethernet1/0/2] port access vlan 2000 # Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag carrying VLAN ID 2000. [providerb-gigabitethernet1/0/2] qinq enable 3 Configuration on D...

  • Page 141: BPDU Tunneling Configuration

    15 BPDU Tunneling Configuration. When configuring BPDU tunneling, go to these sections for information you are interested in: ■ “Introduction to BPDU tunneling” on page 141 ■ “Configuring BPDU isolation” on page 142 ■ “Configuring BPDU transparent transmission” on page 143 ■ “Configuring destinatio...

  • Page 142

    142 Chapter 15: BPDU Tunneling Configuration. BPDU isolation: When a port receives BPDUs from other networks, the port discards them so that they do not take part in the spanning tree calculation. Refer to “Configuring BPDU isolation” on page 142. BPDU transparent transmission: As shown in Fig...

  • Page 143

    Configuring BPDU Transparent Transmission 143 Note: ■ BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect. ■ The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For an introduction to...

  • Page 144

    144 Chapter 15: BPDU Tunneling Configuration. Note: ■ BPDU tunneling must be enabled globally before the BPDU tunnel configuration for a port can take effect. ■ The BPDU tunneling feature is incompatible with the GVRP feature, so these two features cannot be enabled at the same time. For an introduction ...

  • Page 145

    BPDU Tunneling Configuration Example 145 Network diagram: Figure 43 Network diagram for BPDU tunneling configuration. Configuration procedure: 1 Configuration on Provider A. # Configure BPDU transparent transmission on GigabitEthernet 1/0/1. system-view [providera] interface gigabitethernet 1/0/1 [provi...

  • Page 146

    146 Chapter 15: BPDU Tunneling Configuration # Configure BPDU transparent transmission on GigabitEthernet 1/0/4. [providerc-gigabitethernet1/0/3] quit [providerc] interface gigabitethernet 1/0/4 [providerc-gigabitethernet1/0/4] port access vlan 2 [providerc-gigabitethernet1/0/4] stp disable [prov...

  • Page 147: Port Correlation Configuration

    16 Port Correlation Configuration. When configuring Ethernet ports, go to these sections for information you are interested in: ■ “Ethernet port configuration” on page 147 ■ “Maintaining and displaying an Ethernet port” on page 156 Ethernet port configuration: Complete the following tasks to config...

  • Page 148

    148 Chapter 16: Port Correlation Configuration. Note: The speed 1000 command is applicable only to GigabitEthernet ports. Combo port configuration. Introduction to combo port: A combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interf...

  • Page 149

    Ethernet Port Configuration 149 For detailed information about combo ports and the corresponding physical ports, refer to the installation manual. Enabling flow control on an Ethernet port: When flow control is enabled on both sides and traffic congestion occurs on one side, that side sends a paus...

  • Page 150

    150 Chapter 16: Port Correlation Configuration ■ Internal loopback test, which is performed within the switching chips to test the functions related to the Ethernet ports. ■ External loopback test, which is used to test the hardware functions of an Ethernet port. To perform external loopback testing...

  • Page 151

    Ethernet Port Configuration 151 Follow these steps to configure a manual port group. Note: For more information, refer to “Aggregation port group” on page 166. Configuring the broadcast/multicast/unknown unicast storm suppression ratio for an Ethernet port: You can use the following commands to suppress t...

  • Page 152

    152 Chapter 16: Port Correlation Configuration. Note: If you set storm suppression ratios in Ethernet port view or port group view repeatedly for an Ethernet port that belongs to a port group, only the latest settings take effect. Setting the interval for collecting Ethernet port statistics: Follow th...

  • Page 153

    Ethernet Port Configuration 153 Enabling loopback detection on an Ethernet port: A loop occurs when a port receives the packets that it sent out. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on a port. With loopback detection enabled on an Ethernet port, the dev...

  • Page 154

    154 Chapter 16: Port Correlation Configuration. An Ethernet interface on a device can operate in one of the following three medium dependent interface (MDI) modes: ■ Across mode, where the Ethernet interface accepts only crossover cables. ■ Normal mode, where the Ethernet interface accepts only stra...

  • Page 155

    Ethernet Port Configuration 155 Configuring the storm constrain function on an Ethernet port: The storm constrain function suppresses packet storms in an Ethernet. With this function enabled on a port, the system monitors the unicast, multicast, or broadcast traffic passing through the ...

  • Page 156

    156 Chapter 16: Port Correlation Configuration. Note: ■ For network stability, configure the interval for generating traffic statistics to a value that is not shorter than the default. ■ The storm constrain function is applicable to multicast packets and broadcast packets on a port, and...

  • Page 157: Port Isolation Configuration

    17 Port Isolation Configuration. When configuring port isolation, go to these sections for information you are interested in: ■ “Introduction to port isolation” on page 157 ■ “Configuring an isolation group” on page 157 ■ “Displaying isolation groups” on page 158 ■ “Port isolation configuration ex...

  • Page 158

    158 Chapter 17: Port Isolation Configuration. Displaying isolation groups. Port isolation configuration example. Networking requirements: ■ Users Host A, Host B, and Host C are connected to GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 of Device. ■ Device is connected to an ext...

  • Page 159

    Port Isolation Configuration Example 159 [device] interface gigabitethernet1/0/3 [device-gigabitethernet1/0/3] port-isolate enable # Display the information about the isolation group. display port-isolate group port-isolate group information: uplink port support: no group id: 1 gigabitethernet1/0/1 ...


  • Page 161: Link Aggregation Overview

    18 Link Aggregation Overview. This chapter covers these topics: ■ “Link aggregation” on page 161 ■ “Approaches to link aggregation” on page 162 ■ “Load sharing in a link aggregation group” on page 165 ■ “Service loop group” on page 165 ■ “Aggregation port group” on page 166 Link aggregation: Link a...

  • Page 162

    162 Chapter 18: Link Aggregation Overview. Approaches to link aggregation: Two ways are available for implementing link aggregation, as described in “Manual link aggregation” on page 163 and “Static LACP link aggregation” on page 164. Table 29 Consistency considerations for ports in an aggregation...

  • Page 163

    Approaches to Link Aggregation 163 Manual link aggregation. Overview: Manual aggregations are created manually. Member ports in a manual aggregation are LACP-disabled. Port states in a manual aggregation: In a manual aggregation group, ports are either selected or unselected. Selected ports can receive...

  • Page 164

    164 Chapter 18: Link Aggregation Overview. When the configuration of a port in a manual aggregation group changes, the system does not remove the aggregation; instead, it resets the selected/unselected state of the member ports and reselects a master port. Static LACP link aggregation. Overvi...

  • Page 165

    Load Sharing in a Link Aggregation Group 165 You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you need to do it port by port. As a solution, you may add the ports into...

  • Page 166

    166 Chapter 18: Link Aggregation Overview group. At present, you may specify four types of services to redirect: ipv6 (IPv6 unicast), ipv6mc (IPv6 multicast), tunnel, and mpls. Note: Currently, the Switch 4800G supports redirecting tunnel services only. After creating a service loop group, assign...

  • Page 167: Link Aggregation Configuration

    19 Link Aggregation Configuration. When configuring link aggregation, go to these sections for information you are interested in: ■ “Configuring link aggregation” on page 167 ■ “Displaying and maintaining link aggregation” on page 169 ■ “Link aggregation configuration example” on page 170 Configur...

  • Page 168

    168 Chapter 19: Link Aggregation Configuration ■ To make an aggregation group function properly, make sure the selected states of the ports on both sides of the same link are the same. Configuring a static LACP link aggregation group: Follow these steps to configure a static aggregation gr...

  • Page 169

    Displaying and Maintaining Link Aggregation 169 Configuring a service loop group: Follow these steps to configure a service loop group. Note: ■ You can remove any service loop group except those that are currently referenced by modules. ■ For a service loop group containing only one port, the only way to...

  • Page 170

    170 Chapter 19: Link Aggregation Configuration. Link aggregation configuration example. Network requirements: ■ Switch A aggregates ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to form one link connected to Switch B and performs load sharing among these ports. ■ Create a tunnel service...

  • Page 171

    Link Aggregation Configuration Example 171 system-view [switcha] link-aggregation group 1 mode static # Add ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to the group. [switcha] interface gigabitethernet 1/0/1 [switcha-gigabitethernet1/0/1] port link-aggregation group 1 [switcha-gigabite...


  • Page 173: MAC Address Table Management Configuration

    20 MAC Address Table Management Configuration. When configuring MAC address table management, go to these sections for information you are interested in: ■ “Introduction to MAC address table” on page 173 ■ “Configuring MAC address table management” on page 174 ■ “Displaying and maintaining MAC ad...

  • Page 174

    174 Chapter 20: MAC Address Table Management Configuration. As shown in Figure 46, when forwarding a frame, the switch looks up the MAC address table. If an entry is available for the destination MAC address, the switch forwards the frame directly in hardware. If not, it does the following...

  • Page 175

    Configuring MAC Address Table Management 175 Note: Do not configure a static or dynamic MAC address entry on an aggregation port. Configuring the MAC address aging timer: The MAC address table on your device has an aging mechanism for dynamic entries to prevent its resources from being exhauste...

  • Page 176

    176 Chapter 20: MAC Address Table Management Configuration. Displaying and maintaining MAC address table management. MAC address table management configuration example. Network requirements: Log onto your device from the console port to configure MAC address table management as follows: ■ Set the a...

  • Page 177: IP Source Guard Configuration

    21 IP Source Guard Configuration. When configuring IP source guard, go to these sections for information you are interested in: ■ “IP source guard overview” on page 177 ■ “Configuring a static binding entry” on page 177 ■ “Configuring dynamic binding function” on page 178 ■ “Displaying IP source g...

  • Page 178

    178 Chapter 21: IP Source Guard Configuration. Note: ■ The system does not support configuring the same binding entry on one port more than once. A binding entry can be configured on multiple ports. ■ In a valid binding entry, the MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast addres...

  • Page 179

    IP Source Guard Configuration Examples 179 ■ On port GigabitEthernet1/0/2 of Switch A, only IP packets with the source MAC address 00-01-02-03-04-05 and the source IP address 192.168.0.3 can pass. ■ On port GigabitEthernet1/0/1 of Switch A, only IP packets with the source MAC address of 00-01-...

  • Page 180

    180 Chapter 21: IP Source Guard Configuration 2 Configure Switch B. # Configure the IP addresses of the various interfaces (omitted). # Configure port GigabitEthernet1/0/1 of Switch B to allow only IP packets with the source MAC address 00-01-02-03-04-06 and the source IP address 192.168.0.1 to...

  • Page 181

    IP Source Guard Configuration Examples 181 Network diagram: Figure 48 Network diagram for configuring dynamic binding. Configuration procedure: 1 Configure Switch A. # Configure dynamic binding on port GigabitEthernet1/0/1. system-view [switcha] interface gigabitethernet 1/0/1 [switcha-gigabitethernet1/...

  • Page 182

    182 Chapter 21: IP Source Guard Configuration. Troubleshooting: Failed to configure static binding entries and dynamic binding function. Symptom: Configuring static binding entries and the dynamic binding function fails on a port. Analysis: IP source guard is not supported on a port that has joined an...

  • Page 183: DLDP Configuration

    22 DLDP Configuration. When performing DLDP configuration, go to these sections for information you are interested in: ■ “Overview” on page 183 ■ “DLDP configuration task list” on page 190 ■ “Enabling DLDP” on page 190 ■ “Setting DLDP mode” on page 191 ■ “Setting the interval for sending advertiseme...

  • Page 184

    184 Chapter 22: DLDP Configuration. Figure 49 Unidirectional fiber link: cross-connected fiber. Figure 50 Unidirectional fiber link: fiber not connected or disconnected. DLDP introduction: Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a...

  • Page 185

    Overview 185 DLDP fundamentals. DLDP link states: A device is in one of these DLDP link states: Initial, Inactive, Active, Advertisement, Probe, Disable, and DelayDown, as described in Table 30. DLDP timers. Table 30 DLDP link states (State / Description): Initial: This state indicates that DLDP is not enabl...

  • Page 186

    186 Chapter 22: DLDP Configuration. DLDP mode: DLDP can operate in two modes, normal mode and enhanced mode, as described below. ■ In normal DLDP mode, when an entry timer expires, the device removes the corresponding neighbor entry and sends an advertisement packet with the RSY tag. ■ In enhanced DLDP ...

  • Page 187

    Overview 187 The enhanced DLDP mode is designed to address black holes. It prevents the cases where one end of a link is up and the other is down. If you force the speed and the duplex mode on a device, the situation shown in Figure 51 may occur, where Port B is actually down but th...

  • Page 188

    188 Chapter 22: DLDP Configuration ■ MD5 authentication. In this mode, before sending a packet, the sending side computes an MD5 digest of the user-configured password, places the digest in the authentication field, and sets the authentication type field to 2. The receiving side checks the val...

  • Page 189

    Overview 189 3 If no echo packet is received from the neighbor, DLDP performs the following processing. DLDP neighbor state: A DLDP neighbor can be in one of the three states described in Table 36. You can check the state of a DLDP neighbor by using the display dldp command. Echo packet retrieves the...

  • Page 190

    190 Chapter 22: DLDP Configuration. DLDP configuration task list: Complete the following tasks to configure DLDP. Note: ■ DLDP works only when the link is up. ■ To ensure that unidirectional links can be detected, make sure these settings are the same on both sides: DLDP state (enabled/disabled), the int...

  • Page 191

    DLDP Configuration Task List 191 Note: DLDP takes effect only when it is enabled both globally and on a port. Setting DLDP mode: Follow these steps to set the DLDP mode. Setting the interval for sending advertisement packets: You can set the interval for sending advertisement packets to enable unidirectional ...

  • Page 192

    192 Chapter 22: DLDP Configuration. Setting the port shutdown mode: On detecting a unidirectional link, the ports can be shut down in one of the following two modes. ■ Manual mode. This mode applies to networks with low performance, where normal links may be treated as unidirectional links. It prote...

  • Page 193

    Displaying and Maintaining DLDP 193 Resetting DLDP state: After a unidirectional link is detected, DLDP shuts down the corresponding port. To enable the port to perform DLDP detection again, you can reset the DLDP state for it. A port can be in a different state after you reset the DLDP state for it. That is, it ...

  • Page 194

    194 Chapter 22: DLDP Configuration ■ It is desired that unidirectional links be disconnected once detected, and that the ports shut down by DLDP be restored after the fiber connections are corrected. Network diagram: Figure 52 Network diagram for DLDP configuration. Configuration procedur...

  • Page 195

    Troubleshooting 195 # Check the information about DLDP. [devicea] display dldp dldp global status : enable dldp interval : 6s dldp work-mode : enhance dldp authentication-mode : none dldp unidirectional-shutdown : auto dldp delaydown-timer : 2s the number of enabled ports is 2. interface gigabitethe...


  • Page 197: MSTP Configuration

    23 MSTP Configuration. When configuring MSTP, go to these sections for information you are interested in: ■ “MSTP overview” on page 197 ■ “Configuring the root bridge” on page 213 ■ “Configuring leaf nodes” on page 224 ■ “Performing mCheck” on page 228 ■ “Configuring protection functions” on page 23...

  • Page 198

    198 Chapter 23: MSTP Configuration. Basic concepts in STP: 1 Root bridge. A tree network must have a root; hence the concept of “root bridge” was introduced in STP. There is one and only one root bridge in the entire network, and the root bridge can change along with changes of the network topol...

  • Page 199

    MSTP Overview 199 Figure 53 A schematic diagram of designated bridges and designated ports. Path cost: Path cost is a reference value used for link selection in STP. By calculating the path cost, STP selects relatively “robust” links and blocks redundant links, and finally prunes the network into a loop...

  • Page 200

    200 Chapter 23: MSTP Configuration ■ Designated port ID (in the form of port name). 1 Specific calculation process of the STP algorithm. ■ Initial state: Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in which the root path cost is 0, the designated bridge ID ...

  • Page 201

    MSTP Overview 201 Note: When the network topology is stable, only the root port and designated ports forward traffic, while all other ports are in the blocked state: they receive STP packets but do not forward user traffic. Once the root bridge, the root port on each non-root bridge and the designated...

  • Page 202

    202 Chapter 23: MSTP Configuration ■ Comparison process and result on each device: The following table shows the comparison process and result on each device. Table 40 Initial state of each device (Device / Port name / BPDU of port): Device A: AP1 {0, 0, 0, AP1}, AP2 {0, 0, 0, AP2}; Device B: BP1 {1, 0, 1, BP...

  • Page 203

    MSTP Overview 203 Device B: ■ Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. ■ Port BP2 receives the configurati...

  • Page 204

    204 Chapter 23: MSTP Configuration. After the comparison processes described in the table above, a spanning tree with Device A as the root bridge is stabilized, as shown in Figure 55. Device C: ■ Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received co...

  • Page 205

    MSTP Overview 205 Figure 55 The final calculated spanning tree. Note: To facilitate description, the spanning tree calculation process in this example is simplified; the actual process is more complicated. 2 The BPDU forwarding mechanism in STP: ■ Upon network initiation, every switch regards itself...

  • Page 206

    206 Chapter 23: MSTP Configuration transition. In STP, a newly elected root port or designated port requires twice the forward delay time before transitioning to the forwarding state, by which time the new configuration BPDU has been propagated throughout the network. ■ Hello time is the time interval at wh...

  • Page 207

    MSTP Overview 207 ■ MSTP prunes looped networks into a loop-free tree, thus avoiding proliferation and endless circulation of packets in a looped network. In addition, it provides multiple redundant paths for data forwarding, thus supporting load balancing of VLAN data in the data forwarding process. ■ MS...

  • Page 208

    208 Chapter 23: MSTP Configuration ■ the same region name, ■ the same VLAN-to-instance mapping (VLAN 1 is mapped to MST instance 1, VLAN 2 to MST instance 2, and the rest to the common and internal spanning tree (CIST); CIST refers to MST instance 0), and ■ the same MSTP revision level (not shown...

  • Page 209

    MSTP Overview 209 The common root bridge is the root bridge of the CIST. In Figure 56, for example, the common root bridge is a device in region A0. 9 Boundary port: A boundary port is a port that connects an MST region to another MST configuration, or to a single spanning-tree region running STP, or...

  • Page 210

    210 Chapter 23: MSTP Configuration. Figure 57 Port roles. Figure 57 helps explain these concepts, where: ■ Devices A, B, C, and D constitute an MST region. ■ Port 1 and Port 2 of Device A connect to the common root bridge. ■ Port 5 and Port 6 of Device C form a loop. ■ Port 3 and Port 4 of Device...

  • Page 211

    MSTP Overview 211 How MSTP works: MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are generated through calculation, each of which is called an MST instance. Among these MST instances, inst...

  • Page 212

    212 Chapter 23: MSTP Configuration ■ IEEE 802.1w: Rapid Spanning Tree Protocol ■ IEEE 802.1s: Multiple Spanning Tree Protocol. Configuration task list: Before configuring MSTP, you need to know the position of each device in each MST instance: root bridge or leaf node. In each instance, one, and on...

  • Page 213

    Configuring the root bridge 213 Note: in a network containing switches with both GVRP and MSTP enabled, GVRP messages travel along the CIST. If you want to advertise a VLAN through GVRP, be sure to map the VLAN to the CIST (MSTI 0) when configuring the VLAN-to-MSTI mapping table. For detailed informatio...

  • Page 214

    214 Chapter 23: MSTP Configuration. Note: ■ MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-MSTI mapping table, and revision level. ■ The 3Com series ...

  • Page 215

    Configuring the root bridge 215 Specifying the root bridge or a secondary root bridge: MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge using the commands provided by the system. Specifying the current...

  • Page 216

    216 Chapter 23: MSTP Configuration. MSTP will select the secondary root bridge with the lowest MAC address as the new root bridge. ■ When specifying the root bridge or a secondary root bridge, you can specify the network diameter and hello time. However, these two options are effective only for MST...

  • Page 217

    Configuring the root bridge 217 a device to a low value, you can specify the device as the root bridge of the spanning tree. An MSTP-compliant device can have different priorities in different MST instances. Configuration procedure: follow these steps to configure the priority of the current device: ...

  • Page 218

    218 Chapter 23: MSTP Configuration. Note: a larger maximum hops setting means a larger size of the MST region. Only the maximum hops configured on the regional root bridge can restrict the size of the MST region. Configuration example: # Set the maximum hops of the MST region to 30. system-view [sysname...

  • Page 219

    Configuring the root bridge 219 These three timers set on the root bridge of the CIST apply on all the devices on the entire switched network. Caution: ■ The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, ...

  • Page 220

    220 Chapter 23: MSTP Configuration. the upstream device within nine times the hello time, it will assume that the upstream device has failed and start a new spanning tree calculation process. In a very stable network, this kind of spanning tree calculation may occur because the upstream device is b...

  • Page 221

    Configuring the root bridge 221 Configuration example: # Set the maximum transmission rate of port GigabitEthernet 1/0/1 to 5. system-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] stp transmit-limit 5. Configuring ports as edge ports: if a port directly connects to a use...

  • Page 222

    222 Chapter 23: MSTP Configuration. Configuration procedure: follow these steps to configure whether a port or a group of ports connect to point-to-point links. Note: ■ In the case of link aggregation, every port in the aggregation group can be configured to connect to a point-to-point link. If a port w...

  • Page 223

    Configuring the root bridge 223 Configuration procedure: follow these steps to configure the MSTP packet format to be supported by a port or a group of ports. Note: ■ In MSTP mode, if a port is configured to recognize/send MSTP packets in a mode other than auto, and if it receives a packet in the format ...

  • Page 224

    224 Chapter 23: MSTP Configuration. Enabling the MSTP feature. Configuration procedure: follow these steps to enable the MSTP feature. Note: ■ You must enable MSTP for the device before any other MSTP-related configuration can take effect. ■ To control MSTP flexibly, you can use the stp disable or undo s...

  • Page 225

    Configuring leaf nodes 225 Configuring the maximum transmission rate of ports: refer to “Configuring the maximum transmission rate of ports” on page 220 in the section about root bridge configuration. Configuring ports as edge ports: refer to “Configuring ports as edge ports” on page 221 in the sectio...

  • Page 226

    226 Chapter 23: MSTP Configuration. Note: in the calculation of the path cost value of an aggregated link, 802.1D-1998 does not take into account the number of ports in the aggregated link, whereas 802.1t takes the number of ports in the aggregated link into account. The calculation formula is: path c...

  • Page 227

    Configuring leaf nodes 227 On an MSTP-compliant device, a port can have different priorities in different MST instances, and the same port can play different roles in different MST instances, so that data of different VLANs can be propagated along different physical paths, thus implementing per-VLAN...

  • Page 228

    228 Chapter 23: MSTP Configuration. Enabling the MSTP feature: refer to “Enabling the MSTP feature” on page 224 in the section about root bridge configuration. Performing mCheck: ports on an MSTP-compliant device have three working modes: STP-compatible mode, RSTP mode, and MSTP mode. In a switched n...

  • Page 229

    Configuring digest snooping 229 Configuring digest snooping: as defined in IEEE 802.1s, interconnected devices are in the same region only when the region-related configuration (domain name, revision level, VLAN-to-instance mappings) on them is identical. An MSTP-enabled device identifies devices in ...

  • Page 230

    230 Chapter 23: MSTP Configuration ■ You need to enable this feature both globally and on associated ports to make it take effect. It is recommended to enable the feature on all associated ports first and then globally, making all configured ports take effect, and to disable the feature globally to d...

  • Page 231

    Configuring No Agreement Check 231 Both RSTP and MSTP switches can perform rapid transition operation on a designated port only when the port receives an agreement packet from the downstream switch. The differences between RSTP and MSTP switches are: ■ For MSTP, the downstream device’s root port sen...

  • Page 232

    232 Chapter 23: MSTP Configuration. Prerequisites: ■ A device is the upstream one that is connected to another vendor’s MSTP-capable device via a point-to-point link. ■ Configure the same region name, revision level and VLAN-to-instance mappings on the two devices, placing them in the same region. ...

  • Page 233

    Configuring protection functions 233 Configuring protection functions: an MSTP-compliant device supports the following protection functions: ■ BPDU guard ■ Root guard ■ Loop guard ■ TC-BPDU attack guard. Note: ■ The Switch 4800G supports the BPDU guard, root guard and loop guard functions. ■ Among loop...

  • Page 234

    234 Chapter 23: MSTP Configuration. To prevent this situation from happening, MSTP provides the root guard function to protect the root bridge. If the root guard function is enabled on a port, this port will keep playing the role of designated port on all MST instances. Once this port receives a co...

  • Page 235

    Displaying and maintaining MSTP 235 Enabling TC-BPDU attack guard: when receiving a TC-BPDU (a PDU used as notification of a topology change), the device will delete the corresponding forwarding address entry. If someone forges TC-BPDUs to attack the device, the device will receive a larger number of t...

  • Page 236

    236 Chapter 23: MSTP Configuration. MSTP configuration example. Network requirements: configure MSTP so that packets of different VLANs are forwarded along different spanning trees. The specific configuration requirements are as follows: ■ All devices on the network are in the same MST region. ■ Pack...

  • Page 237

    MSTP configuration example 237 Configuration procedure: 1 Configuration on Device A. # Enter MST region view. system-view [devicea] stp region-configuration # Configure the region name, VLAN-to-instance mappings and revision level of the MST region. [devicea-mst-region] region-name example [devicea-ms...

  • Page 238

    238 Chapter 23: MSTP Configuration [deviceb] display stp region-configuration oper configuration format selector :0 region name :example revision level :0 instance vlans mapped 0 1 to 9, 11 to 29, 31 to 39, 41 to 4094 1 10 3 30 4 40 3 Configuration on Device C. # Enter MST region view. system-view ...

  • Page 239

    MSTP configuration example 239 # Activate the MST region configuration manually. [deviced-mst-region] active region-configuration [deviced-mst-region] quit # View the MST region configuration information that has taken effect. [deviced] display stp region-configuration oper configuration format selector...

  • Page 241: Ip R

    24 IP Routing Overview. Go to these sections for information you are interested in: ■ “IP routing and routing table” on page 241 ■ “Routing protocol overview” on page 243 ■ “Displaying and maintaining a routing table” on page 246. Note: the term "router" in this document refers to a Layer 3 switch runni...

  • Page 242

    242 Chapter 24: IP Routing Overview ■ Outbound interface: specifies the interface through which the IP packets are to be forwarded. ■ IP address of the next hop: specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the IP address ...

  • Page 243

    Routing protocol overview 243 Figure 63 A sample routing table. Routing protocol overview. Static routing and dynamic routing: static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perf...

  • Page 244

    244 Chapter 24: IP Routing Overview. Operational scope: ■ Interior gateway protocols (IGPs): work within an autonomous system, including RIP, OSPF, and IS-IS. ■ Exterior gateway protocols (EGPs): work between autonomous systems. The most popular one is BGP. Note: an autonomous system refers to a group ...

  • Page 245

    Routing protocol overview 245 Note: ■ The smaller the priority value, the higher the priority. ■ The priority for a direct route is always 0, which you cannot change. Any other type of route can have its priority manually configured. ■ Each static route can be configured with a different priority. ...

  • Page 247: Gr O

    25 GR Overview. Go to these sections for information you are interested in: ■ “Introduction to graceful restart” on page 247 ■ “Basic concepts in graceful restart” on page 247 ■ “Graceful restart communication procedure” on page 248 ■ “Graceful restart mechanism for several commonly used protocols” ...

  • Page 248

    248 Chapter 25: GR Overview. Graceful restart communication procedure: configure a device as GR Restarter in a network. This device and its GR Helper must support GR or be GR capable. Thus, when the GR Restarter restarts, its GR Helper can know about its restart process. Note: in some cases, GR Restarter and GR H...

  • Page 249

    Graceful restart communication procedure 249 Figure 65 Restarting process for the GR Restarter, as illustrated in Figure 65. The GR Helper detects that the GR Restarter has restarted its routing protocol and assumes that it will recover within the GR time. Before the GR time expires, the GR Helper wi...

  • Page 250

    250 Chapter 25: GR Overview. Figure 67 The GR Restarter obtains topology and routing information from the GR Helper. As illustrated in Figure 67, the GR Restarter obtains the necessary topology and routing information from all its neighbors through the GR sessions between them and calculates its own...

  • Page 251: Tatic

    26 Static Routing Configuration. When configuring a static route, go to these sections for information you are interested in: ■ “Introduction” on page 251 ■ “Configuring a static route” on page 252 ■ “Application environment of static routing” on page 252 ■ “Displaying and maintaining static route...

  • Page 252

    252 Chapter 26: Static Routing Configuration. Application environment of static routing: before configuring a static route, you need to know the following concepts: 1 Destination address and mask: in the ip route-static command, an IPv4 address is in dotted decimal format and a mask can be either i...

  • Page 253

    Detecting reachability of the static route’s nexthop 253 Note: ■ When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface, such as a VLAN interface. ■ If you do not specify the preference...

  • Page 254

    254 Chapter 26: Static Routing Configuration. Note: ■ To configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a track entry. ■ If a static route needs route recursion, the associa...

  • Page 255

    Configuration example 255 Configuration procedure: 1 Configuring IP addresses for interfaces (omitted). 2 Configuring static routes. # Configure a default route on Switch A. system-view [switcha] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 # Configure two static routes on Switch B. system-view [switchb] ip r...

  • Page 256

    256 Chapter 26: Static Routing Configuration. # From Host A, use the ping command to verify the network layer reachability to Host B and Host C.

  • Page 257: Rip C

    27 RIP Configuration. Note: ■ The term “router” in this document refers to a router in a generic sense or a Layer 3 switch. ■ The Switch 4800G supports only a single RIP process. When configuring RIP, go to these sections for information you are interested in: ■ “RIP overview” on page 257 ■ “Configuring RI...

  • Page 258

    258 Chapter 27: RIP Configuration ■ Next hop: IP address of the adjacent router’s interface to reach the destination. ■ Egress interface: packet outgoing interface. ■ Metric: cost from the local router to the destination. ■ Route time: time elapsed since the routing entry was last updated. The tim...

  • Page 259

    RIP overview 259 Operation of RIP: the following procedure describes how RIP works. 1 After RIP is enabled, the router sends request messages to neighboring routers. Neighboring routers return response messages including information about their routing tables. 2 After receiving such information, the ...

  • Page 260

    260 Chapter 27: RIP Configuration. Figure 69 RIPv1 message format ■ Command: type of message. 1 indicates request, and 2 indicates response. ■ Version: version of RIP, 0x01 for RIPv1. ■ AFI: address family identifier, 2 for IP. ■ IP address: destination IP address of the route. It can be a natural ...

  • Page 261

    Configuring RIP basic functions 261 Figure 71 RIPv2 authentication message ■ Authentication type: 2 represents plain text authentication, while 3 represents MD5. ■ Authentication: authentication data, including password information when plain text authentication is adopted, or including key ID, MD5 a...

  • Page 262

    262 Chapter 27: RIP Configuration. Note: ■ If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled. ■ RIP runs only on the interfaces residing on the specified networks. Therefore, you need to specify the network after enabli...

  • Page 263

    Configuring RIP route control 263 Configuring RIP route control: in complex networks, you need to configure advanced RIP features. This section covers the following topics: ■ “Configuring an additional routing metric” on page 263 ■ “Configuring RIPv2 route summarization” on page 264 ■ “Disabling host...

  • Page 264

    264 Chapter 27: RIP Configuration. Configuring RIPv2 route summarization: route summarization means that subnets in a natural network are summarized into a natural network route that is sent to other networks. This feature can reduce the size of routing tables. Enabling RIPv2 route automatic summarization...

  • Page 265

    Configuring RIP route control 265 Follow these steps to disable RIP from receiving host routes. Note: RIPv2 can be disabled from receiving host routes, but RIPv1 cannot. Advertising a default route: you can configure RIP to advertise a default route with a specified metric to RIP neighbors. Follow these ...

  • Page 266

    266 Chapter 27: RIP Configuration. Note: ■ Using the filter-policy import command filters incoming routes. Routes not passing the filtering will be neither installed into the routing table nor advertised to neighbors. ■ Using the filter-policy export command filters outgoing routes, including routes re...

  • Page 267

    Configuring RIP network optimization 267 Note: based on network performance, you need to make the RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route oscillation. Configuring split horizon and poison reverse. Note: if both split horizon and poison reverse are configured, only ...

  • Page 268

    268 Chapter 27: RIP Configuration. that all messages are trustworthy, you can disable zero field check to save CPU resources. Follow these steps to enable zero field check on incoming RIPv1 messages. Enabling source IP address check on incoming RIP updates: you can enable source IP address check on incom...

  • Page 269

    Displaying and maintaining RIP 269 neighbor is not directly connected, you must disable source address check on incoming updates. Follow these steps to specify a RIP neighbor. Note: you need not use the peer ip-address command when the neighbor is directly connected; otherwise the neighbor may receive b...

  • Page 270

    270 Chapter 27: RIP Configuration. Configuration procedure: 1 Configure IP addresses for interfaces (omitted). 2 Configure basic RIP functions. # Configure Switch A. system-view [switcha] rip [switcha-rip-1] network 192.168.1.0 [switcha-rip-1] network 172.16.0.0 [switcha-rip-1] network 172.17.0.0 [sw...

  • Page 271

    Troubleshooting RIP 271 From the routing table, you can see RIPv2 uses classless subnet masks. Note: since RIPv1 routing information has a long aging time, it will still exist until aged out after RIPv2 is configured. Troubleshooting RIP. No RIP updates received. Symptom: no RIP updates are received when ...

  • Page 273: Ospf C

    28 OSPF Configuration. Note: the term “router” in this document refers to a router in a generic sense or a Layer 3 switch. Open Shortest Path First (OSPF) is a link state interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). At present, OSPF version...

  • Page 274

    274 Chapter 28: OSPF Configuration ■ Routing hierarchy: supports a four-level routing hierarchy that prioritizes the routes into intra-area, inter-area, external Type-1, and external Type-2 routes. ■ Authentication: supports interface-based packet authentication to guarantee the security of packet...

  • Page 275

    Introduction to OSPF 275 ■ LSU (Link State Update) packet: transmits the needed LSAs to the neighbor. ■ LSAck (Link State Acknowledgment) packet: acknowledges received LSU packets. It contains the headers of received LSAs (a packet can acknowledge multiple LSAs). LSA types: OSPF sends routing informa...

  • Page 276

    276 Chapter 28: OSPF Configuration. OSPF area partition and route summarization. Area partition: when a large number of OSPF routers are present on a network, LSDBs may become so large that a great amount of storage space is occupied and CPU resources are exhausted by performing SPF computation. In a...

  • Page 277

    Introduction to OSPF 277 3 Backbone router: at least one interface of a backbone router must be attached to the backbone area. Therefore, all ABRs and internal routers in area 0 are backbone routers. 4 Autonomous system border router (ASBR): the router exchanging routing information with another AS is...

  • Page 278

    278 Chapter 28: OSPF Configuration. Figure 75 Virtual link application 1. Another application of virtual links is to provide redundant links. If the backbone area cannot maintain internal connectivity due to a physical link failure, configuring a virtual link can guarantee logical connectivity in th...

  • Page 279

    Introduction to OSPF 279 ■ A (totally) stub area cannot have an ASBR because AS external routes cannot be distributed into the stub area. ■ Virtual links cannot transit (totally) stub areas. NSSA area: similar to a stub area, an NSSA area imports no AS external LSA (Type-5 LSA) but can import Type-7 ...

  • Page 280

    280 Chapter 28: OSPF Configuration. OSPF has two types of route summarization: 1 ABR route summarization: to distribute routing information to other areas, an ABR generates Type-3 LSAs on a per-network-segment basis for an attached non-backbone area. If contiguous network segments are available in t...

  • Page 281

    Introduction to OSPF 281 ■ NBMA (non-broadcast multi-access): when the link layer protocol is Frame Relay, ATM or X.25, OSPF considers the network type as NBMA by default. Packets on these networks are sent to unicast addresses. ■ P2MP (point-to-multipoint): by default, OSPF considers no link layer ...

  • Page 282

    282 Chapter 28: OSPF Configuration. become the new DR in a very short period by avoiding adjacency establishment and DR reelection. Meanwhile, other routers elect another BDR, which requires a relatively long period but has no influence on routing calculation. Other routers, also known as DRothers,...

  • Page 283

    Introduction to OSPF 283 Figure 80 OSPF packet format. OSPF packet header: OSPF packets are classified into five types that have the same packet header, as shown below. Figure 81 OSPF packet header ■ Version: OSPF version number, which is 2 for OSPFv2. ■ Type: OSPF packet type from 1 to 5, correspondi...

  • Page 284

    284 Chapter 28: OSPF Configuration. Figure 82 Hello packet format. Major fields: ■ Network mask: network mask associated with the router’s sending interface. If two routers have different network masks, they cannot become neighbors. ■ HelloInterval: interval for sending hello packets. If two routers...

  • Page 285

    Introduction to OSPF 285 Figure 83 DD packet format. Major fields: ■ Interface MTU: size in bytes of the largest IP datagram that can be sent out the associated interface without fragmentation. ■ I (Initial): the Init bit, which is set to 1 if the packet is the first packet of database description pa...

  • Page 286

    286 Chapter 28: OSPF Configuration. Figure 84 LSR packet format. Major fields: ■ LS type: type number of the LSA to be requested. Type 1, for example, indicates the Router LSA. ■ Link state ID: determined by LSA type. ■ Advertising router: ID of the router that sent the LSA. LSU packet: LSU (Link State...

  • Page 287

    Introduction to OSPF 287 Figure 86 LSAck packet format. LSA header format: all LSAs have the same header, as shown in the following figure. Figure 87 LSA header format. Major fields: ■ LS age: time in seconds elapsed since the LSA was originated. An LSA ages in the LSDB (incremented by 1 per second), but does...

  • Page 288

    288 Chapter 28: OSPF Configuration. Formats of LSAs: 1 Router LSA. Figure 88 Router LSA format. Major fields: ■ Link state ID: ID of the router that originated the LSA. ■ V (virtual link): set to 1 if the router that originated the LSA is a virtual link endpoint. ■ E (external): set to 1 if the router...

  • Page 289

    Introduction to OSPF 289 Figure 89 Network LSA format. Major fields: ■ Link state ID: the interface address of the DR ■ Network mask: the mask of the network (a broadcast or NBMA network) ■ Attached router: the IDs of the routers that are adjacent to the DR, including the DR itself ■ Summary LSA: ne...

  • Page 290

    290 Chapter 28: OSPF Configuration. Note: a Type-3 LSA can be used to advertise a default route, having the link state ID and network mask set to 0.0.0.0. 1 AS external LSA: an AS external LSA originates from an ASBR, describing routing information to a destination outside the AS. Figure 91 AS external ...

  • Page 291

    Introduction to OSPF 291 Figure 92 NSSA external LSA format. Supported OSPF features. Multi-process: with multi-process support, multiple OSPF processes can run on a router simultaneously and independently. Routing information interactions between different processes seem like interactions between diff...

  • Page 292

    292 Chapter 28: OSPF Configuration. After the restart, the GR Restarter will send an OSPF GR signal to its neighbors, which will not reset their adjacencies with it. In this way, the GR Restarter can restore the neighbor table upon receiving the responses from neighbors. After reestablishing neighbor...

  • Page 293

    Configuring OSPF basic functions 293 Configuring OSPF basic functions: you need to enable OSPF and specify an interface and area ID first before performing other tasks. Prerequisites: before configuring OSPF, you need to configure IP addresses for interfaces, making neighboring nodes accessible to each...

  • Page 294

    294 Chapter 28: OSPF Configuration. To ensure OSPF stability, you need to decide on router IDs and configure them manually. Any two routers in an AS must have different IDs. In practice, the ID of a router is the IP address of one of its interfaces. ■ Enable an OSPF process: the system supports OSPF...

  • Page 295

    Configuring OSPF network types 295 area, these LSAs will be translated into Type-5 LSAs for advertisement to other areas. Non-backbone areas exchange routing information via the backbone area. Therefore, the backbone and non-backbone areas, including the backbone itself, must maintain connectivity. I...

  • Page 296

    296 Chapter 28: OSPF Configuration. For routers having no direct link in between, you can configure the P2MP type for the related interfaces. If a router in the NBMA network has only a single peer, you can configure the P2P type for the related interfaces. In addition, when configuring broadcast an...

  • Page 297

    Configuring OSPF route control 297 Note: the DR priority configured with the ospf dr-priority command and the one configured with the peer command have the following differences: ■ The former is for actual DR election. ■ The latter is to indicate whether a neighbor has the election right or not. If you configure th...

  • Page 298

    298 Chapter 28: OSPF Configuration. Configuring OSPF inbound route filtering: follow these steps to configure inbound route filtering. Note: since OSPF is a link state-based interior gateway protocol, routing information is contained in LSAs. However, OSPF cannot filter LSAs. Using the filter-policy imp...

  • Page 299

    Configuring OSPF route control 299 Note: if no OSPF cost is configured for an interface, OSPF computes the cost automatically: interface OSPF cost = bandwidth reference value / interface bandwidth. If the calculated cost is greater than 65535, the value 65535 is used. Configuring the maximum number of O...

  • Page 300

    300 Chapter 28: OSPF Configuration. Configuring OSPF route redistribution: follow these steps to configure OSPF route redistribution. Note: ■ Using the import-route command cannot redistribute a default external route. To do so, you need to use the default-route-advertise command. ■ The default-route-ad...

  • Page 301

    Configuring OSPF network optimization 301 ■ Change OSPF packet timers to adjust the OSPF network convergence speed and network load. On low speed links, you need to consider the delay time for sending LSAs on interfaces. ■ Change the interval for SPF calculation to reduce resource consumption caused...

  • Page 302

    302 Chapter 28: OSPF Configuration. Note: ■ The hello and dead intervals restore to default values after you change the network type for an interface. ■ The dead interval should be at least four times the hello interval on an interface. ■ The poll interval is at least four times the hello interval. ■ T...

  • Page 303

    Configuring OSPF network optimization 303 Note: the interval set with the lsa-arrival-interval command should be smaller than or equal to the interval set with the lsa-generation-interval command. Specifying the LSA generation interval: with this feature configured, you can protect network resources and route...

  • Page 304

    304 Chapter 28: OSPF Configuration. Configuring stub routers: a stub router is used for traffic control. It tells other OSPF routers not to use it to forward data, but they can have a route to it. The Router LSAs from the stub router may contain different link type values. A value of 3 means a link ...

  • Page 305

    Configuring OSPF network optimization 305 Adding the interface MTU into DD packets: generally, when an interface sends a DD packet, it adds 0 into the interface MTU field of the DD packet rather than the interface MTU. Follow these steps to add the interface MTU into DD packets. Configuring the maxim...

  • Page 306

    306 Chapter 28: OSPF Configuration. Enabling the advertisement and reception of opaque LSAs: with this feature enabled, the OSPF router can receive and advertise Type 9, Type 10 and Type 11 opaque LSAs. Follow these steps to enable the advertisement and reception of opaque LSAs. Configuring OSPF gra...

  • Page 307

    Configuring OSPF graceful restart 307 Note: ■ With the graceful-restart ietf command used, a device can act as a GR Restarter and a GR Helper. ■ Without the graceful-restart ietf command used, a device can only act as a GR Helper. Configure the non-IETF standard OSPF GR capability: follow these steps to ...

  • Page 308

    308 Chapter 28: OSPF Configuration. Triggering OSPF graceful restart: performing the following configuration on an OSPF router will trigger OSPF graceful restart. Ensure that these routers are enabled with the following capabilities first: ■ LLS (link local signaling) ■ OOB (out of band re-synchroni...

  • Page 309

    Displaying and maintaining OSPF 309 Displaying and maintaining OSPF. OSPF configuration examples. Note: these examples only cover commands for OSPF configuration. To do… / Use the command… / Remarks: display OSPF brief information / display ospf [ process-id ] brief / available in any view; display OSPF statistics ...

  • Page 310

    310 Chapter 28: OSPF Configuration. Configuring OSPF basic functions. Network requirements: as shown in the following figure, all switches run OSPF. The AS is split into three areas, in which Switch A and Switch B act as ABRs to forward routing information between areas. After configuration, all swi...

  • Page 311

    OSPF configuration examples 311 system-view [switchc] ospf [switchc-ospf-1] area 1 [switchc-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255 [switchc-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255 [switchc-ospf-1-area-0.0.0.1] quit [switchc-ospf-1] quit # Configure Switch D. system-view [switchd] osp...

  • Page 312

    312 Chapter 28: OSPF Configuration total nets: 5 intra area: 3 inter area: 2 ase: 0 nssa: 0 # Display the link state database on Switch A. [switcha] display ospf lsdb ospf process 1 with router id 10.2.1.1 link state database area: 0.0.0.0 type linkstate id advrouter age len sequence metric router...

  • Page 313

    OSPF configuration examples 313 Configuring an OSPF stub area. Network requirements: the following figure shows an AS split into three areas, where all switches run OSPF. Switch A and Switch B act as ABRs to forward routing information between areas. Switch D acts as the ASBR to redistribute routes...

  • Page 314

    314 Chapter 28: OSPF Configuration 10.5.1.0/24 17 inter 10.2.1.1 10.2.1.1 0.0.0.1 10.1.1.0/24 5 inter 10.2.1.1 10.2.1.1 0.0.0.1 routing for ases destination cost type tag nexthop advrouter 3.1.2.0/24 1 type2 1 10.2.1.1 10.5.1.1 total nets: 6 intra area: 2 inter area: 3 ase: 1 nssa: 0 Note: in the abov...

  • Page 315

    OSPF configuration examples 315 [switchc] display ospf routing ospf process 1 with router id 10.4.1.1 routing tables routing for network destination cost type nexthop advrouter area 0.0.0.0/0 4 inter 10.2.1.1 10.2.1.1 0.0.0.1 10.2.1.0/24 3 transit 10.2.1.2 10.4.1.1 0.0.0.1 10.4.1.0/24 3 stub 10.4.1....

  • Page 316

    # Configure Switch C. [switchc] ospf [switchc-ospf-1] area 1 [switchc-ospf-1-area-0.0.0.1] nssa [switchc-ospf-1-area-0.0.0.1] quit [switchc-ospf-1] quit Note: it is recommended to configure the nssa command with the keyword default-route-advertise no-summary on switc...

  • Page 317

    Configuring OSPF DR election. Network requirements: ■ In the following figure, OSPF Switches A, B, C and D reside on the same network segment. ■ It is required to configure Switch A as the DR, and configure Switch C as the BDR. Network diagram: Figure 96 Network diagram ...

  • Page 318

    # Configure Switch D. system-view [switchd] router id 4.4.4.4 [switchd] ospf [switchd-ospf-1] area 0 [switchd-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255 [switchd-ospf-1-area-0.0.0.0] quit [switchd-ospf-1] quit # Display OSPF neighbor information on Switch A...

  • Page 319

    # Display neighbor information on Switch D. [switchd] display ospf peer verbose ospf process 1 with router id 4.4.4.4 neighbors area 0.0.0.0 interface 192.168.1.4(vlan-interface1)’s neighbors router id: 1.1.1.1 address: 192.168.1.1 gr state: normal state: full mode:nb...

  • Page 320

    dr: 192.168.1.1 bdr: 192.168.1.3 mtu: 0 dead timer due in 39 sec neighbor is up for 00:01:41 authentication sequence: [ 0 ] neighbor state change count: 2 Switch A becomes the DR, and Switch C is the BDR. Note: if the neighbor state is Full, it means Switch D has est...

  • Page 321

    # Configure Switch A. system-view [switcha] ospf 1 router-id 1.1.1.1 [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] area 1 [switcha-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0...

  • Page 322

    [switcha] display ospf routing ospf process 1 with router id 1.1.1.1 routing tables routing for network destination cost type nexthop advrouter area 172.16.1.1/16 1563 inter 192.168.1.2 2.2.2.2 0.0.0.0 10.0.0.0/8 1 stub 10.1.1.1 1.1.1.1 0.0.0.0 192.168.1.0/24 156...

  • Page 323

    Troubleshooting OSPF configuration. system-view [switchb] acl number 2000 [switchb-acl-basic-2000] rule 10 permit source 192.1.1.1 0.0.0.0 [switchb-acl-basic-2000] quit [switchb] interface vlan-interface 100 [switchb-vlan-interface100] ip address 192.1.1.2 255.255.255.0 [switchb-vlan-interface100...

  • Page 324

    3 Ping the neighbor router’s IP address to check connectivity. 4 Check OSPF timers. The neighbor dead interval on an interface must be at least four times the hello interval. 5 On an NBMA network, using the peer ip-address command to specify the neighbor manually...

  • Page 325: Is-Is C

    29 IS-IS Configuration. When configuring IS-IS, go to these sections for information you are interested in: ■ “IS-IS overview” on page 325 ■ “IS-IS configuration task list” on page 340 ■ “Configuring IS-IS basic functions” on page 341 ■ “Configuring IS-IS routing information control” on page 342 ■ “...

  • Page 326

    Chapter 29: IS-IS Configuration. ■ Link state database (LSDB). All link states in the network form the LSDB. There is at least one LSDB in each IS. The IS uses the SPF algorithm and the LSDB to generate its own routes. ■ Link state protocol data unit (LSPDU) or link state packet (LSP). Each IS can gen...

  • Page 327

    IS-IS overview. In practice, the system ID is used together with the router ID. For example, if a router uses the IP address 168.10.1.1 of Loopback 0 as the router ID, the system ID in IS-IS can be obtained in the following way: ■ Extend each decimal number of the IP address to 3 digits by...

  • Page 328

    Level-1 and Level-2. 1 Level-1 router: the Level-1 router only establishes neighbor relationships with Level-1 and Level-1-2 routers in the same area. The LSDB maintained by the Level-1 router contains the local area routing information. It directs the packets ...

  • Page 329

    Figure 100 IS-IS topology. Figure 101 shows another network topology running the IS-IS protocol. The Level-1-2 routers connect the Level-1 and Level-2 routers, and also form the IS-IS backbone together with the Level-2 routers. There is no area defined as the backbone in this topol...

  • Page 330

    by configuring the routing hierarchy on the interface. For example, a Level-1 interface can only establish a Level-1 adjacency, while a Level-2 interface can only establish a Level-2 adjacency. With this function, you can prevent Level-1 hello packets f...

  • Page 331

    Figure 102 DIS in the IS-IS broadcast network. The DIS creates and updates pseudonodes as well as their LSPs to describe all routers on the network. The pseudonode emulates a virtual node on the broadcast network. It is not a real router. In IS-IS, it is identified by the system ID...

  • Page 332

    Figure 104 PDU common header format. ■ Intra-domain routing protocol discriminator: set to 0x83. ■ Length indicator: the length of the PDU header, including both common and specific headers, in bytes. ■ Version/protocol ID extension: set to 1 (0x01). ■ ID ...

  • Page 333

    Figure 105 L1/L2 LAN IIH format. ■ Reserved/circuit type: the first 6 bits are reserved with value 0. The last 2 bits indicate the router type: 00 means reserved, 01 indicates L1, 10 indicates L2, and 11 indicates L1/2. ■ Source ID: the system ID of the router advertising the hello p...

  • Page 334

    Figure 106 P2P IIH format. Instead of the priority and LAN ID fields in the LAN IIH, the P2P IIH has a local circuit ID field. LSP packet format: link state PDUs (LSPs) carry link state information. There are two types: Level-1 LSP and Level-2 LSP. The Level-...

  • Page 335

    Figure 107 L1/L2 LSP format. ■ PDU length: total length of the PDU in bytes. ■ Remaining lifetime: LSP remaining lifetime in seconds. ■ LSP ID: consists of the system ID, the pseudonode ID (one byte) and the LSP fragment number (one byte). ■ Sequence number: LSP sequence number. ■ ...

  • Page 336

    Figure 108 LSDB overload. ■ IS type: type of the router generating the LSP. SNP format: the sequence number PDU (SNP) confirms the latest received LSPs. It is similar to an acknowledgement packet, but more efficient. SNPs comprise complete SNP (CSNP) and partial SNP (...

  • Page 337

    Figure 110 shows the PSNP packet format. Figure 110 L1/L2 PSNP format. CLV: the variable fields of a PDU are composed of multiple code-length-value (CLV) triplets. Figure 111 shows the CLV format. Figure 111 CLV format. Table 45 shows that different PDUs contain different CLVs. Table 45 CLV...

  • Page 338

    CLV codes 1 to 10 are defined in ISO 10589 (codes 3 and 5 are not shown in the table), and the others are defined in RFC 1195. IS-IS features supported. Multiple processes: IS-IS supports multiple processes. Multiple processes allow an IS-IS process to work in concert...

  • Page 339

    ■ System ID: the system ID of the originating system. ■ Additional system ID: the additional virtual system ID configured for the IS-IS router after LSP fragment extension is enabled. Each additional system ID can generate 256 LSP fragments. Both the additional system ID and t...

  • Page 340

    information in the extended fragments. Mode-2 is recommended in a network where all the routers in the same area and at the same routing level support LSP fragment extension. Dynamic host name mapping mechanism: the dynamic host name mapping mechanism pr...

  • Page 341

    Configuring IS-IS basic functions. Configuration prerequisites: before the task, configure an IP address for each interface, making all adjacent nodes reachable to each other at the network layer. Configuration procedure: follow these steps to configure IS-IS basic...

  • Page 342

    Note: if a router’s type is configured as Level-1 or Level-2, the type of its interfaces must be the same and cannot be changed using the isis circuit-level command. However, an interface’s type can be changed with this command when the router’s type is Level-1-2 for...

  • Page 343

    Configuring IS-IS routing information control. Configuring IS-IS link cost: there are three ways to configure the interface link cost, in descending order of precedence: ■ Interface cost: assign a link cost for a single interface. ■ Global cost: assign a link cost for all interfaces. ■ Automa...

  • Page 344

    Note: if no interface cost is specified in interface view or system view and automatic cost calculation is enabled: ■ When the cost style is wide or wide-compatible, IS-IS automatically calculates the interface cost based on the interface bandwidth, using th...

  • Page 345

    Note: the cost of the summary route is the lowest cost among the summarized routes. Advertising a default route: follow these steps to advertise a default route. Note: the default route is only advertised to routers at the same level. You can use a routing ...

  • Page 346

    Configuring IS-IS route leaking: with this feature enabled, the Level-1-2 router can advertise both Level-1 and Level-2 area routing information to the Level-1 router. Follow these steps to configure IS-IS route leaking. Note: ■ If a filter policy is specified, only ...

  • Page 347

    Tuning and optimizing the IS-IS network. Note: if multiple routers in the broadcast network have the same highest DIS priority, the router with the highest MAC address becomes the DIS. This rule applies even if all routers’ DIS priority is 0. Configuring IS-IS timers: follow these steps to configure the IS-I...

  • Page 348

    Configuring LSP parameters: an IS-IS router periodically advertises all the local LSPs to maintain LSP synchronization in the entire area. An LSP is given an aging time when generated by the router. When the LSP is received by another router, its aging time be...

  • Page 349

    Note the following when enabling LSP fragment extension: ■ After LSP fragment extension is enabled in an IS-IS process, the MTUs of all the interfaces with this IS-IS process enabled must not be less than 512; otherwise, LSP fragment extension will not take e...

  • Page 350

    Note: the local host name on the local IS overwrites the remote host name on the remote IS. Configuring IS-IS authentication: for area authentication, the area authentication password is encapsulated into the Level-1 LSP, CSNP, and PSNP packets. On area authenticatio...

  • Page 351

    Note: the level-1 and level-2 keywords in the isis authentication-mode command are only supported on a VLAN interface of a switch, and the interface must be configured with the isis enable command first. Configuring LSDB overload tag: when the overload tag is set o...

  • Page 352

    Enabling SNMP trap: follow these steps to enable IS-IS trap. Configuring IS-IS GR: an IS-IS restart may terminate the adjacencies between a restarting router and its neighbors, resulting in a transient network disconnection. IS-IS graceful restart ca...

  • Page 353

    Displaying and maintaining IS-IS. Enable IS-IS, and enter IS-IS view: isis [ process-id ] (required; disabled by default). Enable the GR capability for IS-IS: graceful-restart (required; disabled by default). Set the graceful restart interval: graceful-restart interval timer...

  • Page 354

    IS-IS configuration example. IS-IS basic configuration. Network requirements: as shown in Figure 112, Switch A, B, C and Switch D reside in an IS-IS AS. Switch A and B are Level-1 switches, Switch D is a Level-2 switch and Switch C is a Level-1-2 switch. Switch A, ...

  • Page 355

    system-view [switchc] isis 1 [switchc-isis-1] network-entity 10.0000.0000.0003.00 [switchc-isis-1] quit [switchc] interface vlan-interface 100 [switchc-vlan-interface100] isis enable 1 [switchc-vlan-interface100] quit [switchc] interface vlan-interface 200 [switchc-vl...

  • Page 356

    *-self lsp, +-self lsp(extended), att-attached, p-partition, ol-overload [switchc] display isis lsdb database information for isis(1) -------------------------------- level-1 link state database lspid seq num checksum holdtime length att/p/ol -------------------...

  • Page 357

    route information for isis(1) ----------------------------- isis(1) ipv4 level-1 forwarding table ------------------------------------- ipv4 destination intcost extcost exitinterface nexthop flags -----------------------------------------------------------------------...

  • Page 358

    Network diagram: Figure 113 Network diagram for DIS selection. Configuration procedure: 1 Configure an IP address for each interface (omitted). 2 Enable IS-IS. # Configure Switch A. system-view [switcha] isis 1 [switcha-isis-1] network-entity 10.0000.0000.0001.00 [sw...

  • Page 359

    system-view [switchd] isis 1 [switchd-isis-1] network-entity 10.0000.0000.0004.00 [switchd-isis-1] is-level level-2 [switchd-isis-1] quit [switchd] interface vlan-interface 100 [switchd-vlan-interface100] isis enable 1 [switchd-vlan-interface100] quit # Display inform...

  • Page 360

    id ipv4.State ipv6.State mtu type dis 001 up down 1497 l1/l2 no/yes Note: by using the default DIS priority, Switch C is the Level-1 DIS, and Switch D is the Level-2 DIS. The pseudonodes of Level-1 and Level-2 are 0000.0000.0003.01 and 0000.0000.0004.01 respectivel...

  • Page 361

    state: up holdtime: 25s type: l1 pri: 64 system id: 0000.0000.0001 interface: vlan-interface100 circuit id: 0000.0000.0001.01 state: up holdtime: 7s type: l1 pri: 100 [switchc] display isis interface interface information for isis(1) --------------------------------- ...

  • Page 362

    Configuration procedure: 1 Configure IP addresses of the interfaces on each switch and configure IS-IS. Follow Figure 114 to configure the IP address and subnet mask of each interface. The configuration procedure is omitted. Configure IS-IS on the switches, ensur...

  • Page 363

    complete csnp not received number of t1 pre expiry: 0 is-is(1) level-2 restart status restart interval: 150 sa bit supported total number of interfaces = 1 restart status: restarting t3 timer status: remaining time: 65535 t2 timer status: remaining time: 59 interface ...

  • Page 365: Bgp C

    30 BGP Configuration. The Border Gateway Protocol (BGP) is a dynamic inter-AS route discovery protocol. When configuring BGP, go to these sections for information you are interested in: ■ “BGP overview” on page 365 ■ “BGP configuration task list” on page 380 ■ “Configuring BGP basic functions” on pa...

  • Page 366

    Chapter 30: BGP Configuration. ■ Eliminating route loops completely by adding AS path information to BGP routes. ■ Providing abundant routing policies to implement flexible route filtering and selection. ■ Easy to extend, satisfying new network developments. A router advertising BGP messages is ca...

  • Page 367

    BGP overview. 4-Keepalive, and 5-Route-refresh. The first four are defined in RFC 1771, the last one in RFC 2918. Open: after a TCP connection is established, the first message sent by each side is an Open message for peer relationship establishment. The Open message contains the following ...

  • Page 368

    ■ Unfeasible routes length: the total length of the withdrawn routes field in bytes. A value of 0 indicates that no route is being withdrawn from service and that the withdrawn routes field is not present in this Update message. ■ Withdrawn routes: this is a variable leng...

  • Page 369

    BGP path attributes. Classification of path attributes: path attributes fall into four categories: ■ Well-known mandatory: must be recognized by all BGP routers and must be included in every Update message. A routing information error occurs without this attribute. ■ Well-known discreti...

  • Page 370

    determine the ASs through which to route the message back. The number of the AS closest to the receiver’s AS is leftmost, as shown below: Figure 120 AS_PATH attribute. In general, a BGP router does not accept routes containing the local AS number, to avoid routing loops. Note: the curre...

  • Page 371

    configured, the NEXT_HOP attribute will be modified. For load-balancing information, refer to “BGP route selection” on page 372. Figure 121 NEXT_HOP attribute. 4 MED (MULTI_EXIT_DISC): the MED attribute is exchanged between two neighboring ASs, each of which does not advertise the att...

  • Page 372

    This attribute is exchanged between IBGP peers only, and thus not advertised to any other AS. It indicates the priority of a BGP router. LOCAL_PREF is used to determine the best route for traffic leaving the local AS. When a BGP router obtains from several IBGP peers ...

  • Page 373

    ■ Select the route originated by the local router. ■ Select the route with the shortest AS_PATH. ■ Select IGP, EGP, Incomplete routes in turn. ■ Select the route with the lowest MED value. ■ Select routes learned from EBGP, confederation, IBGP in turn. ■ Select the route with the smalles...

  • Page 374

    Figure 124 Network diagram for BGP load balancing. In the above figure, Router D and Router E are IBGP peers of Router C. Router A and Router B both advertise a route to the same destination to Router C. If load balancing is configured and the two routes ...

  • Page 375

    route recursion. Router C has no route to 8.0.0.0/8, so it discards the packet. Figure 125 IBGP and IGP synchronization. If synchronization is configured in this example, the IBGP router (Router D) first checks its IGP routing table for the learned IBGP route. Only the r...

  • Page 376

    BGP route dampening uses a penalty value to judge the stability of a route. The bigger the value, the less stable the route. Each time a route flap occurs (a route flap is the state change of a route from active to inactive), BGP adds a penalty value (1000, which ...

  • Page 377

    Community: a peer group applies the same policy to the peers in it, while a community applies the same policy to a group of BGP routers in several ASs. Community is a path attribute advertised between BGP peers, without being limited by AS. A BGP router can modify the community att...

  • Page 378

    Figure 128 Network diagram for route reflectors. When clients of a route reflector are fully meshed, route reflection is unnecessary because it consumes more bandwidth. The system supports using related commands to disable route reflection in this case. Note: ...

  • Page 379

    The deficiency of confederation is that when changing an AS into a confederation, you need to reconfigure your routers, and the topology will change. In large-scale BGP networks, both route reflectors and confederation can be used. BGP GR. Note: for GR (graceful restart) information, refe...

  • Page 380

    The above two attributes are both optional non-transitive, so BGP speakers not supporting multi-protocol extensions ignore the two attributes and do not forward them to peers. Address family: MP-BGP employs address families to differentiate network layer protocols. For address ...

  • Page 381

    Configuring BGP basic functions. This section describes BGP basic configuration. Note: ■ This section does not differentiate between BGP and MP-BGP. ■ Since BGP employs TCP, you need to specify the IP addresses of peers, which may not be neighboring routers. ■ Using logical...

  • Page 382

    Note: ■ A BGP router must be assigned a router ID, a 32-bit unsigned integer that uniquely identifies the router in the AS. ■ You can specify a router ID manually. If not, the system selects an IP address as the router ID. The selection sequence is th...

  • Page 383

    Controlling route distribution and reception. preferred-value preferred-value in routing policy commands of the IP Routing volume. Prerequisites: before configuring this task, you have completed BGP basic configuration. Configuring BGP route redistribut...

  • Page 384

    Advertising a default route to a peer or peer group: follow these steps to advertise a default route to a peer or peer group. Note: with the peer default-route-advertise command executed, the router sends a default route with the next hop being itself to the specified ...

  • Page 385

    Configuring BGP route reception filtering policies: follow these steps to configure BGP route reception filtering policies. Note: ■ Only routes permitted by the specified filtering policies can be installed into the local BGP routing table. ■ Members ...

  • Page 386

    Enabling BGP and IGP route synchronization: by default, when a BGP router receives an IBGP route, it only checks the reachability of the route’s next hop before advertisement. With BGP and IGP synchronization configured, the BGP router cannot advertise the route to...

  • Page 387

    Configuring BGP route attributes. Note: ■ Using a routing policy, you can set preferences for routes matching it. Routes not matching it use the default preferences. ■ If other conditions are identical, the route with the smallest MED value is selected as the best external route. Configure the MED attribu...

  • Page 388

    ■ The peer next-hop-local command specifies the router as the next hop for routes to a peer/peer group. If BGP load balancing is configured, the router specifies itself as the next hop for routes to a peer/peer group regardless of whether the peer next-hop-l...

  • Page 389

    Tuning and optimizing BGP networks. Prerequisites: before configuring this task, you have configured BGP basic functions. Configuration procedure: follow these steps to tune and optimize BGP networks. To do… Use the command… Remarks: Enter system view: system-view (-). Enter BGP view: bgp as-number (-). Conf...

  • Page 390

    Note: ■ The maximum keepalive interval should be one third of the holdtime and no less than 1 second. The holdtime is no less than 3 seconds unless it is set to 0. ■ The intervals set with the peer timer command take precedence over those set with the timer command. ■ Use...

  • Page 391

    Configuring a large scale BGP network. Note: ■ You need not specify the AS number when creating an IBGP peer group. ■ If there are peers in a peer group, you can neither change the AS number of the group nor use the undo command to remove the AS number. ■ You need to specify the AS number for each peer i...

  • Page 392

    Configuring a BGP route reflector: follow these steps to configure a BGP route reflector. Note: ■ In general, it is not required to make clients of a route reflector fully meshed. The route reflector forwards routing information between clients. If clients are fully me...

  • Page 393

    Configuring BGP GR. Note: ■ In general the maximum time allowed for the peer (the GR restarter) to reestablish a BGP session should be less than the holdtime carried in the Open message. ■ The End-of-RIB (end of routing information base) marker indicates the end of route updates. To do… Use the command… Rema...

  • Page 394

    Displaying and maintaining BGP. Displaying BGP: To do… Use the command… Remarks: Display peer group information: display bgp group [ group-name ] (available in any view). Display advertised BGP routing information: display bgp network. Display AS path information: display b...

  • Page 395

    BGP configuration examples. Resetting BGP connections. Clearing BGP information. BGP basic configuration. Network requirements: in the following figure are all BGP switches. Between Switch A and Switch B is an EBGP connection. IBGP speakers Switch B, Switch C and Switch D a...

  • Page 396

    Configuration procedure: 1 Configure IP addresses for interfaces (omitted). 2 Configure IBGP connections. # Configure Switch B. system-view [switchb] bgp 65009 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 9.1.1.2 as-number 65009 [switchb-bgp] peer 9.1.3.2 as-nu...

  • Page 397

    peer v as msgrcvd msgsent outq prefrcv up/down state 9.1.1.2 4 65009 56 56 0 0 00:40:54 established 9.1.3.2 4 65009 49 62 0 0 00:44:58 established 200.1.1.2 4 65008 49 65 0 1 00:44:03 established You can see that Switch B has established BGP connections to the other switches. ...

  • Page 398

    [switcha] display bgp routing-table total number of routes: 4 bgp local router id is 1.1.1.1 status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, s - stale origin : i - igp, e - egp, ? - incomplete network nexthop med locprf pr...

  • Page 399

    Network diagram: Figure 131 Network diagram for BGP and IGP synchronization. Configuration procedure: 1 Configure IP addresses for interfaces (omitted). 2 Configure OSPF (omitted). 3 Configure the EBGP connection. # Configure Switch A. system-view [switcha] bgp 65008 [switch...

  • Page 400

    network nexthop med locprf prefval path/ogn *> 8.1.1.0/24 0.0.0.0 0 0 i *> 9.1.1.0/24 3.1.1.1 0 0 65009? *> 9.1.2.0/24 3.1.1.1 2 0 65009? # Configure OSPF to redistribute routes from BGP on Switch B. [switchb] ospf [switchb-ospf-1] import-route bgp [switchb-ospf-...

  • Page 401

    --- 9.1.2.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 15/37/47 ms BGP load balancing and MED attribute configuration. Network requirements: ■ Configure BGP on all switches; Switch A is in AS77008, and Swit...

  • Page 402

    # Configure Switch C. system-view [switchc] bgp 65009 [switchc-bgp] router-id 3.3.3.3 [switchc-bgp] peer 200.1.2.2 as-number 65008 [switchc-bgp] peer 9.1.1.1 as-number 65009 [switchc-bgp] network 9.1.1.0 255.255.255.0 [switchc-bgp] quit # Display the routing table...

  • Page 403

    # Display the routing table on Switch A. [switcha] display bgp routing-table total number of routes: 3 bgp local router id is 1.1.1.1 status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, s - stale origin : i - igp, e - egp, ? - inco...

  • Page 404

    system-view [switchb] bgp 20 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] peer 200.1.2.1 as-number 10 [switchb-bgp] peer 200.1.3.2 as-number 30 [switchb-bgp] quit # Configure Switch C. system-view [switchc] bgp 30 [switchc-bgp] router-id 3.3.3.3 [switchc-bgp] pee...

  • Page 405

    # Apply the routing policy. [switcha] bgp 10 [switcha-bgp] peer 200.1.2.2 route-policy comm_policy export [switcha-bgp] peer 200.1.2.2 advertise-community # Display the routing table on Switch B. [switchb] display bgp routing-table 9.1.1.0 bgp local router id : 2.2.2.2...

  • Page 406

    # Configure Switch A. system-view [switcha] bgp 100 [switcha-bgp] router-id 1.1.1.1 [switcha-bgp] peer 192.1.1.2 as-number 200 # Inject network 1.0.0.0/8 into the BGP routing table. [switcha-bgp] network 1.0.0.0 [switcha-bgp] quit # Configure Switch B. system-view [...

  • Page 407

    network nexthop med locprf prefval path/ogn *> 1.0.0.0 192.1.1.1 0 0 100i # Display the BGP routing table on Switch D. [switchd] display bgp routing-table total number of routes: 1 bgp local router id is 4.4.4.4 status codes: * - valid, > - best, d - damped, h - histor...

  • Page 408

    # Configure Switch A. system-view [switcha] bgp 65001 [switcha-bgp] router-id 1.1.1.1 [switcha-bgp] confederation id 200 [switcha-bgp] confederation peer-as 65002 65003 [switcha-bgp] peer 10.1.1.2 as-number 65002 [switcha-bgp] peer 10.1.1.2 next-hop-local [switcha...

  • Page 409

    [switche-bgp] router-id 5.5.5.5 [switche-bgp] confederation id 200 [switche-bgp] peer 10.1.4.1 as-number 65001 [switche-bgp] peer 10.1.5.1 as-number 65001 [switche-bgp] quit 4 Configure the EBGP connection between AS 100 and AS 200. # Configure Switch A. [switcha] bgp 65...

  • Page 410

    *>i 9.1.1.0/24 10.1.3.1 0 100 0 100i [switchd] display bgp routing-table 9.1.1.0 bgp local router id : 4.4.4.4 local as number : 65001 paths: 1 available, 1 best bgp routing table entry information of 9.1.1.0/24: from : 10.1.3.1 (1.1.1.1) relay nexthop : 0.0.0.0 o...

  • Page 411

    system-view [switchb] ospf [switchb-ospf] area 0 [switchb-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255 [switchb-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255 [switchb-ospf-1-area-0.0.0.0] quit [switchb-ospf-1] quit # Configure Switch C. system-view [switchc] osp...

  • Page 412

    [switchd] bgp 200 [switchd-bgp] peer 194.1.1.2 as-number 200 [switchd-bgp] peer 195.1.1.2 as-number 200 [switchd-bgp] quit 4 Configure attributes for route 1.0.0.0/8, making Switch D give priority to the route learned from Switch C. ■ Configure a higher MED value ...

  • Page 413

    Troubleshooting BGP. [switchc] acl number 2000 [switchc-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255 [switchc-acl-basic-2000] quit # Configure a routing policy named localpref on Switch C, setting the local preference of route 1.0.0.0/8 to 200 (the default is 100). [switchc] route-pol...

  • Page 414

    6 Use the ping command to check connectivity. 7 Use the display tcp status command to check the TCP connection. 8 Check whether an ACL blocking TCP port 179 is configured.

  • Page 415: Outing

    31 Routing Policy Configuration. Note: the term “router” refers to a router in a generic sense or a Layer 3 switch running routing protocols. A routing policy is used on a router for route inspection, filtering, and attribute modification when routes are received, advertised, or redistributed. When confi...

  • Page 416

    Chapter 31: Routing Policy Configuration. router’s address and so on. The match criteria can be set beforehand and then applied to a routing policy for route distribution, reception and redistribution. Filters: routing protocols can use six filters: ACL, IP prefix list, AS path ACL, communi...

  • Page 417

    Routing policy configuration task list 417 order of node sequence number. Once a node is matched, the routing policy is passed and the packet will not go through the next node. Each node comprises a set of if-match and apply clauses. The if-match clauses define the match criteria. The matching objec...

  • Page 418

    418 c hapter 31: r outing p olicy c onfiguration n if all items are set to the deny mode, no routes can pass the ipv4 prefix list. Therefore, you need to define the permit 0.0.0.0 0 less-equal 32 item following multiple deny mode items to allow other ipv4 routing information to pass. For example, th...

  • Page 419

    Configuring a routing policy 419 defining an extended community list you can define multiple items for an extended community list that is identified by number. During matching, the relation between items is logic or, that is, if routing information matches one of these items, it passes the extended ...

  • Page 420

    420 c hapter 31: r outing p olicy c onfiguration cannot match any if-match clause of the node, it will go to the next node for a match. ■ when a routing policy is defined with more than one node, at least one node should be configured with the permit keyword. If the routing policy is used to filter ...

  • Page 421

    Configuring a routing policy 421 n ■ the if-match clauses of a route-policy are in logic and relationship, namely, routing information has to satisfy all if-match clauses before being executed with apply clauses. ■ you can specify no or multiple if-match clauses for a routing policy. If no if-match ...

  • Page 422

    422 c hapter 31: r outing p olicy c onfiguration n the apply ip-address next-hop command do not apply to redistributed ipv4 routes. Displaying and maintaining the routing policy routing policy configuration example applying routing policy when redistributing ipv4 routes network requirements ■ switch...

  • Page 423

    Routing policy configuration example 423 network diagram figure 137 network diagram for routing policy application to route redistribution configuration procedure 1 specify ip addresses for interfaces (omitted). 2 configure is-is # configure switch c. System-view [switchc] isis [switchc-isis-1] is-l...

  • Page 424

    424 c hapter 31: r outing p olicy c onfiguration system-view [switcha] ospf [switcha-ospf-1] area 0 [switcha-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [switcha-ospf-1-area-0.0.0.0] quit [switcha-ospf-1] quit # configure switch b: enable ospf and redistribute routes from is-is. [switchb] osp...

  • Page 425

    Troubleshooting routing policy configuration 425 6 apply the routing policy to route redistribution. # configure switch b: apply the routing policy when redistributing routes. [switchb] ospf [switchb-ospf-1] import-route isis 1 route-policy isis2ospf [switchb-ospf-1] quit # display the ospf routing ...

  • Page 426

    426 c hapter 31: r outing p olicy c onfiguration.

  • Page 427: IPv6 Static Routing Configuration

    32 IPv6 Static Routing Configuration Note: The term “router” in this document refers to a layer 3 switch running routing protocols. Introduction to IPv6 static routing Static routes are special routes that are manually configured by network administrators. They work well in simple networks. Configu...

  • Page 428

    428 Chapter 32: IPv6 Static Routing Configuration Displaying and maintaining IPv6 static routes Note: Using the undo ipv6 route-static command can delete a single IPv6 static route, while using the delete ipv6 static-routes all command deletes all IPv6 static routes including the default route. Ip...

  • Page 429

    IPv6 static routing configuration example 429 # Configure the default IPv6 static route on Switch C. system-view [switchc] ipv6 [switchc] ipv6 route-static :: 0 5::2 3 Configure the IPv6 addresses of hosts and gateways. Configure the IPv6 addresses of all the hosts based upon the network diagram, co...

  • Page 430

    430 Chapter 32: IPv6 Static Routing Configuration --- 3::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 62/62/63 ms

  • Page 431: IPv6 RIPng Configuration

    33 IPv6 RIPng Configuration Note: ■ The term “router” in this document refers to a layer 3 switch running routing protocols. ■ The Switch 4800G only supports a single RIPng process. Introduction to RIPng RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in ...

  • Page 432

    432 Chapter 33: IPv6 RIPng Configuration ■ Route time: time that has elapsed since a route entry was last changed. Each time a route entry is modified, the route time is set to 0. ■ Route tag: identifies the route, used in routing policy to control routing information. RIPng packet format Basic fo...

  • Page 433

    Configuring RIPng basic functions 433 Figure 141 IPv6 prefix RTE format ■ IPv6 prefix: destination IPv6 address prefix. ■ Route tag: route tag. ■ Prefix len: length of the IPv6 address prefix. ■ Metric: cost of a route. RIPng packet processing procedure Request packet When a RIPng router first start...

  • Page 434

    434 Chapter 33: IPv6 RIPng Configuration Configuration prerequisites Before the configuration, accomplish the following tasks first: ■ Enable IPv6 packet forwarding. ■ Configure an IP address for each interface, and make sure all nodes are reachable. Configuration procedure Follow these steps t...

  • Page 435

    Configuring RIPng route control 435 Configuring RIPng route summarization Follow these steps to configure RIPng route summarization: Advertising a default route Follow these steps to advertise a default route: Note: With this feature enabled, a default route is advertised via the specified interface reg...

  • Page 436

    436 Chapter 33: IPv6 RIPng Configuration Configuring RIPng route redistribution Follow these steps to configure RIPng route redistribution: Tuning and optimizing the RIPng network This section describes how to tune and optimize the performance of the RIPng network as well as applications under ...

  • Page 437

    Tuning and optimizing the RIPng network 437 Note: When adjusting RIPng timers, you should consider the network performance and perform unified configurations on routers running RIPng to avoid unnecessary network traffic increase or route oscillation. Configuring split horizon and poison reverse Note: If bot...

  • Page 438

    438 Chapter 33: IPv6 RIPng Configuration Configuring zero field check on RIPng packets Some fields in the RIPng packet must be zero. These fields are called zero fields. With zero field check on RIPng packets enabled, if such a field contains a non-zero value, the entire RIPng packet will be di...

  • Page 439

    RIPng configuration example 439 Network diagram Figure 142 Network diagram for RIPng configuration Configuration procedure 1 Configure the IPv6 address for each interface (omitted) 2 Configure basic RIPng functions # Configure Switch A. system-view [switcha] ipv6 [switcha] ripng 1 [switcha-ripng-1] ...

  • Page 440

    440 Chapter 33: IPv6 RIPng Configuration # Display the routing table of Switch B. [switchb] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-collect ---------------------------------------------------------------- peer fe80::20f:e2ff:fe23:82f5 on vlan-interface100 dest ...

  • Page 441

    RIPng configuration example 441 peer fe80::20f:e2ff:fe00:100 on vlan-interface200 dest 4::/64, via fe80::20f:e2ff:fe00:100, cost 1, tag 0, a, 5 sec dest 5::/64, via fe80::20f:e2ff:fe00:100, cost 1, tag 0, a, 5 sec [switcha] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-co...

  • Page 442

    442 Chapter 33: IPv6 RIPng Configuration

  • Page 443: IPv6 OSPFv3 Configuration

    34 IPv6 OSPFv3 Configuration Note: ■ The term “router” in this document refers to a layer 3 switch running routing protocols. ■ The Switch 4800G only supports a single OSPFv3 process. Introduction to OSPFv3 OSPFv3 overview OSPFv3 is OSPF (open shortest path first) version 3 for short, supporting IPv6 ...

  • Page 444

    444 Chapter 34: IPv6 OSPFv3 Configuration Major fields: ■ Version #: version of OSPF, which is 3 for OSPFv3. ■ Type: type of OSPF packet; types 1 to 5 are hello, DD, LSR, LSU, and LSAck respectively. ■ Packet length: packet length in bytes, including header. ■ Instance ID: instance ID for a lin...

  • Page 445

    IPv6 OSPFv3 configuration task list 445 If a router receives no hello packet from a neighbor after a period, it will declare the peer is down. The period is called the dead interval. After sending an LSA to its adjacency, a router waits for an acknowledgment from the adjacency. If no response is receive...

  • Page 446

    446 Chapter 34: IPv6 OSPFv3 Configuration Configuring OSPFv3 basic functions Prerequisites ■ Make neighboring nodes accessible to each other at the network layer. ■ Enable IPv6 packet forwarding Configuring OSPFv3 basic functions Follow these steps to configure OSPFv3 basic functions: Note: ■ Config...

  • Page 447

    Configuring OSPFv3 routing information management 447 Prerequisites ■ Enable IPv6 packet forwarding ■ Configure OSPFv3 basic functions Configuring an OSPFv3 stub area Follow these steps to configure an OSPFv3 stub area: Note: ■ Configurations on the OSPFv3 routers attached to the same area must be consi...

  • Page 448

    448 Chapter 34: IPv6 OSPFv3 Configuration Prerequisites ■ Enable IPv6 packet forwarding ■ Configure OSPFv3 basic functions Configuring OSPFv3 route summarization Follow these steps to configure route summarization between areas: Note: The abr-summary command is available on ABRs only. If contiguou...

  • Page 449

    Configuring OSPFv3 routing information management 449 Configuring the maximum number of OSPFv3 load-balanced routes If multiple routes to a destination are available, using load balancing to send IPv6 packets on these routes in turn can improve link utilization. Follow these steps to configure the maxim...

  • Page 450

    450 Chapter 34: IPv6 OSPFv3 Configuration ■ Since OSPFv3 is a link state based routing protocol, it cannot directly filter LSAs to be advertised. Therefore, you need to configure filtering of redistributed routes before advertising routes that are not filtered in LSAs into the routing domain. ■ U...

  • Page 451

    Tuning and optimizing an OSPFv3 network 451 Note: ■ The dead interval set on neighboring interfaces cannot be too short. Otherwise, a neighbor is easily considered down. ■ The LSA retransmission interval cannot be too short; otherwise, unnecessary retransmissions occur. Configuring the DR priority for an ...

  • Page 452

    452 Chapter 34: IPv6 OSPFv3 Configuration Displaying and maintaining OSPFv3 Enable the logging on neighbor state changes log-peer-change Required Enabled by default To do… Use the command… Remarks To do… Use the command… Remarks Display OSPFv3 debugging state information display debugging ospf...

  • Page 453

    OSPFv3 configuration examples 453 OSPFv3 configuration examples Configuring OSPFv3 areas Network requirements In the following figure, all switches run OSPFv3. The AS is split into three areas, in which Switch B and Switch C act as ABRs to forward routing information between areas. It is required t...

  • Page 454

    454 Chapter 34: IPv6 OSPFv3 Configuration [switchb-vlan-interface100] ospfv3 1 area 0 [switchb-vlan-interface100] quit [switchb] interface vlan-interface 200 [switchb-vlan-interface200] ospfv3 1 area 1 [switchb-vlan-interface200] quit # Configure Switch C system-view [switchc] ipv6 [switchc] o...

  • Page 455

    OSPFv3 configuration examples 455 [switchd] display ospfv3 routing e1 - type 1 external route, ia - inter area route, i - intra area route e2 - type 2 external route, * - seleted route ospfv3 router with id (4.4.4.4) (process 1) -----------------------------------------------------------------------...

  • Page 456

    456 Chapter 34: IPv6 OSPFv3 Configuration type : ia cost : 4 nexthop : fe80::f40d:0:93d0:1 interface: vlan400 4 Configure area 2 as a totally stub area # Configure Switch C, the ABR, to make area 2 a totally stub area. [switchc-ospfv3-1-area-0.0.0.2] stub no-summary # Display OSPFv3 routing...

  • Page 457

    OSPFv3 configuration examples 457 # Configure Switch A system-view [switcha] ipv6 [switcha] ospfv3 [switcha-ospfv3-1] router-id 1.1.1.1 [switcha-ospfv3-1] quit [switcha] interface vlan-interface 100 [switcha-vlan-interface100] ospfv3 1 area 0 [switcha-vlan-interface100] quit # Configure Switch B sys...

  • Page 458

    458 Chapter 34: IPv6 OSPFv3 Configuration [switchd] display ospfv3 peer ospfv3 area id 0.0.0.0 (process 1) ---------------------------------------------------------------------- neighbor id pri state dead time interface instance id 1.1.1.1 1 full/drother 00:00:30 vlan100 0 2.2.2.2 1 full/droth...

  • Page 459

    Troubleshooting OSPFv3 configuration 459 3.3.3.3 2 full/backup 00:00:39 vlan100 0 4.4.4.4 1 full/drother 00:00:37 vlan200 0 # Display neighbor information on Switch D. You can find that Switch A becomes the DR. [switchd] display ospfv3 peer ospfv3 area id 0.0.0.0 (process 1) -----------------------------...

  • Page 460

    460 Chapter 34: IPv6 OSPFv3 Configuration Solution 1 Use the display ospfv3 peer command to display OSPFv3 neighbors. 2 Use the display ospfv3 interface command to display OSPFv3 interface information. 3 Use the display ospfv3 lsdb command to display link state database information to check in...

  • Page 461: IPv6 IS-IS Configuration

    35 IPv6 IS-IS Configuration Note: ■ IPv6 IS-IS supports all the features of IPv4 IS-IS except that it advertises IPv6 routing information instead. This document describes only IPv6 IS-IS exclusive configuration tasks. For other configuration tasks, refer to “IS-IS configuration” on page 325. ■ The te...

  • Page 462

    462 Chapter 35: IPv6 IS-IS Configuration Configuration prerequisites Before the configuration, accomplish the following tasks first: ■ Enable IPv6 globally ■ Configure IP addresses for interfaces, and make sure all neighboring nodes are reachable. ■ Enable IS-IS Configuration procedure Follow th...

  • Page 463

    Displaying and maintaining IPv6 IS-IS 463 Note: The ipv6 filter-policy export command, usually used in combination with the ipv6 import-route command, filters redistributed routes when advertising them to other routers. If no protocol is specified, routes redistributed from all routing protocols are fil...

  • Page 464

    464 Chapter 35: IPv6 IS-IS Configuration IPv6 IS-IS configuration example Network requirements As shown in Figure 146, Switch A, Switch B, Switch C and Switch D reside in the same autonomous system, and all are enabled with IPv6. Switch A and Switch B are level-1 switches, Switch D is a level-2 ...

  • Page 465

    IPv6 IS-IS configuration example 465 [switchb-isis-1] quit [switchb] interface vlan-interface 200 [switchb-vlan-interface200] isis ipv6 enable 1 [switchb-vlan-interface200] quit # Configure Switch C. system-view [switchc] isis 1 [switchc-isis-1] network-entity 10.0000.0000.0003.00 [switchc-isis-1] i...

  • Page 466

    466 Chapter 35: IPv6 IS-IS Configuration

  • Page 467: IPv6 BGP Configuration

    36 IPv6 BGP Configuration Note: This chapter describes only configuration for IPv6 BGP. For other related information, refer to “BGP configuration” on page 365. When configuring IPv6 BGP, go to these sections for information you are interested in: ■ “IPv6 BGP overview” on page 467 ■ “Configuration ta...

  • Page 468

    468 Chapter 36: IPv6 BGP Configuration Configuration task list Complete the following tasks to configure IPv6 BGP: Task Remarks “Configuring IPv6 BGP basic functions” on page 469 “Configuring an IPv6 peer” on page 469 Required “Advertising a local IPv6 route” on page 469 Optional “Configuring a ...

  • Page 469

    Configuring IPv6 BGP basic functions 469 Configuring IPv6 BGP basic functions Prerequisites Before configuring this task, you need to: ■ Specify IP addresses for interfaces. ■ Enable IPv6. Note: You need to create a peer group before configuring basic functions for it. For related information, refer to “Co...

  • Page 470

    470 Chapter 36: IPv6 BGP Configuration For routes from a peer, the routing policy sets a non-zero preferred value for routes matching it. Other routes not matching the routing policy use the value set with the command. If the preferred value in the routing policy is zero, the routes matching it...

  • Page 471

    Controlling route distribution and reception 471 Configuring a description for a peer/peer group Follow these steps to configure a description for a peer/peer group: Note: The peer group to be configured with a description must have been created. Disabling session establishment to a peer/peer group Follow...

  • Page 472

    472 Chapter 36: IPv6 BGP Configuration Configuring IPv6 BGP route redistribution Follow these steps to configure IPv6 BGP route redistribution and filtering: Note: If the default-route imported command is not configured, using the import-route command cannot redistribute any IGP default route. Adver...

  • Page 473

    Controlling route distribution and reception 473 Note: ■ Members of a peer group must have the same outbound route policy as the peer group. ■ IPv6 BGP advertises routes passing the specified policy to peers. Using the protocol argument can filter only the specified protocol routes. If no protocol spe...

  • Page 474

    474 Chapter 36: IPv6 BGP Configuration Follow these steps to configure IPv6 BGP and IGP route synchronization: Configuring route dampening Follow these steps to configure BGP route dampening: Configuring IPv6 BGP route attributes This section describes how to use IPv6 BGP route attributes to mod...

  • Page 475

    Configuring IPv6 BGP route attributes 475 Note: ■ To make sure an IBGP peer can find the correct next hop, you can configure routes advertised to the peer to use the local router as the next hop. If BGP load balancing is configured, the local router specifies itself as the next hop of outbound routes to...

  • Page 476

    476 Chapter 36: IPv6 BGP Configuration Tuning and optimizing IPv6 BGP networks This section describes configurations of IPv6 BGP timers, IPv6 BGP connection soft reset and the maximum number of load balanced routes. ■ IPv6 BGP timers After establishing an IPv6 BGP connection, two routers send ke...

  • Page 477

    Tuning and optimizing IPv6 BGP networks 477 Note: ■ Timers configured using the timer command have lower priority than timers configured using the peer timer command. ■ The holdtime interval must be at least three times the keepalive interval. Configuring IPv6 BGP soft reset Enable route refresh Follow ...

  • Page 478

    478 Chapter 36: IPv6 BGP Configuration Note: If the peer keep-all-routes command is used, all routes from the peer/peer group will be saved regardless of whether the filtering policy is available. These routes will be used to generate IPv6 BGP routes after a soft reset is performed. Configuring the ma...

  • Page 479

    Configuring a large scale IPv6 BGP network 479 Create a pure EBGP peer group Follow these steps to configure a pure EBGP group: Note: ■ To create a pure EBGP peer group, you need to specify an AS number for the peer group. ■ If a peer was added into an EBGP peer group, you cannot specify any AS number f...

  • Page 480

    480 Chapter 36: IPv6 BGP Configuration Note: When creating a mixed EBGP peer group, you need to create a peer and specify its AS number, which can be different from the AS numbers of other peers, but you cannot specify an AS number for the EBGP peer group. Configuring IPv6 BGP community Advertise community a...

  • Page 481

    Configuring a large scale IPv6 BGP network 481 Note: ■ In general, since the route reflector forwards routing information between clients, it is not required to make clients of a route reflector fully meshed. If clients are fully meshed, it is recommended to disable route reflection between clients to r...

  • Page 482

    482 Chapter 36: IPv6 BGP Configuration Displaying and maintaining IPv6 BGP configuration Displaying BGP To do… Use the command… Remarks Display IPv6 BGP peer group information display bgp ipv6 group [ ipv6-group-name ] Available in any view Display IPv6 BGP advertised routing information display...

  • Page 483

    IPv6 BGP configuration examples 483 Resetting IPv6 BGP connections Clearing IPv6 BGP information IPv6 BGP configuration examples Note: Some examples for IPv6 BGP configuration are similar to those of BGP-4, so refer to “BGP configuration” on page 365 for related information. IPv6 BGP basic configuration...

  • Page 484

    484 Chapter 36: IPv6 BGP Configuration system-view [switchb] ipv6 [switchb] bgp 65009 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] ipv6-family [switchb-bgp-af-ipv6] peer 9:1::2 as-number 65009 [switchb-bgp-af-ipv6] peer 9:3::2 as-number 65009 [switchb-bgp-af-ipv6] quit [switchb-bgp] quit # conf...

  • Page 485

    IPv6 BGP configuration examples 485 local as number : 65009 total number of peers : 3 peers in established state : 3 peer v as msgrcvd msgsent outq prefrcv up/down state 10::2 4 65008 3 3 0 0 00:01:16 established 9:3::2 4 65009 2 3 0 0 00:00:40 established 9:1::2 4 65009 2 4 0 0 00:00:19 established...

  • Page 486

    486 Chapter 36: IPv6 BGP Configuration [switcha-bgp] router-id 1.1.1.1 [switcha-bgp] ipv6-family [switcha-bgp-af-ipv6] peer 100::2 as-number 200 [switcha-bgp-af-ipv6] network 1:: 64 # Configure Switch B. system-view [switchb] ipv6 [switchb] bgp 200 [switchb-bgp] router-id 2.2.2.2 [switchb-bgp] ip...

  • Page 487

    Troubleshooting IPv6 BGP configuration 487 Processing steps 1 Use the display current-configuration command to verify the peer’s AS number. 2 Use the display bgp ipv6 peer command to verify the peer’s IPv6 address. 3 If the loopback interface is used, check whether the peer connect-interface command...

  • Page 488

    488 Chapter 36: IPv6 BGP Configuration

  • Page 489: Routing Policy Configuration

    37 Routing Policy Configuration Introduction to routing policy Routing policy A routing policy is used on the router for route inspection, filtering, and attribute modification when routes are received, advertised, or redistributed. When distributing or receiving routing information, a router can use a...

  • Page 490

    490 Chapter 37: Routing Policy Configuration AS-path An AS path is only applicable to IPv6 BGP. There is an AS-path field in the IPv6 BGP packet. An AS path list specifies matching conditions according to the AS-path field. Community list A community list only applies to IPv6 BGP. The IPv6 BGP packet...

  • Page 491

    Defining filtering lists 491 Defining an IPv6 prefix list Identified by name, each IPv6 prefix list can comprise multiple items. Each item specifies a matching address range in the form of a network prefix, and is identified by an index number. During matching, the system compares the route to each ite...

  • Page 492

    492 Chapter 37: Routing Policy Configuration Defining an extended community list You can define multiple items for an extended community list that is identified by number. During matching, the relation between items is logical OR, that is, if routing information matches one of these items, it pass...

  • Page 493

    Configuring a routing policy 493 Creating a routing policy Follow these steps to create a routing policy: Note: ■ If a node has the permit keyword specified, routing information meeting the node’s conditions will be handled using the apply clauses of this node, without needing to match against the next ...

  • Page 494

    494 Chapter 37: Routing Policy Configuration Note: ■ The if-match clauses of a route-policy are in a logical AND relationship, namely, routing information has to satisfy all if-match clauses before the apply clauses are executed. ■ You can specify no or multiple if-match clauses for a routing policy....

  • Page 495

    Displaying and maintaining the routing policy 495 Note: The apply ipv6 next-hop commands do not apply to redistributed IPv6 routes. Displaying and maintaining the routing policy Routing policy configuration example Applying routing policy when redistributing IPv6 routes Network requirements...

  • Page 496

    496 Chapter 37: Routing Policy Configuration Network diagram Figure 149 Network diagram for routing policy application to route redistribution Configuration procedure 1 Configure Switch A # Configure IPv6 addresses for VLAN-interface 100 and VLAN-interface 200. system-view [switcha] ipv6 [switch...

  • Page 497

    Troubleshooting routing policy configuration 497 [switchb] ipv6 [switchb] interface vlan-interface 100 [switchb-vlan-interface100] ipv6 address 10::2 32 # Enable RIPng on VLAN-interface 100. [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # Enable RIPng. [switchb] ripng #...

  • Page 498

    498 Chapter 37: Routing Policy Configuration

  • Page 499: IPv6 Basics Configuration

    38 IPv6 Basics Configuration When configuring IPv6 basics, go to these sections for information you are interested in: ■ “IPv6 overview” on page 499 ■ “IPv6 basics configuration task list” on page 508 ■ “Configuring basic IPv6 functions” on page 508 ■ “Configuring IPv6 NDP” on page 510 ■ “Config...

  • Page 500

    500 Chapter 38: IPv6 Basics Configuration addresses, the size of basic IPv6 headers is 40 bytes and is only twice that of IPv4 headers (excluding the options field). Figure 150 Comparison between IPv4 packet header format and basic IPv6 packet header format Adequate address space The source and...

  • Page 501

    IPv6 overview 501 QoS support The flow label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets. Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Pro...

  • Page 502

    502 Chapter 38: IPv6 Basics Configuration ■ Unicast address: an identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address. ■ Multicast address: an identifier for a set of interfaces (typical...

  • Page 503

    IPv6 overview 503 node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address. Multicast address IPv6 multicast addresses listed in Table 48 are reserved for special purposes. Besides, there is another type of multicast address: solicited...

  • Page 504

    504 Chapter 38: IPv6 Basics Configuration Introduction to IPv6 neighbor discovery protocol IPv6 neighbor discovery protocol (NDP) uses five types of ICMPv6 messages to implement the following functions: ■ “Address resolution” on page 504 ■ “Neighbor reachability detection” on page 505 ■ “Duplic...

  • Page 505

    IPv6 overview 505 Figure 152 Address resolution The address resolution procedure is as follows: 1 Node A multicasts an NS message. The source address of the NS message is the IPv6 address of an interface of Node A and the destination address is the solicited-node multicast address of Node B. The NS ...

  • Page 506

    506 Chapter 38: IPv6 Basics Configuration The DAD procedure is as follows: 1 Node A sends an NS message whose source address is the unassigned address :: and destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the...

  • Page 507

    IPv6 overview 507 ■ The selected route is not the default route. ■ The forwarded IPv6 packet does not contain any routing header. IPv6 PMTU discovery The links that a packet passes from the source to the destination may have different MTUs. In IPv6, when the packet size exceeds the link MTU, the pac...

  • Page 508

    508 Chapter 38: IPv6 Basics Configuration Protocols and standards Protocols and standards related to IPv6 include: ■ RFC 1881: IPv6 address allocation management ■ RFC 1887: An architecture for IPv6 unicast address allocation ■ RFC 1981: Path MTU discovery for IP version 6 ■ RFC 2375: IPv6 mult...

  • Page 509

    Configuring basic IPv6 functions 509 ■ EUI-64 format: when the EUI-64 format is adopted to form IPv6 addresses, the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link-layer address of the interface. ■ Manual configuration: IPv6 site-loc...

  • Page 510

    510 Chapter 38: IPv6 Basics Configuration ■ You need to execute the ipv6 address auto link-local command before the undo ipv6 address auto link-local command. However, if an IPv6 site-local address or aggregatable global unicast address is already configured for an interface, the interface stil...

  • Page 511

    Configuring IPv6 NDP 511 Configuring parameters related to an RA message You can configure whether the interface sends an RA message, the interval for sending RA messages, and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operation...

  • Page 512

    512 Chapter 38: IPv6 Basics Configuration Follow these steps to configure parameters related to an RA message: To do… Use the command… Remarks Enter system view system-view - Configure the current hop limit ipv6 nd hop-limit value Optional 64 by default. Enter interface view interface interface...

  • Page 513

    Configuring PMTU discovery 513 Caution: The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages. Configuring the number of attempts to send an NS message for DAD An interface sends a neighbor solicitation (NS) message for DAD after acquiring ...

  • Page 514

    514 Chapter 38: IPv6 Basics Configuration host sends subsequent packets to the destination host on the basis of this MTU. After the aging time expires, the dynamically determined PMTU is removed and the source host re-determines an MTU to send packets through the PMTU mechanism. The aging time is i...

  • Page 515

    Configuring IPv6 DNS 515 configured capacity. One token allows one ICMPv6 error packet to be sent. Each time an ICMPv6 error packet is sent, the number of tokens in a token bucket decreases by 1. If the number of ICMPv6 error packets successively sent exceeds the capacity of the token bucket, subseq...

  • Page 516

    516 Chapter 38: IPv6 Basics Configuration Configuring dynamic IPv6 domain name resolution If you want to use the dynamic domain name function, you can use the following command to enable the dynamic domain name resolution function. In addition, you should configure a DNS server so that a query ...

  • Page 517

    IPv6 configuration example 517 Note: The display dns domain command is the same as the one for IPv4 DNS. For details about the commands, refer to “DNS configuration” on page 971. IPv6 configuration example Network requirements Two switches are directly connected through two Ethernet ports. The Ethernet p...

  • Page 518

    518 Chapter 38: IPv6 Basics Configuration # Enable the IPv6 packet forwarding function. system-view [switcha] ipv6 # Configure VLAN-interface 2 to automatically generate a link-local address. [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ipv6 address auto link-local # Configure...

  • Page 519

    IPv6 configuration example 519 nd dad is enabled, number of dad attempts: 1 nd reachable time is 30000 milliseconds nd retransmit interval is 1000 milliseconds hosts use stateless autoconfig for addresses # Display the IPv6 information of the interface on Switch B. [switchb-vlan-interface2] display ...

  • Page 520

    520 Chapter 38: IPv6 Basics Configuration --- 2001::20f:e2ff:fe00:1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 40/58/70 ms [switcha-vlan-interface2] ping ipv6 3001::2 ping 3001::2 : 56 data bytes, press ctrl_c to break reply from ...

  • Page 521: Dual Stack Configuration

    39 Dual Stack Configuration. When configuring dual stack, go to these sections for the information you are interested in: ■ “Dual stack overview” on page 521 ■ “Configuring dual stack” on page 521. Dual stack overview: dual stack is the most direct approach to making IPv6 nodes compatible with IPv4 node...

  • Page 523: Tunneling Configuration

    40 Tunneling Configuration. When configuring tunneling, go to these sections for the information you are interested in: ■ “Introduction to tunneling” on page 523 ■ “Tunneling configuration task list” on page 526 ■ “Configuring IPv6 manual tunnel” on page 526 ■ “Configuring 6to4 tunnel” on page 530 ■ “C...

  • Page 524

    524 Chapter 40: Tunneling Configuration. Figure 157 Principle of IPv6 over IPv4 tunnel. The IPv6 over IPv4 tunnel processes packets in the following way: 1 A host in the IPv6 network sends an IPv6 packet to the device at the source end of the tunnel. 2 After determining according to the routing tab...

  • Page 525

    Introduction to tunneling 525. Among the above tunnels, the IPv6 manual tunnel is a configured tunnel, while the 6to4 tunnel and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel are automatic tunnels. 1 IPv6 manually configured tunnel: a manually configured tunnel is a point-to-point link...

  • Page 526

    526 Chapter 40: Tunneling Configuration. Tunneling configuration task list: complete the following tasks to configure the tunneling feature. Configuring IPv6 manual tunnel. Configuration prerequisites: IP addresses are configured for interfaces such as the VLAN interface and loopback interface on the...

  • Page 527

    Configuring IPv6 manual tunnel 527. Caution: ■ After a tunnel interface is deleted, all the above features configured on the tunnel interface are deleted. ■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the ...

  • Page 528

    528 Chapter 40: Tunneling Configuration. Network diagram: Figure 159 Network diagram for an IPv6 manual tunnel. Configuration procedure ■ Configuration on Switch A. # Enable IPv6. system-view [SwitchA] ipv6 # Configure a link aggregation group. Disable STP on the port before adding it to the link a...

  • Page 529

    Configuring IPv6 manual tunnel 529. system-view [SwitchB] ipv6 # Configure a link aggregation group. Disable STP on the port before adding it to the link aggregation group. [SwitchB] link-aggregation group 1 mode manual [SwitchB] link-aggregation group 1 service-type tunnel [SwitchB] interface giga...

  • Page 530

    530 Chapter 40: Tunneling Configuration. Line protocol current state: UP. IPv6 is enabled, link-local address is fe80::c0a8:3201. Global unicast address(es): 3001::2, subnet is 3001::/64. Joined group address(es): ff02::1:ffa8:3201, ff02::1:ff00:2, ff02::2, ff02::1. MTU is 1500 bytes. ND reachable time is...

  • Page 531

    Configuring 6to4 tunnel 531. Caution: ■ Only one automatic tunnel can be configured at the same tunnel source. ■ No destination address needs to be configured for an automatic tunnel, because the destination address can automatically be obtained from the IPv4 address embedded in the IPv4-compatible ...

  • Page 532

    532 Chapter 40: Tunneling Configuration. ■ When you configure a static route, you need to configure a route to the destination address (the destination IP address of the packet, not the IPv4 address of the tunnel destination) and set the next hop to the tunnel interface number or network ad...

  • Page 533

    Configuring 6to4 tunnel 533. [SwitchA-Vlan-interface100] ip address 2.1.1.1 24 [SwitchA-Vlan-interface100] quit # Configure a route to VLAN-interface 100 of Switch B. (Here the next-hop address of the static route is represented by [nexthop]. In practice, you should configure the real next-hop addres...

  • Page 534

    534 Chapter 40: Tunneling Configuration. [SwitchB-vlan100] quit [SwitchB] interface vlan-interface 100 [SwitchB-Vlan-interface100] ip address 5.1.1.1 24 [SwitchB-Vlan-interface100] quit # Configure a route to VLAN-interface 100 of Switch A. (Here the next-hop address of the static route is represe...

  • Page 535

    Configuring ISATAP tunnel 535. Configuring ISATAP tunnel. Configuration prerequisites: IP addresses are configured for interfaces such as the VLAN interface and loopback interface on the device. Such an interface can serve as the source interface of a tunnel to ensure that the tunnel destination address i...

  • Page 536

    536 Chapter 40: Tunneling Configuration. Caution: ■ If the addresses of the tunnel interfaces at the two ends of a tunnel are not in the same network segment, a forwarding route through the tunnel to the peer must be configured so that the encapsulated packet can be forwarded normally. You can c...

  • Page 537

    Configuring ISATAP tunnel 537. # Configure addresses for interfaces. [Switch] vlan 100 [Switch-vlan100] port gigabitethernet 1/0/2 [Switch-vlan100] quit [Switch] interface vlan-interface 100 [Switch-Vlan-interface100] ipv6 address 3001::1/64 [Switch-Vlan-interface100] quit [Switch] vlan 101 [Switch-v...

  • Page 538

    538 Chapter 40: Tunneling Configuration. DAD transmits 0. Default site prefix length 48. # A link-local address (fe80::5efe:2.1.1.2) in the ISATAP format was automatically generated for the ISATAP interface. Configure the IPv4 address of the ISATAP switch on the ISATAP interface. C:\>ipv6 rlu 2 2.1....
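    The address embedding that the 6to4 caution on page 531 and the ISATAP example on page 538 rely on, worked through as an added example (this is not the switch's code). The derivations follow RFC 3056 (6to4, 2002:WWXX:YYZZ::/48) and RFC 5214 (ISATAP, interface identifier 0:5efe:W.X.Y.Z); the IPv4 addresses 2.1.1.1, 5.1.1.1 and 2.1.1.2 come from the examples on pages 533, 534 and 538, and the 3001::/64 prefix is the one configured on page 537, reused here only as sample input. The last function shows the property the caution states: for an automatic tunnel the IPv4 destination is recovered from the IPv6 destination, and an address with nothing embedded needs a manually configured tunnel.

```python
"""IPv6-over-IPv4 tunnel address helpers (added example, not 3Com code).

Automatic tunnels need no configured destination because the IPv4 endpoint
is embedded in the IPv6 address:
  * 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48 carries the endpoint W.X.Y.Z.
  * ISATAP (RFC 5214): the interface identifier is 0:5efe:W.X.Y.Z, which is
    how fe80::5efe:2.1.1.2 on page 538 arises.
  * IPv4-compatible addresses ::W.X.Y.Z embed the endpoint in the low 32 bits.
"""
import ipaddress


def sixto4_prefix(ipv4: str) -> str:
    """The /48 a 6to4 site derives from its public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48)))


def isatap_link_local(ipv4: str) -> str:
    """fe80::5efe:W.X.Y.Z, returned in Python's canonical hex-group form."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((0xFE80 << 112) | (0x5EFE << 32) | v4))


def isatap_address(prefix: str, ipv4: str) -> str:
    """ISATAP global address: an advertised /64 plus the 0:5efe:W.X.Y.Z identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP prefixes are /64")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | (0x5EFE << 32) | v4))


def automatic_tunnel_destination(ipv6: str):
    """IPv4 address an automatic tunnel derives from an IPv6 destination,
    or None when nothing is embedded (a manual tunnel is needed then)."""
    addr = ipaddress.IPv6Address(ipv6)
    n = int(addr)
    if addr in ipaddress.IPv6Network("2002::/16"):        # 6to4: bits 16..47
        v4 = (n >> 80) & 0xFFFFFFFF
    elif ((n >> 32) & 0xFDFFFFFF) == 0x5EFE:               # ISATAP IID, u/l bit either way
        v4 = n & 0xFFFFFFFF
    elif (n >> 32) == 0 and n > 1:                         # IPv4-compatible ::W.X.Y.Z
        v4 = n & 0xFFFFFFFF
    else:
        return None
    return str(ipaddress.IPv4Address(v4))


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"), isatap_link_local("2.1.1.2"))
    for dst in ("2002:501:101::1", "fe80::5efe:2.1.1.2", "::2.1.1.1", "3001::2"):
        print(dst, "->", automatic_tunnel_destination(dst))
```

    A practical consequence for the caution on page 531: whoever controls the IPv6 destination address of a packet entering an automatic tunnel also chooses the IPv4 address the encapsulated packet is sent to, so 6to4 and ISATAP tunnel sources should be paired with filtering of the embedded IPv4 addresses (private, loopback, broadcast) if the device does not do that itself.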

  • Page 539

    Troubleshooting tunneling configuration 539. ...interface is down, use the debugging tunnel event command in user view to view the cause. 2 Another possible cause is that the tunnel destination is unreachable. Use the display ipv6 routing-table or display ip routing-table command to view whether the tun...

  • Page 541: Multicast Overview

    41 Multicast Overview. Note: this manual chiefly focuses on IP multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to IP multicast. Introduction to multicast: as a technique coexisting with unicast and broadcast, the multicast technique e...

  • Page 542

    542 Chapter 41: Multicast Overview. In unicast transmission, the traffic over the network is proportional to the number of hosts that need the information. If a large number of users need the information, the information source needs to send a copy of the same information to each of these users. T...

  • Page 543

    Introduction to multicast 543. Figure 164 Multicast transmission. Assume that hosts B, D and E need the information. To receive the information correctly, these hosts need to join a receiver set, which is known as a multicast group. The routers on the network duplicate and forward the information base...

  • Page 544

    544 Chapter 41: Multicast Overview. Note: ■ A multicast source does not necessarily belong to a multicast group; that is, a multicast source is not necessarily a multicast data receiver. ■ A multicast source can send data to multiple multicast groups at the same time, and multiple multicast sources can...

  • Page 545

    Multicast architecture 545. SSM model: in practice, users may be interested in the multicast data from only certain multicast sources. The SSM model provides a transmission service that allows users to specify, at the client side, the multicast sources they are interested in. The radical diffe...

  • Page 546

    546 Chapter 41: Multicast Overview. Note: ■ The membership of a group is dynamic; hosts can join or leave multicast groups at any time. ■ “GLOP” is a mechanism for assigning multicast addresses between different autonomous systems (ASs). By filling an AS number into the middle two bytes of 233.0.0.0, y...

  • Page 547

    Multicast architecture 547. Figure 165 IPv6 multicast address format. ■ 0xFF: 8 bits, indicating that this address is an IPv6 multicast address. ■ Flags: 4 bits, of which the high-order flag is reserved and set to 0; the definition and usage of the second bit can be found in RFC 3956; the definition and usage...

  • Page 548

    548 Chapter 41: Multicast Overview. Figure 166 IPv4-to-MAC address mapping. The high-order four bits of a multicast IPv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a MAC address, so five bits of the multicast IPv4 a...
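    The address arithmetic of pages 546 through 548 (GLOP allocation, the IPv6 multicast flags and scope fields of Figure 165, and the IPv4-to-MAC mapping of Figure 166 with the five lost bits) as an added example that is not part of the manual. The IPv6-to-MAC mapping (33:33 plus the low 32 bits, RFC 2464) is included alongside it; the manual's own output on pages 572 and 600 (224.1.1.1 shown as MAC group 0100-5e01-0101, ff1e::101 matching one MAC group) is used as the sample input.

```python
"""Multicast address arithmetic from the overview chapter (added example, not 3Com code).

GLOP allocation from a 16-bit AS number (RFC 3180), IPv4 group -> MAC
(01:00:5e + low 23 bits) and the 32:1 ambiguity it causes, IPv6 group -> MAC
(33:33 + low 32 bits, RFC 2464), and the flags/scope nibbles of Figure 165.
"""
import ipaddress

SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
          5: "site-local", 8: "organization-local", 0xE: "global"}


def glop_range(asn: int) -> str:
    """GLOP: 233.<AS high byte>.<AS low byte>.0/24 for a 16-bit AS number."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP covers 16-bit AS numbers only")
    return f"233.{asn >> 8}.{asn & 0xFF}.0/24"


def ipv4_group_to_mac(group: str) -> str:
    """01:00:5e + low 23 bits of the group; the high 5 of the 28 variable bits are lost."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(g) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv4_groups_sharing_mac(group: str) -> list:
    """All 32 IPv4 groups that collide on the same MAC as `group` (2**5 dropped bits).
    A port forwarded on the MAC alone receives frames for every one of them."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


def ipv6_group_to_mac(group: str) -> str:
    """33:33 + low 32 bits of the IPv6 group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33:33:" + ":".join("%02x" % b for b in (int(g) & 0xFFFFFFFF).to_bytes(4, "big"))


def ipv6_multicast_fields(group: str) -> dict:
    """Flags (0RPT) and scope nibbles that follow the 0xFF octet in Figure 165."""
    n = int(ipaddress.IPv6Address(group))
    if n >> 120 != 0xFF:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    flags, scope = (n >> 116) & 0xF, (n >> 112) & 0xF
    return {"transient": bool(flags & 1), "prefix_based": bool(flags & 2),
            "embedded_rp": bool(flags & 4), "scope": scope,
            "scope_name": SCOPES.get(scope, "reserved/unassigned")}


if __name__ == "__main__":
    print(glop_range(65535), ipv4_group_to_mac("224.1.1.1"), ipv6_group_to_mac("ff1e::101"))
    print(ipv4_groups_sharing_mac("224.1.1.1")[:4], ipv6_multicast_fields("ff1e::101"))
```

    The 32:1 collision is the reason the snooping chapters keep the forwarding table keyed on IP groups and only then show the MAC group: a receiver of 224.1.1.1 on a switch that forwards on MAC alone would also get 225.1.1.1 and 239.129.1.1, which matters when a group filter is supposed to keep a port away from a particular stream.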

  • Page 549

    Multicast architecture 549. This section provides only general descriptions of the applications and functions of the Layer 2 and Layer 3 multicast protocols in a network. For details of these protocols, refer to the respective chapters. Layer 3 multicast protocols: Layer 3 multicast protocols include m...

  • Page 550

    550 Chapter 41: Multicast Overview. For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport. Layer 2 multi...

  • Page 551

    Multicast packet forwarding mechanism 551. ■ To ensure multicast packet transmission in the network, unicast routing tables or multicast routing tables specially provided for multicast must be used as guidance for multicast forwarding. ■ To process the same multicast information from different peers ...

  • Page 553: IGMP Snooping Configuration

    42 IGMP Snooping Configuration. When configuring IGMP snooping, go to the following sections for the information you are interested in: ■ “IGMP snooping overview” on page 553 ■ “IGMP snooping configuration task list” on page 558 ■ “Displaying and maintaining IGMP snooping” on page 569 ■ “IGMP snooping ...

  • Page 554

    554 Chapter 42: IGMP Snooping Configuration. Figure 170 Before and after IGMP snooping is enabled on the Layer 2 device. Basic concepts in IGMP snooping. IGMP snooping related ports: as shown in Figure 171, Router A connects to the multicast source, IGMP snooping runs on Switch A and Switch B, Host A...

  • Page 555

    IGMP snooping overview 555. ...switch registers all its local router ports (including static and dynamic router ports) in its router port list. ■ Member port: a member port is a port on the Ethernet switch that leads the switch towards multicast group members. In the figure, Ethernet 1/0/2 and Ethernet 1/0/...

  • Page 556

    556 Chapter 42: IGMP Snooping Configuration. When receiving a membership report: a host sends an IGMP report to the multicast router in the following circumstances: ■ Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. ■ When it intends to join a multicast group,...

  • Page 557

    IGMP snooping overview 557. ■ If the forwarding table entry exists and its outgoing port list contains the port, the switch forwards the leave group message to all router ports in the VLAN. Because the switch does not know whether any other hosts attached to the port are still listening to that group...
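    The learning behaviour described on pages 554 through 557 (router ports from queries, member ports from reports, a group-specific query on leave because the switch cannot know whether other hosts on the port are still listening) together with the fast-leave caution of page 563, simulated as an added example. This is not the switch's implementation: the port names, the aging values, the one-second response window for the group-specific query and the message sequence are all constructed for the example, and unknown multicast is modelled as either flooded in the VLAN or dropped.

```python
"""Minimal IGMP snooping state machine (added example, not 3Com code).

Router ports are learned from general queries (or PIM hellos) and aged out,
member ports are learned from reports and aged out, a leave triggers a
group-specific query unless fast leave is enabled on the port, and data is
forwarded to member ports plus router ports. All values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    ports: set = field(default_factory=set)            # all ports in the VLAN
    fast_leave: set = field(default_factory=set)       # ports with fast leave enabled
    drop_unknown: bool = False                         # drop (rather than flood) unknown groups
    router_aging: int = 105                            # seconds; assumed value
    member_aging: int = 260                            # seconds; assumed value
    router_ports: dict = field(default_factory=dict)   # port -> expiry
    groups: dict = field(default_factory=dict)         # group -> {port: expiry}
    pending: list = field(default_factory=list)        # (group, port, deadline) of queries we sent

    def on_general_query(self, port, now):
        """A query (or PIM hello) arrives on the port that leads towards the querier."""
        self.ports.add(port)
        self.router_ports[port] = now + self.router_aging

    def on_report(self, group, port, now):
        """Add/refresh the member port; return the router ports the report is relayed to."""
        self.ports.add(port)
        self.groups.setdefault(group, {})[port] = now + self.member_aging
        # A report answers any group-specific query we were waiting on for this port.
        self.pending = [q for q in self.pending if q[:2] != (group, port)]
        return sorted(p for p in self.router_ports if p != port)

    def on_leave(self, group, port, now, max_response=1):
        """Fast-leave ports are pruned at once (other hosts on that port lose the
        stream); otherwise a group-specific query goes out the port and the entry
        is kept until max_response seconds pass without a report."""
        members = self.groups.get(group, {})
        if port not in members:
            return []
        if port in self.fast_leave:
            self._remove_member(group, port)
            return []
        self.pending.append((group, port, now + max_response))
        return [port]                      # where the group-specific query is sent

    def _remove_member(self, group, port):
        self.groups.get(group, {}).pop(port, None)
        if group in self.groups and not self.groups[group]:
            del self.groups[group]

    def tick(self, now):
        """Age out router ports and members; prune ports whose query went unanswered."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            for port, expiry in list(self.groups[group].items()):
                if expiry <= now:
                    self._remove_member(group, port)
        still = []
        for group, port, deadline in self.pending:
            if deadline <= now:
                self._remove_member(group, port)
            else:
                still.append((group, port, deadline))
        self.pending = still

    def forwarding_ports(self, group, ingress):
        """Egress ports for data of `group` arriving on `ingress`."""
        if group in self.groups:
            out = set(self.groups[group]) | set(self.router_ports)
        elif self.drop_unknown:
            out = set()
        else:
            out = set(self.ports)          # unknown multicast floods the VLAN
        out.discard(ingress)
        return sorted(out)
```

    Run through the constructed sequence of a query on GE1/0/1, reports on GE1/0/3 and GE1/0/4, then leaves, the model shows the two halves of the caution: the fast-leave port disappears from the outgoing list the moment one host leaves, while the other port stays until its group-specific query goes unanswered. It also shows why dropping unknown multicast is a sensible hardening step: with the default flood behaviour, any group nobody has joined reaches every port in the VLAN.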

  • Page 558

    558 Chapter 42: IGMP Snooping Configuration. IGMP snooping configuration task list: complete these tasks to configure IGMP snooping. Note: ■ Configurations made in IGMP snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the curren...

  • Page 559

    Configuring basic functions of IGMP snooping 559. Configuring basic functions of IGMP snooping. Configuration prerequisites: before configuring the basic functions of IGMP snooping, complete the following task: ■ Configure the corresponding VLANs. Before configuring the basic functions of IGMP snooping...

  • Page 560

    560 Chapter 42: IGMP Snooping Configuration. ■ Keep forwarding entries for version 3 static (*, G) joins; ■ Clear forwarding entries from version 3 static (S, G) joins, which will be restored when IGMP snooping is switched back to version 3. For details about static joins, refer to “Configuring st...

  • Page 561

    Configuring IGMP snooping port functions 561. Configuring static ports: if all the hosts attached to a port are interested in the multicast data addressed to a particular multicast group, or in the multicast data that a particular multicast source sends to a particular group, you can configure static (*, ...

  • Page 562

    562 Chapter 42: IGMP Snooping Configuration. To prevent this situation, you can enable simulated joining on a port of the switch, namely configure the port as a simulated member host for a multicast group. When an IGMP query is heard, the simulated host gives a response. Thus, the swi...

  • Page 563

    Configuring IGMP snooping querier 563. Configuring fast leave processing on a port or a group of ports: follow these steps to configure fast leave processing on a port or a group of ports. Caution: if fast leave processing is enabled on a port to which more than one host is attached, when one host l...

  • Page 564

    564 Chapter 42: IGMP Snooping Configuration. ...routers are present, the Layer 2 switch acts as the IGMP snooping querier to send IGMP queries, thus allowing multicast forwarding entries to be established and maintained at the data link layer. Follow these steps to enable the IGMP snooping querier: C...

  • Page 565

    Configuring an IGMP snooping policy 565. Configuring IGMP queries and responses in a VLAN: follow these steps to configure IGMP queries and responses in a VLAN. Caution: in the configuration, make sure that the IGMP general query interval is larger than the maximum response time for IGMP general que...

  • Page 566

    566 Chapter 42: IGMP Snooping Configuration. Before configuring an IGMP snooping policy, prepare the following data: ■ ACL rule for multicast group filtering ■ The maximum number of multicast groups that can pass the ports. Configuring a multicast group filter: on an IGMP snooping-enabled switch, th...

  • Page 567

    Configuring an IGMP snooping policy 567. If this feature is disabled on a port, the port can be connected with both multicast sources and multicast receivers. Configuring multicast source port filtering globally: follow these steps to configure multicast source port filtering globally. Configuring mul...

  • Page 568

    568 Chapter 42: IGMP Snooping Configuration. Configuring IGMP report suppression: when a Layer 2 device receives an IGMP report from a multicast group member, the device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members of a multicast group are attac...

  • Page 569

    Displaying and maintaining IGMP snooping 569. Configuring multicast group replacement: for some special reasons, the number of multicast groups that can be joined on the current switch or port may exceed the number configured for the switch or the port. In addition, in some specific applications, a mu...

  • Page 570

    570 Chapter 42: IGMP Snooping Configuration. Note: ■ The reset igmp-snooping group command works only on an IGMP snooping-enabled VLAN, not on a VLAN with IGMP enabled on its VLAN interface. ■ The reset igmp-snooping group command cannot clear IGMP snooping forwarding table entries for static join...

  • Page 571

    IGMP snooping configuration examples 571. Configuration procedure: 1 Configure the IP address of each interface. Configure an IP address and subnet mask for each interface as per Figure 172. The detailed configuration steps are omitted. 2 Configure Router A. # Enable IP multicast routing, enable PIM-DM ...

  • Page 572

    572 Chapter 42: IGMP Snooping Configuration. (0.0.0.0, 224.1.1.1): Attribute: Host Port. Host port(s): total 2 port. GE1/0/3 (D) ( 00:03:23 ) GE1/0/4 (D) ( 00:03:23 ). MAC group(s): MAC group address: 0100-5e01-0101. Host port(s): total 2 port. GE1/0/3 GE1/0/4. As shown above, GigabitEthernet 1/0/3 and G...

  • Page 573

    IGMP snooping configuration examples 573. Network diagram: Figure 173 Network diagram for static router port configuration. Configuration procedure: 1 Configure the IP address of each interface. Configure an IP address and subnet mask for each interface as per Figure 173. The detailed configuration steps...

  • Page 574

    574 Chapter 42: IGMP Snooping Configuration. # Configure GigabitEthernet 1/0/3 as a static router port. [SwitchA] interface gigabitethernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100 [SwitchA-GigabitEthernet1/0/3] quit 4 Configure Switch B. # Enable IGMP snoop...

  • Page 575

    IGMP snooping configuration examples 575. Host port(s): total 1 port. GE1/0/2 (D) ( 00:03:23 ). MAC group(s): MAC group address: 0100-5e01-0101. Host port(s): total 1 port. GE1/0/2. As shown above, GigabitEthernet 1/0/3 of Switch A has become a static router port. IGMP snooping querier configuration. Networ...

  • Page 576

    576 Chapter 42: IGMP Snooping Configuration. [SwitchA-vlan100] igmp-snooping enable [SwitchA-vlan100] igmp-snooping querier # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1. [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1 [SwitchA-vl...

  • Page 577

    Troubleshooting IGMP snooping configuration 577. Troubleshooting IGMP snooping configuration. Switch fails in Layer 2 multicast forwarding. Symptom: a switch fails to implement Layer 2 multicast forwarding. Analysis: IGMP snooping is not enabled. Solution: 1 Enter the display current-configuration command...

  • Page 578

    578 Chapter 42: IGMP Snooping Configuration. ...whether this configuration conflicts with the configured multicast group policy. If any conflict exists, remove the port as a static member of the multicast group.

  • Page 579: MLD Snooping Configuration

    43 MLD Snooping Configuration. When configuring MLD snooping, go to these sections for the information you are interested in: ■ “MLD snooping overview” on page 579 ■ “MLD snooping configuration task list” on page 583 ■ “Displaying and maintaining MLD snooping” on page 595 ■ “MLD snooping configuration ...

  • Page 580

    580 Chapter 43: MLD Snooping Configuration. Figure 175 Before and after MLD snooping is enabled on the Layer 2 device. Basic concepts in MLD snooping. MLD snooping related ports: as shown in Figure 171, Router A connects to the multicast source, MLD snooping runs on Switch A and Switch B, Host A and ...

  • Page 581

    MLD snooping overview 581. ...switch registers all its local router ports (including static and dynamic router ports) in its router port list. ■ Member port: a member port (also known as an IPv6 multicast group member port) is a port on the Ethernet switch that leads the switch towards multicast group members....

  • Page 582

    582 Chapter 43: MLD Snooping Configuration. Membership reports: a host sends an MLD report to the multicast router in the following circumstances: ■ Upon receiving an MLD query, an IPv6 multicast group member host responds with an MLD report. ■ When it intends to join an IPv6 multicast group, a host ...

  • Page 583

    MLD snooping configuration task list 583. ...sends an MLD multicast-address-specific query to that IPv6 multicast group through the port that received the done message. Upon hearing the MLD multicast-address-specific query, the switch forwards it through all its router ports in the VLAN and all member p...

  • Page 584

    584 Chapter 43: MLD Snooping Configuration. Note: ■ Configurations made in MLD snooping view are effective for all VLANs, while configurations made in VLAN view are effective only for ports belonging to the current VLAN. For a given VLAN, a configuration made in MLD snooping view is effective only if ...

  • Page 585

    Configuring MLD snooping port functions 585. Note: ■ MLD snooping must be enabled globally before it can be enabled in a VLAN. ■ After enabling MLD snooping in a VLAN, you cannot enable MLD and/or IPv6 PIM on the corresponding VLAN interface, and vice versa. ■ When you enable MLD snooping in a specified ...

  • Page 586

    586 Chapter 43: MLD Snooping Configuration. ■ IPv6 multicast group and IPv6 multicast source addresses. Configuring aging timers for dynamic ports: if the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list...

  • Page 587

    Configuring MLD snooping port functions 587. Note: ■ The IPv6 static (S, G) joining function is available only if a valid IPv6 multicast source address is specified and MLD snooping version 2 is currently running on the switch. ■ A static member port does not respond to queries from the MLD querier; when...

  • Page 588

    588 Chapter 43: MLD Snooping Configuration. Note: ■ Each simulated host is equivalent to an independent host. For example, when receiving an MLD query, the simulated host corresponding to each configuration responds separately. ■ Unlike a static member port, a port configured as a simulated member h...

  • Page 589

    Configuring MLD snooping querier 589. Caution: if fast leave processing is enabled on a port to which more than one host is connected, when one host leaves an IPv6 multicast group, the other hosts connected to the port and interested in the same IPv6 multicast group will fail to receive IPv6 multicast ...

  • Page 590

    590 Chapter 43: MLD Snooping Configuration. ...take part in MLD querier elections, it may affect MLD querier elections because it sends MLD general queries with a low source IPv6 address. Configuring MLD queries and responses: you can tune the MLD general query interval based on the actual condition of th...

  • Page 591

    Configuring an MLD snooping policy 591. Caution: make sure that the MLD query interval is greater than the maximum response time for MLD general queries; otherwise undesired deletion of IPv6 multicast members may occur. Configuring source IPv6 addresses of MLD queries: this configuration allows you ...

  • Page 592

    592 Chapter 43: MLD Snooping Configuration. Configuring an IPv6 multicast group filter on a port or a group of ports: follow these steps to configure an IPv6 multicast group filter on a port or a group of ports. Configuring IPv6 multicast source port filtering: with the IPv6 multicast source port fil...

  • Page 593

    Configuring an MLD snooping policy 593. Note: when enabled to filter IPv6 multicast data based on the source ports, the device is automatically enabled to filter IPv4 multicast data based on the source ports. Configuring dropping unknown IPv6 multicast data: unknown IPv6 multicast data refers to IPv6 mult...

  • Page 594

    594 Chapter 43: MLD Snooping Configuration. Configuring the maximum number of multicast groups that can be joined on a port: by configuring the maximum number of IPv6 multicast groups that can be joined on a port or a group of ports, you can limit the number of multicast programs available to VoD users, thu...

  • Page 595

    Displaying and maintaining MLD snooping 595. ■ If IPv6 multicast group replacement is not enabled, new MLD reports are automatically discarded. Configuring IPv6 multicast group replacement globally: follow these steps to configure IPv6 multicast group replacement globally. Configuring IPv6 mul...

  • Page 596

    596 Chapter 43: MLD Snooping Configuration. MLD snooping configuration examples. Simulated joining. Network requirements: as shown in Figure 177, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. Router A is the MLD querier on ...

  • Page 597

    MLD snooping configuration examples 597. # Enable MLD snooping globally. system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enable MLD snooping in the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100]...

  • Page 598

    598 Chapter 43: MLD Snooping Configuration. ■ Suppose STP runs on the network. To avoid data loops, the forwarding path from Switch A to Switch C is blocked under normal conditions, and IPv6 multicast traffic flows to the receivers, Host A and Host C, attached to Switch C only along the path of Sw...

  • Page 599

    MLD snooping configuration examples 599. [RouterA-GigabitEthernet1/0/2] pim ipv6 dm [RouterA-GigabitEthernet1/0/2] quit 3 Configure Switch A. # Enable MLD snooping globally. system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEt...

  • Page 600

    600 Chapter 43: MLD Snooping Configuration. Total 1 IP group(s). Total 1 IP source(s). Total 1 MAC group(s). Router port(s): total 2 port. GE1/0/1 (D) ( 00:01:30 ) GE1/0/3 (S). IP group(s): the following IP group(s) match to one MAC group. IP group address: ff1e::101 (::, ff1e::101): Attribute: Host P...

  • Page 601

    MLD snooping configuration examples 601. # Create VLAN 100 and add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 100. [SwitchA] vlan 100 [SwitchA-vlan100] port gigabitethernet 1/0/1 gigabitethernet 1/0/2 # Enable MLD snooping in VLAN 100 and configure the MLD snooping querier feature. [Swit...

  • Page 602

    602 Chapter 43: MLD Snooping Configuration. Troubleshooting MLD snooping. Switch fails in Layer 2 multicast forwarding. Symptom: a switch fails to implement Layer 2 multicast forwarding. Analysis: MLD snooping is not enabled. Solution: 1 Enter the display current-configuration command to view the runni...

  • Page 603

    Troubleshooting MLD snooping 603. ...whether this configuration conflicts with the configured IPv6 multicast group policy. If any conflict exists, remove the port as a static member of the IPv6 multicast group.

  • Page 605: Multicast VLAN Configuration

    44 Multicast VLAN Configuration. Introduction to multicast VLAN: as shown in Figure 180, in the traditional multicast programs-on-demand mode, when hosts that belong to different VLANs (Host A, Host B and Host C) require the multicast programs-on-demand service, Router A needs to forward a separate copy ...

  • Page 606

    606 Chapter 44: Multicast VLAN Configuration. Note: ■ The VLAN to be configured as the multicast VLAN and the VLANs to be configured as sub-VLANs of the multicast VLAN must exist. ■ The number of sub-VLANs of the multicast VLAN must not exceed the system-defined limit (a Switch 4800G supports a maxim...

  • Page 607

    Multicast VLAN configuration example 607. Network diagram: Figure 181 Network diagram for multicast VLAN configuration. Configuration procedure: 1 Configure an IP address for each interconnecting interface. Configure an IP address and subnet mask for each interface as per Figure 181. The detailed configu...

  • Page 608

    608 Chapter 44: Multicast VLAN Configuration. The configuration for VLAN 12 and VLAN 13 is similar to the configuration for VLAN 11. # Create VLAN 1024, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP snooping in the VLAN. [SwitchA] vlan 1024 [SwitchA-vlan1024] port gigabitethernet 1/0/1...

  • Page 609: IPv6 Multicast VLAN Configuration

    45 IPv6 Multicast VLAN Configuration. Introduction to IPv6 multicast VLAN: as shown in Figure 182, in the traditional IPv6 multicast programs-on-demand mode, when hosts that belong to different VLANs (Host A, Host B and Host C) require the IPv6 multicast programs-on-demand service, Router A needs to fo...

  • Page 610

    610 Chapter 45: IPv6 Multicast VLAN Configuration. Note: ■ The VLAN to be configured as an IPv6 multicast VLAN and the VLANs to be configured as sub-VLANs of the IPv6 multicast VLAN must exist. ■ The total number of sub-VLANs of an IPv6 multicast VLAN must not exceed the system-defined limit (a Swi...

  • Page 611

    IPv6 multicast VLAN configuration examples 611. Network diagram: Figure 183 Network diagram for IPv6 multicast VLAN configuration. Configuration procedure: 1 Enable IPv6 forwarding and configure IPv6 addresses for the interfaces of each device. Enable IPv6 forwarding and configure the IPv6 address and ad...

  • Page 612

    612 Chapter 45: IPv6 Multicast VLAN Configuration. [SwitchA] vlan 11 [SwitchA-vlan11] port gigabitethernet 1/0/2 [SwitchA-vlan11] quit The configuration for VLAN 12 and VLAN 13 is similar. The detailed configuration steps are omitted. # Create VLAN 1024, add GigabitEthernet 1/0/1 to VLAN 1024, a...

  • Page 613: IGMP Configuration

    46 IGMP Configuration. When configuring IGMP, go to the following sections for the information you are interested in: ■ “IGMP overview” on page 613 ■ “IGMP configuration task list” on page 617 ■ “IGMP configuration example” on page 624 ■ “Troubleshooting IGMP” on page 626. Note: the term “router” in this...

  • Page 614

    614 Chapter 46: IGMP Configuration. Figure 184 Joining multicast groups. Assume that Host B and Host C are expected to receive multicast data addressed to multicast group G1, while Host A is expected to receive multicast data addressed to G2, as shown in Figure 184. The basic process that the hosts ...

  • Page 615

    IGMP overview 615. ...address being the address of that multicast group. If no member of a multicast group exists on the subnet, the IGMP routers will not receive any report addressed to that multicast group, so the routers will delete the multicast forwarding entries corresponding to that multicast gro...

  • Page 616

    616 Chapter 46: IGMP Configuration. Enhancements in IGMPv3. Note: support for the exclude mode varies with device models. Built upon and compatible with IGMPv1 and IGMPv2, IGMPv3 provides hosts with enhanced control capabilities and provides enhancements to query and report messages. Enhanceme...

  • Page 617

    IGMP configuration task list 617. Enhancements in query and report capabilities: 1 Query message carrying the source addresses. IGMPv3 supports not only general queries (a feature of IGMPv1) and group-specific queries (a feature of IGMPv2), but also group-and-source-specific queries. ■ A general query does...

  • Page 618

    618 Chapter 46: IGMP Configuration. Note: ■ Configurations performed in IGMP view are effective on all interfaces, while configurations performed in interface view are effective on the current interface only. ■ If a feature is not configured for an interface in interface view, the global configuration ...

  • Page 619

    Configuring basic functions of IGMP 619. Configuring IGMP versions: because messages vary with different IGMP versions, the same IGMP version should be configured for all routers on the same subnet before IGMP can work properly. Configuring an IGMP version globally: follow these steps to configure an I...

  • Page 620

    620 Chapter 46: IGMP Configuration. Note: ■ Before you can configure an interface of a PIM-SM device as a static member of a multicast group: if the interface is PIM-SM enabled, it must be a PIM-SM DR; if the interface is IGMP enabled but not PIM-SM enabled, it must be an IGMP querier. ■ As a static m...

  • Page 621

    Adjusting IGMP performance 621. ■ By default, for compatibility, the device does not check the Router-Alert option; that is, it processes all the IGMP messages it receives. In this case, IGMP messages are passed directly to the upper layer protocol, no matter whether the IGMP messa...

  • Page 622

    622 Chapter 46: IGMP Configuration. IGMP is robust to “robustness variable minus 1” packet losses on a network. Therefore, a greater value of the robustness variable makes the IGMP querier “more robust”, but results in a longer multicast group timeout time. Upon receiving an IGMP query (general que...

  • Page 623

    Displaying and maintaining IGMP 623. Note: ■ If not statically configured, the other querier present interval is [IGMP query interval] times [IGMP robustness variable] plus [maximum response time for IGMP general queries] divided by two. By default, the values of these three parameters are 60 (seco...
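    The timer relationships of pages 622 and 623, plus the cautions on pages 565 and 591 that the query interval must exceed the maximum response time, gathered into one small checker as an added example (not the switch's code). The other-querier-present formula is the one stated on this page; the group membership interval (robustness times query interval plus maximum response time) is the RFC 2236 definition and is an assumption here, since the manual's text for it is not on this page. The defaults of 60 seconds, 2 and 10 seconds are taken from the page.

```python
"""Derived IGMP timers and a query-interval sanity check (added example, not 3Com code).

other_querier_present_interval follows the formula on the manual page;
group_membership_interval is the RFC 2236 definition (assumed, not quoted
from the manual). Defaults are the manual's: 60 s, robustness 2, 10 s.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IgmpTimers:
    query_interval: int = 60       # seconds between general queries
    robustness: int = 2            # robustness variable
    max_response: int = 10         # max response time for general queries, seconds

    def other_querier_present_interval(self) -> float:
        """Time a non-querier waits without hearing a query before taking over."""
        return self.query_interval * self.robustness + self.max_response / 2

    def group_membership_interval(self) -> int:
        """How long a group entry survives without a report (RFC 2236, assumed)."""
        return self.robustness * self.query_interval + self.max_response

    def tolerated_losses(self) -> int:
        """Consecutive lost queries/reports IGMP survives: robustness variable minus 1."""
        return self.robustness - 1

    def problems(self) -> list:
        """Misconfigurations the manual's cautions warn about."""
        issues = []
        if self.query_interval <= self.max_response:
            issues.append("query interval must be larger than the maximum response time, "
                          "or members can be aged out before their report arrives")
        if self.robustness < 1:
            issues.append("robustness variable must be at least 1")
        return issues


if __name__ == "__main__":
    t = IgmpTimers()
    print(t.other_querier_present_interval(), t.group_membership_interval(), t.problems())
    print(IgmpTimers(query_interval=5, max_response=10).problems())
```

    With the page's defaults the other-querier-present interval comes out at 125 seconds and a group entry lives 130 seconds, so a lost report costs a receiver at most one query cycle; raising the robustness variable lengthens both, which is the trade-off page 622 describes.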

  • Page 624

    Note: ■ The reset igmp group command cannot clear the IGMP forwarding entries of static joins. ■ The reset igmp group port-info command cannot clear Layer 2 port information about IGMP multicast groups of static joins. Caution: The reset igmp group command may caus...

  • Page 625

    IGMP configuration example: network diagram. Figure 186 Network diagram for IGMP configuration. Configuration procedure: 1 Configure the IP addresses of the switch interfaces and configure a unicast routing protocol. Configure the IP address and subnet mask of each interface as per Figure 186. The de...

  • Page 626

    # Enable IP multicast routing on Switch C, and enable IGMP (version 2) on VLAN-interface 200. system-view [switchc] multicast routing-enable [switchc] interface vlan-interface 200 [switchc-vlan-interface200] igmp enable [switchc-vlan-interface200] igmp version 2 ...

  • Page 627

    Troubleshooting IGMP: ...abnormal. Typically this is because the shutdown command has been executed on the interface, the interface connection is incorrect, or no correct IP address has been configured on the interface. 5 Check that no ACL rule has been configured to restrict the host from joinin...


  • Page 629: PIM Configuration

    47 PIM Configuration. When configuring PIM, go to these sections for information you are interested in: ■ “PIM overview” on page 629 ■ “Configuring PIM-DM” on page 641 ■ “Configuring PIM-SM” on page 643 ■ “Configuring PIM-SSM” on page 652 ■ “Configuring PIM common information” on page 653 ■ “Display...

  • Page 630

    Chapter 47: PIM Configuration. ■ PIM-DM assumes that at least one multicast group member exists on each subnet of a network, and therefore multicast data is flooded to all nodes on the network. Then, branches without multicast forwarding are pruned from the forwarding tree, leaving only those b...

  • Page 631

    PIM overview: a prune process is first initiated by a leaf router. As shown in Figure 187, a router without any receiver attached to it (the router connected with Host A, for example) sends a prune message, and this prune process goes on until only necessary branches are left in the PIM-DM domain...

  • Page 632

    Figure 188 Assert mechanism. As shown in Figure 188, after Router A and Router B receive an (S, G) packet from the upstream node, they both forward the packet to the local subnet. As a result, the downstream node Router C receives two identical multicast packets, a...

  • Page 633

    PIM overview: ■ When a receiver is interested in the multicast data addressed to a specific multicast group, the router connected to this receiver sends a join message to the RP corresponding to that multicast group. The path along which the message goes hop by hop to the RP forms a branch of the...

  • Page 634

    Figure 189 DR election. As shown in Figure 189, the DR election process is as follows: 1 Routers on the multi-access network send hello messages to one another. The hello messages contain the router priority for DR election. The router with the highest DR priority ...

  • Page 635

    PIM overview: ...domain, and the position of the RP corresponding to each multicast group is calculated through the BSR mechanism. Figure 190 shows the positions of C-RPs and the BSR in the network. Figure 190 BSR and C-RPs. RPT establishment: Figure 191 RPT establishment in a PIM-SM domain. As shown i...

  • Page 636

    The multicast data addressed to the multicast group G flows through the RP, reaches the corresponding DR along the established RPT, and finally is delivered to the receiver. When a receiver is no longer interested in the multicast data addressed to a multicast gro...

  • Page 637

    PIM overview: switchover from RPT to SPT. Initially, multicast traffic flows along an RPT from the RP to the receivers. Because the RPT is not necessarily the tree that has the shortest path, upon receiving the first multicast packet along the RPT (by default), or when detecting that the multicast...

  • Page 638

    Figure 193 Relationship between BSR admin-scope regions and the global scope zone. In geographic space, BSR admin-scope regions are geographically separated from one another. Namely, a router must not serve different BSR admin-scope regions. In other words, differen...

  • Page 639

    PIM overview: ■ The global scope zone and each BSR admin-scope region have their own C-RPs and BSR. These devices are effective only in their respective admin-scope regions. Namely, the BSR election and RP election are implemented independently within each admin-scope region. ■ Each BSR admin-sco...

  • Page 640

    Figure 195 SPT establishment in PIM-SSM. As shown in Figure 195, Host B and Host C are multicast information receivers. They send IGMPv3 report messages denoted as (include S, G) to the respective DRs to express their interest in the information of the specific mul...

  • Page 641

    Configuring PIM-DM: ■ draft-ietf-pim-v2-dm-03: Protocol Independent Multicast Version 2 Dense Mode Specification ■ draft-ietf-pim-sm-bsr-03: Bootstrap Router (BSR) Mechanism for PIM Sparse Mode ■ draft-ietf-ssm-arch-02: Source-Specific Multicast for IP ■ draft-ietf-ssm-overview-04: An Overview of...

  • Page 642

    Caution: ■ All the interfaces of the same router must work in the same PIM mode. ■ PIM-DM cannot be used for multicast groups in the SSM group range. Enabling state refresh: an interface without the state refresh capability cannot forward state refresh messages....

  • Page 643

    Configuring PIM-SM: configuring the PIM-DM graft retry period. In PIM-DM, graft is the only type of message that uses the acknowledgment mechanism. In a PIM-DM domain, if a router does not receive a graft-ack message from the upstream router within the specified time after it sends a graft message, th...

  • Page 644

    Before configuring PIM-SM, prepare the following data: ■ An ACL rule defining a legal BSR address range ■ Hash mask length for RP selection calculation ■ C-BSR priority ■ Bootstrap interval ■ Bootstrap timeout time ■ An ACL rule defining a legal C-RP address range...

  • Page 645

    Configuring PIM-SM: ■ You can configure these parameters at three levels: global configuration level, global scope level, and BSR admin-scope level. ■ By default, the global scope parameters and BSR admin-scope parameters are those configured at the global configuration level. ■ Parameters config...

  • Page 646

    Follow these steps to complete basic C-BSR configuration. Note: since a large amount of information needs to be exchanged between a BSR and the other devices in the PIM-SM domain, a relatively large bandwidth should be provided between the C-BSR and the other devices ...

  • Page 647

    Configuring PIM-SM: configuring a BSR admin-scope region boundary. A BSR has its specific service scope. A number of BSR boundary interfaces divide a network into different BSR admin-scope regions. Bootstrap messages cannot cross the admin-scope region boundary, while other types of PIM messages c...

  • Page 648

    ■ By default, the bootstrap timeout time is determined by this formula: bootstrap timeout = bootstrap interval × 2 + 10. The default bootstrap interval is 60 seconds, so the default bootstrap timeout = 60 × 2 + 10 = 130 (seconds). ■ If this parameter is manually c...

  • Page 649

    Configuring PIM-SM: ...every C-BSR has a chance to become the BSR, you need to configure the same filtering policy on all C-BSRs. Follow these steps to configure a C-RP. Note: ■ When configuring a C-RP, ensure a relatively large bandwidth between this C-RP and the other devices in the PIM-SM domain. ■ A...

  • Page 650

    Note: ■ The commands introduced in this section are to be configured on C-RPs. ■ For the configuration of other timers in PIM-SM, refer to “Configuring PIM common timers” on page 656. Configuring PIM-SM register messages: within a PIM-SM domain, the source-side DR send...

  • Page 651

    Configuring PIM-SM. Note: typically, you need to configure the above-mentioned parameters on the receiver-side DR and the RP only. Since both the DR and RP are elected, however, you should carry out these configurations on the routers that may win the DR election and on the C-RPs that may win RP elec...

  • Page 652

    Configuring PIM-SSM. Note: the PIM-SSM model needs the support of IGMPv3. Therefore, be sure to enable IGMPv3 on PIM routers with multicast receivers. PIM-SSM configuration task list: complete these tasks to configure PIM-SSM. Configuration prerequisites: before configur...

  • Page 653

    Configuring PIM common information. Note: the commands introduced in this section are to be configured on all routers in the PIM domain. Caution: ■ Make sure that the same SSM group range is configured on all routers in the entire domain. Otherwise, multicast information cannot be delivered through...

  • Page 654

    ■ Prune delay (global value/interface level value) ■ Prune override interval (global value/interface level value) ■ Hello interval (global value/interface level value) ■ Maximum delay between hello messages (interface level value) ■ Assert timeout time (global valu...

  • Page 655

    Configuring PIM common information: ...neighbor tracking flag bit. You can configure this parameter on all routers in the PIM domain. If different LAN-delay or override-interval values result from the negotiation among all the PIM routers, the largest value will take effect. The LAN-delay setting wi...

  • Page 656

    Configuring hello options on an interface: follow these steps to configure hello options on an interface. Configuring PIM common timers: PIM routers discover PIM neighbors and maintain PIM neighboring relationships with other routers by periodically sending out hell...

  • Page 657

    Configuring PIM common information: configuring PIM common timers on an interface. Follow these steps to configure PIM common timers on an interface. Note: if there are no special networking requirements, we recommend that you use the default settings. Configuring join/prune message limits: a larger jo...

  • Page 658

    Displaying and maintaining PIM. Configure the maximum size of a join/prune message: jp-pkt-size packet-size (optional; 8,100 bytes by default). Configure the maximum number of (S, G) entries in a join/prune message: jp-queue-size queue-size (optional; 1,020 by default). To d...

  • Page 659

    PIM configuration examples: PIM-DM configuration example. Network requirements: ■ Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire ...

  • Page 660

    Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure the IP address and subnet mask for each interface as per Figure 196. Detailed configuration steps are omitted here. Configure the OSPF protocol fo...

  • Page 661

    PIM configuration examples: vlan101 1 30 1 192.168.2.2 (local) vlan102 1 30 1 192.168.3.2 (local). Carry out the display pim neighbor command to view the PIM neighboring relationships among the switches. For example: # View the PIM neighboring relationships on Switch D. [switchd] display pim neigh...

  • Page 662

    downstream interface(s) information: total number of downstreams: 3 1: vlan-interface103 protocol: pim-dm, uptime: 00:03:27, expires: never 2: vlan-interface101 protocol: pim-dm, uptime: 00:03:27, expires: never 3: vlan-interface102 protocol: pim-dm, uptime: 00:03...

  • Page 663

    PIM configuration examples: network diagram. Figure 197 Network diagram for PIM-SM domain configuration. Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure the IP address and subnet mask for each interface as per Figure 197. Detaile...

  • Page 664

    system-view [switcha] multicast routing-enable [switcha] interface vlan-interface 100 [switcha-vlan-interface100] igmp enable [switcha-vlan-interface100] pim sm [switcha-vlan-interface100] quit [switcha] interface vlan-interface 101 [switcha-vlan-interface101] pim...

  • Page 665

    PIM configuration examples: [switche] display pim bsr-info elected bsr address: 192.168.9.2 priority: 0 hash mask length: 30 state: elected scope: not scoped uptime: 00:00:18 next bsr message scheduled at: 00:01:52 candidate bsr address: 192.168.9.2 priority: 0 hash mask length: 30 state: pending...

  • Page 666

    uptime: 00:00:42 upstream interface: vlan-interface101, upstream neighbor: 192.168.9.2 rpf prime neighbor: 192.168.9.2 downstream interface(s) information: total number of downstreams: 1 1: vlan-interface100 protocol: pim-sm, uptime: 00:00:42, expires:00:03:06 the...

  • Page 667

    PIM configuration examples: ■ IGMPv3 is to run between Switch A and N1, and between Switch B/Switch C and N2. Network diagram: Figure 198 Network diagram for PIM-SSM configuration. Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure ...

  • Page 668

    # Enable IP multicast routing on Switch A, enable PIM-SM on each interface, and enable IGMPv3 on VLAN-interface 100, which connects Switch A to the stub network. system-view [switcha] multicast routing-enable [switcha] interface vlan-interface 100 [switcha-vlan-in...

  • Page 669

    Troubleshooting PIM configuration: (10.110.5.100, 232.1.1.1) protocol: pim-ssm, flag: uptime: 00:13:25 upstream interface: vlan-interface101 upstream neighbor: 192.168.1.2 rpf prime neighbor: 192.168.1.2 downstream interface(s) information: total number of downstreams: 1 1: vlan-interface100 prot...

  • Page 670

    ...existing unicast route, and is independent of PIM. The RPF interface must be PIM-enabled, and the RPF neighbor must also be a PIM neighbor. If PIM is not enabled on the router where the RPF interface or the RPF neighbor resides, the establishment of a multicast di...

  • Page 671

    Troubleshooting PIM configuration: solution. 1 Check the multicast forwarding boundary configuration. Use the display current-configuration command to check the multicast forwarding boundary settings. Use the multicast boundary command to change the multicast forwarding boundary settings. 2 Check ...

  • Page 672

    ■ The RP is the core of a PIM-SM domain. Make sure that the RP information on all routers is exactly the same, that a specific group G is mapped to the same RP, and that unicast routes are available to the RP. Solution: 1 Check whether routes to C-RPs, the RP and the BSR are...

  • Page 673: MSDP Configuration

    48 MSDP Configuration. When configuring MSDP, go to these sections for information you are interested in: ■ “MSDP overview” on page 673 ■ “MSDP configuration task list” on page 679 ■ “Displaying and maintaining MSDP” on page 685 ■ “MSDP configuration examples” on page 685 ■ “Troublesho...

  • Page 674

    Chapter 48: MSDP Configuration. ...interconnected in series. Relayed by these MSDP peers, an SA message sent by an RP can be delivered to all other RPs. Figure 199 Where MSDP peers are in the network. As shown in Figure 199, an MSDP peer can be created on any PIM-SM router. MSDP peers created on PI...

  • Page 675

    MSDP overview: implementing inter-domain multicast delivery by leveraging MSDP peers. As shown in Figure 200, an active source (Source) exists in the domain PIM-SM 1, and RP 1 has learned the existence of Source through multicast source registration. If RPs in PIM-SM 2 and PIM-SM 3 also wish to kn...

  • Page 676

    5 Upon receiving the SA message created by RP 1, RP 2 in PIM-SM 2 checks whether there are any receivers for the multicast group in the domain. 6 If so, the RPT for the multicast group G is maintained between RP 2 and the receivers. RP 2 creates an (S, G) entry, a...

  • Page 677

    MSDP overview: as illustrated in Figure 201, these MSDP peers dispose of SA messages according to the following RPF check rules: 1 When RP 2 receives an SA message from RP 1: because the source-side RP address carried in the SA message is the same as the MSDP peer address, which means that the MSD...

  • Page 678

    Note: usually an anycast RP address is configured on a logical interface, such as a loopback interface. Figure 202 Typical network diagram of anycast RP. The work process of anycast RP is as follows: 1 The multicast source registers with the nearest RP. In this example, So...

  • Page 679

    MSDP configuration task list: protocols and standards. MSDP is documented in the following specifications: ■ RFC 3618: Multicast Source Discovery Protocol (MSDP) ■ RFC 3446: Anycast Rendezvous Point (RP) Mechanism Using Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (...

  • Page 680

    Creating an MSDP peer connection: an MSDP peering relationship is identified by an address pair, namely the address of the local MSDP peer and that of the remote MSDP peer. An MSDP peer connection must be created on both devices that are a pair of MSDP peers. Foll...

  • Page 681

    Configuring an MSDP peer connection: before configuring an MSDP peer connection, prepare the following data: ■ Description information of MSDP peers ■ Name of an MSDP mesh group ■ MSDP peer connection retry interval. Configuring MSDP peer description: with the MSDP peer description information, the...

  • Page 682

    Configuring MSDP peer connection control: MSDP peers are interconnected over TCP (port number 639). You can flexibly control sessions between MSDP peers by manually deactivating and reactivating the MSDP peering connections. When the connection between two MSDP pe...

  • Page 683

    Configuring SA message related parameters: if the source-side RP is enabled to encapsulate register messages in SA messages, when there is a multicast packet to deliver, the source-side RP encapsulates a register message containing the multicast packet in an SA message and sends it out. After re...

  • Page 684

    Configuring an SA message filtering rule: by configuring an SA message creation rule, you can enable the router to filter the (S, G) entries to be advertised when creating an SA message, so that the propagation of messages of multicast sources is controlled. In ad...

  • Page 685

    Displaying and maintaining MSDP. MSDP configuration examples: inter-AS multicast configuration leveraging BGP routes. Network requirements: ■ There are two ASs in the network, AS 100 and AS 200 respectively. OSPF is running within each AS, and BGP is running between t...

  • Page 686

    Network diagram: Figure 203 Network diagram for inter-AS multicast configuration leveraging BGP routes. Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure the IP address and subnet mask for each int...

  • Page 687

    MSDP configuration examples: system-view [switcha] multicast routing-enable [switcha] interface vlan-interface 103 [switcha-vlan-interface103] pim sm [switcha-vlan-interface103] quit [switcha] interface vlan-interface 100 [switcha-vlan-interface100] pim sm [switcha-vlan-interface100] quit [switch...

  • Page 688

    [switchb] ospf 1 [switchb-ospf-1] import-route bgp [switchb-ospf-1] quit. The configuration on Switch C and Switch E is similar to the configuration on Switch B. 5 Configure MSDP peers. # Configure an MSDP peer on Switch B. [switchb] msdp [switchb-msdp] peer 192.16...

  • Page 689

    MSDP configuration examples: to view the BGP routing table information on the switches, use the display bgp routing-table command. For example: # View the BGP routing table information on Switch C. [switchc] display bgp routing-table total number of routes: 13 bgp local router id is 2.2.2.2 statu...

  • Page 690

    description: information about connection status: state: up up/down time: 00:15:47 resets: 0 connection interface: vlan-interface101 (192.168.1.1) number of sent/received messages: 16/16 number of discarded output messages: 0 elapsed time since last connection or...

  • Page 691

    MSDP configuration examples: network diagram. Figure 204 Network diagram for inter-AS multicast configuration leveraging static RPF peers. Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure the IP address and subnet mask for each in...

  • Page 692

    system-view [switcha] multicast routing-enable [switcha] interface vlan-interface 103 [switcha-vlan-interface103] pim sm [switcha-vlan-interface103] quit [switcha] interface vlan-interface 100 [switcha-vlan-interface100] pim sm [switcha-vlan-interface100] quit [s...

  • Page 693

    MSDP configuration examples: [switche] ip ip-prefix list-c permit 192.168.0.0 16 greater-equal 16 less-equal 32 [switche] msdp [switche-msdp] peer 192.168.3.2 connect-interface vlan-interface 102 [switche-msdp] static-rpf-peer 192.168.3.2 rp-policy list-c [switche-msdp] quit 5 Verify the configur...

  • Page 694

    Network diagram: Figure 205 Network diagram for anycast RP configuration. Configuration procedure: 1 Configure the interface IP addresses and unicast routing protocol for each switch. Configure the IP address and subnet mask for each interface as per Figure 205. Deta...

  • Page 695

    MSDP configuration examples: [switchb] interface vlan-interface 100 [switchb-vlan-interface100] igmp enable [switchb-vlan-interface100] pim sm [switchb-vlan-interface100] quit [switchb] interface vlan-interface 103 [switchb-vlan-interface103] pim sm [switchb-vlan-interface103] quit [switchb] inte...

  • Page 696

    [switchd] display msdp brief msdp peer brief information configured up listen connect shutdown down 1 1 0 0 0 0 peer's address state up/down time as sa count reset count 1.1.1.1 up 00:10:18 ? 0 0 To view the PIM routing information on the switches, use the displa...

  • Page 697

    Troubleshooting MSDP: [switchd] display pim routing-table total 1 (*, g) entry; 1 (s, g) entry (*, 225.1.1.1) rp: 10.1.1.1 (local) protocol: pim-sm, flag: wc uptime: 00:12:07 upstream interface: register upstream neighbor: null rpf prime neighbor: null downstream interface(s) information: total n...

  • Page 698

    No SA entries in the router's SA cache. Symptom: MSDP fails to send (S, G) entries through SA messages. Analysis: ■ The import-source command is used to control sending (S, G) entries through SA messages to MSDP peers. If this command is executed without the acl-num...

  • Page 699

    Troubleshooting MSDP: 4 Verify that the C-BSR address is different from the anycast RP address.


  • Page 701: Multicast Routing and Forwarding Configuration

    49 Multicast Routing and Forwarding Configuration. When configuring multicast routing and forwarding, go to these sections for information you are interested in: ■ “Multicast routing and forwarding overview” on page 701 ■ “Configuring multicast routing and forwarding” on page 706 ■ “Displaying an...

  • Page 702

    Chapter 49: Multicast Routing and Forwarding Configuration. Implementation of the RPF mechanism: upon receiving a multicast packet that a multicast source S sends to a multicast group G, the router first searches its multicast forwarding table: 1 If the corresponding (S, G) entry exists, and ...

  • Page 703

    Multicast routing and forwarding overview: ...destination address. The corresponding routing entry explicitly defines the RPF interface and the RPF neighbor. 4 Then, the router selects one from these two optimal routes as the RPF route. The selection is as follows: 5 If configured to use the longest...

  • Page 704

    ...2. This means that the interface on which the packet actually arrived is not the RPF interface. The RPF check fails and the packet is discarded. ■ A multicast packet from Source arrives on VLAN-interface 2 of Switch C, and the corre...

  • Page 705

    Configuration task list: ...multicast information from Source travels from Switch A to Switch B and then to Switch C. Multicast traceroute: the multicast traceroute utility is used to trace the path that a multicast stream flows down from the multicast source to the last-hop router. Concepts in multi...

  • Page 706

    Configuring multicast routing and forwarding. Configuration prerequisites: before configuring multicast routing and forwarding, complete the following tasks: ■ Configure a unicast routing protocol so that all devices in the domain are...

  • Page 707

    Configuring multicast routing and forwarding. Caution: when configuring a multicast static route, you cannot designate an RPF neighbor by specifying an interface (by means of the interface-type interface-number command argument combination) if the interface type of that switch is loopback or VL...

  • Page 708

    Configuring the multicast forwarding table size: too many multicast routing entries can exhaust the router's memory and thus result in lower router performance. Therefore, the number of multicast routing entries should be limited. Yo...

  • Page 709

    Displaying and maintaining multicast routing and forwarding. Caution: ■ The reset command clears the information in the multicast routing table or the multicast forwarding table, and thus may cause failure of multicast transmission. ■ ...

  • Page 710

    ■ Switch A, Switch B and Switch C run OSPF. ■ Typically, Receiver can receive the multicast data from Source through the path Switch A - Switch B, which is the same as the unicast route. ■ Perform the following configuration so that...

  • Page 711

    Configuration examples: [switchb-vlan-interface101] quit [switchb] interface vlan-interface 102 [switchb-vlan-interface102] pim dm [switchb-vlan-interface102] quit # Enable IP multicast routing on Switch A, and enable PIM-DM on each interface. system-view [switcha] multicast routing-enable [switc...

  • Page 712

    ■ Switch B and Switch C run OSPF, and have no unicast routes to Switch A. ■ Typically, Receiver can receive the multicast data from Source 1 in the OSPF domain. ■ Perform the following configuration so that Receiver can receive mult...

  • Page 713

    Troubleshooting multicast routing and forwarding: [switchc-vlan-interface300] pim dm [switchc-vlan-interface300] quit [switchc] interface vlan-interface 102 [switchc-vlan-interface102] pim dm [switchc-vlan-interface102] quit. The configuration on Switch B is similar to that on Switch A. The specif...

  • Page 714

    Analysis: ■ If the multicast static route is not configured or updated correctly to match the current network conditions, the route entry does not exist in the multicast route configuration table and multicast routing table. ■ If the...

  • Page 715: 802.1X Configuration

    50 802.1X Configuration. When configuring 802.1X, go to these sections for information you are interested in: ■ “802.1X overview” on page 715 ■ “Configuring 802.1X” on page 726 ■ “Configuring a guest VLAN” on page 728 ■ “Displaying and maintaining 802.1X” on page 729 ■ “802.1X configuration example...

  • Page 716

    Chapter 50: 802.1X Configuration. Figure 210 Architecture of 802.1X. ■ Supplicant system: a system at one end of the LAN segment, which is authenticated by the authenticator system at the other end. A supplicant system is usually a user-end device and initiates 802.1X authentication through 802...

  • Page 717

    802.1X overview: ■ The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol frames to pass, guaranteeing that the supplicant can always send and receive authentication frames. ■ The controlled port is open to allow normal traffic to pass only when i...

  • Page 718

    Figure 212 EAPOL frame format. ■ PAE Ethernet type: protocol type. It takes the value 0x888E. ■ Protocol version: version of the EAPOL protocol supported by the EAPOL frame sender. ■ Type: type of the EAPOL frame. Table 57 shows the defined types of EAPOL frame...

  • Page 719

    802.1X overview: Figure 213 EAP packet format. ■ Code: type of the EAP packet, which can be Request, Response, Success, or Failure. An EAP packet of the type Success or Failure has no data field, and has a length of 4. An EAP packet of the type Request or Response has a data field in the for...
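    As an added example (not code from the 3Com guide), the following Python decodes an EAPOL frame whose PAE Ethernet type is 0x888E and the EAP packet it may carry, enforcing the rule stated for Figure 213 that a Success or Failure packet has no data field and a length of exactly 4. The EAPOL Length field, the EAP Identifier and Length fields, and the numeric type codes come from the IEEE 802.1X and EAP specifications rather than from this page; the sample frames are constructed for the example. Such a checker is the kind of parsing an authenticator or a monitoring probe must do before trusting a frame, and malformed frames are rejected rather than processed.

```python
import struct
from typing import Optional

# Added example, not part of the 3Com configuration guide.
ETHERTYPE_EAPOL = 0x888E                     # PAE Ethernet type given on the page
# EAPOL packet types (IEEE 802.1X); the page's Table 57 lists the same set.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(body: bytes) -> dict:
    """Decode an EAP packet: Code(1) Identifier(1) Length(2) Data(...)."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} bytes present")
    if code in (3, 4) and length != 4:
        # Success and Failure carry no data field, so their length is exactly 4.
        raise ValueError(f"EAP {EAP_CODES[code]} must have length 4, got {length}")
    pkt = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):
        data = body[4:length]
        if not data:
            raise ValueError("EAP Request/Response needs a Type byte in its data field")
        pkt["type"] = data[0]            # e.g. 1 = Identity, 4 = MD5-Challenge
        pkt["type_data"] = data[1:]
    return pkt


def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet header (14 bytes) + EAPOL header: Version(1) Type(1) Length(2) Body."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame: ethertype 0x{ethertype:04X}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {ptype}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError(f"EAPOL length {length} exceeds {len(frame) - 18} body bytes present")
    result = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
              "version": version, "eapol_type": EAPOL_TYPES[ptype], "length": length}
    if ptype == 0:                       # only EAP-Packet frames carry an EAP packet
        result["eap"] = parse_eap(body)
    return result


def eapol_error(frame: bytes) -> Optional[str]:
    """Return None for a well-formed frame, otherwise the reason it was rejected."""
    try:
        parse_eapol_frame(frame)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample frames (not captured traffic): the PAE group MAC as the
# destination and an arbitrary supplicant MAC as the source.
_ETH = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455") + b"\x88\x8e"
SAMPLE_START = _ETH + bytes([1, 1, 0, 0])                                   # EAPOL-Start, empty body
SAMPLE_REQ_IDENTITY = _ETH + bytes([1, 0, 0, 5]) + bytes([1, 1, 0, 5, 1])   # EAP-Request/Identity
SAMPLE_SUCCESS = _ETH + bytes([1, 0, 0, 4]) + bytes([3, 2, 0, 4])           # EAP-Success, length 4
SAMPLE_BAD_SUCCESS = _ETH + bytes([1, 0, 0, 6]) + bytes([3, 2, 0, 6, 0, 0]) # Success with data: invalid

if __name__ == "__main__":
    for name, f in [("start", SAMPLE_START), ("req-identity", SAMPLE_REQ_IDENTITY),
                    ("success", SAMPLE_SUCCESS), ("bad-success", SAMPLE_BAD_SUCCESS)]:
        print(name, eapol_error(f) or parse_eapol_frame(f))
```

    Running the block prints the decoded fields for the three well-formed frames and the rejection reason for the malformed Success packet; the same functions can be fed frames read from a capture file once the Ethernet header has been located.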

  • Page 720

    Message-Authenticator: Figure 216 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication. It must be included in any pack...

  • Page 721

    802.1X overview: Figure 217 Message exchange in EAP relay mode. 1 When a user launches the 802.1X client software and enters the registered username and password, the 802.1X client software generates an EAPOL-Start frame and sends it to the authenticator to initiate an authentication process. 2 Up...

  • Page 722

    7 When receiving the EAP-Request/MD5 Challenge packet, the supplicant uses the offered challenge to encrypt the password part (this process is not reversible), creates an EAP-Response/MD5 Challenge packet, and then sends the packet to the authenticator. 8 Afte...

  • Page 723

    802.1X overview: Figure 218 Message exchange in EAP termination mode. Different from the authentication process in EAP relay mode, in the EAP termination authentication process it is the authenticator that generates the random challenge for encrypting the user password information. Consequently, the a...

  • Page 724

    ...multicasts EAP-Request/Identity frames to the supplicant system at an interval defined by this timer. ■ Supplicant timeout timer (supp-timeout): once an authenticator sends an EAP-Request/MD5 Challenge frame to a supplicant, it starts this timer. If this timer...

  • Page 725

    802.1X overview: ■ If the port link type is hybrid, the assigned VLAN is allowed to pass the current port without carrying the tag. The default VLAN ID of the port is that of the assigned VLAN. The assigned VLAN neither changes nor affects the configuration of a port. However, as the assigned VLA...

  • Page 726

    726 c hapter 50: 802.1 x c onfiguration device. You can change the access rights of users by modifying authorization acl settings on the radius server or changing the corresponding acl rules on the device. Configuring 802.1x configuration prerequisites 802.1x provides a user identity authentication ...

  • Page 727

    Configuring 802.1x 727 n ■ for 802.1x to take effect on a port, you must enable it both globally in system view and for the port in system view or ethernet interface view. ■ you can also enable 802.1x and set port access control parameters (that is, the port access control mode, port access method, ...

  • Page 728

    728 c hapter 50: 802.1 x c onfiguration n ■ you can neither add an 802.1x-enabled port into an aggregation group nor enable 802.1x on a port being a member of an aggregation group. ■ once enabled with the 802.1x multicast trigger function, a port sends multicast trigger messages to the client period...

  • Page 729

    Displaying and maintaining 802.1x 729. Note: ■ You can specify a tagged VLAN as the guest VLAN for a hybrid port, but the guest VLAN does not take effect. Similarly, if a guest VLAN for a hybrid port is in operation, you cannot configure the guest VLAN to carry tags. ■ Configurations in system view are e...

  • Page 730

    730 Chapter 50: 802.1x Configuration. ■ Specify that the switch tries up to five times at an interval of 5 seconds to transmit a packet to the RADIUS server until it receives a response from the server, and sends real-time accounting packets to the accounting server every 15 minutes. ■ Specify t...

  • Page 731

    802.1x configuration example 731. [sysname-radius-radius1] primary authentication 10.1.1.1 [sysname-radius-radius1] primary accounting 10.1.1.2 # Configure the IP addresses of the secondary authentication and accounting RADIUS servers. [sysname-radius-radius1] secondary authentication 10.1.1.2 [sysna...

  • Page 732

    732 Chapter 50: 802.1x Configuration. # Enable 802.1x globally. [sysname] dot1x # Enable 802.1x for port GigabitEthernet 1/0/1. [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] dot1x [sysname-gigabitethernet1/0/1] quit # Set the port access control method. (Op...

  • Page 733

    Guest VLAN configuration example 733. Network diagrams: Figure 220 Network diagram for guest VLAN configuration. Figure 221 Network diagram with VLAN 10 as the guest VLAN (diagram labels: Internet, update server, authenticator, server, supplicant; VLAN 10 on GE 1/0/4, VLAN 1 on GE 1/0/1, VLAN 5 on GE 1/0/2, VLAN 2 on GE 1/0/3; switch inte...

  • Page 734

    734 Chapter 50: 802.1x Configuration. Figure 222 Network diagram when the supplicant passes authentication. Configuration procedure: # Configure RADIUS scheme 2000. system-view [sysname] radius scheme 2000 [sysname-radius-2000] primary authentication 10.11.1.1 1812 [sysname-radius-2000] primary acco...

  • Page 735

    ACL assignment configuration example 735. [sysname-gigabitethernet1/0/1] dot1x port-control auto [sysname-gigabitethernet1/0/1] quit # Create VLAN 10. [sysname] vlan 10 [sysname-vlan10] quit # Specify port GigabitEthernet 1/0/1 to use VLAN 10 as its guest VLAN. [sysname] dot1x guest-vla...

  • Page 736

    736 Chapter 50: 802.1x Configuration. system-view [sysname] radius scheme 2000 [sysname-radius-2000] primary authentication 10.1.1.1 1812 [sysname-radius-2000] primary accounting 10.1.1.2 1813 [sysname-radius-2000] key authentication abc [sysname-radius-2000] key accounting abc [sysname-radius-200...

  • Page 737: HABP Configuration

    51 HABP Configuration. When configuring HABP, go to these sections for the information you are interested in: ■ “Introduction to HABP” on page 737 ■ “Configuring HABP” on page 737 ■ “Displaying and maintaining HABP” on page 738. Introduction to HABP: When a switch is configured with the 802.1x functio...

  • Page 738

    738 Chapter 51: HABP Configuration. Configuring an HABP client: Configure HABP to work in client mode on a device connected to the administrative device. Since HABP is enabled and works in client mode by default, this configuration task is optional. Follow these steps to configure an HABP client: Di...

  • Page 739: MAC Authentication Configuration

    52 MAC Authentication Configuration. When configuring MAC authentication, go to these sections for information you are interested in: ■ “MAC authentication overview” on page 739 ■ “Related concepts” on page 740 ■ “Configuring MAC authentication” on page 741 ■ “Displaying and maintaining MAC authent...

  • Page 740

    740 Chapter 52: MAC Authentication Configuration. If the authentication succeeds, the user will be granted permission to access the network resources. Local MAC authentication: In local MAC authentication, the device performs authentication of users locally, and different items need to be manually c...

  • Page 741

    Configuring MAC authentication 741. Configuring MAC authentication. Configuration prerequisites: ■ Create and configure an ISP domain. ■ For local authentication, create the local users and configure the passwords. ■ For RADIUS authentication, ensure that a route is available between the device and the...

  • Page 742

    742 Chapter 52: MAC Authentication Configuration. ■ You can neither add a MAC authentication enabled port into an aggregation group, nor enable MAC authentication on a port added into an aggregation group. Displaying and maintaining MAC authentication. MAC authentication configuration examples: Loca...

  • Page 743

    MAC authentication configuration examples 743. [sysname] domain aabbcc.net [sysname-isp-aabbcc.net] authentication lan-access local [sysname-isp-aabbcc.net] quit # Enable MAC authentication globally. [sysname] mac-authentication # Enable MAC authentication for port GigabitEthernet 1/0/1. [sysname] ma...

  • Page 744

    744 Chapter 52: MAC Authentication Configuration. Network diagram: Figure 225 Network diagram for MAC authentication using RADIUS. Configuration procedure: 1 Configure MAC authentication on the device. # Configure the IP addresses of the interfaces. (Omitted) # Configure a RADIUS scheme. system-view [...

  • Page 745

    MAC authentication configuration examples 745. [sysname] mac-authentication user-name-format fixed account aaa password simple 123456 2 Verify the configuration. # Display global MAC authentication information. display mac-authentication MAC address authentication is enabled. User name format is fixe...

  • Page 746

    746 Chapter 52: MAC Authentication Configuration. Configuration procedure: # Configure the IP addresses of the interfaces. (Omitted) # Configure the RADIUS scheme. system-view [sysname] radius scheme 2000 [sysname-radius-2000] primary authentication 10.1.1.1 1812 [sysname-radius-2000] primary accou...

  • Page 747: AAA/RADIUS/HWTACACS Configuration

    53 AAA/RADIUS/HWTACACS Configuration. When configuring AAA/RADIUS/HWTACACS, go to these sections for information you are interested in: ■ “AAA/RADIUS/HWTACACS overview” on page 747 ■ “AAA/RADIUS/HWTACACS configuration task list” on page 756 ■ “Configuring AAA” on page 758 ■ “Configuring RADIUS” on p...

  • Page 748

    748 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Figure 227 AAA networking diagram. When a user tries to establish a connection to the NAS and obtain the rights to access other networks or some network resources, the NAS authenticates the user or the corresponding connection. The NAS can also tran...

  • Page 749

    AAA/RADIUS/HWTACACS overview 749. AAA can be implemented through multiple protocols. Currently, the device supports using RADIUS and HWTACACS for AAA, and RADIUS is often used in practice. Introduction to RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a distributed information interact...

  • Page 750

    750 Chapter 53: AAA/RADIUS/HWTACACS Configuration. A RADIUS server supports multiple user authentication methods, such as the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) of the Point-to-Point Protocol (PPP). In addition, a RADIUS server can act as the c...

  • Page 751

    AAA/RADIUS/HWTACACS overview 751. 6 The subscriber accesses the network resources. 7 The host requests the RADIUS client to tear down the connection, and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server. 8 The RADIUS server returns a stop-accounting response ...

  • Page 752

    752 Chapter 53: AAA/RADIUS/HWTACACS Configuration. 2 The Identifier field (1 byte long) is for matching request packets and response packets and detecting retransmitted request packets. The request and response packets of the same type have the same identifier. 3 The Length field (2 bytes long) indi...

  • Page 753

    AAA/RADIUS/HWTACACS overview 753. Note: The attribute types listed in Table 59 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2568. RADIUS extended attributes: The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), defined by RFC 2865, allows a vendor to define extended ...

  • Page 754

    754 Chapter 53: AAA/RADIUS/HWTACACS Configuration. ■ Vendor-Type: indicates the type of the sub-attribute. ■ Vendor-Length: indicates the length of the sub-attribute. ■ Vendor-Data: indicates the contents of the sub-attribute. Figure 231 Segment of a RADIUS packet containing an extended attribute. I...

  • Page 755

    AAA/RADIUS/HWTACACS overview 755. Basic message exchange process of HWTACACS: The following takes a Telnet user as an example to describe how HWTACACS performs user authentication, authorization, and accounting. Figure 232 illustrates the basic message exchange process of HWTACACS. Figure 232 Basic mess...

  • Page 756

    756 Chapter 53: AAA/RADIUS/HWTACACS Configuration. 6 After receiving the username from the user, the HWTACACS client sends to the server a continue-authentication packet carrying the username. 7 The HWTACACS server sends back an authentication response, requesting the login password. 8 Upon receipt...

  • Page 757

    AAA/RADIUS/HWTACACS configuration task list 757. RADIUS configuration task list. HWTACACS configuration task list. “Configuring an AAA authentication scheme for an ISP domain” on page 759: Required. For local authentication, refer to “Configuring local user attributes” on page 763. For RADIUS authenticat...

  • Page 758

    758 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Configuring AAA: By configuring AAA, you can provide network access service for legal users, protect the networking devices, and avoid unauthorized access and bilking. In addition, you can configure ISP domains to perform AAA on accessing users. In ...

  • Page 759

    Configuring AAA 759. Note: A self-service RADIUS server, for example, CAMS, is required for the self-service server localization function. With the self-service function, a user can manage and control his or her accounting information or module number. A server with self-service software is a self-servic...

  • Page 760

    760 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Note: ■ The authentication scheme specified with the authentication default command is for all types of users and has a priority lower than that for a specific access mode. ■ With a RADIUS authentication scheme configured, AAA accepts only the authenti...

  • Page 761

    Configuring AAA 761. Before configuring an authorization scheme, complete these three tasks: 1 For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS authentication scheme; otherwise, it do...

  • Page 762

    762 Chapter 53: AAA/RADIUS/HWTACACS Configuration. ■ If the primary authentication scheme is local or none, the system performs local authorization or does not perform any authorization, rather than using the RADIUS or HWTACACS scheme. ■ Authorization information of the RADIUS server is sent to the ...

  • Page 763

    Configuring AAA 763. Note: ■ With the accounting optional command configured, a user that would otherwise be disconnected can use the network resources even when there is no available accounting server or the communication with the current accounting server fails. ■ The accounting scheme specified with th...

  • Page 764

    764 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Note: ■ With the local-user password-display-mode cipher-force command configured, a local user password is always displayed in cipher text, regardless of the configuration of the password command. In this case, if you use the save command to save the ...

  • Page 765

    Configuring RADIUS 765. ■ The attribute ip command only applies to authentications that support IP address passing, such as 802.1x. If you configure the command for authentications that do not support IP address passing, such as MAC address authentication, the local authentication will fail. ■ The att...

  • Page 766

    766 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Note: ■ In practice, you may specify two RADIUS servers as the primary and secondary authentication/authorization servers respectively. At any moment, a server can be the primary authentication/authorization server for a scheme and the secondary authenti...

  • Page 767

    Configuring RADIUS 767. ...authentication/authorization and accounting packets, the port for authentication/authorization must be different from that for accounting. ■ You can set the maximum number of stop-accounting requests in the transmission buffer, allowing the device to buffer and resend a stop-accountin...

  • Page 768

    768 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Note: ■ The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS server response timeout period cannot be greater than 75. ■ Refer to the timer response-timeout command in the command manual for configuring the RADIUS server...

  • Page 769

    Configuring RADIUS 769. Note: ■ If both the primary server and the secondary server are in the blocked state, it is necessary to manually turn the secondary server to the active state so that the secondary server can perform authentication. If the secondary server is still in the blocked state, the prima...

  • Page 770

    770 Chapter 53: AAA/RADIUS/HWTACACS Configuration. ...command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server. ■ If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than...

  • Page 771

    Configuring HWTACACS 771. ■ To configure the maximum number of retransmission attempts of RADIUS packets, refer to the retry command in the command manual. Configuring RADIUS accounting-on: With the accounting-on function enabled, a device sends, whenever it reboots, accounting-on packets to the RADIU...

  • Page 772

    772 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Note: ■ Up to 16 HWTACACS schemes can be configured. ■ A scheme can be deleted only when it is not referenced. Specifying the HWTACACS authentication servers: Follow these steps to specify the HWTACACS authentication servers. Note: ■ The IP addresses of the...

  • Page 773

    Configuring HWTACACS 773. Note: ■ The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails. ■ You can remove an authorization server only when no active TCP connection for sending authorization packets is using it. Specifying the HWTACACS ...

  • Page 774

    774 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Configuring attributes related to the data sent to the TACACS server: Follow these steps to configure the attributes related to the data sent to the HWTACACS server. Note: ■ If an HWTACACS server does not support a username with the domain name, you can ...

  • Page 775

    Displaying and maintaining AAA/RADIUS/HWTACACS 775. Note: ■ For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. Note that if the device does not receive any response to the information, it does not disconnect the online ...

  • Page 776

    776 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Displaying and maintaining HWTACACS. AAA/RADIUS/HWTACACS configuration examples: AAA for Telnet users by an HWTACACS server. Network requirements: As shown in Figure 233, configure the switch to use the HWTACACS server to provide authentication, author...

  • Page 777

    AAA/RADIUS/HWTACACS configuration examples 777. Network diagram: Figure 233 Configure AAA for Telnet users by an HWTACACS server. Configuration procedure: # Configure the IP addresses of the various interfaces (omitted). # Enable the Telnet server on the switch. system-view [switch] telnet server enable # Co...

  • Page 778

    778 Chapter 53: AAA/RADIUS/HWTACACS Configuration. [switch-isp-1] accounting default hwtacacs-scheme hwtac [switch-isp-hwtacacs] accounting default hwtacacs-scheme hwtac. AAA for Telnet users by separate servers. Network requirements: As shown in Figure 234, configure the switch to provide local authe...

  • Page 779

    Troubleshooting AAA/RADIUS/HWTACACS 779. [switch] hwtacacs scheme hwtac [switch-hwtacacs-hwtac] primary authorization 10.1.1.2 49 [switch-hwtacacs-hwtac] key authorization expert [switch-hwtacacs-hwtac] user-name-format without-domain [switch-hwtacacs-hwtac] quit # Configure the RADIUS scheme. [switc...

  • Page 780

    780 Chapter 53: AAA/RADIUS/HWTACACS Configuration. Check that: 1 The NAS and the RADIUS server can ping each other. 2 The username is in the userid@isp-name format and a default ISP domain is specified on the NAS. 3 The user is configured on the RADIUS server. 4 The password entered by the user is ...

  • Page 781: ARP Configuration

    54 ARP Configuration. When configuring ARP, go to these sections for information you are interested in: ■ “ARP overview” on page 781 ■ “Configuring ARP” on page 783 ■ “Configuring gratuitous ARP” on page 785 ■ “Displaying and maintaining ARP” on page 786. ARP overview. ARP function: Address Resolution ...

  • Page 782

    782 Chapter 54: ARP Configuration. ■ Hardware address length and protocol address length: they respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is "6". For an IP(v4) address, the value of ...

  • Page 783

    Configuring ARP 783. When Host A and Host B are not on the same subnet, Host A first sends an ARP request to the gateway. The destination IP address in the ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from an ARP reply, Host A encapsulates the packet an...

  • Page 784

    784 Chapter 54: ARP Configuration. Caution: The vlan-id argument must be the ID of an existing VLAN which corresponds to the ARP entries. In addition, the Ethernet port following the argument must belong to that VLAN. A VLAN interface must be created for the VLAN. Configuring the maximum number o...

  • Page 785

    Configuring gratuitous ARP 785. ARP configuration example. Network requirements: ■ Enable the ARP entry check. ■ Set the aging time for dynamic ARP entries to 10 minutes. ■ Set the maximum number of dynamic ARP entries that VLAN-interface 10 can learn to 1000. ■ Add a static ARP entry, with the IP addr...

  • Page 786

    786 Chapter 54: ARP Configuration. Displaying and maintaining ARP. Note: Executing the reset arp interface interface-type interface-number command only removes dynamic ARP entries of the specified port. To remove specified static ARP entries, you need to use the undo arp ip-address command. Enable the g...

  • Page 787: Proxy ARP Configuration

    55 Proxy ARP Configuration. When configuring proxy ARP, go to these sections for information you are interested in: ■ “Proxy ARP overview” on page 787 ■ “Enabling proxy ARP” on page 787 ■ “Displaying and maintaining proxy ARP” on page 787. Proxy ARP overview: For an ARP request of a host on a network...

  • Page 788

    788 Chapter 55: Proxy ARP Configuration. Proxy ARP configuration examples. Proxy ARP configuration example. Network requirements: Host A and Host D have IP addresses of the same network segment. Host A belongs to VLAN 1, and Host D belongs to VLAN 2. Configure proxy ARP on the device to enable the co...

  • Page 789

    Proxy ARP configuration examples 789. Local proxy ARP configuration example in case of port isolation. Network requirements: ■ Host A and Host B belong to the same VLAN, and are connected to GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch B respectively. ■ Switch B is connected to Switch A vi...

  • Page 790

    790 Chapter 55: Proxy ARP Configuration. Ping Host B on Host A to verify that the two hosts cannot be pinged through, which indicates they are isolated at Layer 2. # Configure local proxy ARP to let Host A and Host B communicate at Layer 3. [switcha-vlan-interface2] local-proxy-arp enable [switcha...

  • Page 791: DHCP Overview

    56 DHCP Overview. When configuring DHCP, go to these sections for information you are interested in: ■ “Introduction to DHCP” on page 791 ■ “DHCP address allocation” on page 792 ■ “DHCP message format” on page 793 ■ “DHCP options” on page 794 ■ “Protocols and standards” on page 796. Introduction to DH...

  • Page 792

    792 Chapter 56: DHCP Overview. DHCP address allocation. Allocation mechanisms: DHCP supports three mechanisms for IP address allocation. ■ Manual allocation: the network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client. ■ Automatic...

  • Page 793

    DHCP message format 793. ■ If there are multiple DHCP servers, IP addresses offered by other DHCP servers are assignable to other clients. IP address lease extension: The IP address dynamically allocated by a DHCP server to a client has a lease. After the lease duration elapses, the IP address will be...

  • Page 794

    794 Chapter 56: DHCP Overview. ...server sent a reply back by broadcast. The remaining bits of the flags field are reserved for future use. ■ ciaddr: client IP address. ■ yiaddr: 'your' (client) IP address, assigned by the server. ■ siaddr: server IP address, from which the clients obtained configurat...

  • Page 795

    DHCP options 795. ■ Option 67: bootfile name option. It specifies the bootfile name to be assigned to the client. ■ Option 150: TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client. For more information about DHCP options, refer to RFC 2132. Self-defined...

  • Page 796

    796 Chapter 56: DHCP Overview. 2 Verbose padding format: the padding contents for sub-options in the verbose padding format are: ■ Sub-option 1: padded with the user-specified access node identifier (ID of the device that adds Option 82 to DHCP messages), and the type, number, and VLAN ID of the port t...

  • Page 797: DHCP Server Configuration

    57 DHCP Server Configuration. When configuring the DHCP server, go to these sections for information you are interested in: ■ “Introduction to DHCP server” on page 797 ■ “DHCP server configuration task list” on page 799 ■ “Enabling DHCP” on page 799 ■ “Enabling the DHCP server on an interface” on p...

  • Page 798

    798 Chapter 57: DHCP Server Configuration. ...leaves are addresses statically bound to clients. For address pools of the same level, a previously configured pool has a higher selection priority than a new one. At the very beginning, subnetworks inherit network parameters and clients inherit subnetwork p...

  • Page 799

    DHCP server configuration task list 799. 5 The IP address that was in conflict or passed its lease duration. If no IP address is assignable, the server will not respond. DHCP server configuration task list: Complete the following tasks to configure the DHCP server. Enabling DHCP: Enable DHCP before perfo...

  • Page 800

    800 Chapter 57: DHCP Server Configuration. ■ Without subaddress specified, assign an IP address from the address pool of the subnet to which the primary IP address of the server's interface (connected to the client) belongs. Configuring an address pool for the DHCP server. Configuration task list: C...

  • Page 801

    Configuring an address pool for the DHCP server 801. When the client with the MAC address or ID requests an IP address, the DHCP server will find the IP address from the binding for the client. A DHCP address pool now supports only one static binding, which can be a MAC-to-IP or ID-to-IP binding. Fol...

  • Page 802

    802 Chapter 57: DHCP Server Configuration. Note: ■ In DHCP address pool view, using the network command repeatedly overwrites the previous configuration. ■ Using the dhcp server forbidden-ip command repeatedly can specify multiple IP address ranges that are not assignable. Configuring a domain name suffix for ...

  • Page 803

    Configuring an address pool for the DHCP server 803. Configuring WINS servers and NetBIOS node type for the client: A Microsoft DHCP client using the NetBIOS protocol contacts a Windows Internet Naming Service (WINS) server for name resolution. Therefore, the DHCP server should assign a WINS server addres...

  • Page 804

    804 Chapter 57: DHCP Server Configuration. Follow these steps to configure the BIMS server IP address, port number, and shared key in the DHCP address pool: Configuring gateways for the client: DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can...

  • Page 805

    Configuring an address pool for the DHCP server 805. Note: Specify an IP address for the network calling processor before performing other configuration. Configuring the TFTP server and bootfile name for the client: This task is to specify the IP address and name of a TFTP server and the bootfile name in ...

  • Page 806

    806 Chapter 57: DHCP Server Configuration. ■ Define existing DHCP options. Some options have no unified definitions in RFC 2132; however, vendors can define such options as needed. The self-defined DHCP option enables DHCP clients to obtain vendor-specific information. ■ Extend existing DHCP optio...

  • Page 807

    Configuring the DHCP server security functions 807. Configuration prerequisites: Before performing this configuration, complete the following configuration on the DHCP server: ■ Enable DHCP ■ Configure the DHCP address pool. Enabling unauthorized DHCP server detection: There are unauthorized DHCP server...

  • Page 808

    808 Chapter 57: DHCP Server Configuration. Configuring the handling mode for Option 82: When the DHCP server receives a message with Option 82, if the server is configured to handle Option 82, it will return a response message carrying Option 82 to assign an IP address to the requesting client. If ...

  • Page 809

    DHCP server configuration examples 809. Note: Using the save command does not save DHCP server lease information. Therefore, when the system boots up or the reset dhcp server ip-in-use command is executed, no lease information will be available in the configuration file. In this case, the server will den...

  • Page 810

    810 Chapter 57: DHCP Server Configuration. Network diagram: Figure 246 DHCP network diagram. Configuration procedure: Specify IP addresses for VLAN interfaces (omitted). Configure the DHCP server. # Enable DHCP. system-view [switcha] dhcp enable # Exclude IP addresses (addresses of the DNS server, WIN...

  • Page 811

    Troubleshooting DHCP server configuration 811. [switcha] dhcp server ip-pool 2 [switcha-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128 [switcha-dhcp-pool-2] expired day 5 [switcha-dhcp-pool-2] gateway-list 10.1.1.254. Troubleshooting DHCP server configuration. Symptom: A client's IP address obtain...

  • Page 812

    812 Chapter 57: DHCP Server Configuration.

  • Page 813: DHCP Relay Agent Configuration

    58 DHCP Relay Agent Configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in: ■ “Introduction to DHCP relay agent” on page 813 ■ “Configuration task list” on page 815 ■ “Configuring the DHCP relay agent” on page 815 ■ “Displaying and maintain...

  • Page 814

    814 Chapter 58: DHCP Relay Agent Configuration. Figure 247 DHCP relay agent application. No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section “Dynamic IP address allocation process” on page 792). The following describes th...

  • Page 815

    Configuration task list 815. If a reply returned by the DHCP server contains Option 82, the DHCP relay agent will remove Option 82 before forwarding the reply to the client. Configuration task list: Complete the following tasks to configure the DHCP relay agent. Configuring the DHCP relay agent. En...

  • Page 816

    816 Chapter 58: DHCP Relay Agent Configuration. Note: If the DHCP client obtains an IP address via the DHCP relay agent, the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP ...

  • Page 817

    Configuring the DHCP relay agent 817. ...receiving the DHCP-RELEASE request, the DHCP server then releases the IP address for the client. Follow these steps to configure the DHCP relay agent in system view to send a DHCP-RELEASE request: Configuring the DHCP relay agent security functions. Creating stati...

  • Page 818

    818 Chapter 58: DHCP Relay Agent Configuration. ...simply conveys the message to the DHCP server, so it does not remove the IP address from its bindings. To solve this, the DHCP relay agent can update dynamic bindings at a specified interval. The DHCP relay agent uses the IP address of a client an...

  • Page 819

    Displaying and maintaining DHCP relay agent configuration 819. ■ Enabling the DHCP relay agent on the specified interface ■ Correlating a DHCP server group with relay agent interfaces. Configuring the DHCP relay agent to support Option 82: Follow these steps to configure the DHCP relay agent to support...

  • Page 820

    820 Chapter 58: DHCP Relay Agent Configuration. DHCP relay agent configuration example. Network requirements: VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 ...

  • Page 821

    Troubleshooting DHCP relay agent configuration 821. Troubleshooting DHCP relay agent configuration. Symptom: DHCP clients cannot obtain any configuration parameters via the DHCP relay agent. Analysis: Some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute...

  • Page 822

    822 Chapter 58: DHCP Relay Agent Configuration.

  • Page 823: DHCP Client Configuration

    59 DHCP Client Configuration. When configuring the DHCP client, go to these sections for information you are interested in: ■ “Introduction to DHCP client” on page 823 ■ “Enabling the DHCP client on an interface” on page 823 ■ “Displaying and maintaining the DHCP client” on page 824 ■ “DHCP client ...

  • Page 824

    824 Chapter 59: DHCP Client Configuration. Note: ■ An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous configuration. ■ After the DHCP client is enabled on an interface, no secondary IP address is ...

  • Page 825: Dhcp S

    60 dhcp s nooping c onfiguration when configuring dhcp snooping, go to these sections for information you are interested in: ■ “dhcp snooping overview” on page 825 ■ “configuring dhcp snooping basic functions” on page 828 ■ “configuring dhcp snooping to support option 82” on page 828 ■ “displaying a...

  • Page 826

    826 c hapter 60: dhcp s nooping c onfiguration configured as trusted or untrusted, ensuring the clients to obtain ip addresses from authorized dhcp servers. ■ trusted: a trusted port forwards dhcp messages, ensuring that dhcp clients can obtain valid ip addresses. ■ untrusted: the dhcp-ack or dhcp-o...

  • Page 827

    DHCP Snooping Overview 827
    Figure 251: Configure trusted ports in a cascaded network. DHCP snooping support for Option 82: Option 82 (the DHCP relay agent information option, RFC 3046) records the location information of the DHCP client. The administrator can use it to locate the DHCP client and apply further security control and accounting. For more informati...

  • Page 828

    828 Chapter 60: DHCP Snooping Configuration
    Configuring DHCP snooping basic functions. Follow these steps to configure the basic DHCP snooping functions. Note: ■ You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trus...

  • Page 829

    Displaying and Maintaining DHCP Snooping 829
    ■ If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you must configure a padding format for Option 82. If the handling strategy is keep or drop, no padding format is needed. ■ If Option 82 is padde...
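    The port-trust rule on page 826 and the three Option 82 handling strategies above (drop, keep, replace) are modelled in the following Python. It is an added illustration, not code from this manual or from the switch: the message-type numbers are the RFC 2132 option 53 values, the port names and padding bytes are constructed, and the rule that a client request arriving without Option 82 is given one is ordinary DHCP snooping behaviour assumed here rather than quoted from the page.

```python
# Added illustrative model of DHCP snooping port trust and Option 82 handling.
# Not the switch's code; the message layout and port names are constructed.
from dataclasses import dataclass, field

# DHCP message types (option 53 values from RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_TO_CLIENT = {OFFER, ACK, NAK}   # only legitimate from a real server
OPTION_82 = 82                          # relay agent information option


@dataclass
class DhcpMessage:
    msg_type: int
    options: dict = field(default_factory=dict)   # option code -> raw bytes


@dataclass
class SnoopingPort:
    name: str
    trusted: bool = False   # every port starts untrusted


class DhcpSnooping:
    """One snooping-enabled switch.

    strategy: handling of client requests that already carry Option 82 when
              they arrive on an untrusted port: 'drop', 'keep' or 'replace'.
    padding:  the switch-generated Option 82 content; required for 'replace'
              (the default here is a constructed placeholder, not a real format).
    """

    def __init__(self, strategy="replace", padding=b"\x01\x06GE1/0/2"):
        if strategy not in ("drop", "keep", "replace"):
            raise ValueError("strategy must be drop, keep or replace")
        if strategy == "replace" and not padding:
            raise ValueError("replace strategy needs a padding format")
        self.strategy = strategy
        self.padding = padding

    def ingress(self, port, msg):
        """Decide what to do with `msg` received on `port`.

        Returns ('forward', message) or ('drop', reason).
        """
        # 1. Server-to-client messages are accepted only on trusted ports.
        #    This is the rule that stops a rogue server on an access port.
        if msg.msg_type in SERVER_TO_CLIENT and not port.trusted:
            return "drop", f"{port.name}: server reply on untrusted port"

        # 2. Client requests on untrusted ports get the Option 82 treatment.
        if not port.trusted and msg.msg_type in (DISCOVER, REQUEST, INFORM):
            if OPTION_82 in msg.options:
                if self.strategy == "drop":
                    return "drop", f"{port.name}: Option 82 present, strategy drop"
                if self.strategy == "replace":
                    msg.options[OPTION_82] = self.padding
                # 'keep': forward the request with the option untouched
            else:
                # No Option 82 yet: record where this client is attached.
                msg.options[OPTION_82] = self.padding

        # 3. Everything else is forwarded unchanged; trusted ports never
        #    rewrite Option 82, so data from an upstream relay survives.
        return "forward", msg
```

    The constructor enforces the note above: a replace strategy without a padding format is rejected up front rather than silently forwarding requests with an empty option.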

  • Page 830

    830 Chapter 60: DHCP Snooping Configuration
    # Specify GigabitEthernet 1/0/1 as a trusted port.
    [SwitchB] interface gigabitethernet 1/0/1
    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
    [SwitchB-GigabitEthernet1/0/1] quit
    # Configure DHCP snooping to support Option 82 on GigabitEthernet 1/0/2.
    [S...

  • Page 831: BOOTP Client Configuration

    61 BOOTP Client Configuration
    When configuring a BOOTP client, go to these sections for the information you are interested in: ■ “Introduction to BOOTP client” on page 831 ■ “Configuring an interface to dynamically obtain an IP address through BOOTP” on page 832 ■ “Displaying and maintaining BOOTP cl...

  • Page 832

    832 Chapter 61: BOOTP Client Configuration
    Obtaining an IP address dynamically. Note: a DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition. A BOOTP client dynamically obtains an IP address from a BOOTP server in the following way: 1 The BOOTP client broa...

  • Page 833

    BOOTP Client Configuration Example 833
    # Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
    system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address bootp-alloc
    Note: To make the BOOTP client obtain an IP address from the DHCP server, you...

  • Page 834

    834 Chapter 61: BOOTP Client Configuration.

  • Page 835: ACL Overview

    62 ACL Overview
    In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for the information you are interested in: ■ “ACL overview” on page 835 ■ “IPv4 ACL configuration” on page 841 ■...

  • Page 836

    836 Chapter 62: ACL Overview
    Note: ■ When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch takes no action according to the traffic behavior definition on a packet that does not match the ACL. ■ When an ACL is referenced by a piece of...

  • Page 837

    Introduction to IPv4 ACL 837
    Depth-first match for a basic IPv4 ACL. The following shows how your switch performs depth-first match in a basic IPv4 ACL: 1 Sort rules by source IP address wildcard first and compare packets against the rule configured with more zeros in the source IP address wildcard p...

  • Page 838

    838 Chapter 62: ACL Overview
    Whenever the step changes, the rules are renumbered. Continuing with the above example, if you change the step from 5 to 2, the rules are renumbered 0, 2, 4, 6, and so on. Benefits of using the step: with the step and rule numbering/renumbering mechanism, you do not nee...
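    The numbering rules on this page (automatic rule IDs in multiples of the step, renumbering when the step changes) and the depth-first match order on page 837 are worked through in the following Python model of a basic IPv4 ACL. It is an added illustration by the editor, not the switch's ACL engine: the ACL number, addresses and rule contents are constructed, the tie-break between rules with equal wildcards (the rule configured first) is the editor's reading of the truncated text, and the duplicate-rule and auto-order restrictions mirror the notes on page 843.

```python
# Added model of the step, renumbering and match-order rules described on
# this page. Editor's illustration, not the switch's ACL engine; the ACL
# number and rule contents are constructed.
import ipaddress


class BasicIPv4Acl:
    """Basic IPv4 ACL: rules match on source address + wildcard only."""

    def __init__(self, number, step=5, match_order="config"):
        self.number = number
        self.step = step
        self.match_order = match_order     # 'config' or 'auto' (depth-first)
        self.rules = []                    # kept sorted by rule id

    @staticmethod
    def _addr(text):
        return int(ipaddress.IPv4Address(text))

    def add_rule(self, action, source, wildcard="0.0.0.0", rule_id=None):
        src, wc = self._addr(source), self._addr(wildcard)
        src &= ~wc & 0xFFFFFFFF            # wildcard bits are don't-care
        for r in self.rules:
            # Creating a rule identical to an existing one fails (page 843).
            if (r["action"], r["src"], r["wc"]) == (action, src, wc):
                raise ValueError("rule duplicates rule %d" % r["id"])
        if rule_id is None:
            # Smallest multiple of the step above the current highest id.
            top = max((r["id"] for r in self.rules), default=-self.step)
            rule_id = (top // self.step + 1) * self.step
        elif any(r["id"] == rule_id for r in self.rules):
            if self.match_order == "auto":
                raise ValueError("rules cannot be modified in auto match order")
            self.rules = [r for r in self.rules if r["id"] != rule_id]
        self.rules.append({"id": rule_id, "action": action, "src": src, "wc": wc})
        self.rules.sort(key=lambda r: r["id"])
        return rule_id

    def set_step(self, step):
        """Changing the step renumbers every rule: 0, step, 2*step, ..."""
        self.step = step
        for i, r in enumerate(self.rules):
            r["id"] = i * step

    def _ordered(self):
        if self.match_order == "config":
            return self.rules                      # ascending rule id
        # Depth-first: more zero bits in the wildcard (a narrower match) first,
        # ties broken by the rule configured first (lower id): editor's assumption.
        return sorted(self.rules, key=lambda r: (bin(r["wc"]).count("1"), r["id"]))

    def match(self, packet_source):
        """Action of the first matching rule, or None if nothing matches."""
        pkt = self._addr(packet_source)
        for r in self._ordered():
            if ((pkt & ~r["wc"]) & 0xFFFFFFFF) == r["src"]:
                return r["action"]
        return None
```

    The same packet can get opposite verdicts under config and auto order when a broad permit precedes a narrow deny, which is why the match order is worth checking with display acl before an ACL is referenced by a QoS policy.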

  • Page 839

    Introduction to IPv6 ACL 839
    IPv6 ACL naming. When creating an IPv6 ACL, you can specify a unique name for it; afterwards you can identify the IPv6 ACL by its name. An IPv6 ACL can have only one name. Whether to specify a name for an ACL is up to you. After creating an ACL, you cannot specify a name...

  • Page 840

    840 Chapter 62: ACL Overview
    IPv6 ACL step: refer to “IPv4 ACL step” on page 837. Effective period of an IPv6 ACL: refer to “Effective period of an IPv4 ACL” on page 838.

  • Page 841: IPv4 ACL Configuration

    63 IPv4 ACL Configuration
    When configuring an IPv4 ACL, go to these sections for the information you are interested in: ■ “Creating a time range” on page 851 ■ “Configuring a basic IPv4 ACL” on page 842 ■ “Configuring an advanced IPv4 ACL” on page 844 ■ “Configuring an Ethernet frame header ACL” on p...

  • Page 843

    Configuring a Basic IPv4 ACL 843
    Note: ■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. ■ You may use the display acl command to verify the rules co...

  • Page 844

    844 Chapter 63: IPv4 ACL Configuration
    Configuring an advanced IPv4 ACL. Advanced IPv4 ACLs filter packets based on source IP address, destination IP address, the protocol carried over IP, and other protocol header fields such as the TCP/UDP source port, TCP/UDP destination port, ICMP message type, an...

  • Page 845

    Configuring an Ethernet Frame Header ACL 845
    Note: ■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. ■ You may use the display acl command to ver...

  • Page 846

    846 Chapter 63: IPv4 ACL Configuration
    Note: ■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. ■ You may use the display acl command to verif...

  • Page 847

    Displaying and Maintaining IPv4 ACLs 847
    Configuration procedure: follow these steps to copy an IPv4 ACL. Caution: ■ The source IPv4 ACL and the destination IPv4 ACL must be of the same type. ■ The generated ACL does not take the name of the source IPv4 ACL. Displaying and maintaining IPv4 ACLs: IPv...

  • Page 848

    848 Chapter 63: IPv4 ACL Configuration
    Network diagram: Figure 253, network diagram for IPv4 ACL configuration. Configuration procedure: 1 Create a time range for office hours.
    # Create a periodic time range spanning 8:00 to 18:00 on working days.
    system-view
    [Switch] time-range trname 8:00 to 18:00 ...

  • Page 849

    IPv4 ACL Configuration Example 849
    [Switch] traffic behavior b_rd
    [Switch-behavior-b_rd] filter deny
    [Switch-behavior-b_rd] quit
    # Configure class c_market for packets matching IPv4 ACL 3001.
    [Switch] traffic classifier c_market
    [Switch-classifier-c_market] if-match acl 3001
    [Switch-classifier-c_mar...

  • Page 850

    850 Chapter 63: IPv4 ACL Configuration.

  • Page 851: IPv6 ACL Configuration

    64 IPv6 ACL Configuration
    When configuring IPv6 ACLs, go to these sections for the information you are interested in: ■ “Creating a time range” on page 851 ■ “Configuring a basic IPv6 ACL” on page 851 ■ “Configuring an advanced IPv6 ACL” on page 852 ■ “Copying an IPv6 ACL” on page 854 ■ “Displaying a...

  • Page 852

    852 Chapter 64: IPv6 ACL Configuration
    Note: ■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. ■ You may use the display acl command to verif...

  • Page 853

    Configuring an Advanced IPv6 ACL 853
    Note: ■ You will fail to create or modify a rule if its permit/deny statement is exactly the same as that of another rule. In addition, if the ACL match order is set to auto rather than config, you cannot modify ACL rules. ■ You may use the display acl command to verify rule...

  • Page 854

    854 Chapter 64: IPv6 ACL Configuration
    system-view
    [Sysname] acl ipv6 number 3000
    [Sysname-acl6-adv-3000] rule permit tcp source 2030:5060::9050/64
    # Verify the configuration.
    [Sysname-acl6-adv-3000] display acl ipv6 3000
    Advanced IPv6 ACL 3000, named -none-, 1 rule, ACL's step is 5
    rule 0 permi...

  • Page 855

    IPv6 ACL Configuration Example 855
    Configure an ACL to deny the R&D department access to external networks. Network diagram: Figure 254, network diagram for IPv6 ACL configuration. Configuration procedure:
    # Create IPv6 ACL 2000.
    system-view
    [Switch] acl ipv6 number 2000
    [Switch-acl6-basic-2000] r...

  • Page 856

    856 Chapter 64: IPv6 ACL Configuration.

  • Page 857: QoS Overview

    65 QoS Overview
    Introduction. Quality of Service (QoS) is a concept that applies wherever a supply-demand relationship for a service exists. QoS measures the ability to meet the service needs of customers. Generally, the evaluation does not give a precise grading. The purpose of the evaluation ...

  • Page 858

    858 Chapter 65: QoS Overview
    ...Telnet do not necessarily require high bandwidth, but they are highly sensitive to delay and need to be processed preferentially in case of congestion. The emergence of new services places higher requirements on the service capability of the IP network. I...

  • Page 859

    Major Traffic Management Techniques 859
    ■ Aggravated congestion consumes a large amount of network resources (especially memory), and unreasonable resource assignment can even lead to system resource deadlock and system breakdown. It is obvious that congestion is the root of...

  • Page 860

    860 Chapter 65: QoS Overview.

  • Page 861: Traffic Classification, TP, and LR Configuration

    66 Traffic Classification, TP, and LR Configuration
    When configuring traffic classification, TP (traffic policing), and LR (line rate), go to these sections for the information you are interested in: ■ “Traffic classification overview” on page 861 ■ “TP and LR overview” on page 864 ■ “Traffic evaluation and token bucket” on page 8...

  • Page 862

    862 Chapter 66: Traffic Classification, TP, and LR Configuration
    ...occurs, queue scheduling is performed on the packets; when congestion gets worse, congestion avoidance is performed on the packets. Priority: the following describes several types of precedence: 1 IP precedence, ToS precedence, and ...

  • Page 863

    Traffic Classification Overview 863
    ■ Class Selector (CS) class: this class comes from the IP ToS field and includes eight subclasses; ■ Best Effort (BE) class: this class is a special class within the CS class without any assurance. The AF class can be degraded to the BE class if it exceeds the limit. ...

  • Page 864

    864 Chapter 66: Traffic Classification, TP, and LR Configuration
    Figure 258: 802.1Q tag headers. In the figure above, the priority field (three bits in length) in the TCI is the 802.1p precedence, in the range of 0 to 7 (also known...
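    The precedence fields described on pages 862 to 864 (IP precedence and DSCP in the IPv4 ToS byte, 802.1p in the 802.1Q TCI) can be pulled out of a raw frame with the following Python, which also decides which of them a port would honour under the trust modes of Chapter 69. It is an added illustration by the editor, not switch code: the frame is constructed in build_frame, the two mapping dicts stand in for the dot1p-lp and dscp-lp tables and are placeholders rather than the switch's defaults, and treating the port priority as an 802.1p value that goes through the dot1p-lp table is an assumption.

```python
# Added example: extract the precedence fields this chapter describes from a
# raw frame and decide which one a port in a given trust mode would use.
# Editor's illustration with a constructed frame; the mapping tables are
# placeholders, not the switch's default tables.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dscp, pcp=None, vid=1):
    """Constructed IPv4-over-Ethernet frame; 802.1Q-tagged if pcp is given."""
    tos = (dscp & 0x3F) << 2                       # DSCP occupies the top 6 bits
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                            bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if pcp is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # PCP(3) CFI(1) VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + ip_header


def parse_priorities(frame):
    """Return the 802.1p, IP precedence and DSCP values carried by the frame."""
    info = {"dot1p": None, "vid": None, "ip_precedence": None, "dscp": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        tci, = struct.unpack("!H", frame[14:16])
        info["dot1p"] = tci >> 13                  # 3-bit priority, 0..7
        info["vid"] = tci & 0x0FFF
        ethertype, = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[offset + 1]                    # second byte of the IPv4 header
        info["ip_precedence"] = tos >> 5           # top 3 bits
        info["dscp"] = tos >> 2                    # top 6 bits
    return info


def local_precedence(frame, trust, port_priority, dot1p_lp, dscp_lp):
    """Pick the local precedence (outbound queue) the port would use.

    trust: 'dot1p', 'dscp' or None (untrusted: use the configured port priority).
    The two dicts stand in for the dot1p-lp and dscp-lp mapping tables.
    """
    p = parse_priorities(frame)
    if trust == "dot1p" and p["dot1p"] is not None:
        return dot1p_lp[p["dot1p"]]
    if trust == "dscp" and p["dscp"] is not None:
        return dscp_lp[p["dscp"]]
    # Untrusted: the sender's markings are ignored; the port priority is
    # treated as an 802.1p value and mapped like one (assumption).
    return dot1p_lp[port_priority]
```

    Both fields are written by whoever built the frame, so on a port facing end hosts the untrusted branch is the safe one; trusting either value there lets a host choose its own queue.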

  • Page 865

    Traffic Evaluation and Token Bucket 865
    Figure 259: Evaluate traffic with a token bucket. Evaluating traffic with a token bucket: the evaluation of the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding. If the number of tokens in the bu...

  • Page 866

    866 Chapter 66: Traffic Classification, TP, and LR Configuration
    ...implement different regulation policies under different conditions, namely “enough tokens in the C bucket”, “insufficient tokens in the C bucket but enough tokens in the E bucket” and “insufficient tokens in both the C bucket and the E bucket”. TP: th...
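    The two-bucket evaluation described on pages 865 and 866 (a C bucket refilled at the CIR, an E bucket that receives its overflow, and the three outcomes above) is worked through in the following Python. It is an added illustration by the editor, not the switch's policer: the bucket sizes, the packet trace and the action table mapping the three outcomes to forward, remark and drop are constructed, and the refill order (C first, surplus to E) is the single-rate three-colour scheme of RFC 2697 assumed here.

```python
# Added worked model of the two-bucket evaluation described above (a C bucket
# filled at the CIR and an E bucket that takes its overflow). Editor's
# illustration; sizes and the packet trace are constructed, not switch data.


class TwoBucketPolicer:
    """Colour packets green / yellow / red with a C bucket and an E bucket."""

    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes):
        self.rate = cir_kbps * 1000 // 8      # token rate in bytes per second
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.c, self.e = cbs_bytes, ebs_bytes  # both buckets start full
        self.last_ms = 0

    def _refill(self, now_ms):
        tokens = (now_ms - self.last_ms) * self.rate / 1000
        self.last_ms = now_ms
        room = self.cbs - self.c
        if tokens <= room:                    # C bucket has room for everything
            self.c += tokens
        else:                                 # C is full; the surplus goes to E
            self.c = self.cbs
            self.e = min(self.ebs, self.e + tokens - room)

    def evaluate(self, now_ms, size):
        """Return the colour of a `size`-byte packet arriving at `now_ms`."""
        self._refill(now_ms)
        if size <= self.c:                    # enough tokens in C: conforming
            self.c -= size
            return "green"
        if size <= self.e:                    # not enough in C, enough in E: exceeding
            self.e -= size
            return "yellow"
        return "red"                          # neither bucket can pay: violating


# One way a TP action might treat the three outcomes (constructed).
ACTIONS = {"green": "forward", "yellow": "remark-and-forward", "red": "drop"}


def police(trace, cir_kbps=640, cbs=1000, ebs=500):
    """Run a (time_ms, size_bytes) trace through the policer; return the actions."""
    p = TwoBucketPolicer(cir_kbps, cbs, ebs)
    return [ACTIONS[p.evaluate(t, n)] for t, n in trace]
```

    With a CIR of 640 kbps (the value used in the LR and TP examples on pages 867 and 874) the C bucket earns 80 bytes per millisecond, so a burst that empties both buckets is dropped until enough idle time has passed to refill them.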

  • Page 867

    Displaying and Maintaining LR 867
    LR configuration examples. Limit the outbound rate of GigabitEthernet 1/0/1 to 640 kbps.
    # Enter system view.
    system-view
    # Enter interface view.
    [Sysname] interface gigabitethernet 1/0/1
    # Configure the LR parameter and limit the outbound rate to 640 kbps.
    [Sysname-Gigabit...

  • Page 868

    868 Chapter 66: Traffic Classification, TP, and LR Configuration.

  • Page 869: QoS Policy Configuration

    67 QoS Policy Configuration
    When configuring a QoS policy, go to these sections for the information you are interested in: ■ “Overview” on page 869 ■ “Configuring QoS policy” on page 870 ■ “Introduction to QoS policies” on page 870 ■ “Configuring a QoS policy” on page 870 ■ “Displaying and mainta...

  • Page 870

    870 Chapter 67: QoS Policy Configuration
    Configuring QoS policy. The procedure for configuring a QoS policy is as follows: 1 Define a class and define a group of traffic classification rules in class view. 2 Define a traffic behavior and define a group of QoS actions in traffic behavior view. 3 De...

  • Page 871

    Configuring a QoS Policy 871
    Configuration procedure: follow these steps to define a class. match-criteria: the matching rules to be defined for a class; Table 69 describes the available forms of this argument.
    To do… | Use the command… | Remarks
    Enter system view | system-view | -
    Create a class and enter the c...

  • Page 872

    872 Chapter 67: QoS Policy Configuration
    Note: Suppose the logical relationship between the classification rules is AND. Note the following when using the if-match command to define matching rules. ■ If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actua...

  • Page 873

    Configuring a QoS Policy 873
    Configuration example. 1 Network requirements: create a traffic behavior named test and configure a TP action for it, with the CAR being 640 kbps. 2 Configuration procedure:
    # Enter system view.
    system-view
    To do… | Use the command… | Remarks
    Enter system view | system-view | -
    Create...

  • Page 874

    874 Chapter 67: QoS Policy Configuration
    # Create the traffic behavior (this operation leads you to traffic behavior view).
    [Sysname] traffic behavior test
    # Configure a TP action for the traffic behavior.
    [Sysname-behavior-test] car cir 640
    Defining a policy. A policy associates a class with a tr...

  • Page 875

    Configuring a QoS Policy 875
    Caution: follow these rules when configuring a behavior; otherwise the corresponding QoS policy cannot be applied successfully. ■ The action of creating an outer VLAN tag cannot be configured simultaneously with any other action except the traffic filtering action or t...

  • Page 876

    876 Chapter 67: QoS Policy Configuration
    [Sysname] qos policy test
    [Sysname-qospolicy-test]
    # Associate the traffic behavior named test_behavior with the class named test_class.
    [Sysname-qospolicy-test] classifier test_class behavior test_behavior
    [Sysname-qospolicy-test] quit
    # Enter port vie...

  • Page 877: Congestion Management

    68 Congestion Management
    When configuring congestion management, go to these sections for the information you are interested in: ■ “Overview” on page 877 ■ “Congestion management policy” on page 877 ■ “Configuring an SP queue” on page 879 ■ “Configuring a WRR queue” on page 880 ■ “Configuring SP+W...

  • Page 878

    878 Chapter 68: Congestion Management
    The following paragraphs describe the strict-priority (SP) queue-scheduling algorithm and the weighted round robin (WRR) queue-scheduling algorithm. 1 SP queue-scheduling algorithm. Figure 260: Diagram for SP queuing. The SP queue-scheduling algorithm is specially designed...

  • Page 879

    Configuring an SP Queue 879
    Figure 261: Diagram for WRR queuing. A port of the switch supports eight outbound queues. The WRR queue-scheduling algorithm schedules all the queues in turn to ensure that every queue is assigned a certain service time. Assume there are eight output queues on the port....

  • Page 880

    880 Chapter 68: Congestion Management
    Configuration examples. Network requirements: configure GigabitEthernet 1/0/1 to adopt the SP queue scheduling algorithm. Configuration procedure:
    # Enter system view.
    system-view
    # Configure an SP queue for the GigabitEthernet 1/0/1 port.
    [Sysname] interface gigabitether...

  • Page 881

    Configuring SP+WRR Queues 881
    Configuration examples. Network requirements: configure the WRR queue scheduling algorithm on GigabitEthernet 1/0/1, and assign weights 1, 2, 4, 6, 8, 10, 12, and 14 to queue 0 through queue 7. Configuration procedure:
    # Enter system view.
    system-view
    # Configure the WRR queues ...

  • Page 882

    882 Chapter 68: Congestion Management
    Configuration examples. Network requirements: ■ Adopt the SP+WRR queue scheduling algorithm on GigabitEthernet 1/0/1. ■ Configure queue 0, queue 1, queue 2 and queue 3 on GigabitEthernet 1/0/1 to be in the SP queue scheduling group. ■ Configure queue 4, queu...
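    The three scheduling modes of this chapter (SP on page 878, WRR on page 879, and the SP+WRR split above) are simulated in the following Python, which drains a set of eight queues and reports the order in which they transmit. It is an added illustration by the editor, not the switch's scheduler: queue contents and weights are constructed, and two points the page leaves implicit are assumptions here: within the SP group a higher-numbered queue has the higher priority, and a WRR queue sends up to its weight in packets before the next queue gets its turn.

```python
# Added simulation of the SP, WRR and SP+WRR scheduling this chapter
# describes. Editor's illustration, not the switch's scheduler; queue
# contents and weights are constructed. Assumption: within the SP group a
# higher-numbered queue has the higher priority.


def schedule(queues, sp_group=(), wrr_weights=None):
    """Drain the outbound queues and return the order in which they transmit.

    queues:      {queue_index: list_of_packets} for queues 0..7
    sp_group:    queue indexes scheduled strictly by priority
    wrr_weights: {queue_index: weight} for the round-robin group
    """
    wrr_weights = wrr_weights or {}
    unscheduled = [q for q, pkts in queues.items()
                   if pkts and q not in sp_group and q not in wrr_weights]
    if unscheduled:
        raise ValueError("queues with traffic but no scheduler: %r" % unscheduled)
    order = []

    def sp_pending():
        return [q for q in sorted(sp_group, reverse=True) if queues[q]]

    while any(queues.values()):
        sp = sp_pending()
        if sp:                                   # SP group always goes first
            order.append(sp[0])
            queues[sp[0]].pop(0)
            continue
        for q in sorted(wrr_weights):            # one WRR round
            for _ in range(wrr_weights[q]):      # up to `weight` packets per turn
                if not queues[q] or sp_pending():
                    break
                order.append(q)
                queues[q].pop(0)
            if sp_pending():                     # SP traffic outranks the round
                break
    return order


def bandwidth_share(wrr_weights):
    """Fraction of the link each WRR queue gets when all of them are backlogged."""
    total = sum(wrr_weights.values())
    return {q: w / total for q, w in wrr_weights.items()}
```

    The simulation makes the SP hazard visible: a backlogged high-priority queue starves every other queue indefinitely, which is why the page pairs SP with WRR for the remaining queues and why only traffic you trust should be mapped into the SP group.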

  • Page 883: Priority Mapping

    69 Priority Mapping
    When configuring priority mapping, go to these sections for the information you are interested in: ■ “Priority mapping overview” on page 883 ■ “Configuring a priority mapping table” on page 884 ■ “Configuring the port priority” on page 885 ■ “Configuring port priority trust mode” o...

  • Page 884

    884 Chapter 69: Priority Mapping
    Note: you cannot map any DSCP value to drop precedence 1. Configuring a priority mapping table: you can modify the priority mapping tables in a switch as required. Follow these two steps to configure priority mapping tables: ■ Enter priority mapping table vi...

  • Page 885

    Configuring the Port Priority 885
    Configuration examples. Network requirements: modify the dot1p-lp mapping table as listed in Table 73. Configuration procedure:
    # Enter system view.
    system-view
    # Enter dot1p-lp priority mapping table view.
    [Sysname] qos map-table dot1p-lp
    # Modify the dot1p-lp prior...

  • Page 886

    886 Chapter 69: Priority Mapping
    Configuration prerequisites: the port priority of the port has been determined. Configuration procedure: follow these steps to configure the port priority. Configuration examples. Network requirements: configure the port priority to 7. Configuration procedure:
    # Enter system vie...

  • Page 887

    Displaying and Maintaining Priority Mapping 887
    Configuration examples. Network requirements: configure the port to trust the DSCP precedence of received packets. Trust DSCP or 802.1p only on ports facing devices you control: on a port facing end hosts, a sender can set its own markings and claim a higher-priority queue, so leave such ports untrusted and rely on the port priority. Configuration procedure:
    # Enter system view.
    system-view
    # Enter port view.
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/...

  • Page 888

    888 Chapter 69: Priority Mapping.

  • Page 889: Applying a QoS Policy to VLANs

    70 Applying a QoS Policy to VLANs
    When applying a QoS policy to VLANs, go to these sections for the information you are interested in: ■ “Overview” on page 889 ■ “Applying a QoS policy to VLANs” on page 889 ■ “Displaying and maintaining QoS policies applied to VLANs” on page 890 ■ “Configurati...

  • Page 890

    890 Chapter 70: Applying a QoS Policy to VLANs
    Displaying and maintaining QoS policies applied to VLANs. Configuration examples. Network requirements: ■ The QoS policy test is defined to perform traffic policing on the packets matching basic IPv4 ACL 2000, with a CIR of 64 kbps. The exceeding pack...

  • Page 891: Traffic Mirroring Configuration

    71 Traffic Mirroring Configuration
    When configuring traffic mirroring, go to these sections for the information you are interested in: ■ “Overview” on page 891 ■ “Configuring traffic mirroring” on page 891 ■ “Displaying and maintaining traffic mirroring” on page 892 ■ “Traffic mirroring configur...

  • Page 892

    892 Chapter 71: Traffic Mirroring Configuration
    Displaying and maintaining traffic mirroring. Traffic mirroring configuration examples. Network requirements: the user's network is as described below: ■ Host A (with the IP address 192.168.0.1) and Host B are connected to GigabitEthernet 1/0/1 of the ...

  • Page 893

    Traffic Mirroring Configuration Examples 893
    # Configure a traffic behavior and define the action of mirroring traffic to GigabitEthernet 1/0/2 in the traffic behavior.
    [Sysname] traffic behavior 1
    [Sysname-behavior-1] mirror-to interface gigabitethernet 1/0/2
    [Sysname-behavior-1] quit
    # Configure a ...

  • Page 894

    894 Chapter 71: Traffic Mirroring Configuration.

  • Page 895: Port Mirroring Configuration

    72 Port Mirroring Configuration
    When configuring port mirroring, go to these sections for the information you are interested in: ■ “Introduction to port mirroring” on page 895 ■ “Configuring local port mirroring” on page 897 ■ “Configuring remote port mirroring” on page 898 ■ “Displaying and maintain...

  • Page 896

    896 Chapter 72: Port Mirroring Configuration
    ...devices in a network. Currently, remote port mirroring can only be implemented at Layer 2. Implementing port mirroring: port mirroring is implemented through port mirroring groups, which fall into three categories: local port mirroring group, rem...

  • Page 897

    Configuring Local Port Mirroring 897
    ...destination device contains the destination mirroring port, and remote destination port mirroring groups are created on destination devices. Upon receiving a mirrored packet, the destination device checks whether the VLAN ID of the received packet is the same as th...

  • Page 898

    898 Chapter 72: Port Mirroring Configuration
    Configuring remote port mirroring. Configuring a remote source mirroring group: follow these steps to configure a remote source port mirroring group. Note: ■ All ports in a remote mirroring group belong to the same device. A remote source mirroring group can have o...

  • Page 899

    Displaying and Maintaining Port Mirroring 899
    Configuring a remote destination port mirroring group: follow these steps to configure a remote destination port mirroring group. Note: ■ The remote destination mirroring port cannot be a member port of the current mirroring group. ■ The remote destination mi...

  • Page 900

    900 Chapter 72: Port Mirroring Configuration
    Port mirroring configuration examples. Local port mirroring configuration example. Network requirements: the departments of a company connect to each other through Ethernet switches: ■ The research and development (R&D) department is connected to Switch C th...

  • Page 901

    Port Mirroring Configuration Examples 901
    # Add ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports. Add port GigabitEthernet 1/0/3 to the port mirroring group as the destination port.
    [SwitchC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 giga...

  • Page 902

    902 Chapter 72: Port Mirroring Configuration
    Network diagram: Figure 266, network diagram for remote port mirroring configuration. Configuration procedure: 1 Configure Switch A (the source device).
    # Create a remote source port mirroring group.
    system-view
    [SwitchA] mirroring-group 1 remote-source
    #...

  • Page 903

    Port Mirroring Configuration Examples 903
    # Configure port GigabitEthernet 1/0/2 as a trunk port and configure the port to permit the packets of VLAN 2.
    [SwitchB] interface gigabitethernet 1/0/2
    [SwitchB-GigabitEthernet1/0/2] port link-type trunk
    [SwitchB-GigabitEthernet1/0/2] port trunk permit vlan...

  • Page 904

    904 Chapter 72: Port Mirroring Configuration.

  • Page 905: Cluster Management Configuration

    73 Cluster Management Configuration
    When configuring cluster management, go to these sections for the information you are interested in: ■ “Cluster management overview” on page 905 ■ “Cluster configuration task list” on page 911 ■ “Configuring the management device” on page 912 ■ “Configuring the mem...

  • Page 906

    906 Chapter 73: Cluster Management Configuration
    Figure 267: Network diagram for a cluster. Cluster management offers the following advantages: ■ Saving public IP address resources. ■ Simplifying configuration and management tasks. By configuring a public IP address on the management device, you can...

  • Page 907

    Cluster Management Overview 907
    Figure 268: Role change in a cluster. A device in a cluster changes its role according to the following rules: ■ A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becomi...

  • Page 908

    908 Chapter 73: Cluster Management Configuration
    Introduction to NDP. NDP (the cluster Neighbor Discovery Protocol, not IPv6 Neighbor Discovery) is used to discover information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following way: ■ A device running NDP perio...

  • Page 909

    Cluster Management Overview 909
    ■ The adjacent device performs the same operation until the NTDP topology collection request has been sent to all the devices within the specified number of hops. When the NTDP topology collection request is advertised in the network, large numbers of network devices receive the NTDP top...

  • Page 910

    910 Chapter 73: Cluster Management Configuration
    ...devices at the same interval. Upon receiving the handshake packets from the other side, the management device or member device simply changes its state to, or keeps it at, active, without sending a response. ■ If the management device does not receive t...

  • Page 911

    Cluster Configuration Task List 911
    ...of the management VLAN can you set untagged packets from the management VLAN to pass the ports; otherwise, only tagged packets from the management VLAN can pass the ports. Refer to “Introduction to VLAN” on page 83. Cluster configuration task list: b...

  • Page 912

    912 Chapter 73: Cluster Management Configuration
    Caution: disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed, but will affect the normal operation of the cluster. Configuring the management d...

  • Page 913

    Configuring the Management Device 913
    Caution: ■ For NTDP to work normally, you must enable NTDP both globally and on the specified port. ■ The NTDP function is mutually exclusive with the BPDU tunnel function on a port, and you cannot enable them at the same time. For the detailed description o...

  • Page 914

    914 Chapter 73: Cluster Management Configuration
    Enabling the cluster function. Establishing a cluster: before establishing a cluster, you need to configure a private IP address pool for the devices to be added to the cluster. When a candidate device is added to a cluster, the management device as...

  • Page 915

    Configuring the Management Device 915
    Automatically establishing a cluster. In addition to establishing a cluster manually, you are also provided with the means to establish a cluster automatically. With only a few commands (as shown in the table below) on the management device, you can let the syste...

  • Page 916

    916 Chapter 73: Cluster Management Configuration
    Configuring communication between the management device and the member devices within a cluster. In a cluster, the management device and member devices communicate by sending handshake packets to maintain the connection between them. You can configure ...

  • Page 917

    Configuring the Member Devices 917
    Rebooting a member device. Communication between the management and member devices may be interrupted by configuration errors. Through the remote control function for member devices, you can control them remotely from the management device. For example, you ca...

  • Page 918

    918 Chapter 73: Cluster Management Configuration
    Configuring access between the management device and its member devices. After having successfully configured NDP, NTDP and the cluster, you can configure, manage and monitor the member devices through the management device. Because the management device can open a session on every member, protect its login credentials and its management VLAN at least as carefully as those of the members. You can manage member devic...

  • Page 919

    Adding a Candidate Device to a Cluster 919
    Adding a candidate device to a cluster: follow these steps to add a candidate device to a cluster. Configuring advanced cluster functions: this section covers these topics: ■ “Configuring topology management” on page 919 ■ “Configuring interaction for a clust...

  • Page 920

    920 Chapter 73: Cluster Management Configuration
    Configuring interaction for a cluster. After establishing a cluster, you can configure an FTP/TFTP server, an NM host and a log host for the cluster on the management device. ■ After you configure an FTP/TFTP server for a cluster, the members in the cluste...

  • Page 921

    Configuring Advanced Cluster Functions 921
    Caution: ■ For the configured log host to take effect, you must execute the info-center loghost command in system view first. For more information about the info-center loghost command, refer to “Configuring information center” on page 1009. ■ To isolate ...

  • Page 922

    922 Chapter 73: Cluster Management Configuration
    Displaying and maintaining cluster management. Note: ■ Support for the display ntdp single-device mac-address command varies with devices. ■ When you display the cluster topology information, the devices attached to the switch that is listed in the bla...

  • Page 923

    Cluster Management Configuration Examples 923
    ■ The Ethernet 1/1 port of the management device belongs to VLAN 2, whose interface IP address is 163.172.55.1/24. The network management interface of the management device is VLAN-interface 2. VLAN 2 is the network management (NM) interface of the managemen...

  • Page 924

    924 Chapter 73: Cluster Management Configuration
    2 Configuring the management device.
    # Enable NDP globally and on the GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 ports.
    system-view
    [Switch] ndp enable
    [Switch] interface gigabitethernet 1/0/2
    [Switch-GigabitEthernet1/0/2] ndp enable
    [Switch-Gigabi...

  • Page 925

    Cluster Management Configuration Examples 925
    [Switch-GigabitEthernet1/0/3] port trunk permit vlan 10
    [Switch-GigabitEthernet1/0/3] quit
    # Enable the cluster function.
    [Switch] cluster enable
    # Enter cluster view.
    [Switch] cluster
    # Configure an IP address pool for the cluster. The IP address pool...

  • Page 926

    926 Chapter 73: Cluster Management Configuration
    ■ You can execute the cluster switch-to administrator command to switch to the operation interface of the management device. ■ For detailed information about these configurations, refer to the preceding description in this chapter.

  • Page 927: UDP Helper Configuration

    74 UDP Helper Configuration
    When configuring UDP helper, go to these sections for the information you are interested in: ■ “Introduction to UDP helper” on page 927 ■ “Configuring UDP helper” on page 927 ■ “Displaying and maintaining UDP helper” on page 928 ■ “UDP helper configuration example” on page ...

  • Page 928

    928 Chapter 74: UDP Helper Configuration
    Caution: ■ The UDP-helper-enabled device cannot forward DHCP broadcast packets; that is, the UDP port number cannot be set to 67 or 68. UDP helper extends the reach of broadcast-based services such as NetBIOS and TFTP beyond their own subnet, so enable only the ports you need and direct each to specific servers. ■ For the dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords, you can specify port numbers or the cor...

  • Page 929

    UDP Helper Configuration Example 929
    # Enable UDP helper.
    system-view
    [SwitchA] udp-helper enable
    # Enable the forwarding of broadcast packets with the UDP destination port number 55.
    [SwitchA] udp-helper port 55
    # Specify the server with the IP address 10.2.1.1 as the destination server to which UD...

  • Page 930

    930 Chapter 74: UDP Helper Configuration.

  • Page 931: SNMP Configuration

    75 SNMP Configuration
    When configuring SNMP, go to these sections for the information you are interested in: ■ “SNMP overview” on page 931 ■ “SNMP configuration” on page 933 ■ “Configuring SNMP logging” on page 935 ■ “Trap configuration” on page 936 ■ “Displaying and maintaining SNMP” on page 937 ■ “SN...

  • Page 932

    932 Chapter 75: SNMP Configuration
    ■ Get operation: the NMS gets the value of a certain variable of the agent through this operation. ■ Set operation: the NMS can reconfigure certain values in the agent's MIB (management information base) to make the agent perform certain tasks by means of this operation. ■ Tra...

  • Page 933

    SNMP Configuration 933
    ...string of numbers {1.2.1.1}. This string of numbers is the OID of the managed object B. Figure 273: MIB tree. SNMP configuration: as the configuration for SNMPv3 differs substantially from that of SNMPv1 and SNMPv2c, their SNMP functionalities are introduced separately below. Fo...

  • Page 935

    Configuring SNMP Logging 935
    Caution: the validity of a USM user depends on the switch fabric ID (the SNMP engine ID) of the SNMP agent. If the switch fabric ID in effect when the USM user was created is not identical to the current switch fabric ID, the USM user is invalid. Configuring SNMP logging. Introduction to SNMP logging: SN...
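    The caution above follows from how SNMPv3 derives its keys: RFC 3414 turns the user's password into a key Ku and then localizes it to the agent's engine ID (the value this manual calls the switch fabric ID), so a user created under one engine ID holds keys that no longer verify once that ID changes. The following Python, added by the editor and not code from this manual or the switch, carries the derivation through. The password "maplesyrup" and the 12-byte engine ID are the test values from RFC 3414 Appendix A.3; the second engine ID and the function names are constructed.

```python
# Added worked example of why a USM user is tied to the agent's engine ID
# (what this manual calls the switch fabric ID): RFC 3414 localizes every
# authentication and privacy key to that ID. Editor's illustration, not the
# switch's code; the password and first engine ID are the RFC 3414 test
# values, the second engine ID is constructed.
import hashlib

MEGABYTE = 1048576


def password_to_ku(password, algo="md5"):
    """RFC 3414 A.2.1/A.2.2: hash the password repeated out to exactly 1 MiB."""
    pw = password.encode()
    expanded = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return hashlib.new(algo, expanded).digest()


def localize(ku, engine_id, algo="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password, engine_id, algo="md5"):
    """Return (Ku, Kul) as hex strings for a USM user on the given engine."""
    ku = password_to_ku(password, algo)
    return ku.hex(), localize(ku, engine_id, algo).hex()


def user_still_valid(password, created_on, current_engine_id, algo="md5"):
    """True only if the localized key derived when the user was created still
    matches the agent's current engine ID: the check the caution describes."""
    _, kul_created = usm_keys(password, created_on, algo)
    _, kul_now = usm_keys(password, current_engine_id, algo)
    return kul_created == kul_now
```

    The localized key is what an NMS or an attacker needs to authenticate as that user; it is useless against any other agent, which is the property that makes changing the engine ID invalidate existing users and also the reason a captured SNMPv3 key from one switch cannot be replayed against another.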

  • Page 936

    936 Chapter 75: SNMP Configuration. ■ The size of SNMP logs cannot exceed that allowed by the information center, and the sum of the node and value fields of each log entry cannot exceed 1K bytes; otherwise, the part beyond the limit is output. ■ For the detailed description of system information...

  • Page 937

    Displaying and maintaining SNMP 937. Note: the extended linkUp/linkDown traps comprise the standard linkUp/linkDown traps defined in RFC plus the interface description and interface type. If the extended messages are not supported on the NMS, you can disable this function and enable the device to send standard l...

  • Page 938

    938 Chapter 75: SNMP Configuration. SNMP configuration example. Network requirements: ■ The NMS connects to the agent, a switch, through an Ethernet. ■ The IP address of the NMS is 1.1.1.2/24. ■ The IP address of the VLAN interface on the switch is 1.1.1.1/24. ■ The NMS monitors and manages the agent using SNMPv...

  • Page 939

    SNMP logging configuration example 939. With SNMPv2c, the user needs to specify the read-only community, the read-write community, the timeout time, and the number of retries. The user can query and configure the device through the NMS. Note: the configurations on the agent and the NMS must match. SNMP...

  • Page 940

    940 Chapter 75: SNMP Configuration. ■ The following log information is displayed on the terminal when the NMS performs the set operation on the agent. %jan 1 02:59:42:576 2006 sysname snmp/6/set: seqno = srcip = op = errorindex = errorstatus = node = value = e> Note: the system information of the information c...

  • Page 941: RMON Configuration

    76 RMON Configuration. When configuring RMON, go to these sections for information you are interested in: ■ “RMON overview” on page 941 ■ “Configuring RMON” on page 943 ■ “Displaying and maintaining RMON” on page 944 ■ “RMON configuration example” on page 945. RMON overview: this section covers these ...

  • Page 942

    942 Chapter 76: RMON Configuration. ...information but four groups of information, alarm, event, history, and statistics, in most cases. The device adopts the second way. By using RMON agents on network monitors, an NMS can obtain information about traffic size, error statistics, and performance stati...

  • Page 943

    Configuring RMON 943. ■ Compares the result with the defined threshold and generates an appropriate event. Note: if the count result crosses the same threshold multiple times in a row, only the first crossing causes an alarm event. That is, rising alarms and falling alarms alternate. History group: the hist...

  • Page 944

    944 Chapter 76: RMON Configuration. Note: ■ Two entries with the same configuration cannot be created. If the parameters of a newly created entry are identical to the corresponding parameters of an existing entry, the system considers their configurations the same and the creation fails. Refer to Table...

  • Page 945

    RMON configuration example 945. RMON configuration example. Network requirements: the agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet. Create an entry in the RMON Ethernet statistics table to gather statistics on GigabitEthernet 1/0/1, and log...

  • Page 946

    946 Chapter 76: RMON Configuration. # Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the upper limit or fall below the lower limit, logging is enabled. [Sysname] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.4.1 delta rising-threshold 1000 1 falling-threshold 10...

  • Page 947: NTP Configuration

    77 NTP Configuration. Note: the local clock of a Switch 4800G cannot be set as a reference clock. It can serve as a reference clock source to synchronize the clocks of other devices only after it is synchronized. When configuring NTP, go to these sections for information you are interested in: ■ “NTP over...

  • Page 948

    948 Chapter 77: NTP Configuration. ■ To implement certain functions, such as scheduled restart of all devices within the network, all devices must be consistent in timekeeping. ■ When multiple systems process a complex event in cooperation, these systems must use the same reference clock to ensure...

  • Page 949

    NTP overview 949. The process of system clock synchronization is as follows: ■ Switch A sends Switch B an NTP message, which is timestamped when it leaves Switch A. The timestamp is 10:00:00 am (T1). ■ When this NTP message arrives at Switch B, it is timestamped by Switch B. The timestamp is 11:00:0...

  • Page 950

    950 Chapter 77: NTP Configuration. Figure 278 Clock synchronization message format. The main fields are described as follows: ■ LI: 2-bit leap indicator. When set to 11, it warns of an alarm condition (clock unsynchronized); when set to any other value, it is not to be processed by NTP. ■ VN: 3-bit vers...

  • Page 951

    NTP overview 951. ■ Receive timestamp: the local time at which the request arrived at the service host. ■ Transmit timestamp: the local time at which the reply departed the service host for the client. ■ Authenticator: authentication information. Operation modes of NTP: switches running NTP can implem...

  • Page 952

    952 Chapter 77: NTP Configuration. ...passive mode and sends a reply, with the mode field in the message set to 2 (symmetric passive). By exchanging messages, the symmetric peers mode is established between the two switches. Then, the two switches can synchronize, or be synchronized by, each other. If...

  • Page 953

    NTP configuration task list 953. ...messages set to 5 (multicast mode). Clients listen to the multicast messages from servers. After a client receives the first multicast message, the client and the server start to exchange messages, with the mode field set to 3 (client mode) and 4 (server mode), to calc...

  • Page 954

    954 Chapter 77: NTP Configuration. Configuring NTP server/client mode: for switches working in the server/client mode, you only need to make configurations on the clients, not on the servers. Follow these steps to configure an NTP client. Note: ■ In the ntp-service unicast-server command, ip-address...

  • Page 955

    Configuring the operation modes of NTP 955. ■ Typically, at least one of the symmetric-active and symmetric-passive peers has been synchronized; otherwise the clock synchronization will not proceed. ■ You can configure multiple symmetric-passive peers by repeating the ntp-service unicast-peer command...

  • Page 956

    956 Chapter 77: NTP Configuration. Configuring the multicast server. Note: ■ A multicast server can synchronize broadcast clients only after its clock has been synchronized. ■ You can configure up to 1024 multicast clients, among which 128 can take effect at the same time. Configuring optional parameter...

  • Page 957

    Configuring access-control rights 957. Configuring the maximum number of dynamic sessions allowed. Configuring access-control rights: with the following command, you can configure the NTP service access-control right to the local switch. There are four access-control rights, as follows: ■ query: contro...

  • Page 958

    958 Chapter 77: NTP Configuration. Note: the access-control right mechanism provides only a minimum degree of security protection for the system running NTP. A more secure method is identity authentication. Configuring NTP authentication: the NTP authentication feature should be enabled for a system run...

  • Page 959

    Configuring NTP authentication 959. Note: after you enable the NTP authentication feature for the client, make sure that you configure for the client an authentication key that is the same as on the server and specify that the key is trusted; otherwise, the client cannot be synchronized to the...

  • Page 960

    960 Chapter 77: NTP Configuration. Displaying and maintaining NTP. NTP configuration examples. Configuring NTP server/client mode. Network requirements: ■ The local clock of Switch A is to be used as a reference source, with the stratum level of 2. ■ Switch B works in the server/client mode and Switch ...

  • Page 961

    NTP configuration examples 961. # Specify Switch A as the NTP server of Switch B so that Switch B is synchronized to Switch A. system-view [SwitchB] ntp-service unicast-server 1.0.1.11 # View the NTP status of Switch B after clock synchronization. [SwitchB] display ntp-service status Clock status: sy...

  • Page 962

    962 Chapter 77: NTP Configuration. Network diagram: Figure 284 Network diagram for NTP symmetric peers mode configuration. Configuration procedure: 1 Configuration on Switch A: # Specify the local clock as the reference source, with the stratum level of 2. system-view [SwitchA] ntp-service refclock-ma...

  • Page 963

    NTP configuration examples 963. Clock precision: 2^7 Clock offset: -21.1982 ms Root delay: 15.00 ms Root dispersion: 775.15 ms Peer dispersion: 34.29 ms Reference time: 15:22:47.083 UTC Apr 20 2007 (C6D95647.153F7CED). As shown above, Switch B has been synchronized to Switch C, and the clock stratum l...

  • Page 964

    964 Chapter 77: NTP Configuration. # Configure Switch C to work in the broadcast server mode and send broadcast messages through VLAN-interface 2. [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server. 1 Configuration on Switch D: # Configure Switch D to work in...

  • Page 965

    NTP configuration examples 965. Configuring NTP multicast mode. Network requirements: ■ Switch C’s local clock is to be used as a reference source, with the stratum level of 2. ■ Switch C works in the multicast server mode and sends out multicast messages from VLAN-interface 2. ■ Switch D and Switch A ...

  • Page 966

    966 Chapter 77: NTP Configuration. # View the NTP status of Switch D after clock synchronization. [SwitchD] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^7 Clock off...

  • Page 967

    NTP configuration examples 967. # View the NTP status of Switch A after clock synchronization. [SwitchA] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^7 Clock offset: ...

  • Page 968

    968 Chapter 77: NTP Configuration. 2 Configuration on Switch B: system-view # Enable NTP authentication on Switch B. [SwitchB] ntp-service authentication enable # Set an authentication key. [SwitchB] ntp-service authentication-keyid 42 authentication-mode md5 anicekey # Specify the key as a ...

  • Page 969

    NTP configuration examples 969. [SwitchB] display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************** [12345] 1.0.1.11 127.127.1.0 2 63 64 3 -75.5 31.0 16.5 note: 1 source(master),2 source(peer),3 sel...

  • Page 970

    970 Chapter 77: NTP Configuration. 2 Configuration on Switch D: # Configure NTP authentication. system-view [SwitchD] ntp-service authentication enable [SwitchD] ntp-service authentication-keyid 88 authentication-mode md5 123456 [SwitchD] ntp-service reliable authentication-keyid 88 # Configure Swit...

  • Page 971: DNS Configuration

    78 DNS Configuration. When configuring DNS, go to these sections for information you are interested in: ■ “DNS overview” on page 971 ■ “Configuring the DNS client” on page 973 ■ “Configuring the DNS proxy” on page 974 ■ “Displaying and maintaining DNS” on page 974 ■ “DNS configuration examples” on p...

  • Page 972

    972 Chapter 78: DNS Configuration. 4 The DNS client returns the resolution result to the application after receiving a response from the DNS server. Figure 289 Dynamic domain name resolution. Figure 289 shows the relationship between the user program, DNS client, and DNS server. The resolver and cac...

  • Page 973

    Configuring the DNS client 973. Note: if an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS proxy. Introduction to DNS proxy: a DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure...

  • Page 974

    974 Chapter 78: DNS Configuration. Note: the IP address you last assign to the host name overwrites the previous one, if any. You may create up to 50 static mappings between domain names and IP addresses. Configuring dynamic domain name resolution: follow these steps to configure dynamic dom...

  • Page 975

    DNS configuration examples 975. DNS configuration examples. Static domain name resolution configuration example. Network requirements: the switch uses static domain name resolution to access the host with IP address 10.1.1.2 through the domain name host.com. Network diagram: Figure 291 Network diagram for static...

  • Page 976

    976 Chapter 78: DNS Configuration. Network diagram: Figure 292 Network diagram for dynamic domain name resolution. Configuration procedure. Note: ■ Before performing the following configuration, make sure that there is a route between the device and the host, and that configurations are done on both the device...

  • Page 977

    DNS configuration examples 977. Figure 294 Add a host. In Figure 294, right-click zone com, and then select New Host to bring up a dialog box as shown in Figure 295. Enter host name host and IP address 3.1.1.1. Figure 295 Add a mapping between domain name and IP address. 1 Configure the DNS client # En...

  • Page 978

    978 Chapter 78: DNS Configuration. system-view [Sysname] dns resolve # Specify the DNS server 2.1.1.2. [Sysname] dns server 2.1.1.2 # Configure com as the name suffix. [Sysname] dns domain com 2 Configuration verification # Execute the ping host command on the device to verify that the communicatio...

  • Page 979

    DNS configuration examples 979. Network diagram: Figure 296 Network diagram for DNS proxy. Configuration procedure. Note: before performing the following configuration, assume that Switch A, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as sho...

  • Page 980

    980 Chapter 78: DNS Configuration. [SwitchB] ping host.com Trying DNS resolve, press CTRL_C to break Trying DNS server (2.1.1.2) PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 ti...

  • Page 981: File System Management Configuration

    79 File System Management Configuration. When configuring the file system management, go to these sections for information you are interested in: ■ “File system management” on page 981 ■ “Configuration file management” on page 985 ■ “Displaying and maintaining device configuration” on page 989. Note: ...

  • Page 982

    982 Chapter 79: File System Management Configuration. Note: ■ The directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and subdirectories under it. For file deletion, refer to the delete command, and for subdirectory deletion, refer...

  • Page 983

    File system management 983. Caution: ■ Empty the recycle bin regularly with the reset recycle-bin command to save memory space. ■ As the delete /unreserved file-url command deletes a file permanently and the action cannot be undone, use it with caution. ■ The execute command cannot ensure the executio...

  • Page 984

    984 Chapter 79: File System Management Configuration. ■ alert: the system warns you about operations that may bring undesirable consequences such as file corruption or data loss. ■ quiet: the system never does so. To prevent undesirable consequences resulting from misope...

  • Page 985

    Configuration file management 985. Configuration file management: the device provides the configuration file management function with a user-friendly operating interface for you to manage configuration files conveniently. This section covers these topics: ■ “Configuration file overview” on page 98...

  • Page 986

    986 Chapter 79: File System Management Configuration. ■ When removing a configuration file from a device, you can specify whether to remove the main or the backup configuration file. Or, if the file has both the main and backup attributes, you can specify whether to erase the main or the backup attribute of the ...

  • Page 987

    Configuration file management 987. ...filename you entered is different from that existing in the system, this command will erase its backup attribute, so that only one configuration file on the device carries the backup attribute. ■ Normal attribute: when you use the save file-name command to save the current conf...

  • Page 988

    988 Chapter 79: File System Management Configuration. Caution: this command will permanently delete the configuration file from the device. Use it with caution. Specifying a configuration file for next startup: you can assign the main or backup attribute to the configuration file for next startup w...

  • Page 989

    Displaying and maintaining device configuration 989. ■ Use the display startup command (in user view) to verify whether you have set the startup configuration file, and use the dir command to verify whether this file exists. If the file is set as NULL or does not exist, the backup will be unsuccessful. Restori...

  • Page 991: FTP Configuration

    80 FTP Configuration. When configuring FTP, go to these sections for information you are interested in: ■ “FTP overview” on page 991 ■ “Configuring the FTP client” on page 992 ■ “Configuring the FTP server” on page 996 ■ “Displaying and maintaining FTP” on page 999. FTP overview. Introduction to FTP: t...

  • Page 992

    992 Chapter 80: FTP Configuration. Caution: ■ The FTP function is available only when a route exists between the FTP server and the FTP client. ■ When IE is used to log onto a device serving as the FTP server, some IE functions are not supported because multiple user connections are established...

  • Page 993

    Configuring the FTP client 993. Note: ■ If no primary IP address is configured on the source interface, the FTP connection fails. ■ If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the new source IP address will ov...

  • Page 994

    994 Chapter 80: FTP Configuration. Note: ■ FTP uses two modes for file transfer: ASCII mode and binary mode. ■ The ls command can only display the file/directory name, while the dir command can display more information, such as the size and creation date of files or directories. FTP client configura...

  • Page 995

    Configuring the FTP client 995. Network diagram: Figure 298 Network diagram for FTPing an image file from an FTP server. Configuration procedure: # Check the files on your device. Remove those that are redundant to ensure adequate space for the startup file to be downloaded. dir Directory of flash:/ 0 drw- - Dec 07 ...

  • Page 996

    996 Chapter 80: FTP Configuration. Caution: startup files for the next startup must be saved under the root directory. You can copy or move a file to change its path to the root directory. For a description of the corresponding command, refer to “Specifying a Boot ROM file for the next device boo...

  • Page 997

    Configuring the FTP server 997. Note: if the FTP server applies an authentication, authorization and accounting (AAA) policy to the FTP client, AAA-related parameters should be configured on the FTP server. For more information about the local-user, password, service-type ftp, and work-directory commands and the a...

  • Page 998

    998 Chapter 80: FTP Configuration. [Sysname-luser-abc] password simple pwd [Sysname-luser-abc] level 3 # Specify abc to use FTP, and authorize its access to a certain directory. [Sysname-luser-abc] service-type ftp [Sysname-luser-abc] work-directory flash:/ [Sysname-luser-abc] quit # Enable the FTP serve...

  • Page 999

    Displaying and maintaining FTP 999. ...description of the corresponding command, refer to “Specifying a Boot ROM file for the next device boot” on page 1040. Displaying and maintaining FTP. To do… / Use the command… / Remarks: Display the configuration of the FTP client: display ftp client configuration; availa...

  • Page 1001: TFTP Configuration

    81 TFTP Configuration. When configuring TFTP, go to these sections for information you are interested in: ■ “TFTP overview” on page 1001 ■ “Configuring the TFTP client” on page 1002 ■ “Displaying and maintaining the TFTP client” on page 1003 ■ “TFTP client configuration example” on page 1003. TFTP ov...

  • Page 1002

    1002 Chapter 81: TFTP Configuration. Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and make sure that there is a route between the TFTP client and server. Configuring the TFTP client: when a device acts as a TFTP client, you can upload files on ...

  • Page 1003

    Displaying and maintaining the TFTP client 1003. Note: ■ If no primary IP address is configured on the source interface, the TFTP connection fails. ■ If you use the ftp client source command to first configure the source interface and then the source IP address of the packets of the TFTP client, the new sour...

  • Page 1004

    1004 Chapter 81: TFTP Configuration. Configuration procedure: 1 Configure the PC (TFTP server); the configuration procedure is omitted. 2 On the PC, enable the TFTP server. 3 Configure a TFTP working directory. 4 Configure the device (TFTP client). Caution: if the free memory space of the device is not big enou...

  • Page 1005: Information Center Configuration

    82 Information Center Configuration. When configuring the information center, go to these sections for information you are interested in: ■ “Information center overview” on page 1005 ■ “Configuring information center” on page 1009 ■ “Displaying and maintaining information center” on page 1015 ■ “Infor...

  • Page 1006

    1006 Chapter 82: Information Center Configuration. Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during filtering. ■ If the threshold is set to 0, only information with the severity emergencies w...

  • Page 1007

    Information center overview 1007. Outputting system information by source module: the system is composed of a variety of protocol modules, module drivers, and configuration modules. System information can be classified, filtered, and output by source module. Some source module names and descriptio...

  • Page 1008

    1008 Chapter 82: Information Center Configuration. To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system informat...

  • Page 1009

    Configuring information center 1009. Note that there is a space between the timestamp and sysname (host name) fields. Sysname: sysname is the system name of the current host. You can use the sysname command to modify the system name (refer to “System maintaining” on page 1035 for details). Note that t...

  • Page 1010

    1010 Chapter 82: Information Center Configuration. Enabling the display of system information on the console: after setting system information to be output to the console, you need to enable the associated display function to display the output information on the console. Follow these steps in user v...

  • Page 1011

    Configuring information center 1011. Setting to output system information to a monitor terminal: system information can also be output to a monitor terminal, which is a user terminal that has login connections through the AUX or VTY user interface. Setting to output system information to a monitor te...

  • Page 1012

    1012 Chapter 82: Information Center Configuration. Setting to output system information to a log host. Setting to output system information to the trap buffer. Enable the display of debugging information on a monitor terminal: terminal debugging; required; disabled by default. Enable the display of log...

  • Page 1013

    Configuring information center 1013. Setting to output system information to the log buffer. Setting to output system information to the SNMP NMS. Configure the channel through which system information can be output to the trap buffer and specify the buffer size: info-center trapbuffer [ channel { chann...

  • Page 1014

    1014 Chapter 82: Information Center Configuration. Note: to ensure that system information can be output to the SNMP NMS, you need to make the necessary configurations on the SNMP agent and the NMS. For detailed information on SNMP, refer to “SNMP configuration” on page 931. Configuring synchrono...

  • Page 1015

    Displaying and maintaining information center 1015. ■ In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt will be made; rather, only your input will be displayed on a new line. Displaying and maintaining information cente...

  • Page 1016

    1016 Chapter 82: Information Center Configuration. # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and specify local4 as the logging facility. [Sysname] info-center loghost 1.2.0.1 channel loghost facilit...

  • Page 1018

    1018 Chapter 82: Information Center Configuration. Step 1: Issue the following commands as a root user. # mkdir /var/log/mydevice # touch /var/log/mydevice/information Step 2: Edit the file /etc/syslog.conf as a root user and add the following selector/action pair. # mydevice configuration messag...

  • Page 1019

    Information center configuration examples 1019. # Use channel console to output log information to the console (optional, console by default). [Sysname] info-center console channel console # Disable the output of log, trap, and debugging information of all modules on the channel console. [Sysname] in...

  • Page 1021: Basic Configurations

    83 Basic Configurations. While performing basic configurations of the system, go to these sections for information you are interested in: ■ “Basic configurations” on page 1021 ■ “CLI features” on page 1027. Basic configurations: this section covers the following topics: ■ “Entering/exiting system vie...

  • Page 1022

    1022 Chapter 83: Basic Configurations. Displaying the system clock: the system clock is displayed by the system timestamp, which is the same as that displayed by the display clock command. The system clock is determined by the commands clock datetime, clock timezone and clock summer-time. If these three ...

  • Page 1023

    Basic configurations 1023. Configuring a banner. Introduction to banners: banners are prompt information displayed by the system when users connect to the device, perform login authentication, and start interactive configuration. The administrator can set corresponding banners as needed. 1 and 3 ...

  • Page 1024

    1024 Chapter 83: Basic Configurations. At present, the system supports the following five kinds of welcome information. ■ Shell banner, also called session banner, displayed when a non-modem user enters user view. ■ Incoming banner, also called user interface banner, displayed when a user interfac...

  • Page 1025

    Basic configurations 1025. Configuring CLI hotkeys: follow these steps to configure CLI hotkeys. Note: by default, the , and hotkeys are configured with command lines and the and commands are null. ■ corresponds to the display current-configuration command. ■ corresponds to the display ip routing-table com...

  • Page 1026

    1026 Chapter 83: Basic Configurations. Note: these hotkeys are defined by the device. When you interact with the device from terminal software, these keys may be defined to perform other operations. If so, the definition of the terminal software prevails. Configuring user levels and command level...

  • Page 1027

    CLI features 1027. ■ You are recommended to use the default user level; otherwise the change of user level may bring inconvenience to your maintenance and operation. Displaying and maintaining basic configurations: during daily maintenance or when the system is operating abnormally, you need to view e...

  • Page 1028

    1028 Chapter 83: Basic Configurations. Introduction to CLI: the CLI is an interaction interface between devices and users. Through the CLI, you can configure your devices by entering commands, view the output information, and verify your configurations, thus facilitating your configuration and management...

  • Page 1029

    CLI features 1029. [Sysname] interface vlan-interface 1 ? [Sysname] interface vlan-interface 1 where indicates that there is no parameter at this position. The command is then repeated in the next command line and executed if you press . 4 Enter a character string followed by a >. All the commands s...

  • Page 1030

    1030 Chapter 83: Basic Configurations. Note: when editing a command line, you can use other shortcut keys (for details, see Table 81) besides the shortcut keys defined in Table 83, or you can define shortcut keys yourself (for details, see “Configuring CLI hotkeys” on page 1025). CLI display filteri...

  • Page 1031

    CLI features 1031. Display functions: the CLI offers the following feature: when the information displayed exceeds one screen, you can pause using one of the methods shown in Table 85. Saving history commands: the CLI can automatically save the commands that have been used. You can invoke and repeatedly ex...

  • Page 1032

    1032 Chapter 83: Basic Configurations. Table 86 Common command line errors (error information / cause): % Unrecognized command found at ’^’ position. / The command was not found; the keyword was not found; parameter type error; the parameter value is beyond the allowed range. % Incomplete command found at...

  • Page 1033: System Maintaining and Debugging

    84 System Maintaining and Debugging. When maintaining and debugging the system, go to these sections for information you are interested in: ■ “System maintaining and debugging overview” on page 1033 ■ “System maintaining and debugging” on page 1035 ■ “System maintaining example” on page 1036. Syste...

  • Page 1034

    1034 Chapter 84: System Maintaining and Debugging. The tracert command: by using the tracert command, you can trace the routers involved in delivering a packet from source to destination. This is useful for identifying failed node(s) in the event of a network failure. The tracert command invol...

  • Page 1035

    System maintaining and debugging 1035. Figure 305 The relationship between the protocol and screen debugging switches. Note: displaying debugging information on the terminal is the most commonly used way to output debugging information. You can also output debugging information to other directions. For deta...

  • Page 1036

    1036 Chapter 84: System Maintaining and Debugging. ■ Only the directly connected segment address can be pinged if the outgoing interface is specified with the -i argument. System debugging. Note: ■ The debugging commands are usually used by administrators in diagnosing network failures. ■ Output of the...

  • Page 1037

    System maintaining example 1037. 7 129.140.70.13 99 ms 99 ms 80 ms 8 129.140.71.6 139 ms 239 ms 319 ms 9 129.140.81.7 220 ms 199 ms 199 ms 10 10.1.1.4 239 ms 239 ms 239 ms. The above output shows that nine routers are used from the source to the destination device.

  • Page 1039: Device Management

    85 Device Management. When configuring device management, go to these sections for information you are interested in: ■ “Device management overview” on page 1039 ■ “Configuring device management” on page 1039 ■ “Displaying and maintaining device management configuration” on page 1043 ■ “Device mana...

  • Page 1040

    1040 Chapter 85: Device Management. Caution: ■ The precision of the rebooting timer is 1 minute. One minute before the rebooting time, the device will prompt “reboot in one minute” and will reboot in one minute. ■ The execution of the reboot, schedule reboot at, and schedule reboot delay command...

  • Page 1041

    Configuring device management 1041 correctness and version configuration information to ensure a successful upgrade. You are recommended to enable the validity check function before upgrading the Boot ROM. Follow these steps to upgrade the Boot ROM: Note: restart the device to validate the upgraded Boot ROM. Cl...

  • Page 1042

    1042 Chapter 85: Device Management. Identifying and diagnosing pluggable transceivers. Introduction to pluggable transceivers: at present, four types of pluggable transceivers are commonly used, and they can be divided into optical transceivers and electrical transceivers based on transmission media...

  • Page 1043

    Displaying and maintaining device management configuration 1043 parameters such as temperature, voltage, laser bias current, TX power, and RX power. When these parameters are abnormal, you can take corresponding measures to prevent transceiver faults. Follow these steps to display pluggable transcei...

  • Page 1044

    1044 Chapter 85: Device Management device through command lines). Ensure that a route exists between the user and the device. Network diagram: Figure 306 Network diagram for remote upgrade. Configuration procedure ■ Configuration on the FTP server (note that configurations may vary with different types of serv...

  • Page 1045

    Device management configuration example 1045 230 Logged in successfully [ftp] # Download the aaa.bin and boot.btm programs on the FTP server to the flash of the device. [ftp] get aaa.bin [ftp] get boot.btm # Clear the FTP connection and return to user view. [ftp] bye # Enable the validity check function for...

  • Page 1046

    1046 Chapter 85: Device Management.

  • Page 1047: NQA Configuration

    86 NQA Configuration. When configuring NQA, go to these sections for information you are interested in: ■ “NQA overview” on page 1047 ■ “NQA configuration task list” on page 1050 ■ “Configuring the NQA server” on page 1050 ■ “Enabling the NQA client” on page 1051 ■ “Creating an NQA test group” on pa...

  • Page 1048

    1048 Chapter 86: NQA Configuration. In an NQA test, the client sends different types of test packets to the peer to detect the availability and the response time of the peer, helping you learn protocol availability and network performance from the test results. Supporting the collaboration funct...

  • Page 1049

    NQA overview 1049 Supporting delivery of traps: traps can be sent to the network management server when a test is completed, a test fails, or a probe fails. A trap contains the destination IP address, operation status, minimum and maximum round trip time (RTT), probes sent, and the time when the last probe is perfo...

  • Page 1050

    1050 Chapter 86: NQA Configuration server must be consistent with those on the client and must be different from those of an existing listening service. NQA test operation: after you create a test group and enter the test group view, you can configure the related test parameters. Test parameters vary w...

  • Page 1051

    Enabling the NQA client 1051 Enabling the NQA client: configurations on the NQA client take effect only when the NQA client is enabled. Follow these steps to enable the NQA client: Creating an NQA test group: one test corresponds to one test group. You can configure test types after you create a test ...

  • Page 1052

    1052 Chapter 86: NQA Configuration. (To do / Use the command / Remarks:) Enter NQA test group view / nqa entry admin-name operation-tag / - ; Configure the test type as icmp-echo and enter test type view / type icmp-echo / Required ; Configure the destination address for a test operation / destination ip ip-address / Required. By default, no destinati...

  • Page 1053

    Configuring an NQA test group 1053 Configuring the DHCP test: the DHCP test is mainly used to test the existence of a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client. Configuration prerequisites: before ...

  • Page 1054

    1054 Chapter 86: NQA Configuration. Configuring the HTTP test: the HTTP test is used to test the connection with a specified HTTP server and the time required to obtain data from the HTTP server. Configuration prerequisites: before performing an HTTP test, you need to configure the HTTP server. Confi...

  • Page 1055

    Configuring an NQA test group 1055 Note: the TCP port number for the HTTP server must be 80 in an HTTP test. Otherwise, the test will fail. Configuring the UDP-jitter test. Note: you are not recommended to perform an NQA UDP-jitter test on ports from 1 to 1023 (well-known ports). Otherwise, the NQA test will fail...

  • Page 1056

    1056 Chapter 86: NQA Configuration. Configuration prerequisites: a UDP-jitter test requires cooperation between the NQA server and the NQA client. Before the UDP-jitter test, make sure that the UDP listening function is configured on the NQA server. Configuring the UDP-jitter test: follow these steps...

  • Page 1057

    Configuring an NQA test group 1057 Note: the number of probes made in a UDP-jitter test depends on the probe count command, while the number of probe packets sent in each probe depends on the probe packet-number command. Configuring the SNMP test: the SNMP query test is used to test the time the NQA clie...

  • Page 1058

    1058 Chapter 86: NQA Configuration. Configuring the TCP test. Note: you are not recommended to perform an NQA TCP test on ports from 1 to 1023 (well-known ports). Otherwise, the NQA test will fail or the corresponding services on this port will be unavailable. The TCP test is used to test the TCP connection ...

  • Page 1059

    Configuring an NQA test group 1059 Configuring the UDP-echo test. Note: you are not recommended to perform an NQA UDP test on ports from 1 to 1023 (well-known ports). Otherwise, the NQA test will fail or the corresponding services on this port will be unavailable. The UDP-echo test is used to test the roundtr...

  • Page 1060

    1060 Chapter 86: NQA Configuration. Configuring the DLSw test: the DLSw test is used to test the response time of the DLSw device. Configuration prerequisites: enable the DLSw function on the peer device before the DLSw test. Configuring the DLSw test: follow these steps to configure the DLSw test: config...

  • Page 1061

    Configuring the collaboration function 1061 Configuring the collaboration function: collaboration is implemented by establishing collaboration entries to monitor the detection results of the current test group. If the number of consecutive probe failures reaches the threshold, the configured action i...

  • Page 1062

    1062 Chapter 86: NQA Configuration. Configuring trap delivery: follow these steps to configure trap delivery: Configuring optional parameters common to an NQA test group: optional parameters common to an NQA test group are valid only for tests in this test group. Unless otherwise specified, the follo...

  • Page 1063

    Scheduling an NQA test group 1063 Scheduling an NQA test group: with this configuration, you can set the start time and time period for a test group to perform the test and start the test. Configuration prerequisites: before scheduling an NQA test group, make sure: ■ Required test parameters correspon...

  • Page 1064

    1064 Chapter 86: NQA Configuration. Displaying and maintaining NQA. NQA configuration examples. ICMP-echo test configuration example. Network requirements: use the NQA ICMP function to test whether the NQA client (Device A) can send packets to the specified destination (Device B) and test the roundtrip...

  • Page 1065

    NQA configuration examples 1065 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 DHCP test configuration example. Network requirements: use the NQA DHCP function to test the time necessary for Switch A to obtain an IP address from the DHCP server Swit...

  • Page 1066

    1066 Chapter 86: NQA Configuration. Network diagram: Figure 311 Network diagram for FTP. Configuration procedure # Create an FTP test group and configure related test parameters. system-view [devicea] nqa entry admin test [devicea-nqa-admin-test] type ftp [devicea-nqa-admin-test-ftp] destination ip 1...

  • Page 1067

    NQA configuration examples 1067 Network diagram: Figure 312 Network diagram for the HTTP test. Configuration procedure # Create an HTTP test group and configure related test parameters. system-view [devicea] nqa entry admin test [devicea-nqa-admin-test] type http [devicea-nqa-admin-test-http] destinat...

  • Page 1068

    1068 Chapter 86: NQA Configuration. Network diagram: Figure 313 Network diagram for UDP-jitter test. Configuration procedure 1 Configure Device B. # Enable the NQA server and configure the listening IP address as 10.2.2.2 and port number as 9000. system-view [deviceb] nqa server enable [deviceb] nqa ...

  • Page 1069

    NQA configuration examples 1069 Min negative SD: 1 Min negative DS: 1 Max negative SD: 15 Max negative DS: 1 Negative SD number: 3 Negative DS number: 3 Negative SD sum: 17 Negative DS sum: 17 Negative SD average: 6 Negative DS average: 6 Negative SD square sum: 227 Negative DS square sum: 227 SD lo...

  • Page 1070

    1070 Chapter 86: NQA Configuration. Packet lost in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 TCP test configuration example. Network requiremen...

  • Page 1071

    NQA configuration examples 1071 Extend results: Packet lost in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 UDP-echo test configuration example. Ne...

  • Page 1072

    1072 Chapter 86: NQA Configuration. Extend results: Packet lost in test: 0% Failures due to timeout: 0 Failures due to disconnect: 0 Failures due to no connection: 0 Failures due to sequence error: 0 Failures due to internal error: 0 Failures due to other errors: 0 DLSw test configuration example. N...

  • Page 1073: VRRP Configuration

    87 VRRP Configuration. When configuring VRRP, go to these sections for information you are interested in: ■ “Introduction to VRRP” on page 1073 ■ “Configuring VRRP for IPv4” on page 1081 ■ “Configuring VRRP for IPv6” on page 1084 ■ “IPv4-based VRRP configuration examples” on page 1088 ■ “IPv6-based ...

  • Page 1074

    1074 Chapter 87: VRRP Configuration. Apparently, this approach to enabling hosts on a network to communicate with external networks is easy to configure, but it places a very high demand on the performance stability of the device acting as the gateway. A common way to improve system reliability is...

  • Page 1075

    Introduction to VRRP 1075 As shown in Figure 319, Switch A, Switch B, and Switch C form a virtual router, which has its own IP address. Hosts on the Ethernet use the virtual router as the default gateway. The switch with the highest priority of the three switches is elected as the master switch to a...

  • Page 1076

    1076 Chapter 87: VRRP Configuration ■ md5: MD5 authentication. You can adopt MD5 authentication in a network facing severe security problems. The switch encrypts a packet to be sent using the authentication key and the MD5 algorithm and saves the encrypted packet in the authentication header. The switc...

  • Page 1077

    Introduction to VRRP 1077 IPv4-based VRRP packet format. Figure 320 IPv4-based VRRP packet format. As shown in Figure 320, an IPv4-based VRRP packet consists of the following fields: ■ Version: version number of the protocol, 2 for VRRPv2. ■ Type: type of the VRRP packet. Only one VRRP packet type is ...

  • Page 1078

    1078 Chapter 87: VRRP Configuration. IPv6-based VRRP packet format. Figure 321 IPv6-based VRRP packet format. As shown in Figure 321, an IPv6-based VRRP packet consists of the following fields: ■ Version: version number of the protocol, 3 for VRRPv3. ■ Type: type of the VRRP packet. Only one VRRP pac...

  • Page 1079

    Introduction to VRRP 1079 master, while the others are the backups. The master sends VRRP advertisement packets periodically to notify the backups that it is working properly, and each of the backups starts a timer to wait for advertisement packets from the master. ■ In preemption mode, when a backu...

  • Page 1080

    1080 Chapter 87: VRRP Configuration master. The new master takes over the forwarding task to provide services to hosts on the LAN. Load balancing: you can create more than one standby group on an interface of a switch, allowing the switch to be the master of one standby group but a backup of anothe...

  • Page 1081

    Configuring VRRP for IPv4 1081 Configuring VRRP for IPv4. VRRP for IPv4 configuration task list: complete these tasks to configure VRRP for IPv4: Enabling users to ping virtual IP addresses: you can configure whether the master switch responds to received ICMP echo requests, that is, whether the vi...

  • Page 1082

    1082 Chapter 87: VRRP Configuration IP address. In this case, you can associate the virtual IP address of the standby group with the real MAC address, so that the packets from a host are forwarded to the IP address owner according to the real MAC address. Follow these steps to configure the associati...

  • Page 1083

    Configuring VRRP for IPv4 1083 ■ The virtual IP address of the standby group cannot be 0.0.0.0, 255.255.255.255, a loopback address, a non-A/B/C address, or other illegal IP addresses such as 0.0.0.1. ■ Only when the configured virtual IP address and the interface IP address belong to the same segment a...

  • Page 1084

    1084 Chapter 87: VRRP Configuration. Note: ■ You may configure different authentication modes and authentication keys for the standby groups on an interface. However, the members of the same standby group must use the same authentication mode and authentication key. ■ Factors like excessive traffic or ...

  • Page 1085

    Configuring VRRP for IPv6 1085 Enabling users to ping virtual IPv6 addresses: you can configure whether the master switch responds to received ICMPv6 echo requests, that is, whether the virtual IPv6 address of a standby group can be pinged through. Follow these steps to enable a user to successfu...

  • Page 1086

    1086 Chapter 87: VRRP Configuration. Caution: you should configure this function before creating a standby group. Otherwise, you cannot modify the mapping between the virtual IPv6 address and the MAC address. Creating a standby group and configuring a virtual IPv6 address: you need to configure a virt...

  • Page 1087

    Configuring VRRP for IPv6 1087 Configuring standby group priority, preemption mode and interface tracking. Configuration prerequisites: before configuring these features, you should first create the standby group and configure the virtual IPv6 address. Configuration procedure: by configuring standby gr...

  • Page 1088

    1088 Chapter 87: VRRP Configuration. You may configure different authentication modes and authentication keys for the standby groups on an interface. However, the members of the same standby group must use the same authentication mode and authentication key. Factors like excessive traffic or differ...

  • Page 1089

    IPv4-based VRRP configuration examples 1089 Network diagram: Figure 324 Network diagram for single VRRP standby group configuration. Configuration procedure 1 Configure Switch A # Configure VLAN 2. system-view [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 1/0/5 [switcha-vlan2] quit [switcha] i...

  • Page 1090

    1090 Chapter 87: VRRP Configuration [switchb-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Set Switch B to work in preemption mode. The preemption delay is five seconds. [switchb-vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5 3 Verify the configuration. After the configuration, ...

  • Page 1091

    IPv4-based VRRP configuration examples 1091 VRID : 1 Adver. Timer : 1 Admin Status : Up State : Master Config Pri : 100 Run Pri : 100 Preempt Mode : Yes Delay Time : 5 Auth Type : None Virtual IP : 202.38.160.111 Virtual MAC : 0000-5e00-0101 Master IP : 202.38.160.2 The above information indicates t...

  • Page 1092

    1092 Chapter 87: VRRP Configuration # Create a standby group 1 and set its virtual IP address to 202.38.160.111. [switcha-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 # Configure the priority of Switch A in the standby group to 110. [switcha-vlan-interface2] vrrp vrid 1 priority 110 # Co...

  • Page 1093

    IPv4-based VRRP configuration examples 1093 Virtual IP Ping : Enable Interface : Vlan-interface2 VRID : 1 Adver. Timer : 5 Admin Status : Up State : Master Config Pri : 110 Run Pri : 110 Preempt Mode : Yes Delay Time : 0 Auth Type : Simple Text Key : hello Track IF : Vlan-interface3 Pri Reduced : 30...

  • Page 1094

    1094 Chapter 87: VRRP Configuration Run Method : virtual-mac Virtual IP Ping : Enable Interface : Vlan-interface2 VRID : 1 Adver. Timer : 5 Admin Status : Up State : Master Config Pri : 100 Run Pri : 100 Preempt Mode : Yes Delay Time : 0 Auth Type : Simple Text Key : hello Virtual IP : 202.38.160....

  • Page 1095

    IPv4-based VRRP configuration examples 1095 [switcha-vlan2] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ip address 202.38.160.1 255.255.255.0 # Create a standby group 1 and set its virtual IP address to 202.38.160.111. [switcha-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.1...

  • Page 1096

    1096 Chapter 87: VRRP Configuration Interface : Vlan-interface2 VRID : 2 Adver. Timer : 1 Admin Status : Up State : Backup Config Pri : 100 Run Pri : 100 Preempt Mode : Yes Delay Time : 0 Auth Type : None Virtual IP : 202.38.160.112 Master IP : 202.38.160.2 # Display detailed information of the st...

  • Page 1097

    IPv6-based VRRP configuration examples 1097 ■ If Switch A operates normally, packets sent from Host A to Host B are forwarded by Switch A; if Switch A fails, packets sent from Host A to Host B are forwarded by Switch B. Network diagram: Figure 327 Network diagram for single VRRP standby group configu...

  • Page 1098

    1098 Chapter 87: VRRP Configuration # Configure VLAN 2. system-view [switchb] ipv6 [switchb] vlan 2 [switchb-vlan2] port gigabitethernet 1/0/5 [switchb-vlan2] quit [switchb] interface vlan-interface 2 [switchb-vlan-interface2] ipv6 address fe80::2 link-local # Create a standby group 1 and set its ...

  • Page 1099

    IPv6-based VRRP configuration examples 1099 If Switch A fails, you can still ping Host B from Host A. You can use the display vrrp ipv6 command to view the detailed information of the standby group on Switch B. # If Switch A fails, the detailed information of standby group 1 on Switch B is dis...

  • Page 1100

    1100 Chapter 87: VRRP Configuration. Configuration procedure 1 Configure Switch A # Configure VLAN 2. system-view [switcha] ipv6 [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 1/0/5 [switcha-vlan2] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ipv6 address fe80::1 link-...

  • Page 1101

    IPv6-based VRRP configuration examples 1101 [switchb-vlan-interface2] vrrp ipv6 vrid 1 virtual-ip fe80::10 link-local # Set the authentication mode for standby group 1 to simple and the authentication key to hello. [switchb-vlan-interface2] vrrp ipv6 vrid 1 authentication-mode simple hello # Set the v...

  • Page 1102

    1102 Chapter 87: VRRP Configuration. If Switch A is working, but its interface Vlan-interface 3 is not available, you can still ping Host B from Host A. You can use the display vrrp ipv6 command to view the detailed information of the standby group. # If Switch A is working, but its interface...

  • Page 1103

    IPv6-based VRRP configuration examples 1103 Network diagram: Figure 329 Network diagram for multiple VRRP standby group configuration. Configuration procedure 1 Configure Switch A # Configure VLAN 2. system-view [switcha] ipv6 [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 1/0/5 [switcha-vlan2]...

  • Page 1104

    1104 Chapter 87: VRRP Configuration [switchb-vlan2] quit [switchb] interface vlan-interface 2 [switchb-vlan-interface2] ipv6 address fe80::2 link-local [switchb-vlan-interface2] ipv6 address 1::2 64 # Create standby group 1 and set its virtual IP address to fe80::10. [switchb-vlan-interface2] vrrp...

  • Page 1105

    Troubleshooting VRRP 1105 Preempt Mode : Yes Delay Time : 0 Auth Type : None Virtual IP : fe80::10 Master IP : fe80::1 Interface : Vlan-interface2 VRID : 2 Adver. Timer : 100 Admin Status : Up State : Master Config Pri : 110 Run Pri : 110 Preempt Mode : Yes Delay Time : 0 Auth Type : None Virtual IP...

  • Page 1106

    1106 Chapter 87: VRRP Configuration ■ If the ping fails, check network connectivity. ■ If the ping succeeds, check that their configurations are consistent in terms of the number of virtual IP addresses, the virtual IP addresses, the advertisement interval, and authentication. Symptom 3: frequent VRRP state t...

  • Page 1107: SSH Configuration

    88 SSH Configuration. When configuring SSH, go to these sections for information you are interested in: ■ “SSH2.0 overview” on page 1107 ■ “Configuring the device as an SSH server” on page 1110 ■ “Configuring the device as an SSH client” on page 1115 ■ “Displaying and maintaining SSH” on page 1118 ■...

  • Page 1108

    1108 Chapter 88: SSH Configuration. An asymmetric key algorithm encrypts data using the public key and decrypts the data using the private key, thus ensuring data confidentiality. You can also use an asymmetric key algorithm for digital signatures. For example, User 1 adds his signature to the data using the...

  • Page 1109

    SSH2.0 overview 1109 Key and algorithm negotiation ■ The server and the client send key algorithm negotiation packets to each other, which include the supported public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list. ■ Based on the received algorithm...

  • Page 1110

    1110 Chapter 88: SSH Configuration ■ password-publickey: performs both password authentication and publickey authentication of the client. A client running an SSH1 client only needs to pass either of the two, while a client running an SSH2 client must pass both of them to log in. ■ any: performs eit...

  • Page 1111

    Configuring the device as an SSH server 1111 Note: as a client uses either the RSA or the DSA algorithm for authentication and different clients may support different algorithms, the server needs to generate both RSA and DSA key pairs for successful authentication. Enabling the SSH server: follow these steps to enab...

  • Page 1112

    1112 Chapter 88: SSH Configuration. Caution: ■ Configuration of the rsa local-key-pair create and public-key local create dsa commands can survive a reboot. You only need to configure it once. ■ The length of an RSA server/host key is in the range 512 to 2048 bits. With SSH2, however, some clients...

  • Page 1113

    Configuring the device as an SSH server 1113 For an SSH user that uses publickey authentication to log in, the server must be configured with the client's RSA or DSA host public key in advance, and the corresponding private key must be specified on the client. You can manually configure ...

  • Page 1114

    1114 Chapter 88: SSH Configuration. Caution: ■ After passing AAA authentication, an AAA user without an SSH user account can still log on to the server using password authentication and the Stelnet or SFTP service. ■ An SSH server supports up to 1024 SSH users. ■ The service type of an SSH user can be s...

  • Page 1115

    Configuring the device as an SSH client 1115 ■ After login, the commands available for a user are determined by the user privilege level, which is configured with the user privilege level command on the user interface. By default, the command privilege level is 0. For users using password authentica...

  • Page 1116

    1116 Chapter 88: SSH Configuration. Specifying a source IP address/interface for the SSH client: this configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability. Configuring whether first-time authentication is s...

  • Page 1117

    Configuring the device as an SSH client 1117 Establishing a connection between the SSH client and the server: follow these steps to establish the connection between the SSH client and the server: (To do… / Use the command… / Remarks) Enter system view / system-view / - ; Disable first-time authentication support...

  • Page 1118

    1118 Chapter 88: SSH Configuration. Displaying and maintaining SSH. (To do… / Use the command… / Remarks) Establish a connection between the SSH client and the server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms for them ; Establish a connection between the s...

  • Page 1119

    SSH server configuration examples 1119 SSH server configuration examples. When using password authentication. Network requirements ■ As shown in Figure 331, a local SSH connection is established between the host (SSH client) and the switch (SSH server) for secure data exchange. ■ Password authenticati...

  • Page 1120

    1120 Chapter 88: SSH Configuration # Create local user client001, and set the user command privilege level to 3. [switch] local-user client001 [switch-luser-client001] password simple aabbcc [switch-luser-client001] service-type ssh level 3 [switch-luser-client001] quit # Specify the service type f...

  • Page 1121

    SSH server configuration examples 1121 When using publickey authentication. Network requirements ■ As shown in Figure 333, a local SSH connection is established between the host (SSH client) and the switch (SSH server) for secure data exchange. ■ Publickey authentication is used, the algorithm is RSA...

  • Page 1122

    1122 Chapter 88: SSH Configuration. Run puttygen.exe, choose SSH2 (RSA) and click Generate. Figure 334 Generate a client key pair (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 335. Otherwise, the progress bar stop...

  • Page 1123

    SSH server configuration examples 1123 Figure 335 Generate a client key pair (2). After the key pair is generated, click Save public key to save the key in a file by entering a file name (“key.pub” in this case). Figure 336 Generate a client key pair (3).

  • Page 1124

    1124 Chapter 88: SSH Configuration. Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (“private” in this case). Figure 337 Generate a c...

  • Page 1125

    SSH client configuration examples 1125 Figure 339 SSH client configuration interface (2). From the window shown in Figure 339, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username (client002) to enter the configuration interfa...

  • Page 1126

    1126 Chapter 88: SSH Configuration. Configuration procedure 1 Configure the SSH server # Create RSA and DSA key pairs and enable the SSH server. system-view [switchb] public-key local create rsa [switchb] public-key local create dsa [switchb] ssh server enable # Create an IP address for VLAN inte...

  • Page 1127

    SSH client configuration examples 1127 88317c1bd8171d41ecb83e210c03cc9 [switcha-pkey-key-code]b32e810561c21621c73d6daac028f4b1585da7f42519718cc 9b09eef0381840002818000af995917 [switcha-pkey-key-code]e1e570a3f6b1c2411948b3b4ffa256699b3bf871221cc9c5d f257523777d033bee77fc378145f2ad [switcha-pkey-key-c...

  • Page 1128

    1128 Chapter 88: SSH Configuration [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [switchb-vlan-interface1] quit # Set the authentication mode for the user interface to AAA. [switchb] user-interface vty 0 4 [switchb-ui-vty0-4] authentication-m...

  • Page 1129

    SSH client configuration examples 1129 **************************************************************************

  • Page 1130

    1130 Chapter 88: SSH Configuration.

  • Page 1131: SFTP Service

    89 SFTP Service. When configuring SFTP, go to these sections for information you are interested in: ■ “SFTP overview” on page 1131 ■ “Configuring an SFTP server” on page 1131 ■ “Configuring an SFTP client” on page 1132 ■ “SFTP configuration example” on page 1135 SFTP overview: the Secure File Transfe...

  • Page 1132

    1132 Chapter 89: SFTP Service. Configuring the SFTP connection idle timeout period: once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that a user cannot hold a connection open while doing nothing. Follow these steps to configure t...

  • Page 1133

    Configuring an SFTP client 1133 Working with the SFTP directories: SFTP directory operations include: ■ Changing or displaying the current working directory ■ Displaying files under a specified directory or the directory information ■ Changing the name of a specified directory on the server ■ Creatin...

  • Page 1134

    1134 Chapter 89: SFTP Service. Working with SFTP files: SFTP file operations include: ■ Changing the name of a file ■ Downloading a file ■ Uploading a file ■ Displaying a list of the files ■ Deleting a file. Follow these steps to work with SFTP files: Return to the upper-level directory / cdup / Optional...

  • Page 1135

    SFTP configuration example 1135 Displaying help information: this configuration task is to display a list of all commands or the help information of an SFTP client command, such as the command format and parameters. Follow these steps to display a list of all commands or the help information of an SF...

  • Page 1136

    1136 Chapter 89: SFTP Service. Network diagram: Figure 342 Network diagram for SFTP configuration. Configuration procedure 1 Configure the SFTP server (Switch B) # Generate RSA and DSA key pairs and enable the SSH server. system-view [switchb] public-key local create rsa [switchb] public-key local cr...

  • Page 1137

    SFTP configuration example 1137 # Establish a connection to the remote SFTP server and enter SFTP client view. sftp 192.168.0.1 Input username: client001 Trying 192.168.0.1 ... Press CTRL+K to abort Connected to 192.168.0.1 ... The server is not authenticated. Continue? [y/n]:y Do you want to save t...

  • Page 1138

    1138 Chapter 89: SFTP Service -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 # Download the file “pubkey2” from the server and change the name to “public”. sftp-client> get pubkey2 public Remote file:/pubkey2 ---> Local file: public Downloading file ...

  • Page 1139: RRPP Configuration

    90 RRPP Configuration. When configuring RRPP, go to these sections for information you are interested in: ■ “RRPP overview” on page 1139 ■ “RRPP configuration task list” on page 1146 ■ “Configuring master node” on page 1147 ■ “Configuring transit node” on page 1148 ■ “Configuring edge node” on page ...

  • Page 1140

    1140 c hapter 90: rrpp c onfiguration rrpp domain the interconnected devices with the same domain id and control vlans constitute an rrpp domain. An rrpp domain contains multiple rrpp rings, in which one ring serves as the primary ring and other rings serve as sub rings. You can set a ring as either...

  • Page 1141

    Rrpp overview 1141 as shown in figure 343, ring 1 is the primary ring and ring 2 is a sub ring. Device a is the master node of ring 1, device b, device c and device d are the transit nodes of ring 1; device e is the master node of ring 2, device b is the edge node of ring 2, and device c is the assi...

  • Page 1142

    1142 c hapter 90: rrpp c onfiguration ■ the fail timer is used for the secondary port to receive health packets from the master node. If the secondary port receives the health packets before the fail timer expires, the overall ring is in health state. Otherwise, the ring transits into disconnect sta...

  • Page 1143

    Rrpp overview 1143 single ring figure 344 single ring there is only a single ring in the network topology. In this case, you only need to define an rrpp domain. Multi-domain tangent rings figure 345 multi-domain tangent rings there are two or more rings in the network topology and only one common no...

  • Page 1144

    1144 c hapter 90: rrpp c onfiguration single-domain intersecting rings figure 346 single-domain intersecting rings there are two or more rings in the network topology and two common nodes between rings. In this case, you only need to define an rrpp domain, and set one ring as the primary ring and ot...

  • Page 1145

    Rrpp overview 1145 multi-domain intersecting rings figure 348 multi-domain intersecting rings there are two or more domains in a network, and there two different common nodes between any two domains. Figure 348 defines three rrpp domains, each containing one and only one rrpp primary ring. In the ca...

  • Page 1146

    1146 c hapter 90: rrpp c onfiguration edge node are up again. A temporary loop may arise in the data vlan in this period. As a result, broadcast storm occurs. To prevent temporary loops, non-master nodes block them immediately (and permits only the packets of the control vlan) when they find their p...

  • Page 1147

    Configuring master node 1147 ■ when configuring multi-domain intersecting rings, do not enable or disable the rrpp ring on which the multi-domain intersection common port resides with rrpp globally enabled. ■ in the case of multi-domain intersection, the rings in different domains are independently ...

  • Page 1148

    1148 c hapter 90: rrpp c onfiguration c caution: ■ the control vlan configured for an rrpp domain must be a new one. ■ control vlan configuration is required for configuring an rrpp ring. ■ to use the undo rrpp domain command to remove an rrpp domain, you must ensure the rrpp domain has no rrpp ring...

  • Page 1149

    Configuring edge node 1149 c caution: ■ the control vlan configured for an rrpp domain must be a new one. ■ control vlan configuration is required for configuring an rrpp ring. ■ to use the undo rrpp domain command to remove an rrpp domain, you must ensure the rrpp domain has no rrpp ring. Transit n...

  • Page 1150

    1150 c hapter 90: rrpp c onfiguration c caution: ■ the control vlan configured for an rrpp domain must be a new one. ■ control vlan configuration is required for configuring an rrpp ring. ■ a ring id cannot be applied to more than one rrpp ring in an rrpp domain. ■ you must first configure the prima...

  • Page 1151

    Configuring assistant edge node 1151 configuration procedure system-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] link-delay 0 [sysname-gigabitethernet1/0/1] quit [sysname] interface gigabitethernet 1/0/2 [sysname-gigabitethernet1/0/2] link-delay 0 [sysname-gigabiteth...

  • Page 1152

    1152 c hapter 90: rrpp c onfiguration ■ control vlan configuration is required for configuring an rrpp ring. ■ a ring id cannot be applied to more than on rrpp ring in an rrpp domain. ■ you must first configure the primary ring and then the sub ring when configuring an edge node. Moreover, you must ...

  • Page 1153

    Rrpp typical configuration examples 1153 configuring single ring topology networking requirements ■ device a, device b, device c and device d constitute rrpp domain 1; ■ specify the control vlan of rrpp domain 1 as vlan 4092; ■ device a, device b, device c and device d constitute primary ring 1; ■ s...

  • Page 1154

    1154 c hapter 90: rrpp c onfiguration [device a-rrpp-domain1] quit [device a] rrpp enable 2 perform the following configuration on device b: system-view [deviceb] interface gigabitethernet 1/0/1 [deviceb-gigabitethernet1/0/1] link-delay 0 [deviceb-gigabitethernet1/0/1] quit [deviceb] interface gigab...

  • Page 1155

    Rrpp typical configuration examples 1155 ■ device d is the transit node of primary ring 1, gigabitethernet 1/0/1 is the primary port and gigabitethernet 1/0/2 is the secondary port; ■ the timers of both the primary ring and the sub ring adopt the default value. Figure 350 networking diagram for sing...

  • Page 1156

    1156 c hapter 90: rrpp c onfiguration [deviceb-gigabitethernet1/0/3] quit [device b] rrpp domain 1 [device b-rrpp-domain1] control-vlan 4092 [device b-rrpp-domain1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 [device b-rrpp-domain1] ring 2...

  • Page 1157

    Rrpp typical configuration examples 1157 ■ on primary ring 1 in rrpp domain 1, device a is the master node, gigabitethernet 1/0/1 is the primary port and gigabitethernet 1/0/2 is the secondary port; ■ on primary ring 2 in rrpp domain 2, device e is the master node, gigabitethernet 1/0/1 is the prima...

  • Page 1158

    1158 c hapter 90: rrpp c onfiguration configuration procedure 1 perform the following configuration on device a: system-view [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] link-delay 0 [devicea-gigabitethernet1/0/1] quit [devicea] interface gigabitethernet 1/0/2 [devicea-gi...

  • Page 1159

    Rrpp typical configuration examples 1159 [devicee] interface gigabitethernet 1/0/2 [devicee-gigabitethernet1/0/2] link-delay 0 [devicee-gigabitethernet1/0/2] quit [device e] rrpp domain 2 [device e-rrpp-domain2] control-vlan 4092 [device e-rrpp-domain2] ring 2 node-mode master primary-port gigabitet...

  • Page 1161: Port Security Configuration

    91 Port Security Configuration. When configuring port security, go to these sections for information you are interested in: ■ “Introduction to port security” on page 1161 ■ “Port security configuration task list” on page 1164 ■ “Displaying and maintaining port security” on page 1169 ■ “Port securi...

  • Page 1162

    1162 Chapter 91: Port Security Configuration. Intrusion protection. The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port perm...

  • Page 1163

    Introduction to port security 1163. ■ Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. ■ The maximum number of authenticated users th...

  • Page 1164

    1164 Chapter 91: Port Security Configuration. Port security configuration task list. Complete the following tasks to configure port security: Enabling port security. Configuration prerequisites: Before enabling port security, you need to disable 802.1X and MAC authentication globally. Configuration ...

  • Page 1165

    Setting the maximum number of secure MAC addresses 1165. Setting the maximum number of secure MAC addresses. With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the specified upper limit. By setting the ...

  • Page 1166

    1166 Chapter 91: Port Security Configuration. Enabling the autoLearn mode. Configuration prerequisites: Before enabling the autoLearn mode, you need to set the maximum number of secure MAC addresses allowed on the port. Configuration procedure: Follow these steps to enable the autoLearn mode: When...

  • Page 1167

    Configuring port security features 1167. On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail. Configuring port security featu...

  • Page 1168

    1168 Chapter 91: Port Security Configuration. Configuring secure MAC addresses. Secure MAC addresses are special MAC addresses. They never age out or get lost if saved before the device restarts. One secure MAC address can be added to only one port in the same VLAN. Thus, you can bind a MAC addres...

  • Page 1169

    Displaying and maintaining port security 1169. Displaying and maintaining port security. Port security configuration examples. Port security configuration for autoLearn mode. Network requirements: Restrict port GigabitEthernet 1/0/1 of the switch as follows: ■ Allow up to 64 users to access the port with...

  • Page 1170

    1170 Chapter 91: Port Security Configuration. system-view [Switch] port-security enable # Enable intrusion protection trap. [Switch] port-security trap intrusion [Switch] interface gigabitethernet 1/0/1 # Set the maximum number of secure MAC addresses allowed on the port to 64. [Switch-GigabitEth...

  • Page 1171

    Port security configuration examples 1171. port-security max-mac-count 64 port-security port-mode autolearn port-security mac-address security 0002-0000-0015 vlan 1 port-security mac-address security 0002-0000-0014 vlan 1 port-security mac-address security 0002-0000-0013 vlan 1 port-security mac-addr...

  • Page 1172

    1172 Chapter 91: Port Security Configuration. Network diagram: Figure 353 Network diagram for port security configuration for userLoginWithOUI mode. Configuration procedure: ■ The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to “...

  • Page 1173

    Port security configuration examples 1173. # Set the interval at which the switch sends real-time accounting packets to the RADIUS server to 15 minutes. [Switch-radius-radsun] timer realtime-accounting 15 # Specify that the switch sends user names without domain names to the RADIUS server. [Switch-ra...

  • Page 1174

    1174 Chapter 91: Port Security Configuration. Retransmission times for timeout = 5 Interval for realtime accounting(minute) = 15 Retransmission times of realtime-accounting packet = 5 Retransmission times of stop-accounting packet = 500 Quiet-interval(min) = 5 Username format = without-domain Dat...

  • Page 1175

    Port security configuration examples 1175. GigabitEthernet1/0/1 is link-up 802.1X protocol is enabled Handshake is enabled The port is an authenticator Authentication mode is Auto Port control type is Mac-based 802.1X Multicast-trigger is enabled Guest VLAN: 0 Max number of on-line users is 256 EAPOL...

  • Page 1176

    1176 Chapter 91: Port Security Configuration. Configuration procedure: Configurations on the host and RADIUS servers are omitted. 1 Configure the RADIUS protocol. The required RADIUS authentication/accounting configurations are the same as those in “Port security configuration for userLoginWithOU...

  • Page 1177

    Port security configuration examples 1177. display mac-authentication interface gigabitethernet 1/0/1 MAC address authentication is enabled. User name format is fixed account Fixed username:aaa Fixed password:123456 Offline detect period is 300s Quiet period is 60s Server response timeout value is 10...

  • Page 1178

    1178 Chapter 91: Port Security Configuration. In addition, since NTK is enabled, frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses should be discarded. Troubleshooting port security. Cannot set the port security mode. Symptom: Cannot set the port security mo...

  • Page 1179

    Troubleshooting port security 1179. Solution: Use the cut command to forcibly disconnect the user from the port before changing the port security mode. [Switch-GigabitEthernet1/0/1] cut connection interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] undo port-security port-mode

  • Page 1181: LLDP Configuration

    92 LLDP Configuration. When configuring LLDP, go to these sections for information you are interested in: ■ “Introduction to LLDP” on page 1181 ■ “LLDP configuration tasks list” on page 1184 ■ “Performing basic LLDP configuration” on page 1184 ■ “Configuring LLDP trap” on page 1188 ■ “Displaying and...

  • Page 1182

    1182 Chapter 92: LLDP Configuration. To inform the neighboring devices in a timely manner of the existence of a device or of an LLDP operating mode change (from the disable mode to TxRx mode, or from the Rx mode to Tx mode), a device can invoke the fast sending mechanism. In this case, the interval...

  • Page 1183

    Introduction to LLDP 1183. Organization defined LLDP TLVs. 1 LLDP TLVs defined in IEEE 802.1 include the following: ■ Port VLAN ID TLV, which carries the port VLAN ID. ■ Port and Protocol VLAN ID TLV, which carries the port protocol VLAN ID. ■ VLAN Name TLV, which carries the port VLAN name. ■ Protocol Identity TL...

  • Page 1184

    1184 Chapter 92: LLDP Configuration. ■ Manufacturer Name TLV, which carries the manufacturer name of an MED device. ■ Model Name TLV, which carries the model of an MED device. ■ Asset ID TLV, which carries the asset ID of an MED device. Asset ID is used for directory management and asset tracking. ...

  • Page 1185

    Performing basic LLDP configuration 1185. To make LLDP take effect, you need to enable it both globally and on the related ports. Setting LLDP operating mode. Follow these steps to set LLDP operating mode: Configuring LLDPDU TLVs. Follow these steps to configure LLDPDU TLVs: To do… | Use the command… | R...

  • Page 1186

    1186 Chapter 92: LLDP Configuration. ■ To enable MED related LLDP TLV sending, you need to enable LLDP-MED Capabilities TLV sending first. Conversely, to disable LLDP-MED Capabilities TLV sending, you need to disable the sending of other MED related LLDP TLVs. ■ To disable MAC/PHY Configuration/S...

  • Page 1187

    Performing basic LLDP configuration 1187. Caution: To enable local device information to be updated on neighboring devices before being aged out, make sure the interval to send LLDPDUs is shorter than the TTL of the local device information. Setting the number of the LLDPDUs to be sent when a new n...

  • Page 1188

    1188 Chapter 92: LLDP Configuration. The configuration does not apply to LLDP-CDP packets, which use only SNAP encapsulation. Configuring LLDP trap. LLDP trap is used to notify the NMS of events such as new neighboring devices detected and link malfunctions. LLDP traps are sent periodically and yo...

  • Page 1189

    LLDP configuration example 1189. LLDP configuration example. Network requirements: ■ The NMS and Switch A are located in the same Ethernet. An MED device and Switch B are connected to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A. ■ Enable LLDP on the ports of S...

  • Page 1190

    1190 Chapter 92: LLDP Configuration. [SwitchA] interface gigabitethernet1/0/1 [SwitchA-GigabitEthernet1/0/1] lldp enable [SwitchA-GigabitEthernet1/0/1] lldp admin-status rx [SwitchA-GigabitEthernet1/0/1] quit [SwitchA] interface gigabitethernet1/0/2 [SwitchA-GigabitEthernet1/0/2] lldp enable [Switc...

  • Page 1191

    LLDP configuration example 1191. display lldp status Global status of LLDP : Enable The current number of neighbors : 1 Neighbor information last changed time : 0 days, 0 hours, 5 minutes, 20 seconds Transmit interval : 30s Hold multiplier : 4 Reinit delay : 2s Transmit delay : 2s Trap interval : 5s ...

  • Page 1193: PoE Configuration

    93 PoE Configuration. When configuring PoE, go to these sections for information you are interested in: ■ “PoE overview” on page 1193 ■ “PoE configuration task list” on page 1194 ■ “Configuring the PoE interface” on page 1194 ■ “Configuring PD power management” on page 1196 ■ “Configuring a power ...

  • Page 1194

    1194 Chapter 93: PoE Configuration. ■ PSE. A PSE is a module or subcard. A PSE manages its own PoE interfaces independently. The PSE examines the Ethernet cables connected to PoE interfaces, searches for the devices, classifies them, and supplies power to them. When detecting that a PD is unplugged, the P...

  • Page 1195

    Configuring the PoE interface 1195. The Switch 4800G does not support power over spare cables. In this case, if the PD only supports power over spare cables, you have to change the order of the lines in the twisted pair cable to supply power to the PD. Configuring a PoE interface through the command ...

  • Page 1196

    1196 Chapter 93: PoE Configuration. Caution: ■ After a PoE configuration file is applied to a PoE interface, other PoE configuration files cannot take effect on this PoE interface. ■ If a PoE configuration file is already applied to a PoE interface, you must execute the undo apply poe-profile ...

  • Page 1197

    Configuring a power alarm threshold for the PSE 1197. interface from critical to a lower level, the PDs connecting to other PoE interfaces will have an opportunity of being powered. Configuration prerequisites: Enable PoE for PoE interfaces. Configuration procedure: Follow these steps to configure PD p...

  • Page 1198

    1198 Chapter 93: PoE Configuration. Online PSE processing software upgrade may be unexpectedly interrupted (for example, an error results in device reboot). If you fail to upgrade the PSE processing software in full mode after reboot, you can power off the device and restart it before upgrading i...

  • Page 1199

    Displaying and maintaining PoE 1199. Displaying and maintaining PoE. PoE configuration example. Network requirements: The device provides power supply for PDs through PoE interfaces. ■ GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are connected to IP telephones. ■ GigabitEthernet 1/0/11 and GigabitEth...

  • Page 1200

    1200 Chapter 93: PoE Configuration. [Sysname-GigabitEthernet1/0/1] poe enable [Sysname-GigabitEthernet1/0/1] quit [Sysname] interface gigabitethernet 1/0/2 [Sysname-GigabitEthernet1/0/2] poe enable [Sysname-GigabitEthernet1/0/2] quit [Sysname] interface gigabitethernet 1/0/11 [Sysname-GigabitEthe...

  • Page 1201

    Troubleshooting PoE 1201. ■ In the first case, you can solve the problem by removing the original configurations of those configurations. ■ In the second case, you need to modify some configurations in the PoE configuration file. ■ In the third case, you need to remove the application of the undesire...

  • Page 1203: sFlow Configuration

    94 sFlow Configuration. When configuring sFlow, go to these sections for information you are interested in: ■ “sFlow overview” on page 1203 ■ “Configuring sFlow” on page 1204 ■ “Displaying sFlow” on page 1204 ■ “sFlow configuration example” on page 1204 ■ “Troubleshooting sFlow configuration” on p...

  • Page 1204

    1204 Chapter 94: sFlow Configuration. Operation of sFlow. sFlow operates as follows: 1 With sFlow enabled, a physical port encapsulates received data into packets and sends them to the sFlow agent. 2 The sFlow agent periodically collects interface statistics on all sFlow enabled ports. 3 When the ...

  • Page 1205

    sFlow configuration example 1205. ■ GigabitEthernet 1/0/3 belongs to VLAN 1, having an IP address of 3.3.3.1. Run the sFlow agent on Switch, and enable sFlow on GigabitEthernet 1/0/1 to monitor traffic on this interface. Switch sends sFlow packets through GigabitEthernet 1/0/3 to Host B, which then analy...

  • Page 1206

    1206 Chapter 94: sFlow Configuration. Troubleshooting sFlow configuration. The remote sFlow collector cannot receive sFlow packets. Symptom: The remote sFlow collector cannot receive sFlow packets. Analysis: ■ sFlow is not enabled globally because the sFlow agent and/or the sFlow collector are not sp...

  • Page 1207: SSL Configuration

    95 SSL Configuration. When configuring SSL, go to these sections for information you are interested in: ■ “SSL overview” on page 1207 ■ “SSL configuration task list” on page 1208 ■ “Displaying and maintaining SSL” on page 1211 ■ “Troubleshooting SSL” on page 1211. SSL overview. Secure Sockets Layer (S...

  • Page 1208

    1208 Chapter 95: SSL Configuration. ■ SSL change cipher spec protocol: used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key. ■ SSL alert protocol: allowing a client and the server to ...

  • Page 1209

    Configuring an SSL server policy 1209. If you enable client authentication here, you must request a local certificate for the client. SSL server policy configuration example. Network requirements: ■ A switch works as the HTTPS server. ■ A host works as the client and accesses the HTTPS server through...

  • Page 1210

    1210 Chapter 95: SSL Configuration. [Sysname-pki-domain-1] certificate request from ra [Sysname-pki-domain-1] certificate request entity en [Sysname-pki-domain-1] quit # Create a local key pair through RSA. [Sysname] public-key local create rsa # Retrieve the CA certificate. [Sysname] pki retrieval...

  • Page 1211

    Displaying and maintaining SSL 1211. Configuration prerequisites: Before configuring an SSL client policy, you must configure a PKI domain. For details about PKI domain configuration, refer to “Configuring a PKI domain” on page 1223. Configuration procedure: Follow these steps to configure an SSL clien...

  • Page 1212

    1212 Chapter 95: SSL Configuration. 3 If the server certificate cannot be trusted, install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server, or let the server request a certificate from the CA that the SSL client trusts. 4 If the SSL server is co...

  • Page 1213: HTTPS Configuration

    96 HTTPS Configuration. When configuring HTTPS, go to these sections for information you are interested in: ■ “HTTPS overview” on page 1213 ■ “HTTPS configuration task list” on page 1213 ■ “Associating the HTTPS service with an SSL server policy” on page 1214 ■ “Enabling the HTTPS service” on page 1...

  • Page 1214

    1214 Chapter 96: HTTPS Configuration. Associating the HTTPS service with an SSL server policy. You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: ■ If the ip https ...

  • Page 1215

    Associating the HTTPS service with a certificate attribute access control policy 1215. Associating the HTTPS service with a certificate attribute access control policy. Associating the HTTPS service with a configured certificate access control policy helps control the access right of the client, thus ...

  • Page 1216

    1216 Chapter 96: HTTPS Configuration. ■ Host accesses Switch through Web to control Switch. ■ CA (certificate authority) issues a certificate to Switch. The common name of the CA is new-ca. Caution: In this configuration example, Windows Server serves as the CA and you need to install Simple Certificate En...

  • Page 1217

    HTTPS configuration example 1217. 2 Configure an SSL server policy associated with the HTTPS service. # Configure SSL server policy. [Switch] ssl server-policy myssl [Switch-ssl-server-policy-myssl] pki-domain 1 [Switch-ssl-server-policy-myssl] client-verify enable [Switch-ssl-server-policy-myssl] qui...

  • Page 1219: PKI Configuration

    97 PKI Configuration. When configuring PKI, go to these sections for information you are interested in: ■ “Introduction to PKI” on page 1219 ■ “PKI configuration task list” on page 1222 ■ “Displaying and maintaining PKI” on page 1229 ■ “PKI configuration examples” on page 1230 ■ “Troubleshooting PKI...

  • Page 1220

    1220 Chapter 97: PKI Configuration. CRL. An existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business. Revoking a certificate is to remove the binding of the public key with the user identity information. In PKI, the r...

  • Page 1221

    Introduction to PKI 1221. RA. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup. The PKI standard recommends that an independent RA be used for ...

  • Page 1222

    1222 Chapter 97: PKI Configuration. 4 The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued. 5 The entity retrieves the certificate. With the certificate, the entity can c...

  • Page 1223

    Configuring a PKI domain 1223. Follow these steps to configure an entity DN: ■ Currently, up to two entities can be created on a device. ■ Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity DN in a certificate request goes beyond a certain limit,...

  • Page 1224

    1224 Chapter 97: PKI Configuration. ■ RA. Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application...

  • Page 1225

    Submitting a PKI certificate request 1225. ■ Currently, up to two PKI domains can be created on a device. ■ The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request. Submitting a PKI certificate request. When requesting a certificate, an entit...

  • Page 1226

    1226 Chapter 97: PKI Configuration. Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, while the public key is transferred to the CA along with some other information. For detailed inform...

  • Page 1227

    Configuring PKI certificate validation 1227. mode, you need to retrieve a certificate by an out-of-band means like FTP, disk, or e-mail and then import it into the local PKI system. Certificate retrieval serves two purposes: ■ Locally store the certificates associated with the local security domain for ...

  • Page 1228

    1228 Chapter 97: PKI Configuration. Configuring CRL-checking-disabled PKI certificate validation. Follow these steps to configure CRL-checking-disabled PKI certificate validation: ■ The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. The CRL update ...

  • Page 1229

    Deleting a certificate 1229. For details about the public-key local destroy rsa command, refer to “SSH configuration” on page 1107. Deleting a certificate. When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate ...

  • Page 1230

    1230 Chapter 97: PKI Configuration. PKI configuration examples. Caution: ■ The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificat...

  • Page 1231

    PKI configuration examples 1231. ■ Nickname: name of the trusted CA. ■ Subject DN: DN information of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). The other attributes may be left using the default values. 2 Configure extended attributes. After conf...

  • Page 1232

    1232 Chapter 97: PKI Configuration. [Switch-pki-domain-torsa] certificate request entity aaa # Configure the URL for the CRL distribution point. [Switch-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl [Switch-pki-domain-torsa] quit 6 Generate a local key pair using RSA. [Switch] public-key l...

  • Page 1233

    PKI configuration examples 1233. 9a96a48f 9a509fd7 05fff4df 104ad094 Signature Algorithm: sha1WithRSAEncryption Issuer: C=cn O=org OU=test CN=myca Validity Not Before: Jan 8 09:26:53 2007 GMT Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncr...

  • Page 1234

    1234 Chapter 97: PKI Configuration. Networking diagram: Figure 362 Diagram for configuring a certificate attribute-based access control policy. Configuration procedure: ■ For detailed information about SSL configuration, refer to “SSL configuration” on page 1207. ■ For detailed information about HTT...

  • Page 1235

    Troubleshooting PKI 1235. 2 Configure the certificate attribute-based access control policy. # Create the certificate attribute-based access control policy of myacp and add two access control rules. [Switch] pki certificate access-control-policy myacp [Switch-pki-cert-acp-myacp] rule 1 deny mygroup1 [...

  • Page 1236

    1236 Chapter 97: PKI Configuration. Failed to request a local certificate. Symptom: Failed to request a local certificate. Analysis: Possible reasons include these: ■ The network connection is not proper. For example, the network cable may be damaged or loose. ■ No CA certificate has been retrieved. ■...

  • Page 1237: Track Configuration

    98 Track Configuration. When configuring Track, go to these sections for information you are interested in: ■ “Track overview” on page 1237 ■ “Track configuration task list” on page 1238 ■ “Configuring collaboration between the Track module and the detection modules” on page 1238 ■ “Configuring col...

  • Page 1238

    1238 Chapter 98: Track Configuration. Collaboration between the Track module and the detection modules. You can establish the collaboration between the Track module and the detection modules through configuration. A detection module probes the link status and informs the Track module of the probe r...

  • Page 1239

    Configuring collaboration between the Track module and the application modules 1239. Caution: When you configure a track object, the specified NQA test group and reaction entry can be nonexistent. In this case, the status of the configured track object is Invalid. Configuring collaboration between ...

  • Page 1240

    1240 Chapter 98: Track Configuration. ■ Do not perform track object monitoring on the IP address owner. ■ When the status of the monitored track object turns from Negative to Positive, the corresponding master restores its priority automatically. ■ The monitored track object can be nonexistent, ...

  • Page 1241

    Displaying and maintaining track object(s) 1241. Displaying and maintaining track object(s). Track configuration example. VRRP-Track-NQA collaboration configuration example. Network requirements: ■ Host A needs to access Host B on the Internet. The default gateway of Host A is 10.1.1.10/24. ■ Switch A an...

  • Page 1242

    1242 Chapter 98: Track Configuration. [SwitchA-nqa-admin-test] type icmp-echo # Configure the destination address as 10.1.2.2. [SwitchA-nqa-admin-test-icmp-echo] destination ip 10.1.2.2 # Set the test frequency to 100 ms. [SwitchA-nqa-admin-test-icmp-echo] frequency 100 # Configure reaction entry ...

  • Page 1243

    Track configuration example 1243. system-view [SwitchB] interface vlan-interface 2 # Create VRRP group 1, and configure the virtual IP address 10.1.1.10 for the group. [SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.10 # Set the authentication mode of VRRP group 1 to simple, and the authentic...

  • Page 1244

    1244 Chapter 98: Track Configuration. The above output information indicates that in VRRP group 1, Switch A is the master and Switch B is a backup. Packets from Host A to Host B are forwarded through Switch A. When there is a fault on the link between Switch A and Switch C, you can still successfu...

  • Page 1245: Acronyms

    A Acronyms. A: AAA authentication, authorization and accounting; ABR area border router; ACL access control list; ARP address resolution protocol; AS autonomous system; ASBR autonomous system border router. B: BDR backup designated router. C: CAR committed access rate; CLI command line interface; CoS class of s...

  • Page 1246

    1246 Chapter A: Acronyms. LSDB link state database. M: MAC medium access control; MIB management information base. N: NBMA non broadcast multiaccess; NIC network information center; NMS network management system; NVRAM nonvolatile RAM. O: OSPF open shortest path first. P: PIM protocol independent multicast; PIM...