H3C S5120-EI Series Operation Manual

Manual is about: Ethernet switches

Summary of S5120-EI Series

  • Page 1

    H3C S5120-EI Series Ethernet Switches Operation Manual. Hangzhou H3C Technologies Co., Ltd. Manual version: 6W101-20100305. Product version: Release 2202.

  • Page 2

    Copyright © 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors. H3C Technologies Co., Ltd., a subsidiary of 3Com Corporation. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologie...

  • Page 3: About This Manual

    About this manual. Organization: the H3C S5120-EI Series Ethernet Switches Operation Manual is organized as follows (volume / features). 00-Product Overview: product overview, acronyms. 01-Access Volume: Ethernet port, link aggregation, port isolation, MSTP, LLDP, VLAN, GVRP, QinQ, BPDU tunneling, mirroring. IP addressing ...

  • Page 5

    Related documentation: in addition to this manual, each H3C S5120-EI series Ethernet switch documentation set includes the following (manual / description). H3C S5120-EI Series Ethernet Switches Installation Manual: introduces the installation procedure, commissioning, maintenance and monitoring of the...

  • Page 6

    Implementation services are offered to fill resource gaps and ensure the success of your networking projects. More information on 3Com maintenance and professional services is available at http://www.H3cnetworks.Com . Contact your authorized reseller or 3Com for a complete list of the value-added se...

  • Page 7: Table of Contents

    Table of contents: 1 Obtaining the documentation (1-1); H3C website ...

  • Page 8: Obtaining The Documentation

    1 Obtaining the documentation. H3C Technologies Co., Ltd. provides two ways for you to obtain documentation, through which you can obtain the product documentation and the documentation for newly added features. The documentation is available in one of the following ways: H3C website; softwa...

  • Page 9: Software

    2 Correspondence between documentation and software. Manual list (manual name / corresponding product): H3C S5120-EI Series Ethernet Switches Installation Manual; H3C S5120-EI Series Ethernet Switches Quick Start; H3C S5120-EI Series Ethernet Switches Compliance and Safety Manual; H3C S5120-EI Series Eth...

  • Page 10: Product Features

    3 Product features. Introduction to product: H3C S5120-EI series Ethernet switches are Gigabit Ethernet switching products developed by Hangzhou H3C Technologies Co., Ltd. The S5120-EI series switches have abundant service features. They are designed as distribution and access devices for intranet...

  • Page 11

    Volume / features. 08-System Volume: login, basic system configuration, device management, file system management, HTTP, SNMP, RMON, MAC address table, system maintaining and debugging, information center, PoE, hotfix, NQA, NTP, cluster management, IRF, automatic configuration.

  • Page 12: Features

    4 Features. The following sections provide an overview of the main features of each module supported by the S5120-EI series. Access volume: Table 4-1 Features in the access volume (features / description). Ethernet port: this document describes combo port configuration, basic Ethernet interface configur...

  • Page 13

    Features / description. LLDP: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: introduction to LLDP, perfor...

  • Page 14: Ip Services Volume

    IP services volume: Table 4-2 Features in the IP services volume (features / description). IP address: an IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. This document describes: introduction to IP addresses, IP address configuration. ARP ...

  • Page 15: Ip Routing Volume

    Features / description. Dual stack: a network node that supports both IPv4 and IPv6 is called a dual stack node. A dual stack node configured with an IPv4 address and an IPv6 address can have both IPv4 and IPv6 packets transmitted. This document describes: dual stack overview, dual stack configur...

  • Page 16: Qos Volume

    Features / description. MLD snooping: Multicast Listener Discovery snooping (MLD snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups. This document describes: configuring basic functions of MLD snooping, configuring MLD sn...

  • Page 17

    Features / description. HABP: on an HABP-capable switch, HABP packets can bypass 802.1X authentication and MAC authentication, allowing communication among switches in a cluster. This document describes: introduction to HABP, HABP configuration. MAC authentication: MAC authentication provides a way...

  • Page 18: High Availability Volume

    Features / description. ARP attack protection: currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This document describes: configuring ARP defense against IP packet attacks, configuring ARP packet rate limi...

  • Page 19: System Volume

    Features / description. Ethernet OAM: Ethernet OAM is a tool for monitoring Layer 2 link status. It helps network administrators manage their networks effectively. This document describes: Ethernet OAM overview, configuring basic Ethernet OAM functions, configuring link monitoring, enabling OAM loo...

  • Page 20

    Features / description. Device management: through the device management function, you can view the current condition of your device and configure running parameters. This document describes: device management overview, configuring the exception handling method, rebooting a device, configuring ...

  • Page 21

    Features / description. Information center: as the system information hub, the information center classifies and manages all types of system information. This document describes: information center overview, setting to output system information to the console, setting to output system information t...

  • Page 22

    Features / description. Cluster management: a cluster is a group of network devices. Cluster management implements the management of large numbers of distributed network devices. This document describes: cluster management overview, configuring the management device, configuring the member dev...

  • Page 23: Appendix A  Acronyms

    Appendix A Acronyms (index: # A B C D E F G H I K L M N O P Q R S T U V W X Z). Acronym / full spelling: 10GE, Ten-GigabitEthernet; AAA, authentication, authorization and accounting; ABC, activity based costing; ABR, area border router; AC, alternating current; ACK, acknowledgement; ACL, access control...

  • Page 24

    Acronym / full spelling: BGP, Border Gateway Protocol; BIMS, Branch Intelligent Management System; BOOTP, Bootstrap Protocol; BPDU, bridge protocol data unit; BRI, basic rate interface; BSR, bootstrap router; BT, BitTorrent; BT, burst tolerance; CA, call appearance; CA, certificate authority; CAR, committed a...

  • Page 25

    Acronym / full spelling: CV, connectivity verification; DAR, deeper application recognition; DCE, data circuit-terminal equipment; DD, database description; DDN, digital data network; DHCP, Dynamic Host Configuration Protocol; DIS, designated IS; DLCI, data link connection identifier; DLDP, Device Link De...

  • Page 26

    Acronym / full spelling: FDI, forward defect indication; FEC, forwarding equivalence class; FFD, fast failure detection; FG, forwarding group; FIB, forwarding information base; FIFO, first in first out; FQDN, fully qualified domain name; FR, frame relay; FRR, fast reroute; FRTT, fairness round trip time; FT, functional...

  • Page 27

    Acronym / full spelling: IBM, International Business Machines; ICMP, Internet Control Message Protocol; ICMPv6, Internet Control Message Protocol for IPv6; ID, identification/identity; IEEE, Institute of Electrical and Electronics Engineers; IETF, Internet Engineering Task Force; IGMP, Internet Group Managemen...

  • Page 28

    Acronym / full spelling: LACP, Link Aggregation Control Protocol; LACPDU, Link Aggregation Control Protocol data unit; LAN, local area network; LCP, Link Control Protocol; LDAP, Lightweight Directory Access Protocol; LDP, Label Distribution Protocol; LER, label edge router; LFIB, label forwarding information bas...

  • Page 29

    Acronym / full spelling: MLD, Multicast Listener Discovery protocol; MLD snooping, Multicast Listener Discovery snooping; MMC, meet-me conference; modem, modulator-demodulator; MP, multilink PPP; MP-BGP, multiprotocol extensions for BGP-4; MPE, middle-level PE; MP-group, multilink point to point protocol group; M...

  • Page 30

    Acronym / full spelling: NMS, network management station; NPDU, network protocol data unit; NPE, network provider edge; NQA, network quality analyzer; NSAP, network service access point; NSC, NetStream collector; N-SEL, NSAP selector; NSSA, not-so-stubby area; NTDP, Neighbor Topology Discovery Protocol; NTP, Network...

  • Page 31

    Acronym / full spelling: PoE, Power over Ethernet; POP, point of presence; POS, packet over SDH; PPP, Point-to-Point Protocol; PPTP, Point to Point Tunneling Protocol; PPVPN, provider-provisioned virtual private network; PQ, priority queuing; PRC, primary reference clock; PRI, primary rate interface; PS, protection ...

  • Page 32

    Acronym / full spelling: RPR, resilient packet ring; RPT, rendezvous point tree; RRPP, Rapid Ring Protection Protocol; RSB, reservation state block; RSOH, regenerator section overhead; RSTP, Rapid Spanning Tree Protocol; RSVP, Resource Reservation Protocol; RTCP, Real-time Transport Control Protocol; RTE, route t...

  • Page 33

    Acronym / full spelling: SPF, shortest path first; SPT, shortest path tree; SSH, Secure Shell; SSM, synchronization status marker; SSM, source-specific multicast; ST, shared tree; STM-1, SDH transport module-1; STM-16, SDH transport module-16; STM-16c, SDH transport module-16c; STM-4c, SDH transport module-4c; S...

  • Page 34

    Acronym / full spelling: VBR, variable bit rate; VCI, virtual channel identifier; VE, virtual Ethernet; VFS, virtual file system; VLAN, virtual local area network; VLL, virtual leased lines; VOD, video on demand; VoIP, voice over IP; VOS, virtual operate system; VPDN, virtual private dial-up network; VPDN, v...

  • Page 35: Access Volume Organization

    Access volume organization. Manual version 6W101-20100305, product version Release 2202. Organization: the access volume is organized as follows (features / description). Ethernet port: this document describes combo port configuration, basic Ethernet interface configuration, configuring flow control on ...

  • Page 36

    Features / description. MSTP: MSTP is used to eliminate loops in a LAN. It is compatible with STP and RSTP. This document describes: introduction to STP/RSTP/MSTP, configuring MSTP. LLDP: LLDP enables a device to maintain and manage its own and its immediate neighbor's device information, based on whic...

  • Page 37

    Features / description. Mirroring: port mirroring copies packets passing through a port to another port connected with a monitoring device for packet analysis, to help implement network monitoring and troubleshooting. Traffic mirroring is implemented by a QoS policy, which defines certain match criteria ...

  • Page 38: Table of Contents

    Table of contents: 1 Ethernet port configuration (1-1); Ethernet port configuration ...

  • Page 39: Ethernet Port Configuration

    1 Ethernet port configuration. GE and 10GE ports on the S5120-EI series Ethernet switches are numbered in the following format: interface-type A/B/C. A: number of a member device in an IRF. If no IRF is formed, this value is 1. B: slot number on the device. A valu...

  • Page 40

    In case of a combo port, only one port (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa. Basic Ethernet port configuration. Configuring an Ethernet port: three types of...

  • Page 41

    10-Gigabit Ethernet ports do not support the duplex command or the speed command. Configuring an auto-negotiation transmission rate: usually, the transmission rate on an Ethernet port is determined through negotiation with the peer end, which can be any rate within the capacity range. With auto-n...

  • Page 42

    This function is available for auto-negotiation-capable Gigabit Layer 2 Ethernet electrical ports only. If you repeatedly use the speed and the speed auto commands to configure the transmission rate on a port, only the latest configuration takes effect. Configuring flow control on an Etherne...

  • Page 43

    Configuring loopback testing on an Ethernet port: you can enable loopback testing to check whether the Ethernet port functions properly. Note that no data packets can be forwarded during the testing. Loopback testing falls into the following two categories: internal loopback testing, which is p...

  • Page 44

    To do… / use the command… / remarks. Add Ethernet ports to the manual port group: group-member interface-list (required). Configuring storm suppression: you can use the following commands to suppress the broadcast, multicast, and unknown unicast traffic. In port configuration mode, the suppression ratio i...

  • Page 45

    If you set storm suppression ratios in Ethernet port view or port group view repeatedly for an Ethernet port that belongs to a port group, only the latest settings take effect. Setting the interval for collecting Ethernet port statistics: you can use the reset counters interface command to clear ...

  • Page 46

    Enabling loopback detection on an Ethernet port: if a port receives a packet that it sent out, a loop occurs. Loops may cause broadcast storms. The purpose of loopback detection is to detect loops on a port. When loopback detection is enabled on an Ethernet port, the device periodically checks wh...

  • Page 47

    10-Gigabit Ethernet ports and optical ports of SFP ports do not support this function. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port on a device can operate in one of th...

  • Page 48

    10-Gigabit Ethernet ports and optical ports of SFP ports do not support this feature. A link in the up state goes down and then up automatically if you perform the operation described in this section on one of the Ethernet ports forming the link. Follow these steps to test the current opera...

  • Page 49

    To do… / use the command… / remarks. Set the interval for generating traffic statistics: storm-constrain interval seconds (optional; 10 seconds by default). Enter Ethernet port view: interface interface-type interface-number. Enable the storm constrain function and set the lower threshold and the upper t...

  • Page 51: Table of Contents

    Table of contents: 1 Ethernet link aggregation configuration (1-1); overview ...

  • Page 52: Overview

    1 Ethernet link aggregation configuration. When configuring Ethernet link aggregation, go to these sections for information you are interested in: overview; Ethernet link aggregation configuration task list; configuring an aggregation group; configuring an aggregate interface; configuring l...

  • Page 53

    ...interfaces. When an aggregate interface is created, an aggregation group of the same type and numbered the same is created automatically. For example, when you create interface Bridge-Aggregation 1, Layer 2 aggregation group 1 is created. To a Layer 2 aggregation group, you can assign only Layer...

  • Page 54

    Class-two configurations made on an aggregate interface are automatically synchronized to all its member ports. These configurations are retained on the member ports even after the aggregate interface is removed. Any class-two configuration change may affect the aggregation state of link agg...

  • Page 55

    For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see IRF configuration in the System Volume. 2) LACP priorities: there are two types of LACP priorities, system LACP priority and port LACP priority, as described in Table 1-3. Table 1-3 LACP priorities (type ...

  • Page 56

    ...aggregation group, while a link aggregation group operating in dynamic mode is called a dynamic link aggregation group. Table 1-4 compares the two aggregation modes. Table 1-4 A comparison between static and dynamic aggregation modes (aggregation mode / LACP status on member ports / pros / cons). Static ...

  • Page 57

    Figure 1-2 Set the aggregation state of a member port in a static aggregation group. Because any port attribute or class-two configuration change on a member port may cause the aggregation state of the port and other member ports to change and thus affect services, you are recommended to do tha...

  • Page 58

    Selecting a reference port: the local system (the actor) negotiates with the remote system (the partner) to select a reference port as follows. 1) Compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lowe...

  • Page 59

    Because any port attribute or class-two configuration change on a member port may cause the aggregation state of the port and other member ports to change and thus affect services, you are recommended to do that with caution. In a dynamic aggregation group, when the aggregation state of a lo...

  • Page 60

    Port type / reference. Stack ports: IRF configuration in the System Volume. MAC address authentication-enabled ports: MAC authentication configuration in the Security Volume. Port security-enabled ports: port security configuration in the Security Volume. IP source guard-enabled ports: IP source guard con...

  • Page 61

    To guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port. Follow these steps to configure a dynamic aggregation group: to do... / use the com...

  • Page 62

    Configuring the description of an aggregate interface: you can configure the description of an aggregate interface for administration purposes, such as describing the purpose of the interface. Follow these steps to configure the description of an aggregate interface: to do... / use the command... / r...

  • Page 63

    To do... / use the command... / remarks. Enter system view: system-view. Enter aggregate interface view: interface bridge-aggregation interface-number. Shut down the aggregate interface: shutdown (required; by default, aggregate interfaces are up). Configuring load sharing for link aggregation groups co...

  • Page 64

    Currently, when you configure the global link-aggregation load sharing criterion or criteria, the switch supports the following criteria: use a source IP address alone; use a destination IP address alone; use a source MAC address alone; use a destination MAC address alone; combine a s...

  • Page 65

    Displaying and maintaining Ethernet link aggregation: to do... / use the command... / remarks. Display the local system ID: display lacp system-id (available in any view). Display the global or group-specific link-aggregation load sharing criteria: display link-aggregation load-sharing mode [ interface [ ...

  • Page 66

    Figure 1-4 Network diagram for static aggregation. Configuration procedure: 1) Configure Device A. # Create VLAN 10, and assign port GigabitEthernet 1/0/4 to VLAN 10. system-view [DeviceA] vlan 10 [DeviceA-vlan10] port gigabitethernet 1/0/4 [DeviceA-vlan10] quit # Create VLAN 20, and assign port gi...

  • Page 67

    [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] port link-type trunk [DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20 Please wait... Done. Configuring GigabitEthernet1/0/1... Done. Configuring GigabitEthernet1/0/2... Done. Configuring GigabitEthernet1/0/3... Don...

  • Page 68

    Configure a Layer 2 dynamic link aggregation group on Device A and Device B respectively, enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end. Enable traffic to be load-shared acros...

  • Page 69

    # Configure Layer 2 aggregate interface 1 as a trunk port and assign it to VLANs 10 and 20. This configuration automatically propagates to all the member ports in link aggregation group 1. [DeviceA] interface bridge-aggregation 1 [DeviceA-Bridge-Aggregation1] port link-type trunk [DeviceA-Bridg...

  • Page 70

    Aggregation load sharing configuration example. Network requirements, as shown in Figure 1-6: Device A and Device B are connected by their Layer 2 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4. Configure two Layer 2 static link aggregation groups (1 and 2) on Device ...

  • Page 71

    [DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/1] quit [DeviceA] interface gigabitethernet 1/0/2 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1 [DeviceA-GigabitEthernet1/0/2] quit # Configure Layer 2 aggregate interface 1 as a trunk port a...

  • Page 72

    Configuring GigabitEthernet1/0/4... Done. [DeviceA-Bridge-Aggregation2] quit 2) Configure Device B: configure Device B as you configure Device A. 3) Verify the configurations. # Display the summary information about all aggregation groups on Device A. [DeviceA] display link-aggregation summary ag...

  • Page 73: Table of Contents

    Table of contents: 1 Port isolation configuration (1-1); introduction to port isolation ...

  • Page 74: Port Isolation Configuration

    1 Port isolation configuration. When configuring port isolation, go to these sections for information you are interested in: introduction to port isolation; configuring the isolation group; displaying and maintaining isolation groups; port isolation configuration example. Introduction to port...

  • Page 75

    Displaying and maintaining isolation groups: to do… / use the command… / remarks. Display the isolation group information: display port-isolate group (available in any view). Port isolation configuration example. Network requirements: users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1...

  • Page 76

    Uplink port support: NO. Group ID: 1. Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3.

  • Page 77: Table of Contents

    Table of contents: 1 MSTP configuration (1-1); overview ...

  • Page 78: Mstp Configuration

    1 MSTP configuration. When configuring MSTP, go to these sections for information you are interested in: overview; introduction to STP; introduction to RSTP; introduction to MSTP; MSTP configuration task list; configuring MSTP; displaying and maintaining MSTP; MSTP configuration example ...

  • Page 79

    Topology change notification (TCN) BPDUs, used for notifying the concerned devices of network topology changes, if any. Basic concepts in STP. Root bridge: a tree network must have a root; hence the concept of root bridge was introduced in STP. There is one and only one root bridge in the entire...

  • Page 80

    Figure 1-1 A schematic diagram of designated bridges and designated ports. All the ports on the root bridge are designated ports. Path cost: path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively robust links and blocks redundant links, and...

  • Page 81

    For simplicity, the descriptions and examples below involve only four fields of configuration BPDUs: root bridge ID (represented by device priority); root path cost (related to the rate of the link connecting the port); designated bridge ID (represented by device priority); designated port ...

  • Page 82

    Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Selecti...

  • Page 83

    Figure 1-2 Network diagram for the STP algorithm (figure labels: Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, ports CP1 and CP2; link path costs 5, 10 and 4). Initial state of each device: Table 1-4 shows the initial state of each device. Table 1-4 Initial state of each device (device / port name / BPDU...

  • Page 84

    Device / comparison process / BPDU of port after comparison. Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. ...

  • Page 85

    Device / comparison process / BPDU of port after comparison. After comparison: because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus path cost corresponding to C...

  • Page 86: Introduction to Rstp

    If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. In this case, the device will generate a configuration BPDU with itself as the root and send out the BPDUs and TCN BPDUs. This t...

  • Page 87: Introduction to Mstp

    Introduction to MSTP. Why MSTP: weaknesses of STP and RSTP. STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge ...

  • Page 88

    Basic concepts in MSTP. Figure 1-4 Basic concepts in MSTP (figure labels: CST; region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; region B0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; region C0: VLAN 1 mapped to instance 1, VLAN 2 and...

  • Page 89

    VLAN-to-instance mapping table: as an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 1-4, for example, the VLAN-to-instance mapping table of region A0 is as follows: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI...

  • Page 90

    During MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Roles of ports: MSTP calculation involves these port roles: root port, designated port, master port, alte...

  • Page 91

    Port states: in MSTP, port states fall into the following three. Forwarding: the port learns MAC addresses and forwards user traffic. Learning: the port learns MAC addresses but does not forward user traffic. Discarding: the port neither learns MAC addresses nor forwards user traffic. When...

  • Page 92: Mstp Configuration Task List

    Within an MST region, the packet is forwarded along the corresponding MSTI. Between two MST regions, the packet is forwarded along the CST. Implementation of MSTP on devices: MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and use...

  • Page 93

    Task / remarks: enabling the MSTP feature (required); configuring an MST region (required); configuring the work mode of an MSTP device (optional); configuring the timeout factor (optional); configuring the maximum port rate (optional); configuring ports as edge ports (optional); configuring path costs of ports (opt...

  • Page 94: Configuring Mstp

    Configuring MSTP. Configuring an MST region: make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an MST region: to do... / use the command... / remarks. Enter system view: system-view. Enter MST region view: stp region-configuration. C...

  • Page 95

    Configuring the root bridge or a secondary root bridge: MSTP can determine the root bridge of a spanning tree through MSTP calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system. Note that: a device...

  • Page 96

    After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, ref...

  • Page 97

    After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address will be selected as the root bridge of the span...

  • Page 98

    Based on the network diameter you configured, MSTP automatically sets an optimal hello time, forward delay, and max age for the device. The configured network diameter is effective for the CIST only, and not for MSTIs. Each MST region is considered as a device. The network diameter must b...

  • Page 99

    To do... / use the command... / remarks. Configure the max age timer: stp timer max-age time (optional; 2,000 centiseconds (20 seconds) by default). The length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer...

  • Page 100

    To do... / use the command... / remarks. Enter system view: system-view. Configure the timeout factor of the device: stp timer-factor factor (required; 3 by default). Configuring the maximum port rate: the maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello tim...

  • Page 101

    To do... / use the command... / remarks. Enter interface view or port group view: enter Ethernet interface view or Layer 2 aggregate interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name (required; use either command). Configure the current por...

  • Page 102

    1-25 Table 1-7 Link speed vs. path cost
    Link speed | Duplex state | 802.1D-1998 | 802.1T | Private standard
    0 | — | 65535 | 200,000,000 | 200,000
    10 Mbps | Single port | 100 | 2,000,000 | 2,000
    10 Mbps | Aggregate link, 2 ports | 100 | 1,000,000 | 1,800
    10 Mbps | Aggregate link, 3 ports | 100 | 666,666 | 1,600
    10 Mbps | Aggregate link, 4 ports | 100 | 500,000 | 1,400
    100 M...

  • Page 103

    1-26
    - If you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid.
    - When the path cost of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition. If you use 0...

  • Page 104

    1-27
    - When the priority of a port is changed, MSTP will re-calculate the role of the port and initiate a state transition.
    - Generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends...

  • Page 105

    1-28
    - dot1s: 802.1s-compliant standard format, and
    - legacy: compatible format
    By default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format....

  • Page 107

    1-30 by then, you can perform an mcheck operation to force the port to migrate to the mstp (or rstp) mode. You can perform mcheck on a port through the following two approaches, which lead to the same result. Performing mcheck globally follow these steps to perform global mcheck: to do... Use the co...

  • Page 108

    1-31 before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run mstp. Configuring the digest snooping feature you can enable digest snooping only on a device that is connected to a third-party device that uses its private key to calculate the conf...

  • Page 109

    1-32 digest snooping configuration example 1) network requirements z device a and device b connect to device c, a third-party device, and all these devices are in the same region. Z enable digest snooping on device a and device b so that the three devices can communicate with one another. Figure 1-6...

  • Page 110

    1-33 figure 1-7 shows the rapid state transition mechanism on mstp designated ports. Figure 1-7 rapid state transition of an mstp designated port figure 1-8 shows rapid state transition of an rstp designated port. Figure 1-8 rapid state transition of an rstp designated port root port designated port...

  • Page 111

    1-34 to do... Use the command... Remarks enter system view system-view — enter ethernet interface view, or layer 2 aggregate interface view interface interface-type interface-number enter interface or port group view enter port group view port-group manual port-group-name required use either command...

  • Page 112

    1-35 ports and start a new spanning tree calculation process. This will cause a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, network instability will occur. M...

  • Page 113

    1-36 To do... Use the command... Remarks
    Enter port group view: port-group manual port-group-name
    Enable the root guard function for the port(s): stp root-protection (required; disabled by default)
    Among loop guard, root guard and edge port settings, only one function (whichever is configured the earlies...

  • Page 114

    1-37 Enabling TC-BPDU guard. When receiving topology change (TC) BPDUs (the BPDUs used to notify topology changes), a switch flushes its forwarding address entries. If someone forges TC-BPDUs to attack the switch, the switch will receive a large number of TC-BPDUs within a short time and be busy with...

  • Page 115: Mstp Configuration Example

    1-38 To do... Use the command... Remarks
    Enter port group view: port-group manual port-group-name
    Enable BPDU dropping for the port(s): bpdu-drop any (required; disabled by default)
    Displaying and maintaining MSTP. To do... Use the command... Remarks
    View information about abnormally blocked ports: display...

  • Page 116

    1-39 Figure 1-10 Network diagram for MSTP configuration (diagram not reproduced here; the port labels it shows are GE 1/0/1 on each device). Configuration procedure 1) VLAN and VLAN member port configuration: create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and c...

  • Page 117

    1-40 system-view [deviceb] stp region-configuration [deviceb-mst-region] region-name example [deviceb-mst-region] instance 1 vlan 10 [deviceb-mst-region] instance 3 vlan 30 [deviceb-mst-region] instance 4 vlan 40 [deviceb-mst-region] revision-level 0 # activate mst region configuration. [deviceb-mst...

  • Page 118

    1-41 # activate mst region configuration. [deviced-mst-region] active region-configuration [deviced-mst-region] quit # enable mstp globally. [deviced] stp enable 6) verifying the configurations you can use the display stp brief command to display brief spanning tree information on each device after ...

  • Page 119

    1-42 3 gigabitethernet1/0/2 alte discarding none 4 gigabitethernet1/0/3 root forwarding none based on the above information, you can draw the msti corresponding to each vlan, as shown in figure 1-11 . Figure 1-11 mstis corresponding to different vlans.

  • Page 120: Table of Contents

    i Table of contents: 1 LLDP configuration 1-1; Overview ...

  • Page 121: Lldp Configuration

    1-1 1 lldp configuration when configuring lldp, go to these sections for information you are interested in: z overview z lldp configuration task list z performing basic lldp configuration z configuring cdp compatibility z configuring lldp trapping z displaying and maintaining lldp z lldp configurati...

  • Page 122

    1-2 figure 1-1 ethernet ii-encapsulated lldp frame format the fields in the frame are described in table 1-1 : table 1-1 description of the fields in an ethernet ii-encapsulated lldp frame field description destination mac address the mac address to which the lldpdu is advertised. It is fixed to 0x0...

  • Page 123

    1-3 field description source mac address the mac address of the sending port. If the port does not have a mac address, the mac address of the sending bridge is used. Type the snap type for the upper layer protocol. It is 0xaaaa-0300-0000-88cc for lldp. Data lldpdu. Fcs frame check sequence, a 32-bit...

  • Page 124

    1-4 type description remarks port description port description of the sending port. System name assigned name of the sending device. System description description of the sending device. System capabilities identifies the primary functions of the sending device and the primary functions that have be...

  • Page 125

    1-5 management. In addition, lldp-med tlvs make deploying voice devices in ethernet easier. Lldp-med tlvs are shown in table 1-6 : table 1-6 lldp-med tlvs type description lldp-med capabilities allows a med endpoint to advertise the supported lldp-med tlvs and its device type. Network policy allows ...

  • Page 126: Lldp Configuration Task List

    1-6 transmitting lldp frames an lldp-enabled port operating in txrx mode or tx mode sends lldp frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by lldp frames at times of frequent local device informati...

  • Page 127

    1-7 LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing basic LLDP configuration. Enabling LLDP: to make LLDP take effect on certain ports, you need to enabl...

  • Page 128

    1-8 setting the lldp re-initialization delay when lldp operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the lldp re-initialization delay, you can avoid frequent initializations caused by frequent lldp operating mode changes on a p...

  • Page 129

    1-9 configuring the management address and its encoding format lldp encodes management addresses in numeric or character string format in management address tlvs. By default, management addresses are encoded in numeric format. If a neighbor encoded its management address in character string format, ...

  • Page 130

    1-10 to do… use the command… remarks set the lldpdu transmit interval lldp timer tx-interval interval optional 30 seconds by default set lldpdu transmit delay lldp timer tx-delay delay optional 2 seconds by default set the number of lldp frames sent each time fast lldpdu transmission is triggered. L...

  • Page 131

    1-11 lldp-cdp (cdp is short for the cisco discovery protocol) packets use only snap encapsulation. Configuring cdp compatibility for detailed information about voice vlan, refer to vlan configuration in the access volume. You need to enable cdp compatibility for your device to work with cisco ip pho...

  • Page 132: Configuring Lldp Trapping

    1-12 to do… use the command… remarks enter ethernet interface view interface interface-type interface-number enter ethernet interface view or port group view enter port group view port-group manual port-group-name required use either command. Configure cdp-compatible lldp to operate in txrx mode lld...

  • Page 134

    1-14 [switcha] interface gigabitethernet 1/0/1 [switcha-gigabitethernet1/0/1] lldp enable [switcha-gigabitethernet1/0/1] lldp admin-status rx [switcha-gigabitethernet1/0/1] quit [switcha] interface gigabitethernet 1/0/2 [switcha-gigabitethernet1/0/2] lldp enable [switcha-gigabitethernet1/0/2] lldp a...

  • Page 135

    1-15 admin status : rx_only trap flag : no roll time : 0s number of neighbors : 1 number of med neighbors : 0 number of cdp neighbors : 0 number of sent optional tlv : 0 number of received unknown tlv : 3 as the sample output shows, gigabitethernet 1/0/1 of switch a connects a med device, and gigabi...

  • Page 136

    1-16 number of sent optional tlv : 0 number of received unknown tlv : 0 as the sample output shows, gigabitethernet 1/0/2 of switch a does not connect any neighboring devices. Cdp-compatible lldp configuration example network requirements as shown in figure 1-5 : z gigabitethernet 1/0/1 and gigabite...

  • Page 137

    1-17 [switcha-gigabitethernet1/0/1] lldp admin-status txrx [switcha-gigabitethernet1/0/1] lldp compliance admin-status cdp txrx [switcha-gigabitethernet1/0/1] quit [switcha] interface gigabitethernet 1/0/2 [switcha-gigabitethernet1/0/2] lldp enable [switcha-gigabitethernet1/0/2] lldp admin-status tx...

  • Page 138: Table of Contents

    i Table of contents: 1 VLAN configuration 1-1; Introduction to VLAN ...

  • Page 140: Vlan Configuration

    1-1 1 vlan configuration when configuring vlan, go to these sections for information you are interested in: z introduction to vlan z configuring basic vlan settings z configuring basic settings of a vlan interface z port-based vlan configuration z mac-based vlan configuration z protocol-based vlan c...

  • Page 141

    1-2 2) confining broadcast traffic within individual vlans. This reduces bandwidth waste and improves network performance. 3) improving lan security. By assigning user groups to different vlans, you can isolate them at layer 2. To enable communication between vlans, routers or layer 3 switches are r...

  • Page 142

    1-3 z the ethernet ii encapsulation format is used here. Besides the ethernet ii encapsulation format, other encapsulation formats, including 802.2 llc, 802.2 snap, and 802.3 raw, are also supported by ethernet. The vlan tag fields are also added to frames encapsulated in these formats for vlan iden...

  • Page 143

    1-4
    - As the default VLAN, VLAN 1 cannot be created or removed.
    - You cannot manually create or remove VLANs reserved for special purposes.
    - Dynamic VLANs cannot be removed with the undo vlan command.
    - A VLAN with a QoS policy applied cannot be removed.
    - For isolate-user-VLANs or secondary VLANs,...

  • Page 144

    1-5 before creating a vlan interface for a vlan, create the vlan first. Port-based vlan configuration introduction to port-based vlan port-based vlans group vlan members by port. A port forwards traffic for a vlan only after it is assigned to the vlan. Port link type z you can configure the link typ...

  • Page 145

    1-6 figure 1-4 network diagram for port link type configuration default vlan by default, vlan 1 is the default vlan for all ports. You can configure the default vlan for a port as required. Use the following guidelines when configuring the default vlan on a port: z because an access port can join on...

  • Page 146

    1-7 actions (in the inbound direction) port type untagged frame tagged frame actions (in the outbound direction) access tag the frame with the default vlan tag. Z receive the frame if its vlan id is the same as the default vlan id. Z drop the frame if its vlan id is different from the default vlan i...

  • Page 147

    1-8 to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter interface view or port group view enter port group view port-group ma...

  • Page 148

    1-9 follow these steps to assign a trunk port to one or multiple vlans: to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter i...

  • Page 149

    1-10 follow these steps to assign a hybrid port to one or multiple vlans: to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number enter layer-2 aggregate interface view interface bridge-aggregation interface-number enter...

  • Page 150: Mac-Based Vlan Configuration

    1-11 mac-based vlan configuration introduction to mac-based vlan mac-based vlans group vlan members by mac address. They are mostly used in conjunction with security technologies such as 802.1x to provide secure, flexible network access for terminal devices. Mac-based vlan implementation with mac-ba...

  • Page 151

    1-12 z mac-based vlans are available only on hybrid ports. Z because mac-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation. Z with mstp enabled, if the mst instance for the corresponding vla...

  • Page 152

    1-13 protocol-based vlan configuration introduction to protocol-based vlan protocol-based vlans are only applicable on hybrid ports. In this approach, inbound packets are assigned to different vlans based on their protocol types and encapsulation formats. The protocols that can be used for vlan assi...

  • Page 153

    1-14 to do… use the command… remarks enter layer-2 aggregate interface view interface bridge-aggregation interface-number group view enter port group view port-group manual port-group-name use either command. Z in ethernet interface view, the subsequent configurations apply to the current port. Z in...

  • Page 154

    1-15 ip subnet-based vlan configuration introduction in this approach, packets are assigned to vlans based on their source ip addresses and subnet masks. A port configured with ip subnet-based vlans assigns a received untagged packet to a vlan based on the source address of the packet. This feature ...

  • Page 155: Vlan Configuration Example

    1-16 after you configure a command on a layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member port...

  • Page 156

    1-17 z gigabitethernet 1/0/1 allows packets from vlan 2, vlan 6 through vlan 50, and vlan 100 to pass through. Figure 1-5 network diagram for port-based vlan configuration configuration procedure 1) configure device a # create vlan 2, vlan 6 through vlan 50, and vlan 100. System-view [devicea] vlan ...

  • Page 157

    1-18 unknown-speed mode, unknown-duplex mode link speed type is autonegotiation, link duplex type is autonegotiation flow-control is not enabled the maximum frame length is 9216 broadcast max-ratio: 100% unicast max-ratio: 100% multicast max-ratio: 100% allow jumbo frame to pass pvid: 100 mdi type: ...

  • Page 158: Overview

    2-1 2 isolate-user-vlan configuration when configuring an isolate-user vlan, go to these sections for information you are interested in: z overview z configuring isolate-user-vlan z displaying and maintaining isolate-user-vlan z isolate-user-vlan configuration example overview an isolate-user-vlan a...

  • Page 159

    2-2 3) assign non-trunk ports to the isolate-user-vlan and ensure that at least one port takes the isolate-user-vlan as its default vlan; 4) assign non-trunk ports to each secondary vlan and ensure that at least one port in a secondary vlan takes the secondary vlan as its default vlan; 5) associate ...

  • Page 160

    2-3 displaying and maintaining isolate-user-vlan to do... Use the command... Remarks display the mapping between an isolate-user-vlan and its secondary vlan(s) display isolate-user-vlan [ isolate-user-vlan-id ] available in any view isolate-user-vlan configuration example network requirements z conn...

  • Page 161

    2-4 [deviceb] vlan 2 [deviceb-vlan2] port gigabitethernet 1/0/2 [deviceb-vlan2] quit # associate the isolate-user-vlan with the secondary vlans. [deviceb] isolate-user-vlan 5 secondary 2 to 3 2) configure device c # configure the isolate-user-vlan. System-view [devicec] vlan 6 [devicec-vlan6] isolat...

  • Page 162

    2-5 gigabitethernet 1/0/2 gigabitethernet 1/0/5 vlan id: 3 vlan type: static isolate-user-vlan type : secondary route interface: not configured description: vlan 0003 name: vlan 0003 tagged ports: none untagged ports: gigabitethernet 1/0/1 gigabitethernet 1/0/5.

  • Page 163: Voice Vlan Configuration

    3-1 3 voice vlan configuration when configuring a voice vlan, go to these sections for information you are interested in: z overview z configuring a voice vlan z displaying and maintaining voice vlan z voice vlan configuration overview as voice communication technologies grow more mature, voice devi...

  • Page 164

    3-2 number oui address vendor 7 00e0-bb00-0000 3com phone z in general, as the first 24 bits of a mac address (in binary format), an oui address is a globally unique identifier assigned to a vendor by ieee. Oui addresses mentioned in this document, however, are different from those in common sense. ...

  • Page 165

    3-3 figure 3-2 only ip phones access the network z both modes forward tagged packets according to their tags. The following tables list the required configurations on ports of different link types in order for these ports to support tagged or untagged voice traffic sent from ip phones when different...

  • Page 166

    3-4 Table 3-3 Required configurations on ports of different link types in order for the ports to support tagged voice traffic
    Port link type | Voice VLAN assignment mode | Support for untagged voice traffic | Configuration requirements
    Access | Automatic | No | —
    Access | Manual | Yes | Configure the default VLAN of the po...

  • Page 167: Configuring A Voice Vlan

    3-5 table 3-4 how a voice vlan-enable port processes packets in security/normal mode voice vlan working mode packet type packet processing mode untagged packets packets carrying the voice vlan tag if the source mac address of a packet matches an oui address configured for the device, it is forwarded...

  • Page 168

    3-6 to do... Use the command... Remarks add a recognizable oui address voice vlan mac-address oui mask oui-mask [ description text] optional by default, each voice vlan has default oui addresses configured. Refer to table 3-1 for the default oui addresses of different vendors. Enter ethernet interfa...

  • Page 169

    3-7 to do... Use the command... Remarks access port refer to assigning an access port to a vlan . Trunk port refer to assigning a trunk port to a vlan . Assign the port in manual voice vlan assignment mode to the voice vlan hybrid port refer to assigning a hybrid port to a vlan . Use one of the thre...

  • Page 170

    3-8 z device a uses voice vlan 2 to transmit voice packets for ip phone a and voice vlan 3 to transmit voice packets for ip phone b. Configure gigabitethernet 1/0/1 and gigabitethernet 1/0/2 to work in automatic voice vlan assignment mode. In addition, if one of them has not received any voice packe...

  • Page 171

    3-9 [devicea-gigabitethernet1/0/1] quit # configure gigabitethernet 1/0/2. [devicea] interface gigabitethernet 1/0/2 [devicea-gigabitethernet1/0/2] voice vlan mode auto [devicea-gigabitethernet1/0/2] port link-type hybrid [devicea-gigabitethernet1/0/2] voice vlan 3 enable [devicea-gigabitethernet1/0...

  • Page 172

    3-10 figure 3-4 network diagram for manual voice vlan assignment mode configuration configuration procedure # configure the voice vlan to operate in security mode. (optional. A voice vlan operates in security mode by default.) system-view [devicea] voice vlan security enable # add a recognizable oui...

  • Page 173

    3-11 0060-b900-0000 ffff-ff00-0000 philips/nec phone 00e0-7500-0000 ffff-ff00-0000 polycom phone 00e0-bb00-0000 ffff-ff00-0000 3com phone # display the current voice vlan state. Display voice vlan state maximum of voice vlans: 8 current voice vlans: 1 voice vlan security mode: security voice vlan ag...

  • Page 174: Table of Contents

    i Table of contents: 1 GVRP configuration 1-1; Introduction to GVRP ...

  • Page 175: Gvrp Configuration

    1-1 1 gvrp configuration the garp vlan registration protocol (gvrp) is a garp application. It functions based on the operating mechanism of garp to maintain and propagate dynamic vlan registration information for the gvrp devices on the network. When configuring gvrp, go to these sections for inform...

  • Page 176

    1-2
    - Hold timer: when a GARP application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth.
    - Join timer: a GARP participant send...

  • Page 177

    1-3 garp message format figure 1-1 garp message format figure 1-1 illustrates the garp message format. Table 1-1 describes the garp message fields. Table 1-1 description on the garp message fields field description value protocol id protocol identifier for garp 1 message one or multiple messages, ea...

  • Page 178: Gvrp Configuration Task List

    1-4 about active vlan members and through which port they can be reached. It thus ensures that all gvrp participants on a bridged lan maintain the same vlan registration information. The vlan registration information propagated by gvrp includes both manually configured local static entries and dynam...

  • Page 179: Configuring Garp Timers

    1-5 to do… use the command… remarks enter ethernet interface view or layer 2 aggregate interface view interface interface-type interface-number enter ethernet interface view, layer 2 aggregate interface view, or port-group view enter port-group view port-group manual port-group-name required perform...

  • Page 180

    1-6 to do… use the command… remarks enter ethernet or layer 2 aggregate interface view interface interface-type interface-number enter ethernet interface view, layer 2 aggregate interface view, or port-group view enter port-group view port-group manual port-group-name required perform either of the ...

  • Page 181: Gvrp Configuration Examples

    1-7 to do… use the command… remarks display the current gvrp state display gvrp state interface interface-type interface-number vlan vlan-id available in any view display statistics about gvrp display gvrp statistics [ interface interface-list ] available in any view display the global gvrp state di...

  • Page 182

    1-8 [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [deviceb-gigabitethernet1/0/1] port link-type trunk [deviceb-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on trunk port gigabitet...

  • Page 183

    1-9 [devicea-gigabitethernet1/0/1] quit # create vlan 2 (a static vlan). [devicea] vlan 2 2) configure device b # enable gvrp globally. System-view [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [de...

  • Page 184

    1-10 [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] port link-type trunk [devicea-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on gigabitethernet 1/0/1 and set the gvrp registration type to forbidden on the port. [devicea-gigabitethernet1/0/1] gvrp [device...

  • Page 185: Table of Contents

    i Table of contents: 1 QinQ configuration 1-1; Introduction to QinQ ...

  • Page 186: Qinq Configuration

    1-1 1 qinq configuration when configuring qinq, go to these sections for information you are interested in: z introduction to qinq z qinq configuration task list z configuring basic qinq z configuring selective qinq z configuring the tpid value in vlan tags z qinq configuration examples throughout t...

  • Page 187

    1-2 how qinq works the devices in the public network forward a frame only according to its outer vlan tag and learn its source mac address into the mac address table of the outer vlan. The inner vlan tag of the frame is transmitted as the payload. Figure 1-1 schematic diagram of the qinq feature net...

  • Page 188

    1-3 figure 1-2 single-tagged frame structure vs. Double-tagged ethernet frame structure the default maximum transmission unit (mtu) of an interface is 1500 bytes. The size of an outer vlan tag is 4 bytes. Therefore, you are recommended to increase the mtu of each interface on the service provider ne...

  • Page 189

    1-4 figure 1-3 vlan tag structure of an ethernet frame the device determines whether a received frame carries a svlan tag or a cvlan tag by checking the corresponding tpid value. Upon receiving a frame, the device compares the configured tpid value with the value of the tpid field in the frame. If t...

  • Page 190: Qinq Configuration Task List

    1-5 qinq configuration task list table 1-2 qinq configuration task list configuration task remarks configuring basic qinq optional configuring selective qinq configuring an outer vlan tagging policy optional configuring the tpid value in vlan tags optional z qinq requires configurations only on the ...

  • Page 191: Qinq Configuration Examples

    1-6 follow these steps to configure an outer vlan tagging policy: to do... Use the command... Remarks enter system view system-view — enter ethernet or layer-2 aggregate interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group ...

  • Page 192

    1-7 Make configuration to achieve the following:
    - Frames of VLAN 200 through VLAN 299 can be exchanged between Customer A1 and Customer A2 through VLAN 10 of the service provider network.
    - Frames of VLAN 250 through VLAN 350 can be exchanged between Customer B1 and Customer B2 through VLAN 50 of th...

  • Page 193

    1-8 [providera-gigabitethernet1/0/2] port hybrid vlan 50 untagged # enable basic qinq on gigabitethernet 1/0/2. [providera-gigabitethernet1/0/2] qinq enable [providera-gigabitethernet1/0/2] quit z configure gigabitethernet 1/0/3 # configure gigabitethernet 1/0/3 as a trunk port to permit frames of v...

  • Page 194

    1-9 comprehensive selective qinq configuration example network requirements z provider a and provider b are edge devices on the service provider network and are interconnected through trunk ports. They belong to svlan 1000 and svlan 2000 separately. Z customer a, customer b and customer c are edge d...

  • Page 195

    1-10 # tag cvlan 10 frames with svlan 1000. [providera-gigabitethernet1/0/1] qinq vid 1000 [providera-gigabitethernet1/0/1-vid-1000] raw-vlan-id inbound 10 [providera-gigabitethernet1/0/1-vid-1000] quit # tag cvlan 20 frames with svlan 2000. [providera-gigabitethernet1/0/1] qinq vid 2000 [providera-...

  • Page 196

    1-11 [providerb-gigabitethernet1/0/2] qinq vid 2000 [providerb-gigabitethernet1/0/2-vid-2000] raw-vlan-id inbound 20 # set the tpid value in the outer tag to 0x8200. [providera-gigabitethernet1/0/3] quit [providera] qinq ethernet-type 8200 3) configuration on third-party devices configure the third-...

  • Page 197: Table of Contents

    i Table of contents: 1 BPDU tunneling configuration 1-1; Introduction to BPDU tunneling ...

  • Page 198: Bpdu Tunneling Configuration

    1-1 1 bpdu tunneling configuration when configuring bpdu tunneling, go to these sections for information you are interested in: z introduction to bpdu tunneling z configuring bpdu tunneling z bpdu tunneling configuration examples introduction to bpdu tunneling as a layer 2 tunneling technology, bpdu...

  • Page 199

    1-2 3) the encapsulated layer 2 protocol packet (called bridge protocol data unit, bpdu) is forwarded to pe 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination mac address of the packet, and then sends the packet to user a network 2. D...

  • Page 200

    1-3 to allow each network to calculate an independent spanning tree with stp, bpdu tunneling was introduced. Bpdu tunneling delivers the following benefits: z bpdus can be transparently transmitted. Bpdus of the same customer network can be broadcast in a specific vlan across the service provider ne...

  • Page 201: Configuring Bpdu Tunneling

    1-4 configuring bpdu tunneling configuration prerequisites z before configuring bpdu tunneling for a protocol, enable the protocol in the customer network first. Z assign the port on which you want to enable bpdu tunneling on the pe device and the connected port on the ce device to the same vlan. Z ...

  • Page 202

    1-5 enabling bpdu tunneling for a protocol in layer 2 aggregate interface view follow these steps to enable bpdu tunneling for a protocol in layer 2 aggregate interface view: to do… use the command… remarks enter system view system-view — enter layer 2 aggregate interface view interface bridge-aggre...

  • Page 203

    1-6 It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0ccd-cdd0. Figure 1-3 Network diagram for configuring BPDU tunneling for STP c...

  • Page 204

    1-7 BPDU tunneling for PVST configuration example. Network requirements, as shown in Figure 1-4: • CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. • All ports that connect service provider devices and c...

  • Page 205

    1-8 [pe2] interface gigabitethernet 1/0/2 [pe2-gigabitethernet1/0/2] port link-type trunk [pe2-gigabitethernet1/0/2] port trunk permit vlan all # Disable STP on GigabitEthernet 1/0/2, and then enable BPDU tunneling for STP and PVST on it. [pe2-gigabitethernet1/0/2] undo stp enable [pe2-gigabitethern...

  • Page 206: Table of Contents

    i Table of Contents: 1 Port Mirroring Configuration 1-1; Introduction to Port Mirroring ...

  • Page 207: Port Mirroring Configuration

    1-1 1 Port Mirroring Configuration. When configuring port mirroring, go to these sections for information you are interested in: • Introduction to port mirroring • Configuring local port mirroring • Configuring remote port mirroring • Displaying and maintaining port mirroring • Port mirroring configu...

  • Page 208

    1-2 Figure 1-1 Local port mirroring implementation (figure labels: PC, mirroring port, monitor port, data monitoring device, how the device processes packets, traffic mirrored to the monitor port). Remote port mirroring: Remote port mirroring can mirror all packets but protocol packets. Remote port mirroring is ...

  • Page 209

    1-3 • Destination device: The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the r...

  • Page 210

    1-4 • A local port mirroring group takes effect only after its mirroring and monitor ports are configured. • To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. • A port mirroring group can have multiple mirroring ports, but only one monitor port. • A mirroring ...

  • Page 212

    1-6 • To remove the VLAN configured as a remote probe VLAN, you must first remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group. • It is recommended that you use a remote probe VLAN exclusively for the ...

  • Page 213

    1-7 When configuring the monitor port, use the following guidelines: • The port can belong to only the current mirroring group. • Disable these functions on the port: STP, MSTP, and RSTP. • It is recommended that you use a monitor port only for port mirroring. This is to ensure that the data monitoring ...

  • Page 214

    1-8 Figure 1-3 Network diagram for local port mirroring configuration (figure labels: Switch A, Switch B, Switch C, data monitoring device, R&D department, marketing department, GE1/0/1, GE1/0/2, GE1/0/3). Configuration procedure: Configure Switch C. # Create a local port mirroring group. system-view [switchc] mirroring-group...

  • Page 215

    1-9 As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and Department 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: • Use Switch A as the source device, Switch B as the inte...

  • Page 216

    1-10 [switcha-gigabitethernet1/0/3] port link-type trunk [switcha-gigabitethernet1/0/3] port trunk permit vlan 2 2) Configure Switch B (the intermediate device). # Configure port GigabitEthernet 1/0/1 as a trunk port and configure the port to permit the packets of VLAN 2. system-view [switchb] inter...

  • Page 217: Traffic Mirroring Overview

    2-1 2 Traffic Mirroring Configuration. When configuring traffic mirroring, go to these sections for information you are interested in: • Traffic mirroring overview • Configuring traffic mirroring • Displaying and maintaining traffic mirroring • Traffic mirroring configuration examples. Traffic mirrori...

  • Page 218

    2-2 (To do… / Use the command… / Remarks) Create a behavior and enter behavior view: traffic behavior behavior-name (required; by default, no traffic behavior exists). Specify the destination interface for traffic mirroring: mirror-to interface interface-type interface-number (required; by default, traffic mirro...

  • Page 219

    2-3 (To do… / Use the command… / Remarks) Exit policy view: quit (—). Apply the QoS policy: see Applying a QoS policy (required). Applying a QoS policy: For details about applying a QoS policy, see QoS Configuration in the QoS volume. Apply a QoS policy to an interface: By applying a QoS policy to an interface, you...

  • Page 220

    2-4 For details about the qos vlan-policy command, see QoS Commands in the QoS volume. Apply a QoS policy globally: You can apply a QoS policy globally to the inbound direction of all ports. Follow these steps to apply a QoS policy globally (To do… / Use the command… / Remarks): Enter system view: system-vi...

  • Page 221

    2-5 Figure 2-1 Network diagram for configuring traffic mirroring to a port. Configuration procedure: Configure Switch: # Enter system view. system-view # Configure basic IPv4 ACL 2000 to match packets with the source IP address 192.168.0.1. [sysname] acl number 2000 [sysname-acl-basic-2000] rule permi...

  • Page 222: Manual Version

    IP Services Volume Organization. Manual version: 6W101-20100305. Product version: Release 2202. Organization: The IP Services volume is organized as follows (Features / Description): IP address: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. Thi...

  • Page 223

    (Features / Description) UDP Helper: UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes: • UDP Helper overview • UDP Helper configuration. IPv6 Basics: Internet Protocol version 6 (IPv6), also calle...

  • Page 224: Table of Contents

    i Table of Contents: 1 IP Addressing Configuration 1-1; IP Addressing Overview ...

  • Page 225: IP Addressing Configuration

    1-1 1 IP Addressing Configuration. When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in: • IP addressing overview • Configuring IP addresses • Displaying and maintaining IP addressing. IP addressing overview: This section covers these topi...

  • Page 226

    1-2 Table 1-1 IP address classes and ranges (Class / Address range / Remarks): A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packe...

  • Page 227: Configuring IP Addresses

    1-3 In the absence of subnetting, some special addresses, such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts. The same is true for subnetting. When designing your network, you should note that subnetting is somewhat of a tradeof...

  • Page 228

    1-4 • The primary IP address you assign to the interface overwrites the old one if there is any. • You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured. • The primary and secondary IP addresses you assign to the interface can be located on the same network ...

  • Page 229

    1-5 ping 172.16.1.2 ping 172.16.1.2: 56 data bytes, press ctrl_c to break reply from 172.16.1.2: bytes=56 sequence=1 ttl=255 time=25 ms reply from 172.16.1.2: bytes=56 sequence=2 ttl=255 time=27 ms reply from 172.16.1.2: bytes=56 sequence=3 ttl=255 time=26 ms reply from 172.16.1.2: bytes=56 sequence...

  • Page 230: Table of Contents

    i Table of Contents: 1 ARP Configuration 1-1; ARP Overview ...

  • Page 231: ARP Configuration

    1-1 This document is organized as follows: • ARP configuration • Proxy ARP configuration. 1 ARP Configuration. When configuring ARP, go to these sections for information you are interested in: • ARP overview • Configuring ARP • Configuring gratuitous ARP • Displaying and maintaining ARP. Support for co...

  • Page 232

    1-2 ARP message format. Figure 1-1 ARP message format. The following explains the fields in Figure 1-1. • Hardware type: This field specifies the hardware address type. The value "1" represents Ethernet. • Protocol type: This field specifies the type of the protocol address to be mapped. The hexadeci...

  • Page 233

    1-3 4) After receiving the ARP reply, Host A adds the MAC address of Host B to its ARP table. Meanwhile, Host A encapsulates the IP packet and sends it out. Figure 1-2 ARP address resolution process. If Host A is not on the same subnet as Host B, Host A first sends an ARP request to the gateway. Th...

  • Page 234: Configuring ARP

    1-4 In the non-permanent static ARP entry, the device adds the interface receiving the ARP reply to the non-permanent static ARP entry. Then the entry can be used for forwarding IP packets. • Usually ARP dynamically resolves IP addresses to MAC addresses, without manual intervention. • To allow comm...

  • Page 235

    1-5 (To do… / Use the command… / Remarks) Set the maximum number of dynamic ARP entries that an interface can learn: arp max-learning-num number (optional; 256 by default). Setting the aging time for dynamic ARP entries: To keep pace with network changes, the ARP table is refreshed. Each dynamic ARP entry ...

  • Page 236

    1-6 Figure 1-3 ARP quick notify application scenario. With ARP quick notify enabled, the device updates the corresponding ARP entry immediately after the change of the mapping between a MAC address and an outbound interface to ensure nonstop data forwarding. Follow these steps to enable ARP quick not...

  • Page 237: Configuring Gratuitous ARP

    1-7 [sysname-gigabitethernet1/0/1] port access vlan 10 [sysname-gigabitethernet1/0/1] quit [sysname] interface vlan-interface 10 [sysname-vlan-interface10] arp max-learning-num 100 [sysname-vlan-interface10] quit [sysname] arp static 192.168.1.1 000f-e201-0000 10 gigabitethernet 1/0/1 configuring gr...

  • Page 239: Proxy ARP Configuration

    2-1 2 Proxy ARP Configuration. When configuring proxy ARP, go to these sections for information you are interested in: • Proxy ARP overview • Enabling proxy ARP • Displaying and maintaining proxy ARP. Proxy ARP overview: If a host sends an ARP request for the MAC address of another host that actually r...

  • Page 240: Enabling Proxy ARP

    2-2 You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is th...

  • Page 241

    2-3 (To do… / Use the command… / Remarks) Enable local proxy ARP: local-proxy-arp enable (required; disabled by default). Displaying and maintaining proxy ARP (To do… / Use the command… / Remarks): Display whether proxy ARP is enabled: display proxy-arp [ interface vlan-interface vlan-id ] (available in any view). Displ...

  • Page 242

    2-4 [switch-vlan-interface1] quit [switch] interface vlan-interface 2 [switch-vlan-interface2] ip address 192.168.20.99 255.255.255.0 [switch-vlan-interface2] proxy-arp enable [switch-vlan-interface2] quit Local proxy ARP configuration example in case of port isolation. Network requirements: • Host A ...

  • Page 243

    2-5 # Configure an IP address of VLAN-interface 2. system-view [switcha] vlan 2 [switcha-vlan2] port gigabitethernet 1/0/2 [switcha-vlan2] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Host B is unsuccessfu...

  • Page 244

    2-6 [switchb-vlan2] port gigabitethernet 1/0/2 [switchb-vlan2] quit [switchb] vlan 3 [switchb-vlan3] port gigabitethernet 1/0/3 [switchb-vlan3] quit [switchb] vlan 5 [switchb-vlan5] port gigabitethernet 1/0/1 [switchb-vlan5] isolate-user-vlan enable [switchb-vlan5] quit [switchb] isolate-user-vlan 5...

  • Page 245: Table of Contents

    i Table of Contents: 1 DHCP Overview 1-1; Introduction to DHCP ...

  • Page 246

    ii Prerequisites 4-5; Configuring DHCP Snooping to Support Option 82 4-5; Displaying and Maintainin...

  • Page 247: DHCP Overview

    1-1 This document is organized as follows: • DHCP overview • DHCP relay agent configuration • DHCP client configuration • DHCP snooping configuration • BOOTP client configuration. 1 DHCP Overview. Support for enabling the DHCP relay agent to periodically refresh dynamic client entries is newly added i...

  • Page 248: DHCP Address Allocation

    1-2 A DHCP client can get an IP address and other configuration parameters from a DHCP server on another subnet via a DHCP relay agent. For information about the DHCP relay agent, refer to Introduction to DHCP relay agent. DHCP address allocation. Allocation mechanisms: DHCP supports three mechanisms...

  • Page 249: DHCP Message Format

    1-3 • After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE me...

  • Page 250: DHCP Options

    1-4 • secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0. • flags: The leftmost bit is defined as the broadcast (B) flag. If this flag is set to 0, the DHCP server sent a reply back...

  • Page 251

    1-5 • Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table. • Option 33: Static route option. It specifies a list of classful static routes (the d...

  • Page 252

    1-6 Figure 1-6 Format of the value field of the ACS parameter sub-option. • The value field of the service provider identifier sub-option contains the service provider identifier. • Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE se...

  • Page 253

    1-7 Figure 1-8 Sub-option 1 in normal padding format. • Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that...

  • Page 254: Protocols and Standards

    1-8 • Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads. • Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreacha...

  • Page 255

    2-1 2 DHCP Relay Agent Configuration. When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP relay agent • DHCP relay agent configuration task list • Configuring the DHCP relay agent • Displaying and maintaining DHCP relay agent confi...

  • Page 256

    2-2 Figure 2-1 DHCP relay agent application (figure labels: IP network, DHCP server, DHCP relay agent, DHCP clients). No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP address allocation process)...

  • Page 257

    2-3 (If a client's requesting message has… / Handling strategy / Padding format / The DHCP relay agent will…) Drop / Random: drop the message. Keep / Random: forward the message without changing Option 82. Normal: forward the message after replacing the original Option 82 with the Option 82 padded in normal format...

  • Page 258

    2-4 Follow these steps to enable DHCP (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable DHCP: dhcp enable (required; disabled by default). Enabling the DHCP relay agent on an interface: With this task completed, upon receiving a DHCP request from the enabled interface, the relay age...

  • Page 259

    2-5 (To do… / Use the command… / Remarks) Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (required; by default, no interface is correlated with any DHCP server group). • You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addr...

  • Page 260

    2-6 • Before enabling IP address check on an interface, you need to enable the DHCP service and enable the DHCP relay agent on the interface; otherwise, the IP address check configuration is ineffective. • The dhcp relay address-check enable command only checks IP and MAC addresses of clients. • Wh...

  • Page 261

    2-7 Follow these steps to enable unauthorized DHCP server detection (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable unauthorized DHCP server detection: dhcp relay server-detect (required; disabled by default). With unauthorized DHCP server detection enabled, the device puts a...

  • Page 262

    2-8 Configuring the DHCP relay agent to support Option 82. Follow these steps to configure the DHCP relay agent to support Option 82 (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enter interface view: interface interface-type interface-number (—). Enable the relay agent to support opti...

  • Page 264

    2-10 Configuration procedure: # Specify IP addresses for the interfaces (omitted). # Enable DHCP. system-view [switcha] dhcp enable # Add DHCP server 10.1.1.1 into DHCP server group 1. [switcha] dhcp relay server-group 1 ip 10.1.1.1 # Enable the DHCP relay agent on VLAN-interface 1. [switcha] interfa...

  • Page 265

    2-11 # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations. [switcha-vlan-interface1] dhcp relay information enable [switcha-vlan-interface1] dhcp relay information strategy replace [switcha-vlan-interface1] dhcp relay information circuit-id string company0...

  • Page 266: DHCP Client Configuration

    3-1 3 DHCP Client Configuration. When configuring the DHCP client, go to these sections for information you are interested in: • Introduction to DHCP client • Enabling the DHCP client on an interface • Displaying and maintaining the DHCP client • DHCP client configuration example. • The DHCP client co...

  • Page 267

    3-2 • An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one. • After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface. • If the IP ...

  • Page 268

    3-3 system-view [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address dhcp-alloc.

  • Page 269: DHCP Snooping Configuration

    4-1 4 DHCP Snooping Configuration. When configuring DHCP snooping, go to these sections for information you are interested in: • DHCP snooping overview • Configuring DHCP snooping basic functions • Configuring DHCP snooping to support Option 82 • Displaying and maintaining DHCP snooping • DHCP snoopi...

  • Page 270

    4-2 Recording IP-to-MAC mappings of DHCP clients: DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the po...

  • Page 271

    4-3 Figure 4-2 Configure trusted ports in a cascaded network. Table 4-1 describes the roles of the ports shown in Figure 4-2. Table 4-1 Roles of ports (Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries): Switch A: GE1/0/1; GE1/0/3; GE1/0/...

  • Page 272

    4-4 (If a client's requesting message has… / Handling strategy / Padding format / The DHCP snooping device will…) Drop / Random: drop the message. Keep / Random: forward the message without changing Option 82. Normal: forward the message after replacing the original Option 82 with the Option 82 padded in normal fo...

  • Page 273

    4-5 • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. • You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate inter...

  • Page 276

    4-8 [switchb-gigabitethernet1/0/1] dhcp-snooping trust [switchb-gigabitethernet1/0/1] quit DHCP snooping Option 82 support configuration example. Network requirements: • As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B. • Configure the handling strategy for DHCP requests...

  • Page 277: BOOTP Client Configuration

    5-1 5 BOOTP Client Configuration. While configuring a BOOTP client, go to these sections for information you are interested in: • Introduction to BOOTP client • Configuring an interface to dynamically obtain an IP address through BOOTP • Displaying and maintaining BOOTP client configuration • BOOTP c...

  • Page 278: Through BOOTP

    5-2 Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server. Obtaining an IP address dynamically: A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition...

  • Page 279

    5-3 Displaying and maintaining BOOTP client configuration (To do… / Use the command… / Remarks): Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (available in any view). BOOTP client configuration example. Network requirement: As shown in Figure 5...

  • Page 280: Table of Contents

    i Table of Contents: 1 DNS Configuration 1-1; DNS Overview ...

  • Page 281: DNS Configuration

    1-1 1 DNS Configuration. When configuring DNS, go to these sections for information you are interested in: • DNS overview • Configuring the DNS client • Configuring the DNS proxy • Displaying and maintaining DNS • DNS configuration examples • Troubleshooting DNS configuration. This document only cover...

  • Page 282

    1-2 3) The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned. 4) The DNS client returns the resolution result to t...

  • Page 283

    1-3 If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host. DNS proxy. Introduction to DNS proxy: A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a d...

  • Page 284: Configuring the DNS Client

    1-4 Configuring the DNS client. Configuring static domain name resolution: Follow these steps to configure static domain name resolution (To do… / Use the command… / Remarks): Enter system view: system-view (—). Configure a mapping between a host name and IP address in the static name resolution table: ip host ...

  • Page 285: Configuring the DNS Proxy

    1-5 Configuring the DNS proxy. Follow these steps to configure the DNS proxy (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enable DNS proxy: dns proxy enable (required; disabled by default). Displaying and maintaining DNS (To do… / Use the command… / Remarks): Display the static domain name r...

  • Page 286

    1-6 56 data bytes, press ctrl_c to break reply from 10.1.1.2: bytes=56 sequence=1 ttl=128 time=1 ms reply from 10.1.1.2: bytes=56 sequence=2 ttl=128 time=4 ms reply from 10.1.1.2: bytes=56 sequence=3 ttl=128 time=3 ms reply from 10.1.1.2: bytes=56 sequence=4 ttl=128 time=2 ms reply from 10.1.1.2: by...

  • Page 287

    1-7 In Figure 1-5, right click Forward Lookup Zones, select New Zone, and then follow the instructions to create a new zone named com. Figure 1-5 Create a zone. # Create a mapping between the host name and IP address. Figure 1-6 Add a host. In Figure 1-6, right click zone com, and then select New Ho...

  • Page 288

    1-8 Figure 1-7 Add a mapping between domain name and IP address. 2) Configure the DNS client. # Enable dynamic domain name resolution. system-view [sysname] dns resolve # Specify the DNS server 2.1.1.2. [sysname] dns server 2.1.1.2 # Configure com as the name suffix. [sysname] dns domain com 3) Config...

  • Page 289

    1-9 DNS proxy configuration example. Network requirements: • Specify Switch A as the DNS server of Switch B (the DNS client). • Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. • Switch B implements domain name resolution through Switch A. Figure 1-8 Network diagram for ...

  • Page 290

    1-10 # Specify the DNS server 2.1.1.2. [switchb] dns server 2.1.1.2 4) Configuration verification. # Execute the ping host.com command on Switch B to verify that the communication between the switch and the host is normal and that the corresponding destination IP address is 3.1.1.1. [switchb] ping ho...

  • Page 291: Table of Contents

    i Table of Contents: 1 IP Performance Optimization Configuration 1-1; IP Performance Overview ...

  • Page 292: IP Performance Overview

    1-1 1 IP Performance Optimization Configuration. When optimizing IP performance, go to these sections for information you are interested in: • IP performance overview • Enabling reception and forwarding of directed broadcasts to a directly connected network • Configuring TCP optional parameters • Con...

  • Page 293

    1-2 Enabling forwarding of directed broadcasts to a directly connected network. Follow these steps to enable the device to forward directed broadcasts (To do… / Use the command… / Remarks): Enter system view: system-view (—). Enter interface view: interface interface-type interface-number (—). Enable the interface...

  • Page 294

    1-3 [switcha-vlan-interface3] quit [switcha] interface vlan-interface 2 [switcha-vlan-interface2] ip address 2.2.2.2 24 # Enable VLAN-interface 2 to forward directed broadcasts. [switcha-vlan-interface2] ip forward-broadcast • Configure Switch B # Enable Switch B to receive directed broadcasts. Syst...

  • Page 295

    1-4 Actual length of the finwait timer = (configured length of the finwait timer – 75) + configured length of the synwait timer. Configuring ICMP to send error packets: Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or ...

  • Page 296

    1-5 • If the source uses "strict source routing" to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a "source routing failure" ICMP error packet. • When forwarding a packet, if the MTU of the sending...

  • Page 297

    1-6 Displaying and maintaining IP performance optimization (To do… / Use the command… / Remarks): Display current TCP connection state: display tcp status. Display TCP connection statistics: display tcp statistics. Display UDP statistics: display udp statistics. Display statistics of IP packets: display ip statis...

  • Page 298: Table of Contents

    i Table of Contents: 1 UDP Helper Configuration 1-1; Introduction to UDP Helper ...

  • Page 299: UDP Helper Configuration

    1-1 1 UDP Helper Configuration. When configuring UDP Helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and maintaining UDP Helper • UDP Helper configuration examples. UDP Helper can currently be configured on VLAN int...

  • Page 300

    1-2 (To do… / Use the command… / Remarks) Enter interface view: interface interface-type interface-number (—). Specify the destination server to which UDP packets are to be forwarded: udp-helper server ip-address (required; no destination server is specified by default). • The UDP Helper enabled device cannot for...

  • Page 301

    1-3 Figure 1-1 Network diagram for UDP Helper configuration. Configuration procedure: The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available. # Enable UDP Helper. system-view [switcha] udp-helper enable # Enable the forwarding of broadcast packets w...

  • Page 302: Table of Contents

    i Table of Contents: 1 IPv6 Basics Configuration 1-1; IPv6 Overview ...

  • Page 303: IPv6 Basics Configuration

    1-1 1 IPv6 Basics Configuration. When configuring IPv6 basics, go to these sections for information you are interested in: • IPv6 overview • IPv6 basics configuration task list • Configuring basic IPv6 functions • Configuring IPv6 NDP • Configuring PMTU discovery • Configuring IPv6 TCP properties • C...

  • Page 304

    1-2 ...the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the Options field). Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format. Adequate address space: The source and destination IPv6 addresses are bot...

  • Page 305

    1-3 Enhanced neighbor discovery mechanism: The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of...

  • Page 306

    1-4 z anycast address: an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is nearest to the source, according to a routing protocol’s measure of dis...

  • Page 307

    1-5 multicast address ipv6 multicast addresses listed in table 1-2 are reserved for special purpose. Table 1-2 reserved ipv6 multicast addresses address application ff01::1 node-local scope all nodes multicast address ff02::1 link-local scope all nodes multicast address ff01::2 node-local scope all ...

  • Page 308

    1-6 z duplicate address detection z router/prefix discovery and address autoconfiguration z redirection table 1-3 lists the types and functions of icmpv6 messages used by the ndp. Table 1-3 types and functions of icmpv6 messages icmpv6 message number function used to acquire the link-layer address o...

  • Page 309

    1-7 2) after receiving the ns message, node b judges whether the destination address of the packet is its solicited-node multicast address. If yes, node b learns the link-layer address of node a, and then unicasts an na message containing its link-layer address. 3) node a acquires the link-layer add...

  • Page 310

    1-8 2) the router returns an ra message containing information such as prefix information option. (the router also regularly sends an ra message.) 3) the node automatically generates an ipv6 address and other information for its interface according to the address prefix and other configuration param...

  • Page 311

    1-9 1) the source host uses its mtu to send packets to the destination host. 2) if the mtu supported by a forwarding interface is smaller than the packet size, the forwarding device will discard the packet and return an icmpv6 error packet containing the interface mtu to the source host. 3) after re...

  • Page 312

    1-10 task remarks configuring icmpv6 packet sending optional configuring ipv6 dns client optional configuring basic ipv6 functions enabling ipv6 before performing ipv6-related configurations, you need to enable ipv6. Otherwise, an interface cannot forward ipv6 packets even if it has an ipv6 address ...

  • Page 313: Configuring Ipv6 Ndp

    1-11 to do... Use the command... Remarks automatically generate a link-local address for the interface ipv6 address auto link-local configure an ipv6 link-local address manually assign a link-local address for the interface ipv6 address ipv6-address link-local optional by default, after an ipv6 site...

  • Page 315

    1-13 table 1-4 parameters in an ra message and their descriptions parameters description cur hop limit when sending an ipv6 packet, a host uses the value to fill the cur hop limit field in ipv6 headers. The value is also filled into the cur hop limit field in response messages of a device. Prefix in...

  • Page 316

    1-14 to do… use the command… remarks disable the ra message suppression undo ipv6 nd ra halt required by default, ra messages are suppressed. Configure the maximum and minimum intervals for sending ra messages ipv6 nd ra interval max-interval-value min-interval-value optional by default, the maximum...

  • Page 317: Configuring Pmtu Discovery

    1-15 configuring the maximum number of attempts to send an ns message for dad an interface sends a neighbor solicitation (ns) message for duplicate address detection after acquiring an ipv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns re...

  • Page 318

    1-16 follow these steps to configure the aging time for dynamic pmtus: to do… use the command… remarks enter system view system-view — configure the aging time for dynamic pmtus ipv6 pathmtu age age-time optional 10 minutes by default. Configuring ipv6 tcp properties the ipv6 tcp properties you can ...

  • Page 320: Configuring Ipv6 Dns Client

    1-18 configuring ipv6 dns client configuring static ipv6 domain name resolution configuring static ipv6 domain name resolution is to establish the mapping between a host name and an ipv6 address. When using such applications as telnet, you can directly input a host name and the system will resolve t...

  • Page 321

    1-19 displaying and maintaining ipv6 basics configuration to do… use the command… remarks display dns suffix information display dns domain [ dynamic ] display ipv6 dynamic domain name cache information display dns ipv6 dynamic-host display ipv6 dns server information display dns ipv6 server [ dynam...

  • Page 322: Ipv6 Configuration Example

    1-20 the display dns domain command is the same as the one of ipv4 dns. For details about the commands, refer to dns commands in the ip services volume. Ipv6 configuration example network requirements z host, switch a and switch b are directly connected through ethernet ports. Add the ethernet ports...

  • Page 323

    1-21 [SwitchA-Vlan-interface1] undo ipv6 nd ra halt z Configure Switch B # Enable IPv6. system-view [SwitchB] ipv6 # Configure an aggregatable global unicast address for VLAN-interface 2. [SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ipv6 address 3001::2/64 # Configure an IPv6 stati...

  • Page 324

    1-22 inbadoptions: 0 reasmreqds: 0 reasmoks: 0 infragdrops: 0 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 47 outrequests: 89 outforwdatagrams: 48 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreates: 0 inmcastpkts: 6 inmcastnotmembers: 25747 outmcastpkts: 48 inaddrerrors...

  • Page 325

    1-23 reasmreqds: 0 reasmoks: 0 infragdrops: 0 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 159 outrequests: 1012 outforwdatagrams: 35 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreates: 0 inmcastpkts: 79 inmcastnotmembers: 65 outmcastpkts: 938 inaddrerrors: 0 indiscards...

  • Page 326

    1-24 infragtimeouts: 0 outfragfails: 0 inunknownprotos: 0 indelivers: 117 outrequests: 83 outforwdatagrams: 0 innoroutes: 0 intoobigerrors: 0 outfragoks: 0 outfragcreates: 0 inmcastpkts: 28 inmcastnotmembers: 0 outmcastpkts: 7 inaddrerrors: 0 indiscards: 0 outdiscards: 0 # ping switch a and switch b...

  • Page 327

    1-25 troubleshooting ipv6 basics configuration symptom the peer ipv6 address cannot be pinged. Solution z use the display current-configuration command in any view or the display this command in system view to verify that ipv6 is enabled. Z use the display ipv6 interface command in any view to verif...

  • Page 328: Table of Contents

    i Table of Contents: 1 Dual Stack Configuration 1-1; Dual Stack Overview ...

  • Page 329: Dual Stack Configuration

    1-1 1 dual stack configuration when configuring dual stack, go to these sections for information you are interested in: z dual stack overview z configuring dual stack dual stack overview dual stack is the most direct approach to making ipv6 nodes compatible with ipv4 nodes. The best way for an ipv6 ...

  • Page 331: Table of Contents

    i Table of Contents: 1 sFlow Configuration 1-1; sFlow Overview ...

  • Page 332: Sflow Configuration

    1-1 1 sflow configuration when configuring sflow, go to these sections for information you are interested in: z sflow overview z configuring sflow z displaying and maintaining sflow z sflow configuration example z troubleshooting sflow configuration sflow overview introduction to sflow sampled flow (...

  • Page 333: Configuring Sflow

    1-2 3) when the sflow packet buffer overflows or the one-second timer expires, the sflow agent sends sflow packets to the specified sflow collector. Configuring sflow the sflow feature enables the remote sflow collector to monitor the network and analyze sflow packet statistics. Follow these steps t...

  • Page 334: Sflow

    1-3 sflow configuration example network requirements z host a and server are connected to switch through gigabitethernet 1/0/1 and gigabitethernet 1/0/2 respectively. Z host b works as an sflow collector with ip address 3.3.3.2 and port number 6343, and is connected to switch through gigabitethernet...

  • Page 335

    1-4 collector ip:3.3.3.2 port:6343 interval(s): 30 sflow port information: interface direction rate mode status ge1/0/1 in/out 100000 random active troubleshooting sflow configuration the remote sflow collector cannot receive sflow packets symptom the remote sflow collector cannot receive sflow pack...

  • Page 336: Manual Version

    Ip routing volume organization manual version 6w101-20100305 product version release 2202 organization the ip routing volume is organized as follows: features description ip routing overview this document describes: z introduction to ip routing and routing table z routing protocol overview static ro...

  • Page 337: Table of Contents

    i Table of Contents: 1 IP Routing Overview 1-1; Routing ...

  • Page 338: Ip Routing Overview

    1-1 1 ip routing overview go to these sections for information you are interested in: z routing z routing protocol overview z displaying and maintaining a routing table the term “router” in this document refers to a router in a generic sense or a layer 3 switch. Routing routing in the internet is ac...

  • Page 339

    1-2 introduction to routing table each router maintains a local routing table. Each routing protocol also maintains a protocol routing table. Z routing table of a protocol a protocol routing table stores routes discovered by the routing protocol. A routing protocol can redistribute and advertise rou...

  • Page 340: Routing Protocol Overview

    1-3 Figure 1-1 A sample routing table (network diagram of Router A through Router H with their interface addresses; figure labels omitted) ...

  • Page 341

    1-4 routing approach priority direct 0 static 60 unknown 256 z the smaller the priority value, the higher the priority. Z the priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured. Z each static route can be configure...

  • Page 342

    1-5 to do… use the command… remarks display ipv6 routing information for an ipv6 address range display ipv6 routing-table ipv6-address1 prefix-length1 ipv6-address2 prefix-length2 [ verbose ] available in any view clear specified ipv6 routing table statistics reset ipv6 routing-table statistics prot...

  • Page 343: Table of Contents

    i Table of Contents: 1 Static Routing Configuration 1-1; Introduction ...

  • Page 344: Static Routing Configuration

    1-1 1 static routing configuration when configuring a static route, go to these sections for information you are interested in: z introduction z configuring a static route z detecting reachability of the static route’s nexthop z displaying and maintaining static routes z static route configuration e...

  • Page 345: Configuring A Static Route

    1-2 application environment of static routing before configuring a static route, you need to know the following concepts: 1) destination address and mask in the ip route-static command, an ipv4 address is in dotted decimal format and a mask can be either in dotted decimal format or in the form of ma...

  • Page 346

    1-3 z when configuring a static route, the static route does not take effect if you specify the next hop address first and then configure it as the ip address of a local interface. Z if you do not specify the preference when configuring a static route, the default preference will be used. Reconfigur...

  • Page 347

    1-4 z to configure this feature for an existing static route, simply associate the static route with a track entry. For a non-existent static route, configure it and associate it with a track entry. Z if a static route needs route recursion, the associated track entry must monitor the nexthop of the...

  • Page 348

    1-5 Configuration procedure 1) Configuring IP addresses for interfaces (omitted) 2) Configuring static routes # Configure a default route on Switch A. system-view [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2 # Configure two static routes on Switch B. system-view [SwitchB] ip route-static 1.1.2....

  • Page 349

    1-6 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 1.1.6.0/24 direct 0 0 1.1.6.1 vlan100 1.1.6.1/32 direct 0 0 127.0.0.1 inloop0 # use the ping command on host b to check reachability to host a, assuming windows xp runs on the two hosts. C:\documents and settings\...

  • Page 350: Table of Contents

    i Table of Contents: 1 IPv6 Static Routing Configuration 1-1; Introduction to IPv6 Static Routing ...

  • Page 351

    1-1 1 ipv6 static routing configuration when configuring ipv6 static routing, go to these sections for information you are interested in: z introduction to ipv6 static routing z configuring an ipv6 static route z displaying and maintaining ipv6 static routes z ipv6 static routing configuration examp...

  • Page 352

    1-2 z enabling ipv6 packet forwarding z ensuring that the neighboring nodes are ipv6 reachable configuring an ipv6 static route follow these steps to configure an ipv6 static route: to do… use the commands… remarks enter system view system-view — configure an ipv6 static route ipv6 route-static ipv6...

  • Page 353

    1-3 Figure 1-1 Network diagram for static routes. Configuration procedure 1) Configure the IPv6 addresses of all VLAN interfaces (omitted) 2) Configure IPv6 static routes. # Configure the default IPv6 static route on Switch A. system-view [SwitchA] ipv6 route-static :: 0 4::2 # Configure two IPv6 stat...

  • Page 354

    1-4 nexthop : 1::1 preference : 0 interface : vlan-interface100 cost : 0 destination : 1::1/128 protocol : direct nexthop : ::1 preference : 0 interface : inloop0 cost : 0 destination : fe80::/10 protocol : direct nexthop : :: preference : 0 interface : null0 cost : 0 # verify the connectivity with ...

  • Page 355: Manual Version

    Ip multicast volume organization manual version 6w101-20100305 product version release 2202 organization the ip multicast volume is organized as follows: features description multicast overview this document describes the main concepts in multicast: z introduction to multicast z multicast models z m...

  • Page 356: Table of Contents

    i Table of Contents: 1 Multicast Overview 1-1; Introduction to Multicast ...

  • Page 357: Multicast Overview

    1-1 1 multicast overview this manual chiefly focuses on the ip multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to ip multicast. Introduction to multicast as a technique coexisting with unicast and broadcast, the multicast technique ef...

  • Page 358

    1-2 Figure 1-1 Unicast transmission (figure labels: Source, Host A through Host E, packets for Host B, Host D and Host E, IP network). Assume that Host B, Host D and Host E need the information. A separate transmission channel needs to be established from the in...

  • Page 359

    1-3 figure 1-2 broadcast transmission assume that only host b, host d, and host e need the information. If the information is broadcast to the subnet, host a and host c also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet. Therefore, broad...

  • Page 360

    1-4 figure 1-3 multicast transmission the multicast source (source in the figure) sends only one copy of the information to a multicast group. Host b, host d and host e, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the inf...

  • Page 361: Multicast Models

    1-5 for a better understanding of the multicast concept, you can assimilate multicast transmission to the transmission of tv programs, as shown in table 1-1 . Table 1-1 an analogy between tv transmission and multicast transmission tv transmission multicast transmission a tv station transmits a tv pr...

  • Page 362: Multicast Architecture

    1-6 asm model in the asm model, any sender can send information to a multicast group as a multicast source, and numbers of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of ...

  • Page 363

    1-7 multicast addresses to allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast ip addresses must be provided. In addition, a technique must be available to map multicast ip addresses to link-layer multicast mac addresses. Ip...

  • Page 364

    1-8 address description 224.0.0.7 shared tree (st) routers 224.0.0.8 st hosts 224.0.0.9 routing information protocol version 2 (ripv2) routers 224.0.0.11 mobile agents 224.0.0.12 dynamic host configuration protocol (dhcp) server/relay agent 224.0.0.13 all protocol independent multicast (pim) routers...

  • Page 365

    1-9 bit description t z when set to 0, it indicates that this address is an ipv6 multicast address permanently-assigned by iana z when set to 1, it indicates that this address is a transient, or dynamically assigned ipv6 multicast address z scope: 4 bits, indicating the scope of the ipv6 internetwor...

  • Page 366

    1-10 figure 1-6 ipv4-to-mac address mapping the high-order four bits of a multicast ipv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a mac address, so five bits of the multicast ipv4 address are lost. As a result, 32 ...

  • Page 367

    1-11 multicast protocols z generally, we refer to ip multicast working at the network layer as layer 3 multicast and the corresponding multicast protocols as layer 3 multicast protocols, which include igmp/mld, pim/ipv6 pim, msdp, and mbgp/ipv6 mbgp; we refer to ip multicast working at the data link...

  • Page 368

    1-12 in the asm model, multicast routes come in intra-domain routes and inter-domain routes. Z an intra-domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an as so as to deliver multicast data to receivers. Among a variety of mature ...

  • Page 369

    1-13 multicast packet forwarding mechanism in a multicast model, a multicast source sends information to the host group identified by the multicast group address in the destination address field of ip multicast packets. Therefore, to deliver multicast packets to receivers located in different parts ...

  • Page 370: Table of Contents

    i Table of Contents: 1 IGMP Snooping Configuration 1-1; IGMP Snooping Overview ...

  • Page 371: Igmp Snooping Configuration

    1-1 1 igmp snooping configuration when configuring igmp snooping, go to the following sections for information you are interested in: z igmp snooping overview z igmp snooping configuration task list z displaying and maintaining igmp snooping z igmp snooping configuration examples z troubleshooting i...

  • Page 372

    1-2 z reducing layer 2 broadcast packets, thus saving network bandwidth. Z enhancing the security of multicast traffic. Z facilitating the implementation of per-host accounting. Basic concepts in igmp snooping igmp snooping related ports as shown in figure 1-2 , router a connects to the multicast so...

  • Page 373

    1-3 aging timers for dynamic ports in igmp snooping and related messages and actions table 1-1 aging timers for dynamic ports in igmp snooping and related messages and actions timer description message before expiry action after expiry dynamic router port aging timer for each dynamic router port, th...

  • Page 374

    1-4 when receiving a membership report a host sends an igmp report to the igmp querier in the following circumstances: z upon receiving an igmp query, a multicast group member host responds with an igmp report. Z when intended to join a multicast group, a host sends an igmp report to the igmp querie...

  • Page 375

    1-5 upon receiving the igmp leave message from a host, the igmp querier resolves the multicast group address in the message and sends an igmp group-specific query to that multicast group through the port that received the leave message. Upon receiving the igmp group-specific query, the switch forwar...

  • Page 376

    1-6 z configurations made in igmp snooping view are effective for all vlans, while configurations made in vlan view are effective only for ports belonging to the current vlan. For a given vlan, a configuration made in igmp snooping view is effective only if the same configuration is not made in vlan...

  • Page 377

    1-7 z igmp snooping must be enabled globally before it can be enabled in a vlan. Z when you enable igmp snooping in a specified vlan, this function takes effect for the ports in this vlan only. Configuring the version of igmp snooping by configuring an igmp snooping version, you actually configure t...

  • Page 378

    1-8 configuring aging timers for dynamic ports if the switch receives no igmp general queries or pim hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no igmp reports for a multicast group o...

  • Page 379

    1-9 follow these steps to configure static ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach configure ...

  • Page 380

    1-10 follow these steps to configure simulated joining: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach conf...

  • Page 381

    1-11 configuring fast leave processing on a port or a group of ports follow these steps to configure fast leave processing on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate...

  • Page 382

    1-12 it is meaningless to configure an igmp snooping querier in a multicast network running igmp. Although an igmp snooping querier does not take part in igmp querier elections, it may affect igmp querier elections because it sends igmp general queries with a low source ip address. Configuring igmp ...

  • Page 383

    1-13 to do... Use the command... Remarks configure the maximum response time to igmp general queries igmp-snooping max-response-time interval optional 10 seconds by default configure the igmp last-member query interval igmp-snooping last-member-query-interval interval optional 1 second by default in...

  • Page 384

    1-14 before configuring an igmp snooping policy, prepare the following data: z acl rule for multicast group filtering z the maximum number of multicast groups that can pass the ports configuring a multicast group filter on an igmp snooping–enabled switch, the configuration of a multicast group allow...

  • Page 385

    1-15 if this feature is disabled on a port, the port can be connected with both multicast sources and multicast receivers. Configuring multicast source port filtering globally follow these steps to configure multicast source port filtering globally: to do... Use the command... Remarks enter system v...

  • Page 386

    1-16 to do... Use the command... Remarks enable the function of dropping unknown multicast data igmp-snooping drop-unknown required disabled by default configuring igmp report suppression when a layer 2 device receives an igmp report from a multicast group member, the device forwards the message to ...

  • Page 387

    1-17 z when the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries persistent to that port from the igmp snooping forwarding table, and the hosts on this port need to join the multicast groups again. Z if you have configu...

  • Page 388

    1-18 configuring multicast group replacement on a port or a group of ports follow these steps to configure multicast group replacement on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/laye...

  • Page 389

    1-19 igmp snooping configuration examples configuring group policy and simulated joining network requirements z as shown in figure 1-3 , router a connects to the multicast source through gigabitethernet 1/0/2 and to switch a through gigabitethernet 1/0/1. Z igmpv2 is required on router a, igmp snoop...

  • Page 390

    1-20 [RouterA-GigabitEthernet1/0/2] pim dm [RouterA-GigabitEthernet1/0/2] quit 3) Configure Switch A # Enable IGMP snooping globally. system-view [SwitchA] igmp-snooping [SwitchA-igmp-snooping] quit # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enabl...

  • Page 391

    1-21 ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): attribute: host port host port(s):total 2 port. Ge1/0/3 (d) ( 00:03:23 ) ge1/0/4 (d) ( 00:04:10 ) mac group(s): mac group address:0100-5e01-0101 host port(s):total 2 port. Ge1/0/3 ge1/...

  • Page 392

    1-22 Network diagram: Figure 1-4 Network diagram for static port configuration (figure labels: Source 1.1.1.1/24; Router A as IGMP querier with GE1/0/1 10.1.1.1/24 and GE1/0/2 1.1.1.2/24; Switch A, Switch B and Switch C; receivers Host A, Host B and Host C; remaining port labels omitted) ...

  • Page 393

    1-23 [switcha-vlan100] quit # configure gigabitethernet 1/0/3 to be a static router port. [switcha] interface gigabitethernet 1/0/3 [switcha-gigabitethernet1/0/3] igmp-snooping static-router-port vlan 100 [switcha-gigabitethernet1/0/3] quit 4) configure switch b # enable igmp snooping globally. Syst...

  • Page 394

    1-24 vlan(id):100. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 2 port. Ge1/0/1 (d) ( 00:01:30 ) ge1/0/3 (s) ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): attribute: host port host port(s):total...

  • Page 395

    1-25 igmp snooping querier configuration network requirements z as shown in figure 1-5 , in a layer 2–only network environment, two multicast sources source 1 and source 2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively, host a and host c are receivers of multicast group...

  • Page 396

    1-26 # enable the igmp-snooping querier function in vlan 100 [switcha-vlan100] igmp-snooping querier # set the source ip address of igmp general queries and group-specific queries to 192.168.1.1 in vlan 100. [switcha-vlan100] igmp-snooping general-query source-ip 192.168.1.1 [switcha-vlan100] igmp-s...

  • Page 397

    1-27 troubleshooting igmp snooping configuration switch fails in layer 2 multicast forwarding symptom a switch fails to implement layer 2 multicast forwarding. Analysis igmp snooping is not enabled. Solution 1) enter the display current-configuration command to view the running status of igmp snoopi...

  • Page 398: Table of Contents

    i Table of Contents: 1 Multicast VLAN Configuration 1-1; Introduction to Multicast VLAN ...

  • Page 399: Multicast Vlan Configuration

    1-1 1 multicast vlan configuration when configuring multicast vlan, go to these sections for information you are interested in: z introduction to multicast vlan z multicast vlan configuration task list z configuring sub-vlan-based multicast vlan z configuring port-based multicast vlan z displaying a...

  • Page 400

    1-2 Figure 1-2 Sub-VLAN-based multicast VLAN (figure labels: Source; Router A as IGMP querier; Switch A; receivers Host A, Host B and Host C in VLAN 2, VLAN 3 and VLAN 4; multicast packets carried in VLAN 10, the multicast VLAN). After the configuration, IGMP snooping manages router ports in the multicast VLAN an...

  • Page 401

    1-3 z for information about igmp snooping, router ports, and member ports, refer to igmp snooping configuration in the ip multicast volume. Z for information about vlan tags, refer to vlan configuration in the access volume. Multicast vlan configuration task list complete the following tasks to conf...

  • Page 402

    1-4 z the vlan to be configured as a multicast vlan must exist. Z the vlans to be configured as sub-vlans of the multicast vlan must exist and must not be sub-vlans of another multicast vlan. Z the total number of sub-vlans of a multicast vlan must not exceed 63. Configuring port-based multicast vla...

  • Page 404

    1-6 configuring multicast vlan ports in port view or port group view follow these steps to configure multicast vlan ports in port view or port group view: to do… use this command… remarks enter system view system-view — configure the specified vlan as a multicast vlan and enter multicast vlan view m...

  • Page 405

    1-7 z configure the sub-vlan-based multicast vlan feature so that router a just sends multicast data to switch a through the multicast vlan and switch a forwards the traffic to the receivers that belong to different user vlans. Network diagram figure 1-4 network diagram for sub-vlan-based multicast ...

  • Page 406

    1-8 [switcha-vlan2] port gigabitethernet 1/0/2 [switcha-vlan2] quit the configuration for vlan 3 and vlan 4 is similar to the configuration for vlan 2. # create vlan 10, assign gigabitethernet 1/0/1 to this vlan and enable igmp snooping in the vlan. [switcha] vlan 10 [switcha-vlan10] port gigabiteth...

  • Page 407

    1-9 total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 0 port. Ip group(s):the following ip group(s) match to one mac group. Ip group address:224.1.1.1 (0.0.0.0, 224.1.1.1): host port(s):total 1 port. Ge1/0/3 (d) mac group(s): mac group address:0100-5e01-0101 host ...

  • Page 408

    1-10 Port-based multicast VLAN configuration. Network requirements:
    - As shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2.
    - IGMPv2 is required on Router A. IGMPv2 snooping is required on Switch A. Route...

  • Page 409

    1-11
    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    3) Configure Switch A
    # Enable IGMP snooping globally.
    system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10...

  • Page 410

    1-12
    Total 1 multicast-vlan(s)
    Multicast vlan 10
    subvlan list: no subvlan
    port list: GE1/0/2 GE1/0/3 GE1/0/4
    # View the IGMP snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
    Total 1 IP group(s).
    Total 1 IP source(s).
    Total 1 MAC group(s).
    Port flags: D-Dynamic ...

  • Page 411: Table of Contents

    I Table of contents: 1 MLD snooping configuration 1-1; MLD snooping overview ...

  • Page 412: Mld Snooping Configuration

    1-1 1 MLD snooping configuration. When configuring MLD snooping, go to these sections for information you are interested in:
    - MLD snooping overview
    - MLD snooping configuration task list
    - Displaying and maintaining MLD snooping
    - MLD snooping configuration examples
    - Troubleshooting MLD snooping
    ML...

  • Page 413

    1-2
    - Reducing Layer 2 broadcast packets, thus saving network bandwidth.
    - Enhancing the security of multicast traffic.
    - Facilitating the implementation of per-host accounting.
    Basic concepts in MLD snooping. MLD snooping related ports: As shown in Figure 1-2, Router A connects to the multicast sour...

  • Page 414

    1-3
    - Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router.
    - Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports.
    - On an MLD snooping-enabled switch, the ports that recei...

  • Page 415

    1-4 General queries: The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the...

  • Page 416

    1-5
    - If the forwarding table entry does not exist or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port.
    - If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD d...

  • Page 417

    1-6 Task / Remarks:
    - Configuring an MLD snooping policy: Configuring an IPv6 multicast group filter (optional); Configuring IPv6 multicast source port filtering (optional); Configuring MLD report suppression (optional); Configuring maximum multicast groups that can be joined on a port (optional); Configuring IPv6 mu...

  • Page 418

    1-7 To do... / Use the command... / Remarks:
    - Enter VLAN view: vlan vlan-id. —
    - Enable MLD snooping in the VLAN: mld-snooping enable. Required; disabled by default.
    Notes:
    - MLD snooping must be enabled globally before it can be enabled in a VLAN.
    - When you enable MLD snooping in a specified VLAN, this function takes ...

  • Page 419

    1-8
    - Configure the corresponding port groups.
    Before configuring MLD snooping port functions, prepare the following data:
    - Aging time of dynamic router ports,
    - Aging timer of dynamic member ports, and
    - IPv6 multicast group and IPv6 multicast source addresses.
    Configuring aging timers for dynamic p...

  • Page 420

    1-9 Follow these steps to configure static ports (To do... / Use the command... / Remarks):
    - Enter system view: system-view. —
    - Enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name. Required; use either approach.
    - Configure ...

  • Page 421

    1-10 Follow these steps to configure simulated joining (To do... / Use the command... / Remarks):
    - Enter system view: system-view. —
    - Enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name. Required; use either approach.
    - Conf...

  • Page 422

    1-11 Configuring fast leave processing on a port or a group of ports. Follow these steps to configure fast leave processing on a port or a group of ports (To do... / Use the command... / Remarks):
    - Enter system view: system-view. —
    - interface interface-type interface-number: Enter Ethernet port/Layer 2 aggregat...

  • Page 423

    1-12 To do... / Use the command... / Remarks:
    - Enter system view: system-view. —
    - Enter VLAN view: vlan vlan-id. —
    - Enable the MLD snooping querier: mld-snooping querier. Required; disabled by default.
    It is meaningless to configure an MLD snooping querier in an IPv6 multicast network running MLD. Although an MLD s...

  • Page 424

    1-13 Configuring MLD queries and responses in a VLAN. Follow these steps to configure MLD queries and responses in a VLAN (To do... / Use the command... / Remarks):
    - Enter system view: system-view. —
    - Enter VLAN view: vlan vlan-id. —
    - Configure MLD query interval: mld-snooping query-interval interval. Optional; 125 s...

  • Page 425

    1-14 Configuring an MLD snooping policy. Configuration prerequisites: Before configuring an MLD snooping policy, complete the following tasks:
    - Enable MLD snooping in the VLAN.
    Before configuring an MLD snooping policy, prepare the following data:
    - IPv6 ACL rule for IPv6 multicast group filtering
    - T...

  • Page 426

    1-15 To do... / Use the command... / Remarks:
    - Configure an IPv6 multicast group filter: mld-snooping group-policy acl6-number [ vlan vlan-list ]. Required; by default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group.
    Configuring IPv6 mul...

  • Page 427

    1-16 Configuring MLD report suppression: When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 de...

  • Page 428

    1-17
    - When the number of IPv6 multicast groups that can be joined on a port reaches the maximum number configured, the system deletes all the forwarding entries persistent to that port from the MLD snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again.
    - If ...

  • Page 429

    1-18 Configuring IPv6 multicast group replacement on a port or a group of ports. Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports (To do... / Use the command... / Remarks):
    - Enter system view: system-view. —
    - interface interface-type interface-number: Enter Ethernet...

  • Page 430

    1-19 MLD snooping configuration examples. Configuring IPv6 group policy and simulated joining. Network requirements:
    - As shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. Router A is the MLD querier on the ...

  • Page 431

    1-20
    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    3) Configure Switch A
    # Enable MLD snooping globally.
    system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and ena...

  • Page 432

    1-21
    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 2 port.
    GE1/0/3 (D) ( 00:03:23 )
    GE1/0/4 (D) ( 00:04:10 )
    MAC group(s):
    MAC group address:3333-0000-0101
    Host port(s):total 2 port.
    GE1/0/3
    GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4...

  • Page 433

    1-22 Network diagram: Figure 1-4 Network diagram for static port configuration (diagram labels: Source 1::1/64; Router A, MLD querier, GE1/0/1 2001::1/64, GE1/0/2 1::2/64; Switch A, Switch B, Switch C with ports GE1/0/1, GE1/0/2, GE1/0/3; Host A, Host B, Host C; Receiver; GE1/0/3 GE1/0/...

  • Page 434

    1-23
    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    4) Configure Switch B
    # Enable MLD snooping globally.
    system...

  • Page 435

    1-24
    Vlan(id):100.
    Total 1 IP group(s).
    Total 1 IP source(s).
    Total 1 MAC group(s).
    Router port(s):total 2 port.
    GE1/0/1 (D) ( 00:01:30 )
    GE1/0/3 (S)
    IP group(s):the following IP group(s) match to one MAC group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Attribute: Host Port
    Host port(s):total 1 po...

  • Page 436

    1-25 MLD snooping querier configuration. Network requirements:
    - As shown in Figure 1-5, in a Layer-2-only network environment, two multicast sources, Source 1 and Source 2, send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively; Host A and Host C are receivers of multicast g...

  • Page 437: Troubleshooting Mld Snooping

    1-26
    [SwitchB] ipv6
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable the MLD snooping feature in VLAN 100.
    [Sw...

  • Page 438

    1-27 Configured IPv6 multicast group policy fails to take effect. Symptom: Although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis:
    - The IPv6 ACL rule is incor...

  • Page 439: Table of Contents

    I Table of contents: 1 IPv6 multicast VLAN configuration 1-1; Introduction to IPv6 multicast VLAN ...

  • Page 440

    1-1 1 IPv6 multicast VLAN configuration. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in:
    - Introduction to IPv6 multicast VLAN
    - IPv6 multicast VLAN configuration task list
    - Configuring IPv6 sub-VLAN-based IPv6 multicast VLAN
    - Configuring port-based...

  • Page 441

    1-2 Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN (diagram labels: Source; Router A, MLD querier; VLAN 2, VLAN 3, VLAN 4; Switch A; Receiver Host A, Receiver Host B, Receiver Host C; IPv6 multicast packets; VLAN 10 (IPv6 multicast VLAN)). After the configuration, MLD snooping manages router ports in the IPv6...

  • Page 442

    1-3
    - For information about MLD snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast volume.
    - For information about VLAN tags, refer to VLAN Configuration in the Access volume.
    IPv6 multicast VLAN configuration task list: Complete the following tasks to c...

  • Page 443

    1-4 To do… / Use the command… / Remarks:
    - Configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN: subvlan vlan-list. Required; by default, an IPv6 multicast VLAN has no sub-VLANs.
    Notes:
    - The VLAN to be configured as an IPv6 multicast VLAN must exist.
    - The VLANs to be configured as the sub-VLAN...

  • Page 444

    1-5 To do... / Use the command... / Remarks:
    - Enter system view: system-view. —
    - Enter port view or port group view: interface interface-type interface-number, or port-group manual port-group-name. Required; use either approach.
    - Configure the user port link type as hybrid: port link-type hybrid. Required; access by def...

  • Page 445

    1-6 Configuring IPv6 multicast VLAN ports in interface view or port group view. Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks):
    - Enter system view: system-view. —
    - Configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6...

  • Page 446

    1-7
    - Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forwards the traffic to the receivers that belong to different user VLANs.
    Figure 1-4 Network diagram for sub-VLAN-based IPv6 multic...

  • Page 447

    1-8 The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10]...

  • Page 448

    1-9
    IP group(s):the following IP group(s) match to one MAC group.
    IP group address:FF1E::101
    (::, FF1E::101):
    Host port(s):total 1 port.
    GE1/0/3 (D)
    MAC group(s):
    MAC group address:3333-0000-0101
    Host port(s):total 1 port.
    GE1/0/3
    Vlan(id):4.
    Total 1 IP group(s).
    Total 1 IP source(s).
    Total 1 MAC gr...

  • Page 449

    1-10
    - Switch A's GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A.
    - The IPv6 multicast source sends i...

  • Page 450

    1-11
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD snooping in the VLAN.
    [SwitchA] vlan 2
    [Switch...

  • Page 451

    1-12
    Total 1 MAC group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):10.
    Total 1 IP group(s).
    Total 1 IP source(s).
    Total 1 MAC group(s).
    Router port(s):total 1 port.
    GE1/0/1 (D)
    IP group(s):the following IP group(s) match to one MAC grou...

  • Page 452: Qos Volume Organization

    QoS volume organization. Manual version: 6W101-20100305. Product version: Release 2202. Organization: The QoS volume is organized as follows (Features / Description):
    - QoS: For network traffic, the quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a n...

  • Page 453: Table of Contents

    I Table of contents: 1 QoS overview 1-1; Introduction to QoS ...

  • Page 454

    II Configuration procedure 4-6; Configuration example 4-6; Configuring th...

  • Page 455: Qos Overview

    1-1 1 QoS overview. This chapter covers the following topics:
    - Introduction to QoS
    - Introduction to QoS service models
    - QoS techniques overview
    Introduction to QoS: For network traffic, the quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. I...

  • Page 456: Qos Techniques Overview

    1-2 However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model imposes very great pressure on the storage and processing capabilities of devices. On the other hand, the IntServ model is poor in scalability, and therefor...

  • Page 457

    1-3
    - Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets.

  • Page 458: Qos Configuration Approaches

    2-1 2 QoS configuration approaches. This chapter covers the following topics:
    - QoS configuration approach overview
    - Configuring a QoS policy
    QoS configuration approach overview: Two approaches are available for you to configure QoS: policy-based and non-policy-based. Some QoS features can be configu...

  • Page 459: Configuring A Qos Policy

    2-2 Configuring a QoS policy. Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure. Defining a class: To define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class (To do… / Use the comma...

  • Page 461

    2-4
    - If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the actual logical relationship between these rules is OR when the policy is applied.
    - If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are defined in a class...

  • Page 462

    2-5 To do… / Use the command… / Remarks:
    - Enter system view: system-view. —
    - Create a policy and enter policy view: qos policy policy-name. Required.
    - Associate a class with a behavior in the policy: classifier tcl-name behavior behavior-name. Required.
    If an ACL is referenced by a QoS policy for defining traffic m...

  • Page 463

    2-6 Follow these steps to apply the QoS policy to an interface (To do… / Use the command… / Remarks):
    - Enter system view: system-view. —
    - Enter interface view or port group view: enter interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name. Use either co...

  • Page 464

    2-7
    - If a user profile is active, the QoS policy applied to it cannot be configured or removed, except for the ACLs referenced in the QoS policy. If the user profile is being used by online users, the referenced ACLs cannot be modified either.
    - The QoS policies applied in user profile view support only t...

  • Page 465

    2-8 Displaying and maintaining QoS policies (To do… / Use the command… / Remarks):
    - Display information about a class and the corresponding actions associated by a policy: display qos policy user-defined [ policy-name [ classifier classifier-name ] ]. Available in any view.
    - Display information about the policie...

  • Page 466: Priority Mapping Overview

    3-1 3 Priority mapping configuration. When configuring priority mapping, go to these sections for information you are interested in:
    - Priority mapping overview
    - Priority mapping configuration tasks
    - Configuring priority mapping
    - Displaying and maintaining priority mapping
    - Priority mapping confi...

  • Page 467

    3-2 The default priority mapping tables (as shown in Appendix B Default priority mapping tables) are available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority mapping table cannot meet your requirements, you can modify the priority mapping table as r...

  • Page 468

    3-3 Figure 3-1 Priority mapping procedure for an Ethernet packet (flowchart labels: Receive a packet on a port; Which priority is trusted on the port?; Use the port priority as the 802.1p priority for priority mapping; N; Look up the dot1p-dp and dot1p-lp mapping tables; Mark the packet with local precedence and drop prece...

  • Page 469: Configuring Priority Mapping

    3-4 Task / Remarks: Configuring a priority mapping table (optional); Configuring the priority trust mode on a port (optional); Configuring the port priority of a port (optional).
    Configuring priority mapping. Configuring a priority mapping table: Follow these steps to configure an uncolored priority mapping table...

  • Page 470

    3-5 To do… / Use the command… / Remarks:
    - Trust the port priority: undo qos trust.
    - Display the priority trust mode configuration on the port: display qos trust interface [ interface-type interface-number ]. Optional; available in any view.
    Configuring the port priority of a port: You can change the port priority...

  • Page 471

    3-6 For information about priority marking, refer to Priority Marking Configuration. Network requirements: As shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows:
    - The marketing department connects to GigabitEth...

  • Page 472

    3-7 Figure 3-2 Network diagram for priority mapping table and priority marking configuration. Configuration procedure:
    1) Configure trusting port priority
    # Set the port priority of GigabitEthernet 1/0/1 to 3.
    system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] qos prior...

  • Page 473

    3-8 3) Configure priority marking
    # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6,...

  • Page 474: Configuration

    4-1 4 Traffic policing, traffic shaping, and line rate configuration. When configuring traffic policing and line rate, go to these sections for information you are interested in:
    - Traffic policing and line rate overview
    - Configuring traffic policing
    - Configuring GTS
    - Configuring the line rate
    - D...

  • Page 475

    4-2 Evaluation is performed for each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away; if the number of tokens in the bucket is not enough, the traffic is excessive....

  • Page 476

    4-3
    - Forwarding the traffic if the evaluation result is "conforming."
    - Dropping the traffic if the evaluation result is "excess."
    - Marking a conforming packet or a non-conforming packet with a new DSCP precedence value and forwarding the packet.
    Traffic shaping: Traffic shaping provides measures t...

  • Page 477: Configuring Traffic Policing

    4-4 Line rate: The line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic control. With line rate configured on an interface, all packets to be sent through the interface are firstly handled by th...

  • Page 478

    4-5 To do… / Use the command… / Remarks:
    - Configure a traffic policing action: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [ yellow action ]. Required.
    - Exit behavior view: quit. —
    - Create a policy and ent...

  • Page 479: Configuring Gts

    4-6 Configuring GTS. Configuration procedure: On the S5120-EI series, traffic shaping is implemented as queue-based GTS, that is, configuring GTS parameters for packets of a certain queue. Follow these steps to configure queue-based GTS (To do… / Use the command… / Remarks):
    - Enter system view: system-view. — ...

  • Page 480

    4-7 To do… / Use the command… / Remarks:
    - Configure the outbound line rate for the interface/port group: qos lr outbound cir committed-information-rate [ cbs committed-burst-size ]. Required.
    - Display interface line rate configuration information: display qos lr interface [ interface-type interface-number ]. Av...

  • Page 481

    5-1 5 Congestion management configuration. When configuring hardware congestion management, go to these sections for information you are interested in:
    - Congestion management overview
    - Congestion management configuration approaches
    - Configuring congestion management
    - Displaying and maintaining co...

  • Page 482

    5-2 queuing algorithm addresses a particular network traffic problem, and which algorithm is used affects bandwidth resource assignment, delay, and jitter significantly. The S5120-EI series supports the following four queue scheduling methods:
    - Scheduling all queues with the strict priority (SP) algo...

  • Page 483

    5-3 Figure 5-3 Schematic diagram for WRR queuing. Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight valu...

  • Page 484

    5-4
    - Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole.
    Compared with FQ, WFQ takes weights into account when determining...

  • Page 485

    5-5 Task / Remarks: Configuring WFQ queuing (optional); Configuring SP+WRR queues (optional).
    Configuring congestion management. Configuring SP queuing. Configuration procedure: Follow these steps to configure SP queuing (To do… / Use the command… / Remarks):
    - Enter system view: system-view. —
    - Enter interface view: inter...

  • Page 486

    5-6 To do… / Use the command… / Remarks:
    - Enter interface view or port group view: enter interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name. Use either command; settings in interface view take effect on the current interface, settings in port grou...

  • Page 487

    5-7 To do… / Use the command… / Remarks:
    - group view: enter port group view with port-group manual port-group-name. Settings in port group view take effect on all ports in the port group.
    - Enable WFQ queuing: qos wfq. Required; by default, all the ports adopt the WRR queue scheduling algorithm, with the weight value...

  • Page 488

    5-8 To do… / Use the command… / Remarks:
    - Enter interface view or port group view: enter interface view with interface interface-type interface-number, or enter port group view with port-group manual port-group-name. Use either command; settings in interface view take effect on the current interface, settings in port grou...

  • Page 489

    5-9 Displaying and maintaining congestion management (To do… / Use the command… / Remarks):
    - Display WRR queue configuration information: display qos wrr interface [ interface-type interface-number ].
    - Display SP queue configuration information: display qos sp interface [ interface-type interface-number ].
    - Displ...

  • Page 490: Traffic Filtering Overview

    6-1 6 Traffic filtering configuration. When configuring traffic filtering, go to these sections for information you are interested in:
    - Traffic filtering overview
    - Configuring traffic filtering
    - Traffic filtering configuration example
    Traffic filtering overview: You can filter in or filter out a cl...

  • Page 491

    6-2 To do… / Use the command… / Remarks:
    - Associate the class with the traffic behavior in the QoS policy: classifier tcl-name behavior behavior-name. —
    - Exit policy view: quit. —
    - Apply the QoS policy: to an interface, see Applying the QoS policy to an interface (—); to online users, see Applying the QoS policy to online users (—); to a VLAN, apply...

  • Page 492

    6-3
    # Create a behavior named behavior_1, and configure the traffic filtering action for the behavior to drop packets.
    [DeviceA] traffic behavior behavior_1
    [DeviceA-behavior-behavior_1] filter deny
    [DeviceA-behavior-behavior_1] quit
    # Create a policy named policy, and associate class classifier_1 w...

  • Page 493: Priority Marking Overview

    7-1 7 Priority marking configuration. When configuring priority marking, go to these sections for information you are interested in:
    - Priority marking overview
    - Configuring priority marking
    - Priority marking configuration example
    Priority marking overview: Priority marking can be used together with...

  • Page 494

    7-2 To do… / Use the command… / Remarks:
    - Set the IP precedence for packets: remark ip-precedence ip-precedence-value. Optional.
    - Set the local precedence for packets: remark local-precedence local-precedence. Optional.
    - Exit behavior view: quit. —
    - Create a policy and enter policy view: qos policy policy-name. —
    - Asso...

  • Page 495

    7-3 Figure 7-1 Network diagram for priority marking configuration (diagram labels: Internet; Host A; Host B; Device; Data server 192.168.0.1/24; Mail server 192.168.0.2/24; File server 192.168.0.3/24; GE1/0/1; GE1/0/2). Configuration procedure:
    # Create advanced ACL 3000, and configure a rule to match packets with destination ...

  • Page 496

    7-4
    [Device] traffic behavior behavior_dbserver
    [Device-behavior-behavior_dbserver] remark local-precedence 4
    [Device-behavior-behavior_dbserver] quit
    # Create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior.
    [Device] traffic be...

  • Page 497: Traffic Redirecting Overview

    8-1 8 Traffic redirecting configuration. When configuring traffic redirecting, go to these sections for information you are interested in:
    - Traffic redirecting overview
    - Configuring traffic redirecting
    Traffic redirecting overview. Traffic redirecting: Traffic redirecting is the action of redirecting...

  • Page 498

    8-2 To do… / Use the command… / Remarks:
    - Globally: see Applying the QoS policy globally. —
    Notes:
    - Generally, the action of redirecting traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior.
    - You can use the display traffic behav...

  • Page 499

    9-1 9 Class-based accounting configuration. When configuring class-based accounting, go to these sections for information you are interested in:
    - Class-based accounting overview
    - Configuring class-based accounting
    - Displaying and maintaining traffic accounting
    - Class-based accounting configuratio...

  • Page 500

    9-2 Displaying and maintaining traffic accounting: After completing the configuration above, you can verify the configuration with the display qos policy interface or display qos vlan-policy command, depending on where the QoS policy is applied. Class-based accounting configuration exam...

  • Page 501

    9-3
    [DeviceA-GigabitEthernet1/0/1] quit
    # Display traffic statistics to verify the configuration.
    [DeviceA] display qos policy interface gigabitethernet 1/0/1
    Interface: GigabitEthernet1/0/1
    Direction: Inbound
    Policy: policy
    Classifier: classifier_1
    Operator: AND
    Rule(s) : If-match acl 2000
    Behavior...

  • Page 502: Appendix

    10-1 10 Appendix. This chapter covers the following appendixes:
    - Appendix A Acronym
    - Appendix B Default priority mapping tables
    - Appendix C Introduction to packet precedences
    Appendix A Acronym. Table 10-1 Appendix A acronym (Acronym / Full spelling): AF, assured forwarding; BE, best effort; CAR, committed a...

  • Page 503

    10-2 Acronym / Full spelling: PE, provider edge; PHB, per-hop behavior; PIR, peak information rate; PQ, priority queuing; QoS, quality of service; RED, random early detection; RSVP, resource reservation protocol; RTP, real time protocol; SLA, service level agreement; TE, traffic engineering; ToS, type of service; TP, traffic...

  • Page 504

    10-3 Input priority value (dot1p) | dot1p-lp mapping | dot1p-dp mapping:
    2 | 1 | 0
    3 | 3 | 0
    4 | 4 | 0
    5 | 5 | 0
    6 | 6 | 0
    7 | 7 | 0
    Table 10-3 The default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables. Input priority value (DSCP) | dscp-dp mapping: drop precedence (dp) | dscp-dot1p mapping: 802.1p priority (dot1p):
    0 to 7 | 0...

  • Page 505

    10-4 Table 10-4 Description on IP precedence. IP precedence (decimal) | IP precedence (binary) | Description:
    0 | 000 | routine
    1 | 001 | priority
    2 | 010 | immediate
    3 | 011 | flash
    4 | 100 | flash-override
    5 | 101 | critical
    6 | 110 | internet
    7 | 111 | network
    Table 10-5 Description on DSCP values. DSCP value (decimal) | DSCP value (bin...

  • Page 506

    10-5 802.1p priority: 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2. Figure 10-2 An Ethernet frame with an 802.1Q tag header. As shown in Figure 10-2, the 4-byte 802.1Q tag header consists o...

  • Page 507: Table of Contents

    Table of contents: 1 User profile configuration: User profile overview ...

  • Page 508: User Profile Configuration

    1-1 1 User profile configuration. When configuring user profiles, go to these sections for the information you are interested in: User profile overview; User profile configuration; Displaying and maintaining user profiles. User profile overview: a user profile provides a configuration template to save pred...

  • Page 509

    1-2 Creating a user profile. Configuration prerequisites: before creating a user profile, configure the authentication parameters. User profiles support 802.1X authentication; perform the related configuration (for example, username, password, authentication scheme, domain and bi...

  • Page 510

    1-3 When a user profile is active, you cannot configure or remove the QoS policy applied to it. QoS policies applied in user profile view support only the remark, CAR, and filter actions. Do not apply an empty QoS policy in user profile view: even though the system lets you do so, the user profi...

  • Page 511: Security Volume Organization

    Security volume organization. Manual version: 6W101-20100305. Product version: Release 2202. The security volume is organized as follows (feature, description): AAA: Authentication, Authorization and Accounting (AAA) provides a uniform framework for configuring these three security function...

  • Page 512

    Port security: port security is a MAC address-based mechanism for network access control. It extends the existing 802.1X authentication and MAC authentication. This document describes: enabling port security; setting the maximum number of secure MAC add...

  • Page 513: Table of Contents

    Table of contents: 1 AAA configuration: Introduction to AAA ...

  • Page 514

    (Table of contents, continued) Specifying the HWTACACS authorization servers; Specifying the HWTACACS accounting servers; Setting the shared key for HWTACACS packets...

  • Page 515: Aaa Configuration

    1-1 1 AAA configuration. When configuring AAA, go to these sections for the information you are interested in: Introduction to AAA; Introduction to RADIUS; Introduction to HWTACACS; Protocols and standards; AAA configuration task list; Configuring AAA; Configuring RADIUS; Configuring HWTACACS; ...

  • Page 516: Introduction to Radius

    1-2 ... requirements. For example, you can use an HWTACACS server for authentication and authorization and a RADIUS server for accounting. The three security functions are: Authentication: identifies remote users and decides whether a user is legitimate. Authorization: grants diff...

  • Page 517

    1-3 Figure 1-2 RADIUS server components. Users: stores user information such as usernames, passwords, applied protocols, and IP addresses. Clients: stores information about RADIUS clients, such as their shared keys and IP addresses. Dictionary: stores information about the meanings of RADIUS ...

  • Page 518

    1-4 1) The host initiates a connection request carrying the username and password to the RADIUS client. 2) Having received the username and password, the RADIUS client sends an authentication request (Access-Request) to the RADIUS server, with the user password hidden by using the Message-Digest ...

  • Page 519

    1-5 (Table 1-1 continued) Code | Packet type | Description:
      2 | Access-Accept | From the server to the client. If all the attribute values carried in the Access-Request are acceptable, that is, the authentication succeeds, the server sends an Access-Accept response.
      3 | Access-Reject | From the server to the client. If any attribute ...

  • Page 520

    1-6 (Table 1-2 continued) No. | Attribute:
      6  | Service-Type          50    | Acct-Multi-Session-Id
      7  | Framed-Protocol       51    | Acct-Link-Count
      8  | Framed-IP-Address     52    | Acct-Input-Gigawords
      9  | Framed-IP-Netmask     53    | Acct-Output-Gigawords
      10 | Framed-Routing        54    | (unassigned)
      11 | Filter-Id             55    | Event-Timestamp
      12 | Framed-MTU            56-59 | (unassigned)
      13 | ...

  • Page 521: Introduction to Hwtacacs

    1-7 (Table 1-2 continued) 44 | Acct-Session-Id; 91 | Tunnel-Server-Auth-Id. The attribute types listed in Table 1-2 are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2568. Extended RADIUS attributes: the RADIUS protocol is highly extensible. Attribute 26 (Vendor-Specific), defined by RF...
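The RADIUS exchange described on the preceding pages, as an added example that is not part of the manual or of H3C's software: it builds an Access-Request with the User-Password hidden per RFC 2865 section 5.2 (the "Message-Digest" step the text refers to), lets the server recover the password, answers with an Access-Accept whose Response Authenticator the client verifies, and decodes a Vendor-Specific attribute (type 26). The shared key, packet identifiers and VSA contents are constructed; Vendor-Id 25506 is H3C's registered enterprise number, but vendor type 29 and its value are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    output block), the first block keyed on the Request Authenticator.  This only
    obscures the password; anyone holding the shared secret (or who brute-forces a
    weak one offline from a capture) reverses it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value   # length counts the 2-byte header


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26 payload: 4-byte Vendor-Id, then vendor type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value)


def build_access_request(ident, username, password, secret, authenticator):
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_authenticator, secret, body):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body


def verify_response(resp, request_authenticator, secret) -> bool:
    """Client check: the reply answers *this* request and came from a holder of the
    secret, so a replayed Accept for an older request or a modified attribute fails."""
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def parse_packet(pkt: bytes) -> dict:
    """Header fields plus a list of (type, value); rejects inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than 20 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field %d != packet size %d" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": CODE_NAMES.get(code, code), "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def decode_vsa(value: bytes) -> tuple:
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    if vendor_len != len(value) - 4:
        raise ValueError("vendor-length does not match the attribute length")
    return vendor_id, vendor_type, value[6:4 + vendor_len]


def demo() -> dict:
    """Client request, server recovers the password and answers Access-Accept with a
    constructed VSA, client validates the reply and detects a tampered copy."""
    secret = b"expert"          # constructed shared key (same value as the page's example)
    req_auth = os.urandom(16)   # Request Authenticator: fresh and unpredictable per request
    req = build_access_request(7, b"hello", b"hello", secret, req_auth)
    parsed = parse_packet(req)
    password = reveal_password(dict(parsed["attrs"])[USER_PASSWORD], secret, parsed["authenticator"])
    # Vendor-Id 25506 is H3C's; vendor type 29 and its 4-byte value are assumed, not from the page.
    accept = build_response(ACCESS_ACCEPT, 7, req_auth, secret, vsa(25506, 29, b"\x00\x00\x00\x03"))
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # one attribute byte flipped in flight
    rparsed = parse_packet(accept)
    return {"request_code": parsed["code"], "password": password, "response_code": rparsed["code"],
            "response_valid": verify_response(accept, req_auth, secret),
            "tampered_valid": verify_response(tampered, req_auth, secret),
            "vsa": decode_vsa(dict(rparsed["attrs"])[VENDOR_SPECIFIC])}
```

Two points the manual's summary glosses over are visible here: the password hiding is keyed only on the shared key and a 16-byte Request Authenticator, so a short or reused key exposes every captured password to an offline guess, and the Response Authenticator is what stops a forged or replayed Access-Accept, which is why the key must be the same on both ends and the Request Authenticator must never repeat.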

  • Page 522

    1-8 Differences between HWTACACS and RADIUS. HWTACACS and RADIUS have much in common: both implement AAA, use a client/server model, use shared keys to protect user information, and are flexible and extensible. They also differ, as listed in Table 1-3 ...
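One of the differences Table 1-3 draws is how much of each packet the shared key protects. The following added example (not H3C code) shows the TACACS+ body obfuscation of RFC 8907 section 4.5: the whole body after the 12-byte header is XORed with an MD5 keystream derived from the session ID, key, version and sequence number, whereas RADIUS hides only the User-Password attribute. HWTACACS is H3C's TACACS-based variant and is assumed here to use the standard algorithm; the key, session ID and packet contents are constructed.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0        # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01         # packet type: authentication
UNENCRYPTED_FLAG = 0x01        # header flag meaning "body sent in the clear"


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1}),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    flags = 0 if key else UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + (xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body)


def parse_packet(pkt: bytes, key: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    if length != len(pkt) - 12:
        raise ValueError("header length %d != body size %d" % (length, len(pkt) - 12))
    body = pkt[12:]
    if not flags & UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1),
    service LOGIN(1), four length bytes, then the variable-length fields."""
    return struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0) \
        + user + port + rem_addr


def demo() -> dict:
    key, session_id = b"expert", 0x1234ABCD       # constructed values
    body = authen_start(b"hello", b"vty0", b"10.1.1.2")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    # Same session_id and seq_no give the same pad, so two such bodies XOR to the
    # XOR of the plaintexts: the pad is a stream and must never be reused.
    c1 = xor_body(b"hello", session_id, key, TAC_PLUS_VERSION, 1)
    c2 = xor_body(b"world", session_id, key, TAC_PLUS_VERSION, 1)
    leak = bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(b"hello", b"world"))
    return {"username_visible_on_wire": b"hello" in pkt,
            "body_recovered": parse_packet(pkt, key)["body"] == body,
            "wrong_key_recovers": parse_packet(pkt, b"wrong-key")["body"] == body,
            "same_session_pad_leaks_xor": leak}
```

The whole START body, including the username, is covered, which is the advantage over RADIUS; the mechanism is still an MD5 keystream XOR with no integrity check, so it protects against casual capture, not against an active attacker on the path, and a guessable shared key undoes it entirely.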

  • Page 523

    1-9 Figure 1-6 Basic message exchange process of HWTACACS for a Telnet user (host, HWTACACS client, HWTACACS server): 1) The user logs in. 2) Start-authentication packet. 3) Authentication response requesting the username. 4) Request for username. 5) The user inputs the username. 6) Authentication continuance...

  • Page 524: Protocols and Standards

    1-10 11) The HWTACACS server sends back an authentication response indicating that the user has passed authentication. 12) The HWTACACS client sends the user authorization request packet to the HWTACACS server. 13) The HWTACACS server sends back the authorization response, indicating that the user i...

  • Page 525

    1-11 For login users, the authentication mode for logging into the user interface must be set to scheme. For details, refer to Login Configuration in the System Volume. AAA configuration task list (task, remarks): Creating an ISP domain, required; Configuring ISP domain attri...

  • Page 526: Configuring Aaa

    1-12 HWTACACS configuration task list (task, remarks): Creating a HWTACACS scheme, required; Specifying the HWTACACS authentication servers, required; Specifying the HWTACACS authorization servers, optional; Specifying the HWTACACS accounting servers, optional; Setting the shared key for HWTACACS packets, requir...

  • Page 527

    1-13 Follow these steps to create an ISP domain:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Create an ISP domain and enter ISP domain view | domain isp-name | Required
      Return to system view | quit | —
      Specify the default ISP domain | domain default enable isp-name | Optional. By default, the...

  • Page 528

    1-14 A self-service RADIUS server, for example iMC, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Co...

  • Page 530

    1-16 ... of these types is called an EXEC user). By default, FTP users are authorized to use the root directory of the device. Before configuring authorization methods, complete these three tasks: 1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For RADIUS authorization...

  • Page 531

    1-17 The authorization method specified with the authorization default command applies to all types of users and has a lower priority than the method specified for a specific access mode. RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RADIUS auth...

  • Page 532

    1-18 Follow these steps to configure AAA accounting methods for an ISP domain:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Create an ISP domain and enter ISP domain view | domain isp-name | Required
      Enable the accounting optional feature | accounting optional | Optional. Disabled by defau...

  • Page 533

    1-19 A local user represents a set of user attributes configured on a device and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry for it in the local user database of the device as follows: create a local user and con...

  • Page 535

    1-21 ... user interface. For details on authentication methods and the commands accessible from a user interface, refer to Login Configuration in the System Volume. Binding attributes are checked when a local user is authenticated; if the check fails, the user fails authentication. Therefore, be...

  • Page 536: Configuring Radius

    1-22 Displaying and maintaining AAA:
      To do... | Use the command... | Remarks
      Display the configuration information of a specified ISP domain or all ISP domains | display domain [ isp-name ] | Available in any view
      Display information about specified or all user connections | display connection [ access-type { dot1...

  • Page 537

    1-23 To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Create a RADIUS scheme and enter RADIUS scheme view | radius scheme radius-scheme-name | Required. Not defined by default
    A RADIUS scheme can be referenced by more than one ISP domain at the same time. Specifying the RADIUS authenticati...

  • Page 538

    1-24 To do... | Use the command... | Remarks
      Specify the primary RADIUS accounting server | primary accounting ip-address [ port-number ]
      Specify the secondary RADIUS accounting server | secondary accounting ip-address [ port-number ]
      Remarks for both rows: Required. Configure at least one of the two commands. No accounting server by defau...

  • Page 542

    1-28 Some earlier RADIUS servers cannot recognize usernames that contain an ISP domain name. In this case, the device must strip the domain name before sending the username; configure the user-name-format without-domain command for this purpose. If a ...

  • Page 543

    1-29 To do... | Use the command... | Remarks
      Set the real-time accounting interval | timer realtime-accounting minutes | Optional. 12 minutes by default
    The maximum number of RADIUS packet retransmission attempts multiplied by the RADIUS server response timeout (in seconds) cannot exceed 75, and the uppe...

  • Page 544: Configuring Hwtacacs

    1-30 You can specify up to eight security policy servers for a RADIUS scheme. Enabling the listening port of the RADIUS client. Follow these steps:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Enable the listening port of the RADIUS...

  • Page 545

    1-31 Creating a HWTACACS scheme. HWTACACS is configured on a per-scheme basis. Before performing other HWTACACS configuration, follow these steps to create a HWTACACS scheme and enter HWTACACS scheme view:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Create a HWTACACS...

  • Page 546

    1-32 Specifying the HWTACACS authorization servers. Follow these steps:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Create a HWTACACS scheme and enter HWTACACS scheme view | hwtacacs scheme hwtacacs-scheme-name | Required. Not defined by de...

  • Page 547

    1-33 It is recommended to specify only the primary HWTACACS accounting server if backup is not required. If both the primary and secondary accounting servers are specified, the secondary one is used when the primary is unreachable. The IP addresses of the primary and secondary accounting...

  • Page 549: Aaa Configuration Examples

    1-35 For real-time accounting, a NAS must periodically transmit the accounting information of online users to the HWTACACS accounting server. Note that if the device receives no response to this information, it does not forcibly disconnect the online users. The real-time accounting interv...

  • Page 550

    1-36 Figure 1-7 Configure AAA for Telnet users by a HWTACACS server (Telnet user, Internet, switch, authentication/accounting server 10.1.1.1/24). Configuration procedure:
    # Configure the IP addresses of the interfaces (omitted).
    # Enable the Telnet server on the switch.
    system-view
    [Switch] telnet server ...

  • Page 551

    1-37 AAA for Telnet users by separate servers. Network requirements: as shown in Figure 1-8, configure the switch to provide local authentication, HWTACACS authorization, and RADIUS accounting for Telnet users. The username and password for Telnet users are both hello (an example value only; a password equal to the username should never be used in production). The HWTACACS ser...

  • Page 552

    1-38 [Switch-radius-rd] primary accounting 10.1.1.1 1813
    [Switch-radius-rd] key accounting expert
    [Switch-radius-rd] server-type extended
    [Switch-radius-rd] user-name-format without-domain
    [Switch-radius-rd] quit
    # Create a local user named hello.
    [Switch] local-user hello
    [Switch-luser-hello] servi...

  • Page 553

    1-39 This example assumes that the RADIUS server runs iMC PLAT 3.20-R2602 or iMC UAM 3.60-E6102. # Add an access device. Log in to the iMC management platform, select the Service tab, and select Access Service > Access Device from the navigation tree to enter the Access Device page. Then, click Add t...

  • Page 554

    1-40 Figure 1-11 Add an account for device management. 2) Configure the switch.
    # Configure the IP address of VLAN-interface 2, through which the SSH user accesses the switch.
    system-view
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
    [Switch-Vlan-in...

  • Page 555: Troubleshooting Aaa

    1-41 [Switch-radius-rad] user-name-format with-domain
    [Switch-radius-rad] quit
    # Configure the AAA methods for the domain.
    [Switch] domain bbb
    [Switch-isp-bbb] authentication login radius-scheme rad
    [Switch-isp-bbb] authorization login radius-scheme rad
    [Switch-isp-bbb] accounting login radius-schem...

  • Page 556

    1-42 1) The communication links between the NAS and the RADIUS server work at both the physical and link layers. 2) The IP address of the RADIUS server is correctly configured on the NAS. 3) The UDP ports for authentication/authorization/accounting configured on the NAS are the same as those configured...

  • Page 557: Table of Contents

    Table of contents: 1 802.1X configuration: 802.1X overview ...

  • Page 558: 802.1X Configuration

    1-1 1 802.1X configuration. Support for the online user handshake security function is added in Release 2202P19 of the S5120-EI series. For details, refer to Online user handshake function. When configuring 802.1X, go to these sections for the information you are interested in: 802.1X overvie...

  • Page 559

    1-2 Authentication process of 802.1X; 802.1X timers; Features working together with 802.1X. Architecture of 802.1X: 802.1X operates in the typical client/server model and defines three entities, the client, the device, and the server, as shown in Figure 1-1. Figure 1-1 Architecture of 802.1X. Client: an ent...

  • Page 560

    1-3 The controlled port and the uncontrolled port are two parts of the same physical port; any frame arriving at the port is visible to both. Authorized state and unauthorized state: the device uses the authentication server to authenticate a client trying to access the LAN and controls the status of ...

  • Page 561

    1-4 Figure 1-3 EAPOL frame format. PAE Ethernet type: the protocol type, always 0x888E. Protocol version: the EAPOL protocol version supported by the frame sender. Type: the type of the EAPOL frame; Table 1-1 lists the types the device currently supports. Table 1-1 Types of EA...

  • Page 562

    1-5 EAP over RADIUS. Two RADIUS attributes support EAP authentication: EAP-Message and Message-Authenticator. For the RADIUS packet format, refer to AAA Configuration in the Security Volume. EAP-Message: the EAP-Message attribute encapsulates EAP packets...
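The EAPOL frame layout of Figure 1-3 and the two EAP-carrying RADIUS attributes above, as an added example that is not part of the manual or of H3C's software. It parses an EAPOL frame (EtherType 0x888E, version, type, length, then the EAP packet), relays the EAP packet into an Access-Request as EAP-Message (79) attributes, and computes and verifies Message-Authenticator (80) as HMAC-MD5 over the packet with the attribute's own value zeroed, per RFC 3579. MAC addresses, the shared secret, the identity and the Request Authenticator are constructed; a real client must use a random Request Authenticator.

```python
import hashlib
import hmac
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def parse_eapol(frame: bytes) -> dict:
    """Ethernet header, EAPOL header and, for type 0, the EAP packet.  The Ethernet
    payload may be padded, so the EAPOL length field, not the frame size, bounds the body."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not EAPOL: EtherType 0x%04x" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    out = {"src": frame[6:12].hex(":"), "version": version, "type": EAPOL_TYPES.get(ptype, ptype), "eap": None}
    if ptype == 0:
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen < 4 or elen > length:
            raise ValueError("EAP length inconsistent with EAPOL length")
        eap = {"code": EAP_CODES.get(code, code), "id": ident, "raw": body[:elen]}
        if code in (1, 2):                     # Request/Response carry a type byte and type data
            eap["type"], eap["data"] = body[4], body[5:elen]
        out["eap"] = eap
    return out


def eapol_frame(dst: bytes, src: bytes, eap_packet: bytes, version: int = 1) -> bytes:
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, version, 0, len(eap_packet)) + eap_packet


def eap_response_identity(ident: int, identity: bytes) -> bytes:
    return struct.pack("!BBHB", 2, ident, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def find_attr(pkt: bytes, wanted: int):
    """Offset of the first attribute of the given type in a RADIUS packet, or None."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == wanted:
            return pos
        pos += alen
    return None


def message_authenticator(pkt: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the whole packet with the 16-byte Message-Authenticator value zeroed."""
    pos = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if pos is None:
        raise ValueError("no Message-Authenticator attribute")
    return hmac.new(secret, pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:], hashlib.md5).digest()


def relay_to_access_request(eap_packet, ident, request_authenticator, username, secret):
    """EAP relay: the EAP packet is copied unchanged into EAP-Message attributes (split at
    253 bytes) and the packet is sealed with a Message-Authenticator."""
    body = attr(USER_NAME, username)
    for i in range(0, len(eap_packet), 253):
        body += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_authenticator + body
    pos = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    return pkt[:pos + 2] + message_authenticator(pkt, secret) + pkt[pos + 18:]


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    pos = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    return pos is not None and hmac.compare_digest(pkt[pos + 2:pos + 18], message_authenticator(pkt, secret))


def demo() -> dict:
    dst, src = bytes.fromhex("0180c2000003"), bytes.fromhex("00e0fc123456")   # constructed addresses
    frame = eapol_frame(dst, src, eap_response_identity(1, b"hello"))
    parsed = parse_eapol(frame)
    req_auth = b"\x11" * 16                      # constructed; must be random on a real client
    req = relay_to_access_request(parsed["eap"]["raw"], 5, req_auth, b"hello", b"abc")
    pos = find_attr(req, EAP_MESSAGE)
    tampered = req[:pos + 7] + bytes([req[pos + 7] ^ 0x20]) + req[pos + 8:]   # flips 'h' to 'H' in the identity
    return {"eapol_type": parsed["type"], "eap_code": parsed["eap"]["code"], "identity": parsed["eap"]["data"],
            "ma_valid": verify_message_authenticator(req, b"abc"),
            "ma_valid_after_tamper": verify_message_authenticator(tampered, b"abc"),
            "ma_valid_wrong_secret": verify_message_authenticator(req, b"xyz")}
```

The check matters because an Access-Request has no Response Authenticator: without Message-Authenticator, a RADIUS server cannot tell a genuine relayed EAP exchange from one injected by anyone who can reach its UDP port, which is why servers should reject EAP-carrying requests that lack the attribute.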

  • Page 563

    1-6 Authentication process of 802.1X. An 802.1X device communicates with a remote RADIUS server in one of two modes: EAP relay and EAP termination. The following description uses EAP relay as the example. EAP relay: EAP relay is defined by the IEEE 802.1X standard ...

  • Page 564

    1-7 4) Upon receiving the EAP-Response/Identity packet, the device relays it to the authentication server in a RADIUS Access-Request packet. 5) On receiving the RADIUS Access-Request, the RADIUS server compares the identity information against its user information table to obtain th...

  • Page 565

    1-8 Figure 1-8 Message exchange in EAP termination mode (client to device over EAPOL, device to server over EAPOR; messages shown: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Response/MD5-Challenge, EAP-Success, handshake request [EAP-Request/Identity], handshake response [EAP-Response/Identity], EAPOL-Logoff...

  • Page 566

    1-9 Handshake timer (handshake-period): after a client passes authentication, the device sends handshake requests to the client at this interval to check whether the client is still online. If the device receives no response after sending the maximum allowed number of handshake requests, it considers th...

  • Page 567

    1-10 The assigned VLAN neither changes nor affects the configuration of a port. However, because the assigned VLAN has higher priority than the initial VLAN of the port, it is the assigned VLAN that takes effect after a user passes authentication. After the user goes offline, the port returns to the init...

  • Page 568: Configuring 802.1X

    1-11 The online user handshake security function helps prevent online users from using illegal client software to exchange handshake messages with the device. Handshake exchange by illegal client software may let a user escape some security inspection functions, such as proxy dete...

  • Page 569

    1-12 To do... | Use the command... | Remarks
      Set the maximum number of users for specified or all ports | dot1x max-user user-number [ interface interface-list ] | Optional. 256 by default
      Set the maximum number of attempts to send an authentication request to a client | dot1x retry max-retr...

  • Page 570

    1-13 To do... | Use the command... | Remarks
      Enable 802.1X for one or more ports, in system view | dot1x interface interface-list | Required. Use either approach. Disabled by default
      Enable 802.1X for one or more ports, in Ethernet interface view | interface interface-type interface-number, then dot1x |
    Configuring 802.1X parameters for a port. Follow these st...

  • Page 571

    1-14 Once the 802.1X multicast trigger function is enabled, a port periodically sends multicast trigger messages to clients to initiate authentication. For a user-side device sending untagged traffic, the voice VLAN function and 802.1X are mutually exclusive and cannot be configured togethe...

  • Page 572: 802.1X Configuration Example

    1-15 To do... | Use the command... | Remarks
      Clear 802.1X statistics | reset dot1x statistics [ interface interface-list ] | Available in user view
    802.1X configuration example. Network requirements: the MAC-based access control method is required on port GigabitEthernet 1/0/1 to control clients. All cl...

  • Page 573

    1-16 The following configuration procedure covers most AAA/RADIUS configuration commands on the device; configuration of the 802.1X client and RADIUS server is omitted. For information about AAA/RADIUS commands, refer to AAA Configuration in the Security Volume. # Configure the...

  • Page 574

    1-17 [Device-isp-aabbcc.net] quit
    # Configure aabbcc.net as the default domain.
    [Device] domain default enable aabbcc.net
    # Enable 802.1X globally.
    [Device] dot1x
    # Enable 802.1X for port GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] dot1x
    [Device-Giga...

  • Page 575

    1-18 Figure 1-11 Network diagram with the port in the guest VLAN. Figure 1-12 Network diagram when the client passes authentication. Configuration procedure: the following configuration procedure uses many AAA/RADIUS commands. For detailed configuration of these commands, refer to AAA Configuration i...

  • Page 576

    1-19 [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    # Configure authentication domain system and specify RADIUS scheme 2000 for users of the domain.
    [Device] domain system
    [Devi...

  • Page 577

    1-20 Figure 1-13 Network diagram for ACL assignment. Configuration procedure:
    # Configure the IP addresses of the interfaces (omitted).
    # Configure the RADIUS scheme.
    system-view
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounti...

  • Page 578

    1-21 c:\>.

  • Page 579: Ead Fast Deployment Overview

    2-1 2 802.1X-based EAD fast deployment configuration. When configuring EAD fast deployment, go to these sections for the information you are interested in: EAD fast deployment overview; Configuring EAD fast deployment; Displaying and maintaining EAD fast deployment; EAD fast deployment configuration...

  • Page 580

    2-2 Configuring EAD fast deployment. Currently, MAC authentication and port security cannot work together with EAD fast deployment: once MAC authentication or port security is enabled globally, EAD fast deployment is disabled automatically. Configuration prerequisites: enable 802.1X globally; ...

  • Page 581

    2-3 Configuring the IE redirect URL. Follow these steps:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Configure the IE redirect URL | dot1x url url-string | Required. No redirect URL is configured by default.
    The redirect URL and the freely accessible ne...

  • Page 582

    2-4 After successful 802.1X authentication, the host can access the outside network. Figure 2-1 Network diagram for EAD fast deployment (host 192.168.1.10/24; device GE1/0/1 192.168.1.1/24; free IP: web server 192.168.2.3/24 on 192.168.2.0/24; Internet). Configuration procedure: 1) Configure the web server befo...

  • Page 583

    2-5 Troubleshooting EAD fast deployment. Users cannot be redirected correctly. Symptom: when a user enters an external website address in the IE browser, the user is not redirected to the specified URL. Analysis: the address is in string format; in this case, the operating system of the host regar...

  • Page 584: Table of Contents

    Table of contents: 1 HABP configuration: Introduction to HABP ...

  • Page 585: Habp Configuration

    1-1 1 HABP configuration. When configuring HABP, go to these sections for the information you are interested in: Introduction to HABP; Configuring HABP; Displaying and maintaining HABP; HABP configuration example. Introduction to HABP: the HW Authentication Bypass Protocol (HABP) is used to enable...

  • Page 586: Configuring Habp

    1-2 ... server learns the MAC addresses of all the clients, it registers the MAC addresses as HABP entries. Link layer frames exchanged between the clients can then bypass 802.1X authentication on the ports of the server without affecting normal operation of the whole network. All HABP packets must...

  • Page 587: Habp Configuration Example

    1-3 Because HABP is enabled and works in client mode by default, this configuration task is optional. Follow these steps to configure an HABP client:
      To do... | Use the command... | Remarks
      Enter system view | system-view | —
      Enable HABP | habp enable | Optional. Enabled by default
      Configure HABP to work in client mode | u...

  • Page 588

    1-4 Figure 1-2 Network diagram for HABP configuration. Configuration procedure: 1) Configure Switch A.
    # Perform 802.1X related configuration on Switch A. For details, refer to 802.1X Configuration in the Security Volume.
    # Enable HABP.
    system-view
    [SwitchA] habp enable
    # Configure HAB...

  • Page 589: Table of Contents

    Table of contents: 1 MAC authentication configuration: MAC authentication overview ...

  • Page 590: Mac Authentication Overview

    1-1 1 MAC authentication configuration. When configuring MAC authentication, go to these sections for the information you are interested in: MAC authentication overview; Related concepts; Configuring MAC authentication; Displaying and maintaining MAC authentication; MAC authentication configuration...

  • Page 591: Related Concepts

    1-2 Related concepts. MAC authentication timers: the following timers are used in MAC authentication. Offline detect timer: at this interval, the device checks whether there is traffic from a user. Once it detects no traffic from a user within this interval, the de...

  • Page 592

    1-3 ACL assignment. ACLs assigned by an authorization server are referred to as authorization ACLs and are designed to control access to network resources. If the RADIUS server is configured with authorization ACLs, the device permits or denies data flows traversing the port through which...

  • Page 594

    1-5 Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. If you configure both the 802.1X MGV and the MAC authentication MGV on a port, only the 802.1X MGV takes effect. For a description of 802.1X au...

  • Page 595

    1-6 Configuration procedure. 1) Configure MAC authentication on the device.
    # Add a local user, setting the username and password to 00-e0-fc-12-34-56, the MAC address of the user. (password simple stores the password unencrypted in the configuration file.)
    system-view
    [Device] local-user 00-e0-fc-12-34-56
    [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
    [Dev...

  • Page 596

    1-7 RADIUS-based MAC authentication configuration example. Network requirements: as illustrated in Figure 1-2, a host is connected to the device through port GigabitEthernet 1/0/1. The device authenticates, authorizes and keeps accounting for the host through the RADIUS server. MAC authentication is...

  • Page 597

    1-8 # Enable MAC authentication for port GigabitEthernet 1/0/1.
    [Device] mac-authentication interface gigabitethernet 1/0/1
    # Specify the ISP domain for MAC authentication.
    [Device] mac-authentication domain 2000
    # Set the MAC authentication timers.
    [Device] mac-authentication timer offline-detect 1...

  • Page 598

    1-9 Figure 1-3 Network diagram for ACL assignment. Configuration procedure: make sure that there is a route between the RADIUS server and the switch. In this example, the switch uses the default username type (the user's MAC address) for MAC authentication; therefore, you need to add the usern...

  • Page 599

    1-10 [Sysname] mac-authentication user-name-format mac-address
    # Enable MAC authentication for port GigabitEthernet 1/0/1.
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] mac-authentication
    After completing the above configuration, you can use the ping command to verify whe...

  • Page 600: Table of Contents

    Table of contents: 1 Port security configuration: Introduction to port security ...

  • Page 601: Port Security Configuration

    1-1 1 Port security configuration. When configuring port security, go to these sections for the information you are interested in: Introduction to port security; Port security configuration task list; Displaying and maintaining port security; Port security configuration examples; Troubleshooting po...

  • Page 602

    1-2 Intrusion protection. The intrusion protection feature checks the source MAC addresses of inbound frames and takes a predefined action upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the offending MAC addr...

  • Page 603

    1-3 On the port, if you want to... | use the security mode... | feature that can be triggered. These security mode naming rules may help you remember the modes: userLogin specifies 802.1X authentication and port-based access control; macAddress specifies MAC address authentication; Else specifies that ...

  • Page 604

    1-4 For wireless users, the port performs an OUI check first; if the OUI check fails, the port performs 802.1X authentication. Perform MAC authentication: macAddressWithRadius, a port in this mode performs MAC authentication for users and serves multiple users. Perform a combination of MAC authen...

  • Page 605: Enabling Port Security

    1-5 userLogin specifies port-based 802.1X authentication; macAddress specifies MAC address authentication; Else specifies that the authentication method before Else is applied first. If that authentication fails, the protocol type of the authentication request determines whether to turn to the ...

  • Page 606

    1-6 To do... | Use the command... | Remarks
      Enable port security | port-security enable | Required. Disabled by default
    Note that: 1) Enabling port security resets the following configurations on a port to the bracketed defaults. The values of these configurations then cannot be changed manually; the system ad...

  • Page 607

    1-7 Setting the port security mode. Configuration prerequisites: before setting the port security mode, ensure that: 802.1X is disabled, the port access control method is macbased, and the port access control mode is auto; MAC authentication is disabled; the port does not belong to any aggregati...

  • Page 608

    1-8 You cannot change the maximum number of secure MAC addresses allowed on a port that operates in autoLearn mode. The OUI, defined by IEEE, is the first 24 bits of a MAC address and uniquely identifies a device vendor. You can configure multiple OUI values; however, a port in userLoginWithOUI ...

  • Page 609

    1-9 Configuring intrusion protection. Intrusion protection lets the device apply one of the following security policies when it detects illegal frames: blockmac: adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source m...

  • Page 610

    1-10 Configuring secure MAC addresses. Secure MAC addresses are special MAC addresses: they never age out, and they survive a device restart if saved. One secure MAC address can be added to only one port in the same VLAN, so you can bind a MAC address to one port in a VLAN. Secure MAC a...
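The interaction between the secure MAC limit, the autoLearn-to-secure transition and the intrusion protection actions described on the last few pages, as an added illustration that is not switch code: a small model of one port that learns source MACs until max-mac-count is reached, then treats any other source MAC as an intrusion and applies blockmac, disableport or disableport-temporarily. VLANs, 802.1X and MAC authentication are left out; the MAC addresses, frame timing and the 30-second silence period are constructed to match the page's example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    """One port: autoLearn until max_mac_count secure MACs are held, then 'secure',
    where a frame from an unknown source MAC is an intrusion."""
    max_mac_count: int
    intrusion_action: str = "noaction"   # noaction | blockmac | disableport | disableport-temporarily
    disableport_timeout: float = 20.0    # seconds; 20 s is the default the page's display output shows
    mode: str = "autolearn"
    secure_macs: set = field(default_factory=set)
    blocked_macs: set = field(default_factory=set)
    link_up: bool = True
    reenable_at: Optional[float] = None

    def add_static_secure_mac(self, mac: str) -> None:
        """Manually configured secure MAC; counts against the same limit."""
        if mac not in self.secure_macs and len(self.secure_macs) >= self.max_mac_count:
            raise ValueError("secure MAC table full")
        self.secure_macs.add(mac)
        self._check_full()

    def _check_full(self) -> None:
        if self.mode == "autolearn" and len(self.secure_macs) >= self.max_mac_count:
            self.mode = "secure"

    def receive(self, src_mac: str, now: float = 0.0) -> str:
        """Dispose of one inbound frame and report what happened to it."""
        if not self.link_up:
            if self.reenable_at is not None and now >= self.reenable_at:
                self.link_up, self.reenable_at = True, None   # temporary disable has expired
            else:
                return "dropped:port-disabled"
        if src_mac in self.blocked_macs:
            return "dropped:blocked-mac"
        if src_mac in self.secure_macs:
            return "forwarded"
        if self.mode == "autolearn":
            self.secure_macs.add(src_mac)
            self._check_full()
            return "forwarded:learned"
        return self._intrusion(src_mac, now)

    def _intrusion(self, src_mac: str, now: float) -> str:
        if self.intrusion_action == "blockmac":
            self.blocked_macs.add(src_mac)
            return "dropped:intrusion-blockmac"
        if self.intrusion_action == "disableport":
            self.link_up = False
            return "dropped:intrusion-disableport"
        if self.intrusion_action == "disableport-temporarily":
            self.link_up, self.reenable_at = False, now + self.disableport_timeout
            return "dropped:intrusion-disableport-temporarily"
        return "dropped:intrusion-noaction"   # unknown MAC is still not forwarded in secure mode


def demo() -> list:
    """Constructed traffic: two hosts fill a max-mac-count 2 blockmac port, then a
    single spoofed frame silences a disableport-temporarily port for 30 s."""
    events = []
    p = SecurePort(max_mac_count=2, intrusion_action="blockmac")
    for mac in ("00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003", "00e0-fc00-0003", "00e0-fc00-0001"):
        events.append(p.receive(mac))
    q = SecurePort(max_mac_count=1, intrusion_action="disableport-temporarily", disableport_timeout=30)
    q.receive("00e0-fc00-0001", now=0)                     # legitimate host learned; port now secure
    events.append(q.receive("00e0-fc00-0009", now=1))     # one foreign frame takes the port down
    events.append(q.receive("00e0-fc00-0001", now=10))    # the legitimate host is cut off too
    events.append(q.receive("00e0-fc00-0001", now=31))    # timeout expired, port is back
    return events
```

The second half of the run is the caveat a practitioner should take from the page: with disableport or disableport-temporarily, a single frame with an unexpected source MAC is enough to take every legitimate host on the port offline, so blockmac is the less disruptive choice on ports where an attacker could plausibly inject traffic.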

  • Page 611

    1-11 To do... | Use the command... | Remarks
      ... interface-number
      Ignore the authorization information from the RADIUS server | port-security authorization ignore | Required. By default, a port uses the authorization information from the RADIUS server.
    Displaying and maintaining port security:
      To do... | Use the command...

  • Page 612

    1-12 [switch-gigabitethernet1/0/1] port-security max-mac-count 64 # set the port security mode to autolearn. [switch-gigabitethernet1/0/1] port-security port-mode autolearn # configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [switch-gigabitethernet1/...

  • Page 613

    1-13 mac addr: 0.2.0.0.0.21 vlan id: 1 ifadminstatus: 1 in addition, you will see that the port security feature has disabled the port if you issue the following command: [switch-gigabitethernet1/0/1] display interface gigabitethernet 1/0/1 gigabitethernet1/0/1 current state: port security disabled ...

  • Page 614

    1-14 Figure 1-2 network diagram for configuring the userloginwithoui mode. Configuration procedure: the following configuration steps cover some aaa/radius configuration commands. For details about the commands, refer to aaa configuration in the security volume. Configurations on the host and radi...

  • Page 615

    1-15 # add five oui values. [switch] port-security oui 1234-0100-1111 index 1 [switch] port-security oui 1234-0200-1111 index 2 [switch] port-security oui 1234-0300-1111 index 3 [switch] port-security oui 1234-0400-1111 index 4 [switch] port-security oui 1234-0500-1111 index 5 [switch] interface gig...

  • Page 616

    1-16 index is 5, oui value is 123405 gigabitethernet1/0/1 is link-up port mode is userloginwithoui needtoknow mode is disabled intrusion protection mode is noaction max mac address number is not configured stored mac address number is 0 authorization is permitted after an 802.1x user gets online, yo...

  • Page 617

    1-17 mac addr vlan id state port index aging time(s) 1234-0300-0011 1 learned gigabitethernet1/0/1 aging --- 1 mac address(es) found --- Configuring the macaddresselseuserloginsecure mode. Network requirements: the client is connected to the switch through gigabitethernet 1/0/1. The switch authenticat...

  • Page 618

    1-18 3) Verify the configuration. After completing the above configurations, you can use the following command to view the port security configuration information: display port-security interface gigabitethernet 1/0/1 equipment port-security is enabled trap is disabled disableport timeout: 20s oui va...

  • Page 619

    1-19 the maximal retransmitting times 2 ead quick deploy configuration: ead timeout: 30m total maximum 802.1x user resource number is 1024 per slot total current used 802.1x resource number is 1 gigabitethernet1/0/1 is link-up 802.1x protocol is enabled handshake is enabled handshake secure is disab...

  • Page 620

    1-20 Cannot configure secure mac addresses. Symptom: cannot configure secure mac addresses. [switch-gigabitethernet1/0/1] port-security mac-address security 1-1-2 vlan 1 error: security mac address configuration failed. Analysis: no secure mac address can be configured on a port operating in a port sec...

  • Page 621: Table of Contents

    I table of contents: 1 ip source guard configuration 1-1; ip source guard overview ...

  • Page 622: Ip Source Guard Overview

    1-1 1 ip source guard configuration. When configuring ip source guard, go to these sections for information you are interested in: ip source guard overview; configuring a static binding entry; configuring dynamic binding function; displaying and maintaining ip source guard; ip source guard conf...

  • Page 624

    1-3 To implement dynamic binding in ip source guard, make sure that dhcp snooping or dhcp relay is configured and works normally. For dhcp configuration information, refer to dhcp configuration in the system volume. The dynamic binding function can be configured on ethernet ports and vlan interf...

  • Page 625

    1-4 Configuration procedure. 1) Configure switch a. # Configure the ip addresses of various interfaces (omitted). # Configure port gigabitethernet 1/0/2 of switch a to allow only ip packets with the source mac address of 00-01-02-03-04-05 and the source ip address of 192.168.0.3 to pass. system-view [...

  • Page 626

    1-5 On port gigabitethernet 1/0/1 of switch a, enable the dynamic binding function to prevent attackers from using forged ip addresses to attack the server. For detailed configuration of a dhcp server, refer to dhcp configuration in the ip service volume. Network diagram: figure 1-2 network diagram for...

  • Page 627

    1-6 the client binding table for all untrusted ports. Type : d--dynamic , s--static type ip address mac address lease vlan interface ==== =============== ============== ============ ==== ================= d 192.168.0.1 0001-0203-0406 86335 1 gigabitethernet1/0/1 as you see, port gigabitethernet 1/0/...

  • Page 628: Table of Contents

    I table of contents: 1 ssh2.0 configuration 1-1; ssh2.0 overview ...

  • Page 629: Ssh2.0 Configuration

    1-1 1 ssh2.0 configuration. When configuring ssh2.0, go to these sections for information you are interested in: ssh2.0 overview; configuring the device as an ssh server; configuring the device as an ssh client; displaying and maintaining ssh; ssh server configuration examples; ssh client conf...

  • Page 630

    1-2 Stages / description: communicate with each other. Version negotiation: 1) the server opens port 22 to listen to connection requests from clients. 2) the client sends a tcp connection request to the server. After the tcp connection is established, the server sends the first packet to the client, whi...

  • Page 631

    1-3 before the negotiation, the server must have already generated a dsa or rsa key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about dsa and rsa key pairs, refer to public key configuration in the s...

  • Page 632

    1-4 back to the client an ssh_smsg_success packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an ssh_smsg_failure packet, indicating that the processing fails or it cannot resolve the request. Interaction: in this stage, the server and ...

  • Page 633

    1-5 For details about the public-key local create command, refer to public key commands in the security volume. To ensure that all ssh clients can log into the ssh server successfully, it is recommended that you generate both dsa and rsa key pairs on the ssh server. This is because different ssh cl...

  • Page 635

    1-7 To do: enter public key view. Use the command: public-key peer keyname. Remarks: —. To do: enter public key code view. Use the command: public-key-code begin. Remarks: —. To do: configure a client public key. Use the command: enter the content of the public key. Remarks: required; spaces and carriage returns are allowed between characters. Return from public key code vi...

  • Page 636

    1-8 A user without an ssh account can still pass password authentication and log into the server through stelnet or sftp, as long as the user can pass aaa authentication and the service type is ssh. An ssh server supports up to 1024 ssh users. The service type of an ssh user can be stelnet (se...

  • Page 637

    1-9 To do: enable the ssh server to work with ssh1 clients. Use the command: ssh server compatible-ssh1x enable. Remarks: optional; by default, the ssh server can work with ssh1 clients. To do: set the rsa server key pair update interval. Use the command: ssh server rekey-interval hours. Remarks: optional; 0 by default, that is, the rsa s...

  • Page 638

    1-10 Configuring whether first-time authentication is supported. When the device connects to the ssh server as an ssh client, you can configure whether the device supports first-time authentication. With first-time authentication, when an ssh client not configured with the server host public key ac...

  • Page 640

    1-12 Figure 1-1 switch acts as server for password authentication. Configuration procedure: 1) Configure the ssh server. # Generate rsa and dsa key pairs and enable the ssh server. system-view [switch] public-key local create rsa [switch] public-key local create dsa [switch] ssh server enable # Configu...

  • Page 641

    1-13 Figure 1-2 ssh client configuration interface. In the window shown in figure 1-2, click open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. W...

  • Page 642

    1-14 1) Configure the ssh client. # Generate an rsa key pair. Run puttygen.exe, select ssh-2 rsa and click generate. Figure 1-4 generate a key pair on the client (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in figure 1-5. O...

  • Page 643

    1-15 Figure 1-5 generate a key pair on the client (2). After the key pair is generated, click save public key and specify the file name as key.pub to save the public key. Figure 1-6 generate a key pair on the client (3). Likewise, to save the private key, click save private key. A warning window pops up...

  • Page 644

    1-16 Figure 1-7 save a key pair on the client (4). Then, you need to transmit the public key file to the server through ftp or tftp. 2) Configure the ssh server. # Generate rsa and dsa key pairs and enable the ssh server. system-view [switch] public-key local create rsa [switch] public-key local create dsa...

  • Page 645

    1-17 Figure 1-8 ssh client configuration interface (1). Select connection/ssh/auth from the navigation tree. The following window appears. Click browse… to bring up the file selection window, navigate to the private key file and click ok.

  • Page 646

    1-18 Figure 1-9 ssh client configuration interface (2). In the window shown in figure 1-9, click open. If the connection is normal, you will be prompted to enter the username. After entering the correct username (client002), you can enter the configuration interface. Ssh client configuration examples...

  • Page 647

    1-19 # create an ip address for vlan interface 1, which the ssh client will use as the destination for ssh connection. [switchb] interface vlan-interface 1 [switchb-vlan-interface1] ip address 10.165.87.136 255.255.255.0 [switchb-vlan-interface1] quit # set the authentication mode for the user inter...

  • Page 648

    1-20 0d757262c4584c44c211f18bd96e5f0 [switcha-pkey-key-code]61c4f0a423f7fe6b6b85b34cef72ce14a0d3a5222fe08cece 65be6c265854889dc1edbd13ec8b274 [switcha-pkey-key-code]da9f75ba26ccb987723602787e922ba84421f22c3c89cb9b0 6fd60fe01941ddd77fe6b12893da76e [switcha-pkey-key-code]ebc1d128d97f0678d7722b5341c850...

  • Page 649

    1-21 Configuration procedure. During ssh server configuration, the client public key is required. Therefore, it is recommended that you use the client software to generate a dsa key pair on the client before configuring the ssh server. 1) Configure the ssh client. # Create vlan interface 1 and assign an i...

  • Page 650

    1-22 trying 10.165.87.136 ... Press ctrl+k to abort connected to 10.165.87.136 ... The server is not authenticated. Continue? [y/n]:y do you want to save the server public key? [y/n]:n Later, you will find that you have logged into switch b successfully.

  • Page 651: Sftp Service

    2-1 2 sftp service. When configuring sftp, go to these sections for information you are interested in: sftp overview; configuring an sftp server; configuring an sftp client; sftp client configuration example; sftp server configuration example. Sftp overview: the secure file transfer protocol (sft...

  • Page 652: Configuring An Sftp Client

    2-2 when the device functions as the sftp server, only one client can access the sftp server at a time. If the sftp client uses winscp, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server. Configuring the sftp connec...

  • Page 654

    2-4 Working with sftp files. Sftp file operations include: changing the name of a file; downloading a file; uploading a file; displaying a list of the files; deleting a file. Follow these steps to work with sftp files: To do: enter sftp client view. Use the command: sftp [ ipv6 ] server [...

  • Page 656

    2-6 [switcha] quit Then, you need to transmit the public key file to the server through ftp or tftp. 2) Configure the sftp server. # Generate rsa and dsa key pairs and enable the ssh server. system-view [switchb] public-key local create rsa [switchb] public-key local create dsa [switchb] ssh server e...

  • Page 657

    2-7 /z are you sure to delete it? [y/n]:y this operation may take a long time. Please wait... File successfully removed sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 aug 24 07:39 pubkey drwxr...

  • Page 658

    2-8 Sftp server configuration example. Network requirements: as shown in figure 2-2, an ssh connection is established between the host and the switch. The host, an sftp client, logs into the switch for file management and file transfer. An ssh user uses password authentication with the username being...

  • Page 659

    2-9 There are many kinds of ssh client software. The following takes the psftp of putty version 0.58 as an example. Psftp supports only password authentication. # Establish a connection with the remote sftp server. Run psftp.exe to launch the client interface as shown in figure 2-3, and...

  • Page 660: Table of Contents

    I table of contents: 1 pki configuration 1-1; introduction to pki ...

  • Page 661: Pki Configuration

    1-1 1 pki configuration. When configuring pki, go to these sections for information you are interested in: introduction to pki; pki configuration task list; displaying and maintaining pki; pki configuration examples; troubleshooting pki. Introduction to pki: this section covers these topics: pk...

  • Page 662

    1-2 crl: an existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business. Revoking a certificate removes the binding of the public key with the user identity information. In pki, the revocation is made through certifi...

  • Page 663: Pki Configuration Task List

    1-3 pki repository: a pki repository can be a lightweight directory access protocol (ldap) server or a common database. It stores and manages information like certificate requests, certificates, keys, crls and logs while providing a simple query function. Ldap is a protocol for accessing and managing...

  • Page 664: Configuring An Entity Dn

    1-4 Task / remarks: configuring an entity dn (required); configuring a pki domain (required); submitting a pki certificate request, either submitting a certificate request in auto mode or submitting a certificate request in manual mode (required; use either approach); retrieving a certificate manually (optional); configuring ...

  • Page 665: Configuring A Pki Domain

    1-5 To do: configure the common name for the entity. Use the command: common-name name. Remarks: optional; no common name is specified by default. To do: configure the country code for the entity. Use the command: country country-code-str. Remarks: optional; no country code is specified by default. To do: configure the fqdn for the entity. Use the command: fqdn n...

  • Page 666

    1-6 any certificate. Sometimes, the registration management function is provided by the ca, in which case no independent ra is required. It is recommended that you deploy an independent ra. Url of the registration server: an entity sends a certificate request to the registration server through simple c...

  • Page 667

    1-7 Currently, up to two pki domains can be created on a device. The ca name is required only when you retrieve a ca certificate. It is not used in local certificate requests. Currently, the url of the server for certificate request does not support domain name resolving. Submitting a pki ...

  • Page 668

    1-8 To do: enter system view. Use the command: system-view. Remarks: —. To do: enter pki domain view. Use the command: pki domain domain-name. Remarks: —. To do: set the certificate request mode to manual. Use the command: certificate request mode manual. Remarks: optional; manual by default. To do: return to system view. Use the command: quit. Remarks: —. To do: retrieve a ca certificate manually. Refer to retrieving...

  • Page 669

    1-9 Prepare for certificate verification. Before retrieving a local certificate in online mode, be sure to complete ldap server configuration. Follow these steps to retrieve a certificate manually: To do: enter system view. Use the command: system-view. Remarks: —. Online: pki retrieval-certificate { c...

  • Page 671: Deleting A Certificate

    1-11 Deleting a certificate. When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or ca certificate. Follow these steps to delete a certificate: To do: enter system view. Use the command: system-view. Remarks: —. D...

  • Page 673

    1-13 Subject dn: dn information of the ca, including the common name (cn), organization unit (ou), organization (o), and country (c). The other attributes may be left at their default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuratio...

  • Page 674

    1-14 Apply for certificates. # Retrieve the ca certificate and save it locally. [switch] pki retrieval-certificate ca domain torsa retrieving ca/ra certificates. Please wait a while...... The trusted ca's fingerprint is: md5 fingerprint:ede9 0394 a273 b61a f1b3 0072 a0b1 f9ab sha1 fingerprint: 77f...

  • Page 675

    1-15 d3a5c849 cbde350d 2a1926b7 0ae5ef5e d1d8b08a dbf16205 7c2a4011 05f11094 73eb0549 a65d9e74 0f2953f2 d4f0042f 19103439 3d4f9359 88fb59f3 8d4b2f6c 2b exponent: 65537 (0x10001) x509v3 extensions: x509v3 crl distribution points: uri:http://4.4.4.133:447/myca.crl signature algorithm: sha1withrsaencry...

  • Page 676

    1-16 plug-in installation completes, a url is displayed, which you need to configure on the switch as the url of the server for certificate registration. Modify the certificate service attributes: from the start menu, select control panel > administrative tools > certificate authority. If the ca se...

  • Page 677

    1-17 Apply for certificates. # Retrieve the ca certificate and save it locally. [switch] pki retrieval-certificate ca domain torsa retrieving ca/ra certificates. Please wait a while...... The trusted ca's fingerprint is: md5 fingerprint:766c d2c8 9e46 845b 4dce 439c 1c1f 83ab sha1 fingerprint:97...

  • Page 678

    1-18 x509v3 subject key identifier: b68e4107 91d7c44c 7abce3ba 9bf385f8 a448f4e1 x509v3 authority key identifier: keyid:9d823258 eadfefa2 4a663e75 f416b6f6 d41ee4fe x509v3 crl distribution points: uri:http://l00192b/certenroll/ca%20server.crl uri:file://\\l00192b\certenroll\ca server.crl authority i...

  • Page 679

    1-19 For detailed information about ssl configuration, refer to ssl configuration in the security volume. For detailed information about https configuration, refer to http configuration in the system volume. The pki domain to be referenced by the ssl policy must be created in advance. For de...

  • Page 680: Troubleshooting Pki

    1-20 Troubleshooting pki. Failed to retrieve a ca certificate. Symptom: failed to retrieve a ca certificate. Analysis: possible reasons include these: the network connection is not proper (for example, the network cable may be damaged or loose); no trusted ca is specified; the url of the registrati...

  • Page 681

    1-21 Failed to retrieve crls. Symptom: failed to retrieve crls. Analysis: possible reasons include these: the network connection is not proper (for example, the network cable may be damaged or loose); no ca certificate has been retrieved before you try to retrieve crls; the ip address of ldap serv...

  • Page 682: Table of Contents

    I table of contents: 1 ssl configuration 1-1; ssl overview ...

  • Page 683: Ssl Configuration

    1-1 1 ssl configuration. When configuring ssl, go to these sections for information you are interested in: ssl overview; ssl configuration task list; displaying and maintaining ssl; troubleshooting ssl. Ssl overview: secure sockets layer (ssl) is a security protocol providing secure connection ser...

  • Page 684: Ssl Configuration Task List

    1-2 For details about symmetric key algorithms, the asymmetric key algorithm rsa and digital signature, refer to public key configuration in the security volume. For details about pki, certificate, and ca, refer to pki configuration in the security volume. Ssl protocol stack: as shown in figure 1-2,...

  • Page 685

    1-3 Configuring an ssl server policy. An ssl server policy is a set of ssl parameters for a server to use when booting up. An ssl server policy takes effect only after it is associated with an application layer protocol, for example http. Configuration prerequisites: when configuring an ssl ...

  • Page 686

    1-4 If you enable client authentication here, you must request a local certificate for the client. Currently, ssl mainly comes in these versions: ssl 2.0, ssl 3.0, and tls 1.0, where tls 1.0 corresponds to ssl 3.1. When the device acts as an ssl server, it can communicate with clients running ss...

  • Page 687

    1-5 # Create a pki entity named en, and configure the common name as http-server1 and the fqdn as ssl.security.com. system-view [device] pki entity en [device-pki-entity-en] common-name http-server1 [device-pki-entity-en] fqdn ssl.security.com [device-pki-entity-en] quit # Create a pki domain named...

  • Page 688

    1-6 For details about pki configuration commands, refer to pki commands in the security volume. For details about the public-key local create rsa command, refer to public key commands in the security volume. For details about https, refer to http configuration in the system volume. Configurin...

  • Page 690: Table of Contents

    I table of contents: 1 public key configuration 1-1; asymmetric key algorithm overview ...

  • Page 691: Public Key Configuration

    1-1 1 public key configuration. When configuring public keys, go to these sections for information you are interested in: asymmetric key algorithm overview; configuring the local asymmetric key pair; configuring the public key of a peer; displaying and maintaining public keys; public key config...

  • Page 692

    1-2 Encryption/decryption: the information encrypted with a receiver's public key can be decrypted by the receiver possessing the corresponding private key. This is used to ensure confidentiality. Digital signature: the information encrypted with a sender's private key can be decrypted by anyone...

  • Page 693

    1-3 Configuration of the public-key local create command can survive a reboot. The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. The length of an rsa key modulus is in the range ...

  • Page 694

    1-4 Import it from the public key file: the system automatically converts the public key to a string coded using the pkcs (public key cryptography standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through ftp or tftp. If you cho...

  • Page 695

    1-5 Public key configuration examples. Configuring the public key of a peer manually. Network requirements: device a is authenticated by device b when accessing device b, so the public key of device a should be configured on device b in advance. In this example: rsa is used; the host public key of ...

  • Page 696

    1-6 307c300d06092a864886f70d0101010500036b003068026100999089e7aee9802002d9eb2d0433b87bb6158e 35000afb3ff310e42f109829d65bf70f7712507be1a3e0bc5c2c03faaf00dfddc63d004b4490dacba3cfa9e8 4b9151bdc7eece1c8770d961557d192de2b36caf9974b7b293363bb372771c2c1f0203010001 2) configure device b # configure the hos...

  • Page 697

    1-7 notes: if the key modulus is greater than 512, it will take a few minutes. Press ctrl+c to abort. Input the bits of the modulus[default = 1024]: generating keys... ++++++ ++++++ ++++++++ ++++++++ # display the public keys of the created rsa key pairs. [devicea] display public-key local rsa publi...

  • Page 698

    1-8 password: 230 user logged in. [ftp] binary 200 type set to i. [ftp] put devicea.pub 227 entering passive mode (10,1,1,2,5,148). 125 binary mode data connection already open, transfer starting for /devicea.pub. 226 transfer complete. ftp: 299 byte(s) sent in 0.189 second(s), 1.00kbyte(s)/sec. 4) ...

  • Page 699: Table of Contents

    I table of contents: 1 acl overview 1-1; introduction to acl ...

  • Page 700

    II configuring a basic ipv6 acl 3-1; configuration prerequisites 3-1; configurati...

  • Page 701: Acl Overview

    1-1 1 acl overview. In order to filter traffic, network devices use sets of rules, called access control lists (acls), to identify and handle packets. When configuring acls, go to these chapters for information you are interested in: acl overview; ipv4 acl configuration; ipv6 acl configuration; ...

  • Page 702: Introduction to Ipv4 Acl

    1-2 When an acl is assigned to a piece of hardware and referenced by a qos policy for traffic classification, the switch does not take action according to the traffic behavior definition on a packet that does not match the acl. When an acl is referenced by a piece of software to control telnet, ...

  • Page 703

    1-3 The name of an ipv4 acl must be unique among ipv4 acls. However, an ipv4 acl and an ipv6 acl can share the same name. Ipv4 acl match order: an acl may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts. The match order is...

  • Page 704

    1-4 1) sort rules by source mac address mask first and compare packets against the rule configured with more ones in the source mac address mask. 2) if two rules are present with the same number of ones in their source mac address masks, look at the destination mac address masks. Then, compare packe...

  • Page 705: Introduction to Ipv6 Acl

    1-5 Introduction to ipv6 acl. This section covers these topics: ipv6 acl classification; ipv6 acl naming; ipv6 acl match order; ipv6 acl step; effective period of an ipv6 acl. Ipv6 acl classification: ipv6 acls, identified by acl numbers, fall into three categories, as shown in table 1-2. Table ...

  • Page 706: Acl Application

    1-6 Depth-first match for a basic ipv6 acl. The following shows how your device performs depth-first match in a basic ipv6 acl: 1) sort rules by source ipv6 address prefix first and compare packets against the rule configured with a longer prefix for the source ipv6 address. 2) in case of a tie, comp...

  • Page 707: Ipv4 Acl Configuration

    2-1 2 ipv4 acl configuration. When configuring an ipv4 acl, go to these sections for information you are interested in: creating a time range; configuring a basic ipv4 acl; configuring an advanced ipv4 acl; configuring an ethernet frame header acl; copying an ipv4 acl; displaying and maintaini...

  • Page 708: Configuring A Basic Ipv4 Acl

    2-2 on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on wednesdays between january 1, 2004 00:00 and december 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59...

  • Page 710

    2-4 system-view [sysname] acl number 2000 [sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # verify the configuration. [sysname-acl-basic-2000] display acl 2000 basic acl 2000, named -none-, 1 rule, acl's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) configuring an advanced ipv4 acl ad...

  • Page 712

    2-6 system-view [sysname] acl number 3000 [sysname-acl-adv-3000] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq 80 # verify the configuration. [sysname-acl-adv-3000] display acl 3000 advanced acl 3000, named -none-, 1 rule, acl's step is 5 rule 0 ...

  • Page 713: Copying An Ipv4 Acl

    2-7 Note that: you can only modify the existing rules of an acl that uses the match order of config. When modifying a rule of such an acl, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have...

  • Page 715

    2-9 Configuration procedure. 1) Create a time range for office hours. # Create a periodic time range spanning 8:00 to 18:00 on working days. system-view [switch] time-range trname 8:00 to 18:00 working-day 2) Define an acl to control access to the salary query server. # Configure a rule to control acce...

  • Page 716

    2-10 [switch] interface gigabitethernet 1/0/2 [switch-gigabitethernet1/0/2] qos apply policy p_rd inbound [switch-gigabitethernet1/0/2] quit # apply qos policy p_market to interface gigabitethernet 1/0/3. [switch] interface gigabitethernet 1/0/3 [switch-gigabitethernet1/0/3] qos apply policy p_marke...

  • Page 717: Ipv6 Acl Configuration

    3-1 3 ipv6 acl configuration. When configuring ipv6 acls, go to these sections for information you are interested in: creating a time range; configuring a basic ipv6 acl; configuring an advanced ipv6 acl; copying an ipv6 acl; displaying and maintaining ipv6 acls; ipv6 acl configuration example...

  • Page 718

    3-2 To do: configure a description for the basic ipv6 acl. Use the command: description text. Remarks: optional; by default, a basic ipv6 acl has no acl description. To do: configure a rule description. Use the command: rule rule-id comment text. Remarks: optional; by default, an ipv6 acl rule has no rule description. Note that: you can...

  • Page 719

    3-3 Advanced ipv6 acls are numbered in the range 3000 to 3999. Compared with basic ipv6 acls, they allow more flexible and accurate filtering. Configuration prerequisites: if you want to reference a time range in a rule, define it with the time-range command first. Configuration procedure: follow t...

  • Page 720: Copying An Ipv6 Acl

    3-4 When the acl match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the ids of the rules still remain the same. You can modify the match order of an ipv6 acl with the acl ipv6 number acl6-number [ name acl6-name ] match-o...

  • Page 722

    [Switch] traffic classifier c_rd
    [Switch-classifier-c_rd] if-match acl ipv6 2000
    [Switch-classifier-c_rd] quit
    # Configure traffic behavior b_rd to deny matching packets.
    [Switch] traffic behavior b_rd
    [Switch-behavior-b_rd] filter deny
    [Switch-behavior-b_rd] quit
    # Configure QoS policy p_rd to ...

  • Page 723: Filtering Ipv4 Packets

    4 ACL application for packet filtering
    When applying an ACL for packet filtering, go to these sections for information you are interested in:
    - Filtering IPv4 packets
    - Filtering IPv6 packets
    - ACL application example
    You can apply an ACL to the inbound or outbound direction of an Ethernet interface or V...

  • Page 724: Filtering Ipv6 Packets

    To do… | Use the command… | Remarks
    Exit to system view | quit | —
    Configure the interval for collecting and outputting IPv4 packet filtering logs | acl logging frequence frequence | Required. By default, the interval is 0, that is, no IPv4 packet filtering logs are output.
    - The packet filtering statistics ...

  • Page 725: Acl Application Example

    - The packet filtering statistics are managed and output as device log information by the information center.
    - The packet filtering statistics are of severity level 6, that is, informational. Informational messages are not output to the console by default; therefore, you need to modify t...

  • Page 726

    [DeviceA-acl-basic-2009] quit
    # Apply ACL 2009 to the inbound direction of interface GigabitEthernet 1/0/1.
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound
    # Configure the device to collect and output IPv4 packet filtering logs at an interval o...

  • Page 727: Table of Contents

    Table of Contents
    1 ARP attack protection configuration ... 1-1
    ARP attack protection overview ...

  • Page 728

    1 ARP attack protection configuration
    When configuring ARP attack protection, go to these sections for information you are interested in:
    - Configuring ARP defense against IP packet attacks
    - Configuring ARP packet rate limit
    - Configuring source MAC address based ARP attack detection
    - Configur...

  • Page 729

    Task | Remarks
    Configuring ARP packet source MAC address consistency check | Optional. Configure this function on gateways (recommended).
    Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended).
    User and gateway spoofing prevention: Configuring ARP detection o...

  • Page 730

    Enabling ARP black hole routing
    Follow these steps to configure ARP black hole routing:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable ARP black hole routing | arp resolving-route enable | Optional. Enabled by default.
    Displaying and maintaining ARP source suppression
    To do… us...

  • Page 731

    detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from that MAC address (in filter mode), or only generates an alarm (in monitor mode). A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discar...

  • Page 732: Configuring Arp Detection

    Configuration procedure
    Follow these steps to enable ARP packet source MAC address consistency check:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable ARP packet source MAC address consistency check | arp anti-attack valid-check enable | Required. Disabled by default.
    Configurin...

  • Page 733

    - For information about DHCP snooping, refer to DHCP configuration in the IP Services volume.
    - For information about 802.1X, refer to 802.1X configuration in the Security volume.
    Introduction to ARP detection
    The ARP detection feature allows only the ARP packets of legal clients to be forwarded...

  • Page 734

    3) After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings.
    - If an entry with a matching IP address but a diff...

  • Page 735

    To do… | Use the command… | Remarks
    Configure a static IP-to-MAC binding for ARP detection | arp detection static-bind ip-address mac-address | Optional. Not configured by default. If the ARP attack detection mode is static-bind, you need to configure static IP-to-MAC bindings for ARP detection. During ...

  • Page 736

    - ip: checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP ad...
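    The checks described above (source MAC consistency check, the ip validity-check object, and the user validity check against IP-to-MAC bindings) are easiest to reason about when run over real frames. The following Python script is an added example, not code from the manual or from H3C: it builds Ethernet/ARP frames with struct, applies the checks in the order the manual lists them, and returns the reasons a frame would be discarded. Assumptions: the dst-mac object is applied to replies only, against the Ethernet destination MAC; a sender with no binding at all is treated as not a legal client and discarded; the bindings dictionary stands in for DHCP snooping entries or static bindings. All MACs, IPs and frames are constructed for the example.

```python
import ipaddress
import struct
from typing import Dict, List

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op: int, eth_src: str, eth_dst: str,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/ARP frame. Ethernet-header MACs and ARP-body MACs are passed
    separately so that inconsistent (spoofed) frames can be constructed for the test."""
    body = ARP.pack(1, 0x0800, 6, 4, op, mac(sha), ipaddress.IPv4Address(spa).packed,
                    mac(tha), ipaddress.IPv4Address(tpa).packed)
    return ETH.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + body


def invalid_ip(addr: ipaddress.IPv4Address) -> bool:
    """The ip validity-check object: all-zero, all-one and multicast addresses are invalid."""
    return (addr in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
            or addr.is_multicast)


def arp_detect(frame: bytes, bindings: Dict[str, str]) -> List[str]:
    """Return the reasons an ARP frame would be discarded; an empty list means forward.
    bindings maps sender IP -> MAC (constructed stand-in for DHCP snooping / static bindings)."""
    reasons: List[str] = []
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return ["not-arp"]
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    src_ip, dst_ip = ipaddress.IPv4Address(spa), ipaddress.IPv4Address(tpa)

    # Source MAC consistency check (arp anti-attack valid-check enable):
    # the sender MAC in the ARP body must equal the Ethernet source MAC.
    if sha != eth_src:
        reasons.append("src-mac")
    # dst-mac object (assumption: replies only, target MAC vs Ethernet destination MAC).
    if op == OP_REPLY and tha != eth_dst:
        reasons.append("dst-mac")
    # ip object: source IP of every ARP packet, destination IP of replies as well.
    if invalid_ip(src_ip):
        reasons.append("ip-src")
    if op == OP_REPLY and invalid_ip(dst_ip):
        reasons.append("ip-dst")
    # User validity check: same IP with a different MAC is spoofing; no entry at all
    # means the sender is not a known (legal) client (assumption for this example).
    bound = bindings.get(str(src_ip))
    if bound is None:
        reasons.append("binding-unknown")
    elif mac(bound) != sha:
        reasons.append("binding-mismatch")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed sample traffic: 10.1.1.1 is the gateway, 10.1.1.10 is a client bound
    to 00:11:22:33:44:55, and 00:de:ad:be:ef:00 is an unbound host on the same VLAN."""
    bindings = {"10.1.1.10": "00:11:22:33:44:55"}
    client, rogue, bcast, zero = "00:11:22:33:44:55", "00:de:ad:be:ef:00", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = {
        "legit-request": build_arp(OP_REQUEST, client, bcast, client, "10.1.1.10", zero, "10.1.1.1"),
        # rogue host announces the gateway IP with its own MAC (gateway spoofing)
        "gateway-spoof": build_arp(OP_REPLY, rogue, bcast, rogue, "10.1.1.1", bcast, "10.1.1.1"),
        # rogue host claims the client's IP (user spoofing)
        "user-spoof": build_arp(OP_REPLY, rogue, bcast, rogue, "10.1.1.10", bcast, "10.1.1.10"),
        # client MAC forged in the ARP body while the NIC really sends from the rogue MAC
        "inconsistent-mac": build_arp(OP_REQUEST, rogue, bcast, client, "10.1.1.10", zero, "10.1.1.1"),
        # all-zero sender IP, invalid under the ip object
        "zero-src-ip": build_arp(OP_REQUEST, client, bcast, client, "0.0.0.0", zero, "10.1.1.1"),
    }
    return {name: arp_detect(frame, bindings) for name, frame in frames.items()}
```

    The two spoofing frames pass every packet-validity check and are caught only by the binding lookup, which is why the manual pairs ARP detection with DHCP snooping, 802.1X or static bindings rather than relying on the validity checks alone; the inconsistent-MAC frame, by contrast, is caught by the consistency check even though its ARP body matches a valid binding.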

  • Page 737

    Configuration procedure
    1) Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted).
    2) Configure a DHCP server (the configuration procedure is omitted).
    3) Configure Host A and Host B as DHCP clients (the...

  • Page 738

    - Configure Host A and Host B as local 802.1X access users.
    Figure 1-2 Network diagram for ARP detection configuration
    Configuration procedure
    1) Add all the ports on Switch B into VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A (the configuration procedure is omitted).
    2...

  • Page 739

    # Enable ARP detection based on 802.1X security entries.
    [SwitchB] arp detection mode dot1x

  • Page 740: Manual Version

    High Availability Volume organization
    Manual version: 6W101-20100305
    Product version: Release 2202
    Organization
    The High Availability volume is organized as follows:
    Features | Description
    Smart Link | Smart Link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink n...

  • Page 741

    Features | Description
    DLDP | In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes:
    - DLDP introduction
    - Enabling DLDP
    - Setting DLDP mode
    - Setting the interval for sending advertisement packets
    - Setting t...

  • Page 742: Table of Contents

    Table of Contents
    1 Smart Link configuration ... 1-2
    Smart Link overview ...

  • Page 743: Smart Link Configuration

    1 Smart Link configuration
    When configuring Smart Link, go to these sections for information that you are interested in:
    - Smart Link overview
    - Configuring a Smart Link device
    - Configuring an associated device
    - Displaying and maintaining Smart Link
    - Smart Link configuration examples
    Smart Li...

  • Page 744

    For more information about STP and RRPP, refer to MSTP configuration in the Access volume and RRPP configuration in the High Availability volume. Smart Link is a feature developed to address the slow convergence issue with STP. It provides link redundancy as well as fast convergence in a dual up...

  • Page 745

    Receive control VLAN
    The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwa...

  • Page 746

    configured with role preemption, GE1/0/1 takes over to forward traffic as soon as the former master link recovers, while GE1/0/2 is automatically blocked and placed in the standby state.
    Load sharing mechanism
    A ring network may carry traffic of multiple VLANs. Smart Link can forward traffic of ...

  • Page 747

    A loop may occur on the network during the time when STP is disabled but Smart Link has not yet taken effect on a port.
    Configuring protected VLANs for a Smart Link group
    Follow these steps to configure the protected VLANs for a Smart Link group:
    To do… | Use the command… | Remarks
    Enter system view...

  • Page 749

    - The control VLAN configured for a Smart Link group must be different from that configured for any other Smart Link group.
    - Make sure that the configured control VLAN already exists, and assign the Smart Link group member ports to the control VLAN.
    - The control VLAN of a Smart Link group shou...

  • Page 750

    Configuring an associated device
    Enabling the receiving of flush messages
    You do not need to enable all ports on the associated devices to receive flush messages sent from the transmit control VLAN, only those on the master and slave links between the Smart Link device and the destination device...

  • Page 752

    [DeviceC-mst-region] instance 1 vlan 11 to 20
    [DeviceC-mst-region] instance 2 vlan 21 to 30
    [DeviceC-mst-region] active region-configuration
    [DeviceC-mst-region] quit
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, and configure them as trunk ports that permit VLANs...

  • Page 753

    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] undo stp enable
    [DeviceD-GigabitEthernet1/0/2] port link-type trunk
    [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30
    [DeviceD-GigabitEthernet1/0/2] quit
    # Create Smart Link ...

  • Page 754

    [DeviceE] interface gigabitethernet 1/0/1
    [DeviceE-GigabitEthernet1/0/1] port link-type trunk
    [DeviceE-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
    [DeviceE-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceE-GigabitEthernet1/0/1] quit
    [DeviceE] interface gigabitethernet 1/0/2
    [Devic...

  • Page 755

    You can use the display smart-link flush command to display the flush messages received on each device. For example:
    # Display the flush messages received on Device B.
    [DeviceB] display smart-link flush
    Received flush packets : 5
    Receiving interface of the last flush packet : GigabitEthernet1/0...

  • Page 756

    [DeviceC-mst-region] quit
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, configure the ports as trunk ports, and assign them to VLAN 1 through VLAN 200.
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEtherne...

  • Page 757

    # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports and assign them to VLANs 1 through 200; enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 and configure VLAN 10 and VLAN 101 as the receive control VLANs.
    [DeviceB] interface gigabitethern...

  • Page 758

    [DeviceA-GigabitEthernet1/0/2] smart-link flush enable control-vlan 10 101
    [DeviceA-GigabitEthernet1/0/2] quit
    5) Verifying the configurations
    You can use the display smart-link group command to display the Smart Link group configuration on each device. For example:
    # Display the Smart Link gro...

  • Page 759: Table of Contents

    Table of Contents
    1 Monitor Link configuration ... 1-1
    Overview ...

  • Page 760: Monitor Link Configuration

    1 Monitor Link configuration
    When configuring Monitor Link, go to these sections for information you are interested in:
    - Overview
    - Configuring Monitor Link
    - Displaying and maintaining Monitor Link
    - Monitor Link configuration example
    Overview
    Monitor Link is a port collaboration function. Mon...

  • Page 761: Configuring Monitor Link

    Uplink/downlink ports
    Uplink port and downlink port are two port roles in monitor link groups:
    - Uplink ports refer to the monitored ports. The state of a monitor link group adapts to that of its member uplink ports. When a monitor link group contains no uplink port or all the uplink ports are d...

  • Page 762

    Configuring monitor link group member ports
    You can configure member ports for a monitor link group either in monitor link group view or interface view. The configurations made in these two views lead to the same result.
    In monitor link group view
    Follow these steps to configure member ports for...

  • Page 763

    Monitor Link configuration example
    Network requirements
    As shown in Figure 1-2:
    - VLANs 1 through 10, 11 through 20, and 21 through 30 are mapped to MSTIs 0, 1, and 2 respectively. Traffic of VLANs 1 through 30 on Device C is dual-uplinked to Device A through a Smart Link group.
    - It is require...

  • Page 764

    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] port link-type trunk
    [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
    [DeviceC-GigabitEthernet1/0/1] quit
    [DeviceC] interface gigabitethernet 1/0/2
    [DeviceC-GigabitEthernet1/0/2] undo stp enable
    [DeviceC-G...

  • Page 765

    [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 30
    [DeviceB-GigabitEthernet1/0/1] smart-link flush enable
    [DeviceB-GigabitEthernet1/0/1] quit
    [DeviceB] interface gigabitethernet 1/0/2
    [DeviceB-GigabitEthernet1/0/2] port link-type trunk
    [DeviceB-GigabitEthernet1/0/2] port trunk permit ...

  • Page 766

    Member | Role | Status
    GigabitEthernet1/0/1 | UPLINK | UP
    GigabitEthernet1/0/2 | DOWNLINK | UP
    # Check information about monitor link group 1 on Device D.
    [DeviceD] display monitor-link group 1
    Monitor link group 1 information:
    Group status: DOWN
    Last-up-time: 16:3...

  • Page 767: Table of Contents

    Table of Contents
    1 RRPP configuration ... 1-1
    RRPP overview ...

  • Page 768: Rrpp Configuration

    1 RRPP configuration
    When configuring RRPP, go to these sections for information you are interested in:
    - RRPP overview
    - RRPP configuration task list
    - Creating an RRPP domain
    - Configuring control VLANs
    - Configuring protected VLANs
    - Configuring RRPP rings
    - Activating an RRPP domain
    - Config...

  • Page 769

    Basic concepts in RRPP
    Figure 1-1 RRPP networking diagram
    RRPP domain
    The interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, seco...

  • Page 770

    IP address configuration is prohibited on the control VLAN interfaces.
    2) Data VLAN
    A data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN.
    Node
    Each device on an RRPP ring is referred to as a node. The role of a node is co...

  • Page 771

    Common port and edge port
    The ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2. Devi...

  • Page 772

    RRPPDUs of subrings are transmitted as data packets in the primary ring, while RRPPDUs of the primary ring can only be transmitted within the primary ring.
    RRPP timers
    When RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the H...

  • Page 773

    while sending a Common-Flush-FDB packet to instruct all the transit nodes, the edge nodes and the assistant-edge nodes to update their own MAC entries and ARP/ND entries. After each node updates its own entries, traffic is switched to the normal link.
    Ring recovery
    The master node may find the rin...

  • Page 774

    Typical RRPP networking
    Here are several typical networking applications.
    Single ring
    As shown in Figure 1-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain.
    Figure 1-2 Schematic diagram for a single-ring network
    Tangent rings
    As shown ...

  • Page 775

    Figure 1-4 Schematic diagram for an intersecting-ring network
    Dual homed rings
    As shown in Figure 1-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring...

  • Page 776: Rrpp Configuration Task List

    Figure 1-6 Schematic diagram for a single-ring load balancing network (Domain 1 and Domain 2 over Ring 1, spanning Device A, Device B, Device C and Device D)
    Intersecting-ring load balancing
    In an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 1-7, Ring ...

  • Page 777: Creating An Rrpp Domain

    Complete the following tasks to configure RRPP:
    Task | Remarks
    Creating an RRPP domain | Required. Perform this task on all nodes in the RRPP domain.
    Configuring control VLANs | Required. Perform this task on all nodes in the RRPP domain.
    Configuring protected VLANs | Required. Perform this task on all no...

  • Page 778: Configuring Control Vlans

    Configuring control VLANs
    Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured.
    Follow these steps to configure control VLANs:
    To do… | Use the command…...

  • Page 779: Configuring Rrpp Rings

    Configuring RRPP rings
    When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes.
    - RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggre...

  • Page 781

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter RRPP domain view | rrpp domain domain-id | —
    Specify the current device as a transit node of the ring, and specify the primary port and the secondary port | ring ring-id node-mode transit [ primary-port interface-type interface-num...

  • Page 782: Activating An Rrpp Domain

    Activating an RRPP domain
    To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain.
    Follow these steps to activate an RRPP domain:
    To do… | Use the command… | Remarks
    E...

  • Page 783

    - The Fail timer value must be equal to or greater than three times the Hello timer value.
    - To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node o...

  • Page 784: Rrpp Configuration Examples

    Displaying and maintaining RRPP
    To do… | Use the command… | Remarks
    Display brief RRPP information | display rrpp brief
    Display RRPP group configuration information | display rrpp ring-group [ ring-group-id ]
    Display detailed RRPP information | display rrpp verbose domain domain-id [ ring ring-id ]
    Displ...

  • Page 785

    system-view
    [DeviceA] interface gigabitethernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] undo stp enable
    [DeviceA-GigabitEthernet1/0/1] port link-type trunk
    [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceA-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceA-GigabitEthernet1/0/1] quit
    [...

  • Page 786

    [DeviceB] rrpp domain 1
    [DeviceB-rrpp-domain1] control-vlan 4092
    [DeviceB-rrpp-domain1] protected-vlan reference-instance 0 to 16
    # Configure Device B as the transit node of primary ring 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enabl...

  • Page 787

    Figure 1-9 Network diagram for intersecting rings configuration
    Configuration procedure
    1) Configuration on Device A
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p pre...

  • Page 788

    [DeviceA] rrpp enable
    2) Configuration on Device B
    # Disable STP on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3, configure the ports as trunk ports, assign them to all VLANs, and configure them to trust the 802.1p precedence of the received packets.
    system-view
    [...

  • Page 789

    system-view
    [DeviceC] interface gigabitethernet 1/0/1
    [DeviceC-GigabitEthernet1/0/1] undo stp enable
    [DeviceC-GigabitEthernet1/0/1] port link-type trunk
    [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all
    [DeviceC-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/1] quit
    [...

  • Page 790

    [DeviceD-GigabitEthernet1/0/1] qos trust dot1p
    [DeviceD-GigabitEthernet1/0/1] quit
    [DeviceD] interface gigabitethernet 1/0/2
    [DeviceD-GigabitEthernet1/0/2] undo stp enable
    [DeviceD-GigabitEthernet1/0/2] port link-type trunk
    [DeviceD-GigabitEthernet1/0/2] port trunk permit vlan all
    [DeviceD-Giga...

  • Page 791

    [DeviceE-rrpp-domain1] ring 2 node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 1
    [DeviceE-rrpp-domain1] ring 2 enable
    [DeviceE-rrpp-domain1] quit
    # Enable RRPP.
    [DeviceE] rrpp enable
    6) Verification
    After the configuration, you can use the display c...

  • Page 792

    Configuration procedure
    1) Configuration on Device A
    # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration.
    system-view
    [DeviceA] vlan 10
    [DeviceA-vlan10] quit
    [DeviceA] vlan 20
    [DeviceA-vlan20] quit
    [DeviceA] stp region-configuration
    [Devi...

  • Page 793

    [DeviceA] rrpp domain 2
    [DeviceA-rrpp-domain2] control-vlan 105
    [DeviceA-rrpp-domain2] protected-vlan reference-instance 2
    # Configure Device A as the master node of primary ring 1, with GigabitEthernet 1/0/2 as the primary port and GigabitEthernet 1/0/1 as the secondary port, and enable ring 1....

  • Page 794

    [DeviceB-GigabitEthernet1/0/3] port link-type trunk
    [DeviceB-GigabitEthernet1/0/3] undo port trunk permit vlan 1
    [DeviceB-GigabitEthernet1/0/3] port trunk permit vlan 20
    [DeviceB-GigabitEthernet1/0/3] qos trust dot1p
    [DeviceB-GigabitEthernet1/0/3] quit
    # Disable STP on GigabitEthernet 1/0/4, co...

  • Page 795

    # Enable RRPP.
    [DeviceB] rrpp enable
    3) Configuration on Device C
    # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration.
    system-view
    [DeviceC] vlan 10
    [DeviceC-vlan10] quit
    [DeviceC] vlan 20
    [DeviceC-vlan20] quit
    [DeviceC] stp region-config...

  • Page 796

    [DeviceC-GigabitEthernet1/0/4] port link-type trunk
    [DeviceC-GigabitEthernet1/0/4] undo port trunk permit vlan 1
    [DeviceC-GigabitEthernet1/0/4] port trunk permit vlan 10
    [DeviceC-GigabitEthernet1/0/4] qos trust dot1p
    [DeviceC-GigabitEthernet1/0/4] quit
    # Create RRPP domain 1, configure VLAN 10 ...

  • Page 797

    [DeviceD] vlan 20
    [DeviceD-vlan20] quit
    [DeviceD] stp region-configuration
    [DeviceD-mst-region] instance 1 vlan 10
    [DeviceD-mst-region] instance 2 vlan 20
    [DeviceD-mst-region] active region-configuration
    [DeviceD-mst-region] quit
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2,...

  • Page 798

    [DeviceD-rrpp-domain2] quit
    # Enable RRPP.
    [DeviceD] rrpp enable
    5) Configuration on Device E
    # Create VLAN 20, map VLAN 20 to MSTI 2, and activate MST region configuration.
    system-view
    [DeviceE] vlan 20
    [DeviceE-vlan20] quit
    [DeviceE] stp region-configuration
    [DeviceE-mst-region] instance 2 vl...

  • Page 799

    system-view
    [DeviceF] vlan 10
    [DeviceF-vlan10] quit
    [DeviceF] stp region-configuration
    [DeviceF-mst-region] instance 1 vlan 10
    [DeviceF-mst-region] active region-configuration
    [DeviceF-mst-region] quit
    # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, configure the two ports as ...

  • Page 800: Troubleshooting

    [DeviceC-rrpp-ring-group1] domain 2 ring 2
    [DeviceC-rrpp-ring-group1] domain 1 ring 3
    8) Verification
    After the configuration, you can use the display command to view RRPP configuration and operational information on each device.
    Troubleshooting
    Symptom: when the link state is normal, the maste...

  • Page 801: Table of Contents

    Table of Contents
    1 DLDP configuration ... 1-1
    Overview ...

  • Page 802: Dldp Configuration

    1 DLDP configuration
    When performing DLDP configuration, go to these sections for information you are interested in:
    - Overview
    - DLDP configuration task list
    - Enabling DLDP
    - Setting DLDP mode
    - Setting the interval for sending advertisement packets
    - Setting the DelayDown timer
    - Setting the ...

  • Page 803

    Figure 1-1 Correct and incorrect fiber connections (panels: correct fiber connection; unidirectional connection type 1, cross-connected fibers; unidirectional connection type 2, one fiber of a fiber pair is not connected or is broken; ports GE1/0/50 and GE1/0/51 between Device A and Device B)...

  • Page 804

    State | Indicates…
    Advertisement | All neighbors are bi-directionally reachable or DLDP has been in Active state for more than five seconds. This is a relatively stable state where no unidirectional link has been detected.
    Probe | DLDP enters this state if it receives a packet from an unknown neighbor...

  • Page 805

    DLDP timer | Description
    Enhanced timer | In the enhanced mode, this timer is triggered if no packet is received from a neighbor when the entry aging timer expires. The enhanced timer is set to 1 second. After the enhanced timer is triggered, the device sends up to eight probe packets to the neighbor at...

  • Page 806

    Figure 1-2 A scenario for the enhanced DLDP mode (GE1/0/50 up on Device A, GE1/0/50 down on Device B; Ethernet optical port Tx end and Rx end; fiber link unconnected or broken fiber)
    - In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected.
    - In enhan...

  • Page 807

    Table 1-4 DLDP packet types and DLDP states
    DLDP state | Type of DLDP packets sent
    Active | Advertisement packet with RSY tag
    Advertisement | Normal advertisement packet
    Probe | Probe packet
    Disable | Disable packet and RecoverProbe packet
    When a device transits from a DLDP state other than Inactive state...

  • Page 808

    Packet type | Processing procedure
    ... | If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the entry timer, and transits to Probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet.
    Ech...

  • Page 809: Dldp Configuration Task List

    The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor informati...

  • Page 810: Enabling Dldp

    - For DLDP to work properly, enable DLDP on both sides and make sure these settings are consistent: the interval for sending advertisement packets, DLDP authentication mode, and password.
    - DLDP does not process any Link Aggregation Control Protocol (LACP) events. The links in an aggregation are...

  • Page 811: Setting The Delaydown Timer

    - Enhanced mode: in this mode, DLDP actively detects neighbors when the corresponding neighbor entries age out. The system can thus identify two types of unidirectional links: cross-connected fibers and disconnected fibers.
    Follow these steps to set DLDP mode:
    To do… | Use the command… | Remarks
    En...

  • Page 812

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Set the DelayDown timer | dldp delaydown-timer time | Optional. 1 second by default. The DelayDown timer setting applies to all DLDP-enabled ports.
    Setting the port shutdown mode
    On detecting a unidirectional link, the ports can be shut down...

  • Page 813: Resetting Dldp State

    Configuring DLDP authentication
    You can guard your network against attacks and malicious probes by configuring an appropriate DLDP authentication mode, which can be clear text authentication or MD5 authentication. If your network is safe, you can choose not to authenticate. Clear text authentication only protects against misconfiguration: anyone who can capture DLDP packets on the link reads the password, so prefer MD5 authentication wherever the link itself is not physically trusted.
    Follow these steps to ...

  • Page 814: Dldp Configuration Example

    Resetting DLDP state in port view/port group view
    Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down by DLDP.
    Follow these steps to reset DLDP state in port view/port group view:
    To do… | Use the command… | Remarks
    Enter sys...

  • Page 815

    Configuration procedure
    1) Configuration on Device A
    # Enable DLDP globally and then on GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 respectively.
    system-view
    [DeviceA] dldp enable
    [DeviceA] interface gigabitethernet 1/0/50
    [DeviceA-GigabitEthernet1/0/50] dldp enable
    [DeviceA-GigabitEtherne...

  • Page 816

    DLDP global status : enable
    DLDP interval : 6s
    DLDP work-mode : enhance
    DLDP authentication-mode : none
    DLDP unidirectional-shutdown : auto
    DLDP delaydown-timer : 2s
    The number of enabled ports is 2.
    Interface GigabitEthernet1/0/50
    DLDP port state : disable
    DLDP link state : down
    The neighbor n...

  • Page 817: Troubleshooting

    Neighbor port index : 59
    Neighbor state : two way
    Neighbor aged time : 11
    The output information indicates that both GigabitEthernet 1/0/50 and GigabitEthernet 1/0/51 are in Advertisement state and the links are up, which means unidirectional links are not detected and the two ports are restore...

  • Page 818: Table of Contents

    Table of Contents
    1 Ethernet OAM configuration ... 1-1
    Ethernet OAM overview ...

  • Page 819: Ethernet Oam Configuration

    1 Ethernet OAM configuration
    When configuring the Ethernet OAM function, go to these sections for information you are interested in:
    - Ethernet OAM overview
    - Ethernet OAM configuration task list
    - Configuring basic Ethernet OAM functions
    - Configuring link monitoring
    - Enabling OAM remote loopb...

  • Page 820

    Figure 1-1 Formats of different types of Ethernet OAMPDUs
    The fields in an OAMPDU are described as follows:
    Table 1-1 Description of the fields in an OAMPDU
    Field | Description
    Dest addr | Destination MAC address of the Ethernet OAMPDU. It is a slow protocol multicast address 0180c2000002. As slow p...

  • Page 821

    Table 1-2 Functions of different types of OAMPDUs
    OAMPDU type | Function
    Information OAMPDU | Used for transmitting state information of an Ethernet OAM entity (including the information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and main...

  • Page 822

    - OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers.
    - No OAM connection can be established between OAM entities operating in passive OAM mode.
    After an Etherne...

  • Page 823

    1-5 The system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in the specific period, that is, the system takes the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this...

  • Page 824

    1-6 non-OAMPDUs to its peer. After receiving these PDUs, the peer does not forward them according to their destination addresses. Instead, it returns them to the sender along the original path. Remote loopback enables you to check the link status and locate link failures. Performing remote loopback ...

  • Page 825: Configuring Link Monitoring

    1-7 To change the Ethernet OAM operating mode on an Ethernet OAM-enabled port, you need to first disable Ethernet OAM on the port. Configuring link monitoring: after Ethernet OAM connections are established, the link monitoring periods and thresholds configured in this section take effect on all Ethe...

  • Page 826: Enabling Oam Remote Loopback

    1-8 Configuring errored frame period event detection: an errored frame period event occurs if the number of frame errors in a specific number of received frames exceeds the predefined threshold. Follow these steps to configure errored frame period event detection: To do… / Use the command… / Remarks: enter ...

  • Page 827

    1-9 To do… / Use the command… / Remarks: enter Ethernet port view: interface interface-type interface-number (—); enable Ethernet OAM remote loopback: oam loopback (required; disabled by default). Because enabling Ethernet OAM remote loopback impacts other services, use this function with caution. Ethernet OAM...

  • Page 828

    1-10 To do… / Use the command… / Remarks: clear statistics on Ethernet OAM packets and Ethernet OAM link error events: reset oam [ interface interface-type interface-number ] (available in user view only). Ethernet OAM configuration example. Network requirements: enable Ethernet OAM on Device A and Device B ...

  • Page 829

    1-11 [devicea] display oam configuration configuration of the link event window/threshold : -------------------------------------------------------------------------- errored-symbol event period(in seconds) : 1 errored-symbol event threshold : 1 errored-frame event period(in seconds) : 20 errored-fr...

  • Page 830: Table of Contents

    I Table of Contents: 1 CFD configuration 1-1; Overview ...

  • Page 831: Cfd Configuration

    1-1 1 CFD configuration. When configuring CFD, go to these sections for information you are interested in: overview; CFD configuration task list; basic configuration tasks; configuring CC on MEPs; configuring LB on MEPs; configuring LT on MEPs; displaying and maintaining CFD; CFD configurati...

  • Page 832

    1-2 Figure 1-1 Two nested MDs. CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to rapidly locate failure points. Maintenance association: a maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is ...

  • Page 833

    1-3 As shown in Figure 1-2, an outward-facing MEP sends packets to its host port. Figure 1-3 Inward-facing MEP. As shown in Figure 1-3, an inward-facing MEP does not send packets to its host port. Rather, it sends packets to other ports on the device. MIP: a MIP is internal to an MD. It cannot sen...

  • Page 834: Cfd Configuration Task List

    1-4 CFD functions: CFD works effectively only in properly configured networks. Its functions, which are implemented through the MPs, include: continuity check (CC); loopback (LB); linktrace (LT). Continuity check: continuity check is responsible for checking the connectivity between MEPs. Connectiv...

  • Page 835: Basic Configuration Tasks

    1-5 Tasks / Remarks: basic configuration tasks (required; these configurations are the foundation for other configuration tasks); configuring CC on MEPs (required; configuring the MEPs to send CCMs to manage link connectivity); configuring LB on MEPs (optional; checking link state by testing link connectivity) c...

  • Page 836

    1-6 To do... / Use the command... / Remarks: create an MD: cfd md md-name level level-value (required; not created by default); create an MA: cfd ma ma-name md md-name vlan vlan-id (required; not created by default); create a service instance: cfd service-instance instance-id md md-name ma ma-name (required; not crea...

  • Page 838: Configuring Lb On Meps

    1-8 To do... / Use the command... / Remarks: enable CCM sending on a MEP: cfd cc service-instance instance-id mep mep-id enable (required; disabled by default). The relationship between the interval field value in the CCM messages, the interval between CCM messages and the timeout time of the remote MEP is il...

  • Page 839

    1-9 To implement the first function, the specified MEP first sends LTM messages to the target MEP. Based on the LTR messages in response to the LTM messages, the path between the two MEPs can be identified. In the latter case, after LT messages automatic sending is enabled, if a MEP fails to rec...

  • Page 840: Cfd Configuration Examples

    1-10 To do... / Use the command... / Remarks: display LTR information received by a MEP: display cfd linktrace-reply [ service-instance instance-id [ mep mep-id ] ] (available in any view); display the information of a remote MEP: display cfd remote-mep service-instance instance-id mep mep-id (available in any v...

  • Page 841

    1-11 [devicea] cfd enable [devicea] cfd md md_a level 5 [devicea] cfd ma ma_md_a md md_a vlan 100 [devicea] cfd service-instance 1 md md_a ma ma_md_a 2) configuration on device c system-view [devicec] cfd enable [devicec] cfd md md_b level 3 [devicec] cfd ma ma_md_b md md_b vlan 100 [devicec] cfd se...

  • Page 842

    1-12 figure 1-6 network diagram of md and mep configuration configuration procedure 1) on device a system-view [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] cfd mep 1001 service-instance 1 inbound [devicea-gigabitethernet1/0/1] cfd remote-mep 5001 service-instance 1 mep 10...

  • Page 843

    1-13 [devicee-gigabitethernet1/0/4] cfd remote-mep 1001 service-instance 1 mep 5001 [devicee-gigabitethernet1/0/4] cfd remote-mep 4002 service-instance 1 mep 5001 [devicee-gigabitethernet1/0/4] cfd mep service-instance 1 mep 5001 enable [devicee-gigabitethernet1/0/4] cfd cc service-instance 1 mep 50...

  • Page 844

    1-14 Configuring LB on MEPs. Network requirements: use the LB function to trace the fault source after CC detects a link fault. As shown in Figure 1-6, enable LB on Device A so that Device A can send LBM messages to MEPs on Device D. Configuration procedure: # Configure Device A. system-view [devicea] ...

  • Page 845: Table of Contents

    I Table of Contents: 1 Track configuration 1-1; Track overview ...

  • Page 846: Track Configuration

    1-1 1 Track configuration. When configuring Track, go to these sections for information you are interested in: Track overview; Track configuration task list; configuring collaboration between the Track module and the detection modules; configuring collaboration between the Track module and the a...

  • Page 847: Detection Modules

    1-2 If the probe succeeds, the status of the corresponding track object is positive; if the probe fails, the status of the corresponding track object is negative. If the probe result is invalid (for example, the NQA test group collaborating with the track entry does not exist), the status of th...

  • Page 848: Application Modules

    1-3 To do… / Use the command… / Remarks: create a track object and associate it with the specified reaction entry of the NQA test group: track track-entry-number nqa entry admin-name operation-tag reaction item-number (required; no track object is created by default). When you configure a track object, the s...

  • Page 849: Track Configuration Examples

    1-4 For the configuration of Track-static routing collaboration, the specified static route can be an existent or nonexistent one. For an existent static route, the static route and the specified track object are associated directly; for a nonexistent static route, the system creates the static ro...

  • Page 850

    1-5 Configuration procedure: 1) Configure the IP address of each interface as shown in Figure 1-2. 2) Configure a static route on Switch A and associate it with the track object. # Configure the address of the next hop of the static route to Switch C as 10.2.1.1, and configure the static route to as...

  • Page 851

    1-6 destination/mask proto pre cost nexthop interface 10.1.1.0/24 static 60 0 10.2.1.1 vlan3 10.2.1.0/24 direct 0 0 10.2.1.2 vlan3 10.2.1.2/32 direct 0 0 127.0.0.1 inloop0 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 the output information above indicates the nq...

  • Page 852: System Volume Organization

    System volume organization. Manual version: 6W101-20100305. Product version: Release 2202. Organization: the System volume is organized as follows: Features / Description: Login: upon logging in to a device, you can configure user interface properties and manage the system conveniently. This document describes...

  • Page 853

    Features / Description: File system management: a major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory, and opening a file. This document describes: file system management; configurat...

  • Page 854

    Features / Description: PoE: the Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes: PoE overview; configuring the PoE interface; configuring PoE power management; config...

  • Page 855

    Features / Description: IRF: Intelligent Resilient Framework (IRF) allows you to build an IRF, namely a united device, by interconnecting multiple devices through IRF ports. You can manage all the devices in the IRF by managing the united device. This document describes: IRF overview; IRF working pro...

  • Page 856: Table of Contents

    I Table of Contents: 1 Logging in to an Ethernet switch 1-1; Logging in to an Ethernet switch ...

  • Page 857

    II Configuration procedure 4-3; Command accounting configuration example 4-4; Network diagram ...

  • Page 858

    1-1 1 Logging in to an Ethernet switch. When logging in to an Ethernet switch, go to these sections for information you are interested in: logging in to an Ethernet switch; introduction to user interface; specifying source for Telnet packets; controlling login users. Logging in to an Ethernet swi...

  • Page 859

    1-2 Users and user interfaces: a device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces do not associate with specific users. When the user initiates a connection request, based on the login type the system automatic...

  • Page 861: Introduction

    2-1 2 Logging in through the console port. When logging in through the console port, go to these sections for information you are interested in: introduction; setting up the connection to the console port; console port login configuration; console port login configuration with authentication mod...

  • Page 862

    2-2 If you use a PC to connect to the console port, launch a terminal emulation utility (such as HyperTerminal in Windows 9x/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the parameters of a terminal are co...

  • Page 863

    2-3 Figure 2-4 Set port parameters (terminal window). Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key. You can then configure the switch or check t...

  • Page 865: None

    2-5 Authentication mode / Console port login configuration / Description: perform common configuration: perform common configuration for console port login (optional; refer to Common configuration for details). Specify to perform local authentication or RADIUS authentication: AAA configuration: specifies wheth...

  • Page 866

    2-6 Configuration example. Network requirements: assume the switch is configured to allow you to log in through Telnet, and your user level is set to the administrator level (level 3). After you telnet to the switch, you need to limit the console user in the following aspects: the user is not authent...

  • Page 867: Password

    2-7 [sysname-ui-aux0] idle-timeout 6 After the above configuration, to ensure a successful login, the console user needs to change the corresponding configuration of the terminal emulation program running on the PC, to make the configuration consistent with that on the switch. Refer to Setting up th...

  • Page 868

    2-8 Network diagram: Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password). Configuration procedure: # Enter system view. system-view # Enter AUX user interface view. [sysname] user-interface aux 0 # Specify to authenticate the user logging in th...

  • Page 869: Scheme

    2-9 Console port login configuration with authentication mode being scheme. Configuration procedure: follow these steps to perform console port login configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: enter system view: system-view (—); enter AUX user interface view: us...

  • Page 870

    2-10 Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command. When th...

  • Page 871

    2-11 # Create a local user named guest and enter local user view. [sysname] local-user guest # Set the authentication password to 123456 (in plain text). [sysname-luser-guest] password simple 123456 # Set the service type to terminal. [sysname-luser-guest] service-type terminal [sysname-luser-guest]...

  • Page 872

    2-12 Follow these steps to enable command authorization: To do… / Use the command… / Remarks: enter system view: system-view (—); enter AUX user interface view: user-interface aux 0 (—); enable command authorization: command authorization (required; disabled by default, that is, users can execute commands without a...

  • Page 873: Logging In Through Telnet

    3-1 3 Logging in through Telnet/SSH. Logging in through Telnet: when logging in through Telnet, go to these sections for information you are interested in: introduction; Telnet connection establishment; Telnet login configuration with authentication mode being none; Telnet login configuration wit...

  • Page 874

    3-2 # Enable the Telnet server function and configure the IP address of the management VLAN interface as 202.38.160.92 and the subnet mask as 255.255.255.0. system-view [sysname] telnet server enable [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 202.38.160.92 255.255.25...

  • Page 875

    3-3 Step 6: after successfully telnetting to a switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? at any time for help. Refer to the following chapters for the information about the commands. A Telnet connection...

  • Page 876

    3-4 Common configuration: Table 3-2 lists the common Telnet configuration. Table 3-2 Common Telnet configuration: Configuration / Remarks: enter system view: system-view (—); make the switch operate as a Telnet server: telnet server enable (by default, a switch does not operate as a Telnet server); enter one ...

  • Page 877

    3-5 Table 3-3 Telnet login configuration tasks when different authentication modes are adopted. Task / Description: Telnet login configuration with authentication mode being none: configure not to authenticate users logging in to user interfaces; Telnet login configuration with authentication mode being pass...

  • Page 878

    3-6 Figure 3-4 Network diagram for Telnet configuration (with the authentication mode being none). 3) Configuration procedure: # Enter system view, and enable the Telnet service. system-view [sysname] telnet server enable # Enter VTY 0 user interface view. [sysname] user-interface vty 0 # Configure no...

  • Page 879

    3-7 Note that if you configure to authenticate the users in the password mode, the command level available to users logging in to a switch depends on both the authentication-mode password command and the user privilege level level command. Configuration example: 1) Network requirements: assume that yo...

  • Page 880

    3-8 Telnet login configuration with authentication mode being scheme. Configuration procedure: follow these steps to perform Telnet configuration (with authentication mode being scheme): To do… / Use the command… / Remarks: enter system view: system-view (—); enter one or more VTY user interface views: user-int...

  • Page 881

    3-9 When the RADIUS or HWTACACS authentication mode is used, the user levels are set on the corresponding RADIUS or HWTACACS servers. For more information about AAA, RADIUS, and HWTACACS, see AAA configuration in the Security volume. Configuration example: 1) Network requirements: assume that you are...

  • Page 882: Logging In Through Ssh

    3-10 # Configure to authenticate users logging in to VTY 0 in the scheme mode. [sysname-ui-vty0] authentication-mode scheme # Configure the Telnet protocol to be supported. [sysname-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can contain to 30. [sysname-ui-vty0] screen-len...

  • Page 883

    3-11 To do… / Use the command… / Remarks: enable command authorization: command authorization (required; disabled by default, that is, users can execute commands without authorization). Configuring command accounting: command accounting allows the HWTACACS server to record all commands executed on the device ...

  • Page 884

    4-1 4 User interface configuration examples. User authentication configuration example. Network diagram: as shown in Figure 4-1, command levels should be configured for different users to secure the device: the device administrator accesses Device through the console port on Host A. When the administrat...

  • Page 885

    4-2 [device-ui-vty0-4] quit # Create a RADIUS scheme and configure the IP address and UDP port for the primary authentication server for the scheme. Ensure that the port number is consistent with that on the RADIUS server. Set the shared key for authentication packets to expert for the scheme and th...

  • Page 886

    4-3 Configuration procedure: # Assign an IP address to Device so that Device is reachable from Host A and the HWTACACS server respectively. The configuration is omitted. # Enable the Telnet service on Device. system-view [device] telnet server enable # Set to use username and password authentication when...

  • Page 887

    4-4 Command accounting configuration example. Network diagram: as shown in Figure 4-3, configure the commands that the login users execute to be recorded on the HWTACACS server to control and monitor user operations. Figure 4-3 Network diagram for configuring command accounting (Internet, console conne...

  • Page 888

    4-5 [device-radius-rad] quit # Create ISP domain system, and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users. [device] domain system [device-isp-system] accounting command hwtacacs-scheme tac [device-isp-system] quit

  • Page 889: Management System

    5-1 5 Logging in through Web-based network management system. Introduction: an S5120-EI series switch has a built-in Web server. You can log in to an S5120-EI series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to an...

  • Page 890: Displaying Web Users

    5-2 To do… / Use the command… / Remarks: configure the authorization attributes for the local user: authorization-attribute level level (optional; by default, no authorization attribute is configured for a local user); specify the service types for the local user: service-type telnet (optional; by default, no s...

  • Page 891

    5-3 Step 4: log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82). (Make sure the route between the Web-based network management terminal and the switc...

  • Page 892: Logging In Through Nms

    6-1 6 Logging in through NMS. When logging in through NMS, go to these sections for information you are interested in: introduction; connection establishment using NMS. Introduction: you can also log in to a switch through an NMS (network management station), and then configure and manage the switch...

  • Page 893: Introduction

    7-1 7 Specifying source for Telnet packets. When specifying source IP address/interface for Telnet packets, go to these sections for information you are interested in: introduction; specifying source IP address/interface for Telnet packets; displaying the source IP address/interface specified for...

  • Page 895: Controlling Login Users

    8-1 8 Controlling login users. When controlling login users, go to these sections for information you are interested in: introduction; controlling Telnet users; controlling network management users by source IP addresses. Introduction: multiple ways are available for controlling different types of ...

  • Page 897

    8-3 Controlling Telnet users by source MAC addresses: this configuration needs to be implemented by a Layer 2 ACL; a Layer 2 ACL ranges from 4000 to 4999. For the definition of ACL, refer to ACL configuration in the Security volume. Follow these steps to control Telnet users by source MAC addresses: To...

  • Page 898

    8-4 Configuration procedure: # Define a basic ACL. system-view [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [sysname-acl-basic-2000] rule 3 deny source any [sysname-acl-basic-20...

  • Page 900

    8-6 Controlling Web users by source IP addresses: the S5120-EI series Ethernet switches support Web-based remote management, which allows Web users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you can control the access of Web users to the switches. Prer...

  • Page 901

    8-7 Figure 8-3 Configure an ACL to control the access of HTTP users to the switch (Switch 10.110.100.46, Host A, IP network, Host B 10.110.100.52). Configuration procedure: # Create a basic ACL. system-view [sysname] acl number 2030 match-order config [sysname-acl-basic-2030] rule 1 permit source 10.110.10...

  • Page 902: Table of Contents

    I Table of Contents: 1 Basic configurations 1-1; Configuration display ...

  • Page 903: Basic Configurations

    1-1 1 Basic configurations. While performing basic configurations of the system, go to these sections for information you are interested in: configuration display; entering system view; exiting the current view; exiting to user view; configuring the device name; configuring the system clock; ...

  • Page 904: Entering System View

    1-2 To do… / Use the command… / Remarks: display the configuration saved on the storage media of the device: display saved-configuration [ by-linenum ] (for details of the display saved-configuration command, refer to File system management commands in the System volume). Entering system view: after you log i...

  • Page 905: Configuring The Device Name

    1-3 To do… / Use the command… / Remarks: exit to user view: return (required; available in any view except user view). Configuring the device name: the device name is used to identify a device in a network. Inside the system, the device name corresponds to the prompt of the CLI. For example, if the device name...

  • Page 906

    1-4 original system clock. If you combine these three commands in different ways, the system clock is displayed in the ways shown in Table 1-1. The meanings of the parameters in the Configuration column are as follows: 1 indicates date-time has been configured with the clock datetime command; 2 indicat...

  • Page 907

    1-5 Configuration / System clock displayed by the display clock command / Example: configure clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:30 2007/1/1; display: 23:30:00 UTC Sun 12/31/2006. date-time is in the daylight saving time range: if the value of “date-time” - “sum...

  • Page 908: Configuring A Banner

    1-6 Enabling/disabling the display of copyright information: with the display of copyright information enabled, the copyright information is displayed when a user logs in through Telnet or SSH, or when a user quits user view after logging in to the device through the console port, AUX port, or VTY ...

  • Page 909: Configuring Cli Hotkeys

    1-7 Configuring a banner: when you configure a banner, the system supports two input modes. One is to input all the banner information right after the command keywords. The start and end characters of the input text must be the same but are not part of the banner information. In this case, the input ...

  • Page 910

    1-8 By default, the Ctrl+G, Ctrl+L and Ctrl+O hotkeys are configured with command lines and the Ctrl+T and Ctrl+U hotkeys are null. Ctrl+G corresponds to the display current-configuration command. Ctrl+L corresponds to the display ip routing-table command. Ctrl+O corresponds to the undo debugg...

  • Page 911: Configuring Command Aliases

    1-9 These hotkeys are defined by the device. When you interact with the device from terminal software, these keys may be defined to perform other operations. If so, the definition of the terminal software will dominate. Configuring command aliases: you can replace the first keyword of a command suppo...

  • Page 912

    1-10 levels, which are visit, monitor, system, and manage from low to high, and identified respectively by 0 through 3. Table 1-3 describes the levels of the commands. Table 1-3 Default command levels: Level / Privilege / Description: 0 visit: involves commands for network diagnosis and commands for access...

  • Page 913

    1-11 To do… / Use the command… / Remarks: using local authentication: use the local-user command to create a local user and enter local user view; use the level keyword in the authorization-attribute command to configure the user level. Configure the user privilege level by using AAA authentication pa...

  • Page 914

    1-12 Follow these steps to configure the user privilege level under a user interface (SSH publickey authentication type): To do… / Use the command… / Remarks: configure the authentication type for SSH users as publickey (for the details, refer to SSH2.0 configuration in the Security volume; required if u...

  • Page 915

    1-13 [sysname-ui-vty0-4] user privilege level 1 By default, when users telnet to the device, they can only use the following commands after passing the authentication: ? User view commands: cluster run cluster command display display current system information ping ping function quit exit from curre...

  • Page 916

    1-14 Switching user privilege level: users can switch their user privilege level temporarily without logging out and disconnecting the current connection; after the switch, users can continue to configure the device without the need of relogin and reauthentication, but the commands that they can exec...

  • Page 917

    1-15 Modifying command level: all the commands in a view are defaulted to different levels, as shown in Table 1-3. The administrator can modify the command level based on users' needs, to let users of a lower level use commands with a higher level or to improve device security. Follow these steps to mo...

  • Page 918

    1-16 For the detailed description of the display users command, refer to Login commands in the System volume. Support for the display configure-user and display current-configuration commands depends on the device model. The display commands discussed above are for the global configuration. Ref...

  • Page 919: Cli Features

    2-1 2 CLI features. This section covers the following topics: introduction to CLI; online help with command lines; synchronous information output; undo form of a command; editing features; CLI display; saving history commands; command line error information. Introduction to CLI: CLI is an inter...

  • Page 920

    2-2 bootrom update/read/backup/restore bootrom cd change current directory clock specify the system clock cluster run cluster command copy copy from one file to another debugging enable system debugging functions delete delete a file dir list files on a file system display show running system inform...

  • Page 921: Undo Form of A Command

    2-3 You can use the info-center synchronous command to enable synchronous information output. For the detailed description of this function, refer to Information center configuration in the System volume. Undo form of a command: adding the keyword undo can form an undo command. Almost every configura...

  • Page 922: Cli Display

    2-4 CLI display: by filtering the output information, you can find the wanted information effectively. If there is a lot of information to be displayed, the system displays the information in multiple screens. When the information is displayed in multiple screens, you can also filter the output infor...

  • Page 923

    2-5 Character / Meaning / Remarks: - : hyphen. It connects two values (the smaller one before it and the bigger one after it) to indicate a range together with [ ]. For example, “1-9” means numbers from 1 to 9 (inclusive); “a-h” means from a to h (inclusive). [ ] : a range of characters, matches any characte...

  • Page 924: Saving History Commands

    2-6 Character / Meaning / Remarks: \ : escape character. If single special characters listed in this table follow \, the specific meanings of the characters will be removed. For example, “\\” can match a string containing “\”, “\^” can match a string containing “^”, and “\\b” can match a string containing ...

  • Page 925

    2-7 needed. By default, the CLI can save up to ten commands for each user. You can use the history-command max-size command to set the capacity of the history commands buffer for the current user interface (for the detailed description of the history-command max-size command, refer to Login commands...

  • Page 927: Table of Contents

    I Table of Contents: 1 Device Management 1-1; Device Management Overview ...

  • Page 928: Device Management

    1-1 1 Device Management. When configuring device management, go to these sections for information you are interested in: • device management overview • device management configuration task list • configuring the exception handling method • rebooting a device • configuring the scheduled automatic exec...

  • Page 929: Rebooting A Device

    1-2 • maintain: the system maintains the current situation and does not take any measure to recover itself. Therefore, you need to recover the system manually, for example by rebooting the system. Sometimes, it is difficult for the system to recover, or some prompts that are printed during the failure are l...

  • Page 930

    1-3 • Use the save command to save the current configuration before you reboot the device to avoid configuration loss. (For details of the save command, refer to File System Management Configuration in the System Volume.) • Use the display startup command and the display boot-loader command to verif...

  • Page 931: Upgrading Device Software

    1-4 • After the specified automatic execution time is reached, the system executes the specified command in the background without displaying any information except system information such as log, trap and debug. • The system does not require any interactive information when it is executing the spec...

  • Page 932

    1-5 the boot rom program and system boot file can both be upgraded through the boot rom menu or command lines. The following sections describe the upgrading through command lines. For instructions about how to upgrade them through the boot rom menu, refer to the installation menu of your device. Upg...

  • Page 933: Disabling Boot Rom Access

    1-6 • To execute the boot-loader command successfully, you must save the file for the next device boot under the root directory of the storage media on a member device. • The names of the files for the next boot of the master and slaves may be different, but the versions of the files must be the sam...

  • Page 934

    1-7 Clearing the 16-bit interface indexes not used in the current system. In practical networks, the network management software requires the device to provide a uniform, stable 16-bit interface index. That is, a one-to-one relationship should be kept between the interface name and the interface inde...

  • Page 935

    1-8 Transceiver type | Application environment | Can be an optical transceiver | Can be an electrical transceiver. GBIC (gigabit interface converter) | generally used for 1000M Ethernet interfaces | yes | yes. XFP (10-gigabit small form-factor pluggable) | generally used for 10G Ethernet interfaces ...

  • Page 936

    1-9 To do… | Use the command… | Remarks. Display the current alarm information of the pluggable transceiver(s) | display transceiver alarm interface [ interface-type interface-number ] | available for all pluggable transceivers. Display the currently measured value of the digital diagnosis parameters of the ...

  • Page 937

    1-10 Device management configuration examples. Remote scheduled automatic upgrade configuration example (centralized device). Network requirement: • As shown in Figure 1-2, the current software version is soft-version1 for Device. Upgrade the software version of Device to soft-version2 and configurati...

  • Page 938

    1-11 ftp 2.2.2.2 trying 2.2.2.2 ... Press ctrl+k to abort connected to 2.2.2.2. 220 wftpd 2.0 service (by texas imperial software) ready for new user user(2.2.2.2:(none)):aaa 331 give me your password, please password: 230 logged in successfully [ftp] # download file auto-update.txt on the ftp serve...

  • Page 939

    1-12 Figure 1-3 Network diagram for remote scheduled automatic upgrade. Configuration procedure: 1) Configuration on the TFTP server (note that configurations may vary with different types of servers). Obtain the boot file and configuration file through legitimate channels, such as the official website...

  • Page 940

    1-13 ... Done! Setting the slave board ... Slot 2: set next configuration file successfully # Specify file soft-version2.bin as the boot file for the next boot for all members. boot-loader file soft-version2.bin slot all main This command will set the boot file of the specified board. Continue? [y/n...

  • Page 941: Table of Contents

    I Table of Contents: 1 File System Management Configuration 1-1; File System Management ...

  • Page 942

    II Single Device Upgrade 3-4; IRF System Upgrade 3-5.

  • Page 943: File System Management

    1-1 1 File System Management Configuration. When configuring file system management, go to these sections for information you are interested in: • file system management • configuration file management • displaying and maintaining device configuration. File system management: this section covers these ...

  • Page 944

    1-2 Format | Description | Length | Example. path/file-name | specifies a file in the specified folder under the current working directory. path represents the folder name. You can specify multiple folders, indicating a file under a multi-level folder. | 1 to 135 characters | test/a.txt: indicates that a file n...

  • Page 946

    1-4 Displaying file information. To do… | Use the command… | Remarks. Display file or directory information | dir [ /all ] [ file-url ] | required, available in user view. Displaying the contents of a file. To do… | Use the command… | Remarks. Display the contents of a file | more file-url | required, currently only a .tx...

  • Page 947

    1-5 • The files in the recycle bin still occupy storage space. To delete a file in the recycle bin, you need to execute the reset recycle-bin command in the directory that the file originally belongs to. It is recommended to empty the recycle bin promptly with the reset recycle-bin command to save storag...

  • Page 948

    1-6 execution of a batch file does not guarantee the successful execution of every command in the batch file. If a command has error settings or the conditions for executing the command are not satisfied, this command will fail to be executed, and the system will skip the command to the next one. St...

  • Page 950

    1-8 • saving the current configuration • setting configuration rollback • specifying a startup configuration file for the next system startup • backing up the startup configuration file • deleting the startup configuration file for the next startup • restoring the startup configuration file • displa...

  • Page 951

    1-9 You can specify the main and backup startup configuration files for the next boot of the device in the following two methods: • Specify them when saving the current configuration. For detailed configuration, refer to Saving the current configuration. • Specify them when specifying the startup c...

  • Page 952

    1-10 Modes in saving the configuration: • Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file more quickly but is likely to lose the existing configuration file if the device reboots or the power fails during the process. • Safe mode. T...

  • Page 953

    1-11 is generated by using the backup function (manually or automatically). Configuration rollback is applied in the following situations: • The current configurations are wrong, and there are too many wrong configurations to locate or to correct one by one. Rolling back the current configuration to...

  • Page 954

    1-12 Configuring parameters for saving the current running configuration. Before the current running configuration is saved manually or automatically, the file path and filename prefix must be configured. After that, the system saves the current running configuration with the specified filename (file...

  • Page 955

    1-13 • The saving and rollback operations are executed only on the master. To make the configuration rollback take effect on the new master after an active/standby switchover, execute the archive configuration location command to specify the path and filename prefix of the saved configuration file o...

  • Page 956

    1-14 Saving the current running configuration manually. Automatic saving of the current running configuration occupies system resources, and frequent saving greatly affects system performance. Therefore, if the system configuration does not change frequently, it is recommended that you disable the automa...

  • Page 957

    1-15 Specifying a startup configuration file for the next system startup. A startup configuration file is the configuration file to be used at the next system startup. You can specify a configuration file as the startup configuration file to be used at the next system startup in the following two way...

  • Page 958

    1-16 Before the backup operation, you should: • Ensure that the server is reachable, the server is enabled with TFTP service, and the client has permission to read and write. • Use the display startup command (in user view) to see whether you have set the startup configuration file. If the file is s...

  • Page 959

    1-17 To do… | Use the command… | Remarks. Restore the startup configuration file to be used at the next system startup | restore startup-configuration from src-addr src-filename | required, available in user view. • The restore operation restores the main startup configuration file. • Before restoring a config...

  • Page 960: Ftp Configuration

    2-1 2 FTP Configuration. When configuring FTP, go to these sections for information you are interested in: • FTP overview • configuring the FTP client • configuring the FTP server • displaying and maintaining FTP. FTP overview. Introduction to FTP: the File Transfer Protocol (FTP) is an application laye...

  • Page 961

    2-2 Table 2-1 Configuration when the device serves as the FTP client. Device | Configuration | Remarks. Device (FTP client) | use the ftp command to establish the connection to the remote FTP server | if the remote FTP server supports anonymous FTP, the device can log in to it directly; if not, the device mus...

  • Page 962: Configuring The Ftp Client

    2-3 Configuring the FTP client. Establishing an FTP connection: to access an FTP server, an FTP client must establish a connection with the FTP server. Two ways are available to establish a connection: using the ftp command to establish the connection directly; using the open command in FTP client vie...

  • Page 963

    2-4 • If no primary IP address is configured on the specified source interface, no FTP connection can be established. • If you use the ftp client source command to first configure the source interface and then the source IP address of the transmitted packets, the newly configured source IP address w...

  • Page 964

    2-5 To do… | Use the command… | Remarks. View the detailed information of the files/directories on the FTP server | dir [ remotefile [ localfile ] ] | optional. View the names of the files/directories on the FTP server | ls [ remotefile [ localfile ] ] | optional. Download a file from the FTP server | get remotefile...

  • Page 965

    2-6 FTP client configuration example. Single device upgrade. Network requirements: • As shown in Figure 2-2, use Device as an FTP client and PC as the FTP server. Their IP addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between Device and PC. • Device downloads a star...

  • Page 966

    2-7 [ftp] put config.cfg back-config.cfg 227 entering passive mode (10,1,1,1,4,2). 125 ascii mode data connection already open, transfer starting for /config.cfg. 226 transfer complete. FTP: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye # Specify newest.bin as the main startup ...

  • Page 967

    2-8 Configuration procedure: if the available memory space of the device is not enough, use the fixdisk command to clear the memory or use the delete /unreserved file-url command to delete the files not in use and then perform the following operations. # Log in to the server through FTP. ftp 10.1.1.1...

  • Page 968: Configuring The Ftp Server

    2-9 reboot. The startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to Device Management Commands in the System Volume. Configuri...

  • Page 969

    2-10 To do… | Use the command… | Remarks. Manually release the FTP connection established with the specified username | free ftp user username | optional, available in user view. Configuring authentication and authorization on the FTP server: to allow an FTP user to access certain directories on the FTP server,...

  • Page 970

    2-11 FTP server configuration example. Single device upgrade. Network requirements: • As shown in Figure 2-4, use Device as an FTP server, and the PC as the FTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. • PC keeps the update...

  • Page 971

    2-12 6 -rw- 478164 apr 26 2000 14:52:35 s5120ei_505.btm 7 -rw- 368 apr 26 2000 12:04:04 patch_xxx.bin 8 -rw- 2337 apr 26 2000 14:16:48 sfp.cfg 9 -rw- 2195 apr 26 2000 14:10:41 5120ei.cfg 15240 KB total (11004 KB free) delete /unreserved flash:/sfp.cfg 2) Configure the PC (FTP client) # Log in to the...

  • Page 972

    2-13 the startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to device management commands in the system volume. Irf system upgr...

  • Page 973

    2-14 [sysname] ftp server enable [sysname] quit # Check files on your device. Remove those redundant to ensure adequate space for the startup file to be uploaded. dir Directory of flash:/ 0 -rw- 10471471 sep 18 2008 02:45:15 s5120eih3c-d501.bin 1 -rw- 9989823 jul 14 2008 19:30:46 s5120eih3cd_b57.bin...

  • Page 974

    2-15 # Copy the startup file newest.bin to the root directory of the storage medium on a slave (with the member ID 2). copy newest.bin slot2#flash:/ # Specify newest.bin as the main startup file to be used at the next startup for all the member devices. boot-loader file newest.bin slot all main This...

  • Page 975: Tftp Configuration

    3-1 3 TFTP Configuration. When configuring TFTP, go to these sections for information you are interested in: • TFTP overview • configuring the TFTP client • displaying and maintaining the TFTP client • TFTP client configuration example. TFTP overview. Introduction to TFTP: the Trivial File Transfer Prot...

  • Page 976: Configuring The Tftp Client

    3-2 When the device serves as the TFTP client, you need to perform the following configuration: Table 3-1 Configuration when the device serves as the TFTP client. Device | Configuration | Remarks. Device (TFTP client) | • configure the IP address and routing function, and ensure that the route between the d...

  • Page 977

    3-3 Follow these steps to configure the TFTP client: To do… | Use the command… | Remarks. Enter system view | system-view | —. Control the access to the TFTP servers from the device through ACL | tftp-server [ ipv6 ] acl acl-number | optional, by default the access to the TFTP servers from the device is not contro...

  • Page 978

    3-4 TFTP client configuration example. Single device upgrade. Network requirements: • As shown in Figure 3-2, use a PC as the TFTP server and Device as the TFTP client. Their IP addresses are 1.2.1.1/16 and 1.1.1.1/16 respectively. An available route exists between Device and PC. • Device downloads a ...

  • Page 979

    3-5 the startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to device management commands in the system volume. Irf system upgra...

  • Page 980

    3-6 • Download application file newest.bin from PC to the root directory of the storage medium on the master. tftp 1.2.1.1 get newest.bin • Download application file newest.bin from PC to the root directory of the storage medium on a slave (with the member ID 2). tftp 1.2.1.1 get newest.bin slot2#fl...

  • Page 981: Table of Contents

    I Table of Contents: 1 HTTP Configuration 1-1; HTTP Overview ...

  • Page 982: Http Configuration

    1-1 1 HTTP Configuration. When configuring HTTP, go to these sections for information you are interested in: • HTTP overview • enabling the HTTP service • HTTP configuration • associating the HTTP service with an ACL • displaying and maintaining HTTP. HTTP overview: the Hypertext Transfer Protocol (HTT...

  • Page 983

    1-2 Follow these steps to enable the HTTP service: To do… | Use the command… | Remarks. Enter system view | system-view | —. Enable the HTTP service | ip http enable | required, enabled by default. Configuring the port number of the HTTP service: configuration of the port number of the HTTP service can reduce the a...

  • Page 984: Http Configuration Example

    1-3 Displaying and maintaining HTTP. To do… | Use the command… | Remarks. Display information about HTTP | display ip http | available in any view. HTTP configuration example. Network requirements: as shown in Figure 1-1, filter users logging in through the Web interface according to the source IP addresses, implem...

  • Page 986: Https Configuration

    2-1 2 HTTPS Configuration. When configuring HTTPS, go to these sections for information you are interested in: • HTTPS overview • HTTPS configuration task list • associating the HTTPS service with an SSL server policy • enabling the HTTPS service • associating the HTTPS service with a certificate att...

  • Page 987: Enabling The Https Service

    2-2 Associating the HTTPS service with an SSL server policy. You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do… | Use the command… | Remarks. Enter system view | syste...

  • Page 988: Control Policy

    2-3 • After the HTTPS service is enabled, you can use the display ip https command to view the state of the HTTPS service and verify the configuration. • Enabling of the HTTPS service will trigger an SSL handshake negotiation process. During the process, if the local certificate of the device alread...

  • Page 989: Https Configuration Example

    2-4 To do… | Use the command… | Remarks. Enter system view | system-view | —. Configure the port number of the HTTPS service | ip https port port-number | optional, by default the port number of the HTTPS service is 443. If you execute the ip https port command multiple times, the last configured port number ...

  • Page 990

    2-5 • Configure Device as the HTTPS server and apply a certificate for Device. • Apply a certificate for the HTTPS client Host for Device to authenticate it. The name of the CA (certificate authority) that issues the certificate to Device is new-ca. • In this configuration example, Windows Server serves...

  • Page 991

    2-6 # configure an ssl server policy myssl, specify pki domain 1 for it, and enable the ssl server to perform certificate-based authentication of the client. [device] ssl server-policy myssl [device-ssl-server-policy-myssl] pki-domain 1 [device-ssl-server-policy-myssl] client-verify enable [device-s...

  • Page 992: Table of Contents

    I Table of Contents: 1 SNMP Configuration 1-1; SNMP Overview ...

  • Page 993: Snmp Configuration

    1-1 1 SNMP Configuration. When configuring SNMP, go to these sections for information you are interested in: • SNMP overview • SNMP configuration • configuring SNMP logging • SNMP trap configuration • displaying and maintaining SNMP • SNMP configuration example • SNMP logging configuration example. SN...

  • Page 994

    1-2 SNMP protocol versions: currently, SNMP agents support SNMPv1, SNMPv2c and SNMPv3. • SNMPv1 uses a community name for authentication, which defines the relationship between an SNMP NMS and an SNMP agent. SNMP packets with community names that did not pass the authentication on the device will simply...

  • Page 995: Snmp Configuration

    1-3 Figure 1-2 MIB tree. SNMP configuration: as configurations for SNMPv3 differ substantially from those of SNMPv1 and SNMPv2c, their SNMP functionalities are introduced separately below. Follow these steps to configure SNMPv3: To do… | Use the command… | Remarks. Enter system view | sy...

  • Page 996

    1-4 To do… | Use the command… | Remarks. Configure the maximum size of an SNMP packet that can be received or sent by an SNMP agent | snmp-agent packet max-size byte-count | optional, 1,500 bytes by default. Configure the engine ID for a local SNMP agent | snmp-agent local-engineid engineid | optional, company ID ...

  • Page 998: Snmp Trap Configuration

    1-6 • Logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable SNMP logging. • The size of SNMP logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record c...

  • Page 999

    1-7 to enable an interface to send linkup/linkdown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ sta...

  • Page 1000

    1-8 To do… | Use the command… | Remarks. Configure the holding time of the traps in the queue | snmp-agent trap life seconds | optional, 120 seconds by default. • An extended linkup/linkdown trap is the standard linkup/linkdown trap (defined in RFC) appended with interface description and interface type inform...

  • Page 1001: Snmp Configuration Example

    1-9 SNMP configuration example. Network requirements: • The NMS connects to the agent, a switch, through an Ethernet. • The IP address of the NMS is 1.1.1.2/24. • The IP address of the VLAN interface on the switch is 1.1.1.1/24. • The NMS monitors and manages the agent using SNMPv2c. The agent reports...

  • Page 1002

    1-10 with snmpv2c, the user needs to specify the read only community, the read and write community, the timeout time, and number of retries. The user can inquire and configure the device through the nms. The configurations on the agent and the nms must match. Snmp logging configuration example netwo...

  • Page 1003

    1-11 # Enable SNMP logging on the agent to log the get and set operations of the NMS. [sysname] snmp-agent log get-operation [sysname] snmp-agent log set-operation • The following log information is displayed on the terminal when the NMS performs the get operation to the agent. %jan 1 02:49:40:566 2...

  • Page 1004: Mib Style Configuration

    2-1 2 mib style configuration h3c private mib involves two styles, h3c compatible mib and h3c new mib. In the h3c compatible mib style, the device sysoid is under the h3c’s enterprise id 25506, and the private mib is under the enterprise id 2011. In the h3c new mib style, both the device sysoid and ...

  • Page 1005: Table of Contents

    I Table of Contents: 1 RMON Configuration 1-1; RMON Overview ...

  • Page 1006: Rmon Configuration

    1-1 1 RMON Configuration. When configuring RMON, go to these sections for information you are interested in: • RMON overview • configuring RMON • displaying and maintaining RMON • RMON configuration example. RMON overview: this section covers these topics: • introduction • RMON groups. Introduction: Remo...

  • Page 1007

    1-2 rmon groups among the ten rmon groups defined by rmon specifications (rfc 1757), the device supports the event group, alarm group, history group and statistics group. Besides, h3c also defines and implements the private alarm group, which enhances the functions of the alarm group. This section d...

  • Page 1008: Configuring Rmon

    1-3 If the count result exceeds the same threshold multiple times, only the first one can cause an alarm event. That is, the rising alarm and falling alarm alternate. History group: the history group periodically collects statistics on data at interfaces and saves the statistics in the history...

  • Page 1010: Rmon Configuration Example

    1-5 Displaying and maintaining RMON. To do… | Use the command… | Remarks. Display RMON statistics | display rmon statistics [ interface-type interface-number ] | available in any view. Display the RMON history control entry and history sampling information | display rmon history [ interface-type interface-number...

  • Page 1011

    1-6 etherstatsbroadcastpkts : 56 , etherstatsmulticastpkts : 34 etherstatsundersizepkts : 0 , etherstatsoversizepkts : 0 etherstatsfragments : 0 , etherstatsjabbers : 0 etherstatscrcalignerrors : 0 , etherstatscollisions : 0 etherstatsdropevents (insufficient resources): 0 packets received according...

  • Page 1012: Table of Contents

    I Table of Contents: 1 MAC Address Table Configuration 1-1; Introduction to MAC Address Table ...

  • Page 1013

    1-1 1 MAC Address Table Configuration. When configuring MAC address table management, go to these sections for information you are interested in: • configuring MAC address table • MAC address table configuration example • MAC information configuration • MAC information configuration example • interfa...

  • Page 1014

    1-2 when receiving a frame destined for mac-source, the device then looks up the mac address table and forwards it from port 1. To adapt to network changes, mac address table entries need to be constantly updated. Each dynamically learned mac address table entry has a life period, that is, an aging ...

  • Page 1015

    1-3 Figure 1-1 Forward frames using the MAC address table. Configuring MAC address table: the MAC address table management configuration tasks include: • configuring MAC address table entries • configuring the aging timer for dynamic MAC address entries • configuring the MAC learning limit. These confi...

  • Page 1016

    1-4 Configuring the aging timer for dynamic MAC address entries. The MAC address table on your device is available with an aging mechanism for dynamic entries to prevent its resources from being exhausted. Set the aging timer appropriately: a long aging interval may cause the MAC address table to ret...

  • Page 1017

    1-5 • In Layer 2 aggregate interface view, you cannot configure the MAC learning limit. • When a port is a member of an aggregation group, you cannot configure the MAC learning limit in Ethernet port view. Displaying and maintaining MAC address table. To do… | Use the command… | Remarks. Display MAC...

  • Page 1019: Overview

    2-1 2 MAC Information Configuration. When configuring MAC information, go to these sections for information you are interested in: • overview • configuring MAC information • MAC information configuration example. Overview. Introduction to MAC information: to monitor a network, you need to monitor users ...

  • Page 1020

    2-2 Enabling MAC information on an interface. Follow these steps to enable MAC information on an interface: To do… | Use the command… | Remarks. Enter system view | system-view | —. Enter interface view | interface interface-type interface-number | —. Enable MAC information on the interface | mac-address information ...

  • Page 1021

    2-3 To do… | Use the command… | Remarks. Enter system view | system-view | —. Configure the MAC information queue length | mac-address information queue-length value | optional, 50 by default. Setting the MAC information queue length to 0 indicates that the device sends a syslog or trap message to the network manag...

  • Page 1022

    2-4 [device] mac-address information mode syslog # enable mac information on gigabitethernet 1/0/1 [device] interface gigabitethernet 1/0/1 [device-gigabitethernet1/0/1] mac-address information enable added [device-gigabitethernet1/0/1] mac-address information enable deleted [device-gigabitethernet1...

  • Page 1023: Table of Contents

    1-1 Table of Contents: 1 System Maintaining and Debugging 1-1; System Maintaining and Debugging Overview 1-1; Int...

  • Page 1024

    1-1 1 System Maintaining and Debugging. When maintaining and debugging the system, go to these sections for information you are interested in: • system maintaining and debugging overview • system maintaining and debugging • system maintaining example. System maintaining and debugging overview. Introduc...

  • Page 1025

    1-2 2) the first hop (the layer 3 device that first receives the packet) responds by sending a ttl-expired icmp message to the source, with its ip address encapsulated. In this way, the source device can get the address of the first layer 3 device. 3) the source device sends a packet with a ttl valu...

  • Page 1028: Table of Contents

    I Table of Contents: 1 Information Center Configuration 1-1; Information Center Overview ...

  • Page 1029: Information Center Overview

    1-1 1 Information Center Configuration. When configuring the information center, go to these sections for information you are interested in: • information center configuration • configuring information center • displaying and maintaining information center • information center configuration examples. Info...

  • Page 1030

    1-2 eight levels of system information the information is classified into eight levels by severity. The severity levels in the descending order are emergency, alert, critical, error, warning, notice, informational and debug. When the system information is output by level, the information with severi...

  • Page 1031

    1-3 Information channel number | Default channel name | Default output destination | Note. 4 | logbuffer | log buffer | receives log and debugging information; a buffer inside the router for recording information. 5 | snmpagent | SNMP module | receives trap information. 6 | channel6 | not specified | receives log, trap, and ...

  • Page 1032

    1-4 table 1-3 default output rules for different output destinations log trap debug output destination modules allowed enabled/disabled severity enabled/disabled severity enabled/disabled severity console default (all modules) enabled warning enabled debug enabled debug monitor terminal default ...

  • Page 1033

    1-5 what follows is a detailed explanation of the fields involved: int_16 (priority) the priority is calculated using the following formula: facility*8+severity, in which facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges fro...

  • Page 1034

    1-6 • if the timestamp starts with a %, the information is log information • if the timestamp starts with a #, the information is trap information • if the timestamp starts with a *, the information is debugging information source this field indicates the source of the information, such as the sourc...

  • Page 1039

    1-11 outputting system information to the snmp module the snmp module receives the trap information only, and discards the log and debugging information even if you have configured to output them to the snmp module. To monitor the device running status, trap information is usually sent to the snmp n...

  • Page 1040

    1-12 follow these steps to enable synchronous information output: to do… use the command… remarks enter system view system-view — enable synchronous information output info-center synchronous required disabled by default • if system information, such as log information, is output before you input an...

  • Page 1042

    1-14 [sysname] info-center enable # specify the host with ip address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility. [sysname] info-center loghost 1.2.0.1 channel loghost facility local4 # disable the o...

  • Page 1043

    1-15 be aware of the following issues while editing file /etc/syslog.conf: • comments must be on a separate line and begin with the # sign. • no redundant spaces are allowed after the file name. • the logging facility name and the information level specified in the /etc/syslog.conf file must be iden...

  • Page 1044

    1-16 # disable the output of log, trap, and debugging information of all modules on channel loghost. [sysname] info-center source default channel loghost debug state off log state off trap state off as the default system configurations for different channels are different, you need to disable the ou...

  • Page 1045

    1-17 # syslogd -r & ensure that the syslogd process is started with the -r option on a linux log host. After the above configurations, the system will be able to record log information into the log file. Outputting log information to the console network requirements • log information with a severity...

  • Page 1046

    1-18 # enable the display of log information on a terminal. (optional, this function is enabled by default.) terminal monitor % current terminal monitor is on terminal logging % current terminal logging is on after the above configuration takes effect, if the specified module generates log informati...

  • Page 1047: Table of Contents

    I table of contents 1 poe configuration 1-1 poe overview ...

  • Page 1048: Poe Configuration

    1-1 1 poe configuration when configuring poe, go to these sections for information you are interested in: • poe overview • poe configuration task list • configuring the poe interface • configuring poe power management • configuring the poe monitoring function • upgrading pse processing software onli...

  • Page 1049: Poe Configuration Task List

    1-2 a pd is a device accepting power from the pse. There are standard pds and nonstandard pds. A standard pd refers to the one that complies with ieee 802.3af. The pd that is being powered by the pse can be connected to other power supply units for redundancy backup. Protocol specification the proto...

  • Page 1050

    1-3 • spare cable mode: the pse uses the twisted pairs (4, 5, 7 and 8) of category-3/5 cables, which are spare during data transmission, to power the pd. S5120-ei series switches only support signal mode. Configuring a poe interface through the command line to do… use the command… remarks enter sy...

  • Page 1051

    1-4 follow these steps to configure poe interfaces through a poe configuration file: to do… use the command… remarks enter system view system-view — create a poe configuration file and enter poe configuration file view poe-profile profile-name [ index ] required enable poe for the poe interface poe ...

  • Page 1052

    1-5 configuring poe power management configuring pd power management the power priority of a pd depends on the priority of the poe interface. The priority levels of poe interfaces include critical, high and low in descending order. Power supply to a pd is subject to pd power management policies. All...

  • Page 1054

    1-7 this mode deletes the pse processing software and reloads it. When the pse processing software is damaged (in this case, you can execute none of the poe commands successfully), you can upgrade the pse processing software in full mode to restore the pse function. Online pse processing softwa...

  • Page 1055: Poe Configuration Example

    1-8 displaying and maintaining poe to do… use the command… remarks display the mapping between id, module, and member id of all pses. Display poe device display the power state and information of the specified poe interface display poe interface [ interface-type interface-number ] display the power ...

  • Page 1056: Troubleshooting Poe

    1-9 figure 1-1 network diagram for poe configuration procedure # enable poe on gigabitethernet 1/0/1, gigabitethernet 1/0/2, gigabitethernet 1/0/11, and gigabitethernet 1/0/12. system-view [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] poe enable [sysname-gigabitethernet1/0...

  • Page 1057

    1-10 • the priority of the poe interface is already set. Solution: • in the first case, you can solve the problem by increasing the maximum pse power, or by reducing the maximum power of the poe interface when the guaranteed remaining power of the pse cannot be modified. • in the second case, you s...

  • Page 1058: Table of Contents

    I table of contents 1 hotfix configuration 1-1 hotfix overview ...

  • Page 1059: Hotfix Configuration

    1-1 1 hotfix configuration when configuring hotfix, go to these sections for information you are interested in: • hotfix overview • hotfix configuration task list • displaying and maintaining hotfix • hotfix configuration examples hotfix overview hotfix is a fast and cost-effective method to repair ...

  • Page 1060

    1-2 install, and uninstall represent operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for the patches in the deactive state, the patches turn to the...

  • Page 1061

    1-3 figure 1-2 patches are not loaded to the memory patch area currently, the system patch area supports up to 200 patches. Deactive state patches in the deactive state have been loaded to the memory patch area but have not run in the system yet. Suppose that there are seven patches in the patch fil...

  • Page 1062

    1-4 figure 1-4 patches are activated running state after you confirm the running of the active patches, the state of the patches will become running and will be in the running state after system reboot. For the five patches in figure 1-4 , if you confirm the running the first three patches, their st...

  • Page 1063: Configuration Prerequisites

    1-5 configuration prerequisites patches are released per device model type. Before patching the system, you need to save the appropriate patch files to the storage media of the device using ftp or tftp. When saving the patch files, note that: • the patch files match the device model and software ver...

  • Page 1064

    1-6 • the patch matches the device type and software version. • the patch install command changes the patch file location specified with the patch location command to the directory specified by the patch-location argument of the patch install command. Step-by-step patch installation step-by-step pat...

  • Page 1065

    1-7 set the file transfer mode to binary mode before using ftp or tftp to upload/download patch files to/from the flash of the device. Otherwise, the patch file cannot be parsed properly. Follow the steps below to load a patch file: to do… use the command… remarks enter system view system-view — load th...

  • Page 1066

    1-8 one-step patch uninstallation you can use the undo patch install command to uninstall patches from all the member devices. The patches then turn to the idle state. This equals the execution of the commands patch deactive and patch delete on each member device. Follow these steps to uninstall the...

  • Page 1067

    1-9 displaying and maintaining hotfix to do… use the command… remarks display the patch information display patch information available in any view hotfix configuration examples hotfix configuration example (single device) network requirements • the software running on the device has a problem, and...

  • Page 1068

    1-10 do you want to continue running patches after reboot? [y/n]:y installing patches........ Installation completed, and patches will continue to run after reboot. Hotfix configuration example (irf device) network requirements • irf refers to an irf in this example and it consists of two irf device...

  • Page 1069

    1-11 [device] patch install flash: patches will be installed. Continue? [y/n]:y do you want to continue running patches after reboot? [y/n]:y installing patches........ Installation completed, and patches will continue to run after reboot.

  • Page 1070: Table of Contents

    I table of contents 1 nqa configuration 1-1 nqa overview ...

  • Page 1071: Nqa Configuration

    1-1 1 nqa configuration when configuring nqa, go to these sections for information you are interested in: • nqa overview • nqa configuration task list • configuring the nqa server • enabling the nqa client • creating an nqa test group • configuring an nqa test group • configuring the collaboration f...

  • Page 1072

    1-2 collaboration with other modules is triggered. The implementation of collaboration is shown in figure 1-1. Figure 1-1 implementation of collaboration the collaboration here involves three parts: the application modules, the track module, and the detection modules. • the detection modules monito...

  • Page 1073

    1-3 basic concepts of nqa test group before performing an nqa test, you need to create an nqa test group, and configure nqa test parameters such as test type, destination address and destination port. Each test group has an administrator name and operation tag, which can uniquely define a test group...

  • Page 1074: Nqa Configuration Task List

    1-4 nqa test operation an nqa test operation is as follows: 1) the nqa client constructs packets with the specified type, and sends them to the peer device; 2) upon receiving the packet, the peer device replies with a response with a timestamp. 3) the nqa client computes the packet loss rate and rtt...

  • Page 1075: Configuring The Nqa Server

    1-5 task remarks configuring optional parameters common to an nqa test group optional scheduling an nqa test group required configuring the nqa server before performing tcp, udp echo, udp jitter or voice tests, you need to configure the nqa server on the peer device. The nqa server makes a response ...

  • Page 1076

    1-6 if you execute the nqa entry command to enter the test group view with test type configured, you will enter the test type view of the test group directly. Configuring an nqa test group configuring an icmp echo test an icmp echo test is used to test reachability of the destination host according ...

  • Page 1077

    1-7 to do… use the command… remarks configure the source ip address of a probe request source ip ip-address optional by default, no source ip address is specified. If no source ip address is specified, but the source interface is specified, the ip address of the source interface is taken as the sour...

  • Page 1078

    1-8 to do… use the command… remarks configure common optional parameters see configuring optional parameters common to an nqa test group optional • as a dhcp test is a process that simulates address allocation in dhcp, the ip address of the interface performing the dhcp test will not be changed. • after ...

  • Page 1080

    1-10 to do… use the command… remarks configure the test type as http and enter test type view type http required configure the destination address for a test operation destination ip ip-address required by default, no destination ip address is configured for a test operation. The destination ip addr...

  • Page 1081

    1-11 delay jitter refers to the difference between the interval of receiving two packets consecutively and the interval of sending these two packets. The procedure of a udp jitter test is as follows: • the source sends packets at regular intervals to the destination port. • the destination affixes a...

  • Page 1082

    1-12 to do… use the command… remarks configure the number of packets sent in a udp jitter probe probe packet-number packet-number optional 10 by default. Configure the interval for sending packets in a udp jitter probe probe packet-interval packet-interval optional 20 milliseconds by default. Config...

  • Page 1083

    1-13 to do… use the command… remarks configure the destination address for a test operation destination ip ip-address required by default, no destination ip address is configured for a test operation. Specify the source port number for a probe request in a test operation source port port-number opti...

  • Page 1084

    1-14 to do… use the command… remarks configure the destination port destination port port-number required by default, no destination port number is configured for a test operation. The destination port number must be consistent with port number of the listening service configured on the nqa server. ...

  • Page 1085

    1-15 to do… use the command… remarks configure the destination port destination port port-number required by default, no destination port number is configured for a test operation. The destination port number must be the port number of the listening service configured on the nqa server. Configure th...

  • Page 1086

    1-16 interval for the source to send these two successive packets, and thus the network status can be analyzed. The voice parameter values that indicate voip network status can also be calculated in a voice test, including: • calculated planning impairment factor (icpif): measures attenuation of voi...

  • Page 1087

    1-17 to do… use the command… remarks configure the advantage factor for calculating mos and icpif values advantage-factor factor optional by default, the advantage factor is 0. Specify the source ip address for the requests in a test operation source ip ip-address optional by default, no source ip a...

  • Page 1088

    1-18 configuration prerequisites enable the dlsw function on the peer device before the dlsw test. Configuring a dlsw test follow these steps to configure a dlsw test: to do… use the command… remarks enter system view system-view — enter nqa test group view nqa entry admin-name operation-tag — configure ...

  • Page 1089: Configuring Trap Delivery

    1-19 to do… use the command… remarks create a track object and associate it with the specified collaboration object of the nqa test group track entry-number nqa entry admin-name operation-tag reaction item-num required not created by default. • you cannot modify the content of a reaction entry using...

  • Page 1090

    1-20 configuring the nqa statistics function nqa puts the nqa tests completed in a specified interval into one group, and calculates the statistics of the test results of the group. These statistics form a statistics group. You can use the display nqa statistics command to view information of the st...

  • Page 1092: Scheduling An Nqa Test Group

    1-22 scheduling an nqa test group with this configuration, you can set the start time and test duration for a test group to perform nqa tests. The start time can take a specific value or can be now, which indicates that a test is started immediately; the test duration can take a specific value or ca...

  • Page 1093: Nqa Configuration Examples

    1-23 displaying and maintaining nqa to do… use the command… remarks display history records of nqa test operation information display nqa history [ admin-name operation-tag ] display the results of the last nqa test display nqa result [ admin-name operation-tag ] display the statistics of a type of ...

  • Page 1094

    1-24 nqa entry(admin admin, tag test) test results: destination ip address: 10.2.2.2 send operation times: 10 receive response times: 10 min/max/average round trip time: 2/5/3 square-sum of round trip time: 96 last succeeded probe time: 2007-08-23 15:00:01.2 extended results: packet lost in test: 0%...

  • Page 1095

    1-25 [switcha-nqa-admin-test] type dhcp [switcha-nqa-admin-test-dhcp] operation interface vlan-interface 2 [switcha-nqa-admin-test-dhcp] quit # enable dhcp test. [switcha] nqa schedule admin test start-time now lifetime forever # disable dhcp test after the test begins for a period of time. [switcha...

  • Page 1096

    1-26 [devicea] nqa entry admin test [devicea-nqa-admin-test] type ftp [devicea-nqa-admin-test-ftp] destination ip 10.2.2.2 [devicea-nqa-admin-test-ftp] source ip 10.1.1.1 [devicea-nqa-admin-test-ftp] operation put [devicea-nqa-admin-test-ftp] username admin [devicea-nqa-admin-test-ftp] password syst...

  • Page 1097

    1-27 figure 1-6 network diagram for the http tests configuration procedure # create an http test group and configure related test parameters. system-view [devicea] nqa entry admin test [devicea-nqa-admin-test] type http [devicea-nqa-admin-test-http] destination ip 10.2.2.2 [devicea-nqa-admin-test-ht...

  • Page 1098

    1-28 udp jitter test configuration example network requirements use the nqa udp jitter function to test the delay jitter of packet transmission between device a and device b. Figure 1-7 network diagram for udp jitter tests configuration procedure 1) configure device b. # enable the nqa server and co...

  • Page 1099

    1-29 failures due to sequence error: 0 failures due to internal error: 0 failures due to other errors: 0 packet(s) arrived late: 0 udp-jitter results: rtt number: 10 min positive sd: 4 min positive ds: 1 max positive sd: 21 max positive ds: 28 positive sd number: 5 positive ds number: 4 positive sd ...

  • Page 1100

    1-30 min positive sd: 3 min positive ds: 1 max positive sd: 30 max positive ds: 79 positive sd number: 186 positive ds number: 158 positive sd sum: 2602 positive ds sum: 1928 positive sd average: 13 positive ds average: 12 positive sd square sum: 45304 positive ds square sum: 31682 min negative sd: ...

  • Page 1101

    1-31 system-view [deviceb] snmp-agent sys-info version all [deviceb] snmp-agent community read public [deviceb] snmp-agent community write private 2) configurations on device a. # create an snmp query test group and configure related test parameters. system-view [devicea] nqa entry admin test [devic...

  • Page 1102

    1-32 figure 1-9 network diagram for tcp tests configuration procedure 1) configure device b. # enable the nqa server and configure the listening ip address as 10.2.2.2 and port number as 9000. system-view [deviceb] nqa server enable [deviceb] nqa server tcp-connect 10.2.2.2 9000 2) configure device ...

  • Page 1103

    1-33 nqa entry(admin admin, tag test) history record(s): index response status time 1 13 succeeded 2007-11-22 10:27:25.1 udp echo test configuration example network requirements use the nqa udp echo function to test the round trip time between device a and device b. The port number is 8000. Figure 1...

  • Page 1104

    1-34 failures due to disconnect: 0 failures due to no connection: 0 failures due to sequence error: 0 failures due to internal error: 0 failures due to other errors: 0 packet(s) arrived late: 0 # display the history of udp echo tests. [devicea] display nqa history admin test nqa entry(admin admin, t...

  • Page 1105

    1-35 nqa entry(admin admin, tag test) test results: destination ip address: 10.2.2.2 send operation times: 1000 receive response times: 1000 min/max/average round trip time: 31/1328/33 square-sum of round trip time: 2844813 last succeeded probe time: 2008-06-13 09:49:31.1 extended results: packet lo...

  • Page 1106

    1-36 min/max/average round trip time: 15/1328/32 square-sum of round trip time: 7160528 extended results: packet lost in test: 0% failures due to timeout: 0 failures due to disconnect: 0 failures due to no connection: 0 failures due to sequence error: 0 failures due to internal error: 0 failures due...

  • Page 1107

    1-37 dlsw test configuration example network requirements use the nqa dlsw function to test the response time of the dlsw device. Figure 1-12 network diagram for the dlsw tests configuration procedure # create a dlsw test group and configure related test parameters. system-view [devicea] nqa entry a...

  • Page 1108

    1-38 nqa collaboration configuration example network requirements as shown in figure 1-13 , configure a static route to switch c on switch a, with switch b as the next hop. Associate the static route, track entry, and nqa test group to verify whether static route is active in real time. Figure 1-13 ...

  • Page 1109

    1-39 [switcha] track 1 nqa entry admin test reaction 1 5) verify the configuration. # on switch a, display information about all the track entries. [switcha] display track all track id: 1 status: positive notification delay: positive 0, negative 0 (in seconds) reference object: nqa entry: admin test...

  • Page 1110

    1-40 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/32 direct 0 0 127.0.0.1 inloop0 the above information shows that the next hop 10.2.1.1 of the static route is not reachable, and the status of the track entry is negative. The static route does not work.

  • Page 1111: Table of Contents

    I table of contents 1 ntp configuration 1-1 ntp overview ...

  • Page 1112: Ntp Configuration

    1-1 1 ntp configuration when configuring ntp, go to these sections for information you are interested in: • ntp overview • ntp configuration task list • configuring the operation modes of ntp • configuring optional parameters of ntp • configuring access-control rights • configuring ntp authenticatio...

  • Page 1113

    1-2 • the clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. • the local clock o...

  • Page 1114

    1-3 advantages of ntp • ntp uses a stratum to describe the clock precision, and is able to synchronize time among all devices within the network. • ntp supports access control and md5 authentication. • ntp can unicast, multicast or broadcast protocol messages. How ntp works figure 1-1 shows the basi...

  • Page 1115

    1-4 up to now, device a has sufficient information to calculate the following two important parameters: • the roundtrip delay of the ntp message: delay = (t4 - t1) - (t3 - t2) = 2 seconds. • the time difference between device a and device b: offset = ((t2 - t1) + (t3 - t4))/2 = 1 hour. Based on these parameters, de...

  • Page 1116

    1-5 • stratum: an 8-bit integer indicating the stratum level of the local clock, with the value ranging from 1 to 16. The clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a refer...

  • Page 1117

    1-6 in this mode, a client can be synchronized to a server, but not vice versa. Symmetric peers mode figure 1-4 symmetric peers mode a device working in the symmetric active mode periodically sends clock synchronization messages, with the mode field in the message set to 1 (symmetric active); the de...

  • Page 1118: Ntp Configuration Task List

    1-7 multicast mode figure 1-6 multicast mode network client server after receiving the first multicast message, the client sends a request clock synchronization message exchange (mode 3 and mode 4) periodically multicasts clock synchronization messages (mode 5) calculates the network delay between c...

  • Page 1119

    1-8 configuring the operation modes of ntp devices can implement clock synchronization in one of the following modes: • client/server mode • symmetric mode • broadcast mode • multicast mode for the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; fo...

  • Page 1120

    1-9 • in the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the ip address of the local clock. • when the source interface for ntp messages is specified by the source-interface argument, the source ip address of the n...

  • Page 1121

    1-10 configuring ntp broadcast mode the broadcast server periodically sends ntp broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in ntp broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadc...

  • Page 1122

    1-11 configuring a multicast client to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number enter the interface used to receive ntp multicast messages. Configure the device to work in the ntp multicast client mode ntp-service mul...

  • Page 1123

    1-12 follow these steps to specify the source interface for ntp messages: to do… use the command… remarks enter system view system-view — specify the source interface for ntp messages ntp-service source-interface interface-type interface-number required by default, no source interface is specifie...

  • Page 1124

    1-13 configuring access-control rights with the following command, you can configure the ntp service access-control right to the local device. There are four access-control rights, as follows: • query: control query permitted. This level of right permits the peer devices to perform control query to...

  • Page 1125

    1-14 configuring ntp authentication the ntp authentication feature should be enabled for a system running ntp in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with ...

  • Page 1127: Ntp Configuration Examples

    1-16 the procedure of configuring ntp authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and client sides. Displaying and maintaining ntp to do… use the command… remarks view the information of ntp service status display ...

  • Page 1128

    1-17 root delay: 0.00 ms root dispersion: 0.00 ms peer dispersion: 0.00 ms reference time: 00:00:00.000 utc jan 1 1900 (00000000.00000000) # specify switch a as the ntp server of switch b so that switch b is synchronized to switch a. system-view [switchb] ntp-service unicast-server 1.0.1.11 # view t...

  • Page 1129

    1-18 figure 1-8 network diagram for ntp symmetric peers mode configuration switch a switch b switch c 3.0.1.31/24 3.0.1.32/24 3.0.1.33/24 configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configuration on device b: # specify device a as the ntp server of device b. system-...

  • Page 1130

    1-19 reference clock id: 3.0.1.32 nominal frequency: 100.0000 hz actual frequency: 100.0000 hz clock precision: 2^18 clock offset: -21.1982 ms root delay: 15.00 ms root dispersion: 775.15 ms peer dispersion: 34.29 ms reference time: 15:22:47.083 utc sep 19 2005 (c6d95647.153f7ced) as shown above, de...

  • Page 1131

    1-20 configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configuration on switch c: # configure switch c to work in the broadcast server mode and send broadcast messages through vlan-interface 2. [switchc] interface vlan-interface 2 [switchc-vlan-interface2] ntp-service bro...

  • Page 1132

    1-21 configuring ntp multicast mode network requirements as shown in figure 1-10, switch c functions as the ntp server for multiple devices on different network segments and synchronizes the time among multiple devices. To realize this requirement, perform the following configurations: • the local ...

  • Page 1133

    1-22 figure 1-10 network diagram for ntp multicast mode configuration configuration procedure 1) configure ip addresses for interfaces (omitted) 2) configuration on switch c: # configure switch c to work in the multicast server mode and send multicast messages through vlan-interface 2. system-view [...

  • Page 1134

    1-23 as shown above, switch d has been synchronized to switch c, and the clock stratum level of switch d is 3, while that of switch c is 2. # view the ntp session information of switch d, which shows that an association has been set up between switch d and switch c. [switchd-vlan-interface2] display...

  • Page 1135

    1-24 peer dispersion: 34.30 ms reference time: 16:02:49.713 utc sep 19 2005 (c6d95f6f.b6872b02) as shown above, switch a has been synchronized to switch c, and the clock stratum level of switch a is 3, while that of switch c is 2. # view the ntp session information of switch a, which shows that an a...

  • Page 1136

    1-25 [switchb] ntp-service reliable authentication-keyid 42 # specify switch a as the ntp server. [switchb] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 before switch b can synchronize its clock to that of switch a, you need to enable ntp authentication for switch a. Perform the follo...

  • Page 1137

    1-26 • switch c works in the broadcast server mode and sends out broadcast messages from vlan-interface 2. • switch d works in the broadcast client mode and receives broadcast messages through vlan-interface 2. • ntp authentication is enabled on both switch c and switch d. Figure 1-12 network diagra...

  • Page 1138

    1-27 [switchd-vlan-interface2] display ntp-service status clock status: synchronized clock stratum: 4 reference clock id: 3.0.1.31 nominal frequency: 64.0000 hz actual frequency: 64.0000 hz clock precision: 2^7 clock offset: 0.0000 ms root delay: 31.00 ms root dispersion: 8.31 ms peer dispersion: 34...

  • Page 1139: Table of Contents

    i Table of Contents
      1 Cluster Management Configuration ... 1-1
        Cluster Management Overview ...

  • Page 1140: Cluster Management Overview

    1-1 1 Cluster Management Configuration. When configuring cluster management, go to these sections for information you are interested in:
      - Cluster management overview
      - Cluster configuration task list
      - Configuring the management device
      - Configuring the member devices
      - Configuring access between th...

  • Page 1141

    1-2 Figure 1-1 Network diagram for a cluster. As shown in Figure 1-1, the device that is configured with a public IP address and performs the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to a c...

  • Page 1142

    1-3 Introduction to NDP. NDP is used to discover the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways:
      - A device running NDP periodically sends NDP packets to its neighbors. An ND...

  • Page 1143

    1-4 then forwards the NTDP topology collection request after its prior port forwards the NTDP topology collection request. Cluster management maintenance: 1) Adding a candidate device to a cluster. You should specify the management device before creating a cluster. The management device discovers and ...

  • Page 1144

    1-5 member device which is in disconnect state will be added to the cluster. After that, the state of the member device locally and on the management device will be changed to active. Besides, a member device informs the management device using handshake packets when there is a neighbor topology cha...

  • Page 1145

    1-6 Complete these tasks to configure a cluster:
      Task | Remarks
      Enabling NDP globally and for specific ports | Optional
      Configuring NDP parameters | Optional
      Enabling NTDP globally and for specific ports | Optional
      Configuring NTDP parameters | Optional
      Manually collecting topology information | Optional
      Enabli...

  • Page 1146

    1-7
      - Disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed, but will influence the normal operation of the cluster.
      - When both the cluster function and the 802.1X function (or the MAC address authentic...

  • Page 1147

    1-8 Configuring NDP parameters. A port enabled with NDP periodically sends NDP packets to its neighbors. If no NDP information from the neighbor is received when the holdtime times out, the corresponding entry is removed from the NDP table. Follow these steps to configure NDP parameters: To do… Use t...

  • Page 1148

    1-9 of the devices in a specified range, thus avoiding unlimited topology collection. After the interval for collecting topology information is configured, the device collects the topology information at this interval. To avoid network congestion caused by large amounts of topology responses receive...

  • Page 1149

    1-10 Enabling the cluster function
      To do… | Use the command… | Remarks
      Enter system view | system-view | —
      Enable the cluster function globally | cluster enable | Optional. Enabled by default.
    Establishing a cluster. Before establishing a cluster, you need to specify the management VLAN, and you cannot modify the...

  • Page 1150

    1-11 Enabling management VLAN auto-negotiation. The management VLAN limits the cluster management range. If the device discovered by the management device does not belong to the management VLAN, meaning the cascade ports and the ports connecting with the management device do not allow the packets fro...

  • Page 1151

    1-12 0180-C200-000A, cluster management packets cannot traverse these devices. For a cluster to work normally in this case, you can modify the destination MAC address of a cluster management protocol packet without changing the current networking. The management device periodically sends MAC address...

  • Page 1152: Member Devices

    1-13 Removing a member device
      To do… | Use the command… | Remarks
      Enter system view | system-view | —
      Enter cluster view | cluster | —
      Remove a member device from the cluster | delete-member member-number [ to-black-list ] | Required
    Rebooting a member device
      To do… | Use the command… | Remarks
      Enter system view | system...

  • Page 1153

    1-14 the member devices through the management device. You can manage member devices in a cluster through switching from the operation interface of the management device to that of a member device, or configure the management device by switching from the operation interface of a member device to that...

  • Page 1154

    1-15
      To do… | Use the command… | Remarks
      Add a candidate device to the cluster | administrator-address mac-address name name | Required
    Configuring advanced cluster functions. This section covers these topics:
      - Configuring topology management
      - Configuring interaction for a cluster
      - SNMP configuration sync...

  • Page 1156

    1-17
      To do… | Use the command… | Remarks
      Configure the NM interface of the management device | nm-interface vlan-interface vlan-interface-id | Optional
    To isolate management protocol packets of a cluster from packets outside the cluster, you are recommended to configure to prohibit packets from the managem...

  • Page 1157

    1-18
      - The SNMP-related configurations are retained when a cluster is dismissed or the member devices are removed from the whitelist.
      - For information about SNMP, refer to SNMP Configuration in the System Volume.
    Configuring Web user accounts in batches. Configuring Web user accounts in batches enab...

  • Page 1158

    1-19 Displaying and maintaining cluster management
      To do… | Use the command… | Remarks
      Display NDP configuration information | display ndp [ interface interface-list ] |
      Display the global NTDP information | display ntdp |
      Display the device information collected through NTDP | display ntdp device-list [ verbose ...

  • Page 1159

    1-20 Figure 1-4 Network diagram for cluster management configuration. Configuration procedure:
      1) Configure the member device Switch A
      # Enable NDP globally and for port GigabitEthernet 1/0/1.
      system-view
      [SwitchA] ndp enable
      [SwitchA] interface gigabitethernet 1/0/1
      [SwitchA-GigabitEthernet1/0/1] ndp...

  • Page 1160

    1-21
      [SwitchB-GigabitEthernet1/0/3] quit
      # Configure the period for the receiving device to keep NDP packets as 200 seconds.
      [SwitchB] ndp timer aging 200
      # Configure the interval to send NDP packets as 70 seconds.
      [SwitchB] ndp timer hello 70
      # Enable NTDP globally and for ports GigabitEthernet 1/0...

  • Page 1161

    1-22
      Restore topology from local flash file, for there is no base topology. (Please confirm in 30 seconds, default no). (Y/N) n
      # Enable management VLAN auto-negotiation.
      [abc_0.SwitchB-cluster] management-vlan synchronization enable
      # Configure the holdtime of the member device information as 100 se...

  • Page 1162: Table of Contents

    i Table of Contents
      1 IRF Configuration ... 1-1
        IRF Overview ...

  • Page 1163: Irf Configuration

    1-1 1 IRF Configuration. Among S5120-EI series switches, S5120-28C-EI, S5120-52C-EI, S5120-28C-PWR-EI, and S5120-52C-PWR-EI switches support IRF. When configuring IRF, go to these sections for information you are interested in:
      - IRF overview
      - IRF working process
      - IRF configuration task list
      - IRF ...

  • Page 1164: Irf Basic Concepts

    1-2
      - Powerful network expansion capability. By adding member devices, the number of IRF ports and network bandwidth of the IRF system can be easily expanded. Each member device has its own CPU and they can process and forward protocol packets independently; therefore, the processing capability of t...

  • Page 1165: Irf Working Process

    1-3 Typically, an Ethernet interface or optical port forwards service packets to the network. When bound to an IRF port, it acts as a physical IRF port and forwards packets among member devices. Packets that can be forwarded include IRF-related negotiation packets, and service packets that need to b...

  • Page 1166

    1-4
      - One-port 10 GE XFP interface module
      - Dual-port 10 GE XFP interface module
      - Short-haul dual-port 10 GE CX4 interface module
      - Dual-port 10 GE SFP+ interface module
    For the details of the interface modules, refer to H3C S5120-EI Series Ethernet Switches Installation Manual. You can connect phy...

  • Page 1167

    1-5
      - Daisy chain connection: given a device, its IRF-port 1 is connected to IRF-port 2 of another device, and its IRF-port 2 is connected to IRF-port 1 of a third one; devices are connected to form a single straight connection, as shown in Figure 1-5.
      - Ring connection: given a device, its IRF-por...

  • Page 1168

    1-6 Figure 1-6 IRF port correspondence. Based on the type and number of the interface module inserted on Switch A, you can adopt one of the following typical correspondences to establish an IRF connection.
      - The dual-port 10 GE CX4 interface module is used in the following examples to introduce corre...

  • Page 1169

    1-7 Figure 1-8 Correspondence in non-aggregate mode for two interface modules. When two dual-port interface modules are installed, if the correspondence is not in the aggregate mode, you can bind an IRF port to any physical IRF port (Figure 1-8 only shows one possibility). However, you must ensure t...

  • Page 1170

    1-8 If one dual-port interface module and one single-port interface module are installed, you can bind two physical IRF ports on the dual-port interface module to the IRF port in aggregate mode, and bind the physical IRF port on the single-port interface module to the other IRF port in non-aggregate...

  • Page 1171

    1-9
      - The precision of the system up-time is six minutes. For example, if two devices with the same priority values reboot one after another within six minutes, they will have the same system up-time and the last role election principle will be followed, that is, the one with the lowest bridge MAC a...

  • Page 1172

    1-10 Figure 1-10 Automatic numbering for a daisy chain connection (figure residue: before election Device A, Device B, Device C and Device D each show MemberID=1; after election Device B is the master with MemberID=1, and Device A, Device C and Device D are slaves with MemberID=2, 3 and 4). Suppose Device B is elected as the master...

  • Page 1173

    1-11 the front panel is numbered 0, and subslots of the two expansion slots on the rear panel are numbered 1 and 2 from left to right.
      - Interface serial number is dependent on the number of interfaces supported by the device. View the silkscreen on the interface card for the number of supported int...

  • Page 1174

    1-12 ...
      %Created dir flash:/test.
      dir
      Directory of flash:/
         0 -rw-  10105088  Apr 26 2000 13:44:57   test.bin
         1 -rw-      2445  Apr 26 2000 15:18:19   config.cfg
         2 drw-         -  Jul 14 2008 15:20:35   test
      30861 KB total (20961 KB free)
      2) To create and access the test folder under the root directory of the flash on IRF...

  • Page 1175: Irf Configuration Task List

    1-13 all slaves execute the same saving operation to make the initial configuration files of all devices consistent. Through the real-time synchronization, all devices in the IRF keep the same configuration file. If the master fails, all the other devices can execute various functions according to t...

  • Page 1176: Irf Configuration

    1-14 Complete the following tasks to configure IRF:
      Task | Remarks
      Configuring IRF ports | Required
      Setting a member ID for a device | Optional
      Specifying a priority for an IRF member | Required
      Specifying the preservation time of IRF bridge MAC address | Optional
      Enabling auto upgrade of boot files | Optional
      ...

  • Page 1177

    1-15
      - The above configuration takes effect after the reboot of the device.
      - An IRF port that is bound with multiple physical IRF ports is an aggregation IRF port, which increases the bandwidth and reliability on the IRF port. If you specify multiple physical IRF ports with the port-list argument, ...

  • Page 1178

    1-16
      - The above setting takes effect after the reboot of the device.
      - You can use the display irf configuration command to view the current member ID of the device and the member ID that will be used after the device reboots.
      - In an IRF, member IDs are not only used to identify devices, but also used t...

  • Page 1179

    1-17 called the IRF bridge MAC address. Typically, an IRF uses the bridge MAC address of the master device as the IRF bridge MAC address. You are recommended to configure the preservation time of the IRF bridge MAC address properly; otherwise, network problems will occur:
      - If a master leaves an IRF to ...

  • Page 1180

    1-18 from the master automatically, reboots with the new boot file, and joins the IRF again. If the downloaded boot file and the local file have duplicate file names, the local file is overwritten. Follow these steps to enable auto upgrade of boot files in an IRF: To do… Use the command… Remarks Ent...

  • Page 1181: Logging In to An Irf

    1-19 Logging in to an IRF. Logging in to the master: after an IRF is formed, you can access the console of the IRF system through the AUX or console port of any member device. Configure an IP address for the VLAN interface of a member device and make sure that the route is reachable, and then you can ...

  • Page 1182: Irf Configuration Examples

    1-20 Displaying and maintaining IRF
      To do… | Use the command… | Remarks
      Display related information of the IRF | display irf | Available in any view
      Display topology information of the IRF | display irf topology | Available in any view
      Display the pre-configurations of all members of the IRF (the pre-configurat...

  • Page 1183

    1-21
      Warning: Renumbering the switch number may result in configuration change or loss. Continue?[Y/N]:y
      [Switch2] irf member 1 irf-port 1 port 2
      [Switch2] irf member 1 irf-port 2 port 3
      # Configure Switch 3.
      system-view
      [Switch3] irf member 1 renumber 3
      Warning: Renumbering the switch number may re...

  • Page 1184: Table of Contents

    i Table of Contents
      1 Automatic Configuration ... 1-1
        Introduction to Automatic Configuration ...

  • Page 1185: Automatic Configuration

    1-1 1 Automatic Configuration. When configuring automatic configuration, go to these sections for information you are interested in:
      - Introduction to automatic configuration
      - Typical networking of automatic configuration
      - How automatic configuration works
    Introduction to automatic configuration. Au...

  • Page 1186

    1-2 name of the TFTP server from a DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server. If the DHCP server, TFTP server, DNS server, and the device that performs automatic configuration are not in the same segment,...

  • Page 1187

    1-3 Figure 1-2 Work flow of automatic configuration (flowchart residue: start the device without loading the configuration file; the interface obtains parameters through DHCP; is the TFTP server address contained in the parameters? (yes/no); unicast a TFTP request to obtain the configuration file; broadcast a ...

  • Page 1188

    1-4
      - The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first resolves the Option 67 field; if this field contains the configuration file name, the device does not resolve the file field; otherwise, it resolves the file field.
      - Temporary configurat...

  • Page 1189

    1-5 You need to configure a client ID (when a device works as the DHCP client, it uses the client ID as its ID) of the static binding when you configure manual address allocation. Therefore, you need to obtain the client ID in this way: start the device that performs automatic configuration, enable ...

  • Page 1190

    1-6 Obtaining the configuration file. Figure 1-3 Obtain the configuration file (flowchart residue: is the configuration file contained in the DHCP response?; obtain the network intermediate file; search the domain name corresponding to the IP address in the network intermediate file; yes: obtain the specified configuration ...

  • Page 1191

    1-7
      - If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcasts a TFTP request to the TFTP server.
      - When broadcasting a TFTP request, the device obtains the configuration file from the TFTP server that responds the...