H3C S5120-SI Series Configuration Manual
Page 1
H3C S5120-SI Series Ethernet Switches, Layer 3 IP Services Configuration Guide. Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com
Page 2
Copyright © 2003-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks: H3C, Aolynk, H3Care, TOP G, i...
Page 3
Preface. The H3C S5120-SI documentation set includes 13 configuration guides, which describe the software features for the H3C S5120-SI Series Ethernet switches and guide you through the software configuration procedures. These configuration guides also provide configuration examples to help you appl...
Page 4
Conventions. This section describes the conventions used in this documentation set. Command conventions (Convention / Description): Boldface: bold text represents commands and keywords that you enter literally as shown. Italic: italic text represents arguments that you replace with actual values. [ ]: squa...
Page 5
Network topology icons (Convention / Description): represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 for...
Page 6
About the H3C S5120-SI documentation set (Category / Documents / Purposes). Product description and specifications: marketing brochures describe product specifications and benefits; technology white papers provide an in-depth description of software features and technologies; card datasheets describe card...
Page 7
Obtaining documentation. You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support & Documents > Technical Documents] provides har...
Page 8
Table of contents: Preface, 3; Audience, ...
Page 9
ARP detection configuration example II, 27; Configuring periodic sending of gratuitous ARP packets, ...
Page 10
Configuring DHCP snooping to support Option 82, 50; Displaying and maintaining DHCP snooping, 52; DH...
Page 11
ARP configuration. ARP overview. ARP function: ARP is used to resolve an IP address into a physical address, such as an Ethernet MAC address. In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the destination IP address to the corresponding MAC address. ARP mess...
Page 12
• Target protocol address: this field specifies the protocol address of the device the message is being sent to. ARP address resolution process: suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 2. The resolution process is as follows: 1....
Page 13
ARP table. After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping is used for forwarding packets with the same destination in future. An ARP table contains ARP entries, which fall into one of two categories: dynamic or s...
Page 14
(To do… / Use the command… / Remarks) 2. Configure a permanent static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number. Required; no permanent static ARP entry is configured by default. 3. Configure a non-permanent static ARP entry: arp static ip-address mac-address. Req...
Page 15
Enabling ARP entry check. The ARP entry check function controls whether the switch can learn multicast MAC addresses. • When ARP entry check is enabled, the switch cannot learn any ARP entry with a multicast MAC address, and you are not allowed to configure a static ARP entry with a multicast MAC ...
Page 16
Configuration procedure. Configure Switch: create VLAN 10. <Switch> system-view [Switch] vlan 10 [Switch-vlan10] quit. Add interface GigabitEthernet 1/0/1 to VLAN 10. [Switch] interface gigabitethernet 1/0/1 [Switch-GigabitEthernet1/0/1] port access vlan 10 [Switch-GigabitEthernet1/0/1] quit. Create interface...
Page 17
(To do… / Use the command… / Remarks) 1. Enter system view: system-view. 2. Enable the device to send gratuitous ARP packets when receiving ARP requests from another network segment: gratuitous-arp-sending enable. Required; by default, a device cannot send gratuitous ARP packets when receiving ARP request...
Page 18
ARP attack defense configuration. Although ARP is easy to implement, it carries no authentication of the sender, so it is vulnerable to network attacks. ARP attacks and viruses can be a threat to LAN security. However, the device provides multiple features to detect and prevent such attacks. Configuring ARP active acknowledgement. Introduct...
Page 19
Configuring source MAC address based ARP attack detection. Introduction: with this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the configured threshold. The detec...
Page 20
Configuring protected MAC addresses. You can specify certain MAC addresses, such as that of a gateway or important servers, as protected MAC addresses. A protected MAC address is excluded from ARP attack detection. It will not trigger an alarm or filtering even when it sends more ARP packets than ...
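The rate check described on pages 19 and 20 (count ARP packets per source MAC over a five-second window, raise an alarm when the threshold is exceeded, optionally filter, and never act on a protected MAC) is small enough to model end to end. The following is an added example, not code from the H3C manual or from the switch software; the "filter" and "monitor" mode names, the sliding-window aging and the sample MAC addresses are assumptions chosen to illustrate the behaviour, not the switch's internal implementation.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5.0   # the page's detection window


class ArpSourceMacDetector:
    """Per-source-MAC ARP rate check with a protected-MAC exclusion list.

    mode="monitor": only record an alarm for the offending MAC (assumed mode name).
    mode="filter":  additionally drop the MAC's ARP packets while it is over the threshold.
    """

    def __init__(self, threshold, mode="monitor", protected=()):
        self.threshold = threshold
        self.mode = mode
        self.protected = {m.lower() for m in protected}
        self.events = defaultdict(deque)   # mac -> timestamps inside the window
        self.attackers = {}                # mac -> time first detected
        self.alarms = []                   # (time, mac, packets in window)

    def observe(self, ts, src_mac):
        """Return 'forward' or 'drop' for one ARP packet delivered to the CPU at time ts."""
        mac = src_mac.lower()
        if mac in self.protected:          # gateway/server MACs are never counted (page 20)
            return "forward"
        window = self.events[mac]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:   # age out packets older than 5 s
            window.popleft()
        if len(window) > self.threshold:
            if mac not in self.attackers:  # one alarm per attacking MAC
                self.attackers[mac] = ts
                self.alarms.append((ts, mac, len(window)))
            if self.mode == "filter":
                return "drop"
        return "forward"


def run_sample():
    """Replay constructed traffic: a quiet host, a flooding host and a protected gateway."""
    det = ArpSourceMacDetector(threshold=30, mode="filter", protected=["00aa-bbcc-0001"])
    decisions = defaultdict(lambda: {"forward": 0, "drop": 0})
    traffic = []
    traffic += [(i * 0.5, "0001-0203-0607") for i in range(5)]      # normal host: 5 ARPs in 2.5 s
    traffic += [(1.0 + i * 0.02, "dead-beef-0001") for i in range(50)]   # flood: 50 ARPs in 1 s
    traffic += [(2.0 + i * 0.01, "00aa-bbcc-0001") for i in range(100)]  # gateway, protected
    for ts, mac in sorted(traffic):
        decisions[mac][det.observe(ts, mac)] += 1
    return det, dict(decisions)


if __name__ == "__main__":
    detector, summary = run_sample()
    for mac, counts in summary.items():
        print(mac, counts)
    print("attackers:", sorted(detector.attackers))
```

Note that the flooding host's first 30 packets are still forwarded: a threshold-based detector only reacts once the rate is exceeded, which is why the page recommends protecting the gateway MAC rather than relying on the threshold alone for critical hosts.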
Page 22
Figure 4 Man-in-the-middle attack (Switch; Host A IP_A/MAC_A; Host B IP_B/MAC_B; Host C IP_C/MAC_C sending forged ARP replies to A and B). ARP detection mechanism: with ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN are redirected to the CPU to have their MAC ...
Page 23
• The device, upon receiving an ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security entries. ○ If an entry with identical source IP and MAC addresses, port index, and VLAN ID is found, the ARP packet is considered valid. ○ If an entry with no matching IP add...
Page 24
(To do… / Use the command… / Remarks) 3. Enable ARP detection for the VLAN: arp detection enable. Required; disabled by default. That is, ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings is not enabled by default. 4. Return to system view: quit. 5. Enter Ether...
Page 25
• ip: checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP add...
Page 26
Figure 5 Network diagram for ARP detection configuration (DHCP client Host A on GE1/0/1, Host B on GE1/0/2, gateway/DHCP server on GE1/0/3 of Switch A; VLAN 10 with DHCP snooping; Host A 10.1.1.6, 0001-0203-0607). Configuration procedure: • Add all the ports on Switch A to VLAN 10 (the configuration procedure is not shown). • Co...
Page 27
[SwitchA] arp detection validate dst-mac ip src-mac. After the preceding configurations are completed, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked against the IP-to-MAC binding and f...
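To make the two-stage check on pages 22 to 27 concrete (first the validity checks selected with arp detection validate, then, for ARP untrusted ports only, the lookup against the IP-to-MAC bindings), here is an added example that parses raw Ethernet/ARP frames and applies both stages. It is not code from the manual or the switch; the exact semantics of the dst-mac and src-mac objects (consistency with the Ethernet header, rejection of all-zero and all-one target MACs), the single binding table standing in for DHCP snooping entries, 802.1X security entries and static bindings, and the MAC addresses used are assumptions made for the example.

```python
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


def mac_bytes(s):
    """Accept H3C style 0001-0203-0607 as well as 00:01:02:03:06:07."""
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II + IPv4-over-Ethernet ARP frame (constructed test input)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": frame[:6], "eth_src": frame[6:12], "op": op, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}


def ip_invalid(ip):
    """All-zero, all-one or multicast (224.0.0.0/4) addresses are invalid (page 25)."""
    return ip in (b"\x00" * 4, b"\xff" * 4) or (ip[0] & 0xF0) == 0xE0


def validate(pkt, objects):
    """Stage 1: the checks selected by 'arp detection validate'. Returns a reason or None."""
    if "src-mac" in objects and pkt["sha"] != pkt["eth_src"]:
        return "sender MAC differs from Ethernet source MAC"
    if "dst-mac" in objects and pkt["op"] == ARP_REPLY:
        if pkt["tha"] in (ZERO_MAC, BROADCAST_MAC) or pkt["tha"] != pkt["eth_dst"]:
            return "target MAC of reply invalid or differs from Ethernet destination"
    if "ip" in objects:   # replies: sender and target IP; requests: sender IP only
        to_check = [pkt["spa"], pkt["tpa"]] if pkt["op"] == ARP_REPLY else [pkt["spa"]]
        if any(ip_invalid(ip) for ip in to_check):
            return "all-zero, all-one or multicast IP address"
    return None


def arp_detection(frame, vlan, port, trusted_ports, bindings,
                  objects=("dst-mac", "ip", "src-mac")):
    """Stage 2 after stage 1: bindings are (ip, mac, vlan, port) tuples."""
    pkt = parse_arp(frame)
    if pkt is None:
        return ("drop", "not an IPv4 Ethernet ARP frame")
    reason = validate(pkt, objects)
    if reason:
        return ("drop", reason)
    if port in trusted_ports:
        return ("forward", "ARP trusted port, binding check skipped")
    if (pkt["spa"], pkt["sha"], vlan, port) in bindings:
        return ("forward", "matches binding entry")
    return ("drop", "no binding entry for sender IP/MAC on this VLAN and port")


def run_sample():
    """Constructed scenario modelled on Figure 5: Host A is bound, Host C forges replies."""
    bindings = {(ip_bytes("10.1.1.6"), mac_bytes("0001-0203-0607"), 10, "GE1/0/1")}
    trusted = {"GE1/0/3"}                       # uplink to gateway/DHCP server (assumed trusted)
    gw, a, c = "0000-5e00-0101", "0001-0203-0607", "000c-2900-0c0c"   # gw and c MACs are made up
    legit = build_arp(gw, a, ARP_REPLY, a, "10.1.1.6", gw, "10.1.1.1")
    forged = build_arp(a, c, ARP_REPLY, c, "10.1.1.1", a, "10.1.1.6")       # C claims the gateway IP
    spoofed = build_arp(a, c, ARP_REPLY, gw, "10.1.1.1", a, "10.1.1.6")     # sender MAC != frame source
    probe = build_arp("ffff-ffff-ffff", a, ARP_REQUEST, a, "0.0.0.0", "0000-0000-0000", "10.1.1.6")
    return [
        arp_detection(legit, 10, "GE1/0/1", trusted, bindings),
        arp_detection(forged, 10, "GE1/0/2", trusted, bindings),
        arp_detection(spoofed, 10, "GE1/0/2", trusted, bindings),
        arp_detection(probe, 10, "GE1/0/1", trusted, bindings),
        arp_detection(forged, 10, "GE1/0/3", trusted, bindings),   # same forgery on a trusted port
    ]


if __name__ == "__main__":
    for decision, why in run_sample():
        print(decision, "-", why)
```

Two points the sample makes that the page only implies: a forged reply that arrives on an ARP trusted port is forwarded without any binding check, so trusted ports must be limited to the uplink towards the gateway and DHCP server; and the ip object also discards an address-conflict probe whose sender IP is 0.0.0.0, so hosts that rely on such probes need the ip object left out or a separate allowance.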
Page 28
[SwitchA-GigabitEthernet1/0/2] quit. Add local access user test. [SwitchA] local-user test [SwitchA-luser-test] service-type lan-access [SwitchA-luser-test] password simple test [SwitchA-luser-test] quit. (The simple keyword stores the password in clear text in the configuration file; outside a lab, use password cipher and a non-trivial password.) Enable ARP detection for VLAN 10. [SwitchA] vlan 10 [SwitchA-vlan10] arp detection enable. Conf...
Page 29
• This feature takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface. • If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
Page 30
IP addressing configuration. IP addressing overview. IP address classes: IP addressing uses a 32-bit address to identify each host on a network. An example is 00001010000000010000000100000001 in binary, which can also be written as 10.1.1.1 in the easier-to-read dotted decimal notation (in which ea...
Page 31
(Class / Address range / Remarks) D: 224.0.0.0 to 239.255.255.255, multicast addresses. E: 240.0.0.0 to 255.255.255.255, reserved for future use except for the broadcast address 255.255.255.255. Special IP addresses: the following IP addresses are for special use, and they cannot be used as host IP addresse...
Page 32
before being subnetted. (65,534 is 2^16 - 2, the two deducted addresses being the broadcast address and the network address.) When the first 9 bits of the host ID are used to break the Class B network down into 512 (2^9) subnets, only 7 bits remain to use for the host ID in each subnet, and, in ...
Page 33
DHCP relay agent configuration. Introduction to DHCP relay agent. Application environment: via a relay agent, DHCP clients can communicate with a DHCP server on another subnet to obtain configuration parameters. DHCP clients on different subnets can contact the same DHCP server rather than having a ...
Page 34
Figure 10 DHCP relay agent work process. As shown in Figure 10, the DHCP relay agent works as follows: 1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to...
Page 35
(If a client's requesting message has… / Handling strategy / Padding format / The DHCP relay agent will…) (Option 82, replace, continued from the previous page) user-defined: forward the message after replacing the original Option 82 with the user-defined Option 82. No Option 82, any strategy, normal: forward the message after adding the Option 82 padded in normal format. ...
Page 36
The address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server. Otherwise, the DHCP client cannot obtain a correct IP address via the DHCP relay agent. Correlating a DHCP server group with a relay agent interface: this is a required tas...
Page 37
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after the clients obtain IP addresses through DHCP. The feature also supports static bindings, so you can configure static IP-to-MAC bindings on the DHCP relay agent, enabling users to access extern...
Page 38
To configure the dynamic binding update interval (To do… / Use the command… / Remarks): 1. Enter system view: system-view. 2. Enable periodic refresh of dynamic client entries: dhcp relay security refresh enable. Optional; enabled by default. 3. Configure the binding update interval: dhcp relay security tracker { ...
Page 39
Configuring the DHCP relay agent to support Option 82. Prerequisites: complete the following tasks first, before configuring the DHCP relay agent to support Option 82: • enabling DHCP • enabling the DHCP relay agent on the specified interface • correlating a DHCP server group with the relay agent inter...
Page 40
• To support Option 82, related configuration is required on both the DHCP server and the relay agent. • If the handling strategy of the DHCP relay agent is configured as replace, you need to configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure an...
Page 41
relay agent is deployed to forward messages between DHCP clients and the DHCP server. VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24. F...
Page 42
DHCP relay agent Option 82 support configuration example. Network requirements: • As shown in Figure 11 on page 41, enable Option 82 on the DHCP relay agent (Switch A). • Configure the handling strategy for DHCP requests containing Option 82 as replace. • Configure the padding content for the circu...
Page 43
Analysis: some problems may occur with the DHCP relay agent or server configuration. Enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information for locating the problem. Solution: check that • DHCP is enabled on the DH...
Page 44
DHCP client configuration. • When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server. Introduction to DHCP client: with the DHCP client enabled on an interface, the interfac...
Page 45
Displaying and maintaining the DHCP client (To do… / Use the command… / Remarks): display specified configuration information: display dhcp client [ verbose ] [ interface interface-type interface-number ]. Available in any view. DHCP client configuration example. Network requirements: as shown in Figure 12, ...
Page 46
DHCP snooping configuration. • The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. DHCP snooping overview. Function of DHCP snooping: as a DHCP security...
Page 47
• ports that connect to DHCP clients • VLANs to which the ports belong. Application environment of trusted ports. Configuring a trusted port connected to a DHCP server. Figure 13 Configure trusted and untrusted ports. As shown in Figure 13, a DHCP snooping device's port that is connected to an author...
Page 48
Figure 14 Configure trusted ports in a cascaded network. Table 3 describes the roles of the ports shown in Figure 14. Table 3 Roles of ports (Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries): Switch A: GE1/0/1; GE1/0/3; GE1/0/2. Switch...
Page 49
Table 4 DHCP snooping and Option 82 (If a client's requesting message has… / Handling strategy / Padding format / The DHCP snooping device will…): Option 82, drop, random: drop the message. Option 82, keep, random: forward the message without changing Option 82. Option 82, replace, normal: forward the message after replacing the orig...
Page 50
• You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN. • You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interf...
Page 53
Figure 15 Network diagram for DHCP snooping configuration. Configuration procedure: enable DHCP snooping. <SwitchB> system-view [SwitchB] dhcp-snooping. Specify GigabitEthernet 1/0/1 as trusted. [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchB-GigabitEthern...
Page 54
[SwitchB-GigabitEthernet1/0/1] quit. Configure GigabitEthernet 1/0/2 to support Option 82. [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] dhcp-snooping information enable [SwitchB-GigabitEthernet1/0/2] dhcp-snooping information strategy replace [SwitchB-GigabitEthernet1/0...
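The DHCP snooping behaviour spread over pages 46 to 54 (server messages are only accepted from trusted ports, IP-to-MAC bindings are learned from the server's DHCP-ACK, and client requests get the drop/keep/replace Option 82 treatment of Table 4, which is the same strategy table the relay agent applies on page 35) fits in one worked example. The code below is an added example, not code from the H3C manual or the switch software. Its assumptions: the Option 82 "normal" padding is simplified to a circuit ID of VLAN ID plus port index and a remote ID of the device MAC (not H3C's wire layout); the port index is taken from the last number of the interface name; the device MAC, client MAC and transaction IDs are constructed for the sample.

```python
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}
COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255


def parse_options(raw):
    """Return [(code, value), ...] from a DHCP option field; pads skipped, stops at END."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):      # truncated option: stop rather than read past the buffer
            break
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def parse_dhcp(pkt):
    """Minimal BOOTP/DHCP parse: op, xid, yiaddr, chaddr, message type, options."""
    if len(pkt) < 240 or pkt[236:240] != COOKIE:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts = parse_options(pkt[240:])
    mtype = next((v[0] for c, v in opts if c == OPT_MSG_TYPE and v), None)
    return {"op": op, "xid": xid, "yiaddr": pkt[16:20], "chaddr": pkt[28:28 + hlen],
            "type": mtype, "opts": opts, "hdr": pkt[:240]}


def build_dhcp(mtype, xid, chaddr, yiaddr=b"\0" * 4, extra_opts=()):
    """Constructed DHCP message (fixed 236-byte BOOTP header + cookie + options)."""
    op = 2 if mtype in SERVER_MSGS else 1
    hdr = (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + b"\0" * 4 + yiaddr + b"\0" * 8
           + chaddr.ljust(16, b"\0") + b"\0" * 192)
    return hdr + COOKIE + encode_options([(OPT_MSG_TYPE, bytes([mtype]))] + list(extra_opts))


def port_index(port):
    """Assumed: the last number of 'GE1/0/2' stands in for the port index."""
    return int(port.rsplit("/", 1)[-1])


def option82(vlan, pindex, device_mac):
    """Simplified 'normal' padding: sub-option 1 circuit ID, sub-option 2 remote ID (assumed layout)."""
    circuit = struct.pack("!HH", vlan, pindex)
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(device_mac)]) + device_mac


class DhcpSnooping:
    def __init__(self, trusted_ports, device_mac, strategy="replace"):
        self.trusted, self.device_mac, self.strategy = set(trusted_ports), device_mac, strategy
        self.bindings = {}   # yiaddr -> (client MAC, VLAN, client port)
        self.pending = {}    # xid -> (VLAN, port) of the client's request

    def process(self, pkt, vlan, port):
        """Return (decision, reason, packet_to_forward_or_None)."""
        msg = parse_dhcp(pkt)
        if msg is None:
            return ("drop", "not a DHCP message", None)
        if port not in self.trusted:
            if msg["type"] in SERVER_MSGS:        # rogue server behind an untrusted port
                return ("drop", "server message on untrusted port", None)
            self.pending[msg["xid"]] = (vlan, port)
            return self._client_request(msg, vlan, port)
        if msg["type"] == ACK and msg["xid"] in self.pending:   # learn binding from the real server
            cvlan, cport = self.pending.pop(msg["xid"])
            self.bindings[msg["yiaddr"]] = (msg["chaddr"], cvlan, cport)
        return ("forward", "trusted port", pkt)

    def _client_request(self, msg, vlan, port):
        has82 = any(c == OPT_RELAY_INFO for c, _ in msg["opts"])
        if self.strategy == "drop" and has82:
            return ("drop", "option 82 present", None)
        if self.strategy in ("keep", "drop"):
            return ("forward", "option 82 untouched", msg["hdr"] + encode_options(msg["opts"]))
        opts = [(c, v) for c, v in msg["opts"] if c != OPT_RELAY_INFO]   # replace: strip old one
        opts.append((OPT_RELAY_INFO, option82(vlan, port_index(port), self.device_mac)))
        return ("forward", "option 82 replaced" if has82 else "option 82 added",
                msg["hdr"] + encode_options(opts))


def run_sample():
    dev_mac = bytes.fromhex("00e0fc000001")          # constructed snooping-device MAC
    client = bytes.fromhex("000102030607")           # constructed client MAC
    snoop = DhcpSnooping(trusted_ports={"GE1/0/1"}, device_mac=dev_mac, strategy="replace")
    foreign82 = (OPT_RELAY_INFO, b"\x01\x02\xaa\xbb")
    return snoop, [
        snoop.process(build_dhcp(DISCOVER, 0x1234, client), 10, "GE1/0/2"),
        snoop.process(build_dhcp(OFFER, 0x1234, client, bytes([192, 168, 9, 9])), 10, "GE1/0/3"),
        snoop.process(build_dhcp(ACK, 0x1234, client, bytes([10, 1, 1, 6])), 10, "GE1/0/1"),
        snoop.process(build_dhcp(REQUEST, 0x5678, client, extra_opts=[foreign82]), 10, "GE1/0/2"),
    ]


if __name__ == "__main__":
    snooping, results = run_sample()
    for decision, why, _ in results:
        print(decision, "-", why)
    print({ip.hex(): (mac.hex(), vlan, port) for ip, (mac, vlan, port) in snooping.bindings.items()})
```

The binding learned from the ACK (10.1.1.6, client MAC, VLAN 10, GE1/0/2) is exactly the tuple the ARP detection check consumes, which is why the page insists the trusted port and the client port share a VLAN and why a trusted port placed in front of an untrusted uplink silently admits a rogue server.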
Page 55
BOOTP client configuration. • If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server. Introduction to BOOTP client. BOOTP application: after you specify an interface of a device ...
Page 56
• RFC 951: Bootstrap Protocol (BOOTP) • RFC 2132: DHCP Options and BOOTP Vendor Extensions • RFC 1542: Clarifications and Extensions for the Bootstrap Protocol. Configuring an interface to dynamically obtain an IP address through BOOTP. To configure an interface to dynamically obtain an IP address:...
Page 57
Figure 16 Network diagram for BOOTP (WINS server 10.1.1.4/25; Switch B as client; DNS server 10.1.1.2/25; DHCP server Vlan-int1 10.1.1.1/25; Gateway A Vlan-int1 10.1.1.126/25). Configuration procedure: the following describes only the configuration on Switch B serving as a client. Configure VLAN-inte...
Page 58
IP performance optimization configuration. IP performance optimization overview: in some network environments, you can adjust the IP parameters to achieve the best network performance. IP performance optimization configuration includes: • enabling the device to receive and forward directed broadcasts •...
Page 59
Enabling forwarding of directed broadcasts to a directly connected network. If a device is enabled to receive directed broadcasts, the device will determine whether to forward them according to the configuration on the outgoing interface. Leave directed-broadcast forwarding disabled unless an application needs it: a forwarded directed broadcast lets an outside host make every host on the subnet reply at once, the amplification that Smurf-style attacks rely on. To enable the device to forward directed broadcasts (To do…...
Page 60
To enable the SYN Cookie feature (To do… / Use the command… / Remarks): 1. Enter system view: system-view. 2. Enable the SYN Cookie feature: tcp syn-cookie enable. Required; disabled by default. • When you enable the SYN Cookie feature, it will not function if MD5 authentication is enabled. However, i...
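Why a SYN cookie defeats a SYN flood without a connection table is easier to see in code than in a command table. The following is an added example, not the switch's implementation: the listener answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection 4-tuple and a coarse timestamp, with the client's MSS folded into three bits, and accepts the final ACK only if that value verifies. The bit layout (5-bit timestamp, 3-bit MSS index, 24-bit hash), the MSS table, the 64-second tick, the secret key and all addresses are assumptions made for the example, not values from the H3C guide.

```python
import hashlib
import hmac
import random
import struct

MSS_TABLE = (536, 1024, 1220, 1440, 1460)   # 3-bit MSS index (assumed table)
TICK_SECONDS = 64                            # coarse clock; current or previous tick is accepted


class SynCookieListener:
    """Stateless SYN handling: the SYN-ACK sequence number is a keyed hash, not a table entry."""

    def __init__(self, key):
        self.key = key
        self.half_open = {}   # what a stateful listener would fill during a flood; stays empty

    def _hash24(self, saddr, daddr, sport, dport, tick):
        msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, tick)
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:3], "big")

    @staticmethod
    def _mss_index(mss):
        idx = 0
        for i, m in enumerate(MSS_TABLE):   # largest table entry not above the offered MSS
            if m <= mss:
                idx = i
        return idx

    def on_syn(self, saddr, daddr, sport, dport, mss, now):
        """Return the SYN-ACK sequence number (the cookie). Nothing is stored."""
        tick = (int(now) // TICK_SECONDS) & 0x1F
        return (tick << 27) | (self._mss_index(mss) << 24) | self._hash24(saddr, daddr, sport, dport, tick)

    def on_ack(self, saddr, daddr, sport, dport, ack, now):
        """Return the MSS to use if ack-1 is a cookie we issued recently for this 4-tuple, else None."""
        cookie = (ack - 1) & 0xFFFFFFFF
        tick, cur = cookie >> 27, (int(now) // TICK_SECONDS) & 0x1F
        if (cur - tick) & 0x1F > 1:
            return None                                   # too old: replayed or forged
        if (cookie & 0xFFFFFF) != self._hash24(saddr, daddr, sport, dport, tick):
            return None                                   # wrong 4-tuple, wrong key or guessed
        return MSS_TABLE[(cookie >> 24) & 0x7]


def flood_demo():
    """10,000 spoofed SYNs leave no state; then one real client completes the handshake."""
    srv = SynCookieListener(key=b"constructed-demo-key-not-for-production")
    srv_ip, rng = bytes([10, 1, 1, 1]), random.Random(1)
    for _ in range(10_000):
        spoofed = bytes(rng.randrange(1, 255) for _ in range(4))
        srv.on_syn(spoofed, srv_ip, rng.randrange(1024, 65535), 80, 1460, now=1000.0)
    client, sport = bytes([10, 1, 1, 6]), 40000
    cookie = srv.on_syn(client, srv_ip, sport, 80, 1452, now=1000.0)
    return srv, {
        "state_entries": len(srv.half_open),
        "legit_mss": srv.on_ack(client, srv_ip, sport, 80, cookie + 1, now=1001.0),
        "forged": srv.on_ack(client, srv_ip, sport, 80, (cookie ^ 0x55) + 1, now=1001.0),
        "wrong_port": srv.on_ack(client, srv_ip, sport + 1, 80, cookie + 1, now=1001.0),
        "stale": srv.on_ack(client, srv_ip, sport, 80, cookie + 1, now=1000.0 + 3 * TICK_SECONDS),
    }


if __name__ == "__main__":
    _, report = flood_demo()
    print(report)
```

The price of statelessness is visible in on_ack: only the MSS survives the round trip, so options such as window scaling and SACK that the client offered in its SYN are lost, which is why production stacks fall back to cookies only once the backlog is exhausted rather than using them for every connection.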
Page 61
• With protection against Naptha attack enabled, the device periodically checks and records the number of TCP connections in each state. • With protection against Naptha attack enabled, if the device detects that the number of TCP connections in a state exceeds the maximum number, the device cons...
Page 62
Advantages of sending ICMP error packets. 1. Sending ICMP timeout packets: if the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source. The device will send an ICMP timeout packet under the following conditions: ○ if the device finds ...
Page 63
(To do… / Use the command… / Remarks) 2. Enable sending of ICMP timeout packets: ip ttl-expires enable. Required; disabled by default. 3. Enable sending of ICMP destination unreachable packets: ip unreachables enable. Required; disabled by default. The device stops sending "TTL timeout" ICMP error packets if...
Page 64
Obtaining support for your product. Register your product: warranty and other service benefits start from the date of purchase, so it is important to register your product quickly to ensure you get full use of the warranty and other service benefits available to you. Warranty and other service bene...
Page 65
Access software downloads: software updates are the bug fix / maintenance releases for the version of software initially purchased with the product. In order to access these software updates you must first register your product on the web site at http://www.h3cnetworks.com, go to Support, Product ...
Page 66
Acronyms (Acronym: Full spelling). 10GE: Ten-GigabitEthernet; 3DES: Triple Data Encryption Standard. A: AAA: Authentication, Authorization and Accounting; ABC: Activity Based Costing; ABR: Area Border Router; AC: Alternating Current; ACK: Acknowledg...
Page 67
AT: AppleTalk; ATM: Asynchronous Transfer Mode; AUX: Auxiliary (port); AVF: Active Virtual Forwarder. B: BAGG: Bridge Aggregation; BAS: Broadband Access Server; BC: Bearer Control; BDR: Backup Designated Router; BE: Best Effort; BFD: Bidirectional Forwarding Detection; BGP: Border Gateway...
Page 68
CCM: Continuity Check Message; CDP: Cisco Discovery Protocol; CE: Customer Edge, Customer Edge device; CF card: CompactFlash card; CFD: Connectivity Fault Detection; CFI: Canonical Format Indicator; CFM: Configuration File Management, Connectivity Fault Management; CHAP: Challenge Handsha...
Page 69
DBA: Dynamic Bandwidth Allocation; DCE: Data Circuit-terminating Equipment; DD: Database Description; DDN: Digital Data Network; DES: Data Encryption Standard; DHCP: Dynamic Host Configuration Protocol; DiffServ: Differentiated Services; DIS: Designated Intermediate System; DLCI: Data Link Conne...
Page 70
EF: Expedited Forwarding; EGP: Exterior Gateway Protocol; EOAM: Ethernet Operation, Administration, and Maintenance; EPON: Ethernet Passive Optical Network; ES: End System; ES-IS: End System to Intermediate System. F: FCoE: Fibre Channel over Ethernet; FC: Forwarding Class; FCS: Frame Ch...
Page 71
GVRP: GARP VLAN Registration Protocol. H: HA: High Availability; HABP: HW Authentication Bypass Protocol; HDLC: High-level Data Link Control; HEC: Header Error Control; HGMP: HW Group Management Protocol; HGMPv2: HW Group Management Protocol version 2; HMAC: Hash-based Message Authen...
Page 72
IGP: Interior Gateway Protocol; IIH: IS-to-IS Hello protocol data unit; ILM: Incoming Label Map; ILS: Internet Locator Service; IMC: Intelligent Management Center; IN: Intelligent Network; IntServ: Integrated Services; IP: Internet Protocol; IPC: Inter-Process Communication; IPng: IP Next Gener...
Page 73
LACPDU: Link Aggregation Control Protocol Data Unit; LAN: Local Area Network; LAPB: Link Access Procedure, Balanced; LB: Loopback; LBM: Loopback Message; LBR: Loopback Reply; LCP: Link Control Protocol; LDAP: Lightweight Directory Access Protocol; LDP: Label Distribution Protocol; LER: Label E...
Page 74
LTM: Linktrace Message; LTR: Linktrace Reply message; LVF: Listening Virtual Forwarder. M: MA: Maintenance Association; MAC: Media Access Control; MAD: Multi-Active Detection; MAFV: MAC-based Auth-Fail VLAN; MAN: Metropolitan Area Network; MaxBC: Maximum Bandwidth Constraints; MBGP: Multicast...
Page 75
MPM: Multicast Port Management; MSC: Mobile Switching Center; MSDP: Multicast Source Discovery Protocol; MSOH: Multiplex Section Overhead; MST: Multiple Spanning Tree; MSTI: Multiple Spanning Tree Instance; MSTP: Multiple Spanning Tree Protocol; MT: Multicast Tunnel; MTBF: Mean Time Between Fai...
Page 76
NQA: Network Quality Analyzer; NS: Neighbor Solicitation; NSAP: Network Service Access Point; NSC: NetStream Collector; N-SEL: NSAP Selector; NSR: Non-Stop Routing; NSSA: Not-So-Stubby Area; NTDP: Neighbor Topology Discovery Protocol; NTK: Need To Know; NTP: Network Time Protocol. O: OAA ...
Page 77
PBR: Policy-Based Routing; PCB: Printed Circuit Board; PCM: Pulse Code Modulation; PD: Powered Device, Prefix Delegation or Pure Data; PDU: Protocol Data Unit; PE: Provider Edge, Provider Edge device; PGV: Port-based Guest VLAN; PHP: Penultimate Hop Popping; PHY: Physical Layer; PIM: Protocol In...
Page 78
PVID: Port VLAN ID; PVST: Per-VLAN Spanning Tree; PW: Pseudowire; PXE: Preboot Execution Environment. Q: QACL: QoS/ACL; QinQ: 802.1Q in 802.1Q; QoS: Quality of Service; QQIC: Querier's Query Interval Code; QRV: Querier's Robustness Variable. R: RA: Registration Authority; R...
Page 79
RRPPDU: Rapid Ring Protection Protocol Data Unit; RS: Router Solicitation; RSA: Rivest-Shamir-Adleman algorithm; RSB: Reservation State Block; RSOH: Regenerator Section Overhead; RSTP: Rapid Spanning Tree Protocol; RSVP: Resource Reservation Protocol; RSVP-TE: Resource Reservation Protocol ...
Page 80
SMB: Standby Main Board; SMTP: Simple Mail Transfer Protocol; SNAP: Subnetwork Access Protocol; SNMP: Simple Network Management Protocol; SNP: Sequence Number Packet; SNPA: Subnetwork Point of Attachment; SOH: Section Overhead; SONET: Synchronous Optical Network; SoO: Site-of-Origin; SP: Stric...
Page 81
TCP: Transmission Control Protocol; TCN: Topology Change Notification; TDMA: Time Division Multiple Access; TE: Traffic Engineering; TEDB: Traffic Engineering Database; TFTP: Trivial File Transfer Protocol; TLS: Transparent LAN Service; TLV: Type-Length-Value; ToS: Type of Service; TP: Traffic...
Page 82
VOS: Virtual Operating System; VPDN: Virtual Private Dial-up Network, Virtual Private Data Network; VPI: Virtual Path Identifier; VPLS: Virtual Private LAN Service; VPN: Virtual Private Network; VRID: Virtual Router ID; VRRP: Virtual Router Redundancy Protocol; VSI: Virtual Switch Inter...
Page 83
Index. Address: assigning to interface (IP addressing), 32. Address resolution (ARP), 12. Aging time (ARP), 14. Application: BOOTP, 55; relay agent...
Page 84
configuring (BOOTP), 55, 56; configuring (DHCP), 44, 45; enabling on interface (DHCP), 44. Concept: relay agent fundamentals (DHCP), 33. Configuring: active acknowledgement (ARP), ...
Page 85
correlating server group with relay agent interface, 36; creating static binding, 36; displaying client, 45; displaying relay agent configuration, ...
Page 86
subnetting, 31. IP performance optimization: configuration, 58; configuring ICMP error packet sending, 61; configuring protection against Naptha attacks, 60; configuring TCP attributes, ...
Page 87
configuring detection based on 802.1X security entries (ARP), 22; configuring detection based on DHCP snooping entries for a VLAN (ARP), 22; configuring detection based on specified objects (ARP), ...
Page 88
configuring basic functions (DHCP), 49; configuring Option 82 support (DHCP), 50, 53; function (DHCP), 46; support for Option 82 (DHCP), 48. Special (IP addresses), ...