H3C S5500-SI Series Operation Manual - Configuring sFlow

Summary of S5500-SI Series

  • Page 1

    H3C S5500-SI Series Ethernet Switches Operation Manual. Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com. Manual version: 20090930-C-1.01. Product version: Release 2202.

  • Page 2

    Copyright © 2009, Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks: H3C, Aolynk, H3Care, TOP G, IRF, N...

  • Page 3: About This Manual

    About this manual organization h3c s5500-si series ethernet switches operation manual is organized as follows: volume features 00-product overview product overview acronyms ethernet interface link aggregation port isolation mstp lldp vlan gvrp qinq 01-access volume bpdu tunneling port mirroring ip a...

  • Page 5

    Related documentation in addition to this manual, each h3c s5500-si series ethernet switch documentation set includes the following: manual description h3c s5500-si complete series ethernet switches installation manual it introduces the installation procedure, commissioning, maintenance and monitori...

  • Page 6: Table of Contents

    i Table of Contents: 1 Obtaining the Documentation 1-1; CD-ROMs Shipped with the Devices ...

  • Page 7: Obtaining The Documentation

    1-1 1 Obtaining the documentation. H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentation and the documentation concerning newly added features. The documentation is available in one of the following ways: CD-ROMs shipped ...

  • Page 8: Product Features

    2-1 2 product features introduction to product h3c s5500-si series ethernet switches are gigabit ethernet switching products developed by hangzhou h3c technologies co., ltd. The s5500-si series switches have abundant service features. They are designed as distribution and access devices for intranet...

  • Page 9

    2-2 volume features login basic system configuration device management file system management http snmp rmon mac address table management system maintaining and debugging information center poe hotfix nqa ntp cluster management stack management 08-system volume automatic configuration.

  • Page 10: Features

    3-1 3 features the following sections provide an overview of the main features of each module supported by the s5500-si series. Access volume table 3-1 features in access volume features description ethernet interface this document describes: z combo port configuration z basic ethernet interface con...

  • Page 11

    3-2 features description lldp lldp enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the network management system detects and determines the conditions of the communications links. This document describes: z introduction to lldp z perfor...

  • Page 12: Ip Services Volume

    3-3 ip services volume table 3-2 features in the ip services volume features description ip address an ip address is a 32-bit address allocated to a network interface on a device that is attached to the internet. This document describes: z introduction to ip addresses z ip address configuration arp ...

  • Page 13: Ip Routing Volume

    3-4 features description dual stack a network node that supports both ipv4 and ipv6 is called a dual stack node. A dual stack node configured with an ipv4 address and an ipv6 address can have both ipv4 and ipv6 packets transmitted. This document describes: z dual stack overview z dual stack configur...

  • Page 14: Multicast Volume

    3-5 multicast volume table 3-4 features in multicast volume features description multicast overview this document describes the main concepts in multicast: z introduction to multicast z multicast models z multicast architecture z multicast packets forwarding mechanism igmp snooping running at the da...

  • Page 15: Security Volume

    3-6 security volume table 3-6 features in the security volume features description aaa authentication, authorization and accounting (aaa) provide a uniform framework used for configuring these three security functions to implement the network security management. This document describes: z introduct...

  • Page 16: High Availability Volume

    3-7 features description ssh2.0 ssh ensures secure login to a remote device in a non-secure network environment. By encryption and strong authentication, it protects the device against attacks. This document describes: z configuring asymmetric keys z configuring the device as an ssh server z configu...

  • Page 17

    3-8 features description rrpp rrpp is a link layer protocol designed for ethernet rings. Rrpp can prevent broadcast storms caused by data loops when an ethernet ring is healthy, and rapidly restore the communication paths between the nodes after a link is disconnected on the ring. This document desc...

  • Page 18: System Volume

    3-9 system volume table 3-8 features in the system volume features description login upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describes: z how to log in to your ethernet switch z introduction to the user interface and c...

  • Page 19

    3-10 features description snmp simple network management protocol (snmp) offers a framework to monitor network devices through tcp/ip protocol suite. This document describes: z snmp overview z basic snmp function configuration z snmp log configuration z trap configuration z mib style configuration r...

  • Page 20

    3-11 features description hotfix hotfix is a fast, cost-effective method to fix software defects of the device without interrupting the running services. This document describes: z hotfix overview z one-step patch installation z step-by-step patch installation z step-by-step patch uninstallation z o...

  • Page 21: Appendix A Acronyms

    A-1 Appendix A Acronyms. Acronyms / Full spelling: #: 10GE Ten-GigabitEthernet; A: AAA Authentication, Authorization and Accounting; ABC Activity Based Costing; ABR Area Border Router; AC Alternating Current; ACK Acknowledgement; ACL Access Control...

  • Page 22

    A-2 Acronyms / Full spelling: BGP Border Gateway Protocol; BIMS Branch Intelligent Management System; BOOTP Bootstrap Protocol; BPDU Bridge Protocol Data Unit; BRI Basic Rate Interface; BSR Bootstrap Router; BT BitTorrent; BT Burst Tolerance; C: CA Call Appearance; CA Certificate Authority; CAR Committed A...

  • Page 23

    A-3 Acronyms / Full spelling: CV Connectivity Verification; D: DAR Deeper Application Recognition; DCE Data Circuit-terminal Equipment; DD Database Description; DDN Digital Data Network; DHCP Dynamic Host Configuration Protocol; DIS Designated IS; DLCI Data Link Connection Identifier; DLDP Device Link De...

  • Page 24

    A-4 acronyms full spelling fdi forward defect indication fec forwarding equivalence class ffd fast failure detection fg forwarding group fib forwarding information base fifo first in first out fqdn full qualified domain name fr frame relay frr fast reroute frtt fairness round trip time ft functional...

  • Page 25

    A-5 acronyms full spelling ibm international business machines icmp internet control message protocol icmpv6 internet control message protocol for ipv6 id identification/identity ieee institute of electrical and electronics engineers ietf internet engineering task force igmp internet group managemen...

  • Page 26

    A-6 acronyms full spelling lacpdu link aggregation control protocol data unit lan local area network lcp link control protocol ldap lightweight directory access protocol ldp label distribution protocol ler label edge router lfib label forwarding information base lib label information base llc link l...

  • Page 27

    A-7 acronyms full spelling mld-snooping multicast listener discovery snooping mmc meet-me conference modem modulator-demodulator mp multilink ppp mp-bgp multiprotocol extensions for bgp-4 mpe middle-level pe mp-group multilink point to point protocol group mpls multiprotocol label switching mplsfw m...

  • Page 28

    A-8 Acronyms / Full spelling: NPDU Network Protocol Data Unit; NPE Network Provider Edge; NQA Network Quality Analyzer; NSAP Network Service Access Point; NSC NetStream Collector; N-SEL NSAP Selector; NSSA Not-So-Stubby Area; NTDP Neighbor Topology Discovery Protocol; NTP Network Time Protocol; O: OAM Ope...

  • Page 29

    A-9 acronyms full spelling pop point of presence pos packet over sdh ppp point-to-point protocol pptp point to point tunneling protocol ppvpn provider-provisioned virtual private network pq priority queuing prc primary reference clock pri primary rate interface ps protection switching pse power sour...

  • Page 30

    A-10 acronyms full spelling rpt rendezvous point tree rrpp rapid ring protection protocol rsb reservation state block rsoh regenerator section overhead rstp rapid spanning tree protocol rsvp resource reservation protocol rtcp real-time transport control protocol rte route table entry rtp real-time t...

  • Page 31

    A-11 acronyms full spelling spt shortest path tree ssh secure shell ssm synchronization status marker ssm source-specific multicast st shared tree stm-1 sdh transport module -1 stm-16 sdh transport module -16 stm-16c sdh transport module -16c stm-4c sdh transport module -4c stp spanning tree protoco...

  • Page 32

    A-12 acronyms full spelling vci virtual channel identifier ve virtual ethernet vfs virtual file system vlan virtual local area network vll virtual leased lines vod video on demand voip voice over ip vos virtual operate system vpdn virtual private dial-up network vpdn virtual private data network vpi...

  • Page 33: Access Volume Organization

    Access volume organization manual version 20090930-c-1.01 product version release 2202 organization the access volume is organized as follows: features description ethernet interface this document describes: z combo port configuration z basic ethernet interface configuration z configuring flow contr...

  • Page 34

    Features description mstp mstp is used to eliminate loops in a lan. It is compatible with stp and rstp. This document describes: z introduction to mstp z configuring mstp lldp lldp enables a device to maintain and manage its own and its immediate neighbor’s device information, based on which the net...

  • Page 35: Table of Contents

    i Table of Contents: 1 Ethernet Interface Configuration 1-1; Ethernet Interface Configuration ...

  • Page 36

    1-1 1 ethernet interface configuration ethernet interface configuration combo port configuration introduction to combo port a combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a combo port, the electrical port and th...

  • Page 37

    1-2 z auto-negotiation mode (auto). Interfaces operating in this mode determine their duplex mode through auto-negotiation. Similarly, if you configure the transmission rate for an ethernet interface by using the speed command with the auto keyword specified, the transmission rate is determined thro...

  • Page 38

    1-3 figure 1-1 an application diagram of auto-negotiation transmission rate as shown in figure 1-1, the network card transmission rate of the server group (server 1, server 2, and server 3) is 1000 mbps, and the transmission rate of gigabitethernet 1/0/4, which provides access to the external networ...

  • Page 39

    1-4 Follow these steps to enable flow control on an Ethernet interface (To do… / Use the command… / Remarks):
    Enter system view: system-view
    Enter Ethernet interface view: interface interface-type interface-number
    Enable flow control: flow-control (required; disabled by default)
    Configuring the suppression ...

  • Page 41

    1-6 the storm suppression ratio settings configured for an ethernet interface may get invalid if you enable the storm constrain for the interface. For information about the storm constrain function, see configuring the storm constrain function on an ethernet interface . Follow these steps to set sto...

  • Page 42

    1-7 to do… use the command… remarks set the interval for collecting statistics on the ethernet port flow-interval interval optional by default, the interval for collecting port statistics is 300 seconds. Enabling forwarding of jumbo frames due to tremendous amount of traffic occurring on an ethernet...

  • Page 43

    1-8 (To do… / Use the command… / Remarks):
    Enter system view: system-view
    Enable global loopback detection: loopback-detection enable (required; disabled by default)
    Configure the interval for port loopback detection: loopback-detection interval-time time (optional; 30 seconds by default)
    Enter Ethernet interface...

  • Page 44

    1-9 signals; pin 3 and pin 6 are used for transmitting signals. To enable normal communication, you should connect the local transmit pins to the remote receive pins. Therefore, you should configure the mdi mode depending on the cable types. Z normally, the auto mode is recommended. The other two mo...

  • Page 45

    1-10 periodically and takes corresponding actions (that is, blocking or shutting down the interface and sending trap messages and logs) when the traffic detected exceeds the threshold. Alternatively, you can configure the storm suppression function to control a specific type of traffic. As the funct...

  • Page 46

    1-11 to do… use the command… remarks specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher than the upper threshold storm-constrain enable log optional by default, the system sends log when the traffic detected exceeds t...

  • Page 48: Table of Contents

    i Table of Contents: 1 Link Aggregation Configuration 1-1; Overview ...

  • Page 49: Overview

    1-1 1 link aggregation configuration when configuring link aggregation, go to these sections for information you are interested in: z overview z link aggregation configuration task list z configuring an aggregation group z configuring an aggregate interface z configuring a load sharing mode for load...

  • Page 50

    1-2 z selected: a selected port can forward user traffic. Z unselected: an unselected port cannot forward user traffic. The rate of an aggregate interface is the sum of the selected member ports’ rates. The duplex mode of an aggregate interface is consistent with that of the selected member ports. N...

  • Page 51

    1-3 z when a marker response protocol data unit (pdu) is received from the peer or the timer expires, the device starts to redistribute service traffic on all the new link aggregation member ports in selected state. Currently, the s5500-si series ethernet switches support returning marker response p...

  • Page 52

    1-4 link aggregation modes depending on the link aggregation procedure, link aggregation operates in one of the following two modes: z static aggregation mode z dynamic aggregation mode static aggregation mode lacp is disabled on the member ports in a static aggregation group. In a static aggregatio...

  • Page 53

    1-5 z compare the system id (comprising the system lacp priority and the system mac address) of the actor with that of the partner. The system with the lower lacp priority wins out. If they are the same, compare the system mac addresses. The system with the smaller mac address wins out. Z compare th...

  • Page 54

    1-6 task remarks shutting down an aggregate interface optional configuring a load sharing mode for load-sharing link aggregation groups optional configuring an aggregation group z the following ports cannot be assigned to an aggregation group: stack ports, rrpp-enabled ports, mac address authenticat...

  • Page 55

    1-7 Configuring a dynamic aggregation group. Follow these steps to configure a Layer 2 dynamic aggregation group (To do… / Use the command… / Remarks):
    Enter system view: system-view
    Set the system LACP priority: lacp system-priority system-priority (optional; by default, the system LACP priority is 3276...)

  • Page 56

    1-8 z removing a dynamic aggregate interface also removes the corresponding aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group. Z to guarantee a successful dynamic aggregation, ensure that the peer ports of the ports aggregated at one ...

  • Page 58

    1-10 traffic as needed. For example, for layer 3 traffic, you can use ip addresses as hash keys for load sharing calculation. You can configure a global load sharing mode for all link aggregation groups or a load sharing mode specific to a link aggregation group as needed. Configuring the global loa...

  • Page 59

    1-11 currently, when you configure load-balancing link aggregation groups in layer 2 aggregate interface view, the switch supports configuring hash keys in the following modes: z use a source ip address, a source mac address, or a destination mac address alone as a hash key. Z combine a destination ...

  • Page 60

    1-12 z reference port: select a port as the reference port from the ports that are in up state and with the same class-two configurations as the corresponding aggregate interface. The selection order is as follows: full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duple...

  • Page 61

    1-13
    [DeviceA-GigabitEthernet1/0/2] quit
    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
    2) Configure Device B. Follow the same configuration procedure performed on Device A to configure Device B. Layer 2 dynamic aggregation configuration example...

  • Page 62

    1-14
    [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
    2) Configure Device B. Follow the same configuration procedure performed on Device A to configure Device B. Layer 2 aggregation load sharing mode configuration example. Network requirements: as shown in Figure 1-3, Device A is connectio...

  • Page 63

    1-15
    # Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 2.
    [DeviceA] interface gigabitethernet 1/0/3
    [DeviceA-GigabitEthernet1/0/3] port link-aggregation group 2
    [DeviceA-GigabitEthernet1/0/3] quit
    [DeviceA] interface gigabitethernet 1/0/4
    [DeviceA-GigabitEthernet1/0...

  • Page 64: Table of Contents

    i Table of Contents: 1 Port Isolation Configuration 1-1; Introduction to Port Isolation ...

  • Page 65: Port Isolation Configuration

    1-1 1 port isolation configuration when configuring port isolation, go to these sections for information you are interested in: z introduction to port isolation z configuring the isolation group z displaying and maintaining isolation groups z port isolation configuration example introduction to port...

  • Page 66

    1-2 Displaying and maintaining isolation groups (To do… / Use the command… / Remarks):
    Display the isolation group information: display port-isolate group (available in any view)
    Port isolation configuration example. Network requirements: users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1...

  • Page 67

    1-3
    Uplink port support: no
    Group ID: 1
    Group members: GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3

  • Page 68: Table of Contents

    i Table of Contents: 1 MSTP Configuration 1-1; Overview ...

  • Page 69: Mstp Configuration

    1-1 1 mstp configuration when configuring mstp, go to these sections for information you are interested in: z overview z introduction to stp z introduction to rstp z introduction to mstp z mstp configuration task list z configuring mstp z displaying and maintaining mstp z mstp configuration example ...

  • Page 70

    1-2 z topology change notification (tcn) bpdus, used for notifying the concerned devices of network topology changes, if any. Basic concepts in stp root bridge a tree network must have a root; hence the concept of root bridge was introduced in stp. There is one and only one root bridge in the entire...

  • Page 71

    1-3 figure 1-1 a schematic diagram of designated bridges and designated ports all the ports on the root bridge are designated ports. Path cost path cost is a reference value used for link selection in stp. By calculating path costs, stp selects relatively robust links and blocks redundant links, and...

  • Page 72

    1-4 for simplicity, the descriptions and examples below involve only four fields of configuration bpdus: z root bridge id (represented by device priority) z root path cost (related to the rate of the link connecting the port) z designated bridge id (represented by device priority) z designated port ...

  • Page 73

    1-5 initially, each stp-enabled device on the network assumes itself to be the root bridge, with the root bridge id being its own device id. By exchanging configuration bpdus, the devices compare their root bridge ids to elect the device with the smallest root bridge id as the root bridge. Z selecti...

  • Page 74

    1-6 Figure 1-2 Network diagram for the STP algorithm (Device A with priority 0, Device B with priority 1, Device C with priority 2; ports AP1, AP2, BP1, BP2, CP1, CP2; link path costs 5, 10, and 4). Initial state of each device: Table 1-4 shows the initial state of each device. Table 1-4 Initial state of each device: Device / Port name / BPDU...

  • Page 75

    1-7 device comparison process bpdu of port after comparison z port bp1 receives the configuration bpdu of device a {0, 0, 0, ap1}. Device b finds that the received configuration bpdu is superior to the configuration bpdu of the local port {1, 0, 1, bp1}, and updates the configuration bpdu of bp1. Z ...

  • Page 76

    1-8 device comparison process bpdu of port after comparison after comparison: z because the root path cost of cp2 (9) (root path cost of the bpdu (5) plus path cost corresponding to cp2 (4)) is smaller than the root path cost of cp1 (10) (root path cost of the bpdu (0) + path cost corresponding to c...

  • Page 77: Introduction to Rstp

    1-9 z if a path becomes faulty, the root port on this path will no longer receive new configuration bpdus and the old configuration bpdus will be discarded due to timeout. In this case, the device will generate a configuration bpdu with itself as the root and send out the bpdus and tcn bpdus. This t...

  • Page 78: Introduction to Mstp

    1-10 introduction to mstp why mstp weaknesses of stp and rstp stp does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge ...

  • Page 79

    1-11 Basic concepts in MSTP. Figure 1-4 Basic concepts in MSTP: CST; Region A0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region B0: VLAN 1 mapped to instance 1, VLAN 2 mapped to instance 2, other VLANs mapped to CIST; Region C0: VLAN 1 mapped to instance 1, VLAN 2 and...

  • Page 80

    1-12 vlan-to-instance mapping table as an attribute of an mst region, the vlan-to-instance mapping table describes the mapping relationships between vlans and mstis. In figure 1-4 , for example, the vlan-to-instance mapping table of region a0 is as follows: vlan 1 is mapped to msti 1, vlan 2 to msti...

  • Page 81

    1-13 during mstp calculation, a boundary port’s role on an msti is consistent with its role on the cist. But that is not true with master ports. A master port on mstis is a root port on the cist. Roles of ports mstp calculation involves these port roles: root port, designated port, master port, alte...

  • Page 82

    1-14 port states in mstp, port states fall into the following three: z forwarding: the port learns mac addresses and forwards user traffic; z learning: the port learns mac addresses but does not forward user traffic; z discarding: the port neither learns mac addresses nor forwards user traffic. When...

  • Page 83: Mstp Configuration Task List

    1-15 z within an mst region, the packet is forwarded along the corresponding msti. Z between two mst regions, the packet is forwarded along the cst. Implementation of mstp on devices mstp is compatible with stp and rstp. Stp and rstp protocol packets can be recognized by devices running mstp and use...

  • Page 84

    1-16 task remarks enabling the mstp feature required configuring an mst region required configuring the work mode of an mstp device optional configuring the timeout factor optional configuring the maximum port rate optional configuring ports as edge ports optional configuring path costs of ports opt...

  • Page 85: Configuring Mstp

    1-17 configuring mstp configuring an mst region make the following configurations on the root bridge and on the leaf nodes separately. Follow these steps to configure an mst region: to do... Use the command... Remarks enter system view system-view — enter mst region view stp region-configuration — c...

  • Page 86

    1-18 configuring the root bridge or a secondary root bridge mstp can determine the root bridge of a spanning tree through mstp calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge using the commands provided by the system. Note that: z a device...

  • Page 87

    1-19 z after specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Z alternatively, you can also configure the current device as the root bridge by setting the priority of the device to 0. For the device priority configuration, ref...

  • Page 88

    1-20 z after configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device. Z during root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest mac address will be selected as the root bridge of the span...

  • Page 89

    1-21 z based on the network diameter you configured, mstp automatically sets an optimal hello time, forward delay, and max age for the device. Z the configured network diameter is effective for the cist only, and not for mstis. Each mst region is considered as a device. Z the network diameter must b...

  • Page 90

    1-22 to do... Use the command... Remarks configure the max age timer stp timer max-age time optional 2,000 centiseconds (20 seconds) by default z the length of the forward delay time is related to the network diameter of the switched network. Typically, the larger the network diameter is, the longer...

  • Page 91

    1-23 (To do… / Use the command… / Remarks):
    Enter system view: system-view
    Configure the timeout factor of the device: stp timer-factor factor (required; 3 by default)
    Configuring the maximum port rate. The maximum rate of a port refers to the maximum number of BPDUs the port can send within each hello tim...

  • Page 92

    1-24 to do... Use the command... Remarks enter ethernet interface view, or layer 2 aggregate interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group manual port-group-name required use either command. Configure the current por...

  • Page 93

    1-25 Table 1-7 Link speed vs. path cost
    Link speed | Duplex state            | 802.1D-1998 | 802.1t      | Private standard
    0          | —                       | 65535       | 200,000,000 | 200,000
    10 Mbps    | Single port             | 100         | 2,000,000   | 2,000
    10 Mbps    | Aggregate link, 2 ports | 100         | 1,000,000   | 1,800
    10 Mbps    | Aggregate link, 3 ports | 100         | 666,666     | 1,600
    10 Mbps    | Aggregate link, 4 ports | 100         | 500,000     | 1,400
    100 M...

  • Page 94

    1-26 z if you change the standard that the device uses in calculating the default path cost, the port path cost value set through the stp cost command will be invalid. Z when the path cost of a port is changed, mstp will re-calculate the role of the port and initiate a state transition. If you use 0...

  • Page 95

    1-27 z when the priority of a port is changed, mstp will re-calculate the role of the port and initiate a state transition. Z generally, a lower priority value indicates a higher priority. If you configure the same priority value for all the ports on a device, the specific priority of a port depends...

  • Page 96

    1-28 z dot1s :802.1s-compliant standard format, and z legacy :compatible format by default, the packet format recognition mode of a port is auto, namely the port automatically distinguishes the two mstp packet formats, and determines the format of packets it will send based on the recognized format....

  • Page 98

    1-30 by then, you can perform an mcheck operation to force the port to migrate to the mstp (or rstp) mode. You can perform mcheck on a port through the following two approaches, which lead to the same result. Performing mcheck globally follow these steps to perform global mcheck: to do... Use the co...

  • Page 99

    1-31 before enabling digest snooping, ensure that associated devices of different vendors are interconnected and run mstp. Configuring the digest snooping feature you can enable digest snooping only on a device that is connected to a third-party device that uses its private key to calculate the conf...

  • Page 100

    1-32 digest snooping configuration example 1) network requirements z device a and device b connect to device c, a third-party device, and all these devices are in the same region. Z enable digest snooping on device a and device b so that the three devices can communicate with one another. Figure 1-6...

  • Page 101

    1-33 figure 1-7 shows the rapid state transition mechanism on mstp designated ports. Figure 1-7 rapid state transition of an mstp designated port figure 1-8 shows rapid state transition of an rstp designated port. Figure 1-8 rapid state transition of an rstp designated port root port designated port...

  • Page 102

    1-34 to do... Use the command... Remarks enter system view system-view — enter ethernet interface view, or layer 2 aggregate interface view interface interface-type interface-number enter interface or port group view enter port group view port-group manual port-group-name required use either command...

  • Page 103

    1-35 configuration prerequisites mstp has been correctly configured on the device. Enabling bpdu guard for access layer devices, the access ports generally connect directly with user terminals (such as pcs) or file servers. In this case, the access ports are configured as edge ports to allow rapid t...

  • Page 104

    1-36 follow these steps to enable root guard: to do... Use the command... Remarks enter system view system-view — enter ethernet interface view, or layer 2 aggregate interface view interface interface-type interface-number enter interface view or port group view enter port group view port-group manu...

  • Page 105

    1-37 With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the switch can perform within a certain period of time after receiving the first TC-BPDU. For TC-BPDUs received in excess of the limit, the switch performs forwarding address entry...

  • Page 106: Mstp Configuration Example

    1-38 Displaying and maintaining MSTP: To do... Use the command... Remarks: View information about abnormally blocked ports: display stp abnormal-port (available in any view). View information about ports blocked by STP protection functions: display stp down-port (available in any view). View the historical in...

  • Page 107

    1-39 Figure 1-10 Network diagram for MSTP configuration (figure labels: GE1/0/1 on each device). Configuration procedure. 1) VLAN and VLAN member port configuration: create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B respectively, create VLAN 10, VLAN 20, and VLAN 40 on Device C, and c...

  • Page 108

    1-40 system-view [deviceb] stp region-configuration [deviceb-mst-region] region-name example [deviceb-mst-region] instance 1 vlan 10 [deviceb-mst-region] instance 3 vlan 30 [deviceb-mst-region] instance 4 vlan 40 [deviceb-mst-region] revision-level 0 # activate mst region configuration. [deviceb-mst...

  • Page 109

    1-41 # activate mst region configuration. [deviced-mst-region] active region-configuration [deviced-mst-region] quit # enable mstp globally. [deviced] stp enable 6) verifying the configurations you can use the display stp brief command to display brief spanning tree information on each device after ...

  • Page 110

    1-42 3 GigabitEthernet1/0/2 ALTE DISCARDING NONE; 4 GigabitEthernet1/0/3 ROOT FORWARDING NONE. Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown in Figure 1-11. Figure 1-11 MSTIs corresponding to different VLANs.

  • Page 111: Table of Contents

    I Table of contents: 1 LLDP configuration 1-1; Overview ...

  • Page 112: Lldp Configuration

    1-1 1 LLDP configuration. When configuring LLDP, go to these sections for information you are interested in: Overview; LLDP configuration task list; Performing basic LLDP configuration; Configuring CDP compatibility; Configuring LLDP trapping; Displaying and maintaining LLDP; LLDP configurati...

  • Page 113

    1-2 Figure 1-1 Ethernet II-encapsulated LLDP frame format. The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame. Field / Description: Destination MAC address: the MAC address to which the LLDPDU is advertised. It is fixed to 0x0...

  • Page 114

    1-3 Field / Description: Source MAC address: the MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used. Type: the SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP. Data: LLDPDU. FCS: frame check sequence, a 32-bit...

  • Page 115

    1-4 Type / Description / Remarks: Port description: port description of the sending port. System name: assigned name of the sending device. System description: description of the sending device. System capabilities: identifies the primary functions of the sending device and the primary functions that have be...

  • Page 116

    1-5 management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier. LLDP-MED TLVs are shown in Table 1-6: Table 1-6 LLDP-MED TLVs. Type / Description: LLDP-MED capabilities: allows a MED endpoint to advertise the supported LLDP-MED TLVs and its device type. Network policy: allows ...

  • Page 117: Lldp Configuration Task List

    1-6 How LLDP works. Transmitting LLDP frames: an LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local d...

  • Page 118

    1-7 LLDP-related configurations made in Ethernet interface view take effect only on the current port, and those made in port group view take effect on all ports in the current port group. Performing basic LLDP configuration. Enabling LLDP: to make LLDP take effect on certain ports, you need to enabl...

  • Page 119

    1-8 Setting the LLDP re-initialization delay: when the LLDP operating mode changes on a port, the port initializes the protocol state machines after a certain delay. By adjusting the LLDP re-initialization delay, you can avoid frequent initializations caused by frequent LLDP operating mode changes on a p...

  • Page 120

    1-9 Configuring the management address and its encoding format: LLDP encodes management addresses in numeric or character string format in management address TLVs. By default, management addresses are encoded in numeric format. If a neighbor encoded its management address in character string format, ...

  • Page 121

    1-10 To do... Use the command... Remarks: Set the LLDPDU transmit interval: lldp timer tx-interval interval (optional; 30 seconds by default). Set the LLDPDU transmit delay: lldp timer tx-delay delay (optional; 2 seconds by default). Set the number of LLDP frames sent each time fast LLDPDU transmission is triggered: l...

  • Page 122

    1-11 LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation. Configuring CDP compatibility: for detailed information about voice VLAN, refer to VLAN configuration in the Access volume. You need to enable CDP compatibility for your device to work with Cisco IP pho...

  • Page 123: Configuring Lldp Trapping

    1-12 To do... Use the command... Remarks: Enter Ethernet interface view: interface interface-type interface-number; enter port group view: port-group manual port-group-name (required; use either command). Configure CDP-compatible LLDP to operate in TxRx mode: lld...

  • Page 125

    1-14 [switcha] interface gigabitethernet 1/0/1 [switcha-gigabitethernet1/0/1] lldp enable [switcha-gigabitethernet1/0/1] lldp admin-status rx [switcha-gigabitethernet1/0/1] quit [switcha] interface gigabitethernet 1/0/2 [switcha-gigabitethernet1/0/2] lldp enable [switcha-gigabitethernet1/0/2] lldp a...

  • Page 126

    1-15 Admin status : Rx_Only; Trap flag : No; Roll time : 0s; Number of neighbors : 1; Number of MED neighbors : 0; Number of CDP neighbors : 0; Number of sent optional TLV : 0; Number of received unknown TLV : 3. As the sample output shows, GigabitEthernet 1/0/1 of Switch A connects a MED device, and Gigabi...

  • Page 127

    1-16 Number of sent optional TLV : 0; Number of received unknown TLV : 0. As the sample output shows, GigabitEthernet 1/0/2 of Switch A does not connect any neighboring devices. CDP-compatible LLDP configuration example. Network requirements: as shown in Figure 1-5: GigabitEthernet 1/0/1 and GigabitE...

  • Page 128

    1-17 [switcha-gigabitethernet1/0/1] lldp admin-status txrx [switcha-gigabitethernet1/0/1] lldp compliance admin-status cdp txrx [switcha-gigabitethernet1/0/1] quit [switcha] interface gigabitethernet 1/0/2 [switcha-gigabitethernet1/0/2] lldp enable [switcha-gigabitethernet1/0/2] lldp admin-status tx...

  • Page 129: Table of Contents

    I Table of contents: 1 VLAN configuration 1-1; Introduction to VLAN ...

  • Page 130: Vlan Configuration

    1-1 1 VLAN configuration. When configuring VLAN, go to these sections for information you are interested in: Introduction to VLAN; Configuring basic VLAN settings; Configuring basic settings of a VLAN interface; Port-based VLAN configuration; MAC-based VLAN configuration; Protocol-based VLAN c...

  • Page 131

    1-2 2) Confining broadcast traffic within individual VLANs. This reduces bandwidth waste and improves network performance. 3) Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are r...

  • Page 132

    1-3 The Ethernet II encapsulation format is used here. Besides the Ethernet II encapsulation format, other encapsulation formats, including 802.2 LLC, 802.2 SNAP, and 802.3 raw, are also supported by Ethernet. The VLAN tag fields are also added to frames encapsulated in these formats for VLAN iden...

  • Page 133

    1-4 As the default VLAN, VLAN 1 cannot be created or removed. You cannot manually create or remove VLANs reserved for special purposes. Dynamic VLANs cannot be removed with the undo vlan command. A VLAN with a QoS policy applied cannot be removed. For isolate-user-VLANs or secondary VLANs,...

  • Page 134

    1-5 Before creating a VLAN interface for a VLAN, create the VLAN first. Port-based VLAN configuration. Introduction to port-based VLAN: port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type: you can configure the link type ...

  • Page 135

    1-6 Do not set the voice VLAN as the default VLAN of a port in automatic voice VLAN assignment mode. Otherwise, the system prompts error information. For information about voice VLAN, refer to Voice VLAN configuration. The local and remote ports must use the same default VLAN ID for the traffic...

  • Page 136

    1-7 2) In interface or port group view. Follow these steps to assign an access port (in interface view) or multiple access ports (in port group view) to a VLAN: To do... Use the command... Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number; ente...

  • Page 137

    1-8 Follow these steps to assign a trunk port to one or multiple VLANs: To do... Use the command... Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number. Enter Layer-2 aggregate interface view: interface bridge-aggregation interface-number. Enter i...

  • Page 138

    1-9 To do... Use the command... Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-type interface-number. Enter Layer-2 aggregate interface view: interface bridge-aggregation interface-number. Enter interface view or port group view; enter port group view: port-group ma...

  • Page 139: Mac-Based Vlan Configuration

    1-10 MAC-based VLAN configuration. Introduction to MAC-based VLAN: MAC-based VLANs group VLAN members by MAC address. They are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices. MAC-based VLAN implementation: with MAC-ba...

  • Page 140

    1-11 MAC-based VLANs are available only on hybrid ports. Because MAC-based dynamic port assignment is mainly configured on the downlink ports of the user access devices, do not enable this function together with link aggregation. With MSTP enabled, if the MST instance for the corresponding VLA...

  • Page 141

    1-12 Protocol-based VLANs are only applicable on hybrid ports. In this approach, inbound packets are assigned to different VLANs based on their protocol types and encapsulation formats. The protocols that can be used for VLAN assignment include IP, IPX, and AppleTalk (AT). The encapsulation formats ...

  • Page 142

    1-13 To do... Use the command... Remarks: Enter port group view: port-group manual port-group-name. ... current port. In port group view, the subsequent configurations apply to all ports in the port group. In Layer-2 aggregate interface view, the subsequent configurations apply to the Layer-2 aggregate int...

  • Page 143

    1-14 IP subnet-based VLAN configuration. Introduction: in this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet. This feature ...

  • Page 144

    1-15 After you configure a command on a Layer-2 aggregate interface, the system starts applying the configuration to the aggregate interface and its aggregation member ports. If the system fails to do that on the aggregate interface, it stops applying the configuration to the aggregation member port...

  • Page 145: Vlan Configuration Example

    1-16 VLAN configuration example. Network requirements: Device A connects to Device B through a trunk port, GigabitEthernet 1/0/1; the default VLAN ID of GigabitEthernet 1/0/1 is 100; GigabitEthernet 1/0/1 allows packets from VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through. Figure 1-4...

  • Page 146

    1-17 display interface gigabitethernet 1/0/1 gigabitethernet1/0/1 current state: up ip packet frame type: pktfmt_ethnt_2, hardware address: 001e-c16f-ae68 description: gigabitethernet1/0/1 interface loopback is not set media type is twisted pair port hardware type is 1000_base_t unknown-speed mode, ...

  • Page 147: Overview

    2-1 2 Isolate-user-VLAN configuration. When configuring an isolate-user-VLAN, go to these sections for information you are interested in: Overview; Configuring isolate-user-VLAN; Displaying and maintaining isolate-user-VLAN; Isolate-user-VLAN configuration example. Overview: an isolate-user-VLAN a...

  • Page 148

    2-2 3) Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VLAN as its default VLAN; 4) assign non-trunk ports to each secondary VLAN and ensure that at least one port in a secondary VLAN takes the secondary VLAN as its default VLAN; 5) associate ...

  • Page 149

    2-3 Displaying and maintaining isolate-user-VLAN: To do... Use the command... Remarks: Display the mapping between an isolate-user-VLAN and its secondary VLAN(s): display isolate-user-vlan [ isolate-user-vlan-id ] (available in any view). Isolate-user-VLAN configuration example. Network requirements: conn...

  • Page 150

    2-4 [deviceb] vlan 2 [deviceb-vlan2] port gigabitethernet 1/0/2 [deviceb-vlan2] quit # associate the isolate-user-vlan with the secondary vlans. [deviceb] isolate-user-vlan 5 secondary 2 to 3 2) configure device c # configure the isolate-user-vlan. System-view [devicec] vlan 6 [devicec-vlan6] isolat...

  • Page 151

    2-5 gigabitethernet 1/0/2 gigabitethernet 1/0/5 vlan id: 3 vlan type: static isolate-user-vlan type : secondary route interface: not configured description: vlan 0003 name: vlan 0003 tagged ports: none untagged ports: gigabitethernet 1/0/1 gigabitethernet 1/0/5.

  • Page 152: Voice Vlan Configuration

    3-1 3 Voice VLAN configuration. When configuring a voice VLAN, go to these sections for information you are interested in: Overview; Configuring a voice VLAN; Displaying and maintaining voice VLAN; Voice VLAN configuration. Overview: a voice VLAN is configured specially for voice traffic. After as...

  • Page 153

    3-2 In general, as the first 24 bits of a MAC address (in binary format), an OUI address is a globally unique identifier assigned to a vendor by IEEE. The OUI addresses mentioned in this document, however, differ from OUI addresses in that usual sense. OUI addresses in this document are used by the system ...

  • Page 154

    3-3 Voice VLAN assignment mode / Voice traffic type / Port link type: Access: not supported. Trunk: supported if the default VLAN of the connecting port exists and is not the voice VLAN and the connecting port belongs to the default VLAN. Tagged voice traffic, hybrid: supported if the default VLAN of the co...

  • Page 155: Configuring A Voice Vlan

    3-4 Table 3-3 How a voice VLAN-enabled port processes packets in security/normal mode. Voice VLAN working mode / Packet type / Packet processing mode: untagged packets; packets carrying the voice VLAN tag: if the source MAC address of a packet matches an OUI address configured for the device, it is forwarded...

  • Page 156

    3-5 To do... Use the command... Remarks: Enable voice VLAN on the port: voice vlan vlan-id enable (required; not enabled by default). An S5500-SI switch supports up to eight voice VLANs globally. A protocol-based VLAN on a hybrid port can process only untagged inbound packets, whereas the voice VLAN i...

  • Page 157

    3-6 An S5500-SI switch supports up to eight voice VLANs globally. You can configure different voice VLANs on different ports at the same time. However, one port can be configured with only one voice VLAN, and this voice VLAN must be a static VLAN that already exists on the device. Voice VLAN i...

  • Page 158

    3-7 Figure 3-1 Network diagram for automatic voice VLAN assignment mode configuration (figure labels: Device A, Device B, GE1/0/1, GE1/0/2; IP phone A 010-1001, MAC: 0011-1100-0001, mask: ffff-ff00-0000; IP phone B 010-1002, MAC: 0011-2200-0001, mask: ffff-ff00-0000; 0755-2002; Internet; PC A MAC: 0022-1100-0002; PC B m...

  • Page 159

    3-8 [devicea-gigabitethernet1/0/2] voice vlan 3 enable verification # display the oui addresses, oui address masks, and description strings supported currently. Display voice vlan oui oui address mask description 0001-e300-0000 ffff-ff00-0000 siemens phone 0003-6b00-0000 ffff-ff00-0000 cisco phone 0...

  • Page 160

    3-9 configuration procedure # configure the voice vlan to operate in security mode. (optional. A voice vlan operates in security mode by default.) system-view [devicea] voice vlan security enable # add a recognizable oui address 0011-2200-0000. [devicea] voice vlan mac-address 0011-2200-0000 mask ff...

  • Page 161

    3-10 ----------------------------------------------- gigabitethernet1/0/1 2 manual.

  • Page 162: Table of Contents

    I Table of contents: 1 GVRP configuration 1-1; Introduction to GVRP ...

  • Page 163: Gvrp Configuration

    1-1 1 GVRP configuration. The GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network. When configuring GVRP, go to these sections for inform...

  • Page 164

    1-2 Hold timer: when a GARP application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps you save bandwidth. Join timer: a GARP participant send...

  • Page 165

    1-3 GARP message format. Figure 1-1 GARP message format. Figure 1-1 illustrates the GARP message format. Table 1-1 describes the GARP message fields. Table 1-1 Description of the GARP message fields. Field / Description / Value: Protocol ID: protocol identifier for GARP; 1. Message: one or multiple messages, ea...

  • Page 166: Gvrp Configuration Task List

    1-4 about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynam...

  • Page 167: Configuring Garp Timers

    1-5 To do... Use the command... Remarks: Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number; enter port-group view: port-group manual port-group-name (required; perform...

  • Page 168

    1-6 To do... Use the command... Remarks: Enter Ethernet or Layer 2 aggregate interface view: interface interface-type interface-number; enter port-group view: port-group manual port-group-name (required; perform either of the ...

  • Page 169: Gvrp Configuration Examples

    1-7 To do... Use the command... Remarks: Display the current GVRP state: display gvrp state interface interface-type interface-number vlan vlan-id (available in any view). Display statistics about GVRP: display gvrp statistics [ interface interface-list ] (available in any view). Display the global GVRP state: di...

  • Page 170

    1-8 [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [deviceb-gigabitethernet1/0/1] port link-type trunk [deviceb-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on trunk port gigabitet...

  • Page 171

    1-9 [devicea-gigabitethernet1/0/1] quit # create vlan 2 (a static vlan). [devicea] vlan 2 2) configure device b # enable gvrp globally. System-view [deviceb] gvrp # configure port gigabitethernet 1/0/1 as a trunk port, allowing all vlans to pass through. [deviceb] interface gigabitethernet 1/0/1 [de...

  • Page 172

    1-10 [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] port link-type trunk [devicea-gigabitethernet1/0/1] port trunk permit vlan all # enable gvrp on gigabitethernet 1/0/1 and set the gvrp registration type to forbidden on the port. [devicea-gigabitethernet1/0/1] gvrp [device...

  • Page 173: Table of Contents

    I Table of contents: 1 QinQ configuration 1-1; Introduction to QinQ ...

  • Page 174: Qinq Configuration

    1-1 1 QinQ configuration. When configuring QinQ, go to these sections for information you are interested in: Introduction to QinQ; QinQ configuration task list; Configuring basic QinQ; Configuring selective QinQ; Configuring the TPID value in VLAN tags; QinQ configuration examples. Throughout t...

  • Page 175

    1-2 Figure 1-1 Schematic diagram of the QinQ feature (figure labels: network, service provider network, VLAN 1~10, VLAN 1~20, VLAN 3, VLAN 4, customer network A, customer network B). As shown in Figure 1-1, customer network A has CVLANs 1 through 10, w...

  • Page 176

    1-3 Figure 1-2 Single-tagged frame structure vs. double-tagged Ethernet frame structure. The default maximum transmission unit (MTU) of an interface is 1500 bytes. The size of an outer VLAN tag is 4 bytes. Therefore, you are recommended to increase the MTU of each interface on the service provider ne...

  • Page 177

    1-4 Figure 1-3 VLAN tag structure of an Ethernet frame. The device determines whether a received frame carries an SVLAN tag or a CVLAN tag by checking the corresponding TPID value. Upon receiving a frame, the device compares the configured TPID value with the value of the TPID field in the frame. If t...

  • Page 178: Qinq Configuration Task List

    1-5 QinQ configuration task list. Table 1-2 QinQ configuration task list. Configuration task / Remarks: Configuring basic QinQ: optional. Configuring selective QinQ: configuring an outer VLAN tagging policy: optional. Configuring the TPID value in VLAN tags: optional. QinQ requires configurations only on the ...

  • Page 179: Qinq Configuration Examples

    1-6 condition are handled with selective QinQ on this port first, and the remaining frames are handled with basic QinQ. Follow these steps to configure an outer VLAN tagging policy: To do... Use the command... Remarks: Enter system view: system-view (—). Enter Ethernet or Layer-2 aggregate interface view: inte...

  • Page 180

    1-7 Customer A1, Customer A2, Customer B1 and Customer B2 are edge devices on the customer network. Third-party devices with a TPID value of 0x8200 are deployed between Provider A and Provider B. Make configuration to achieve the following: frames of VLAN 200 through VLAN 299 can be exchanged ...

  • Page 181

    1-8 [providera] interface gigabitethernet 1/0/2 [providera-gigabitethernet1/0/2] port link-type hybrid [providera-gigabitethernet1/0/2] port hybrid pvid vlan 50 [providera-gigabitethernet1/0/2] port hybrid vlan 50 untagged # enable basic qinq on gigabitethernet 1/0/2. [providera-gigabitethernet1/0/2...

  • Page 182

    1-9 Configure the third-party devices between Provider A and Provider B as follows: configure the port connecting GigabitEthernet 1/0/3 of Provider A and that connecting GigabitEthernet 1/0/3 of Provider B to allow tagged frames of VLAN 10 and 50 to pass through. Comprehensive selective QinQ configu...

  • Page 183

    1-10 [providera] interface gigabitethernet 1/0/1 [providera-gigabitethernet1/0/1] port link-type hybrid [providera-gigabitethernet1/0/1] port hybrid vlan 1000 2000 untagged # tag cvlan 10 frames with svlan 1000. [providera-gigabitethernet1/0/1] qinq vid 1000 [providera-gigabitethernet1/0/1-vid-1000]...

  • Page 184

    1-11 [providerb-gigabitethernet1/0/2] port link-type hybrid [providerb-gigabitethernet1/0/2] port hybrid vlan 2000 untagged # tag cvlan 20 frames with svlan 2000. [providerb-gigabitethernet1/0/2] qinq vid 2000 [providerb-gigabitethernet1/0/2-vid-2000] raw-vlan-id inbound 20 # set the tpid value in t...

  • Page 185: Table of Contents

    I Table of contents: 1 BPDU tunneling configuration 1-1; Introduction to BPDU tunneling ...

  • Page 186: Bpdu Tunneling Configuration

    1-1 1 BPDU tunneling configuration. When configuring BPDU tunneling, go to these sections for information you are interested in: Introduction to BPDU tunneling; Configuring BPDU tunneling; BPDU tunneling configuration examples. Introduction to BPDU tunneling: as a Layer 2 tunneling technology, BPDU...

  • Page 187

    1-2 3) The encapsulated Layer 2 protocol packet (called bridge protocol data unit, BPDU) is forwarded to PE 2 at the other end of the service provider network, which decapsulates the packet, restores the original destination MAC address of the packet, and then sends the packet to User A network 2. D...

  • Page 188

    1-3 To allow each network to calculate an independent spanning tree with STP, BPDU tunneling was introduced. BPDU tunneling delivers the following benefits: BPDUs can be transparently transmitted. BPDUs of the same customer network can be broadcast in a specific VLAN across the service provider ne...

  • Page 189: Configuring Bpdu Tunneling

    1-4 Configuring BPDU tunneling. Configuration prerequisites: before configuring BPDU tunneling for a protocol, enable the protocol in the customer network first. Assign the port on which you want to enable BPDU tunneling on the PE device and the connected port on the CE device to the same VLAN. ...

  • Page 190

    1-5 Enabling BPDU tunneling for a protocol in Layer 2 aggregate interface view. Follow these steps to enable BPDU tunneling for a protocol in Layer 2 aggregate interface view: To do... Use the command... Remarks: Enter system view: system-view (—). Enter Layer 2 aggregate interface view: interface bridge-aggre...

  • Page 191

    1-6 It is required that, after the configuration, CE 1 and CE 2 implement consistent spanning tree calculation across the service provider network, and that the destination multicast MAC address carried in BPDUs be 0x0100-0ccd-cdd0. Figure 1-3 Network diagram for configuring BPDU tunneling for STP c...

  • Page 192

    1-7 BPDU tunneling for PVST configuration example. Network requirements: as shown in Figure 1-4: CE 1 and CE 2 are edge devices on the geographically dispersed network of User A; PE 1 and PE 2 are edge devices on the service provider network. All ports that connect service provider devices and c...

  • Page 193

    1-8 [pe2] interface gigabitethernet 1/0/2 [pe2-gigabitethernet1/0/2] port link-type trunk [pe2-gigabitethernet1/0/2] port trunk permit vlan all # disable stp on gigabitethernet1/0/2, and then enable bpdu tunneling for stp and pvst on it. [pe2-gigabitethernet1/0/2] undo stp enable [pe2-gigabitetherne...

  • Page 194: Table of Contents

    I Table of contents: 1 Port mirroring configuration 1-1; Introduction to port mirroring ...

  • Page 195: Port Mirroring Configuration

    1-1 1 Port mirroring configuration. When configuring port mirroring, go to these sections for information you are interested in: Introduction to port mirroring; Configuring local port mirroring; Configuring remote port mirroring; Displaying and maintaining port mirroring; Port mirroring configu...

  • Page 196

    1-2 Figure 1-1 Local port mirroring implementation (figure labels: PC, mirroring port, monitor port, data monitoring device; how the device processes packets; traffic mirrored to the monitor port). Remote port mirroring: remote port mirroring can mirror all packets but protocol packets. Remote port mirroring is ...

  • Page 197

    1-3 Destination device: the destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group. When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the r...

  • Page 198

    1-4 A local port mirroring group takes effect only after its mirroring and monitor ports are configured. To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. A port mirroring group can have multiple mirroring ports, but only one monitor port. A mirroring ...

  • Page 200

    1-6 To remove the VLAN configured as a remote probe VLAN, you must remove the remote probe VLAN with the undo mirroring-group remote-probe vlan command first. Removing the probe VLAN can invalidate the remote source mirroring group. You are recommended to use a remote probe VLAN exclusively for the ...

  • Page 201

    1-7 When configuring the monitor port, use the following guidelines: the port can belong to only the current mirroring group. Disable these functions on the port: STP, MSTP, and RSTP. You are recommended to use a monitor port only for port mirroring. This is to ensure that the data monitoring ...

  • Page 202

    1-8 Figure 1-3 Network diagram for local port mirroring configuration (figure labels: Switch A, Switch B, Switch C, GE1/0/1, GE1/0/2, GE1/0/3, R&D department, Marketing department, data monitoring device). Configuration procedure: configure Switch C. # Create a local port mirroring group. system-view [switchc] mirroring-group...

  • Page 203

    1-9 As shown in Figure 1-4, the administrator wants to monitor the packets sent from Department 1 and 2 through the data monitoring device. Use the remote port mirroring function to meet the requirement. Perform the following configurations: use Switch A as the source device, Switch B as the inte...

  • Page 204

    1-10 [switcha-gigabitethernet1/0/3] port link-type trunk [switcha-gigabitethernet1/0/3] port trunk permit vlan 2 2) configure switch b (the intermediate device). # configure port gigabitethernet 1/0/1 as a trunk port and configure the port to permit the packets of vlan 2. System-view [switchb] inter...

  • Page 205: Manual Version

    IP Services Volume Organization
    Manual version: 20090930-C-1.01
    Product version: Release 2202
    Organization
    The IP Services volume is organized as follows:
    Features / Description
    IP address: An IP address is a 32-bit address allocated to a network interface on a device that is attached to the Internet. Th...

  • Page 206

    Features / Description
    UDP helper: UDP helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified server. This document describes:
    • UDP helper overview
    • UDP helper configuration
    IPv6 basics: Internet Protocol version 6 (IPv6), also calle...

  • Page 207: Table of Contents

    i Table of Contents
    1 IP Addressing Configuration 1-1
    IP Addressing Overview ...

  • Page 208: Ip Addressing Configuration

    1-1 1 IP Addressing Configuration
    When assigning IP addresses to interfaces on your device, go to these sections for information you are interested in:
    • IP addressing overview
    • Configuring IP addresses
    • Displaying and maintaining IP addressing
    IP addressing overview
    This section covers these topi...

  • Page 209

    1-2 Table 1-1 IP address classes and ranges
    Class / Address range / Remarks
    A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packe...

  • Page 210: Configuring Ip Addresses

    1-3 In the absence of subnetting, some special addresses, such as the addresses with a net ID of all zeros and the addresses with a host ID of all ones, are not assignable to hosts. The same is true with subnetting. When designing your network, note that subnetting is somewhat of a tradeof...

  • Page 211

    1-4
    • The primary IP address you assign to the interface overwrites the old one, if there is any.
    • You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured.
    • The primary and secondary IP addresses you assign to the interface can be located on the same network ...

  • Page 212

    1-5
    ping 172.16.1.2
    ping 172.16.1.2: 56 data bytes, press ctrl_c to break
    reply from 172.16.1.2: bytes=56 sequence=1 ttl=255 time=25 ms
    reply from 172.16.1.2: bytes=56 sequence=2 ttl=255 time=27 ms
    reply from 172.16.1.2: bytes=56 sequence=3 ttl=255 time=26 ms
    reply from 172.16.1.2: bytes=56 sequence...

  • Page 213: Table of Contents

    i Table of Contents
    1 ARP Configuration 1-1
    ARP Overview ...

  • Page 214: Arp Configuration

    1-1 This document is organized as follows:
    • ARP configuration
    • Proxy ARP configuration
    1 ARP Configuration
    When configuring ARP, go to these sections for information you are interested in:
    • ARP overview
    • Configuring ARP
    • Configuring gratuitous ARP
    • Displaying and maintaining ARP
    ARP overview
    A...

  • Page 215

    1-2 hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4".
    • OP: Operation code. This field specifies the type of ARP message. The value "1" represents an ARP request and "2" represents an ARP reply.
    • Sender hardware address: This field s...

  • Page 216

    1-3 which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
    ARP table
    After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping is used for f...

  • Page 217: Configuring Arp

    1-4 Configuring ARP
    Configuring a static ARP entry
    A static ARP entry is effective when the device works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unres...

  • Page 218

    1-5
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Set the aging time for dynamic ARP entries: arp timer aging aging-time (optional; 20 minutes by default)
    Enabling the ARP entry check
    The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP ...

  • Page 219: Configuring Gratuitous Arp

    1-6 Configuring gratuitous ARP
    Introduction to gratuitous ARP
    A gratuitous ARP packet is a special ARP packet, in which the sender IP address and the target IP address are both the IP address of the sender, the sender MAC address is the MAC address of the sender, and the target MAC address is the br...

  • Page 220

    1-7 Clearing ARP entries from the ARP table may cause communication failures.

  • Page 221: Proxy Arp Configuration

    2-1 2 Proxy ARP Configuration
    When configuring proxy ARP, go to these sections for information you are interested in:
    • Proxy ARP overview
    • Enabling proxy ARP
    • Displaying and maintaining proxy ARP
    Proxy ARP overview
    If a host sends an ARP request for the MAC address of another host that actually r...

  • Page 222: Enabling Proxy Arp

    2-2 You can solve the problem by enabling proxy ARP on Switch. After that, Switch can reply to the ARP request from Host A with the MAC address of VLAN-interface 1, and forward packets sent from Host A to Host B. In this case, Switch seems to be a proxy of Host B. A main advantage of proxy ARP is th...

  • Page 223

    2-3
    To do... / Use the command... / Remarks
    Enable local proxy ARP: local-proxy-arp enable (required; disabled by default)
    Displaying and maintaining proxy ARP
    To do... / Use the command... / Remarks
    Display whether proxy ARP is enabled: display proxy-arp [ interface vlan-interface vlan-id ] (available in any view)
    Displ...

  • Page 224

    2-4
    [Switch-Vlan-interface1] quit
    [Switch] interface vlan-interface 2
    [Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
    [Switch-Vlan-interface2] proxy-arp enable
    [Switch-Vlan-interface2] quit
    Local proxy ARP configuration example in case of port isolation
    Network requirements
    • Host A ...

  • Page 225

    2-5 # Configure an IP address for VLAN-interface 2.
    system-view
    [SwitchA] vlan 2
    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
    The ping operation from Host A to Host B is unsuccessfu...

  • Page 226

    2-6
    [SwitchB-vlan2] port gigabitethernet 1/0/2
    [SwitchB-vlan2] quit
    [SwitchB] vlan 3
    [SwitchB-vlan3] port gigabitethernet 1/0/3
    [SwitchB-vlan3] quit
    [SwitchB] vlan 5
    [SwitchB-vlan5] port gigabitethernet 1/0/1
    [SwitchB-vlan5] isolate-user-vlan enable
    [SwitchB-vlan5] quit
    [SwitchB] isolate-user-vlan 5...

  • Page 227: Table of Contents

    i Table of Contents
    1 DHCP Overview 1-1
    Introduction to DHCP ...

  • Page 228

    ii Prerequisites 4-5
    Configuring DHCP snooping to support Option 82 4-5
    Displaying and maintainin...

  • Page 229: Dhcp Overview

    1-1 This document is organized as follows:
    • DHCP overview
    • DHCP relay agent configuration
    • DHCP client configuration
    • DHCP snooping configuration
    • BOOTP client configuration
    1 DHCP Overview
    Introduction to DHCP
    The fast expansion and growing complexity of networks result in scarce IP addresses ...

  • Page 230: Dhcp Address Allocation

    1-2 DHCP address allocation
    Allocation mechanisms
    DHCP supports three mechanisms for IP address allocation.
    • Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.
    • Automatic allocation: DHCP assigns a ...

  • Page 231: Dhcp Message Format

    1-3
    • After receiving the DHCP-ACK message, the client probes whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within a specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE me...

  • Page 232: Dhcp Options

    1-4
    • secs: Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. Currently this field is reserved and set to 0.
    • flags: The leftmost bit is defined as the broadcast (B) flag. If this flag is set to 0, the DHCP server sent a reply back...

  • Page 233

    1-5
    • Option 121: Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that the requesting client should add to its routing table.
    • Option 33: Static route option. It specifies a list of classful static routes (the d...

  • Page 234

    1-6 Figure 1-6 Format of the value field of the ACS parameter sub-option
    • The value field of the service provider identifier sub-option contains the service provider identifier.
    • Figure 1-7 shows the format of the value field of the PXE server address sub-option. Currently, the value of the PXE se...

  • Page 235

    1-7 Figure 1-8 Sub-option 1 in normal padding format
    • Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. The following figure gives its format. The value of the sub-option type is 2, and that...

  • Page 236: Protocols and Standards

    1-8
    • Sub-option 1: IP address of the primary network calling processor, which is a server serving as the network calling control source and providing program downloads.
    • Sub-option 2: IP address of the backup network calling processor that DHCP clients will contact when the primary one is unreacha...

  • Page 237

    2-1 2 DHCP Relay Agent Configuration
    When configuring the DHCP relay agent, go to these sections for information you are interested in:
    • Introduction to DHCP relay agent
    • DHCP relay agent configuration task list
    • Configuring the DHCP relay agent
    • Displaying and maintaining DHCP relay agent confi...

  • Page 238

    2-2 Figure 2-1 DHCP relay agent application (figure labels: IP network, DHCP server, DHCP relay agent, DHCP clients)
    No matter whether a relay agent exists or not, the DHCP server and client interact with each other in a similar way (see section Dynamic IP address allocation process)...

  • Page 239

    2-3
    If a client's requesting message has... / Handling strategy / Padding format / The DHCP relay agent will...
    Drop / Random: Drop the message.
    Keep / Random: Forward the message without changing Option 82.
    Normal: Forward the message after replacing the original Option 82 with the Option 82 padded in normal format...

  • Page 240

    2-4 Follow these steps to enable DHCP:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enable DHCP: dhcp enable (required; disabled by default)
    Enabling the DHCP relay agent on an interface
    With this task completed, upon receiving a DHCP request from the enabled interface, the relay age...

  • Page 241

    2-5
    To do... / Use the command... / Remarks
    Correlate the DHCP server group with the current interface: dhcp relay server-select group-id (required; by default, no interface is correlated with any DHCP server group)
    • You can specify up to twenty DHCP server groups on the relay agent and eight DHCP server addr...

  • Page 242

    2-6
    • The dhcp relay address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands are used.
    • The dhcp relay address-check enable command only checks IP and M...

  • Page 243

    2-7 Follow these steps to enable unauthorized DHCP server detection:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enable unauthorized DHCP server detection: dhcp relay server-detect (required; disabled by default)
    With unauthorized DHCP server detection enabled, the device puts a...

  • Page 244

    2-8 Configuring the DHCP relay agent to support Option 82
    Follow these steps to configure the DHCP relay agent to support Option 82:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Enable the relay agent to support opti...

  • Page 246

    2-10 Configuration procedure
    # Specify IP addresses for the interfaces (omitted).
    # Enable DHCP.
    system-view
    [SwitchA] dhcp enable
    # Add DHCP server 10.1.1.1 into DHCP server group 1.
    [SwitchA] dhcp relay server-group 1 ip 10.1.1.1
    # Enable the DHCP relay agent on VLAN-interface 1.
    [SwitchA] interfa...

  • Page 247

    2-11 # Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
    [SwitchA-Vlan-interface1] dhcp relay information enable
    [SwitchA-Vlan-interface1] dhcp relay information strategy replace
    [SwitchA-Vlan-interface1] dhcp relay information circuit-id string company0...

  • Page 248: Dhcp Client Configuration

    3-1 3 DHCP Client Configuration
    When configuring the DHCP client, go to these sections for information you are interested in:
    • Introduction to DHCP client
    • Enabling the DHCP client on an interface
    • Displaying and maintaining the DHCP client
    • DHCP client configuration example
    • The DHCP client co...

  • Page 249

    3-2
    • An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive. The latest configuration will overwrite the previous one.
    • After the DHCP client is enabled on an interface, no secondary IP address is configurable for the interface.
    • If the IP ...

  • Page 250

    3-3
    system-view
    [SwitchB] interface vlan-interface 1
    [SwitchB-Vlan-interface1] ip address dhcp-alloc

  • Page 251: Dhcp Snooping Configuration

    4-1 4 DHCP Snooping Configuration
    When configuring DHCP snooping, go to these sections for information you are interested in:
    • DHCP snooping overview
    • Configuring DHCP snooping basic functions
    • Configuring DHCP snooping to support Option 82
    • Displaying and maintaining DHCP snooping
    • DHCP snoopi...

  • Page 252

    4-2 Recording IP-to-MAC mappings of DHCP clients
    DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the po...

  • Page 253

    4-3 Figure 4-2 Configure trusted ports in a cascaded network
    Table 4-1 describes roles of the ports shown in Figure 4-2.
    Table 4-1 Roles of ports
    Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries
    Switch A: GE1/0/1 / GE1/0/3 / GE1/0/...

  • Page 254

    4-4
    If a client's requesting message has... / Handling strategy / Padding format / The DHCP snooping device will...
    Drop / Random: Drop the message.
    Keep / Random: Forward the message without changing Option 82.
    Normal: Forward the message after replacing the original Option 82 with the Option 82 padded in normal fo...

  • Page 255

    4-5
    • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
    • You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate inter...

  • Page 258

    4-8
    [SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
    [SwitchB-GigabitEthernet1/0/1] quit
    DHCP snooping Option 82 support configuration example
    Network requirements
    • As shown in Figure 4-3, enable DHCP snooping and Option 82 support on Switch B.
    • Configure the handling strategy for DHCP requests...

  • Page 259: Bootp Client Configuration

    5-1 5 BOOTP Client Configuration
    While configuring a BOOTP client, go to these sections for information you are interested in:
    • Introduction to BOOTP client
    • Configuring an interface to dynamically obtain an IP address through BOOTP
    • Displaying and maintaining BOOTP client configuration
    • BOOTP c...

  • Page 260: Through Bootp

    5-2 Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server.
    Obtaining an IP address dynamically
    A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition...

  • Page 261

    5-3 Displaying and maintaining BOOTP client configuration
    To do... / Use the command... / Remarks
    Display related information on a BOOTP client: display bootp client [ interface interface-type interface-number ] (available in any view)
    BOOTP client configuration example
    Network requirement
    As shown in Figure 5...

  • Page 262: Table of Contents

    i Table of Contents
    1 DNS Configuration 1-1
    DNS Overview ...

  • Page 263: Dns Configuration

    1-1 1 DNS Configuration
    When configuring DNS, go to these sections for information you are interested in:
    • DNS overview
    • Configuring the DNS client
    • Configuring the DNS proxy
    • Displaying and maintaining DNS
    • DNS configuration examples
    • Troubleshooting DNS configuration
    This document only cover...

  • Page 264

    1-2 3) The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, it sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned.
    4) The DNS client returns the resolution result to t...

  • Page 265

    1-3 If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.
    DNS proxy
    Introduction to DNS proxy
    A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server. As shown in Figure 1-2, a DNS client sends a D...

  • Page 266: Configuring The Dns Client

    1-4 Configuring the DNS client
    Configuring static domain name resolution
    Follow these steps to configure static domain name resolution:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Configure a mapping between a host name and IP address in the static name resolution table: ip host ...

  • Page 267: Configuring The Dns Proxy

    1-5 Configuring the DNS proxy
    Follow these steps to configure the DNS proxy:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enable DNS proxy: dns proxy enable (required; disabled by default)
    Displaying and maintaining DNS
    To do... / Use the command... / Remarks
    Display the static domain name r...

  • Page 268

    1-6
    56 data bytes, press ctrl_c to break
    reply from 10.1.1.2: bytes=56 sequence=1 ttl=128 time=1 ms
    reply from 10.1.1.2: bytes=56 sequence=2 ttl=128 time=4 ms
    reply from 10.1.1.2: bytes=56 sequence=3 ttl=128 time=3 ms
    reply from 10.1.1.2: bytes=56 sequence=4 ttl=128 time=2 ms
    reply from 10.1.1.2: by...

  • Page 269

    1-7 In Figure 1-5, right click Forward Lookup Zones, select New Zone, and then follow the instructions to create a new zone named com.
    Figure 1-5 Create a zone
    # Create a mapping between the host name and IP address.
    Figure 1-6 Add a host
    In Figure 1-6, right click zone com, and then select New Ho...

  • Page 270

    1-8 Figure 1-7 Add a mapping between domain name and IP address
    2) Configure the DNS client
    # Enable dynamic domain name resolution.
    system-view
    [Sysname] dns resolve
    # Specify the DNS server 2.1.1.2.
    [Sysname] dns server 2.1.1.2
    # Configure com as the name suffix.
    [Sysname] dns domain com
    3) Config...

  • Page 271

    1-9 DNS proxy configuration example
    Network requirements
    • Specify Switch A as the DNS server of Switch B (the DNS client).
    • Switch A acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
    • Switch B implements domain name resolution through Switch A.
    Figure 1-8 Network diagram for ...

  • Page 272

    1-10 # Specify the DNS server 2.1.1.2.
    [SwitchB] dns server 2.1.1.2
    4) Configuration verification
    # Execute the ping host.com command on Switch B to verify that the communication between the switch and the host is normal and that the corresponding destination IP address is 3.1.1.1.
    [SwitchB] ping ho...

  • Page 273: Table of Contents

    i Table of Contents
    1 IP Performance Optimization Configuration 1-1
    IP Performance Overview ...

  • Page 274: Ip Performance Overview

    1-1 1 IP Performance Optimization Configuration
    When optimizing IP performance, go to these sections for information you are interested in:
    • IP performance overview
    • Enabling reception and forwarding of directed broadcasts to a directly connected network
    • Configuring TCP optional parameters
    • Con...

  • Page 275

    1-2 Enabling forwarding of directed broadcasts to a directly connected network
    Follow these steps to enable the device to forward directed broadcasts:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Enter interface view: interface interface-type interface-number
    Enable the interface...

  • Page 276

    1-3
    [SwitchA-Vlan-interface3] quit
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 2.2.2.2 24
    # Enable VLAN-interface 2 to forward directed broadcasts.
    [SwitchA-Vlan-interface2] ip forward-broadcast
    • Configure Switch B
    # Enable Switch B to receive directed broadcasts.
    syst...

  • Page 277

    1-4 Actual length of the finwait timer = (configured length of the finwait timer – 75) + configured length of the synwait timer
    Configuring ICMP to send error packets
    Sending error packets is a major function of ICMP. In case of network abnormalities, ICMP packets are usually sent by the network or ...

  • Page 278

    1-5
    • If the source uses "strict source routing" to send packets, but the intermediate device finds that the next hop specified by the source is not directly connected, the device will send the source a "source routing failure" ICMP error packet.
    • When forwarding a packet, if the MTU of the sending...

  • Page 279

    1-6 Displaying and maintaining IP performance optimization
    To do... / Use the command... / Remarks
    Display current TCP connection state: display tcp status
    Display TCP connection statistics: display tcp statistics
    Display UDP statistics: display udp statistics
    Display statistics of IP packets: display ip statis...

  • Page 280: Table of Contents

    i Table of Contents
    1 UDP Helper Configuration 1-1
    Introduction to UDP Helper ...

  • Page 281: Udp Helper Configuration

    1-1 1 UDP Helper Configuration
    When configuring UDP helper, go to these sections for information you are interested in:
    • Introduction to UDP helper
    • Configuring UDP helper
    • Displaying and maintaining UDP helper
    • UDP helper configuration examples
    UDP helper can currently be configured on VLAN int...

  • Page 282

    1-2
    To do... / Use the command... / Remarks
    Enter interface view: interface interface-type interface-number
    Specify the destination server to which UDP packets are to be forwarded: udp-helper server ip-address (required; no destination server is specified by default)
    • The UDP helper enabled device cannot for...

  • Page 283

    1-3 Figure 1-1 Network diagram for UDP helper configuration
    Configuration procedure
    The following configuration assumes that a route from Switch A to the network segment 10.2.0.0/16 is available.
    # Enable UDP helper.
    system-view
    [SwitchA] udp-helper enable
    # Enable the forwarding of broadcast packets w...

  • Page 284: Table of Contents

    i Table of Contents
    1 IPv6 Basics Configuration 1-1
    IPv6 Overview ...

  • Page 285: Ipv6 Basics Configuration

    1-1 1 IPv6 Basics Configuration
    When configuring IPv6 basics, go to these sections for information you are interested in:
    • IPv6 overview
    • IPv6 basics configuration task list
    • Configuring basic IPv6 functions
    • Configuring IPv6 NDP
    • Configuring PMTU discovery
    • Configuring IPv6 TCP properties
    • C...

  • Page 286

    1-2 the IPv4 address size, the basic IPv6 header size is 40 bytes and is only twice the IPv4 header size (excluding the options field).
    Figure 1-1 Comparison between IPv4 packet header format and basic IPv6 packet header format
    Adequate address space
    The source and destination IPv6 addresses are bot...

  • Page 287

    1-3 Enhanced neighbor discovery mechanism
    The IPv6 neighbor discovery protocol is implemented through a group of Internet Control Message Protocol version 6 (ICMPv6) messages that manage the information exchange between neighbor nodes on the same link. The group of ICMPv6 messages takes the place of...

  • Page 288

    1-4
    • Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the target interface is the nearest to the source, according to a routing protocol's measure of dis...

  • Page 289

    1-5 Multicast address
    IPv6 multicast addresses listed in Table 1-2 are reserved for special purposes.
    Table 1-2 Reserved IPv6 multicast addresses
    Address / Application
    FF01::1: Node-local scope all-nodes multicast address
    FF02::1: Link-local scope all-nodes multicast address
    FF01::2: Node-local scope all ...

  • Page 290

    1-6
    • Duplicate address detection
    • Router/prefix discovery and address autoconfiguration
    • Redirection
    Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
    Table 1-3 Types and functions of ICMPv6 messages
    ICMPv6 message / Number / Function
    Used to acquire the link-layer address o...

  • Page 291

    1-7 2) After receiving the NS message, Node B judges whether the destination address of the packet is its solicited-node multicast address. If yes, Node B learns the link-layer address of Node A, and then unicasts an NA message containing its link-layer address.
    3) Node A acquires the link-layer add...

  • Page 292

    1-8 2) The router returns an RA message containing information such as the prefix information option. (The router also sends RA messages regularly.)
    3) The node automatically generates an IPv6 address and other information for its interface according to the address prefix and other configuration param...

  • Page 293

    1-9 1) The source host uses its MTU to send packets to the destination host.
    2) If the MTU supported by a forwarding interface is smaller than the packet size, the forwarding device will discard the packet and return an ICMPv6 error packet containing the interface MTU to the source host.
    3) After re...

  • Page 294

    1-10
    Task / Remarks
    Configuring ICMPv6 packet sending: optional
    Configuring IPv6 DNS client: optional
    Configuring basic IPv6 functions
    Enabling IPv6
    Before performing IPv6-related configurations, you need to enable IPv6. Otherwise, an interface cannot forward IPv6 packets even if it has an IPv6 address ...

  • Page 295: Configuring Ipv6 Ndp

    1-11
    To do... / Use the command... / Remarks
    Configure an IPv6 link-local address:
    Automatically generate a link-local address for the interface: ipv6 address auto link-local
    Manually assign a link-local address for the interface: ipv6 address ipv6-address link-local
    Optional. By default, after an IPv6 site...

  • Page 297

    1-13 Table 1-4 Parameters in an RA message and their descriptions
    Parameters / Description
    Cur Hop Limit: When sending an IPv6 packet, a host uses the value to fill the Cur Hop Limit field in IPv6 headers. The value is also filled into the Cur Hop Limit field in response messages of a device.
    Prefix In...

  • Page 298

    1-14
    To do... / Use the command... / Remarks
    Disable RA message suppression: undo ipv6 nd ra halt (required; by default, RA messages are suppressed)
    Configure the maximum and minimum intervals for sending RA messages: ipv6 nd ra interval max-interval-value min-interval-value (optional; by default, the maximum...

  • Page 299: Configuring Pmtu Discovery

    1-15 Configuring the maximum number of attempts to send an NS message for DAD
    An interface sends a neighbor solicitation (NS) message for duplicate address detection after acquiring an IPv6 address. If the interface does not receive a response within a specified time (determined by the ipv6 nd ns re...

  • Page 300

    1-16 Follow these steps to configure the aging time for dynamic PMTUs:
    To do... / Use the command... / Remarks
    Enter system view: system-view
    Configure the aging time for dynamic PMTUs: ipv6 pathmtu age age-time (optional; 10 minutes by default)
    Configuring IPv6 TCP properties
    The IPv6 TCP properties you can ...

  • Page 302: Configuring Ipv6 Dns Client

    1-18 Configuring IPv6 DNS client
    Configuring static IPv6 domain name resolution
    Configuring static IPv6 domain name resolution is to establish the mapping between a host name and an IPv6 address. When using such applications as Telnet, you can directly input a host name and the system will resolve t...

  • Page 303

    1-19 Displaying and maintaining IPv6 basics configuration
    To do... / Use the command... / Remarks
    Display DNS suffix information: display dns domain [ dynamic ]
    Display IPv6 dynamic domain name cache information: display dns ipv6 dynamic-host
    Display IPv6 DNS server information: display dns ipv6 server [ dynam...

  • Page 304: Ipv6 Configuration Example

    1-20 The display dns domain command is the same as the one for IPv4 DNS. For details about the commands, refer to DNS Commands in the IP Services volume.
    IPv6 configuration example
    Network requirements
    • Host, Switch A and Switch B are directly connected through Ethernet ports. Add the Ethernet ports...

  • Page 305

    1-21
    • Configure Switch B
    # Enable IPv6.
    system-view
    [SwitchB] ipv6
    # Configure an aggregatable global unicast address for VLAN-interface 2.
    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ipv6 address 3001::2/64
    # Configure an IPv6 static route with destination IP address 2001::/64 a...

  • Page 306

    1-22
    reasmreqds: 0
    reasmoks: 0
    infragdrops: 0
    infragtimeouts: 0
    outfragfails: 0
    inunknownprotos: 0
    indelivers: 47
    outrequests: 89
    outforwdatagrams: 48
    innoroutes: 0
    intoobigerrors: 0
    outfragoks: 0
    outfragcreates: 0
    inmcastpkts: 6
    inmcastnotmembers: 25747
    outmcastpkts: 48
    inaddrerrors: 0
    indiscards: ...

  • Page 307

    1-23
    reasmoks: 0
    infragdrops: 0
    infragtimeouts: 0
    outfragfails: 0
    inunknownprotos: 0
    indelivers: 159
    outrequests: 1012
    outforwdatagrams: 35
    innoroutes: 0
    intoobigerrors: 0
    outfragoks: 0
    outfragcreates: 0
    inmcastpkts: 79
    inmcastnotmembers: 65
    outmcastpkts: 938
    inaddrerrors: 0
    indiscards: 0
    outdiscard...

  • Page 308

    1-24
    outfragfails: 0
    inunknownprotos: 0
    indelivers: 117
    outrequests: 83
    outforwdatagrams: 0
    innoroutes: 0
    intoobigerrors: 0
    outfragoks: 0
    outfragcreates: 0
    inmcastpkts: 28
    inmcastnotmembers: 0
    outmcastpkts: 7
    inaddrerrors: 0
    indiscards: 0
    outdiscards: 0
    # Ping Switch A and Switch B on Host, and ping...

  • Page 309

    1-25 troubleshooting ipv6 basics configuration symptom the peer ipv6 address cannot be pinged. Solution z use the display current-configuration command in any view or the display this command in system view to verify that ipv6 is enabled. Z use the display ipv6 interface command in any view to verif...

  • Page 310: Table of Contents

    I table of contents 1 dual stack configuration 1-1 dual stack overview ...

  • Page 311: Dual Stack Configuration

    1-1 1 dual stack configuration when configuring dual stack, go to these sections for information you are interested in: z dual stack overview z configuring dual stack dual stack overview dual stack is the most direct approach to making ipv6 nodes compatible with ipv4 nodes. The best way for an ipv6 ...

  • Page 313: Table of Contents

    I table of contents 1 sflow configuration 1-1 sflow overview ...

  • Page 314: Sflow Configuration

    1-1 1 sflow configuration when configuring sflow, go to these sections for information you are interested in: z sflow overview z configuring sflow z displaying and maintaining sflow z sflow configuration example z troubleshooting sflow configuration sflow overview introduction to sflow sampled flow (...

  • Page 315: Configuring Sflow

    1-2 3) when the sflow packet buffer overflows or the one-second timer expires, the sflow agent sends sflow packets to the specified sflow collector. Configuring sflow the sflow feature enables the remote sflow collector to monitor the network and analyze sflow packet statistics. Follow these steps t...

  • Page 316: Sflow Configuration Example

    1-3 sflow configuration example network requirements z host a and server are connected to switch through gigabitethernet 1/0/1 and gigabitethernet 1/0/2 respectively. Z host b works as an sflow collector with ip address 3.3.3.2 and port number 6343, and is connected to switch through gigabitethernet...

  • Page 317

    1-4 collector ip:3.3.3.2 port:6343 interval(s): 30 sflow port information: interface direction rate mode status eth1/1 in/out 100000 random active troubleshooting sflow configuration the remote sflow collector cannot receive sflow packets symptom the remote sflow collector cannot receive sflow packe...

  • Page 318: Manual Version

    Ip routing volume organization manual version 20090930-c-1.01 product version release 2202 organization the ip routing volume is organized as follows: features description ip routing overview this document describes: z introduction to ip routing and routing table z routing protocol overview static r...

  • Page 319: Table of Contents

    I table of contents 1 ip routing overview 1-1 ip routing and routing table ...

  • Page 320: Ip Routing Overview

    1-1 1 ip routing overview go to these sections for information you are interested in: z ip routing and routing table z routing protocol overview z displaying and maintaining a routing table the term “router” in this document refers to a router in a generic sense or a layer 3 switch. Ip routing and r...

  • Page 321

    1-2 z ip address of the next hop: specifies the address of the next router on the path. If only the outbound interface is configured, its address will be the ip address of the next hop. Z priority for the route. Routes to the same destination but having different nexthops may have different prioriti...

  • Page 322: Routing Protocol Overview

    1-3 routing protocol overview static routing and dynamic routing static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. Its major drawback is that you must perform routing configuration again whenever the network topolo...

  • Page 324: Table of Contents

    I table of contents 1 static routing configuration 1-1 introduction ...

  • Page 325: Static Routing Configuration

    1-1 1 static routing configuration when configuring a static route, go to these sections for information you are interested in: z introduction z configuring a static route z detecting reachability of the static route’s nexthop z displaying and maintaining static routes z static route configuration e...

  • Page 326: Configuring A Static Route

    1-2 z the network administrator can configure a default route with both destination and mask being 0.0.0.0. The router forwards any packet whose destination address fails to match any entry in the routing table to the next hop of the default static route. Z some dynamic routing protocols, such as ri...

  • Page 328

    1-4 network requirements to detect the reachability of a static route's nexthop through a track entry, you need to create a track first. For detailed track configuration procedure, refer to track configuration in the high availability volume. Configuration procedure follow these steps to detect the ...

  • Page 329

    1-5 static route configuration example basic static route configuration example network requirements the ip addresses and masks of the switches and hosts are shown in the following figure. Static routes are required for interconnection between any two hosts. Figure 1-1 network diagram for static rou...

  • Page 330

    1-6 destination/mask proto pre cost nexthop interface 0.0.0.0/0 static 60 0 1.1.4.2 vlan500 1.1.2.0/24 direct 0 0 1.1.2.3 vlan300 1.1.2.3/32 direct 0 0 127.0.0.1 inloop0 1.1.4.0/30 direct 0 0 1.1.4.1 vlan500 1.1.4.1/32 direct 0 0 127.0.0.1 inloop0 127.0.0.0/8 direct 0 0 127.0.0.1 inloop0 127.0.0.1/3...

  • Page 331

    1-7 1 2 3 1 ms trace complete.

  • Page 332: Table of Contents

    I table of contents 1 rip configuration 1-1 rip overview ...

  • Page 333: Rip Configuration

    1-1 1 rip configuration the term “router” in this document refers to a router in a generic sense or a layer 3 switch. When configuring rip, go to these sections for information you are interested in: z rip overview z configuring rip basic functions z configuring rip route control z configuring rip n...

  • Page 334

    1-2 z egress interface: packet outgoing interface. Z metric: cost from the local router to the destination. Z route time: time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. Z route tag: identifies a route, used in a routing policy t...

  • Page 335

    1-3 ripv1, a classful routing protocol, supports message advertisement via broadcast only. Ripv1 protocol messages do not carry mask information, which means it can only recognize routing information of natural networks such as class a, b, c. That is why ripv1 does not support discontiguous subnets....

  • Page 336

    1-4 ripv2 message format the format of ripv2 message is similar to ripv1. Figure 1-2 shows it. Figure 1-2 ripv2 message format the differences from ripv1 are stated as following. Z version: version of rip. For ripv2 the value is 0x02. Z route tag: route tag. Z ip address: destination ip address. It ...

  • Page 337

    1-5 z rfc 1723 only defines plain text authentication. For information about md5 authentication, refer to rfc 2453 “rip version 2”. Z with ripv1, you can configure the authentication mode in interface view. However, the configuration will not take effect because ripv1 does not support authentication...

  • Page 338

    1-6 z if you make some rip configurations in interface view before enabling rip, those configurations will take effect after rip is enabled. Z rip runs only on the interfaces residing on the specified networks. Therefore, you need to specify the network after enabling rip to validate rip on a specif...

  • Page 340

    1-8 to do… use the command… remarks enter system view system-view –– enter interface view interface interface-type interface-number –– define an inbound additional routing metric rip metricin [ route-policy route-policy-name ]value optional 0 by default define an outbound additional routing metric r...

  • Page 341

    1-9 you need to disable ripv2 route automatic summarization before advertising a summary route on an interface. Disabling host route reception sometimes a router may receive from the same network many host routes, which are not helpful for routing and consume a large amount of network resources. In ...

  • Page 343

    1-11 to do… use the command… remarks enter system view system-view –– enter rip view rip [ process-id ] –– configure a priority for rip preference [ route-policy route-policy-name ] value optional 100 by default configuring rip route redistribution if a router runs rip and other routing protocols, y...

  • Page 345

    1-13 to do… use the command… remarks enter interface view interface interface-type interface-number — enable poison reverse rip poison-reverse required disabled by default enabling zero field check on incoming ripv1 messages some fields in the ripv1 message must be zero. These fields are called zero...

  • Page 346

    1-14 configuring ripv2 message authentication in a network requiring high security, you can configure this task to implement ripv2 message validity check and authentication. Ripv2 supports two authentication modes: plain text and md5. In plain text authentication, the authentication information is s...

  • Page 347

    1-15 z you need not use the peer ip-address command when the neighbor is directly connected; otherwise the neighbor may receive both the unicast and multicast (or broadcast) of the same routing information. Z if a specified neighbor is not directly connected, you need to disable source address check...

  • Page 349

    1-17 # configure switch a. [switcha] rip [switcha-rip-1] network 192.168.1.0 [switcha-rip-1] network 172.16.0.0 [switcha-rip-1] network 172.17.0.0 # configure switch b. [switchb] rip [switchb-rip-1] network 192.168.1.0 [switchb-rip-1] network 10.0.0.0 # display the rip routing table of switch a. [sw...

  • Page 350

    1-18 since the routing information advertised by ripv1 has a long aging time, it will still exist until it ages out after ripv2 is configured. Configuring rip route redistribution network requirements as shown in the following figure: z two rip processes are running on switch b, which communicates w...

  • Page 351

    1-19 [switchb] rip 200 [switchb-rip-200] network 12.0.0.0 [switchb-rip-200] version 2 [switchb-rip-200] undo summary [switchb-rip-200] quit # enable rip 200 and specify rip version 2 on switch c. System-view [switchc] rip 200 [switchc-rip-200] network 12.0.0.0 [switchc-rip-200] network 16.0.0.0 [swi...

  • Page 352

    1-20 [switchb] acl number 2000 [switchb-acl-basic-2000] rule deny source 10.2.1.1 0.0.0.255 [switchb-acl-basic-2000] rule permit [switchb-acl-basic-2000] quit [switchb] rip 200 [switchb-rip-200] filter-policy 2000 export rip 100 # display the routing table of switch c. [switchc] display ip routing-t...

  • Page 353

    1-21 [switcha-rip-1] network 1.0.0.0 [switcha-rip-1] version 2 [switcha-rip-1] undo summary [switcha-rip-1] quit # configure switch b. System-view [switchb] rip 1 [switchb-rip-1] network 1.0.0.0 [switchb-rip-1] version 2 [switchb-rip-1] undo summary # configure switch c. System-view [switchb] rip 1 ...

  • Page 354: Troubleshooting Rip

    1-22 [switcha-vlan-interface200] display rip 1 database 1.0.0.0/8, cost 0, classfulsumm 1.1.1.0/24, cost 0, nexthop 1.1.1.1, rip-interface 1.1.2.0/24, cost 0, nexthop 1.1.2.1, rip-interface 1.1.3.0/24, cost 1, nexthop 1.1.1.2 1.1.4.0/24, cost 2, nexthop 1.1.1.2 1.1.5.0/24, cost 2, nexthop 1.1.1.2 th...

  • Page 355: Table of Contents

    I table of contents 1 ipv6 static routing configuration 1-1 introduction to ipv6 static routing ...

  • Page 356

    1-1 1 ipv6 static routing configuration when configuring ipv6 static routing, go to these sections for information you are interested in: z introduction to ipv6 static routing z configuring an ipv6 static route z displaying and maintaining ipv6 static routes z ipv6 static routing configuration examp...

  • Page 357

    1-2 z enabling ipv6 packet forwarding z ensuring that the neighboring nodes are ipv6 reachable configuring an ipv6 static route follow these steps to configure an ipv6 static route: to do… use the commands… remarks enter system view system-view — configure an ipv6 static route ipv6 route-static ipv6...

  • Page 358

    1-3 configuration procedure 1) configure the ipv6 addresses of all vlan interfaces (omitted) 2) configure ipv6 static routes. # configure the default ipv6 static route on switcha. System-view [switcha] ipv6 route-static :: 0 4::2 # configure two ipv6 static routes on switchb. System-view [switchb] i...

  • Page 359

    1-4 reply from 3::1 bytes=56 sequence=1 hop limit=254 time = 63 ms reply from 3::1 bytes=56 sequence=2 hop limit=254 time = 62 ms reply from 3::1 bytes=56 sequence=3 hop limit=254 time = 62 ms reply from 3::1 bytes=56 sequence=4 hop limit=254 time = 63 ms reply from 3::1 bytes=56 sequence=5 hop limi...

  • Page 360: Table of Contents

    I table of contents 1 ripng configuration 1-1 introduction to ripng ...

  • Page 361: Ripng Configuration

    1-1 1 ripng configuration when configuring ripng, go to these sections for information you are interested in: z introduction to ripng z configuring ripng basic functions z configuring ripng route control z tuning and optimizing the ripng network z displaying and maintaining ripng z ripng configurati...

  • Page 362

    1-2 each ripng router maintains a routing database, including route entries of all reachable destinations. A route entry contains the following information: z destination address: ipv6 address of a host or a network. Z next hop address: ipv6 address of a neighbor along the path to the destination. Z...

  • Page 363

    1-3 figure 1-3 ipv6 prefix rte format ipv6 prefix (16 octets) route tag prefix length metric 0 7 15 31 z ipv6 prefix: destination ipv6 address prefix. Z route tag: route tag. Z prefix len: length of the ipv6 address prefix. Z metric: cost of a route. Ripng packet processing procedure request packet ...

  • Page 364

    1-4 z configure an ip address for each interface, and make sure all nodes can reach one another. Configuration procedure follow these steps to configure the basic ripng functions: to do… use the command… remarks enter system view system-view –– create a ripng process and enter ripng view ripn...

  • Page 365

    1-5 the inbound additional metric is added to the metric of a received route before the route is added into the routing table, so the route’s metric is changed. Follow these steps to configure an inbound/outbound additional routing metric: to do… use the command… remarks enter system view system-vie...

  • Page 366

    1-6 configuring a ripng route filtering policy you can reference a configured ipv6 acl or prefix list to filter received/advertised routing information as needed. For filtering outbound routes, you can also specify a routing protocol from which to filter routing information redistributed. Follow the...

  • Page 367

    1-7 tuning and optimizing the ripng network this section describes how to tune and optimize the performance of the ripng network as well as applications under special network environments. Before tuning and optimizing the ripng network, complete the following tasks: z configure a network layer addre...

  • Page 368

    1-8 same interface to prevent routing loops between neighbors. Follow these steps to configure split horizon: to do… use the command… remarks enter system view system-view –– enter interface view interface interface-type interface-number –– enable the split horizon function ripng split-horizon optio...

  • Page 369: Ripng Configuration Example

    1-9 displaying and maintaining ripng to do… use the command… remarks display configuration information of a ripng process display ripng [ process-id ] available in any view display routes in the ripng database display ripng process-id database available in any view display the routing information of...

  • Page 370

    1-10 [switchb] interface vlan-interface 200 [switchb-vlan-interface200] ripng 1 enable [switchb-vlan-interface200] quit [switchb] interface vlan-interface 100 [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # configure switch c. System-view [switchc] ripng 1 [switchc-ripn...

  • Page 371

    1-11 via fe80::200:2ff:fe64:8904, cost 2, tag 0, a, 31 sec dest 5::/64, via fe80::200:2ff:fe64:8904, cost 2, tag 0, a, 31 sec dest 3::/64, via fe80::200:2ff:fe64:8904, cost 1, tag 0, a, 31 sec 3) configure switch b to filter incoming and outgoing routes. [switchb] acl ipv6 number 2000 [switchb-acl6-...

  • Page 372: Table of Contents

    I table of contents 1 route policy configuration 1-1 introduction to route policy ...

  • Page 373: Route Policy Configuration

    1-1 1 route policy configuration a route policy is used on a router for route filtering and attributes modification when routes are received, advertised, or redistributed. When configuring route policy, go to these sections for information you are interested in: z introduction to route policy z rout...

  • Page 374: Defining Filters

    1-2 an ip prefix list is configured to match the destination address of routing information. Moreover, you can use the gateway option to allow only routing information from certain routers to be received. For gateway option information, refer to rip commands in the ip routing volume. An ip prefix li...

  • Page 375

    1-3 defining an ip-prefix list define an ipv4 prefix list identified by name, an ipv4 prefix list can comprise multiple items. Each item specifies a prefix range to match and is identified by an index number. An item with a smaller index number is matched first. If one item is matched, the ip prefix...

  • Page 376: Configuring A Route Policy

    1-4 if all items are set to the deny mode, no routes can pass the ipv6 prefix list. Therefore, you need to define the permit :: 0 less-equal 128 item following multiple deny items to allow other ipv6 routing information to pass. For example, the following configuration filters routes 2000:1::/48, 20...

  • Page 377

    1-5 z if a route policy node has the permit keyword specified, routing information matching all the if-match clauses of the node will be handled using the apply clauses of this node, without needing to match against the next node. If routing information does not match the node, it will go to the nex...

  • Page 378

    1-6 z the if-match clauses of a route policy node are in a logical AND relationship, namely, routing information has to satisfy all its if-match clauses before being executed with its apply clauses. Z you can specify no or multiple if-match clauses for a route policy node. If no if-match clause is speci...

  • Page 379

    1-7 displaying and maintaining the route policy to do… use the command… remarks display ipv4 prefix list statistics display ip ip-prefix [ ip-prefix-name ] display ipv6 prefix list statistics display ip ipv6-prefix [ ipv6-prefix-name ] display route policy information display route-policy [ route-po...

  • Page 380

    1-8 [switcha-acl-basic-2000] rule deny source 30.0.0.0 0.255.255.255 [switcha-acl-basic-2000] rule permit source any [switcha-acl-basic-2000] quit # redistribute static routes. [switcha] rip [switcha-rip-1] import-route static # apply acl 2000 to filter the routing information to be advertised to sw...

  • Page 381

    1-9 figure 1-2 network diagram for route policy application to route redistribution configuration procedure 1) configure switch a. # configure ipv6 addresses for vlan-interface 100 and vlan-interface 200. System-view [switcha] ipv6 [switcha] interface vlan-interface 100 [switcha-vlan-interface100] i...

  • Page 382

    1-10 [switchb-vlan-interface100] ripng 1 enable [switchb-vlan-interface100] quit # enable ripng. [switchb] ripng # display ripng routing table information. [switchb-ripng-1] display ripng 1 route route flags: a - aging, s - suppressed, g - garbage-collect --------------------------------------------...

  • Page 383: Manual Version

    Ip multicast volume organization manual version 20090930-c-1.01 product version release 2202 organization the ip multicast volume is organized as follows: features description multicast overview this document describes the main concepts in multicast: z introduction to multicast z multicast models z ...

  • Page 384: Table of Contents

    I table of contents 1 multicast overview 1-1 introduction to multicast ...

  • Page 385: Multicast Overview

    1-1 1 multicast overview this manual chiefly focuses on the ip multicast technology and device operations. Unless otherwise stated, the term “multicast” in this document refers to ip multicast. Introduction to multicast as a technique coexisting with unicast and broadcast, the multicast technique ef...

  • Page 386

    1-2 figure 1-1 unicast transmission source receiver receiver receiver host a host b host c host d host e packets for host b packets for host d packets for host e ip network assume that host b, host d and host e need the information. A separate transmission channel needs to be established from the in...

  • Page 387

    1-3 figure 1-2 broadcast transmission assume that only host b, host d, and host e need the information. If the information is broadcast to the subnet, host a and host c also receive it. In addition to information security issues, this also causes traffic flooding on the same subnet. Therefore, broad...

  • Page 388

    1-4 figure 1-3 multicast transmission the multicast source (source in the figure) sends only one copy of the information to a multicast group. Host b, host d and host e, which are receivers of the information, need to join the multicast group. The routers on the network duplicate and forward the inf...

  • Page 389: Multicast Models

    1-5 for a better understanding of the multicast concept, you can compare multicast transmission to the transmission of tv programs, as shown in table 1-1 . Table 1-1 an analogy between tv transmission and multicast transmission tv transmission multicast transmission a tv station transmits a tv pr...

  • Page 390: Multicast Architecture

    1-6 asm model in the asm model, any sender can send information to a multicast group as a multicast source, and numbers of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of ...

  • Page 391

    1-7 multicast addresses to allow communication between multicast sources and multicast group members, network-layer multicast addresses, namely, multicast ip addresses must be provided. In addition, a technique must be available to map multicast ip addresses to link-layer multicast mac addresses. Ip...

  • Page 392

    1-8 address description 224.0.0.7 shared tree (st) routers 224.0.0.8 st hosts 224.0.0.9 routing information protocol version 2 (ripv2) routers 224.0.0.11 mobile agents 224.0.0.12 dynamic host configuration protocol (dhcp) server/relay agent 224.0.0.13 all protocol independent multicast (pim) routers...

  • Page 393

    1-9 bit description t z when set to 0, it indicates that this address is an ipv6 multicast address permanently-assigned by iana z when set to 1, it indicates that this address is a transient, or dynamically assigned ipv6 multicast address z scope: 4 bits, indicating the scope of the ipv6 internetwor...

  • Page 394

    1-10 the high-order four bits of a multicast ipv4 address are 1110, indicating that this address is a multicast address, and only 23 bits of the remaining 28 bits are mapped to a mac address, so five bits of the multicast ipv4 address are lost. As a result, 32 multicast ipv4 addresses map to the sam...

  • Page 395

    1-11 figure 1-8 positions of layer 3 multicast protocols 1) multicast management protocols typically, the internet group management protocol (igmp) or multicast listener discovery protocol (mld) is used between hosts and layer 3 multicast devices directly connected with the hosts. These protocols de...

  • Page 396

    1-12 figure 1-9 position of layer 2 multicast protocols source receiver receiver ipv4/ipv6 multicast packets igmp snooping /mld snooping multicast vlan /ipv6 multicast vlan 1) igmp snooping/mld snooping running on layer 2 devices, internet group management protocol snooping (igmp snooping) and multi...

  • Page 397: Table of Contents

    I table of contents 1 igmp snooping configuration 1-1 igmp snooping overview ...

  • Page 398: Igmp Snooping Configuration

    1-1 1 igmp snooping configuration when configuring igmp snooping, go to the following sections for information you are interested in: z igmp snooping overview z igmp snooping configuration task list z displaying and maintaining igmp snooping z igmp snooping configuration examples z troubleshooting i...

  • Page 399

    1-2 z reducing layer 2 broadcast packets, thus saving network bandwidth. Z enhancing the security of multicast traffic. Z facilitating the implementation of per-host accounting. Basic concepts in igmp snooping igmp snooping related ports as shown in figure 1-2 , router a connects to the multicast so...

  • Page 400

    1-3 aging timers for dynamic ports in igmp snooping and related messages and actions table 1-1 aging timers for dynamic ports in igmp snooping and related messages and actions timer description message before expiry action after expiry dynamic router port aging timer for each dynamic router port, th...

  • Page 401

    1-4 when receiving a membership report a host sends an igmp report to the igmp querier in the following circumstances: z upon receiving an igmp query, a multicast group member host responds with an igmp report. Z when intended to join a multicast group, a host sends an igmp report to the igmp querie...

  • Page 402

    1-5 upon receiving the igmp leave message from a host, the igmp querier resolves the multicast group address in the message and sends an igmp group-specific query to that multicast group through the port that received the leave message. Upon receiving the igmp group-specific query, the switch forwar...

  • Page 403

    1-6 z configurations made in igmp snooping view are effective for all vlans, while configurations made in vlan view are effective only for ports belonging to the current vlan. For a given vlan, a configuration made in igmp snooping view is effective only if the same configuration is not made in vlan...

  • Page 404

    1-7 z igmp snooping must be enabled globally before it can be enabled in a vlan. Z when you enable igmp snooping in a specified vlan, this function takes effect for the ports in this vlan only. Configuring the version of igmp snooping by configuring an igmp snooping version, you actually configure t...

  • Page 405

    1-8 configuring aging timers for dynamic ports if the switch receives no igmp general queries or pim hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no igmp reports for a multicast group o...

  • Page 406

    1-9 follow these steps to configure static ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach configure ...

  • Page 407

    1-10 follow these steps to configure simulated joining: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate port view or port group view port-group manual port-group-name required use either approach conf...

  • Page 408

    1-11 configuring fast leave processing on a port or a group of ports follow these steps to configure fast leave processing on a port or a group of ports: to do... Use the command... Remarks enter system view system-view — interface interface-type interface-number enter ethernet port/layer 2 aggregate...

  • Page 409

    1-12 it is meaningless to configure an igmp snooping querier in a multicast network running igmp. Although an igmp snooping querier does not take part in igmp querier elections, it may affect igmp querier elections because it sends igmp general queries with a low source ip address. Configuring igmp ...

  • Page 410

    1-13 to do... Use the command... Remarks configure the maximum response time to igmp general queries igmp-snooping max-response-time interval optional 10 seconds by default configure the igmp last-member query interval igmp-snooping last-member-query-interval interval optional 1 second by default in...

  • Page 411

    1-14 before configuring an igmp snooping policy, prepare the following data: z acl rule for multicast group filtering z the maximum number of multicast groups that can pass the ports configuring a multicast group filter on an igmp snooping–enabled switch, the configuration of a multicast group allow...

  • Page 412

    1-15 if this feature is disabled on a port, the port can be connected with both multicast sources and multicast receivers. Configuring multicast source port filtering globally follow these steps to configure multicast source port filtering globally: to do... Use the command... Remarks enter system v...

  • Page 413

    1-16 to do... Use the command... Remarks enable the function of dropping unknown multicast data igmp-snooping drop-unknown required disabled by default configuring igmp report suppression when a layer 2 device receives an igmp report from a multicast group member, the device forwards the message to ...

  • Page 414

    When the number of multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries for that port from the IGMP snooping forwarding table, and the hosts on this port need to join the multicast groups again. If you have configu...

  • Page 415

    Configuring multicast group replacement on a port or a group of ports. Follow these steps to configure multicast group replacement on a port or a group of ports (To do... / Use the command... / Remarks): enter system view: system-view; interface interface-type interface-number: enter Ethernet port/Laye...

  • Page 416

    IGMP snooping configuration examples. Configuring group policy and simulated joining. Network requirements: as shown in Figure 1-3, Router A connects to the multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. IGMPv2 is required on Router A, IGMP snoop...

  • Page 417

    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] quit
    3) Configure Switch A
    # Enable IGMP snooping globally.
    system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and enabl...

  • Page 418

    IP group(s): the following IP group(s) match to one MAC group.
      IP group address: 224.1.1.1
      (0.0.0.0, 224.1.1.1):
        Attribute: host port
        Host port(s): total 2 port.
          GE1/0/3 (D) (00:03:23)
          GE1/0/4 (D) (00:04:10)
    MAC group(s):
      MAC group address: 0100-5e01-0101
        Host port(s): total 2 port.
          GE1/0/3  GE1/...

  • Page 419

    Network diagram. Figure 1-4 Network diagram for static port configuration: Source 1.1.1.1/24; Router A (IGMP querier) with GE1/0/1 10.1.1.1/24 and GE1/0/2 1.1.1.2/24; Switch A, Switch B and Switch C interconnected through their GE1/0/1, GE1/0/2 and GE1/0/3 ports; Host A, Host B and Host C, two of which are receivers...

  • Page 420

    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] igmp-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    4) Configure Switch B
    # Enable IGMP snooping globally.
    Syst...

  • Page 421

    VLAN(ID): 100.
      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC group(s).
      Router port(s): total 2 port.
        GE1/0/1 (D) (00:01:30)
        GE1/0/3 (S)
      IP group(s): the following IP group(s) match to one MAC group.
        IP group address: 224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Attribute: host port
          Host port(s): total...

  • Page 422

    IGMP snooping querier configuration. Network requirements: as shown in Figure 1-5, in a Layer 2-only network environment, two multicast sources, Source 1 and Source 2, send multicast data to multicast groups 224.1.1.1 and 225.1.1.1 respectively; Host A and Host C are receivers of multicast group...

  • Page 423

    # Enable the IGMP snooping querier function in VLAN 100.
    [SwitchA-vlan100] igmp-snooping querier
    # Set the source IP address of IGMP general queries and group-specific queries to 192.168.1.1 in VLAN 100.
    [SwitchA-vlan100] igmp-snooping general-query source-ip 192.168.1.1
    [SwitchA-vlan100] igmp-s...

  • Page 424

    Troubleshooting IGMP snooping configuration. Switch fails in Layer 2 multicast forwarding. Symptom: a switch fails to implement Layer 2 multicast forwarding. Analysis: IGMP snooping is not enabled. Solution: 1) Enter the display current-configuration command to view the running status of IGMP snoopi...

  • Page 425: Table of Contents

    Table of Contents: 1 Multicast VLAN Configuration (1-1); Introduction to Multicast VLAN ...

  • Page 426: Multicast Vlan Configuration

    Multicast VLAN configuration. When configuring multicast VLAN, go to these sections for information you are interested in: Introduction to multicast VLAN; Multicast VLAN configuration task list; Configuring sub-VLAN-based multicast VLAN; Configuring port-based multicast VLAN; Displaying a...

  • Page 427

    Figure 1-2 Sub-VLAN-based multicast VLAN: the Source behind Router A (IGMP querier); Switch A with user VLAN 2, VLAN 3 and VLAN 4 (receivers Host A, Host B and Host C) and VLAN 10 as the multicast VLAN carrying the multicast packets. After the configuration, IGMP snooping manages router ports in the multicast VLAN an...

  • Page 428

    For information about IGMP snooping, router ports, and member ports, refer to IGMP Snooping Configuration in the IP Multicast volume. For information about VLAN tags, refer to VLAN Configuration in the Access volume. Multicast VLAN configuration task list: complete the following tasks to conf...

  • Page 429

    The VLAN to be configured as a multicast VLAN must exist. The VLANs to be configured as sub-VLANs of the multicast VLAN must exist and must not be sub-VLANs of another multicast VLAN. The total number of sub-VLANs of a multicast VLAN must not exceed 63. Configuring port-based multicast VLA...

  • Page 431

    Configuring multicast VLAN ports in port view or port group view. Follow these steps to configure multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks): enter system view: system-view; configure the specified VLAN as a multicast VLAN and enter multicast VLAN view: m...

  • Page 432

    Configure the sub-VLAN-based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN, and Switch A forwards the traffic to the receivers that belong to different user VLANs. Network diagram: Figure 1-4 Network diagram for sub-VLAN-based multicast ...

  • Page 433

    [SwitchA-vlan2] port gigabitethernet 1/0/2
    [SwitchA-vlan2] quit
    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable IGMP snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabiteth...

  • Page 434

      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC group(s).
      Router port(s): total 0 port.
      IP group(s): the following IP group(s) match to one MAC group.
        IP group address: 224.1.1.1
        (0.0.0.0, 224.1.1.1):
          Host port(s): total 1 port.
            GE1/0/3 (D)
      MAC group(s):
        MAC group address: 0100-5e01-0101
          Host ...

  • Page 435

    Port-based multicast VLAN configuration. Network requirements: as shown in Figure 1-5, Router A connects to a multicast source (Source) through GigabitEthernet 1/0/1, and to Switch A through GigabitEthernet 1/0/2. IGMPv2 is required on Router A. IGMPv2 snooping is required on Switch A. Route...

  • Page 436

    [RouterA-GigabitEthernet1/0/1] quit
    [RouterA] interface gigabitethernet 1/0/2
    [RouterA-GigabitEthernet1/0/2] pim dm
    [RouterA-GigabitEthernet1/0/2] igmp enable
    3) Configure Switch A
    # Enable IGMP snooping globally.
    system-view
    [SwitchA] igmp-snooping
    [SwitchA-igmp-snooping] quit
    # Create VLAN 10...

  • Page 437

    Total 1 multicast-vlan(s)
      Multicast vlan 10
        subvlan list: no subvlan
        port list: GE1/0/2  GE1/0/3  GE1/0/4
    # View the IGMP snooping multicast group information on Switch A.
    [SwitchA] display igmp-snooping group
      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC group(s).
      Port flags: D-dynamic ...

  • Page 438: Table of Contents

    Table of Contents: 1 MLD Snooping Configuration (1-1); MLD Snooping Overview ...

  • Page 439: Mld Snooping Configuration

    MLD snooping configuration. When configuring MLD snooping, go to these sections for information you are interested in: MLD snooping overview; MLD snooping configuration task list; Displaying and maintaining MLD snooping; MLD snooping configuration examples; Troubleshooting MLD snooping. ML...

  • Page 440

    Reducing Layer 2 broadcast packets, thus saving network bandwidth. Enhancing the security of multicast traffic. Facilitating the implementation of per-host accounting. Basic concepts in MLD snooping. MLD snooping related ports: as shown in Figure 1-2, Router A connects to the multicast sour...

  • Page 441

    Whenever mentioned in this document, a router port is a router-connecting port on the switch, rather than a port on a router. Unless otherwise specified, router/member ports mentioned in this document include static and dynamic ports. On an MLD snooping-enabled switch, the ports that recei...

  • Page 442

    General queries: the MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet. Upon receiving an MLD general query, the switch forwards it through all ports in the VLAN except the...

  • Page 443

    If the forwarding table entry does not exist, or if the outgoing port list does not contain the port, the switch discards the MLD done message instead of forwarding it to any port. If the forwarding table entry exists and the outgoing port list contains the port, the switch forwards the MLD d...

  • Page 444

    Task / Remarks, under configuring an MLD snooping policy: configuring an IPv6 multicast group filter (optional); configuring IPv6 multicast source port filtering (optional); configuring MLD report suppression (optional); configuring maximum multicast groups that can be joined on a port (optional); configuring IPv6 mu...

  • Page 445

    To do... / Use the command... / Remarks: enter VLAN view: vlan vlan-id; enable MLD snooping in the VLAN: mld-snooping enable (required; disabled by default). MLD snooping must be enabled globally before it can be enabled in a VLAN. When you enable MLD snooping in a specified VLAN, this function takes ...

  • Page 446

    Configure the corresponding port groups. Before configuring MLD snooping port functions, prepare the following data: the aging time of dynamic router ports, the aging timer of dynamic member ports, and the IPv6 multicast group and IPv6 multicast source addresses. Configuring aging timers for dynamic p...

  • Page 447

    Follow these steps to configure static ports (To do... / Use the command... / Remarks): enter system view: system-view; enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name (required; use either approach); configure ...

  • Page 448

    Follow these steps to configure simulated joining (To do... / Use the command... / Remarks): enter system view: system-view; enter Ethernet port/Layer 2 aggregate port view or port group view: interface interface-type interface-number, or port-group manual port-group-name (required; use either approach); conf...

  • Page 449

    Configuring fast leave processing on a port or a group of ports. Follow these steps to configure fast leave processing on a port or a group of ports (To do... / Use the command... / Remarks): enter system view: system-view; interface interface-type interface-number: enter Ethernet port/Layer 2 aggregat...

  • Page 450

    To do... / Use the command... / Remarks: enter system view: system-view; enter VLAN view: vlan vlan-id; enable the MLD snooping querier: mld-snooping querier (required; disabled by default). There is no point in configuring an MLD snooping querier in an IPv6 multicast network that already runs MLD (MLD routers elect as querier the device with the lowest source address on the link). Although an MLD s...
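The caveat given here for the MLD snooping querier, and on Page 409 for the IGMP snooping querier, follows from the querier election rule shared by IGMP and MLD: a device that hears a general query from a lower source address than its own stops acting as querier. The Python below is an added example written for this page, not H3C code, that models that rule with the standard ipaddress module. The device names and addresses are constructed; that a snooping querier queries from 0.0.0.0 unless a source is configured (the Page 423 example sets 192.168.1.1 explicitly) is an assumption of the example.

```python
import ipaddress


class QuerierCandidate:
    """A device sending general queries on one VLAN segment (an IGMP/MLD router
    or a snooping querier). Election rule: the lowest source address on the
    segment stays querier; every other candidate goes quiet."""

    def __init__(self, name: str, source: str):
        self.name = name
        self.source = ipaddress.ip_address(source)
        self.is_querier = True          # every candidate starts out querying

    def hear_general_query(self, source: str) -> bool:
        """Process a general query seen on the segment and report whether this
        device is still the querier afterwards."""
        other = ipaddress.ip_address(source)
        if other.version != self.source.version:
            raise ValueError("IGMP (IPv4) and MLD (IPv6) elections are separate")
        if other < self.source:
            self.is_querier = False
        return self.is_querier


def run_election(candidates):
    """Let every candidate hear every other candidate's general query and
    return the name of the single device left querying."""
    for c in candidates:
        for other in candidates:
            if other is not c:
                c.hear_general_query(str(other.source))
    survivors = [c.name for c in candidates if c.is_querier]
    if len(survivors) != 1:
        # Two candidates with the same address never yield to each other.
        raise RuntimeError(f"election did not converge: {survivors}")
    return survivors[0]


def elect(**name_to_source):
    """elect(RouterA="10.1.1.1", SwitchA="0.0.0.0") -> name of the querier."""
    return run_election([QuerierCandidate(n, s) for n, s in name_to_source.items()])


if __name__ == "__main__":
    # Constructed segment: the real IGMP router and a snooping querier
    # left at the assumed default source address.
    print(elect(RouterA="10.1.1.1", SwitchA="0.0.0.0"))        # SwitchA
    print(elect(RouterA="10.1.1.1", SwitchA="192.168.1.1"))    # RouterA
```

With the assumed default source the snooping querier beats any real router, which is the effect the manual warns about; any host that sends a general query from a low address on the segment has the same effect, so the query source address deserves the same scrutiny as the routers themselves.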

  • Page 451

    Configuring MLD queries and responses in a VLAN. Follow these steps to configure MLD queries and responses in a VLAN (To do... / Use the command... / Remarks): enter system view: system-view; enter VLAN view: vlan vlan-id; configure the MLD query interval: mld-snooping query-interval interval (optional; 125 s...

  • Page 452

    Configuring an MLD snooping policy. Configuration prerequisites: before configuring an MLD snooping policy, complete the following task: enable MLD snooping in the VLAN. Before configuring an MLD snooping policy, prepare the following data: the IPv6 ACL rule for IPv6 multicast group filtering; t...

  • Page 453

    To do... / Use the command... / Remarks: configure an IPv6 multicast group filter: mld-snooping group-policy acl6-number [ vlan vlan-list ] (required; by default, no group filter is configured on the current port, that is, hosts on this port can join any valid IPv6 multicast group). Configuring IPv6 mul...

  • Page 454

    Configuring MLD report suppression. When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 de...

  • Page 455

    When the number of IPv6 multicast groups a port has joined reaches the maximum number configured, the system deletes all the forwarding entries for that port from the MLD snooping forwarding table, and the hosts on this port need to join the IPv6 multicast groups again. If ...

  • Page 456

    Configuring IPv6 multicast group replacement on a port or a group of ports. Follow these steps to configure IPv6 multicast group replacement on a port or a group of ports (To do... / Use the command... / Remarks): enter system view: system-view; interface interface-type interface-number: enter Ethernet...
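The per-port policy described for IGMP snooping on Pages 411 to 415 and for MLD snooping on Pages 452 to 456 combines three controls: a group filter backed by an ACL, a ceiling on the number of groups a port may join, and optional replacement of an existing group when that ceiling is hit. The Python below is an added example, not H3C code, that models those controls for both address families with the ipaddress module. GroupAcl, SnoopingPort and the return strings are names invented for the example; that an ACL with no matching rule denies the group, and that replacement evicts the oldest entry, are assumptions, not behaviour the manual states. The sample rules and joins are constructed.

```python
import ipaddress


class GroupAcl:
    """Ordered permit/deny rules over group-address prefixes, first match wins,
    standing in for the ACL that group-policy references. default_action is
    applied when no rule matches (assumption: deny)."""

    def __init__(self, rules, default_action="deny"):
        self.rules = [(action, ipaddress.ip_network(prefix)) for action, prefix in rules]
        self.default_action = default_action

    def permits(self, group) -> bool:
        for action, net in self.rules:
            if group.version == net.version and group in net:
                return action == "permit"
        return self.default_action == "permit"


class SnoopingPort:
    """Member-port state: group filter, group limit and the overflow-replace
    switch from the policy tables. Works for IGMP (IPv4) and MLD (IPv6) groups."""

    def __init__(self, name, acl=None, max_groups=None, overflow_replace=False):
        self.name = name
        self.acl = acl
        self.max_groups = max_groups
        self.overflow_replace = overflow_replace
        self.groups = []                   # join order, oldest first

    def join(self, group: str) -> str:
        """Apply a membership report for `group`; return what happened to it."""
        g = ipaddress.ip_address(group)
        if not g.is_multicast:
            return "invalid"               # not a group address at all
        if self.acl is not None and not self.acl.permits(g):
            return "filtered"              # report dropped by the group filter
        if g in self.groups:
            return "refreshed"             # existing entry, aging timer restarted
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if not self.overflow_replace:
                return "rejected"          # limit reached, replacement disabled
            evicted = self.groups.pop(0)   # assumption: the oldest entry goes
            self.groups.append(g)
            return f"replaced {evicted}"
        self.groups.append(g)
        return "joined"

    def leave(self, group: str) -> bool:
        g = ipaddress.ip_address(group)
        if g in self.groups:
            self.groups.remove(g)
            return True
        return False


if __name__ == "__main__":
    # Constructed policy: only 224.1.1.0/24 and ff1e::/64 are allowed, two groups per port.
    acl = GroupAcl([("permit", "224.1.1.0/24"), ("permit", "ff1e::/64")])
    port = SnoopingPort("GE1/0/3", acl=acl, max_groups=2)
    for g in ("224.1.1.1", "225.1.1.1", "ff1e::101", "224.1.1.2"):
        print(g, "->", port.join(g))
```

The troubleshooting entry on Page 465 (an IPv6 ACL rule that is wrong) corresponds to a bad entry in `rules` here: a rule that permits the wrong prefix lets the group through and the host keeps receiving data for it. The model makes the no-match-means-deny assumption explicit; on the switch, confirm the live state with the display igmp-snooping group and display mld-snooping group commands shown in the configuration examples.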

  • Page 457

    MLD snooping configuration examples. Configuring IPv6 group policy and simulated joining. Network requirements: as shown in Figure 1-3, Router A connects to the IPv6 multicast source through GigabitEthernet 1/0/2 and to Switch A through GigabitEthernet 1/0/1. Router A is the MLD querier on the ...

  • Page 458

    [RouterA-GigabitEthernet1/0/2] pim ipv6 dm
    [RouterA-GigabitEthernet1/0/2] quit
    3) Configure Switch A
    # Enable MLD snooping globally.
    system-view
    [SwitchA] mld-snooping
    [SwitchA-mld-snooping] quit
    # Create VLAN 100, assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to this VLAN, and ena...

  • Page 459

      IP group address: FF1E::101
      (::, FF1E::101):
        Attribute: host port
        Host port(s): total 2 port.
          GE1/0/3 (D) (00:03:23)
          GE1/0/4 (D) (00:04:10)
    MAC group(s):
      MAC group address: 3333-0000-0101
        Host port(s): total 2 port.
          GE1/0/3  GE1/0/4
    As shown above, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4...
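The "IP group(s) ... match to one MAC group" lines in the display igmp-snooping group output (Page 418 and later) and in the display mld-snooping group output above come from the fixed mapping of a group address to an Ethernet multicast MAC. The Python below is an added example written for this page, not code from the manual or from H3C: it computes that mapping for IPv4 (RFC 1112, the low 23 bits of the group behind 01-00-5e) and IPv6 (RFC 2464, the low 32 bits behind 33-33), prints MACs in the switch's xxxx-xxxx-xxxx form, and reports which IP groups share one MAC group. The function names and the address list are constructed for the example.

```python
import ipaddress


def h3c_mac(mac: int) -> str:
    """Format a 48-bit MAC the way the switch prints it (xxxx-xxxx-xxxx)."""
    h = f"{mac:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ipv4_group_mac(group: str) -> str:
    """RFC 1112: 01-00-5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return h3c_mac(0x01005E000000 | (int(addr) & 0x7FFFFF))


def ipv6_group_mac(group: str) -> str:
    """RFC 2464: 33-33 followed by the low 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return h3c_mac(0x333300000000 | (int(addr) & 0xFFFFFFFF))


def group_mac(group: str) -> str:
    """Dispatch on address family; the switch keeps IGMP and MLD entries apart."""
    return ipv6_group_mac(group) if ":" in group else ipv4_group_mac(group)


def mac_groups(groups):
    """{MAC group: [IP groups that map to it]}, mirroring the display output's
    'IP group(s) ... match to one MAC group' relation."""
    table = {}
    for g in groups:
        table.setdefault(group_mac(g), []).append(g)
    return table


def colliding(groups):
    """MAC groups that more than one IP group maps to. Forwarding on the MAC
    entry alone cannot separate those streams, which is why the output lists
    IP groups and MAC groups separately."""
    return {mac: ips for mac, ips in mac_groups(groups).items() if len(ips) > 1}


if __name__ == "__main__":
    # Constructed sample: the groups used in the manual's querier examples plus
    # an administratively scoped group that lands on the same MAC.
    sample = ["224.1.1.1", "225.1.1.1", "239.1.1.1", "ff1e::101", "ff1e::102"]
    for mac, ips in mac_groups(sample).items():
        print(mac, "<-", ", ".join(ips))
```

Running the sample shows that 224.1.1.1, 225.1.1.1 and 239.1.1.1 all map to 0100-5e01-0101 (IPv4 loses 5 bits, so 32 groups share every MAC), while the two IPv6 groups get distinct MACs. The Page 422 querier example uses exactly 224.1.1.1 and 225.1.1.1 for two different sources, so that network is one where the IP-level entries, not the MAC entries, keep the streams apart.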

  • Page 460

    Network diagram. Figure 1-4 Network diagram for static port configuration: Source 1::1/64; Router A (MLD querier) with GE1/0/1 2001::1/64 and GE1/0/2 1::2/64; Switch A, Switch B and Switch C interconnected through their GE1/0/1, GE1/0/2 and GE1/0/3 ports; Host A, Host B and Host C, two of which are receivers...

  • Page 461

    [SwitchA-vlan100] quit
    # Configure GigabitEthernet 1/0/3 to be a static router port.
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] mld-snooping static-router-port vlan 100
    [SwitchA-GigabitEthernet1/0/3] quit
    4) Configure Switch B
    # Enable MLD snooping globally.
    System...

  • Page 462

    VLAN(ID): 100.
      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC group(s).
      Router port(s): total 2 port.
        GE1/0/1 (D) (00:01:30)
        GE1/0/3 (S)
      IP group(s): the following IP group(s) match to one MAC group.
        IP group address: FF1E::101
        (::, FF1E::101):
          Attribute: host port
          Host port(s): total 1 po...

  • Page 463

    MLD snooping querier configuration. Network requirements: as shown in Figure 1-5, in a Layer 2-only network environment, two multicast sources, Source 1 and Source 2, send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively; Host A and Host C are receivers of multicast g...

  • Page 464: Troubleshooting Mld Snooping

    [SwitchB] ipv6
    [SwitchB] mld-snooping
    [SwitchB-mld-snooping] quit
    # Create VLAN 100, add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 into VLAN 100.
    [SwitchB] vlan 100
    [SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/4
    # Enable the MLD snooping feature in VLAN 100.
    [Sw...

  • Page 465

    Configured IPv6 multicast group policy fails to take effect. Symptom: although an IPv6 multicast group policy has been configured to allow hosts to join specific IPv6 multicast groups, the hosts can still receive IPv6 multicast data addressed to other groups. Analysis: the IPv6 ACL rule is incor...

  • Page 466: Table of Contents

    Table of Contents: 1 IPv6 Multicast VLAN Configuration (1-1); Introduction to IPv6 Multicast VLAN ...

  • Page 467

    IPv6 multicast VLAN configuration. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in: Introduction to IPv6 multicast VLAN; IPv6 multicast VLAN configuration task list; Configuring sub-VLAN-based IPv6 multicast VLAN; Configuring port-based...

  • Page 468

    Figure 1-2 Sub-VLAN-based IPv6 multicast VLAN: the Source behind Router A (MLD querier); Switch A with user VLAN 2, VLAN 3 and VLAN 4 (receivers Host A, Host B and Host C) and VLAN 10 as the IPv6 multicast VLAN carrying the IPv6 multicast packets. After the configuration, MLD snooping manages router ports in the IPv6...

  • Page 469

    For information about MLD snooping, router ports, and member ports, refer to MLD Snooping Configuration in the IP Multicast volume. For information about VLAN tags, refer to VLAN Configuration in the Access volume. IPv6 multicast VLAN configuration task list: complete the following tasks to c...

  • Page 470

    To do… / Use the command… / Remarks: configure the specified VLAN(s) as sub-VLAN(s) of the IPv6 multicast VLAN: subvlan vlan-list (required; by default, an IPv6 multicast VLAN has no sub-VLANs). The VLAN to be configured as an IPv6 multicast VLAN must exist. The VLANs to be configured as the sub-VLAN...

  • Page 471

    To do... / Use the command... / Remarks: enter system view: system-view; enter port view or port group view: interface interface-type interface-number, or port-group manual port-group-name (required; use either approach); configure the user port link type as hybrid: port link-type hybrid (required; access by def...

  • Page 472

    Configuring IPv6 multicast VLAN ports in interface view or port group view. Follow these steps to configure IPv6 multicast VLAN ports in port view or port group view (To do… / Use this command… / Remarks): enter system view: system-view; configure the specified VLAN as an IPv6 multicast VLAN and enter IPv6...

  • Page 473

    Configure the sub-VLAN-based IPv6 multicast VLAN feature so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN, and Switch A forwards the traffic to the receivers that belong to different user VLANs. Figure 1-4 Network diagram for sub-VLAN-based IPv6 multic...

  • Page 474

    The configuration for VLAN 3 and VLAN 4 is similar to the configuration for VLAN 2.
    # Create VLAN 10, assign GigabitEthernet 1/0/1 to this VLAN and enable MLD snooping in the VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10]...

  • Page 475

      IP group(s): the following IP group(s) match to one MAC group.
        IP group address: FF1E::101
        (::, FF1E::101):
          Host port(s): total 1 port.
            GE1/0/3 (D)
      MAC group(s):
        MAC group address: 3333-0000-0101
          Host port(s): total 1 port.
            GE1/0/3
    VLAN(ID): 4.
      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC gr...

  • Page 476

    Switch A's GigabitEthernet 1/0/1 belongs to VLAN 10, GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 belong to VLAN 2 through VLAN 4 respectively, and Host A through Host C are attached to GigabitEthernet 1/0/2 through GigabitEthernet 1/0/4 of Switch A. The IPv6 multicast source sends i...

  • Page 477

    # Create VLAN 10, assign GigabitEthernet 1/0/1 to VLAN 10, and enable MLD snooping in this VLAN.
    [SwitchA] vlan 10
    [SwitchA-vlan10] port gigabitethernet 1/0/1
    [SwitchA-vlan10] mld-snooping enable
    [SwitchA-vlan10] quit
    # Create VLAN 2 and enable MLD snooping in the VLAN.
    [SwitchA] vlan 2
    [Switch...

  • Page 478

      Total 1 MAC group(s).
      Port flags: D-dynamic port, S-static port, C-copy port
      Subvlan flags: R-real VLAN, C-copy VLAN
    VLAN(ID): 10.
      Total 1 IP group(s).
      Total 1 IP source(s).
      Total 1 MAC group(s).
      Router port(s): total 1 port.
        GE1/0/1 (D)
      IP group(s): the following IP group(s) match to one MAC grou...

  • Page 479: Qos Volume Organization

    QoS Volume Organization. Manual version 20090930-C-1.01, product version Release 2202. Organization: the QoS volume is organized as follows (Features / Description). QoS: for network traffic, the quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. In a ...

  • Page 480: Table of Contents

    Table of Contents: 1 QoS Overview (1-1); Introduction to QoS ...

  • Page 481

    Configuration example (4-5); Displaying and maintaining traffic policing, GTS, and line rate (4-5); 5 Congestion Management Confi...

  • Page 482

    Uncolored priority mapping tables (11-2); Appendix C Introduction to packet precedences (11-3); IP precedence and DSCP values ...

  • Page 483: Qos Overview

    QoS overview. This chapter covers the following topics: Introduction to QoS; Introduction to QoS service models; QoS techniques overview. Introduction to QoS: for network traffic, the quality of service (QoS) involves bandwidth, delay, and packet loss rate during the traffic forwarding process. I...

  • Page 484: Qos Techniques Overview

    However, the IntServ model imposes extremely high requirements on devices. In a network with heavy data traffic, the IntServ model puts very great pressure on the storage and processing capabilities of devices. On the other hand, the IntServ model is poor in scalability, and therefor...

  • Page 485

    Congestion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of traffic by dropping packets.

  • Page 486: Qos Configuration Approaches

    QoS configuration approaches. This chapter covers the following topics: QoS configuration approach overview; Configuring a QoS policy. QoS configuration approach overview: two approaches are available for you to configure QoS: policy-based and non-policy-based. Some QoS features can be configu...

  • Page 487: Configuring A Qos Policy

    Configuring a QoS policy. Figure 2-1 shows how to configure a QoS policy. Figure 2-1 QoS policy configuration procedure. Defining a class: to define a class, you need to specify a name for it and then configure match criteria in class view. Follow these steps to define a class (To do… / Use the comma...

  • Page 489

    Form / Description: service-dot1p 8021p-list specifies to match packets by the 802.1p priority of the service provider network. The 8021p-list argument is a list of CoS values in the range of 0 to 7. Even though you can provide up to eight space-separated CoS values for this argument, the S5500-SI swit...

  • Page 490

    Defining a policy. In a policy, you can define multiple class-behavior associations. A behavior is performed for the associated class of packets. In this way, various QoS features can be implemented. Follow these steps to associate a class with a behavior in a policy (To do… / Use the command… / Rema...

  • Page 491

    To do… / Use the command… / Remarks: enter interface view: interface interface-type interface-number, or enter port group view: port-group manual port-group-name (use either command; settings in interface view take effect on the current interface, settings in port grou...

  • Page 492

    If a user profile is active, the QoS policy applied to it, except the ACLs referenced in the QoS policy, cannot be configured or removed. If the user profile is being used by online users, the referenced ACLs cannot be modified either. The QoS policies applied in user profile view support only t...


  • Page 494: Priority Mapping Overview

    Priority mapping configuration. When configuring priority mapping, go to these sections for information you are interested in: Priority mapping overview; Priority mapping configuration tasks; Configuring priority mapping; Displaying and maintaining priority mapping; Priority mapping confi...

  • Page 495

    The default priority mapping tables (as shown in Appendix B Default priority mapping tables) are available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority mapping table cannot meet your requirements, you can modify the priority mapping table as r...

  • Page 496

    Figure 3-1 Priority mapping procedure for an Ethernet packet: receive a packet on a port; check which priority is trusted on the port; if none, use the port priority as the 802.1p priority for priority mapping; look up the dot1p-dp and dot1p-lp mapping tables; mark the packet with local precedence and drop prece...

  • Page 497: Configuring Priority Mapping

    Task / Remarks: configuring a priority mapping table (optional); configuring the priority trust mode on a port (optional); configuring the port priority of a port (optional). Configuring priority mapping. Configuring a priority mapping table: follow these steps to configure an uncolored priority mapping table...

  • Page 498

    To do… / Use the command… / Remarks: trust the port priority: undo qos trust; display the priority trust mode configuration on the port: display qos trust interface [ interface-type interface-number ] (optional; available in any view). Configuring the port priority of a port: you can change the port priority...

  • Page 499

    Network requirements: as shown in Figure 3-2, the enterprise network of a company interconnects all departments through Device. The network is described as follows: the marketing department connects to GigabitEthernet 1/0/1 of Device, which sets the 802.1p priority of traffic from the marketin...

  • Page 500

    Figure 3-2 Network diagram for priority mapping table and priority marking configuration
    Configuration procedure
    1) Configure trusting port priority
    # Set the port priority of GigabitEthernet 1/0/1 to 3.
    system-view
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] qos prior...

  • Page 501

    3) Configure priority marking. # Mark the HTTP traffic of the management department, marketing department, and R&D department to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured above to map the 802.1p priorities to local precedence values 6,...

  • Page 502

    Traffic policing and line rate configuration. When configuring traffic policing and line rate, go to these sections for information you are interested in: Traffic policing and line rate overview; Configuring traffic policing; Configuring the line rate; Displaying and maintaining traffic po...

  • Page 503

    Complicated evaluation: you can set two token buckets (referred to as the C bucket and the E bucket respectively) in order to evaluate more complicated conditions and implement more flexible regulation policies. For example, traffic policing uses four parameters: CIR: rate at which tokens are put i...

  • Page 504: Configuring Traffic Policing

    Marking a conforming packet or a non-conforming packet with a new DSCP precedence value and forwarding the packet. Line rate: the line rate of a physical interface specifies the maximum rate for forwarding packets (including critical packets). Line rate also uses token buckets for traffic contr...

  • Page 505

    To do… / Use the command… / Remarks: create a behavior and enter behavior view: traffic behavior behavior-name; configure a traffic policing action: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ pir peak-information-rate ] [ green action ] [ red action ] [...
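The four parameters introduced on Page 503 (CIR, CBS, EBS, PIR) and the green, yellow and red actions of the car command above describe a two-bucket policer. The Python below is an added example written for this page; it is neither H3C code nor the switch's hardware algorithm. It models a C bucket filled at CIR up to CBS and an E bucket filled at PIR up to EBS, colors a packet green when the C bucket covers it, yellow when only the E bucket does, and red otherwise, and refills both buckets from the packet arrival timestamps. The exact refill and overflow behaviour of the switch is an assumption, and the bucket sizes and the packet trace are constructed.

```python
class TwoBucketPolicer:
    """Two-bucket policer with the manual's four parameters: the C bucket is
    filled at CIR up to CBS, the E bucket at PIR up to EBS (rates in kbit/s,
    depths in bytes). Both buckets start full."""

    def __init__(self, cir_kbps, cbs_bytes, pir_kbps, ebs_bytes):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must not be lower than CIR")
        self.cir_bps = cir_kbps * 125.0      # kbit/s -> bytes/s
        self.pir_bps = pir_kbps * 125.0
        self.cbs = float(cbs_bytes)
        self.ebs = float(ebs_bytes)
        self.c_tokens = self.cbs
        self.e_tokens = self.ebs
        self.last_ts = 0.0

    def _refill(self, now):
        dt = now - self.last_ts
        if dt < 0:
            raise ValueError("timestamps must not go backwards")
        self.last_ts = now
        self.c_tokens = min(self.cbs, self.c_tokens + dt * self.cir_bps)
        self.e_tokens = min(self.ebs, self.e_tokens + dt * self.pir_bps)

    def color(self, size_bytes, now):
        """Color one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if self.c_tokens >= size_bytes:
            self.c_tokens -= size_bytes
            return "green"                   # conforms to CIR/CBS
        if self.e_tokens >= size_bytes:
            self.e_tokens -= size_bytes
            return "yellow"                  # exceeds CIR, within PIR/EBS
        return "red"                         # out of profile; default action drops


def police(policer, packets):
    """Run a (timestamp, size) trace through the policer; return the per-packet
    colors and the per-color counts."""
    colors = [policer.color(size, ts) for ts, size in packets]
    counts = {c: colors.count(c) for c in ("green", "yellow", "red")}
    return colors, counts


# Constructed trace: a burst at t=0 that overruns CBS, then one second of quiet.
SAMPLE_TRACE = [(0.0, 1500), (0.0, 1500), (0.0, 800), (1.0, 1500)]

if __name__ == "__main__":
    # 8 kbit/s = 1000 B/s into a 2000 B C bucket; 16 kbit/s into a 1000 B E bucket.
    pol = TwoBucketPolicer(cir_kbps=8, cbs_bytes=2000, pir_kbps=16, ebs_bytes=1000)
    print(police(pol, SAMPLE_TRACE))
```

In the sample the first 1500-byte packet drains the C bucket to 500 bytes, the second finds neither bucket large enough and is red, the 800-byte packet fits the E bucket and is yellow, and after a one-second gap the C bucket has recovered 1000 bytes so the last packet is green again. Small CBS values make a policer drop short bursts of otherwise in-profile traffic, which is the usual reason a CAR rule looks too aggressive in practice.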

  • Page 506: Configuring The Line Rate

    Configuring the line rate. Configuration procedure: follow these steps to configure the line rate (To do… / Use the command… / Remarks): enter system view: system-view; enter interface view: interface interface-type interface-number, or enter port group view: port-group...

  • Page 507

    Congestion management configuration. When configuring hardware congestion management, go to these sections for information you are interested in: Congestion management overview; Congestion management configuration approaches; Configuring congestion management; Displaying and maintaining co...

  • Page 508

    ...queuing algorithm addresses a particular network traffic problem, and which algorithm is used affects bandwidth resource assignment, delay, and jitter significantly. The S5500-SI series support the following four queue scheduling methods: scheduling all queues with the strict priority (SP) algo...

  • Page 509

    Figure 5-3 Schematic diagram for WRR queuing. Assume there are eight output queues on a port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can configure the weight valu...

  • Page 510

    Short packets and long packets are fairly scheduled: if there are both long packets and short packets in queues, statistically the short packets should be scheduled preferentially to reduce the jitter between packets as a whole. Compared with FQ, WFQ takes weights into account when determining...
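Pages 508 to 510 describe SP scheduling, WRR with per-queue weights, and their combination (SP+WRR). The Python below is an added example written for this page, not H3C code: it simulates a port whose queues are either in a strict-priority group (served first, highest queue number first) or served by weighted round robin, one unit-sized packet per slot, and reports how many packets each queue got. It shows the weight proportions of WRR and the starvation that a saturated SP queue causes for everything below it. The backlogs and weights are constructed; the function names are the example's own.

```python
def sp_wrr_schedule(backlog, weights, sp_queues=(), budget=0):
    """Serve `budget` unit-sized packets from `backlog` ({queue: packets waiting}).
    Queues in sp_queues are strict priority (higher queue number first); the
    others get weights[q] packets per WRR round. Returns {queue: packets served}."""
    backlog = dict(backlog)
    served = {q: 0 for q in backlog}
    wrr_order = sorted(q for q in backlog if q not in sp_queues)
    if any(weights.get(q, 0) <= 0 for q in wrr_order):
        raise ValueError("every WRR queue needs a positive weight")
    credit = {q: 0 for q in wrr_order}     # packets a queue may still send this round
    idx = 0
    while budget > 0:
        pending_sp = [q for q in sorted(sp_queues, reverse=True) if backlog.get(q, 0) > 0]
        if pending_sp:
            q = pending_sp[0]              # SP: any waiting SP packet goes first
        else:
            if not any(backlog[q] > 0 for q in wrr_order):
                break                      # nothing left to send
            q = None
            for _ in range(len(wrr_order)):
                cand = wrr_order[idx % len(wrr_order)]
                if credit[cand] > 0 and backlog[cand] > 0:
                    q = cand
                    break
                idx += 1                   # queue empty or out of credit: move on
            if q is None:                  # round finished: refill credit, restart
                credit = {c: weights[c] for c in wrr_order}
                idx = 0
                continue
            credit[q] -= 1
        backlog[q] -= 1
        served[q] += 1
        budget -= 1
    return served


def bandwidth_share(served):
    """Fraction of the served packets each queue received."""
    total = sum(served.values())
    return {q: n / total for q, n in served.items()} if total else {}


if __name__ == "__main__":
    # Constructed: four saturated WRR queues with weights 1:2:3:4 ...
    wrr = sp_wrr_schedule({0: 100, 1: 100, 2: 100, 3: 100},
                          {0: 1, 1: 2, 2: 3, 3: 4}, budget=100)
    print("WRR only:", wrr, bandwidth_share(wrr))
    # ... and the same queues next to a saturated SP queue 7.
    mixed = sp_wrr_schedule({7: 100, 0: 100, 1: 100, 2: 100, 3: 100},
                            {0: 1, 1: 2, 2: 3, 3: 4}, sp_queues=(7,), budget=100)
    print("SP+WRR:", mixed)
```

With only WRR the shares track the weights exactly (10, 20, 30 and 40 packets out of 100). Adding a saturated SP queue gives it all 100 slots and the WRR queues nothing, so traffic that can be marked into the SP queue by an untrusted source (a host whose 802.1p tag is trusted, for instance) can starve every other queue on the port; the SP+WRR combination limits that risk only if the SP group is fed from trusted markings.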

  • Page 511

    Task / Remarks: configuring WFQ queuing (optional); configuring SP+WRR queues (optional). Configuring congestion management. Configuring SP queuing. Configuration procedure: follow these steps to configure SP queuing (To do… / Use the command… / Remarks): enter system view: system-view; enter interface view: inter...

  • Page 512

    To do… / Use the command… / Remarks: enter interface view: interface interface-type interface-number, or enter port group view: port-group manual port-group-name (use either command; settings in interface view take effect on the current interface, settings in port grou...

  • Page 513

    To do… / Use the command… / Remarks: enter port group view: port-group manual port-group-name (settings in port group view take effect on all ports in the port group); enable WFQ queuing: qos wfq (required; by default, all the ports adopt the WRR queue scheduling algorithm, with the weight value...

  • Page 514

    To do… / Use the command… / Remarks: enter interface view: interface interface-type interface-number, or enter port group view: port-group manual port-group-name (use either command; settings in interface view take effect on the current interface, settings in port grou...

  • Page 515

    5-9 displaying and maintaining congestion management to do… use the command… remarks display wrr queue configuration information display qos wrr interface [ interface-type interface-number ] display sp queue configuration information display qos sp interface [ interface-type interface-number ] displ...

  • Page 516: Traffic Filtering Overview

    6-1 6 traffic filtering configuration when configuring traffic filtering, go to these sections for information you are interested in: z traffic filtering overview z configuring traffic filtering z traffic filtering configuration example traffic filtering overview you can filter in or filter out a cl...

  • Page 517

    6-2 to do… use the command… remarks display the traffic filtering configuration display traffic behavior user-defined [ behavior-name ] optional available in any view with filter deny configured for a traffic behavior, the other actions (except class-based accounting) in the traffic behavior do not ...

  • Page 518

    6-3 # apply the policy named policy to the incoming traffic of gigabitethernet 1/0/1. [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] qos apply policy policy inbound.

  • Page 519: Priority Marking Overview

    7-1 7 priority marking configuration when configuring priority marking, go to these sections for information you are interested in: z priority marking overview z configuring priority marking z priority marking configuration example priority marking overview priority marking can be used together with...

  • Page 520

    7-2 to do… use the command… remarks set the ip precedence for packets remark ip-precedence ip-precedence-value optional set the local precedence for packets remark local-precedence local-precedence optional exit behavior view quit — create a policy and enter policy view qos policy policy-name — asso...

  • Page 521

    7-3 figure 7-1 network diagram for priority marking configuration internet host a host b device data server 192.168.0.1/24 mail server 192.168.0.2/24 file server 192.168.0.3/24 ge1/0/1 ge1/0/2 configuration procedure # create advanced acl 3000, and configure a rule to match packets with destination ...

  • Page 522

    7-4 [device] traffic behavior behavior_dbserver [device-behavior-behavior_dbserver] remark local-precedence 4 [device-behavior-behavior_dbserver] quit # create a behavior named behavior_mserver, and configure the action of setting the local precedence value to 3 for the behavior. [device] traffic be...

  • Page 523: Traffic Redirecting Overview

    8-1 8 traffic redirecting configuration when configuring traffic redirecting, go to these sections for information you are interested in: z traffic redirecting overview z configuring traffic redirecting traffic redirecting overview traffic redirecting traffic redirecting is the action of redirecting...

  • Page 524

    8-2 to do… use the command… remarks exit policy view quit — to an interface applying the qos policy to an interface — apply the qos policy to a vlan applying the qos policy to a vlan — z generally, the action of redirecting traffic to the cpu, the action of redirecting traffic to an interface, and t...

  • Page 525: Traffic Mirroring Overview

    9-1 9 traffic mirroring configuration when configuring traffic mirroring, go to these sections for information you are interested in: z traffic mirroring overview z configuring traffic mirroring z displaying and maintaining traffic mirroring z traffic mirroring configuration examples traffic mirrori...

  • Page 526

    9-2 to do… use the command… remarks specify the destination interface for traffic mirroring mirror-to interface interface-type interface-number required exit behavior view quit — create a policy and enter policy view qos policy policy-name — associate the class with the traffic behavior in the qos p...

  • Page 527

    9-3 to do… use the command… remarks display qos policy configuration information display qos policy user-defined [ policy-name [ classifier tcl-name ]] available in any view traffic mirroring configuration examples example for mirroring traffic to an interface network requirements on the network as ...

  • Page 528

    9-4 [sysname] qos policy 1 [sysname-policy-1] classifier 1 behavior 1 [sysname-policy-1] quit # apply the qos policy to the incoming traffic of gigabitethernet 1/0/1. [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] qos apply policy 1 inbound after the configurations, you can ...

  • Page 529

    10-1 10 class-based accounting configuration when configuring class-based accounting, go to these sections for information you are interested in: z class-based accounting overview z configuring class-based accounting z displaying and maintaining traffic accounting z class-based accounting configurat...

  • Page 530

    10-2 displaying and maintaining traffic accounting after completing the configuration above, you can verify the configuration with the display qos policy interface, or display qos vlan-policy command depending on the occasion where the qos policy is applied. Class-based accounting configuration exam...

  • Page 531

    10-3 # display traffic statistics to verify the configuration. [devicea] display qos policy interface gigabitethernet 1/0/1 interface: gigabitethernet1/0/1 direction: inbound policy: policy classifier: classifier_1 operator: and rule(s) : if-match acl 2000 behavior: behavior_1 accounting enable: 58 ...

  • Page 532: Appendix

    11-1 11 appendix this chapter covers the following appendixes: z appendix a acronym z appendix b default priority mapping tables z appendix c introduction to packet precedences appendix a acronym table 11-1 appendix a acronym acronym full spelling af assured forwarding be best effort car committed a...

  • Page 533

    11-2 acronym full spelling pe provider edge phb per-hop behavior pir peak information rate pq priority queuing qos quality of service red random early detection rsvp resource reservation protocol rtp real time protocol sla service level agreement te traffic engineering tos type of service tp traffic...

  • Page 534

    11-3 input priority value dot1p-lp mapping dot1p-dp mapping 2 1 0 3 3 0 4 4 0 5 5 0 6 6 0 7 7 0 table 11-3 the default dscp-lp, dscp-dp, dscp-dot1p, and dscp-exp priority mapping tables input priority value dscp-dp mapping dscp-dot1p mapping dscp drop precedence (dp) 802.1p priority (dot1p) 0 to 7 0...

  • Page 535

    11-4 table 11-4 description on ip precedence ip precedence (decimal) ip precedence (binary) description 0 000 routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash-override 5 101 critical 6 110 internet 7 111 network table 11-5 description on dscp values dscp value (decimal) dscp value (bin...

  • Page 536

    11-5 802.1p priority 802.1p priority lies in layer 2 packet headers and is applicable to occasions where layer 3 header analysis is not needed and qos must be assured at layer 2. Figure 11-2 an ethernet frame with an 802.1q tag header as shown in figure 11-2 , the 4-byte 802.1q tag header consists o...

  • Page 537: Table of Contents

    I table of contents 1 user profile configuration ························································································································1-1 user profile overview ·········································································································...

  • Page 538: User Profile Configuration

    1-1 1 user profile configuration when configuring user profile, go to these sections for information you are interested in: z user profile overview z user profile configuration z displaying and maintaining user profile user profile overview user profile provides a configuration template to save pred...

  • Page 539

    1-2 creating a user profile configuration prerequisites before creating a user profile, you need to configure authentication parameters. User profile supports 802.1x authentications. You need to perform the related configurations (for example, username, password, authentication scheme, domain and bi...

  • Page 540

    1-3 z when a user profile is active, you cannot configure or remove the qos policy applied to it. Z the qos policies applied in user profile view support only the remark, car, and filter actions. Z do not apply an empty qos policy in user profile view, because even if you can do that, the user profi...

  • Page 541: Security Volume Organization

    Security volume organization manual version 20090930-c-1.01 product version release 2202 organization the security volume is organized as follows: features description aaa authentication, authorization and accounting (aaa) provide a uniform framework used for configuring these three security functio...

  • Page 542

    Features description port security port security is a mac address-based security mechanism for network access controlling. It is an extension to the existing 802.1x authentication and mac authentication. This document describes: z enabling port security z setting the maximum number of secure mac add...

  • Page 543: Table of Contents

    I table of contents 1 aaa configuration ····································································································································1-1 introduction to aaa ········································································································...

  • Page 544

    Ii specifying the hwtacacs authorization servers·······································································1-32 specifying the hwtacacs accounting servers ··········································································1-33 setting the shared key for hwtacacs packets···········...

  • Page 545: Aaa Configuration

    1-1 1 aaa configuration when configuring aaa, go to these sections for information you are interested in: z introduction to aaa z introduction to radius z introduction to hwtacacs z protocols and standards z aaa configuration task list z configuring aaa z configuring radius z configuring hwtacacs z ...

  • Page 546: Introduction to Radius

    1-2 requirements. For example, you can use the hwtacacs server for authentication and authorization, and the radius server for accounting. The three security functions are described as follows: z authentication: identifies remote users and judges whether a user is legal. Z authorization: grants diff...

  • Page 547

    1-3 figure 1-2 radius server components z users: stores user information such as the usernames, passwords, applied protocols, and ip addresses. Z clients: stores information about radius clients, such as the shared keys and ip addresses. Z dictionary: stores information about the meanings of radius ...

  • Page 548

    1-4 the following is how radius operates: 1) the host initiates a connection request carrying the username and password to the radius client. 2) having received the username and password, the radius client sends an authentication request (access-request) to the radius server, with the user password ...

  • Page 549

    1-5 table 1-1 main values of the code field code packet type description 1 access-request from the client to the server. A packet of this type carries user information for the server to authenticate the user. It must contain the user-name attribute and can optionally contain the attributes of nas-ip...

  • Page 550

    1-6 table 1-2 radius attributes no. Attribute no. Attribute 1 user-name 45 acct-authentic 2 user-password 46 acct-session-time 3 chap-password 47 acct-input-packets 4 nas-ip-address 48 acct-output-packets 5 nas-port 49 acct-terminate-cause 6 service-type 50 acct-multi-session-id 7 framed-protocol 51...

  • Page 551

    1-7 no. Attribute no. Attribute 36 login-lat-group 83 tunnel-preference 37 framed-appletalk-link 84 arap-challenge-response 38 framed-appletalk-network 85 acct-interim-interval 39 framed-appletalk-zone 86 acct-tunnel-packets-lost 40 acct-status-type 87 nas-port-id 41 acct-delay-time 88 framed-pool 4...

  • Page 552: Introduction to Hwtacacs

    1-8 introduction to hwtacacs hw terminal access controller access control system (hwtacacs) is an enhanced security protocol based on tacacs (rfc 1492). Similar to radius, it uses a client/server model for information exchange between nas and hwtacacs server. Hwtacacs is mainly used to provide aaa s...

  • Page 553

    1-9 figure 1-6 basic message exchange process of hwtacacs for a telnet user host hwtacacs client hwtacacs server 1) the user logs in 2) start-authentication packet 3) authentication response requesting the username 4) request for username 5) the user inputs the username 6) authentication continuance...

  • Page 554: Protocols and Standards

    1-10 12) the hwtacacs client sends the user authorization request packet to the hwtacacs server. 13) the hwtacacs server sends back the authorization response, indicating that the user is authorized now. 14) knowing that the user is now authorized, the hwtacacs client pushes the configuration interf...

  • Page 555

    1-11 aaa configuration task list task remarks creating an isp domain required configuring isp domain attributes optional configuring aaa authentication methods for an isp domain required for local authentication, refer to configuring local user attributes . For radius authentication, refer to config...

  • Page 556: Configuring Aaa

    1-12 hwtacacs configuration task list task remarks creating a hwtacacs scheme required specifying the hwtacacs authentication servers required specifying the hwtacacs authorization servers optional specifying the hwtacacs accounting servers optional setting the shared key for hwtacacs packets requir...

  • Page 557

    1-13 for the nas, each user belongs to an isp domain. Up to 16 isp domains can be configured on a nas. If a user does not provide the isp domain name, the system considers that the user belongs to the default isp domain. Follow these steps to create an isp domain: to do… use the command… remarks ent...

  • Page 558

    1-14 a self-service radius server, for example, imc, is required for the self-service server localization function to work. With the self-service function, a user can manage and control his or her accounting information or card number. A server with self-service software is a self-service server. Co...

  • Page 560

    1-16 authorization can work only after radius authentication is successful, and the authorization information is carried in the access-accept message. Hwtacacs authorization is separate from hwtacacs authentication, and the authorization information is carried in the authorization response after suc...

  • Page 561

    1-17 z the authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specific access mode. Z radius authorization is special in that it takes effect only when the radius authorization scheme is the same as the radius auth...

  • Page 562

    1-18 follow these steps to configure aaa accounting methods for an isp domain: to do… use the command… remarks enter system view system-view — create an isp domain and enter isp domain view domain isp-name required enable the accounting optional feature accounting optional optional disabled by defau...

  • Page 563

    1-19 z with the accounting optional command configured, a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails. Z the local accounting is not used for accounting implementation, but tog...

  • Page 565

    1-21 z local authentication checks the service types of a local user. If the service types are not available, the user cannot pass authentication. Z in the authentication method that requires the username and password, including local authentication, radius authentication and hwtacacs authentication...

  • Page 567

    1-23 when there are users online, you cannot modify radius parameters other than the retransmission ones and the timers. Creating a radius scheme before performing other radius configurations, follow these steps to create a radius scheme and enter radius scheme view: to do… use the command… remarks ...

  • Page 568

    1-24 z it is recommended to specify only the primary radius authentication/authorization server if backup is not required. Z if both the primary and secondary authentication/authorization servers are specified, the secondary one is used when the primary one is unreachable. Z in practice, you may spe...

  • Page 569

    1-25 z it is recommended to specify only the primary radius accounting server if backup is not required. Z if both the primary and secondary accounting servers are specified, the secondary one is used when the primary one is not reachable. Z in practice, you can specify two radius servers as the pri...

  • Page 570

    1-26 to retransmit the radius request. If the number of transmission attempts exceeds the specified limit but it still receives no response, it considers that the authentication has failed. Follow these steps to set the upper limit of radius request retransmission attempts: to do… use the command… r...

  • Page 571

    1-27 when both the primary and secondary servers are available, the device sends request packets to the primary server. Once the primary server fails, the primary server turns into the state of block, and the device turns to the secondary server. In this case: z if the secondary server is available,...

  • Page 573

    1-29 z primary server quiet timer (timer quiet): if the primary server is not reachable, its state changes to blocked, and the device will turn to the specified secondary server. If the secondary server is reachable, the device starts this timer and communicates with the secondary server. After this...

  • Page 574

    1-30 this task allows you to configure the ip address of a security policy server. If the security policy server and the radius server reside on the same host, you can omit this task. When the device receives a control packet from the security policy server, it checks whether the source ip address o...

  • Page 576

    1-32 to do… use the command… remarks specify the primary hwtacacs authentication server primary authentication ip-address [ port-number ] specify the secondary hwtacacs authentication server secondary authentication ip-address [ port-number ] required configure at least one of the commands no authen...

  • Page 577

    1-33 z it is recommended to specify only the primary hwtacacs authorization server if backup is not required. Z if both the primary and secondary authorization servers are specified, the secondary one is used when the primary one is not reachable. Z the ip addresses of the primary and secondary auth...

  • Page 578

    1-34 setting the shared key for hwtacacs packets when using a hwtacacs server as an aaa server, you can set a key to secure the communications between the device and the hwtacacs server. The hwtacacs client and hwtacacs server use the md5 algorithm to encrypt packets exchanged between them and a sha...

  • Page 579

    1-35 z if a hwtacacs server does not support a username with the domain name, you can configure the device to remove the domain name before sending the username to the server. Z the nas-ip command in hwtacacs scheme view is only for the current hwtacacs scheme, while the hwtacacs nas-ip command in s...

  • Page 581

    1-37 [switch] hwtacacs scheme hwtac [switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 [switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 [switch-hwtacacs-hwtac] primary accounting 10.1.1.1 49 [switch-hwtacacs-hwtac] key authentication expert [switch-hwtacacs-hwtac] key authorization ...

  • Page 582

    1-38 figure 1-8 configure aaa by separate servers for telnet users configuration procedure # configure the ip addresses of various interfaces (omitted). # enable the telnet server on the switch. System-view [switch] telnet server enable # configure the switch to use aaa for telnet users. [switch] us...

  • Page 583

    1-39 [switch-isp-bbb] quit # configure the default aaa methods for all types of users. [switch] domain bbb [switch-isp-bbb] authentication default local [switch-isp-bbb] authorization default hwtacacs-scheme hwtac [switch-isp-bbb] accounting default radius-scheme imc when telnetting into the switch, ...

  • Page 584

    1-40 z specify the ports for authentication and accounting as 1812 and 1813 respectively z select device management service as the service type z select h3c as the access device type z select the access device from the device list or manually add the device with the ip address of 10.1.1.2 z click ok...

  • Page 585

    1-41 figure 1-11 add an account for device management 2) configure the switch # configure the ip address of vlan interface 2, through which the ssh user accesses the switch. System-view [switch] interface vlan-interface 2 [switch-vlan-interface2] ip address 192.168.1.70 255.255.255.0 [switch-vlan-in...

  • Page 586: Troubleshooting Aaa

    1-42 [switch-radius-rad] primary authentication 10.1.1.1 1812 [switch-radius-rad] primary accounting 10.1.1.1 1813 [switch-radius-rad] key authentication expert [switch-radius-rad] key accounting expert [switch-radius-rad] user-name-format with-domain [switch-radius-rad] quit # configure the aaa met...

  • Page 587

    1-43 4) the port numbers of the radius server for authentication, authorization and accounting are being used by other applications. Solution: check that: 1) the communication links between the nas and the radius server work well at both physical and link layers. 2) the ip address of the radius serv...

  • Page 588: Table of Contents

    I table of contents 1 802.1x configuration·································································································································1-1 802.1x overview··············································································································...

  • Page 589: 802.1X Configuration

    1-1 1 802.1x configuration when configuring 802.1x, go to these sections for information you are interested in: z 802.1x overview z configuring 802.1x z configuring an 802.1x guest vlan z configuring an auth-fail vlan z displaying and maintaining 802.1x z 802.1x configuration example z guest vlan an...

  • Page 590

    1-2 architecture of 802.1x 802.1x operates in the typical client/server model and defines three entities: client, device, and server, as shown in figure 1-1 . Figure 1-1 architecture of 802.1x z client: an entity to be authenticated by the device residing on the same lan. A client is usually a user-...

  • Page 591

    1-3 authorized state and unauthorized state the device uses the authentication server to authenticate a client trying to access the lan and controls the status of the controlled port depending on the authentication result, putting the controlled port in the authorized state or unauthorized state, as...

  • Page 592

    1-4 figure 1-3 eapol frame format z pae ethernet type: protocol type. It takes the value 0x888e. Z protocol version: version of the eapol protocol supported by the eapol frame sender. Z type: type of the eapol frame. Table 1-1 lists the types that the device currently supports. Table 1-1 types of ea...

  • Page 593

    1-5 figure 1-5 format of the data field in an eap request/response packet z identifier: allows matching of responses with requests. Z length: length of the eap packet, including the code, identifier, length, and data fields, in bytes. Z data: content of the eap packet. This field is zero or more byt...

  • Page 594

    1-6 unsolicited triggering of a client a client initiates authentication by sending an eapol-start frame to the device. The destination address of the frame is 01-80-c2-00-00-03, the multicast address specified by the ieee 802.1x protocol. Some devices in the network may not support multicast packet...

  • Page 595

    1-7 figure 1-8 message exchange in eap relay mode eapol eapor eapol-start eap-request / identity eap-response / identity eap-request / md5 challenge eap-success eap-response / md5 challenge radius access-request (eap-response / identity) radius access-challenge (eap-request / md5 challenge) radius a...

  • Page 596

    1-8 9) when receiving the radius access-request packet, the radius server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends to the device a radius access-accept packet. 10...

  • Page 597

    1-9 figure 1-9 message exchange in eap termination mode eapol eapor eapol-start eap-request / identity eap-response / identity eap-request / md5 challenge eap-success eap-response / md5 challenge handshake request [ eap-request / identity ] handshake response [ eap-response / identity ] eapol-logoff...

  • Page 598

    1-10 z handshake timer (handshake-period): after a client passes authentication, the device sends to the client handshake requests at this interval to check whether the client is online. If the device receives no response after sending the allowed maximum number of handshake requests, it considers t...

  • Page 599

    1-11 the assigned vlan neither changes nor affects the configuration of a port. However, as the assigned vlan has higher priority than the initial vlan of the port, it is the assigned vlan that takes effect after a user passes authentication. After the user goes offline, the port returns to the init...

  • Page 600

    1-12 if a user of a port in the guest vlan initiates the authentication process but fails the authentication, the device will add the user to the auth-fail vlan configured for the port, if any. If no auth-fail vlan is configured, the device will keep the user in the guest vlan. If a user of ...

  • Page 601: Configuring 802.1X

    1-13 command. If the device does not receive any response from an online user after the device has sent the handshake packet for the maximum number of times, which is set by the dot1x retry command, the device will set the user state to offline. The online user handshake security function helps prev...

  • Page 603

    1-15 will take effect instead of that specified on the device. The re-authentication interval assignment varies by server type. Refer to the specific authentication server implementation for further details. Configuring 802.1x for a port enabling 802.1x for a port follow these steps to enable 802.1x...

  • Page 604

    1-16 information about the user-name-format command, refer to aaa commands in the security volume. Z if the username of a client contains the version number or one or more blank spaces, you can neither retrieve information nor disconnect the client by using the username. However, you can use items s...

  • Page 605

    1-17 to do… use the command… remarks dot1x guest-vlan vlan-id z different ports can be configured with different guest vlans, but a port can be configured with only one guest vlan. Z if you configure both 802.1x authentication and mac authentication on a port and specify an mgv for each authenticati...

  • Page 606: 802.1X Configuration Example

    1-18 to do… use the command… remarks enter system view system-view — enter ethernet interface view interface interface-type interface-number — configure the auth-fail vlan for the port dot1x auth-fail vlan authfail-vlan-id required by default, a port is configured with no auth-fail vlan. Z different...

  • Page 607

    1-19 z set the shared key for the device to exchange packets with the authentication server as name, and that for the device to exchange packets with the accounting server as money. Z specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the radius server...

  • Page 608

    1-20 [device-radius-radius1] primary accounting 10.1.1.2 # configure the ip addresses of the secondary authentication and accounting radius servers. [device-radius-radius1] secondary authentication 10.1.1.2 [device-radius-radius1] secondary accounting 10.1.1.1 # specify the shared key for the device...

  • Page 609

    1-21 guest vlan and vlan assignment configuration example network requirements as shown in figure 1-11 : z a host is connected to port gigabitethernet 1/0/2 of the device and must pass 802.1x authentication to access the internet. Gigabitethernet 1/0/2 is in vlan 1. Z the authentication server runs ...

  • Page 610

    1-22 figure 1-12 network diagram with the port in the guest vlan figure 1-13 network diagram when the client passes authentication configuration procedure z the following configuration procedure uses many aaa/radius commands. For detailed configuration of these commands, refer to aaa configuration i...

  • Page 611

    1-23 [device-radius-2000] primary authentication 10.11.1.1 1812 [device-radius-2000] primary accounting 10.11.1.1 1813 [device-radius-2000] key authentication abc [device-radius-2000] key accounting abc [device-radius-2000] user-name-format without-domain [device-radius-2000] quit # configure authen...

  • Page 612

    1-24 z enable 802.1x authentication on port gigabitethernet 1/0/1 of the device, and configure acl 3000. After the host passes 802.1x authentication, the radius server assigns acl 3000 to port gigabitethernet 1/0/1. As a result, the host can access the internet but cannot access the ftp server, whos...

  • Page 613

    1-25 pinging 10.0.0.1 with 32 bytes of data: request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.0.1: packets: sent = 4, received = 0, lost = 4 (100% loss) c:\>.

  • Page 614: Ead Fast Deployment Overview

    2-1 2 802.1x-based ead fast deployment configuration when configuring ead fast deployment, go to these sections for information you are interested in: z ead fast deployment overview z configuring ead fast deployment z displaying and maintaining ead fast deployment z ead fast deployment configuration...

  • Page 615

    2-2 configuring ead fast deployment currently, mac authentication and port security cannot work together with ead fast deployment. Once mac authentication or port security is enabled globally, the ead fast deployment is disabled automatically. Configuration prerequisites z enable 802.1x globally. Z ...

  • Page 616

    2-3 configuring the ie redirect url follow these steps to configure the ie redirect url: to do… use the command… remarks enter system view system-view — configure the ie redirect url dot1x url url-string required no redirect url is configured by default. The redirect url and the freely accessible ne...

  • Page 617

    2-4 ead fast deployment configuration example network requirements as shown in figure 2-1 , the host is connected to the device, and the device is connected to the freely accessible network segment and outside network. It is required that: z before successful 802.1x authentication, the host using ie ...

  • Page 618

    2-5 c:\>ping 192.168.2.3 pinging 192.168.2.3 with 32 bytes of data: reply from 192.168.2.3: bytes=32 time reply from 192.168.2.3: bytes=32 time reply from 192.168.2.3: bytes=32 time reply from 192.168.2.3: bytes=32 time ping statistics for 192.168.2.3: packets: sent = 4, received = 4, lost = 0 (0% l...

  • Page 619: Table of Contents

    I table of contents 1 habp configuration ··································································································································1-1 introduction to habp·········································································································...

  • Page 620: Habp Configuration

    1-1 1 habp configuration when configuring habp, go to these sections for the information you are interested in: z introduction to habp z configuring habp z displaying and maintaining habp z habp configuration example introduction to habp the hw authentication bypass protocol (habp) is used to enable...

  • Page 621: Configuring Habp

    1-2 Figure 1-1 Network diagram for HABP application (labels: Internet, Switch B, Switch C, authenticator, supplicant, Switch A, supplicant, supplicant, Switch D, Switch E, authentication server). HABP is a link layer protocol that works above the MAC layer. It is built on the client-server model. Generally, the HABP ser...

  • Page 622: Habp Configuration Example

    1-3 To do… | Use the command… | Remarks. Configure HABP to work in server mode: habp server vlan vlan-id (required; HABP works in client mode by default). Set the interval to send HABP requests: habp timer interval (optional; 20 seconds by default). Configuring an HABP client: configure the HABP client function on...

  • Page 623

    1-4 Figure 1-2 Network diagram for HABP configuration. Configuration procedure: 1) Configure Switch A. # Enable HABP. system-view [SwitchA] habp enable # Configure HABP to work in server mode, allowing HABP packets to be transmitted in VLAN 2. [SwitchA] habp server vlan 2 # Set the interval to send HAB...

  • Page 624: Table of Contents

    I Table of Contents: 1 MAC Authentication Configuration 1-1; MAC Authentication Overview...

  • Page 625: Mac Authentication Overview

    1-1 1 MAC Authentication Configuration. When configuring MAC authentication, go to these sections for information you are interested in: • MAC Authentication Overview • Related Concepts • Configuring MAC Authentication • Displaying and Maintaining MAC Authentication • MAC Authentication Configuration...

  • Page 626: Related Concepts

    1-2 Related Concepts. MAC authentication timers: the following timers function in the process of MAC authentication: • Offline detect timer: at this interval, the device checks to see whether there is traffic from a user. Once detecting that there is no traffic from a user within this interval, the de...

  • Page 627

    1-3 ACL assigning: ACLs assigned by an authorization server are referred to as authorization ACLs, which are designed to control access to network resources. If the RADIUS server is configured with authorization ACLs, the device will permit or deny data flows traversing through the port through which...

  • Page 628: Configuring A Guest Vlan

    1-4 To do… | Use the command… | Remarks. Set the quiet timer: mac-authentication timer quiet quiet-value (optional; 60 seconds by default). Set the server timeout timer: mac-authentication timer server-timeout server-timeout-value (optional; 100 seconds by default). Configure the username and password for MAC auth...

  • Page 629

    1-5 • Different ports can be configured with different guest VLANs, but a port can be configured with only one guest VLAN. • If you configure both the 802.1X authentication MGV and the MAC authentication MGV on a port, only the 802.1X authentication MGV will take effect. For description on 802.1X au...

  • Page 630

    1-6 Configuration procedure: 1) Configure MAC authentication on the device. # Add a local user, setting the username and password as 00-e0-fc-12-34-56, the MAC address of the user. system-view [Device] local-user 00-e0-fc-12-34-56 [Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56 [Dev...

  • Page 631

    1-7 MAC address authentication is enabled Authenticate success: 1, failed: 0 Current online user number is 1 MAC Addr Authenticate State Auth Index 00e0-fc12-3456 MAC_AUTHENTICATOR_SUCCESS 29. RADIUS-based MAC authentication configuration example. Network requirements: as illustrated in Figure 1-2, a ...

  • Page 632

    1-8 [Device-radius-2000] quit # Specify the AAA schemes for the ISP domain. [Device] domain 2000 [Device-isp-2000] authentication default radius-scheme 2000 [Device-isp-2000] authorization default radius-scheme 2000 [Device-isp-2000] accounting default radius-scheme 2000 [Device-isp-2000] quit # Ena...

  • Page 633

    1-9 ACL assignment configuration example. Network requirements: as shown in Figure 1-3, a host is connected to port GigabitEthernet 1/0/1 of the switch and must pass MAC authentication to access the Internet. • Specify to use the MAC address of a user as the username and password for MAC authenticati...

  • Page 634

    1-10 # Create an ISP domain and specify the AAA schemes. [Sysname] domain 2000 [Sysname-isp-2000] authentication default radius-scheme 2000 [Sysname-isp-2000] authorization default radius-scheme 2000 [Sysname-isp-2000] accounting default radius-scheme 2000 [Sysname-isp-2000] quit # Configure ACL 300...

  • Page 635: Table of Contents

    I Table of Contents: 1 Portal Configuration 1-1; Portal Overview...

  • Page 636: Portal Configuration

    1-1 1 Portal Configuration. When configuring portal, go to these sections for information you are interested in: • Portal Overview • Portal Configuration Task List • Displaying and Maintaining Portal • Portal Configuration Examples • Troubleshooting Portal. Portal overview: this section covers these to...

  • Page 637

    1-2 • Resource access limit: a user passing identity authentication can access only network resources like the anti-virus server or OS patch server, which are called the restricted resources. Only users passing security authentication can access more network resources, which are called the unrestric...

  • Page 638

    1-3 Security policy server: a server that interacts with portal clients and access devices for security authentication and resource authorization. The above five components interact in the following procedure: 1) When an unauthenticated user enters a website address in the address bar of the IE to acce...

  • Page 639

    1-4 ...authentication. This solves the problem of IP address planning and allocation and proves to be useful. For example, a service provider can allocate public IP addresses to broadband users only when they access networks beyond the residential community network. Layer 3 authentication: Layer 3 po...

  • Page 640

    1-5 Direct authentication/Layer 3 authentication process. Figure 1-2 Direct authentication/Layer 3 authentication process. The direct authentication/Layer 3 authentication process is as follows: 1) A portal user initiates an authentication request through HTTP. When the HTTP packet arrives at the acce...

  • Page 641

    1-6 Re-DHCP authentication process. Figure 1-3 Re-DHCP authentication process (labels: authentication/accounting server, authentication client, portal server, access device, 6) authentication succeeds, security policy server, 12) security authentication, 13) authorization, 7) the user obtains a new IP address, 8) dis...

  • Page 642: Basic Portal Configuration

    1-7 Task | Remarks. Basic portal configuration: required. Configuring a portal-free rule: optional. Configuring an authentication subnet: optional. Logging out users: optional. Specifying a mandatory authentication domain: optional. Basic portal configuration. Configuration prerequisites: the portal feature provid...

  • Page 644: Logging Out Users

    1-9 • If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. • You cannot configure two or more portal-free rules with the same filtering conditions. Otherwise, the system prompts that the rule already exists. • No matter whether portal authenticati...

  • Page 645

    1-10 Specifying a mandatory authentication domain. After you specify a mandatory authentication domain for an interface, the device will use the mandatory authentication domain for authentication, authorization, and accounting (AAA) of the portal users on the interface, ignoring the domain names carr...

  • Page 647

    1-12 The following takes iMC as an example to describe the basic configurations required on the portal server. The iMC version is iMC PLAT 3.20-F2603P01 or iMC UAM 3.60-C6201. # Configure the portal server. Log in to the iMC management platform and select the Service tab. Then, select Portal Service...

  • Page 648

    1-13 • Type the device name Switch. • Type the IP address of the interface on the switch for connecting the user. • Type the key, which must be the same as that configured on the switch. • Set whether to enable IP address reallocation. Direct portal authentication is used in this example, and the...

  • Page 649

    1-14 Figure 1-9 Port group configuration. # Select Service Parameters > Validate System Configuration from the navigation tree to make the previous configurations take effect. Configure the switch: 2) Configure a RADIUS scheme. # Create a RADIUS scheme named rs1 and enter its view. system-view [Switch...

  • Page 650

    1-15 # Configure dm1 as the default ISP domain for all users. Then, if a user enters the username without the ISP domain at login, the authentication and accounting methods of the default domain will be used for the user. [Switch] domain default enable dm1 4) Configure portal authentication. # Config...

  • Page 651

    1-16 • For re-DHCP authentication, you need to configure a public address pool (20.20.20.0/24 in this example) and a private address pool (10.0.0.0/24 in this example) on the DHCP server. The configuration steps are omitted. For DHCP configuration information, refer to DHCP Configuration in the IP...

  • Page 652

    1-17 [Switch] domain default enable dm1 3) Configure portal authentication. # Configure the portal server as follows: • Name: newpt • IP address: 192.168.0.111 • Key: portal • Port number: 50100 • URL: http://192.168.0.111/portal. [Switch] portal server newpt ip 192.168.0.111 key portal port 50100 ur...

  • Page 653

    1-18 Figure 1-11 Configure Layer 3 portal authentication (labels: Switch A, host, Vlan-int4 20.20.20.1/24, portal server 192.168.0.111/24, RADIUS server 192.168.0.112/24, Vlan-int2 192.168.0.100/24, Switch B, Vlan-int4 20.20.20.2/24, Vlan-int2 8.8.8.1/24, 8.8.8.2/24). Configuration procedure: • You need to configure IP ...

  • Page 654

    1-19 # Configure the ISP domain to use RADIUS scheme rs1. [SwitchA-isp-dm1] authentication portal radius-scheme rs1 [SwitchA-isp-dm1] authorization portal radius-scheme rs1 [SwitchA-isp-dm1] accounting portal radius-scheme rs1 [SwitchA-isp-dm1] quit # Configure dm1 as the default ISP domain for all ...

  • Page 655

    1-20 Figure 1-12 Configure direct portal authentication with extended functions (labels: Switch, host 2.2.2.2/24, gateway: 2.2.2.1/24, Vlan-int100 2.2.2.1/24, Vlan-int2 192.168.0.100/24, portal server 192.168.0.111/24, 192.168.0.112/24, security policy server, 192.168.0.113/24, RADIUS server). Configuration procedure ...

  • Page 656

    1-21 [Switch] domain dm1 # Configure the ISP domain to use RADIUS scheme rs1. [Switch-isp-dm1] authentication portal radius-scheme rs1 [Switch-isp-dm1] authorization portal radius-scheme rs1 [Switch-isp-dm1] accounting portal radius-scheme rs1 [Switch-isp-dm1] quit # Configure dm1 as the default ISP...

  • Page 657

    1-22 Configuring re-DHCP portal authentication with extended functions. Network requirements: • The host is directly connected to the switch and the switch is configured for re-DHCP authentication. The host is assigned an IP address through the DHCP server. Before portal authentication, the host ...

  • Page 658

    1-23 1) Configure a RADIUS scheme. # Create a RADIUS scheme named rs1 and enter its view. system-view [Switch] radius scheme rs1 # Set the server type for the RADIUS scheme. When using the iMC server, you need to set the server type to extended. [Switch-radius-rs1] server-type extended # Specify the pri...

  • Page 659

    1-24 [Switch-acl-adv-3001] rule permit ip [Switch-acl-adv-3001] quit 4) Configure portal authentication. # Configure the portal server as follows: • Name: newpt • IP address: 192.168.0.111 • Key: portal • Port number: 50100 • URL: http://192.168.0.111/portal. [Switch] portal server newpt ip 192.168.0...

  • Page 660

    1-25 Configuration procedure: • You need to configure IP addresses for the devices as shown in Figure 1-14 and ensure that routes are available between devices. • Perform configurations on the RADIUS server to ensure that the user authentication and accounting functions can work normally. Configure S...

  • Page 661: Troubleshooting Portal

    1-26 On the security policy server, you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL. [SwitchA] acl number 3000 [SwitchA-acl-adv-3000] rule permit ip destination 192.168.0.0 0.0.0.255 [SwitchA-acl-adv-3000] rule deny ip [SwitchA-acl-adv-3000] quit [SwitchA] acl numb...

  • Page 662

    1-27 • Use the portal server command to modify the key on the access device, or modify the key for the access device on the portal server, to ensure that the keys are consistent. Incorrect server port number on the access device. Symptom: after a user passes the portal authentication, you cannot force t...

  • Page 663: Table of Contents

    I Table of Contents: 1 Port Security Configuration 1-1; Introduction to Port Security...

  • Page 664: Port Security Configuration

    1-1 1 Port Security Configuration. When configuring port security, go to these sections for information you are interested in: • Introduction to Port Security • Port Security Configuration Task List • Displaying and Maintaining Port Security • Port Security Configuration Examples • Troubleshooting Po...

  • Page 665

    1-2 Port security features. NTK: the need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices passing authentication, thus preventing illegal devices from intercepting network traffic. Intrusion protection: the intrusion protection ...

  • Page 666

    1-3 Security mode | Description | Features. userLoginSecure: in this mode, a port performs 802.1X authentication of users in port-based mode and services only one user passing 802.1X authentication. userLoginWithOUI: similar to the userLoginSecure mode, a port in this mode performs 802.1X authentication of ...

  • Page 667

    1-4 • Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods. • The maximum number of users a port supports is the lesser of the maximum num...

  • Page 668: Enabling Port Security

    1-5 Port security configuration task list. Complete the following tasks to configure port security: Task | Remarks. Enabling port security: required. Setting the maximum number of secure MAC addresses: optional. Setting the port security mode: required. Configuring NTK, configuring intrusion protection, configu...

  • Page 669

    1-6 • For detailed 802.1X configuration, refer to 802.1X Configuration in the Security Volume. • For detailed MAC-based authentication configuration, refer to MAC Authentication Configuration in the Security Volume. Setting the maximum number of secure MAC addresses: with port security enabled, more ...

  • Page 670

    1-7 • With port security disabled, you can configure the port security mode, but your configuration does not take effect. • You cannot change the port security mode of a port when any user is present on the port. • Before configuring the port to operate in autoLearn mode, set the maximum number of s...

  • Page 671

    1-8 Configuring port security features. Configuring NTK: the need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be forwarded only to devices passing authentication. The NTK feature supports three modes: • ntkonly: forwards only frames destined for aut...

  • Page 673

    1-10 Configuration prerequisites: • Enable port security • Set the maximum number of secure MAC addresses allowed on the port • Set the port security mode to autoLearn. Configuration procedure: follow these steps to configure a secure MAC address: To do… | Use the command… | Remarks. Enter system view: syste...

  • Page 674

    1-11 Displaying and maintaining port security. To do… | Use the command… | Remarks. Display port security configuration information, operation information, and statistics about one or more ports or all ports: display port-security [ interface interface-list ] (available in any view). Display information about...

  • Page 675

    1-12 # Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered. [Switch-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-GigabitEthernet1/0/1] quit [Switch] port-security timer disableport 30 2) Verify the configuration. Aft...

  • Page 676

    1-13 IfIndex: 9437207 Port: 9437207 MAC Addr: 0.2.0.0.0.21 VLAN ID: 1 IfAdminStatus: 1. In addition, you will see that the port security feature has disabled the port if you issue the following command: [Switch-GigabitEthernet1/0/1] display interface gigabitethernet 1/0/1 GigabitEthernet1/0/1 current...

  • Page 677

    1-14 Figure 1-2 Network diagram for configuring the userLoginWithOUI mode. Configuration procedure: • The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume. • Configurations on the host and RADI...

  • Page 678

    1-15 [Switch] dot1x authentication-method chap 3) Configure port security. # Enable port security. [Switch] port-security enable # Add five OUI values. [Switch] port-security oui 1234-0100-1111 index 1 [Switch] port-security oui 1234-0200-1111 index 2 [Switch] port-security oui 1234-0300-1111 index 3...

  • Page 679

    1-16 Self-service = disabled. Use the following command to view the port security configuration information: display port-security interface gigabitethernet 1/0/1 Equipment port-security is enabled Trap is disabled Disableport Timeout: 20s OUI value: Index is 1, OUI value is 123401 Index is 2, OUI va...

  • Page 680

    1-17 EAPOL Packet: Tx 16331, Rx 102 Sent EAP Request/Identity Packets : 16316 EAP Request/Challenge Packets: 6 EAP Success Packets: 4, Fail Packets: 5 Received EAPOL Start Packets : 6 EAPOL LogOff Packets: 2 EAP Response/Identity Packets : 80 EAP Response/Challenge Packets: 6 Error Packets: 0 1. Aut...

  • Page 681

    1-18 2) Configure port security. # Enable port security. system-view [Switch] port-security enable # Configure a MAC authentication user, setting the user name and password to aaa and 123456 respectively. [Switch] mac-authentication user-name-format fixed account aaa password simple 123456 # Set the ...

  • Page 682

    1-19 Use the following command to view 802.1X authentication information: display dot1x interface gigabitethernet 1/0/1 Equipment 802.1X protocol is enabled CHAP authentication is enabled EAD quick deploy is disabled Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet...

  • Page 683

    1-20 Troubleshooting port security. Cannot set the port security mode. Symptom: cannot set the port security mode. [Switch-GigabitEthernet1/0/1] port-security port-mode autolearn Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other. Analysis: for a por...

  • Page 684

    1-21 Analysis: changing the port security mode is not allowed when an 802.1X-authenticated or MAC-authenticated user is online. Solution: use the cut command to forcibly disconnect the user from the port before changing the port security mode. [Switch-GigabitEthernet1/0/1] quit [Switch] cut connection int...

  • Page 685: Table of Contents

    I Table of Contents: 1 IP Source Guard Configuration 1-1; IP Source Guard Overview...

  • Page 686: Ip Source Guard Overview

    1-1 1 IP Source Guard Configuration. When configuring IP source guard, go to these sections for information you are interested in: • IP Source Guard Overview • Configuring a Static Binding Entry • Configuring Dynamic Binding Function • Displaying and Maintaining IP Source Guard • IP Source Guard Conf...

  • Page 689

    1-4 [SwitchA-GigabitEthernet1/0/2] user-bind ip-address 192.168.0.3 mac-address 0001-0203-0405 [SwitchA-GigabitEthernet1/0/2] quit # Configure port GigabitEthernet 1/0/1 of Switch A to allow only IP packets with the source MAC address of 00-01-02-03-04-06 and the source IP address of 192.168.0.1 to ...

  • Page 690

    1-5 For detailed configuration of a DHCP server, refer to DHCP Configuration in the IP Service Volume. Network diagram: Figure 1-2 Network diagram for configuring dynamic binding function. Configuration procedure: 1) Configure Switch A. # Configure dynamic binding function on port GigabitEthernet 1/0/1....

  • Page 691

    1-6 [SwitchA-GigabitEthernet1/0/1] display dhcp-snooping DHCP Snooping is enabled. The client binding table for all untrusted ports. Type : D--Dynamic , S--Static Type IP Address MAC Address Lease VLAN Interface ==== =============== ============== ============ ==== ================= D 192.168.0.1 00...

  • Page 692: Table of Contents

    I Table of Contents: 1 SSH2.0 Configuration 1-1; SSH2.0 Overview...

  • Page 693: Ssh2.0 Configuration

    1-1 1 SSH2.0 Configuration. When configuring SSH2.0, go to these sections for information you are interested in: • SSH2.0 Overview • Configuring the Device as an SSH Server • Configuring the Device as an SSH Client • Displaying and Maintaining SSH • SSH Server Configuration Examples • SSH Client Conf...

  • Page 694

    1-2 Stages | Description. Session request: after passing authentication, the client sends a session request to the server. Interaction: after the server grants the request, the client and server start to communicate with each other. Version negotiation: 1) The server opens port 22 to listen to connection ...

  • Page 695

    1-3 Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For details about DSA and RSA key pairs, refer to Public Key Configuration in the S...

  • Page 696

    1-4 Session request: after passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. After successfully processing the request, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the inte...

  • Page 698

    1-6 To do… | Use the command… | Remarks. Enter system view: system-view (—). Enter user interface view of one or more user interfaces: user-interface vty number [ ending-number ] (—). Set the login authentication mode to scheme: authentication-mode scheme [ command-authorization ] (required; by default, the authent...

  • Page 699

    1-7 • You are recommended to configure a client public key by importing it from a public key file. • You can configure at most 20 client public keys on an SSH server. Configuring a client public key manually: follow these steps to configure the client public key manually: To do… | Use the command… | Remar...

  • Page 701

    1-9 • Enabling the SSH server to be compatible with SSH1 clients • Setting the server key pair update interval, applicable to users using an SSH1 client • Setting the SSH user authentication timeout period • Setting the maximum number of SSH authentication attempts. Setting the above parameters can help ...

  • Page 703

    1-11 To do… | Use the command… | Remarks. Configure the server public key: refer to Configuring a Client Public Key (required; the method of configuring the server public key on the client is similar to that of configuring the client public key on the server). Specify the host public key name of the server: ssh cli...

  • Page 705

    1-13 [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Create local user client001, and set the user command privilege level to 3. [Switch] local-user client001 [Switch-luser-client001] password simple aabbcc [Switch-luser-client001] service-type ssh [Switch-luser-client001] authoriza...

  • Page 706

    1-14 Figure 1-2 SSH client configuration interface. In the window shown in Figure 1-2, click Open. If the connection is normal, you will be prompted to enter the username and password. After entering the correct username (client001) and password (aabbcc), you can enter the configuration interface. W...

  • Page 707

    1-15 [Switch] public-key local create dsa [Switch] ssh server enable # Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection. [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0 [Switch-Vlan-inter...

  • Page 708

    1-16 Figure 1-4 Generate a client key pair (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-5. Otherwise, the progress bar stops moving and the key pair generation process will be stopped.

  • Page 709

    1-17 Figure 1-5 Generate a client key pair (2). After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key. Figure 1-6 Generate a client key pair (3).

  • Page 710

    1-18 Likewise, to save the private key, click Save private key. A warning window pops up to ask whether to save the private key without any protection. Click Yes and enter the name of the file for saving the key (private in this case). Figure 1-7 Generate a client key pair (4). After generating...

  • Page 711

    1-19 Select Connection/SSH/Auth from the navigation tree. The following window appears. Click Browse… to bring up the file selection window, navigate to the private key file and click OK. Figure 1-9 SSH client configuration interface (2). In the window shown in Figure 1-9, click Open. If the connectio...

  • Page 712

    1-20 # Create RSA and DSA key pairs and enable the SSH server. system-view [SwitchB] public-key local create rsa [SwitchB] public-key local create dsa [SwitchB] ssh server enable # Create an IP address for VLAN-interface 1, which the SSH client will use as the destination for the SSH connection. [Switch...

  • Page 713

    1-21 After you enter the correct username, you can log into Switch B successfully. • If the client does not support first-time authentication, you need to perform the following configurations. # Disable first-time authentication. [SwitchA] undo ssh client first-time # Configure the host public key o...

  • Page 714

    1-22 When the switch acts as a client for publickey authentication. Network requirements: • As shown in Figure 1-11, Switch A (the SSH client) needs to log into Switch B (the SSH server) through the SSH protocol. • Publickey authentication is used, and the public key algorithm is DSA. Figure 1-11 Switch ac...

  • Page 715

    1-23 # Specify the authentication type for user client002 as publickey, and assign the public key switch001 to the user. [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switch001 2) Configure the SSH client. # Configure an IP address for VLAN-interface...

  • Page 716: Sftp Service

    2-1 2 SFTP Service. When configuring SFTP, go to these sections for information you are interested in: • SFTP Overview • Configuring an SFTP Server • Configuring an SFTP Client • SFTP Client Configuration Example • SFTP Server Configuration Example. SFTP overview: the Secure File Transfer Protocol (SFT...

  • Page 717: Configuring An Sftp Client

    2-2 When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local location, modified, and then uploaded to the server. Configuring the SFTP connec...

  • Page 719

    2-4 To do… | Use the command… | Remarks. Create a new directory on the remote SFTP server: mkdir remote-path (optional). Delete a directory from the SFTP server: rmdir remote-path& (optional). Working with SFTP files: SFTP file operations include: • Changing the name of a file • Downloading a file • Uploading a f...

  • Page 721

    2-6 # Generate RSA and DSA key pairs and enable the SSH server. system-view [SwitchB] public-key local create rsa [SwitchB] public-key local create dsa [SwitchB] ssh server enable # Enable the SFTP server. [SwitchB] sftp server enable # Configure an IP address for VLAN-interface 1, which the SSH cli...

  • Page 722

    2-7 [SwitchA] quit. After generating key pairs on a client, you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration of the client. # Establish a connection to the remote SFTP server and enter SFTP c...

  • Page 723

    2-8 sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup...

  • Page 724

    2-9 ...authentication with the username being client002 and the password being aabbcc. The username and password are saved on the switch. Figure 2-2 Network diagram for SFTP server configuration. Configuration procedure: 1) Configure the SFTP server. # Generate RSA and DSA key pairs and enable the SSH ser...

  • Page 725

    2-10 • There are many kinds of SSH client software. The following takes the PSFTP of PuTTY version 0.58 as an example. • PSFTP supports only password authentication. # Establish a connection with the remote SFTP server. Run psftp.exe to launch the client interface as shown in Figure 2-3, an...

  • Page 726: Table of Contents

    I Table of Contents: 1 PKI Configuration 1-1; Introduction to PKI...

  • Page 727: Pki Configuration

    1-1 1 PKI Configuration. When configuring PKI, go to these sections for information you are interested in: • Introduction to PKI • PKI Configuration Task List • Displaying and Maintaining PKI • PKI Configuration Examples • Troubleshooting PKI. Introduction to PKI: this section covers these topics: • PK...

  • Page 728

    1-2 ...level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level. CRL: an existing certificate may need to be revoked when, for example, the user name changes, the private key leaks, or the user stops the business. R...

  • Page 729

    1-3 CA: a CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. RA: a registration authority (RA) is an extended part of a CA or an independen...

  • Page 730: Pki Configuration Task List

    1-4 2) The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. 3) The CA verifies the digital signature, approves the application, and issues a certificate. 4) The RA receives the certificate from the CA, sends it to th...

  • Page 731

    1-5 The configuration of an entity DN must comply with the CA certificate issuing policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional; otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do… | Use the co...

  • Page 732: Configuring A Pki Domain

    1-6 Configuring a PKI domain. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significanc...

  • Page 735

    1-9 • If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. (Choose a modulus of at least 2048 bits; the 1024-bit keys shown in the examples of this chapter are too short by current standards.) For information about the public-key...

  • Page 736

    1-10 • If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate ...

  • Page 737: Deleting A Certificate

    1-11 To do… | Use the command… | Remarks: Enter system view | system-view | —; Enter PKI domain view | pki domain domain-name | —; Disable CRL checking | crl check disable | Required (CRL checking is enabled by default); Return to system view | quit | —; Retrieve the CA certificate | refer to Retrieving a certificate manually | Required; Verify t...

  • Page 740

    1-14 • Subject DN: DN information of the CA, including the common name (CN), organizational unit (OU), organization (O), and country (C). The other attributes may be left at their default values. # Configure extended attributes. After configuring the basic attributes, you need to perform configuratio...

  • Page 741

    1-15 Generating keys... ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++ • Apply for certificates. # Retrieve the CA certificate and save it locally. [Switch] pki retrieval-certifi...

  • Page 742

    1-16 Not After : Jan 8 09:26:53 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00d67d50 41046f6a 43610335 ca6c4b11 f8f89138 e4e905bd 43953ba2 623a54c0 ea3cb6e0 b04649ce c9cddd38 34015970 981e96d9 ff4f7b73 a51556...

  • Page 743

    1-17 Figure 1-3 Request a certificate from a CA running Windows 2003 Server. Configuration procedure: 1) Configure the CA server. • Install the certificate server suites: from the Start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Servi...

  • Page 744

    1-18 # Configure the URL of the registration server in the format http://host:port/certsrv/mscep/mscep.dll, where host:port indicates the IP address and port number of the CA server. Because this URL is plain HTTP, confirm the fingerprint of the CA certificate you retrieve against a value obtained out of band before trusting it. [Switch-pki-domain-torsa] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll # Set the registrat...

  • Page 745

    1-19 Data: Version: 3 (0x2) Serial Number: 48fa0fd9 00000000 000c Signature Algorithm: sha1WithRSAEncryption Issuer: CN=CA server Validity Not Before: Nov 21 12:32:16 2007 GMT Not After : Nov 21 12:42:16 2008 GMT Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Pub...

  • Page 746

    1-20 Configuring a certificate attribute-based access control policy. Network requirements: • The client accesses the remote HTTP Secure (HTTPS) server through the HTTPS protocol. • SSL is configured to ensure that only legitimate clients log into the HTTPS server. • Create a certificate attribute-based ...

  • Page 747: Troubleshooting Pki

    1-21 # Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines that the FQDN of the alternative subject name does not include the string apple, and the second rule defines that the DN of the certificate issuer name includes the string aabbcc. [Switch] pki c...
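
The attribute-group and access-control-policy evaluation described in this example, modelled in Python as an added example (illustrative code, not H3C software). Group mygroup2 carries the two rules quoted above; group mygroup1, the statement order (deny mygroup1, then permit mygroup2), the assumptions that a group matches only when all of its rules match, that the first matching statement decides and that a certificate matching no statement is denied, and the sample certificates are all constructed for the example.

```python
# Model of a certificate attribute-based access control policy (illustrative;
# not H3C code). Certificates are represented by fields already parsed out
# of them: subject DN, issuer DN and subject alternative names.
from typing import Dict, List, NamedTuple, Tuple


class CertFields(NamedTuple):
    subject_dn: str
    issuer_dn: str
    alt_fqdns: Tuple[str, ...] = ()
    alt_ips: Tuple[str, ...] = ()


class AttributeRule(NamedTuple):
    name: str    # subject-name | issuer-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn (contains) | nctn | equ (equals) | nequ
    value: str

    def fields(self, cert: CertFields) -> List[str]:
        """The certificate values this rule is compared against."""
        if self.kind == "dn" and self.name == "subject-name":
            return [cert.subject_dn]
        if self.kind == "dn" and self.name == "issuer-name":
            return [cert.issuer_dn]
        if self.name == "alt-subject-name" and self.kind == "fqdn":
            return list(cert.alt_fqdns)
        if self.name == "alt-subject-name" and self.kind == "ip":
            return list(cert.alt_ips)
        raise ValueError(f"unsupported attribute {self.name} {self.kind}")

    def matches(self, cert: CertFields) -> bool:
        test = {"ctn": lambda v: self.value in v, "equ": lambda v: self.value == v}
        if self.op in test:
            return any(test[self.op](v) for v in self.fields(cert))
        if self.op in ("nctn", "nequ"):   # negated forms: no value may satisfy the test
            return not any(test[self.op[1:]](v) for v in self.fields(cert))
        raise ValueError(f"unknown operator {self.op}")


class AccessControlPolicy:
    """'pki certificate access-control-policy' with its attribute groups."""

    def __init__(self):
        self.groups: Dict[str, List[AttributeRule]] = {}
        self.statements: List[Tuple[str, str]] = []    # (permit|deny, group name)

    def attribute(self, group: str, name: str, kind: str, op: str, value: str):
        """'attribute N name kind op value' inside 'pki certificate attribute-group'."""
        self.groups.setdefault(group, []).append(AttributeRule(name, kind, op, value))

    def rule(self, action: str, group: str):
        """'rule N permit|deny group' inside the access control policy."""
        self.statements.append((action, group))

    def group_matches(self, group: str, cert: CertFields) -> bool:
        # Assumptions: a group matches only when every one of its rules matches
        # (so an empty group matches everything) and a statement that names a
        # group that does not exist never matches.
        rules = self.groups.get(group)
        return rules is not None and all(r.matches(cert) for r in rules)

    def evaluate(self, cert: CertFields) -> str:
        for action, group in self.statements:   # first matching statement decides
            if self.group_matches(group, cert):
                return action
        return "deny"   # assumption: a certificate that matches no statement is rejected


def demo() -> List[str]:
    """mygroup2 carries the two rules from the configuration example; mygroup1,
    the statement order and the certificates are constructed for this example."""
    policy = AccessControlPolicy()
    policy.attribute("mygroup1", "subject-name", "dn", "ctn", "CN=revoked")   # hypothetical
    policy.attribute("mygroup2", "alt-subject-name", "fqdn", "nctn", "apple")
    policy.attribute("mygroup2", "issuer-name", "dn", "ctn", "aabbcc")
    policy.rule("deny", "mygroup1")
    policy.rule("permit", "mygroup2")
    certs = [
        CertFields("CN=switch", "CN=aabbcc-ca", ("switch.example.com",)),      # permit
        CertFields("CN=switch", "CN=aabbcc-ca", ("apple.example.com",)),       # deny: SAN has apple
        CertFields("CN=revoked-user", "CN=aabbcc-ca", ("host.example.com",)),  # deny: mygroup1
        CertFields("CN=switch", "CN=other-ca"),                                # deny: issuer
    ]
    return [policy.evaluate(c) for c in certs]
```

Note that a certificate with no subject alternative name satisfies an nctn rule on the alternative subject name (there is no value containing the string), so a policy that relies only on negative rules admits more certificates than one might expect; pair them with a positive issuer-name rule as the example does.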

  • Page 748

    1-22 Failed to request a local certificate. Symptom: failed to request a local certificate. Analysis: possible reasons include these: • The network connection is not proper; for example, the network cable may be damaged or loose. • No CA certificate has been retrieved. • The current key pair has been b...

  • Page 749: Table of Contents

    Table of contents: 1 SSL configuration 1-1; SSL overview ...

  • Page 750: Ssl Configuration

    1-1 1 SSL configuration. When configuring SSL, go to these sections for information you are interested in: • SSL overview • SSL configuration task list • Displaying and maintaining SSL • Troubleshooting SSL. SSL overview: Secure Sockets Layer (SSL) is a security protocol providing secure connection ser...

  • Page 751: Ssl Configuration Task List

    1-2 • For details about symmetric key algorithms, the asymmetric key algorithm RSA and digital signatures, refer to Public key configuration in the Security volume. • For details about PKI, certificates, and CAs, refer to PKI configuration in the Security volume. SSL protocol stack: as shown in Figure 1-2,...

  • Page 752

    1-3 Configuring an SSL server policy. An SSL server policy is a set of SSL parameters for a server to use when booting up. An SSL server policy takes effect only after it is associated with an application layer protocol, for example HTTP. Configuration prerequisites: when configuring an SSL ...

  • Page 753

    1-4 • If you enable client authentication here, you must request a local certificate for the client. • Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. (SSL 2.0 and SSL 3.0 have since been prohibited by RFC 6176 and deprecated by RFC 7568; a current deployment should not accept them.) When the device acts as an SSL server, it can communicate with clients running SS...

  • Page 754

    1-5 [Device] pki domain 1 [Device-pki-domain-1] ca identifier ca1 [Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Device-pki-domain-1] certificate request from ra [Device-pki-domain-1] certificate request entity en [Device-pki-domain-1] quit # Create the local ...

  • Page 755: Troubleshooting Ssl

    1-6 Configuration prerequisites: if the SSL server is configured to authenticate the SSL client, you need to specify, when configuring the SSL client policy, the PKI domain to be used for obtaining the certificate of the client. Therefore, before configuring an SSL client policy, you must configure a ...

  • Page 756

    1-7 Analysis: SSL handshake failure may result from the following causes: • No SSL server certificate exists, or the certificate is not trusted. • The server is expected to authenticate the client, but the SSL client has no certificate or the certificate is not trusted. • The cipher suites used by th...

  • Page 757: Table of Contents

    Table of contents: 1 Public key configuration 1-1; Asymmetric key algorithm overview ...

  • Page 758: Public Key Configuration

    1-1 1 Public key configuration. When configuring public keys, go to these sections for information you are interested in: • Asymmetric key algorithm overview • Configuring the local asymmetric key pair • Configuring the public key of a peer • Displaying and maintaining public keys • Public key config...

  • Page 759

    1-2 • Encryption/decryption: information encrypted with a receiver's public key can be decrypted only by the receiver possessing the corresponding private key. This is used to ensure confidentiality. • Digital signature: a signature created with a sender's private key can be verified with the sender's public key by anyone...

  • Page 760

    1-3 • The configuration of the public-key local create command survives a reboot. • The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key. • The length of an RSA key modulus is in the range ...

  • Page 761

    1-4 • Import it from the public key file: the system automatically converts the public key to a string coded using the PKCS (Public Key Cryptography Standards). Before importing the public key, you must upload the peer's public key file (in binary) to the local host through FTP or TFTP. (Neither FTP nor TFTP protects the file in transit, so compare the imported key against the peer's fingerprint before relying on it.) • If you cho...

  • Page 762

    1-5 Public key configuration examples. Configuring the public key of a peer manually. Network requirements: Device A is authenticated by Device B when accessing Device B, so the public key of Device A should be configured on Device B in advance. In this example: • RSA is used. • The host public key of ...

  • Page 763

    1-6 ===================================================== Time of Key pair created: 09:50:07 2007/08/07 Key name: server_key Key type: RSA encryption Key ===================================================== Key code: 307c300d06092a864886f70d0101010500036b003068026100999089e7aee9802002d9eb2d0433b87b...

  • Page 764

    1-7 • The host public key of Device A is imported from the public key file to Device B. Figure 1-3 Network diagram for importing the public key of a peer from a public key file. Configuration procedure: 1) Create key pairs on Device A and export the host public key. # Create RSA key pairs on Device A. S...

  • Page 765

    1-8 [DeviceA] public-key local export rsa ssh2 devicea.pub [DeviceA] quit 2) Enable the FTP server function on Device B. # Enable the FTP server function and create an FTP user with the username ftp and password 123. system-view [DeviceB] ftp server enable [DeviceB] local-user ftp [DeviceB-luser-ftp] pa...

  • Page 766: Table of Contents

    Table of contents: 1 ACL overview 1-1; Introduction to ACL ...

  • Page 767

    Configuring a basic IPv6 ACL 3-1; Configuration prerequisites 3-1; Configurati...

  • Page 768: Acl Overview

    1-1 1 ACL overview. In order to filter traffic, network devices use sets of rules, called access control lists (ACLs), to identify and handle packets. When configuring ACLs, go to these chapters for information you are interested in: • ACL overview • IPv4 ACL configuration • IPv6 ACL configuration un...

  • Page 769: Introduction to Ipv4 Acl

    1-2 • When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic classification, the switch does not take the action defined by the traffic behavior on a packet that does not match the ACL. • When an ACL is referenced by a piece of software to control Telnet, ...

  • Page 770

    1-3 The name of an IPv4 ACL must be unique among IPv4 ACLs. However, an IPv4 ACL and an IPv6 ACL can share the same name. IPv4 ACL match order: an ACL may consist of multiple rules, which specify different matching criteria. These criteria may have overlapping or conflicting parts. The match order is...

  • Page 771: Introduction to Ipv6 Acl

    1-4 3) If the numbers of ones in the destination MAC address masks are the same, compare packets against the one configured first. The comparison of a packet against ACL rules stops immediately after a match is found. The packet is then processed as per the rule. IPv4 ACL step: meaning of the step. Th...

  • Page 772

    1-5 • Effective period of an IPv6 ACL. IPv6 ACL classification: IPv6 ACLs, identified by ACL numbers, fall into three categories, as shown in Table 1-2. Table 1-2 IPv6 ACL categories: Category | ACL number | Matching criteria: Basic IPv6 ACL | 2000 to 2999 | source IPv6 address; Advanced IPv6 ACL | 3000 to 3999 | s...

  • Page 773

    1-6 1) Look at the protocol type field in the rules first. A rule with no limit to the protocol type (that is, one configured with the ipv6 keyword) has the lowest precedence. Rules each of which has a single specified protocol type are of the same precedence level. Compare packets against the rule with...

  • Page 774: Ipv4 Acl Configuration

    2-1 2 IPv4 ACL configuration. When configuring an IPv4 ACL, go to these sections for information you are interested in: • Creating a time range • Configuring a basic IPv4 ACL • Configuring an advanced IPv4 ACL • Configuring an Ethernet frame header ACL • Copying an IPv4 ACL • Displaying and maintaini...

  • Page 775: Configuring A Basic Ipv4 Acl

    2-2 on the day or days of the week only within the specified period. For example, to create a time range that is active from 12:00 to 14:00 on Wednesdays between January 1, 2004 00:00 and December 31, 2004 23:59, you may use the time-range test 12:00 to 14:00 wednesday from 00:00 01/01/2004 to 23:59...

  • Page 777

    2-4 system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 1.1.1.1 0 # Verify the configuration. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, named -none-, 1 rule, ACL's step is 5 rule 0 deny source 1.1.1.1 0 (5 times matched) Configuring an advanced IPv4 ACL: ad...

  • Page 778

    2-5 To do… | Use the command… | Remarks: Set the rule numbering step | step step-value | Optional; 5 by default. Configure a description for the advanced IPv4 ACL | description text | Optional; by default, an advanced IPv4 ACL has no ACL description. Configure a rule description | rule rule-id comment text | Optional; b...

  • Page 779

    2-6 Configuring an Ethernet frame header ACL. Ethernet frame header ACLs match packets based on Layer 2 protocol header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type. They are numbered in the range 4000 to 4999. Configuration...

  • Page 780: Copying An Ipv4 Acl

    2-7 Note that: • You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. • You cannot create a rule with, or modify a rule to have...
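
The rule numbering step, the config and auto (depth-first) match orders, and periodic time ranges described in these ACL chapters, modelled in Python as an added example (illustrative code, not H3C software). `demo_time_range` replays ACL 2009 from the packet-filtering example later in this volume (permit one host and deny every other source, both under a time range) and `demo_match_order` shows the same two rules answering differently under the two match orders. Assumptions: the next rule ID is the smallest multiple of the step above the highest existing ID, the end time of a time range is exclusive, a rule whose time range is missing or inactive is skipped, and the time range definition and sample dates are constructed.

```python
# Model of H3C-style basic IPv4 ACL matching (illustrative; not H3C code).
from datetime import datetime
from typing import Dict, List, Optional

WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}


def _minutes(text: str) -> int:        # "8:00" -> minutes since midnight
    hours, mins = text.split(":")
    return int(hours) * 60 + int(mins)


def _ip(text: str) -> int:             # "192.168.1.2" -> 32-bit integer
    return int.from_bytes(bytes(int(o) for o in text.split(".")), "big")


class TimeRange:
    """Periodic range: 'time-range study 8:00 to 18:00 working-day', with an
    optional absolute window ('from 00:00 01/01/2004 to 23:59 12/31/2004')."""

    def __init__(self, name, start, end, day, abs_from=None, abs_to=None):
        self.name, self.start, self.end = name, _minutes(start), _minutes(end)
        self.days = {0, 1, 2, 3, 4} if day == "working-day" else {WEEKDAYS[day]}
        self.abs_from, self.abs_to = abs_from, abs_to

    def active(self, when: datetime) -> bool:
        if self.abs_from and when < self.abs_from or self.abs_to and when > self.abs_to:
            return False
        minute = when.hour * 60 + when.minute
        # Assumption: the end time is exclusive (18:00 itself is outside the range).
        return when.weekday() in self.days and self.start <= minute < self.end


class Rule:
    def __init__(self, rule_id, action, source, wildcard, time_range=None):
        self.rule_id, self.action, self.time_range = rule_id, action, time_range
        self.source, self.wildcard = source, wildcard   # 'any' = 0 / 0xFFFFFFFF
        self.matched = 0                                # the "(N times matched)" counter

    def mask_ones(self) -> int:   # ones in the mask, i.e. the complement of the wildcard
        return bin(~self.wildcard & 0xFFFFFFFF).count("1")

    def covers(self, src: int) -> bool:
        mask = ~self.wildcard & 0xFFFFFFFF
        return src & mask == self.source & mask


class BasicIpv4Acl:
    def __init__(self, number: int, match_order: str = "config", step: int = 5):
        self.number, self.match_order, self.step = number, match_order, step
        self.rules: List[Rule] = []        # kept in configuration order

    def _next_id(self) -> int:
        # Assumption: smallest multiple of step above the largest existing ID.
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def rule(self, action, source="any", wildcard="0", time_range=None) -> int:
        """'rule permit source 192.168.1.2 0 time-range study' -> rule ID."""
        src, wc = (0, 0xFFFFFFFF) if source == "any" else (_ip(source), _ip(wildcard))
        self.rules.append(Rule(self._next_id(), action, src, wc, time_range))
        return self.rules[-1].rule_id

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return list(self.rules)
        # auto (depth-first): more ones in the mask first; sorted() is stable,
        # so rules with equal masks keep their configuration order.
        return sorted(self.rules, key=lambda r: -r.mask_ones())

    def match(self, src_ip: str, when: datetime,
              time_ranges: Dict[str, TimeRange]) -> Optional[str]:
        """First matching active rule decides; None means no rule matched."""
        src = _ip(src_ip)
        for r in self.ordered_rules():
            tr = time_ranges.get(r.time_range) if r.time_range else None
            if r.time_range and (tr is None or not tr.active(when)):
                continue    # assumption: a missing or inactive time range disables the rule
            if r.covers(src):
                r.matched += 1
                return r.action
        return None


def demo_time_range():
    """ACL 2009 from the packet-filtering example: permit one host and deny every
    other source, only while 'study' is active (range and dates are constructed)."""
    ranges = {"study": TimeRange("study", "8:00", "18:00", "working-day")}
    acl = BasicIpv4Acl(2009)
    acl.rule("permit", "192.168.1.2", "0", time_range="study")   # rule 0
    acl.rule("deny", "any", time_range="study")                   # rule 5
    tuesday, saturday = datetime(2009, 9, 29, 10, 0), datetime(2009, 10, 3, 10, 0)
    return (acl.match("192.168.1.2", tuesday, ranges),
            acl.match("192.168.1.9", tuesday, ranges),
            acl.match("192.168.1.9", saturday, ranges))


def demo_match_order():
    """The same two rules answer differently under config and auto order."""
    results, ids = [], []
    for order in ("config", "auto"):
        acl = BasicIpv4Acl(2000, match_order=order)
        acl.rule("permit", "any")            # rule 0: mask has 0 ones
        acl.rule("deny", "1.1.1.1", "0")     # rule 5: mask has 32 ones
        results.append(acl.match("1.1.1.1", datetime(2009, 9, 29, 10, 0), {}))
        ids = [r.rule_id for r in acl.rules]
    return tuple(results), ids
```

The third value returned by `demo_time_range` is `None`: outside the time range neither rule is active, so the ACL matches nothing, and what then happens to the packet depends on the module that references the ACL, as the overview chapter notes for QoS policies.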

  • Page 782

    2-9 Configuration procedure: 1) Create a time range for office hours. # Create a periodic time range spanning 8:00 to 18:00 on working days. system-view [Switch] time-range trname 8:00 to 18:00 working-day 2) Define an ACL to control access to the salary query server. # Configure a rule to control acce...

  • Page 783

    2-10 [Switch] interface gigabitethernet 1/0/2 [Switch-GigabitEthernet1/0/2] qos apply policy p_rd inbound [Switch-GigabitEthernet1/0/2] quit # Apply QoS policy p_market to interface GigabitEthernet 1/0/3. [Switch] interface gigabitethernet 1/0/3 [Switch-GigabitEthernet1/0/3] qos apply policy p_marke...

  • Page 784: Ipv6 Acl Configuration

    3-1 3 IPv6 ACL configuration. When configuring IPv6 ACLs, go to these sections for information you are interested in: • Creating a time range • Configuring a basic IPv6 ACL • Configuring an advanced IPv6 ACL • Copying an IPv6 ACL • Displaying and maintaining IPv6 ACLs • IPv6 ACL configuration example...

  • Page 785

    3-2 To do… | Use the command… | Remarks: Configure a description for the basic IPv6 ACL | description text | Optional; by default, a basic IPv6 ACL has no ACL description. Configure a rule description | rule rule-id comment text | Optional; by default, an IPv6 ACL rule has no rule description. Note that: • You can...

  • Page 786

    3-3 Advanced IPv6 ACLs are numbered in the range 3000 to 3999. Compared with basic IPv6 ACLs, they allow more flexible and accurate filtering. Configuration prerequisites: if you want to reference a time range in a rule, define it with the time-range command first. Configuration procedure: follow t...

  • Page 787: Copying An Ipv6 Acl

    3-4 • When the ACL match order is auto, a newly created rule will be inserted among the existing rules in the depth-first match order. Note that the IDs of the rules still remain the same. • You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name acl6-name ] match-o...

  • Page 789

    3-6 [Switch-acl6-basic-2000] quit # Configure class c_rd for packets matching IPv6 ACL 2000. [Switch] traffic classifier c_rd [Switch-classifier-c_rd] if-match acl ipv6 2000 [Switch-classifier-c_rd] quit # Configure traffic behavior b_rd to deny matching packets. [Switch] traffic behavior b_rd [Swit...

  • Page 790: Filtering Ethernet Frames

    4-1 4 ACL application for packet filtering. When applying an ACL for packet filtering, go to these sections for information you are interested in: • Filtering Ethernet frames • Filtering IPv4 packets • Filtering IPv6 packets • ACL application example. You can apply an ACL to the inbound direction of a...

  • Page 792: Acl Application Example

    4-3 Follow these steps to set the intervals for packet filtering statistics so that the device outputs packet filtering statistics at the end of every interval: To do… | Use the command… | Remarks: Enter system view | system-view | —; Set the interval for IPv4 packet filtering statistics | acl logging frequence f...

  • Page 793

    4-4 [DeviceA] acl number 2009 # Create basic IPv4 ACL rules that permit packets sourced from 192.168.1.2/32 and deny packets from all other sources during time range study. [DeviceA-acl-basic-2009] rule permit source 192.168.1.2 0 time-range study [DeviceA-acl-basic-2009] rule deny source any time-range study [DeviceA-acl-basic-2009] quit # ...

  • Page 794: Table of Contents

    Table of contents: 1 ARP attack protection configuration 1-1; ARP attack protection overview ...

  • Page 795

    1-1 1 ARP attack protection configuration. When configuring ARP attack protection, go to these sections for information you are interested in: • Configuring ARP defense against IP packet attacks • Configuring ARP packet rate limit • Configuring source MAC address based ARP attack detection • Configur...

  • Page 796

    1-2 Task | Remarks: Configuring source MAC address based ARP attack detection | Optional; configure this function on gateways (recommended). Configuring ARP packet source MAC address consistency check | Optional; configure this function on gateways (recommended). Configuring ARP active acknowledgement | Option...

  • Page 797

    1-3 Configuring ARP source suppression. Follow these steps to configure ARP source suppression: To do… | Use the command… | Remarks: Enter system view | system-view | —; Enable ARP source suppression | arp source-suppression enable | Required; disabled by default. Set the maximum number of packets with the same sou...

  • Page 799

    1-5 Displaying and maintaining source MAC address based ARP attack detection: To do… | Use the command… | Remarks: Display attacking entries detected | display arp anti-attack source-mac [ interface interface-type interface-number ] | Available in any view. Configuring ARP packet source MAC address consistency ...

  • Page 800: Configuring Arp Detection

    1-6 Configuring ARP detection. Introduction: the ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded, hence preventing user spoofing and gateway spoofing. ARP detection includes ARP detection based on specified objects, and...

  • Page 801

    1-7 To do… | Use the command… | Remarks: Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional; the port is an untrusted port by default. Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/O...

  • Page 802

    1-8 To do… | Use the command… | Remarks: Enable ARP detection for the VLAN | arp detection enable | Required; disabled by default, that is, ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is not enabled by default. Return to system ...

  • Page 803

    1-9 Figure 1-1 Network diagram for ARP detection configuration. Configuration procedure: 1) Add all the ports on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Omitted) 2) Configure Switch A as a DHCP server. # Configure DHCP address pool 0. system-view [SwitchA] d...

  • Page 804

    1-10 [SwitchB-GigabitEthernet1/0/3] quit # Enable the checking of the MAC addresses and IP addresses of ARP packets. [SwitchB] arp detection validate dst-mac ip src-mac After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet1/0/2 and GigabitEthernet1/0/...

  • Page 805

    1-11 [SwitchB] dot1x [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] dot1x [SwitchB-GigabitEthernet1/0/1] quit [SwitchB] interface gigabitethernet 1/0/2 [SwitchB-GigabitEthernet1/0/2] dot1x [SwitchB-GigabitEthernet1/0/2] quit # Add local access user test. [SwitchB] local-use...

  • Page 806

    1-12 To do… | Use the command… | Remarks: Enter system view | system-view | —; Enter interface view | interface interface-type interface-number | —; Enable ARP automatic scanning | arp scan [ start-ip-address to end-ip-address ] | Required; Return to system view | quit | —; Enable fixed ARP | arp fixup | Optional. • IP addresses...

  • Page 807

    1-13 To do… | Use the command… | Remarks: Enable ARP gateway protection for a specified gateway | arp filter source ip-address | Required; disabled by default. • You can enable ARP gateway protection for up to eight gateways on a port. • The commands arp filter source and arp filter binding cannot both be configu...

  • Page 808: Configuring Arp Filtering

    1-14 After the above configuration is complete, Switch B will discard the ARP packets whose sender (source) IP address is that of the gateway. Configuring ARP filtering. Introduction: to prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP packets on a port as fo...

  • Page 809

    1-15 Figure 1-4 Network diagram for ARP filtering configuration (Switch A, Switch B, Host A, Host B; ports GE1/0/1, GE1/0/2, GE1/0/3). Configuration procedure: # Configure ARP filtering on Switch B. system-view [SwitchB] interface gigabitethernet 1/0/1 [SwitchB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000...
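
The ARP checks from this chapter (the dst-mac, ip and src-mac validity checks, user validity against binding entries, trusted ports, ARP gateway protection with arp filter source, and ARP filtering with arp filter binding), modelled in Python over constructed frames as an added example (illustrative code, not H3C software). Assumptions: the validity checks are modelled as sender MAC versus Ethernet source, reply target MAC versus Ethernet destination, and rejection of all-zero, all-one and multicast IP addresses; the per-port filters are evaluated before VLAN-level detection; the gateway address 10.1.1.1, the host MACs and the binding table are constructed for the example.

```python
# Model of the ARP checks described in this chapter (illustrative; not H3C
# code). Frames are built in memory, so the example runs offline.
import struct
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src op sender_mac sender_ip target_mac target_ip")


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + 28-byte ARP body (htype 1, ptype 0x0800)."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa))


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    op, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return ArpFrame(frame[:6], frame[6:12], op, sha, spa, tha, tpa)


def _bad_ip(addr: bytes) -> bool:
    """All-zero, all-one and multicast addresses are never valid in ARP."""
    return addr in (b"\x00" * 4, b"\xff" * 4) or addr[0] >= 224


def validate(f: ArpFrame, checks: Set[str]) -> Optional[str]:
    """'arp detection validate dst-mac ip src-mac', as modelled here.
    Returns the name of the failed check, or None when the packet is valid."""
    if "src-mac" in checks and f.sender_mac != f.eth_src:
        return "src-mac"       # body sender MAC differs from the Ethernet source
    if "dst-mac" in checks and f.op == ARP_REPLY and f.target_mac != f.eth_dst:
        return "dst-mac"       # reply target MAC differs from the Ethernet destination
    if "ip" in checks and (_bad_ip(f.sender_ip) or
                           (f.op == ARP_REPLY and _bad_ip(f.target_ip))):
        return "ip"
    return None


@dataclass
class PortArpConfig:
    trusted: bool = False                                   # arp detection trust
    filter_source: Set[bytes] = field(default_factory=set)  # arp filter source IP
    filter_binding: Dict[bytes, bytes] = field(default_factory=dict)  # arp filter binding IP MAC


# Binding entry (MAC, VLAN, port), as learned by DHCP snooping or configured
# as a static IP source guard binding.
Binding = Tuple[bytes, int, str]


def arp_decision(raw: bytes, vlan: int, port: str, cfg: PortArpConfig,
                 bindings: Dict[bytes, Binding], checks: Set[str]) -> Tuple[str, str]:
    """Return ('forward' | 'drop', reason). Assumption: the per-port gateway
    protection and ARP filtering run before the VLAN-level ARP detection."""
    f = parse_arp(raw)
    if f.sender_ip in cfg.filter_source:
        return "drop", "gateway-protection"    # sender claims a protected gateway IP
    if cfg.filter_binding and cfg.filter_binding.get(f.sender_ip) != f.sender_mac:
        return "drop", "arp-filter"            # only bound sender IP/MAC pairs pass
    if cfg.trusted:
        return "forward", "trusted-port"       # ARP detection does not apply
    failed = validate(f, checks)
    if failed:
        return "drop", "invalid-" + failed
    if bindings.get(f.sender_ip) != (f.sender_mac, vlan, port):
        return "drop", "no-binding"            # user validity check failed
    return "forward", "binding-matched"


def demo():
    """Switch B from the ARP detection and ARP filtering examples. Host A is
    10.1.1.2 on GE1/0/1; the gateway 10.1.1.1, the MACs and the binding entry
    are constructed for this example."""
    host_a, host_b = mac("00:0f:e2:00:00:0a"), mac("00:0f:e2:00:00:0b")
    gateway, bcast, zero = ip("10.1.1.1"), mac("ff:ff:ff:ff:ff:ff"), mac("00:00:00:00:00:00")
    checks = {"dst-mac", "ip", "src-mac"}
    bindings = {ip("10.1.1.2"): (host_a, 10, "GE1/0/1")}       # DHCP snooping entry
    ge1 = PortArpConfig(filter_source={gateway})               # arp filter source 10.1.1.1
    ge1_bound = PortArpConfig(filter_binding={ip("10.1.1.2"): host_a})  # arp filter binding
    ge3 = PortArpConfig(trusted=True)                          # uplink towards Switch A
    legit = build_arp(bcast, host_a, ARP_REQUEST, host_a, ip("10.1.1.2"), zero, gateway)
    gw_spoof = build_arp(bcast, host_a, ARP_REQUEST, host_a, gateway, zero, ip("10.1.1.2"))
    mac_spoof = build_arp(bcast, host_a, ARP_REQUEST, host_b, ip("10.1.1.2"), zero, gateway)
    unknown = build_arp(bcast, host_b, ARP_REQUEST, host_b, ip("10.1.1.9"), zero, gateway)
    bad_reply = build_arp(host_a, host_b, ARP_REPLY, host_b, ip("10.1.1.9"), zero, ip("10.1.1.2"))
    return [arp_decision(legit, 10, "GE1/0/1", ge1, bindings, checks),
            arp_decision(gw_spoof, 10, "GE1/0/1", ge1, bindings, checks),
            arp_decision(mac_spoof, 10, "GE1/0/1", ge1, bindings, checks),
            arp_decision(unknown, 10, "GE1/0/1", ge1, bindings, checks),
            arp_decision(bad_reply, 10, "GE1/0/1", ge1, bindings, checks),
            arp_decision(unknown, 10, "GE1/0/1", ge1_bound, bindings, checks),
            arp_decision(unknown, 10, "GE1/0/3", ge3, bindings, checks)]
```

The last case is the one to watch in a deployment: a trusted port skips every detection check, so only the uplink towards the DHCP server and gateway should be trusted, never a port facing hosts.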

  • Page 810: Manual Version

    High availability volume: organization. Manual version 20090930-C-1.01, product version Release 2202. Organization: the High availability volume is organized as follows: Features | Description: Smart link | Smart link is a solution for active-standby link redundancy backup and rapid transition in dual-uplink ...

  • Page 811

    Features | Description: DLDP | In the use of fibers, link errors, namely unidirectional links, are likely to occur. DLDP is designed to detect such errors. This document describes: • DLDP introduction • Enabling DLDP • Setting DLDP mode • Setting the interval for sending advertisement packets • Setting t...

  • Page 812: Table of Contents

    Table of contents: 1 Smart link configuration 1-2; Smart link overview ...

  • Page 813: Smart Link Configuration

    1-2 1 Smart link configuration. When configuring smart link, go to these sections for information that you are interested in: • Smart link overview • Configuring a smart link device • Configuring an associated device • Displaying and maintaining smart link • Smart link configuration examples. Smart li...

  • Page 814

    1-3 For more information about STP and RRPP, refer to MSTP configuration in the Access volume and RRPP configuration in the High availability volume. Smart link is a feature developed to address the slow convergence issue with STP. It provides link redundancy as well as fast convergence in a dual upl...

  • Page 815

    1-4 Receive control VLAN: the receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Device A, Device B, and Device E in Figure 1-1) receive and process flush messages in the receive control VLAN and refresh their MAC address forwa...

  • Page 816

    1-5 configured with role preemption, GE1/0/1 takes over to forward traffic as soon as the former master link recovers, while GE1/0/2 is automatically blocked and placed in the standby state. Load sharing mechanism: a ring network may carry traffic of multiple VLANs. Smart link can forward traffic of ...

  • Page 817

    1-6 A loop may occur on the network during the time when STP is disabled but smart link has not yet taken effect on a port. Configuring protected VLANs for a smart link group. Follow these steps to configure the protected VLANs for a smart link group: To do… | Use the command… | Remarks: Enter system view...

  • Page 819

    1-8 • The control VLAN configured for a smart link group must be different from that configured for any other smart link group. • Make sure that the configured control VLAN already exists, and assign the smart link group member ports to the control VLAN. • Do not remove the control VLAN. Otherwise, ...

  • Page 820

    1-9 Follow these steps to enable the receiving of flush messages: To do… | Use the command… | Remarks: Enter system view | system-view | —; Enter Ethernet interface view or Layer 2 aggregate interface view | interface interface-type interface-number | —; Configure the control VLANs for receiving flush messages | sma...

  • Page 821

    1-10 To do… | Use the command… | Remarks: Display information about the received flush messages | display smart-link flush | Available in any view; Clear the statistics about flush messages | reset smart-link statistics | Available in user view. Smart link configuration examples: single smart link group configura...

  • Page 822

    1-11 # Disable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately, and configure them as trunk ports that permit VLANs 1 through 30. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-Gi...

  • Page 823

    1-12 [DeviceD-GigabitEthernet1/0/2] quit # Create smart link group 1 and configure all VLANs mapped to MSTIs 0 through 2 as the protected VLANs. [DeviceD] smart-link group 1 [DeviceD-smlk-group1] protected-vlan reference-instance 0 to 2 # Configure GigabitEthernet 1/0/1 as the master port and Gigabi...

  • Page 824

    1-13 [DeviceE] interface gigabitethernet 1/0/2 [DeviceE-GigabitEthernet1/0/2] port link-type trunk [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 1 to 30 [DeviceE-GigabitEthernet1/0/2] smart-link flush enable [DeviceE-GigabitEthernet1/0/2] quit [DeviceE] interface gigabitethernet 1/0/3 [Devic...

  • Page 825

    1-14 Receiving interface of the last flush packet : GigabitEthernet1/0/3 Receiving time of the last flush packet : 16:25:21 2009/02/21 Device ID of the last flush packet : 000f-e23d-5af0 Control VLAN of the last flush packet : 1 Multiple smart link groups load sharing configuration example. Network r...

  • Page 826

    1-15 [DeviceC-GigabitEthernet1/0/1] port link-type trunk [DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200 [DeviceC-GigabitEthernet1/0/1] quit [DeviceC] interface gigabitethernet 1/0/2 [DeviceC-GigabitEthernet1/0/2] undo stp enable [DeviceC-GigabitEthernet1/0/2] port link-type trunk [De...

  • Page 827

    1-16 [DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 1 to 200 [DeviceB-GigabitEthernet1/0/1] smart-link flush enable control-vlan 10 101 [DeviceB-GigabitEthernet1/0/1] quit [DeviceB] interface gigabitethernet 1/0/2 [DeviceB-GigabitEthernet1/0/2] port link-type trunk [DeviceB-GigabitEthernet1/0...

  • Page 828

    1-17 # Display the smart link group configuration on Device C. [DeviceC] display smart-link group all Smart link group 1 information: Device ID: 000f-e23d-5af0 Preemption mode: role Control VLAN: 10 Protected VLAN: reference instance 0 Member | Role | State | Flush-count | Last-flush-time ------------------...

  • Page 829: Table of Contents

    Table of contents: 1 Monitor link configuration 1-1; Overview ...

  • Page 830: Monitor Link Configuration

    1-1 1 Monitor link configuration. When configuring monitor link, go to these sections for information you are interested in: • Overview • Configuring monitor link • Displaying and maintaining monitor link • Monitor link configuration example. Overview: monitor link is a port collaboration function. Mon...

  • Page 831: Configuring Monitor Link

    1-2 Configuring monitor link. Configuration prerequisites: before assigning a port to a monitor link group, make sure the port is not a member port of any aggregation group or service loopback group. Configuration procedure: follow these steps to configure monitor link: To do… | Use the command… | Remark...

  • Page 833

    1-4 [DeviceC-GigabitEthernet1/0/2] quit # Create smart link group 1 and configure it to protect all the VLANs mapped to MSTIs 0 through 15. [DeviceC] smart-link group 1 [DeviceC-smlk-group1] protected-vlan reference-instance 0 to 15 # Configure GigabitEthernet...

  • Page 834

    1-5 # Enable flush message receiving on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 separately. [DeviceD] interface gigabitethernet 1/0/1 [DeviceD-GigabitEthernet1/0/1] smart-link flush enable [DeviceD-GigabitEthernet1/0/1] quit [DeviceD] interface gigabitethernet 1/0/2 [DeviceD-GigabitEthernet1...

  • Page 835: Table of Contents

    Table of contents: 1 RRPP configuration 1-1; RRPP overview ...

  • Page 836: Rrpp Configuration

    1-1 1 RRPP configuration. When configuring RRPP, go to these sections for information you are interested in: • RRPP overview • RRPP configuration task list • Creating an RRPP domain • Configuring control VLANs • Configuring protected VLANs • Configuring RRPP rings • Activating an RRPP domain • Config...

  • Page 837

    1-2 Basic concepts in RRPP. Figure 1-1 RRPP networking diagram. RRPP domain: the interconnected devices with the same domain ID and control VLANs constitute an RRPP domain. An RRPP domain contains the following elements: primary ring, subring, control VLAN, master node, transit node, primary port, seco...

  • Page 838

IP address configuration is prohibited on the control VLAN interfaces. 2) Data VLAN: a data VLAN is a VLAN dedicated to transferring data packets. Both RRPP ports and non-RRPP ports can be assigned to a data VLAN. Node: each device on an RRPP ring is referred to as a node. The role of a node is co...

  • Page 839

Common port and edge port: the ports connecting the edge node and assistant-edge node to the primary ring are common ports. The ports connecting the edge node and assistant-edge node only to the subrings are edge ports. As shown in Figure 1-1, Device B and Device C lie on Ring 1 and Ring 2. Devi...

  • Page 840

RRPPDUs of subrings are transmitted as data packets in the primary ring, while RRPPDUs of the primary ring can only be transmitted within the primary ring. RRPP timers: when RRPP checks the link state of an Ethernet ring, the master node sends Hello packets out the primary port according to the H...

  • Page 841

while sending Common-Flush-FDB packets to instruct all the transit nodes, the edge nodes and the assistant-edge nodes to update their own MAC entries and ARP/ND entries. After each node updates its own entries, traffic is switched to the normal link. Ring recovery: the master node may find the rin...

  • Page 842

Typical RRPP networking. Here are several typical networking applications. Single ring: as shown in Figure 1-2, there is only a single ring in the network topology. In this case, you only need to define an RRPP domain. Figure 1-2 Schematic diagram for a single-ring network. Tangent rings: as shown ...

  • Page 843

Figure 1-4 Schematic diagram for an intersecting-ring network. Dual homed rings: as shown in Figure 1-5, there are two or more rings in the network topology and two similar common nodes between rings. In this case, you only need to define an RRPP domain, and configure one ring as the primary ring...

  • Page 844: RRPP Configuration Task List

Figure 1-6 Schematic diagram for a single-ring load balancing network (Domain 1, Ring 1, Device A, Device B, Device D, Device C, Domain 2). Intersecting-ring load balancing: in an intersecting-ring network, you can also achieve load balancing by configuring multiple domains. As shown in Figure 1-7, Ring ...

  • Page 845: Creating An RRPP Domain

Complete the following tasks to configure RRPP: Task / Remarks: Creating an RRPP domain: required; perform this task on all nodes in the RRPP domain. Configuring control VLANs: required; perform this task on all nodes in the RRPP domain. Configuring protected VLANs: required; perform this task on all no...

  • Page 846: Configuring Control VLANs

Configuring control VLANs. Before configuring RRPP rings in an RRPP domain, configure the same control VLANs for all nodes in the RRPP domain first. Perform this configuration on all nodes in the RRPP domain to be configured. Follow these steps to configure control VLANs: To do… Use the command…...

  • Page 847: Configuring RRPP Rings

Configuring RRPP rings. When configuring an RRPP ring, you must make some configurations on the ports connecting each node to the RRPP ring before configuring the nodes. • RRPP ports, that is, ports connecting devices to an RRPP ring, must be Layer-2 GE ports, Layer-2 XGE ports, or Layer-2 aggre...

  • Page 849

To do… Use the command… Remarks: Enter system view: system-view —. Enter RRPP domain view: rrpp domain domain-id —. Specify the current device as a transit node of the ring, and specify the primary port and the secondary port: ring ring-id node-mode transit [ primary-port interface-type interface-num...

  • Page 850: Activating An RRPP Domain

Activating an RRPP domain. To activate an RRPP domain on the current device, enable the RRPP protocol and RRPP rings for the RRPP domain on the current device. Perform this operation on all nodes in the RRPP domain. Follow these steps to activate an RRPP domain: To do… Use the command… Remarks: E...

  • Page 851

• The Fail timer value must be equal to or greater than three times the Hello timer value. • To avoid temporary loops when the primary ring fails in a dual-homed-ring network, ensure that the difference between the Fail timer value on the master node of the subring and that on the master node o...

  • Page 852: RRPP Configuration Examples

Displaying and maintaining RRPP. To do… Use the command… Remarks: Display brief RRPP information: display rrpp brief. Display RRPP group configuration information: display rrpp ring-group [ ring-group-id ]. Display detailed RRPP information: display rrpp verbose domain domain-id [ ring ring-id ]. Displ...

  • Page 853

system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] link-delay 0 [DeviceA-GigabitEthernet1/0/1] undo stp enable [DeviceA-GigabitEthernet1/0/1] port link-type trunk [DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all [DeviceA-GigabitEthernet1/0/1] qos trust...

  • Page 854

[DeviceB-GigabitEthernet1/0/2] qos trust dot1p [DeviceB-GigabitEthernet1/0/2] quit # Create RRPP domain 1, configure VLAN 4092 as the primary control VLAN of RRPP domain 1, and configure the VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1. [DeviceB] rrpp domain 1 [Dev...

  • Page 855

Figure 1-9 Network diagram for intersecting rings configuration. Configuration procedure: 1) Configuration on Device A. # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, a...

  • Page 856

[DeviceA-rrpp-domain1] quit # Enable RRPP. [DeviceA] rrpp enable 2) Configuration on Device B. # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, and ...

  • Page 857

# Enable RRPP. [DeviceB] rrpp enable 3) Configuration on Device C. # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as zero, disable STP, configure the ports as trunk ports, and assign them to all VLANs, an...

  • Page 858

[DeviceC] rrpp enable 4) Configuration on Device D. # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, and assign them to all VLANs, and configure them to trust the 802.1...

  • Page 859

[DeviceE] interface gigabitethernet 1/0/2 [DeviceE-GigabitEthernet1/0/2] link-delay 0 [DeviceE-GigabitEthernet1/0/2] undo stp enable [DeviceE-GigabitEthernet1/0/2] port link-type trunk [DeviceE-GigabitEthernet1/0/2] port trunk permit vlan all [DeviceE-GigabitEthernet1/0/2] qos trust dot1p [Devi...

  • Page 860

Figure 1-10 Network diagram for intersecting-ring load balancing configuration. Configuration procedure: 1) Configuration on Device A. # Create VLANs 10 and 20, map VLAN 10 to MSTI 1 and VLAN 20 to MSTI 2, and activate MST region configuration. system-view [DeviceA] vlan 10 [DeviceA-vlan10] quit [...

  • Page 861

[DeviceA-GigabitEthernet1/0/2] link-delay 0 [DeviceA-GigabitEthernet1/0/2] undo stp enable [DeviceA-GigabitEthernet1/0/2] port link-type trunk [DeviceA-GigabitEthernet1/0/2] undo port trunk permit vlan 1 [DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 10 20 [DeviceA-GigabitEthernet1/0/1] ...

  • Page 862

# Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of ...

  • Page 863

[DeviceB-rrpp-domain1] protected-vlan reference-instance 1 # Configure Device B as a transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1. [DeviceB-rrpp-domain1] ring 1 node-mode transi...

  • Page 864

VLAN 1, and assign them to VLAN 10 and VLAN 20, and configure them to trust the 802.1p precedence of the received packets. [DeviceC] interface gigabitethernet 1/0/1 [DeviceC-GigabitEthernet1/0/1] link-delay 0 [DeviceC-GigabitEthernet1/0/1] undo stp enable [DeviceC-GigabitEthernet1/0/1] port lin...

  • Page 865

# Configure Device C as the transit node of primary ring 1 in RRPP domain 1, with GigabitEthernet 1/0/1 as the primary port and GigabitEthernet 1/0/2 as the secondary port, and enable ring 1. [DeviceC-rrpp-domain1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigab...

  • Page 866

[DeviceD] interface gigabitethernet 1/0/1 [DeviceD-GigabitEthernet1/0/1] link-delay 0 [DeviceD-GigabitEthernet1/0/1] undo stp enable [DeviceD-GigabitEthernet1/0/1] port link-type trunk [DeviceD-GigabitEthernet1/0/1] undo port trunk permit vlan 1 [DeviceD-GigabitEthernet1/0/1] port trunk permit ...

  • Page 867

[DeviceE-vlan20] quit [DeviceE] stp region-configuration [DeviceE-mst-region] instance 2 vlan 20 [DeviceE-mst-region] active region-configuration [DeviceE-mst-region] quit # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero,...

  • Page 868

[DeviceF-mst-region] active region-configuration [DeviceF-mst-region] quit # Configure the suppression time of physical-link-state changes on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as zero, disable STP, configure the two ports as trunk ports, remove them from VLAN 1, and assign them to...

  • Page 869: Troubleshooting

8) Verification. After the configuration, you can use the display command to view RRPP configuration and operational information on each device. Troubleshooting. Symptom: when the link state is normal, the master node cannot receive Hello packets, and the master node unblocks the secondary port. ...

  • Page 870: Table of Contents

Table of contents: 1 DLDP configuration 1-1; Overview ...

  • Page 871: DLDP Configuration

1 DLDP Configuration. When performing DLDP configuration, go to these sections for information you are interested in: • Overview • DLDP configuration task list • Enabling DLDP • Setting DLDP mode • Setting the interval for sending Advertisement packets • Setting the DelayDown timer • Setting the ...

  • Page 872

Figure 1-2 Unidirectional fiber link: a fiber not connected or disconnected (Device A, Device B, PC; GE1/0/50, GE1/0/50, GE1/0/51, GE1/0/51). DLDP introduction: Device Link Detection Protocol (DLDP) can detect the link status of a fiber cable or twisted pair. On detecting a unidirectional link, DLDP can s...

  • Page 873

State / Indicates…: Disable: a port enters this state when: • a unidirectional link is detected; • the contact with the neighbor in enhanced mode gets lost. In this state, the port does not receive or send packets other than DLDPDUs. DelayDown: a port in the Active, Advertisement, or Probe DLDP link ...

  • Page 874

DLDP timer / Description: DelayDown timer: a device in the Active, Advertisement, or Probe DLDP link state transits to DelayDown state rather than removes the corresponding neighbor entry and transits to the Inactive state when it detects a port-down event. When a device transits to this state, the ...

  • Page 875

Figure 1-3 A case for enhanced DLDP mode. • In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected. • In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1). The...

  • Page 876

Table 1-4 DLDP packet types and DLDP states. DLDP state / Type of DLDP packets sent: Active: Advertisement packet with RSY tag. Advertisement: normal Advertisement packet. Probe: Probe packet. Disable: Disable packet and RecoverProbe packet. When a device transits from a DLDP state other than Inactive state...

  • Page 877

Packet type / Processing procedure: If the corresponding neighbor entry does not exist, creates the neighbor entry, triggers the entry timer, and transits to Probe state. If the neighbor information it carries conflicts with the corresponding locally maintained neighbor entry, drops the packet. Ech...

  • Page 878: DLDP Configuration Task List

The DLDP down port sends out a RecoverProbe packet, which carries only information about the local port, every two seconds. Upon receiving the RecoverProbe packet, the remote end returns a RecoverEcho packet. Upon receiving the RecoverEcho packet, the local port checks whether neighbor informati...

  • Page 879: Enabling DLDP

• To ensure unidirectional links can be detected, make sure these settings are the same on both sides: DLDP state (enabled/disabled), the interval for sending Advertisement packets, authentication mode, and password. • Keep the interval for sending Advertisement packets adequate to enable un...

  • Page 880: Setting The DelayDown Timer

Setting the interval for sending Advertisement packets. You can set the interval for sending Advertisement packets to enable unidirectional links to be detected in time. Follow these steps to set the interval for sending Advertisement packets: To do… Use the command… Remarks: Enter system view: sy...

  • Page 881: Resetting DLDP State

• Manual mode. This mode applies to networks with low performance, where normal links may be treated as unidirectional links. It protects service packet transmission against false unidirectional links. In this mode, DLDP only detects unidirectional links and generates logs and traps. The operati...

  • Page 882

user-defined port shutdown mode. To enable the port to perform DLDP detection again, you can reset the DLDP state of the port in one of the following methods: • If the port is shut down with the shutdown command manually, use the undo shutdown command on the port. • If the port is shut down by DLD...

  • Page 883: DLDP Configuration Example

To do… Use the command… Remarks: Clear the statistics on DLDP packets passing through a port: reset dldp statistics [ interface-type interface-number ]; available in user view. DLDP configuration example. Network requirements: • Device A and Device B are connected through tw...

  • Page 884: Troubleshooting

[DeviceA] dldp work-mode enhance # Set the port shutdown mode as auto mode. [DeviceA] dldp unidirectional-shutdown auto # Enable DLDP globally. [DeviceA] dldp enable # Check the information about DLDP. [DeviceA] display dldp DLDP global status : enable DLDP interval : 6s DLDP work-mode : enhanc...

  • Page 885

Analysis: the problem can be caused by the following. • The intervals for sending Advertisement packets on Device A and Device B are not the same. • DLDP authentication modes/passwords on Device A and Device B are not the same. Solution: make sure the interval for sending Advertisement packets,...

  • Page 886: Table of Contents

Table of contents: 1 Ethernet OAM configuration 1-1; Ethernet OAM overview ...

  • Page 887: Ethernet OAM Configuration

1 Ethernet OAM Configuration. When configuring the Ethernet OAM function, go to these sections for information you are interested in: • Ethernet OAM overview • Ethernet OAM configuration task list • Configuring basic Ethernet OAM functions • Configuring link monitoring • Enabling OAM remote loopb...

  • Page 888

Figure 1-1 Formats of different types of Ethernet OAMPDUs. The fields in an OAMPDU are described as follows: Table 1-1 Description of the fields in an OAMPDU. Field / Description: Dest addr: destination MAC address of the Ethernet OAMPDU. It is a slow protocol multicast address 0180c2000002. As slow p...

  • Page 889

Table 1-2 Functions of different types of OAMPDUs. OAMPDU type / Function: Information OAMPDU: used for transmitting state information of an Ethernet OAM entity (including the information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and main...

  • Page 890

• OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait and respond to the connection requests sent by their peers. • No OAM connection can be established between OAM entities operating in passive OAM mode. After an Etherne...

  • Page 891

• The system transforms the period of detecting errored frame period events into the maximum number of 64-byte frames that a port can send in the specific period, that is, the system takes the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this...

  • Page 892: Configuring Link Monitoring

Task / Remarks: Configuring basic Ethernet OAM functions: required. Configuring link monitoring: configuring errored symbol event detection: optional; configuring errored frame event detection: optional; configuring errored frame period event detection: optional; configuring errored frame seconds event dete...

  • Page 893

Configuring errored symbol event detection. An errored symbol event occurs when the number of detected symbol errors over a specific detection interval exceeds the predefined threshold. Follow these steps to configure errored symbol event detection: To do… Use the command… Remarks: Enter system vi...

  • Page 894: Enabling OAM Remote Loopback

Follow these steps to configure errored frame seconds event detection: To do… Use the command… Remarks: Enter system view: system-view —. Configure the errored frame seconds event detection interval: oam errored-frame-seconds period period-value; optional, 60 seconds by default. Configure the errored fr...

  • Page 895

• Ethernet OAM remote loopback is available only after the Ethernet OAM connection is established and can be performed only by the Ethernet OAM entities operating in active Ethernet OAM mode. • Remote loopback is available only on full-duplex links that support remote loopback at both ends. • Et...

  • Page 896

Figure 1-2 Network diagram for Ethernet OAM configuration. Configuration procedure: 1) Configure Device A. # Configure GigabitEthernet 1/0/1 to operate in passive Ethernet OAM mode and enable Ethernet OAM for it. system-view [DeviceA] interface gigabitethernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] ...

  • Page 897

You can use the display oam link-event command to display the statistics about Ethernet OAM link events and use the display oam critical-event command to display the Ethernet OAM configuration information. For example: # Display the statistics of Ethernet OAM critical link events on all the por...

  • Page 898: Table of Contents

Table of contents: 1 Connectivity fault detection configuration 1-1; Overview ...

  • Page 899: Overview

1 Connectivity Fault Detection Configuration. When configuring CFD, go to these sections for information you are interested in: • Overview • CFD configuration task list • Basic configuration tasks • Configuring CC on MEPs • Configuring LB on MEPs • Configuring LT on MEPs • Displaying and maintain...

  • Page 900

Figure 1-1 Two nested MDs. CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to locate failure points rapidly. Maintenance association: a maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is i...

  • Page 901

Figure 1-2 Outward-facing MEP. Figure 1-3 Inward-facing MEP. • MIP: a MIP is internal to an MD. It cannot send CFD packets actively; however, it can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received. By cooperating wit...

  • Page 902

Figure 1-4 Levels of MPs. Basic functions of CFD: CFD works effectively only in properly-configured networks. Its functions, which are implemented through the MPs, include: • continuity check (CC); • loopback (LB); • linktrace (LT). Continuity check: continuity check is responsible for checking the c...

  • Page 903: CFD Configuration Task List

source MEP can identify the path to the destination MEP. Note that LTMs are multicast frames while LTRs are unicast frames. Protocols and standards: the CFD function is implemented in accordance with IEEE P802.1ag. CFD configuration task list: for CFD to work effectively, you should first design t...

  • Page 904

Based on the network design, you should configure MEPs or the rules for generating MIPs on each device. However, before doing this you must first configure the service instance. Configuring service instance: a service instance is indicated by an integer to represent an MA in an MD. The MD and MA ...

  • Page 905: Configuring CC On MEPs

To do... Use the command... Remarks: Configure a remote MEP for a MEP in the same service instance: cfd remote-mep remote-mep-id service-instance instance-id mep mep-id; required, no remote MEP is configured for a MEP by default. Enable the MEP: cfd mep service-instance instance-id mep mep-id enable ...

  • Page 906: Configuring LB On MEPs

Configuration prerequisites: before configuring this function, you should first complete the MEP configuration. Configuration procedure: follow these steps to configure CC on a MEP: To do... Use the command... Remarks: Enter system view: system-view —. Configure the interval field value in the CCM mess...

  • Page 908: CFD Configuration Examples

Displaying and maintaining CFD. To do... Use the command... Remarks: Display CFD status: display cfd status; available in any view. Display MD configuration information: display cfd md; available in any view. Display MA configuration information: display cfd ma [ [ ma-name ] md md-name ]; available in any ...

  • Page 909

Figure 1-5 Network diagram for MD configuration. Configuration procedure: 1) Configuration on Device A (configuration on Device E is the same as that on Device A). system-view [DeviceA] cfd enable [DeviceA] cfd md MD_A level 5 [DeviceA] cfd ma MA_MD_A md MD_A vlan 100 [DeviceA] cfd service-instanc...

  • Page 910

• Decide the remote MEP for each MEP, and enable these MEPs. According to the network diagram as shown in Figure 1-6, perform the following configurations: • In MD_A, there are three edge ports: GigabitEthernet 1/0/1 on Device A, GigabitEthernet 1/0/3 on Device D and GigabitEthernet 1/0/4 on D...

  • Page 911

[DeviceD-GigabitEthernet1/0/3] cfd remote-mep 1001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd remote-mep 5001 service-instance 1 mep 4002 [DeviceD-GigabitEthernet1/0/3] cfd mep service-instance 1 mep 4002 enable [DeviceD-GigabitEthernet1/0/3] cfd cc service-instance 1 mep 40...

  • Page 912

Configuration procedure: 1) Configure Device B. system-view [DeviceB] cfd mip-rule explicit service-instance 1 2) Configure Device C. system-view [DeviceC] cfd mip-rule default service-instance 2 After the above operation, you can use the display cfd mp command to verify your configuration. Config...

  • Page 913: Table of Contents

Table of contents: 1 Track configuration 1-1; Track overview ...

  • Page 914: Track Configuration

1 Track Configuration. When configuring Track, go to these sections for information you are interested in: • Track overview • Track configuration task list • Configuring collaboration between the Track module and the detection modules • Configuring collaboration between the Track module and the a...

  • Page 915: Detection Modules

At present, the only detection module that can collaborate with the Track module is the Network Quality Analyzer (NQA). Refer to NQA Configuration in the System Volume for details of NQA. Collaboration between the Track module and the application modules: you can establish the collaboration between t...

  • Page 916: Application Modules

Configuring collaboration between the Track module and the application modules. Configuring Track-static routing collaboration: you can check the validity of a static route in real time by establishing collaboration between Track and static routing. If you specify the next hop but not the egress i...

  • Page 918

# Configure reaction entry 1, specifying that five consecutive probe failures trigger the static routing-Track-NQA collaboration. [SwitchA-nqa-admin-test-icmp-echo] reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only [SwitchA-nqa-admin-test-icmp-echo] quit...

  • Page 919

# Display the routing table of Switch A. [SwitchA] display ip routing-table Routing Tables: Public Destinations : 4 Routes : 4 Destination/Mask Proto Pre Cost NextHop Interface 10.2.1.0/24 Direct 0 0 10.2.1.2 Vlan3 10.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0...

  • Page 920: System Volume Organization

System Volume Organization. Manual version 20090930-C-1.01; product version Release 2202. Organization: the System Volume is organized as follows: Features / Description: Login: upon logging into a device, you can configure user interface properties and manage the system conveniently. This document describe...

  • Page 921

Features / Description: File system management: a major function of the file system is to manage storage devices, mainly including creating the file system, creating, deleting, modifying and renaming a file or a directory and opening a file. This document describes: • file system management • configurat...

  • Page 922

Features / Description: PoE: the Power over Ethernet (PoE) feature enables the power sourcing equipment (PSE) to feed powered devices (PDs) from Ethernet ports through twisted pair cables. This document describes: • PoE overview • configuring the PoE interface • configuring PoE power management • config...

  • Page 923

Features / Description: Stack management: a stack is a set of network devices. Administrators can group multiple network devices into a stack and manage them as a whole. Therefore, stack management can help reduce customer investments and simplify network management. This document describes: • stack con...

  • Page 924: Table of Contents

Table of contents: 1 Logging in to an Ethernet switch 1-1; Logging in to an Ethernet switch ...

  • Page 925

Specifying source IP address/interface for Telnet packets 6-1; Displaying the source IP address/interface specified for Telnet packets 6-2; 7 Controlling login users ...

  • Page 926

1 Logging In to an Ethernet Switch. When logging in to an Ethernet switch, go to these sections for information you are interested in: • Logging in to an Ethernet switch • Introduction to user interface • Specifying source for Telnet packets • Controlling login users. Logging in to an Ethernet swi...

  • Page 927

Users and user interfaces: a device can support one AUX port and multiple Ethernet interfaces, and thus multiple user interfaces are supported. These user interfaces do not associate with specific users. • When the user initiates a connection request, based on the login type the system automatic...

  • Page 928

To do… Use the command… Remarks: Display the information about the current user interface/all user interfaces: display users [ all ]; you can execute this command in any view. Display the physical attributes and configuration of the current/a specified user interface: display user-interface [ type n...

  • Page 929: Introduction

2 Logging In Through the Console Port. When logging in through the console port, go to these sections for information you are interested in: • Introduction • Setting up the connection to the console port • Console port login configuration • Console port login configuration with authentication mod...

  • Page 930

• If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9x/Windows 2000/Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, the para...

  • Page 931

Figure 2-4 Set port parameters terminal window. • Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key. • You can then configure the switch or check t...

  • Page 933: None

Authentication mode / Configuration / Description: Configure to authenticate users using the local password: password; set the local password; refer to Console port login configuration with authentication mode being password for details. Configure to authenticate users locally or remotely: configure the ...

  • Page 934

• The timeout time of the AUX user interface is 6 minutes. Network diagram: Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none). Configuration procedure: # Enter system view. system-view # Enter AUX user interface view. [Sysname] user-interface ...

  • Page 935: Password

Console port login configuration with authentication mode being password. Configuration procedure: follow these steps to perform console port login configuration (with authentication mode being password): To do… Use the command… Remarks: Enter system view: system-view —. Enter AUX user interface view...

  • Page 936

Network diagram: Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being password). Configuration procedure: # Enter system view. system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate the user logging in thr...

  • Page 937: Scheme

Console port login configuration with authentication mode being scheme. Configuration procedure: follow these steps to perform console port login configuration (with authentication mode being scheme): To do… Use the command… Remarks: Enter system view: system-view —. Enter AUX user interface view: use...

  • Page 938

Note that, when you log in to an Ethernet switch using the scheme authentication mode, your access rights depend on your user level defined in the AAA scheme. When the local authentication mode is used, the user levels are specified using the authorization-attribute level level command. When th...

  • Page 939

    2-11 # create a local user named guest and enter local user view. [sysname] local-user guest # set the authentication password to 123456 (in plain text). [sysname-luser-guest] password simple 123456 # set the service type to terminal. [sysname-luser-guest] service-type terminal [sysname-luser-guest]...

  • Page 940: Logging In Through Telnet

    3-1 3 logging in through telnet/ssh logging in through telnet when logging in through telnet, go to these sections for information you are interested in: z introduction z telnet connection establishment z telnet login configuration with authentication mode being none z...

  • Page 941

    3-2 [sysname] telnet server enable [sysname] interface vlan-interface 1 [sysname-vlan-interface1] ip address 202.38.160.92 255.255.255.0 step 2: before telnet users can log in to the switch, corresponding configurations should have been performed on the switch according to different authentication m...

  • Page 942

    3-3 z a telnet connection will be terminated if you delete or modify the ip address of the vlan interface in the telnet session. Z by default, commands of level 0 are available to telnet users authenticated by password. Refer to basic system configuration in the system volume for information about c...

  • Page 943

    3-4 table 3-2 common telnet configuration configuration remarks enter system view system-view — make the switch operate as a telnet server telnet server enable by default, a switch does not operate as a telnet server enter one or more vty user interface views user-interface vty first-number [ las...

  • Page 944

    3-5 table 3-3 telnet login configuration tasks when different authentication modes are adopted task description telnet login configuration with authentication mode being none configure not to authenticate users logging in user interfaces telnet login configuration with authentication mode being pass...

  • Page 945

    3-6 figure 3-4 network diagram for telnet configuration (with the authentication mode being none) 3) configuration procedure # enter system view, and enable the telnet service. System-view [sysname] telnet server enable # enter vty 0 user interface view. [sysname] user-interface vty 0 # configure no...

  • Page 946

    3-7 configuration example 1) network requirements assume that you are a level 3 aux user and want to perform the following configuration for telnet users logging in to vty 0: z authenticate users logging in to vty 0 using the local password. Z set the local password to 123456 (in plain text). Z comm...

  • Page 947

    3-8 telnet login configuration with authentication mode being scheme configuration procedure follow these steps to perform telnet configuration (with authentication mode being scheme): to do… use the command… remarks enter system view system-view — enter one or more vty user interface views user-int...

  • Page 948

    3-9 for more information about aaa, radius, and hwtacacs, see aaa configuration in the security volume. Configuration example 1) network requirements assume that you are a level 3 aux user and want to perform the following configuration for telnet users logging in to vty 0: z configure the name of t...

  • Page 949: Logging In Through Ssh

    3-10 # configure telnet protocol is supported. [sysname-ui-vty0] protocol inbound telnet # set the maximum number of lines the screen can contain to 30. [sysname-ui-vty0] screen-length 30 # set the maximum number of commands the history command buffer can store to 20. [sysname-ui-vty0] history-comma...

  • Page 950: Management System

    4-1 4 logging in through web-based network management system introduction an s5500-si series switch has a built-in web server. You can log in to an s5500-si series switch through a web browser and manage and maintain the switch intuitively by interacting with the built-in web server. To log in to an...

  • Page 951: Displaying Web Users

    4-2 to do… use the command… remarks configure the authorization attributes for the local user authorization-attribute level level optional by default, no authorization attribute is configured for a local user. Specify the service types for the local user service-type telnet optional by default, no s...

  • Page 952

    4-3 step 4: log in to the switch through ie. Launch ie on the web-based network management terminal (your pc) and enter the ip address of the management vlan interface of the switch (here it is http://10.153.17.82). (make sure the route between the web-based network management terminal and the switc...

  • Page 953: Logging In Through Nms

    5-1 5 logging in through nms when logging in through nms, go to these sections for information you are interested in: z introduction z connection establishment using nms introduction you can also log in to a switch through an nms (network management station), and then configure and manage the switch...

  • Page 954: Introduction

    6-1 6 specifying source for telnet packets when specifying source ip address/interface for telnet packets, go to these sections for information you are interested in: z introduction z specifying source ip address/interface for telnet packets z displaying the source ip address/interface specified for...

  • Page 956: Controlling Login Users

    7-1 7 controlling login users when controlling login users, go to these sections for information you are interested in: z introduction z controlling telnet users z controlling network management users by source ip addresses introduction multiple ways are available for controlling different types of ...

  • Page 959

    7-4 [sysname] acl number 2000 match-order config [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [sysname-acl-basic-2000] rule 3 deny source any [sysname-acl-basic-2000] quit # apply the acl. [sysname] user-interface vty 0 4...

  • Page 961

    7-6 controlling web users by source ip addresses the s5500-si series ethernet switches support web-based remote management, which allows web users to access the switches using the http protocol. By referencing access control lists (acls), you can control the access of web users to the switches. Prer...

  • Page 962

    7-7 figure 7-3 configure an acl to control the access of http users to the switch switch 10.110.100.46 host a ip network host b 10.110.100.52 configuration procedure # create a basic acl. System-view [sysname] acl number 2030 match-order config [sysname-acl-basic-2030] rule 1 permit source 10.110.10...

  • Page 963: Table of Contents

    I table of contents 1 basic configurations·································································································································1-1 configuration display ·······································································································...

  • Page 964: Basic Configurations

    1-1 1 basic configurations while performing basic configurations of the system, go to these sections for information you are interested in: z configuration display z basic configurations z cli features configuration display to avoid duplicate configuration, you can use the display commands to view t...

  • Page 965

    1-2 z configuring the device name z configuring the system clock z enabling/disabling the display of copyright information z configuring a banner z configuring cli hotkeys z configuring user privilege levels and command levels z displaying and maintaining basic configurations entering/exiting system...

  • Page 967

    1-4 configuration system clock displayed by the display clock command example if the original system clock is not in the daylight saving time range, the original system clock is displayed. Configure: clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2 display: 01:00:00 utc sat 01/01/2005 3 if...

  • Page 968

    1-5 configuration system clock displayed by the display clock command example if the value of "date-time"±"zone-offset" is not in the summer-time range, "date-time"±"zone-offset" is displayed. Configure: clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:...

  • Page 969

    1-6 to do… use the command… remarks disable the display of copyright information undo copyright-info enable required enabled by default. Configuring a banner introduction to banners banners are prompt information displayed by the system when users are connected to the device, perform login authentic...

  • Page 970

    1-7 follow these steps to configure a banner: to do… use the command… remarks enter system view system-view — configure the banner to be displayed at login (available for modem login users) header incoming text optional configure the banner to be displayed at login authentication header login text o...

  • Page 971

    1-8 hotkey function ctrl+f moves the cursor one character to the right. Ctrl+h deletes the character to the left of the cursor. Ctrl+k terminates an outgoing connection. Ctrl+n displays the next command in the history command buffer. Ctrl+p displays the previous command in the history command buffer...

  • Page 972

    1-9 the command alias function well meets the users’ requirements for preferred form of frequently used commands, and thus facilitates network configurations as well as respects users' usage habits. Follow these steps to configure command aliases: to do… use the command… remarks enter system view sy...

  • Page 973

    1-10 level privilege description 1 monitor includes commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings. Commands at ...

  • Page 974

    1-11 to do… use the command… remarks using remote authentication (radius, hwtacacs, and ldap authentications) configure user level on the authentication server z for remote authentication, if you do not configure the user level, the user level depends on the default configuration of the authenticat...

  • Page 975

    1-12 to do… use the command… remarks configure the authentication type for ssh users as publickey for the details, refer to ssh2.0 configuration in the security volume. Required if users adopt the ssh login mode, and only username, instead of password is needed at authentication. After the configura...

  • Page 976

    1-13 by default, when users telnet to the device, they can only use the following commands after passing the authentication: ? User view commands: cluster run cluster command display display current system information ping ping function quit exit from current command view ssh2 establish a secure she...

  • Page 977

    1-14 reauthentication, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters; after switching the user privilege level to 0, the user can only execute some simple commands, like ping and tracert, and only ...

  • Page 978

    1-15 to do… use the command… remarks enter system view system-view — configure the command level in a specified view command-privilege level level view view command required refer to table 1-3 for the default settings. You are recommended to use the default command level or modify the command level ...

  • Page 979: Cli Features

    1-16 z for the detailed description of the display users command, refer to login commands in the system volume. Z support for the display configure-user and display current-configuration command depends on the device model. Z the display commands discussed above are for the global configuration. Ref...

  • Page 980

    1-17 to obtain the desired help information, you can: 1) enter ? in any view to access all the commands in this view and brief description about them as well. ? User view commands: backup backup next startup-configuration file to tftp server boot-loader set boot loader bootrom update/read/backup/res...

  • Page 981

    1-18 first.). If you repeatedly press tab, all the keywords starting with the letter that you enter are displayed in cycles. Synchronous information output synchronous information output refers to the feature that if the user’s input is interrupted by system output, then after the completion of syst...

  • Page 982

    1-19 when editing the command line, you can use other shortcut keys (for details, see table 1-2 ) besides the shortcut keys defined in table 1-4 , or you can define shortcut keys by yourself. (for details, see configuring cli hotkeys .) cli display by filtering the output information, you can find t...

  • Page 984

    1-21 character meaning remarks \bcharacter2 used to match character1character2. Character1 can be any character except a number, letter or underline, and \b equals [^A-Za-z0-9_]. For example, \ba can match -a, where - represents character1 and a represents character2; while \ba cannot match “2a” or “b...

  • Page 985

    1-22 table 1-6 display functions action function press space when information display pauses continues to display information of the next screen page. Press enter when information display pauses continues to display information of the next line. Press ctrl+c when information display pauses stops the...

  • Page 986

    1-23 command line error information the commands are executed only if they have no syntax error. Otherwise, error information is reported. Table 1-7 lists some common errors. Table 1-7 common command line errors error information cause the command was not found. The keyword was not found. Parameter ...

  • Page 987: Table of Contents

    I table of contents 1 device management ··································································································································1-1 device management overview ···································································································...

  • Page 988: Device Management

    1-1 1 device management when configuring device management, go to these sections for information you are interested in: z device management overview z device management configuration task list z configuring the exception handling method z rebooting a device z configuring the scheduled automatic exec...

  • Page 989: Rebooting A Device

    1-2 z maintain: the system maintains the current situation, and does not take any measure to recover itself. Therefore, you need to recover the system manually, such as reboot the system. Sometimes, it is difficult for the system to recover, or some prompts that are printed during the failure are lo...

  • Page 990

    1-3 z device reboot may result in the interruption of the ongoing services. Use these commands with caution. Z before device reboot, use the save command to save the current configurations. For details about the save command, refer to file system configuration in the system volume. Z before device r...

  • Page 991: Upgrading Device Software

    1-4 characters need to be input, the system automatically inputs a default character string, or inputs an empty character string when there is no default character string. Z for the commands used to switch user interfaces, such as telnet, ftp, and ssh2, the commands used to switch views, such as sys...

  • Page 992: Disabling Boot Rom Access

    1-5 2) upgrading the boot rom program through command lines. 3) reboot the device to make the specified boot rom program take effect. Follow these steps to upgrade the boot rom program: to do… use the command… remarks enter system view system-view — enable the validity check function when upgrading ...

  • Page 993

    1-6 whether you press ctrl+b or not, the system does not enter the boot rom menu, but enters the command line configuration interface directly. In addition, you need to set the boot rom access password when you enter the boot rom menu for the first time to protect the boot rom against operations of ...

  • Page 994

    1-7 to do… use the command… remarks clear the 16-bit interface indexes saved but not used in the current system reset unused porttag required available in user view. A confirmation is required when you execute this command. If you fail to make a confirmation within 30 seconds or enter n to cancel th...

  • Page 995

    1-8 to do… use the command… remarks display key parameters of the pluggable transceiver(s) display transceiver interface [ interface-type interface-number ] available for all pluggable transceivers. Display part of the electrical label information of the anti-spoofing transceiver(s) customized by h3...

  • Page 996

    1-9 to do… use the command… remarks display electrical label information of the device display device manuinfo available in any view display the temperature information of devices display environment available in any view display the operating state of fans in a device display fan fan-id available i...

  • Page 997

    1-10 figure 1-2 network diagram for remote scheduled automatic upgrade configuration procedure 1) configuration on the ftp server (note that configurations may vary with different types of servers) z set the access parameters for the ftp client (including enabling the ftp server function, setting th...

  • Page 998

    1-11 [ftp] get auto-update.txt # download file new-config.cfg on the ftp server. [ftp] get new-config.cfg # download file soft-version2.bin on the ftp server. [ftp] binary [ftp] get soft-version2.bin [ftp] bye # modify the extension of file auto-update.txt as .bat. rename auto-update.txt auto-update....

  • Page 999: Table of Contents

    I table of contents 1 file system management configuration ·································································································1-1 file system management ·····················································································································...

  • Page 1000: File System Management

    1-1 1 file system management configuration when configuring file system management, go to these sections for information you are interested in: z file system management z configuration file management z displaying and maintaining device configuration file system management this section covers these ...

  • Page 1001

    1-2 format description length example drive:/[path]/file-name specifies a file in the specified storage medium on the device. Drive represents the storage medium name. The s5500-si series switches use flashes as their storage media. 1 to 135 characters flash:/test/a.cfg: indicates that a file named...

  • Page 1002

    1-3 z the directory to be removed must be empty, meaning that before you remove a directory, you must delete all the files and the subdirectory under this directory. For file deletion, refer to the delete command; for subdirectory deletion, refer to the rmdir command. Z after you execute the rmdir c...

  • Page 1003

    1-4 copying a file to do… use the command… remarks copy a file copy fileurl-source fileurl-dest required available in user view moving a file to do… use the command… remarks move a file move fileurl-source fileurl-dest required available in user view deleting a file to do… use the command… remarks m...

  • Page 1004

    1-5 to do… use the command… remarks delete the file under the current directory and in the recycle bin reset recycle-bin [ /force ] required available in user view batch operations a batch file is a set of executable commands. Executing a batch file equals executing the commands in the batch file on...

  • Page 1005

    1-6 when you format a storage medium, all the files stored on it are erased and cannot be restored. In particular, if there is a startup configuration file on the storage medium, formatting the storage medium results in loss of the startup configuration file. Setting file system prompt modes the fil...

  • Page 1006

    1-7 0 drw- - feb 16 2006 15:28:14 mytest 15240 kb total (2521 kb free) # return to the upper directory. Cd .. # display the current working directory. Pwd flash: configuration file management the device provides the configuration file management function with a user-friendly command line interface (...

  • Page 1007

    1-8 coexistence of multiple configuration files multiple configuration files can be stored on a storage medium of a device. You can save the configuration used in different environments as different configuration files. In this case, when the device moves between these networking environments, you j...

  • Page 1008

    1-9 the fast saving mode is suitable for environments where power supply is stable. The safe mode, however, is preferred in environments where stable power supply is unavailable or remote maintenance is involved. Follow the steps below to save the current configuration: to do… use the command… remar...

  • Page 1009

    1-10 a configuration file must use .cfg as its extension name and the startup configuration file must be saved under the root directory of the storage medium. Backing up the startup configuration file the backup function allows you to copy the startup configuration file to be used at the next system...

  • Page 1012: Ftp Configuration

    2-1 2 ftp configuration when configuring ftp, go to these sections for information you are interested in: z ftp overview z configuring the ftp client z configuring the ftp server z displaying and maintaining ftp ftp overview introduction to ftp the file transfer protocol (ftp) is an application laye...

  • Page 1013

    2-2 table 2-1 configuration when the device serves as the ftp client device configuration remarks device (ftp client) use the ftp command to establish the connection to the remote ftp server if the remote ftp server supports anonymous ftp, the device can log in to it directly; if not, the device mus...

  • Page 1014: Configuring The Ftp Client

    2-3 configuring the ftp client establishing an ftp connection to access an ftp server, an ftp client must establish a connection with the ftp server. Two ways are available to establish a connection: using the ftp command to establish the connection directly; using the open command in ftp client vie...

  • Page 1015

    2-4 z if no primary ip address is configured on the specified source interface, no ftp connection can be established. Z if you use the ftp client source command to first configure the source interface and then the source ip address of the transmitted packets, the newly configured source ip address w...

  • Page 1016

    2-5 to do… use the command… remarks exit the current directory and enter the upper level directory cdup optional view the detailed information of the files/directories on the ftp server dir [ remotefile [ localfile ] ] optional view the names of the files/directories on the ftp server ls [ remotefil...

  • Page 1017

    2-6 ftp client configuration example network requirements z as shown in figure 2-2 , use device as an ftp client and pc as the ftp server. Their ip addresses are 10.2.1.1/16 and 10.1.1.1/16 respectively. An available route exists between device and pc. Z device downloads a startup file from pc for d...

  • Page 1018: Configuring The Ftp Server

    2-7 226 transfer complete. Ftp: 3494 byte(s) sent in 5.646 second(s), 618.00 byte(s)/sec. [ftp] bye # specify newest.bin as the main startup file to be used at the next startup. Boot-loader file newest.bin main # reboot the device, and the startup file is updated at the system reboot. Reboot the sta...

  • Page 1020

    2-9 z for more information about the local-user, password, service-type ftp, and authorization-attribute commands, refer to aaa commands in the security volume. Z when the device serves as the ftp server, if the client is to perform the write operations (upload, delete, create, and delete for exampl...

  • Page 1021

    2-10 dir directory of flash:/ 0 drw- - dec 07 2005 10:00:57 filename 1 drw- - jan 02 2006 14:27:51 logfile 2 -rw- 1216 jan 02 2006 14:28:59 config.cfg 3 -rw- 1216 jan 02 2006 16:27:26 back.cfg 15240 kb total (2511 kb free) delete /unreserved flash:/back.cfg 2) configure the pc (ftp client) # log in ...

  • Page 1022

    2-11 the startup file used for the next startup must be saved under the root directory of the storage medium. You can copy or move a file to the root directory of the storage medium. For the details of the boot-loader command, refer to device management commands in the system volume. Displaying and ...

  • Page 1023: Tftp Configuration

    3-1 3 tftp configuration when configuring tftp, go to these sections for information you are interested in: z tftp overview z configuring the tftp client z displaying and maintaining the tftp client z tftp client configuration example tftp overview introduction to tftp the trivial file transfer prot...

  • Page 1024: Configuring The Tftp Client

    3-2 when the device serves as the tftp client, you need to perform the following configuration: table 3-1 configuration when the device serves as the tftp client device configuration remarks device (tftp client) z configure the ip address and routing function, and ensure that the route between the d...

  • Page 1025

    3-3 follow these steps to configure the tftp client: to do… use the command… remarks enter system view system-view — use an acl to control the device’s access to tftp servers tftp-server [ ipv6] acl acl-number optional by default, no acl is used to control the device’s access to tftp servers. Config...

  • Page 1026

    3-4 z device downloads a startup file from pc for upgrading and uploads a configuration file named config.cfg to pc for backup. Figure 3-2 smooth upgrading using the tftp client function configuration procedure 1) configure pc (tftp server), the configuration procedure is omitted. Z on the pc, enabl...

  • Page 1027: Table of Contents

    I table of contents 1 http configuration···································································································································1-1 http overview················································································································...

  • Page 1028: Http Configuration

    1-1 1 http configuration when configuring http, go to these sections for information you are interested in: z http overview z enabling the http service z http configuration z associating the http service with an acl z displaying and maintaining http http overview the hypertext transfer protocol (htt...

  • Page 1029

    1-2 follow these steps to enable the http service: to do… use the command… remarks enter system view system-view — enable the http service ip http enable required configuring the port number of the http service configuration of the port number of the http service can reduce the attacks from illegal ...

  • Page 1030: Https Configuration

    2-1 2 https configuration when configuring https, go to these sections for information you are interested in: z https overview z https configuration task list z associating the https service with an ssl server policy z enabling the https service z associating the https service with a certificate att...

  • Page 1031: Enabling The Https Service

    2-2 configuration task remarks configuring the port number of the https service optional associating the https service with an acl optional associating the https service with an ssl server policy you need to associate the https service with a created ssl server policy before enabling the https servi...

  • Page 1032: Control Policy

    2-3 z after the https service is enabled, you can use the display ip https command to view the state of the https service and verify the configuration. Z enabling of the https service will trigger an ssl handshake negotiation process. During the process, if the local certificate of the device alread...

  • Page 1033: Https Configuration Example

    2-4 to do… use the command… remarks enter system view system-view — configure the port number of the https service ip https port port-number optional by default, the port number of the https service is 443. If you execute the ip https port command for multiple times, the last configured port number ...

  • Page 1034

    2-5 figure 2-1 network diagram for https configuration configuration procedure perform the following configurations on device: 1) apply for a certificate for device # configure a pki entity. System-view [device] pki entity en [device-pki-entity-en] common-name http-server1 [device-pki-entity-en] fqd...

  • Page 1035

    2-6 # configure certificate access control policy myacp and create a control rule. [device] pki certificate access-control-policy myacp [device-pki-cert-acp-myacp] rule 1 permit mygroup1 [device-pki-cert-acp-myacp] quit 4) reference an ssl server policy # associate the https service with the ssl ser...

  • Page 1036: Table of Contents

    I table of contents 1 snmp configuration··································································································································1-1 snmp overview·················································································································...

  • Page 1037: Snmp Configuration

    1-1 1 snmp configuration when configuring snmp, go to these sections for information you are interested in: z snmp overview z snmp configuration z configuring snmp logging z snmp trap configuration z displaying and maintaining snmp z snmp configuration example z snmp logging configuration example sn...

  • Page 1038

    1-2 snmp protocol version currently, snmp agents support snmpv3 and are compatible with snmpv1 and snmpv2c. Z snmpv1 uses community name for authentication, which defines the relationship between an snmp nms and an snmp agent. Snmp packets with community names that did not pass the authentication on...

  • Page 1039: Snmp Configuration

    1-3 figure 1-2 mib tree snmp configuration as configurations for snmpv3 differ substantially from those of snmpv1 and snmpv2c, their snmp functionalities are introduced separately below. Follow these steps to configure snmpv3: to do… use the command… remarks enter system view sy...

  • Page 1040

    1-4 to do… use the command… remarks configure the maximum size of an snmp packet that can be received or sent by an snmp agent snmp-agent packet max-size byte-count optional 1,500 bytes by default configure the engine id for a local snmp agent snmp-agent local-engineid engineid optional company id a...

  • Page 1042: Snmp Trap Configuration

    1-6 z logs occupy storage space of the device, thus affecting the performance of the device. Therefore, it is recommended to disable snmp logging. Z the size of snmp logs cannot exceed that allowed by the information center, and the total length of the node field and value field of each log record c...

  • Page 1043

    1-7 to enable an interface to send linkup/linkdown traps when its state changes, you need to enable the trap function of interface state changes on an interface and globally. Use the enable snmp trap updown command to enable the trap function on an interface, and use the snmp-agent trap enable [ sta...

  • Page 1044

    1-8 to do… use the command… remarks configure the holding time of the traps in the queue snmp-agent trap life seconds optional 120 seconds by default z an extended linkup/linkdown trap is the standard linkup/linkdown trap (defined in rfc) appended with interface description and interface type inform...

  • Page 1045: Snmp Configuration Example

    1-9 snmp configuration example network requirements z the nms connects to the agent, a switch, through an ethernet. Z the ip address of the nms is 1.1.1.2/24. Z the ip address of the vlan interface on the switch is 1.1.1.1/24. Z the nms monitors and manages the agent using snmpv2c. The agent reports...

  • Page 1046

    With SNMPv2c, the user needs to specify the read-only community, the read-write community, the timeout, and the number of retries. The user can query and configure the device through the NMS. The configurations on the agent and the NMS must match. SNMP logging configuration example. Netwo...

  • Page 1047

    # Enable SNMP logging on the agent to log the get and set operations of the NMS.
    [Sysname] snmp-agent log get-operation
    [Sysname] snmp-agent log set-operation
    The following log information is displayed on the terminal when the NMS performs a get operation on the agent:
    %Jan 1 02:49:40:566 2...

  • Page 1048: Mib Style Configuration

    2 MIB style configuration. The H3C private MIB comes in two styles, H3C compatible MIB and H3C new MIB. In the H3C compatible MIB style, the device sysOID is under H3C's enterprise ID 25506, and the private MIB is under the enterprise ID 2011. In the H3C new MIB style, both the device sysOID and ...

  • Page 1049: Table of Contents

    Table of contents: 1 RMON configuration (1-1); RMON overview ...

  • Page 1050: Rmon Configuration

    1 RMON configuration. When configuring RMON, go to these sections for the information you are interested in: RMON overview; Configuring RMON; Displaying and maintaining RMON; RMON configuration example. RMON overview: this section covers these topics: Introduction; RMON groups. Introduction: Remo...

  • Page 1051

    RMON groups. Among the ten RMON groups defined by the RMON specification (RFC 1757), the device supports the event group, alarm group, history group and statistics group. In addition, H3C defines and implements the private alarm group, which enhances the functions of the alarm group. This section d...

  • Page 1052: Configuring Rmon

    If the sampled count crosses the same threshold multiple times in a row, only the first crossing triggers an alarm event; that is, rising alarms and falling alarms alternate. History group: the history group periodically collects statistics on interface data and saves them in the history...

  • Page 1054: Rmon Configuration Example

    Displaying and maintaining RMON (To do… / Use the command… / Remarks): Display RMON statistics: display rmon statistics [ interface-type interface-number ] (available in any view). Display the RMON history control entry and history sampling information: display rmon history [ interface-type interface-number...

  • Page 1055

    etherStatsBroadcastPkts : 56 , etherStatsMulticastPkts : 34
    etherStatsUndersizePkts : 0 , etherStatsOversizePkts : 0
    etherStatsFragments : 0 , etherStatsJabbers : 0
    etherStatsCRCAlignErrors : 0 , etherStatsCollisions : 0
    etherStatsDropEvents (insufficient resources): 0
    Packets received according...

  • Page 1056: Table of Contents

    Table of contents: 1 MAC address table management configuration (1-1); Introduction to MAC address table (1-1); How a M...

  • Page 1057

    1 MAC address table management configuration. When configuring MAC address table management, go to these sections for the information you are interested in: Configuring MAC address table management; MAC address table management configuration example; MAC information configuration; MAC informatio...

  • Page 1058

    When receiving a frame destined for MAC-SOURCE, the device looks up the MAC address table and forwards the frame out of port 1. To adapt to network changes, MAC address table entries need to be updated constantly. Each dynamically learned MAC address table entry has a life period, that is, an aging ...

  • Page 1059

    Figure 1-1 Forwarding frames using the MAC address table. Configuring MAC address table management: the MAC address table management configuration tasks include: Configuring MAC address table entries; Configuring the aging timer for dynamic MAC address entries; Configuring the MAC learning limit ...

  • Page 1060

    Configuring the aging timer for dynamic MAC address entries. The MAC address table on your device has an aging mechanism for dynamic entries that prevents its resources from being exhausted. Set the aging timer appropriately: a long aging interval may cause the MAC address table to ret...

  • Page 1062: Overview

    2 MAC information configuration. When configuring MAC information, go to these sections for the information you are interested in: Overview; Configuring MAC information; MAC information configuration example. Overview. Introduction to MAC information: to monitor a network, you need to monitor users ...

  • Page 1063

    Enabling MAC information on an interface. Follow these steps to enable MAC information on an interface (To do… / Use the command… / Remarks): Enter system view: system-view. Enter interface view: interface interface-type interface-number. Enable MAC information on the interface: mac-address information ...

  • Page 1064

    (To do… / Use the command… / Remarks) Enter system view: system-view. Configure the MAC information queue length: mac-address information queue-length value (optional; 50 by default). Setting the MAC information queue length to 0 indicates that the device sends a syslog or trap message to the network manag...

  • Page 1065

    [Device] mac-address information mode syslog
    # Enable MAC information on GigabitEthernet 1/0/1.
    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] mac-address information enable added
    [Device-GigabitEthernet1/0/1] mac-address information enable deleted
    [Device-GigabitEthernet1...

  • Page 1066: Table of Contents

    Table of contents: 1 System maintaining and debugging (1-1); System maintaining and debugging overview (1-1); Int...

  • Page 1067

    1 System maintaining and debugging. When maintaining and debugging the system, go to these sections for the information you are interested in: System maintaining and debugging overview; System maintaining and debugging; System maintaining example. System maintaining and debugging overview. Introduc...

  • Page 1068

    2) The first hop (the Layer 3 device that first receives the packet) responds by sending a TTL-expired ICMP message to the source, with its IP address encapsulated. In this way, the source device can get the address of the first Layer 3 device. 3) The source device sends a packet with a TTL valu...

  • Page 1071: Table of Contents

    Table of contents: 1 Information center configuration (1-1); Information center overview ...

  • Page 1072: Information Center Overview

    1 Information center configuration. When configuring the information center, go to these sections for the information you are interested in: Information center configuration; Configuring information center; Displaying and maintaining information center; Information center configuration examples. Info...

  • Page 1073

    Eight levels of system information. The information is classified into eight levels by severity. The severity levels in descending order are emergency, alert, critical, error, warning, notice, informational and debug. When system information is output by level, the information with severi...

  • Page 1074

    (Information channel number / Default channel name / Default output destination / Note) 4: logbuffer; log buffer; receives log and debugging information; a buffer inside the router for recording information. 5: snmpagent; SNMP module; receives trap information. 6: channel6; not specified; receives log, trap, and ...

  • Page 1075

    Table 1-3 Default output rules for different output destinations (columns: Output destination / Modules allowed / Log: enabled/disabled, severity / Trap: enabled/disabled, severity / Debug: enabled/disabled, severity). Console: default (all modules); log enabled, warning; trap enabled, debug; debug enabled, debug. Monitor terminal: default ...

  • Page 1076

    What follows is a detailed explanation of the fields involved. Int_16 (priority): the priority is calculated using the formula facility*8+severity, in which facility represents the logging facility name and can be configured when you set the log host parameters. The facility ranges fro...

  • Page 1077

    If the timestamp starts with a %, the information is log information; if it starts with a #, the information is trap information; if it starts with a *, the information is debugging information. Source: this field indicates the source of the information, such as the sourc...

  • Page 1082

    Outputting system information to the SNMP module. The SNMP module receives trap information only, and discards log and debugging information even if you have configured them to be output to the SNMP module. To monitor the device running status, trap information is usually sent to the SNMP N...

  • Page 1083

    Follow these steps to enable synchronous information output (To do… / Use the command… / Remarks): Enter system view: system-view. Enable synchronous information output: info-center synchronous (required; disabled by default). If system information, such as log information, is output before you input an...

  • Page 1085

    # Specify the host with IP address 1.2.0.1/16 as the log host, use channel loghost to output log information (optional, loghost by default), and use local4 as the logging facility.
    [Sysname] info-center loghost 1.2.0.1 channel loghost facility local4
    # Disable the output of log, trap, and debug...

  • Page 1086

    Be aware of the following issues while editing the file /etc/syslog.conf: comments must be on a separate line and begin with the # sign. No redundant spaces are allowed after the file name. The logging facility name and the information level specified in /etc/syslog.conf must be iden...

  • Page 1087

    # Disable the output of log, trap, and debugging information of all modules on channel loghost.
    [Sysname] info-center source default channel loghost debug state off log state off trap state off
    As the default system configurations for different channels differ, you need to disable the ou...

  • Page 1088

    # syslogd -r &
    Ensure that the syslogd process is started with the -r option on a Linux log host. After the above configurations, the system will be able to record log information into the log file. Outputting log information to the console. Network requirements: log information with a severity...

  • Page 1089

    # Enable the display of log information on a terminal. (Optional; this function is enabled by default.)
    terminal monitor
    % Current terminal monitor is on
    terminal logging
    % Current terminal logging is on
    After the above configuration takes effect, if the specified module generates log informati...

  • Page 1090: Table of Contents

    Table of contents: 1 PoE configuration (1-1); PoE overview ...

  • Page 1091: Poe Configuration

    1 PoE configuration. When configuring PoE, go to these sections for the information you are interested in: PoE overview; PoE configuration task list; Configuring the PoE interface; Configuring PoE power management; Configuring the PoE monitoring function; Upgrading PSE processing software onli...

  • Page 1092: Poe Configuration Task List

    A PD is a device that accepts power from the PSE. There are standard PDs and nonstandard PDs. A standard PD is one that complies with IEEE 802.3af. A PD that is being powered by the PSE can also be connected to other power supply units for redundancy backup. Protocol specification: the proto...

  • Page 1093

    Spare-pair mode: the PSE uses the twisted pairs (4, 5, 7 and 8) of Category 3/5 cables, which are spare during data transmission, to power the PD. S5500-SI series switches support only the signal mode. Configuring a PoE interface through the command line (To do… / Use the command… / Remarks): Enter sy...

  • Page 1094

    Follow these steps to configure PoE interfaces through a PoE configuration file (To do… / Use the command… / Remarks): Enter system view: system-view. Create a PoE configuration file and enter PoE configuration file view: poe-profile profile-name [ index ] (required). Enable PoE for the PoE interface: poe ...

  • Page 1095

    Configuring PoE power management. Configuring PD power management: the power priority of a PD depends on the priority of the PoE interface. The priority levels of PoE interfaces are critical, high and low, in descending order. Power supply to a PD is subject to PD power management policies. All...

  • Page 1097

    You can power off the device and restart it before upgrading it again. After the upgrade, restart the device manually to make the original PoE configurations take effect. Follow these steps to upgrade the PSE processing software online (To do… / Use the command… / Remarks): Enter system view: system-view —...

  • Page 1098: Poe Configuration Example

    Displaying and maintaining PoE (To do… / Use the command… / Remarks): Display the mapping between ID, module, and member ID of all PSEs: display poe device. Display the power state and information of the specified PoE interface: display poe interface [ interface-type interface-number ]. Display the power ...

  • Page 1099: Troubleshooting Poe

    Figure 1-1 Network diagram for PoE. Configuration procedure:
    # Enable PoE on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/11, and GigabitEthernet 1/0/12.
    system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] poe enable
    [Sysname-GigabitEthernet1/0...

  • Page 1100

    The priority of the PoE interface is already set. Solution: in the first case, you can solve the problem by increasing the maximum PSE power, or by reducing the maximum power of the PoE interface when the guaranteed remaining power of the PSE cannot be modified. In the second case, you sh...

  • Page 1101: Table of Contents

    Table of contents: 1 Hotfix configuration (1-1); Hotfix overview ...

  • Page 1102: Hotfix Configuration

    1 Hotfix configuration. When configuring hotfix, go to these sections for the information you are interested in: Hotfix overview; Hotfix configuration task list; Displaying and maintaining hotfix; Hotfix configuration examples. Hotfix overview: hotfix is a fast and cost-effective method to repair ...

  • Page 1103

    install, and uninstall represent operations, corresponding to the commands patch load, patch active, patch run, patch deactive, patch delete, patch install, and undo patch install. For example, if you execute the patch active command for patches in the deactive state, the patches turn to the ...

  • Page 1104

    Figure 1-2 Patches are not loaded to the memory patch area. Currently, the system patch area supports up to 200 patches. Deactive state: patches in the deactive state have been loaded to the memory patch area but have not run in the system yet. Suppose that there are seven patches in the patch fil...

  • Page 1105

    Figure 1-4 Patches are activated. Running state: after you confirm the running of the active patches, their state becomes running and stays running after a system reboot. For the five patches in Figure 1-4, if you confirm the running of the first three patches, their st...

  • Page 1106: Configuration Prerequisites

    Configuration prerequisites. Patches are released per device model. Before patching the system, you need to save the appropriate patch files to the flash of the switch using FTP or TFTP. When saving the patch files, note that: the patch files must match the switch model and software version. If they...

  • Page 1107

    Step-by-step patch installation. Step-by-step patch installation task list (Task / Remarks): Configuring the patch file location (optional); Loading a patch file (required); Activating patches (required); Confirming running patches (optional). Configuring the patch file location: follow these steps to configure th...

  • Page 1108

    Follow the steps below to load a patch file (To do… / Use the command… / Remarks): Enter system view: system-view. Load the patch file from the flash to the memory patch area: patch load (required). Activating patches: after you activate a patch, the patch takes effect and is in the test-run stage. Aft...

  • Page 1109

    You can use the undo patch install command to uninstall all patches from all boards and the OAM CPU. The patches then turn to the idle state. This is equivalent to executing the commands patch deactive and patch delete on each board and OAM CPU. On a centralized stacking device you can use the un...

  • Page 1110

    Displaying and maintaining hotfix (To do… / Use the command… / Remarks): Display the patch information: display patch information (available in any view). Hotfix configuration examples. Hotfix configuration example. Network requirements: the software running on the device has a problem, and thus hotfixing ...

  • Page 1111

    Installing patches........
    Installation completed, and patches will continue to run after reboot.

  • Page 1112: Table of Contents

    Table of contents: 1 NQA configuration (1-1); NQA overview ...

  • Page 1113: Nqa Configuration

    1 NQA configuration. When configuring NQA, go to these sections for the information you are interested in: NQA overview; NQA configuration task list; Configuring the NQA server; Enabling the NQA client; Creating an NQA test group; Configuring an NQA test group; Configuring the collaboration f...

  • Page 1114

    collaboration with other modules is triggered. The implementation of collaboration is shown in Figure 1-1. Figure 1-1 Implementation of collaboration. The collaboration here involves three parts: the application modules, the track module, and the detection modules. The detection modules monito...

  • Page 1115

    Basic concepts of the NQA test group. Before performing an NQA test, you need to create an NQA test group and configure NQA test parameters such as test type, destination address and destination port. Each test group has an administrator name and operation tag, which together uniquely identify a test group...

  • Page 1116: Nqa Configuration Task List

    NQA test operation. An NQA test operation is as follows: 1) The NQA client constructs packets of the specified type and sends them to the peer device; 2) upon receiving a packet, the peer device replies with a response carrying a timestamp; 3) the NQA client computes the packet loss rate and RTT...

  • Page 1117: Configuring The Nqa Server

    (Task / Remarks) Configuring optional parameters common to an NQA test group (optional); Scheduling an NQA test group (required). Configuring the NQA server: before performing TCP, UDP echo, UDP jitter or voice tests, you need to configure the NQA server on the peer device. The NQA server makes a response ...

  • Page 1118

    If you execute the nqa entry command to enter the view of a test group whose test type is already configured, you enter the test type view of the test group directly. Configuring an NQA test group. Configuring an ICMP echo test: an ICMP echo test is used to test the reachability of the destination host according ...

  • Page 1119

    (To do… / Use the command… / Remarks) Configure the source IP address of a probe request: source ip ip-address (optional; by default, no source IP address is specified). If no source IP address is specified but the source interface is specified, the IP address of the source interface is taken as the sour...

  • Page 1120

    (To do… / Use the command… / Remarks) Configure common optional parameters: see Configuring optional parameters common to an NQA test group (optional). Because a DHCP test is a process that simulates address allocation in DHCP, the IP address of the interface performing the DHCP test is not changed. After ...

  • Page 1122

    (To do… / Use the command… / Remarks) Configure the test type as HTTP and enter test type view: type http (required). Configure the destination address for a test operation: destination ip ip-address (required; by default, no destination IP address is configured for a test operation). The destination IP addr...

  • Page 1123

    Delay jitter refers to the difference between the interval at which two consecutive packets are received and the interval at which those two packets were sent. The procedure of a UDP jitter test is as follows: the source sends packets at regular intervals to the destination port. The destination affixes a...

  • Page 1124

    (To do… / Use the command… / Remarks) Configure the number of packets sent in a UDP jitter probe: probe packet-number packet-number (optional; 10 by default). Configure the interval for sending packets in a UDP jitter probe: probe packet-interval packet-interval (optional; 20 milliseconds by default). Config...

  • Page 1125

    (To do… / Use the command… / Remarks) Configure the destination address for a test operation: destination ip ip-address (required; by default, no destination IP address is configured for a test operation). Specify the source port number for a probe request in a test operation: source port port-number (opti...

  • Page 1126

    (To do… / Use the command… / Remarks) Configure the destination port: destination port port-number (required; by default, no destination port number is configured for a test operation). The destination port number must be consistent with the port number of the listening service configured on the NQA server. ...

  • Page 1127

    (To do… / Use the command… / Remarks) Configure the destination port: destination port port-number (required; by default, no destination port number is configured for a test operation). The destination port number must be the port number of the listening service configured on the NQA server. Configure th...

  • Page 1128

    interval for the source to send these two successive packets, and thus the network status can be analyzed. The voice parameter values that indicate VoIP network status can also be calculated in a voice test, including: Calculated Planning Impairment Factor (ICPIF): measures attenuation of voi...

  • Page 1129

    (To do… / Use the command… / Remarks) Configure the advantage factor for calculating MOS and ICPIF values: advantage-factor factor (optional; by default, the advantage factor is 0). Specify the source IP address for the requests in a test operation: source ip ip-address (optional; by default, no source IP a...

  • Page 1130

    Configuration prerequisites: enable the DLSw function on the peer device before the DLSw test. Configuring a DLSw test: follow these steps to configure a DLSw test (To do… / Use the command… / Remarks): Enter system view: system-view. Enter NQA test group view: nqa entry admin-name operation-tag. Configure ...

  • Page 1131: Configuring Trap Delivery

    (To do… / Use the command… / Remarks) Create a track object and associate it with the specified collaboration object of the NQA test group: track entry-number nqa entry admin-name operation-tag reaction item-num (required; not created by default). You cannot modify the content of a reaction entry using...

  • Page 1132

    Configuring the NQA statistics function. NQA puts the NQA tests completed in a specified interval into one group and calculates statistics on the test results of that group. These statistics form a statistics group. You can use the display nqa statistics command to view information about the st...

  • Page 1134: Scheduling An Nqa Test Group

    Scheduling an NQA test group. With this configuration, you can set the start time and test duration for a test group to perform NQA tests. The start time can be a specific value or now, which indicates that the test starts immediately; the test duration can be a specific value or ca...

  • Page 1135: Nqa Configuration Examples

    Displaying and maintaining NQA (To do… / Use the command… / Remarks): Display history records of NQA test operations: display nqa history [ admin-name operation-tag ]. Display the results of the last NQA test: display nqa result [ admin-name operation-tag ]. Display the statistics of a type of ...

  • Page 1136

    NQA entry(admin admin, tag test) test results:
    Destination IP address: 10.2.2.2
    Send operation times: 10
    Receive response times: 10
    Min/Max/Average round trip time: 2/5/3
    Square-Sum of round trip time: 96
    Last succeeded probe time: 2007-08-23 15:00:01.2
    Extended results:
    Packet lost in test: 0%...

  • Page 1137

    [SwitchA-nqa-admin-test] type dhcp
    [SwitchA-nqa-admin-test-dhcp] operation interface vlan-interface 2
    [SwitchA-nqa-admin-test-dhcp] quit
    # Enable the DHCP test.
    [SwitchA] nqa schedule admin test start-time now lifetime forever
    # Disable the DHCP test after it has run for a period of time.
    [SwitchA...

  • Page 1138

    [DeviceA] nqa entry admin test
    [DeviceA-nqa-admin-test] type ftp
    [DeviceA-nqa-admin-test-ftp] destination ip 10.2.2.2
    [DeviceA-nqa-admin-test-ftp] source ip 10.1.1.1
    [DeviceA-nqa-admin-test-ftp] operation put
    [DeviceA-nqa-admin-test-ftp] username admin
    [DeviceA-nqa-admin-test-ftp] password syst...

  • Page 1139

    Figure 1-6 Network diagram for the HTTP tests. Configuration procedure:
    # Create an HTTP test group and configure related test parameters.
    system-view
    [DeviceA] nqa entry admin test
    [DeviceA-nqa-admin-test] type http
    [DeviceA-nqa-admin-test-http] destination ip 10.2.2.2
    [DeviceA-nqa-admin-test-ht...

  • Page 1140

    UDP jitter test configuration example. Network requirements: use the NQA UDP jitter function to test the delay jitter of packet transmission between Device A and Device B. Figure 1-7 Network diagram for UDP jitter tests. Configuration procedure: 1) Configure Device B. # Enable the NQA server and co...

  • Page 1141

    Failures due to sequence error: 0
    Failures due to internal error: 0
    Failures due to other errors: 0
    Packet(s) arrived late: 0
    UDP-jitter results:
    RTT number: 10
    Min positive SD: 4
    Min positive DS: 1
    Max positive SD: 21
    Max positive DS: 28
    Positive SD number: 5
    Positive DS number: 4
    Positive SD ...

  • Page 1142

    Min positive SD: 3
    Min positive DS: 1
    Max positive SD: 30
    Max positive DS: 79
    Positive SD number: 186
    Positive DS number: 158
    Positive SD sum: 2602
    Positive DS sum: 1928
    Positive SD average: 13
    Positive DS average: 12
    Positive SD square sum: 45304
    Positive DS square sum: 31682
    Min negative SD: ...

  • Page 1143

    system-view
    [DeviceB] snmp-agent sys-info version all
    [DeviceB] snmp-agent community read public
    [DeviceB] snmp-agent community write private
    2) Configurations on Device A.
    # Create an SNMP query test group and configure related test parameters.
    system-view
    [DeviceA] nqa entry admin test
    [Devic...

  • Page 1144

    Figure 1-9 Network diagram for TCP tests. Configuration procedure:
    1) Configure Device B.
    # Enable the NQA server and configure the listening IP address as 10.2.2.2 and the port number as 9000.
    system-view
    [DeviceB] nqa server enable
    [DeviceB] nqa server tcp-connect 10.2.2.2 9000
    2) Configure Device ...

  • Page 1145

    NQA entry(admin admin, tag test) history record(s):
    Index Response Status Time
    1 13 Succeeded 2007-11-22 10:27:25.1
    UDP echo test configuration example. Network requirements: use the NQA UDP echo function to test the round trip time between Device A and Device B. The port number is 8000. Figure 1...

  • Page 1146

    Failures due to disconnect: 0
    Failures due to no connection: 0
    Failures due to sequence error: 0
    Failures due to internal error: 0
    Failures due to other errors: 0
    Packet(s) arrived late: 0
    # Display the history of UDP echo tests.
    [DeviceA] display nqa history admin test
    NQA entry(admin admin, t...

  • Page 1147

    NQA entry(admin admin, tag test) test results:
    Destination IP address: 10.2.2.2
    Send operation times: 1000
    Receive response times: 1000
    Min/Max/Average round trip time: 31/1328/33
    Square-Sum of round trip time: 2844813
    Last succeeded probe time: 2008-06-13 09:49:31.1
    Extended results:
    Packet lo...

  • Page 1148

    Min/Max/Average round trip time: 15/1328/32
    Square-Sum of round trip time: 7160528
    Extended results:
    Packet lost in test: 0%
    Failures due to timeout: 0
    Failures due to disconnect: 0
    Failures due to no connection: 0
    Failures due to sequence error: 0
    Failures due to internal error: 0
    Failures due...

  • Page 1149

    DLSw test configuration example. Network requirements: use the NQA DLSw function to test the response time of the DLSw device. Figure 1-12 Network diagram for the DLSw tests. Configuration procedure:
    # Create a DLSw test group and configure related test parameters.
    system-view
    [DeviceA] nqa entry a...

  • Page 1150

    NQA collaboration configuration example. Network requirements: as shown in Figure 1-13, configure a static route to Switch C on Switch A, with Switch B as the next hop. Associate the static route, track entry, and NQA test group to verify in real time whether the static route is active. Figure 1-13 ...

  • Page 1151

    [SwitchA] track 1 nqa entry admin test reaction 1
    5) Verify the configuration.
    # On Switch A, display information about all the track entries.
    [SwitchA] display track all
    Track ID: 1
    Status: Positive
    Notification delay: Positive 0, Negative 0 (in seconds)
    Reference object:
    NQA entry: admin test...

  • Page 1152

    127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
    127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
    The above information shows that the next hop 10.2.1.1 of the static route is not reachable, and the status of the track entry is negative. The static route does not work.

  • Page 1153: Table of Contents

    Table of contents: 1 NTP configuration (1-1); NTP overview ...

  • Page 1154: Ntp Configuration

    1 NTP configuration. When configuring NTP, go to these sections for the information you are interested in: NTP overview; NTP configuration task list; Configuring the operation modes of NTP; Configuring optional parameters of NTP; Configuring access-control rights; Configuring NTP authenticatio...

  • Page 1155

    NTP can unicast, multicast or broadcast protocol messages. How NTP works: Figure 1-1 shows the basic workflow of NTP. Device A and Device B are interconnected over a network. They have their own independent system clocks, which need to be automatically synchronized through NTP. For an easy unde...

  • Page 1156

    1-3 This is only a rough description of the work mechanism of NTP. For details, refer to RFC 1305. NTP message format: NTP uses two types of messages, the clock synchronization message and the NTP control message. An NTP control message is used in environments where network management is needed. As it is not...

  • Page 1157

    1-4 • Poll: an 8-bit signed integer indicating the poll interval, namely the maximum interval between successive messages. • Precision: an 8-bit signed integer indicating the precision of the local clock. • Root delay: roundtrip delay to the primary reference source. • Root dispersion: the maximum erro...

  • Page 1158

    1-5 Symmetric peers mode. Figure 1-4 Symmetric peers mode. A device working in the symmetric active mode periodically sends clock synchronization messages, with the Mode field in the message set to 1 (symmetric active); the device that receives this message automatically enters the symmetric passive m...

  • Page 1159: Ntp Configuration Task List

    1-6 Multicast mode. Figure 1-6 Multicast mode (figure labels: network, client, server; after receiving the first multicast message, the client sends a request; clock synchronization message exchange (mode 3 and mode 4); periodically multicasts clock synchronization messages (mode 5); calculates the network delay between c...

  • Page 1160

    1-7 Configuring the operation modes of NTP. Devices can implement clock synchronization in one of the following modes: • Client/server mode • Symmetric mode • Broadcast mode • Multicast mode. For the client/server mode or symmetric mode, you need to configure only clients or symmetric-active peers; fo...

  • Page 1161

    1-8 • In the ntp-service unicast-server command, ip-address must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. • When the source interface for NTP messages is specified by the source-interface argument, the source IP address of the n...

  • Page 1162

    1-9 Configuring NTP broadcast mode. The broadcast server periodically sends NTP broadcast messages to the broadcast address 255.255.255.255. After receiving the messages, the device working in NTP broadcast client mode sends a reply and synchronizes its local clock. For devices working in the broadca...

  • Page 1163

    1-10 Configuring a multicast client (To do… / Use the command… / Remarks): Enter system view: system-view. Enter interface view: interface interface-type interface-number (enter the interface used to receive NTP multicast messages). Configure the device to work in the NTP multicast client mode: ntp-service mul...

  • Page 1164

    1-11 Follow these steps to specify the source interface for NTP messages (To do… / Use the command… / Remarks): Enter system view: system-view. Specify the source interface for NTP messages: ntp-service source-interface interface-type interface-number (required; by default, no source interface is specifie...

  • Page 1165

    1-12 Configuring access-control rights. With the following command, you can configure the NTP service access-control right to the local device. There are four access-control rights, as follows: • Query: control query permitted. This level of right permits the peer devices to perform control query to ...

  • Page 1166

    1-13 Configuring NTP authentication. The NTP authentication feature should be enabled for a system running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with ...

  • Page 1168: Ntp Configuration Examples

    1-15 The procedure of configuring NTP authentication on a server is the same as that on a client, and the same authentication key must be configured on both the server and client sides. Displaying and maintaining NTP (To do… / Use the command… / Remarks): View the information of NTP service status: display ...

  • Page 1169

    1-16 Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000) # Specify Switch A as the NTP server of Switch B so that Switch B is synchronized to Switch A. system-view [SwitchB] ntp-service unicast-server 1.0.1.11 # View the NTP status of Switch B after clock synchronization. [SwitchB] displ...

  • Page 1170

    1-17 Figure 1-8 Network diagram for NTP symmetric peers mode configuration (figure labels: Switch A, Switch B, Switch C; 3.0.1.31/24, 3.0.1.32/24, 3.0.1.33/24). Configuration procedure: 1) Configuration on Device B: # Specify Device A as the NTP server of Device B. system-view [DeviceB] ntp-service unicast-server 3.0.1.31 ...

  • Page 1171

    1-18 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: -21.1982 ms Root delay: 15.00 ms Root dispersion: 775.15 ms Peer dispersion: 34.29 ms Reference time: 15:22:47.083 UTC Sep 19 2005 (c6d95647.153f7ced) As shown above, Device C has been synchronized ...

  • Page 1172

    1-19 system-view [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-interface2] ntp-service broadcast-server 2) Configuration on Switch D: # Configure Switch D to work in the broadcast client mode and receive broadcast messages on VLAN-interface 2. system-view [SwitchD] interface vlan-interface 2 [S...

  • Page 1173

    1-20 • The local clock of Switch C is to be used as the master clock, with a stratum level of 2. • Switch C works in the multicast server mode and sends out multicast messages from VLAN-interface 2. • Switch A and Switch D work in the multicast client mode and receive multicast messages through VLAN...

  • Page 1174

    1-21 Figure 1-10 Network diagram for NTP multicast mode configuration. Configuration procedure: 1) Configuration on Switch C: # Configure Switch C to work in the multicast server mode and send multicast messages through VLAN-interface 2. system-view [SwitchC] interface vlan-interface 2 [SwitchC-Vlan-i...

  • Page 1175

    1-22 # View the NTP session information of Switch D, which shows that an association has been set up between Switch D and Switch C. [SwitchD-Vlan-interface2] display ntp-service sessions source reference stra reach poll now offset delay disper ********************************************************...

  • Page 1176

    1-23 As shown above, Switch A has been synchronized to Switch C, and the clock stratum level of Switch A is 3, while that of Switch C is 2. # View the NTP session information of Switch A, which shows that an association has been set up between Switch A and Switch C. [SwitchA-Vlan-interface3] display...

  • Page 1177

    1-24 Perform the following configuration on Switch A: # Enable NTP authentication. [SwitchA] ntp-service authentication enable # Set an authentication key. [SwitchA] ntp-service authentication-keyid 42 authentication-mode md5 anicekey # Specify the key as a trusted key. [SwitchA] ntp-service reliabl...

  • Page 1178

    1-25 Figure 1-12 Network diagram for configuration of NTP broadcast mode with authentication. Configuration procedure: 1) Configuration on Switch C: # Configure NTP authentication. system-view [SwitchC] ntp-service authentication enable [SwitchC] ntp-service authentication-keyid 88 authentication-mode...

  • Page 1179

    1-26 Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 31.00 ms Root dispersion: 8.31 ms Peer dispersion: 34.30 ms Reference time: 16:01:51.713 UTC Sep 19 2005 (c6d95f6f.b6872b02) As shown above, Switch D has been synchronized to Switch C, and the clock stratum level of Switch D is 4, while t...

  • Page 1180: Table of Contents

    Table of contents: 1 Cluster management configuration 1-1; Cluster management overview ...

  • Page 1181: Cluster Management Overview

    1-1 1 Cluster management configuration. When configuring cluster management, go to these sections for information you are interested in: • Cluster management overview • Cluster configuration task list • Configuring the management device • Configuring the member devices • Configuring access between th...

  • Page 1182

    1-2 Figure 1-1 Network diagram for a cluster. As shown in Figure 1-1, the device that is configured with a public IP address and performs the management function is the management device, the other managed devices are member devices, and the device that does not belong to any cluster but can be added to a c...

  • Page 1183

    1-3 Introduction to NDP. NDP is used to discover the information about directly connected neighbors, including the device name, software version, and connecting port of the adjacent devices. NDP works in the following ways: • A device running NDP periodically sends NDP packets to its neighbors. An ND...

  • Page 1184

    1-4 then forwards the NTDP topology collection request after its prior port forwards the NTDP topology collection request. Cluster management maintenance: 1) Adding a candidate device to a cluster. You should specify the management device before creating a cluster. The management device discovers and ...

  • Page 1185

    1-5 member device which is in Disconnect state will be added to the cluster. After that, the state of the member device locally and on the management device will be changed to Active. Besides, a member device informs the management device using handshake packets when there is a neighbor topology cha...

  • Page 1186

    1-6 Complete these tasks to configure a cluster (Task / Remarks): Enabling NDP globally and for specific ports: optional. Configuring NDP parameters: optional. Enabling NTDP globally and for specific ports: optional. Configuring NTDP parameters: optional. Manually collecting topology information: optional. Enabli...

  • Page 1187

    1-7 • Disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed, but will influence the normal operation of the cluster. • When both the cluster function and the 802.1X function (or the MAC address authentic...

  • Page 1188

    1-8 Configuring NDP parameters. A port enabled with NDP periodically sends NDP packets to its neighbors. If no NDP information from the neighbor is received when the holdtime times out, the corresponding entry is removed from the NDP table. Follow these steps to configure NDP parameters: To do… Use t...

  • Page 1189

    1-9 of the devices in a specified range, thus avoiding unlimited topology collection. After the interval for collecting topology information is configured, the device collects the topology information at this interval. To avoid network congestion caused by large amounts of topology responses receive...

  • Page 1190

    1-10 Enabling the cluster function (To do… / Use the command… / Remarks): Enter system view: system-view. Enable the cluster function globally: cluster enable (optional; enabled by default). Establishing a cluster: before establishing a cluster, you need to specify the management VLAN, and you cannot modify the...

  • Page 1191

    1-11 Enabling management VLAN auto-negotiation. The management VLAN limits the cluster management range. If the device discovered by the management device does not belong to the management VLAN, meaning the cascade ports and the ports connecting with the management device do not allow the packets fro...

  • Page 1192

    1-12 0180-c200-000a, cluster management packets cannot traverse these devices. For a cluster to work normally in this case, you can modify the destination MAC address of a cluster management protocol packet without changing the current networking. The management device periodically sends MAC address...

  • Page 1193: Member Devices

    1-13 Removing a member device (To do… / Use the command… / Remarks): Enter system view: system-view. Enter cluster view: cluster. Remove a member device from the cluster: delete-member member-number [ to-black-list ] (required). Rebooting a member device (To do… / Use the command… / Remarks): Enter system view: system...

  • Page 1194

    1-14 the member devices through the management device. You can manage member devices in a cluster through switching from the operation interface of the management device to that of a member device or configure the management device by switching from the operation interface of a member device to that...

  • Page 1195

    1-15 (To do… / Use the command… / Remarks) Add a candidate device to the cluster: administrator-address mac-address name name (required). Configuring advanced cluster functions. This section covers these topics: • Configuring topology management • Configuring interaction for a cluster • SNMP configuration sync...

  • Page 1197

    1-17 (To do… / Use the command… / Remarks) Configure the NM interface of the management device: nm-interface vlan-interface vlan-interface-id (optional). To isolate management protocol packets of a cluster from packets outside the cluster, you are recommended to configure to prohibit packets from the manageme...

  • Page 1198

    1-18 • The SNMP-related configurations are retained when a cluster is dismissed or the member devices are removed from the whitelist. • For information about SNMP, refer to SNMP configuration in the System volume. Configuring web user accounts in batches. Configuring web user accounts in batches enab...

  • Page 1199

    1-19 Displaying and maintaining cluster management (To do… / Use the command… / Remarks): Display NDP configuration information: display ndp [ interface interface-list ]. Display the global NTDP information: display ntdp. Display the device information collected through NTDP: display ntdp device-list [ verbose ...

  • Page 1200

    1-20 Figure 1-4 Network diagram for cluster management configuration. Configuration procedure: 1) Configure the member device Switch A. # Enable NDP globally and for port GigabitEthernet 1/0/1. system-view [SwitchA] ndp enable [SwitchA] interface gigabitethernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] ndp...

  • Page 1201

    1-21 [SwitchB-GigabitEthernet1/0/3] quit # Configure the period for the receiving device to keep NDP packets as 200 seconds. [SwitchB] ndp timer aging 200 # Configure the interval to send NDP packets as 70 seconds. [SwitchB] ndp timer hello 70 # Enable NTDP globally and for ports GigabitEthernet 1/0...

  • Page 1202

    1-22 restore topology from local flash file,for there is no base topology. (please confirm in 30 seconds, default no). (y/n) n # Enable management VLAN auto-negotiation. [abc_0.SwitchB-cluster] management-vlan synchronization enable # Configure the holdtime of the member device information as 100 se...

  • Page 1203: Table of Contents

    Table of contents: 1 Stack configuration 1-1; Stack configuration overview ...

  • Page 1204: Stack Configuration

    1-1 1 Stack configuration. When configuring a stack, go to these sections for information you are interested in: • Stack configuration overview • Stack configuration task list • Configuring the master device of a stack • Configuring stack ports of a slave device • Logging in to the CLI of a slave from ...

  • Page 1205

    1-2 Stack management requires 10 GE ports to connect member devices. Therefore, among the S5500-SI series switches, only the following models that provide 10 GE ports support the stack management function: • S5500-28C-SI • S5500-52C-SI • S5500-28C-PWR-SI • S5500-52C-PWR-SI. You can install an interfa...

  • Page 1207

    1-4 Configuring stack ports of a slave device. You need to configure stack ports to add a slave device to the stack. The ports of a slave device that connect to other stack devices need to be configured as stack ports. Follow the steps below to configure stack ports: To do… Use the command… Remarks E...

  • Page 1208: Stack Configuration Example

    1-5 Stack configuration example. Stack configuration example. Network requirements: • As shown in Figure 1-2, Switch A, Switch B, Switch C, and Switch D are connected with one another. • Create a stack, where Switch A is the master device, and Switch B, Switch C, and Switch D are slave devices. An adminis...

  • Page 1209

    1-6 3) Verify the configuration. # Display stack information of the stack members on Switch A. display stack members Number : 0 Role : Master Sysname : stack_0.SwitchA Switch type: H3C S5500-28C-SI MAC address: 000f-e200-1000 Number : 1 Role : Slave Sysname : stack_1.SwitchB Device type: H3C S5500-...

  • Page 1210: Table of Contents

    Table of contents: 1 Automatic configuration 1-1; Introduction to automatic configuration ...

  • Page 1211: Automatic Configuration

    1-1 1 Automatic configuration. When configuring automatic configuration, go to these sections for information you are interested in: • Introduction to automatic configuration • Typical networking of automatic configuration • How automatic configuration works. Introduction to automatic configuration: Au...

  • Page 1212

    1-2 name of the TFTP server from a DHCP response, the device can also resolve the domain name of the TFTP server to the IP address of the TFTP server through the DNS server. If the DHCP server, TFTP server, DNS server, and the device that performs automatic configuration are not in the same segment,...

  • Page 1213

    1-3 Figure 1-2 Work flow of automatic configuration (flowchart labels: start the device without loading the configuration file; the interface obtains parameters through DHCP; is the TFTP server address contained in the parameters? yes/no; unicast a TFTP request to obtain the configuration file; broadcast a ...

  • Page 1214

    1-4 • The configuration file name is saved in the Option 67 or file field of the DHCP response. The device first resolves the Option 67 field; if this field contains the configuration file name, the device does not resolve the file field; otherwise, it resolves the file field. • Temporary configurat...

  • Page 1215

    1-5 You need to configure a client ID (when a device works as the DHCP client, it uses the client ID as its ID) of the static binding when you configure manual address allocation. Therefore, you need to obtain the client ID in this way: start the device that performs automatic configuration, enable ...

  • Page 1216

    1-6 Obtaining the configuration file. Figure 1-3 Obtain the configuration file (flowchart labels: is the configuration file contained in the DHCP response?; obtain the network intermediate file; search the domain name corresponding to the IP address in the network intermediate file; yes; obtain the specified configuration ...

  • Page 1217

    1-7 • If the IP address and the domain name of the TFTP server are not contained in the DHCP response or they are illegitimate, the device broadcasts a TFTP request to the TFTP server. • When broadcasting a TFTP request, the device obtains the configuration file from the TFTP server that responds the...