QSW-8300 series CONFIGURATION MANUAL
Chapter 1 Port Configuration

1.1 Introduction to Port

The switch contains cable ports and combo ports. The combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. To configure network ports, use the interface ethernet command to enter the appropriate Ethernet port configuration mode, where stands for one or more ports.
2. Configure the properties for the Ethernet ports

Command / Explanation

Port Mode
  combo-forced-mode {copper-forced | sfp-forced}
      Sets the combo port mode (combo ports only).
  shutdown
  no shutdown
      Enables/Disables specified ports.
  name
  no name
      Names or cancels the name of specified ports.
  mdi { auto | across | normal }
  no mdi
      Sets the cable type for the specified port; this command is not supported by combo port and fiber port of switch.
  <0-86400>|]
  no rate-violation
      the rate of the received packet violates the packet reception rate, shut down this port and configure the recovery time, the default is 300s. The no command will disable the rate-violation function of a port.

Global Mode
  port-rate-statistics interval []
      Configure the interval of port-rate-statistics.

3. Virtual cable test

Command / Explanation

Port Configuration Mode
  virtual-cable-test
      Test virtual cables of the port.

1.
Switch1(config)#interface ethernet 1/0/7
Switch1(Config-If-Ethernet1/0/7)#bandwidth control 50 both

Switch2:
Switch2(config)#interface ethernet 1/0/9
Switch2(Config-If-Ethernet1/0/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/0/9)#exit
Switch2(config)#interface ethernet 1/0/10
Switch2(Config-If-Ethernet1/0/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/0/10)#exit
Switch2(config)#monitor session 1 source interface ethernet1/0/8;1/0/9
Switch2(config)#monitor session 1 destination interf
Chapter 2 Port Isolation Function Configuration

2.1 Introduction to Port Isolation Function

Port isolation is an independent port-based function that works between ports and isolates the flows of different ports from each other. With port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
3. Specify the flow to be isolated

Command / Explanation

Global Mode
  isolate-port apply []
      Apply the port isolation configuration to isolate layer-2 flows, layer-3 flows or all flows.

4. Display the configuration of port isolation

Command / Explanation

Admin Mode and global Mode
  show isolate-port group [ ]
      Display the configuration of port isolation, including all configured port isolation groups and Ethernet ports in each group.

2.
Switch(config)#isolate-port group test
Switch(config)#isolate-port group test switchport interface ethernet 1/0/1;1/0/10

+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 3 Port Loopback Detection Function Configuration

3.1 Introduction to Port Loopback Detection Function

With the development of switches, more and more users access the network through Ethernet switches. In an enterprise network, users access the network through layer-2 switches, which creates urgent demand for both internet access and internal layer-2 interworking.
1. Configure the time interval of loopback detection

Command / Explanation

Global Mode
  loopback-detection interval-time
  no loopback-detection interval-time
      Configure the time interval of loopback detection.

2. Enable the function of port loopback detection

Command / Explanation

Port Mode
  loopback-detection specified-vlan
  no loopback-detection specified-vlan
      Enable and disable the function of port loopback detection.

3.
Command / Explanation

Global Mode
  loopback-detection control-recovery timeout <0-3600>
      Configure the loopback-detection control mode (automatic recovery enabled or not) or recovery time.

3.3 Port Loopback Detection Function Example

[Figure: Typical example of port loopback detection]

As shown in the above configuration, the switch will detect the existence of loopbacks in the network topology.
Switch(Config-Mstp-Region)#

3.4 Port Loopback Detection Troubleshooting

The function of port loopback detection is disabled by default and should only be enabled if required.
Chapter 4 ULDP Function Configuration

4.1 Introduction to ULDP Function

A unidirectional link is a common link error state in networks, especially on fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter cannot receive messages from the former. Since the physical layer of the link is connected and works normally, the checking mechanism of the physical layer cannot find the communication problem between the devices.
Converter) or interfaces have problems, software problems, hardware becomes unavailable or operates abnormally. A unidirectional link will cause a series of problems, such as spanning tree topological loops and broadcast black holes. ULDP (Unidirectional Link Detection Protocol) can help avoid disasters that could happen in the situations mentioned above. In a switch connected via fiber or copper Ethernet lines (such as Category 5e twisted pair), ULDP can monitor the link state of physical links.
Command / Explanation

Port configuration mode
  uldp enable
  uldp disable
      Enable or disable ULDP function on a port.

3. Configure aggressive mode globally

Command / Explanation

Global configuration mode
  uldp aggressive-mode
  no uldp aggressive-mode
      Set the global working mode.

4. Configure aggressive mode on a port

Command / Explanation

Port configuration mode
  uldp aggressive-mode
  no uldp aggressive-mode
      Set the working mode of the port.

5.
Command / Explanation

Global configuration mode or port configuration mode
  uldp reset
      Reset all ports in global configuration mode; reset the specified port in port configuration mode.

9. Display and debug the relative information of ULDP

Command / Explanation

Admin mode
  show uldp [interface ethernet IFNAME]
      Display ULDP information. No parameter means to display global ULDP information. The parameter specifying a port will display global information and the neighbor information of the port.
4.3 ULDP Function Typical Examples

[Figure: Fiber Cross Connection (Switch A with ports g1/0/1 and g1/0/2, Switch B with ports g1/0/3 and g1/0/4, PC1, PC2)]

In the network topology in the figure, port g1/0/1 and port g1/0/2 of switch A as well as port g1/0/3 and port g1/0/4 of switch B are all fiber ports, and the connection is a cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP can discover and disable this kind of error state of link.
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/2 need to be shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/2 shutted down!

Port g1/0/3 and port g1/0/4 of switch B are all shut down by ULDP, and there is notification information on the CRT terminal of PC2.
The Recovery timer is disabled by default and will only be enabled when the users have configured recovery time (30-86400 seconds). Reset command and reset mechanism can only reset the ports automatically shut down by ULDP. The ports shut down manually by users or by other modules won’t be reset by ULDP.
Chapter 5 LLDP Function Operation Configuration

5.1 Introduction to LLDP Function

Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them. If necessary, the ports can also send update information to the neighbor devices directly connected to them, and those neighbor devices will store the information in standard SNMP MIBs.
connect to other devices and so on, it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very useful for scheduling and for investigating the source of network failures. LLDP will be a very useful management tool, providing accurate information about network mirroring, flow data and searching network problems.

5.2 LLDP Function Configuration Task Sequence

1. 2. 3. 4. 5.
4. Configure the intervals of LLDP updating messages

Command / Explanation

Global Mode
  lldp tx-interval
  no lldp tx-interval
      Configure the intervals of LLDP updating messages as the specified value or default value.

5. Configure the aging time multiplier of LLDP messages

Command / Explanation

Global Mode
  lldp msgTxHold
  no lldp msgTxHold
      Configure the aging time multiplier of LLDP messages as the specified value or default value.

6.
[sysName] [sysDesc] [sysCap] no lldp transmit optional tlv attribute of the port as the option value of default values.

10. Configure the size of space to store Remote Table of the port

Command / Explanation

Port Configuration Mode
  lldp neighbors max-num < value >
  no lldp neighbors max-num
      Configure the size of space to store Remote Table of the port as the specified value or default value.

11.
5.3 LLDP Function Typical Example

[Figure: LLDP Function Typical Configuration Example]

In the network topology graph above, ports 1 and 3 of switch B are connected to ports 2 and 4 of switch A. Port 1 of switch B is configured to message-receiving-only mode, and the Option TLV of port 4 of switch A is configured as portDes and SysCap.
Chapter 6 Port Channel Configuration

6.1 Introduction to Port Channel

To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel. Logically, Port Group is not a port but a port sequence.
All Ports are of the same speed. All ports are Access ports and belong to the same VLAN or are all TRUNK ports, or are all Hybrid ports. If the ports are all TRUNK ports or Hybrid ports, then their “Allowed VLAN” and “Native VLAN” property should also be the same. If Port Channel is configured manually or dynamically on switch, the system will automatically set the port with the smallest number to be Master Port of the Port Channel.
When configuring static LACP aggregation, use “on” mode to force the port to enter the aggregation group.

6.2.2 Dynamic LACP Aggregation

1. The summary of the dynamic LACP aggregation

Dynamic LACP aggregation is an aggregation created and deleted by the system automatically; it does not allow the user to add or delete the member ports of the dynamic LACP aggregation.
Command / Explanation

Global Mode
  port-group
  no port-group
      Create or delete a port group.

2. Add physical ports to the port group

Command / Explanation

Port Mode
  port-group mode {active | passive | on}
  no port-group
      Add the ports to the port group and set their mode.

3. Enter port-channel configuration mode.

Command / Explanation

Global Mode
  interface port-channel

4.
  no lacp port-priority
      The no command restores the default value.

7. Set the timeout mode of the current port in LACP protocol

Command / Explanation

Port mode
  lacp timeout {short | long}
  no lacp timeout
      Set the timeout mode in LACP protocol. The no command restores the default value.

6.4 Port Channel Examples

Scenario 1: Configuring Port Channel in LACP.
Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/0/6
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode passive
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode passive
Switch2(Config-If-Port-Range)#exit
Switch2(config)#interface port-channel 2
Switch2(Config-If-Port-Channel2)#

Configuration result:
Shell prompts ports aggregated successfully after a while, now ports 1, 2, 3, 4 of S1 form an aggr
Switch1(config)#interface ethernet 1/0/3
Switch1(Config-If-Ethernet1/0/3)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/3)#exit
Switch1(config)#interface ethernet 1/0/4
Switch1(Config-If-Ethernet1/0/4)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/4)#exit

Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/0/6
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-Port-Ra
Chapter 7 Jumbo Configuration

7.1 Introduction to Jumbo

So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frames. Networks with jumbo frames will increase the speed of the whole network by 2% to 5%. Technically the Jumbo is just a lengthened frame sent and received by the switch. However, considering the length of Jumbo frames, they will not be sent to the CPU.
Chapter 8 EFM OAM Configuration

8.1 Introduction to EFM OAM

Ethernet was originally designed for Local Area Networks, but link length and network scope have extended rapidly as Ethernet has also been applied to Metropolitan Area Networks and Wide Area Networks. The lack of an effective management mechanism hinders the application of Ethernet to Metropolitan Area Networks and Wide Area Networks, so implementing OAM on Ethernet has become a necessary development trend.
1. Ethernet OAM connection establishment

An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode. A session can only be established by an OAM entity working in active mode; an entity working in passive mode needs to wait until it receives the connection request.
peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs. Therefore, the network administrator can keep track of link status in time through the log information and troubleshoot in time.
[Figure: Typical OAM application topology (Customer, Service Provider, Customer; CE and PE; 802.3ah Ethernet in the First Mile; 802.1ah; OAMPDU)]

8.2 EFM OAM Configuration

EFM OAM configuration task list
1. Enable EFM OAM function of port
2. Configure link monitor
3. Configure remote failure
4. Enable EFM OAM loopback of port

Note: it needs to enable OAM first when configuring OAM parameters.

1.
2. Configure link monitor

Command / Explanation

Port mode
  ethernet-oam link-monitor
  no ethernet-oam link-monitor
      Enable link monitor of EFM OAM, no command disables link monitor.
  ethernet-oam errored-symbol-period {threshold low | window }
  no ethernet-oam errored-symbol-period {threshold low | window }
      Configure the low threshold and window period of errored symbol period event, no command restores the default value.
  ethernet-oam errored-frame threshold high {high-frames | none}
  no ethernet-oam errored-frame threshold high
      Configure the high threshold of errored frame event, no command restores the default value. (optional)
  ethernet-oam errored-frame-seconds threshold high {high-frame-seconds | none}
  no ethernet-oam errored-frame-seconds threshold high
      Configure the high threshold of errored frame seconds event, no command restores the default value. (optional)

4.
CE (config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported

Other parameters use the default configuration.

Configuration on PE:
PE(config)#interface ethernet 1/0/1
PE (config-if-ethernet1/0/1)#ethernet-oam

Other parameters use the default configuration.

Execute the following command when using remote loopback.
PE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback

Execute the following command to make one of the OAM peers exit OAM loopback after detection is complete.
Chapter 9 VLAN Configuration

9.1 VLAN Configuration

9.1.1 Introduction to VLAN

VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE announced IEEE 802.
Enhancing network security

Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk. Each mode handles the forwarding of tagged and untagged packets differently. Ports of Access type belong to only one VLAN; usually they are used to connect to the ports of a computer. Ports of Trunk type allow multiple VLANs to pass and can receive and send the packets of multiple VLANs. Usually they are used for connections between switches.
VLAN Mode
  name
  no name
      Set or delete VLAN name.

3. Assigning Switch ports for VLAN

Command / Explanation

VLAN Mode
  switchport interface
  no switchport interface
      Assign Switch ports to VLAN.

4. Set the Switch Port Type

Command / Explanation

Port Mode
  switchport mode {trunk | access | hybrid}
      Set the current port as Trunk, Access or Hybrid port.

5.
  add WORD | except WORD | remove WORD} {tag | untag}
  no switchport hybrid allowed vlan
      Hybrid port with tag or untag mode.
  switchport hybrid native vlan
  no switchport hybrid native vlan
      Set/delete PVID of the port.

8. Disable/Enable VLAN Ingress Rules

Command / Explanation

Port Mode
  vlan ingress enable
  no vlan ingress enable
      Enable/Disable VLAN ingress rules.

9.
[Figure: Typical VLAN Application Topology (Switch A and Switch B joined by a trunk link; PCs and workstations in VLAN 2, VLAN100 and VLAN200 at each switch)]

The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements. The three VLANs are VLAN2, VLAN100 and VLAN200. These three VLANs span two different locations, A and B.
Switch(Config-Vlan100)#exit
Switch(config)#vlan 200
Switch(Config-Vlan200)#switchport interface ethernet 1/0/8-10
Switch(Config-Vlan200)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#exit
Switch(config)#

Switch B:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4
Switch(Config-Vlan2)#exit
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/5-7
Switch(Config-Vlan
[Figure: Typical Application of Hybrid Port (internet, Switch A, Switch B, PC1, PC2)]

PC1 connects to the interface Ethernet 1/0/7 of SwitchB, PC2 connects to the interface Ethernet 1/0/9 of SwitchB, and Ethernet 1/0/10 of SwitchA connects to Ethernet 1/0/10 of SwitchB. For security reasons, PC1 and PC2 must not be able to access each other, but both must be able to access other network resources through the gateway SwitchA. This can be implemented with Hybrid ports.
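Why hybrid-port settings can isolate PC1 from PC2 while leaving both a path to the gateway, as an added example (not from the manual): a Python model of untagged forwarding between hybrid ports that audits a configuration for leaks. It assumes standard 802.1Q behaviour (an untagged frame takes the ingress port's native VLAN and leaves only through ports that allow that VLAN); the allowed list of 1/0/9 and all settings of 1/0/10 in the sample are constructed, and parse_vlan_list, parse_hybrid_ports, forwards and audit_isolation are hypothetical helper names.

```python
import re

# Constructed sample in the manual's CLI syntax (prompts omitted). Port 1/0/7
# and the native VLAN of 1/0/9 follow the page; the allowed list of 1/0/9 and
# every setting of 1/0/10 are assumptions, not values taken from the manual.
GOOD_CONFIG = """
vlan 7;9;10
interface ethernet 1/0/7
switchport mode hybrid
switchport hybrid native vlan 7
switchport hybrid allowed vlan 7;10 untag
exit
interface ethernet 1/0/9
switchport mode hybrid
switchport hybrid native vlan 9
switchport hybrid allowed vlan 9;10 untag
exit
interface ethernet 1/0/10
switchport mode hybrid
switchport hybrid native vlan 10
switchport hybrid allowed vlan 7;9;10 untag
exit
"""

# Constructed misconfiguration: VLAN 7 is also allowed out of PC2's port.
BAD_CONFIG = GOOD_CONFIG.replace("allowed vlan 9;10 untag",
                                 "allowed vlan 7;9;10 untag")


def parse_vlan_list(text):
    """Expand the ';' and '-' list syntax, e.g. '7;10' or '100-102;200'."""
    vlans = set()
    for part in text.split(";"):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_hybrid_ports(config):
    """Collect mode, PVID and allowed VLANs per single Ethernet port."""
    ports, cur = {}, None
    for raw in config.splitlines():
        # Drop a leading 'Switch(...)#' prompt if the listing includes one.
        cmd = raw.split("#", 1)[-1].strip().lower()
        m = re.fullmatch(r"interface ethernet (\S+)", cmd)
        if m:
            # Defaults (access mode, PVID 1) are an assumption of this model.
            cur = ports.setdefault(m.group(1), {
                "mode": "access", "pvid": 1, "untag": set(), "tag": set()})
            continue
        if cmd == "exit":
            cur = None
        if cur is None:
            continue
        m = re.fullmatch(r"switchport mode (trunk|access|hybrid)", cmd)
        if m:
            cur["mode"] = m.group(1)
        m = re.fullmatch(r"switchport hybrid native vlan (\d+)", cmd)
        if m:
            cur["pvid"] = int(m.group(1))
        m = re.fullmatch(
            r"switchport hybrid allowed vlan (add )?([\d;\-]+) (tag|untag)", cmd)
        if m:
            vlans = parse_vlan_list(m.group(2))
            # 'add' extends the list; without it the list is replaced.
            cur[m.group(3)] = cur[m.group(3)] | vlans if m.group(1) else vlans
    return ports


def forwards(ports, src, dst):
    """True if an untagged frame entering src can leave through dst."""
    s, d = ports[src], ports[dst]
    vid = s["pvid"]                      # untagged ingress takes the PVID
    in_ok = vid in s["untag"] | s["tag"]  # ingress rule: port is a member
    out_ok = vid in d["untag"] | d["tag"]  # egress: VLAN allowed on dst
    return in_ok and out_ok


def audit_isolation(ports, hosts, uplink):
    """List host-to-host leaks and missing host/uplink paths."""
    findings = []
    for a in hosts:
        for b in hosts:
            if a != b and forwards(ports, a, b):
                findings.append(f"leak: {a} -> {b} (VLAN {ports[a]['pvid']})")
        if not forwards(ports, a, uplink):
            findings.append(f"no path: {a} -> {uplink}")
        if not forwards(ports, uplink, a):
            findings.append(f"no path: {uplink} -> {a}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        result = audit_isolation(parse_hybrid_ports(cfg),
                                 ["1/0/7", "1/0/9"], "1/0/10")
        print(name, result or "isolated, uplink reachable")
```

The misconfigured sample shows a one-way leak: frames from 1/0/7 reach 1/0/9 while the reverse direction stays blocked, which a simple two-way ping test between the PCs would not reveal.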
Switch B:
Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/0/7
Switch(Config-If-Ethernet1/0/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/0/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/0/7)#exit
Switch(Config)#interface Ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/9)#switchport hybrid native vlan 9
Switch(Config-If-Ethernet1/0/9)#switchport hyb
[Figure: A typical application scene]

Switches A and G are not directly connected in the layer 2 network; B, C, D, E and F are intermediate switches connecting A and G. Switches A and G configure VLAN100-1000 manually while switches B, C, D, E and F do not. When GVRP is not enabled, A and G cannot communicate with each other, because the intermediate switches do not have the relevant VLANs.
2. Configure port type

Command / Explanation

Port mode
  gvrp
  no gvrp
      Enable/disable GVRP function of port.

3. Enable GVRP function

Command / Explanation

Global mode
  gvrp
  no gvrp
      Enable/disable the global GVRP function of port.

9.2.3 Example of GVRP

GVRP application:

[Figure: Typical GVRP Application Topology (PC, Switch A, Switch B, Switch C, PC)]

To enable dynamic VLAN information registration and update among switches, the GVRP protocol is to be configured in the switch.
communicate with each other through Switch B without static VLAN100 entries.

Configuration Item / Configuration description
  VLAN100: Port 2-6 of Switch A and C.
  Trunk port: Port 11 of Switch A and C, Port 10, 11 of Switch B.
  Global GVRP: Switch A, B, C.
  Port GVRP: Port 11 of Switch A and C, Port 10, 11 of Switch B.

Connect two workstations to the VLAN100 ports in switch A and B, connect port 11 of Switch A to port 10 of Switch B, and port 11 of Switch B to port 11 of Switch C.
Switch(Config-If-Ethernet1/0/11)# gvrp
Switch(Config-If-Ethernet1/0/11)#exit

9.2.4 GVRP Troubleshooting

The GARP counter setting for Trunk ports in both ends of Trunk link must be the same, otherwise GVRP will not work normally. It is recommended to avoid enabling GVRP and RSTP at the same time in switch. If GVRP needs to be enabled, RSTP function for the ports must be disabled first.

9.3 Dot1q-tunnel Configuration

9.3.1 Introduction to Dot1q-tunnel

Dot1q-tunnel is also called QinQ (802.1Q-in-802.
traveling in the ISP internet network while carrying two VLAN tags (the inner tag is added when entering PE1, and the outer is SPVID), whereas the VLAN information of the user network is open to the provider network. When the packet reaches PE2 and before being forwarded to CE2 from the client port on PE2, the outer VLAN tag is removed, then the packet CE2 receives is absolutely identical to the one sent by CE1.
9.3.3 Typical Applications of the Dot1q-tunnel

Scenario: Edge switch PE1 and PE2 of the ISP internet forward the VLAN200~300 data between CE1 and CE2 of the client network with VLAN3. The port1 of PE1 is connected to CE1, port10 is connected to public network, the TPID of the connected equipment is 9100; port1 of PE2 is connected to CE2, port10 is connected to public network.

Configuration Item / Configuration Explanation
  VLAN3: Port1 of PE1 and PE2.
  dot1q-tunnel: Port1 of PE1 and PE2.
9.3.4 Dot1q-tunnel Troubleshooting

Enabling dot1q-tunnel on a Trunk port makes the tag of the data packet unpredictable, which is not wanted in the application, so it is not recommended to enable dot1q-tunnel on a Trunk port.
Enabling it together with STP/MSTP is not supported.
Enabling it together with PVLAN is not supported.

9.4 VLAN-translation Configuration

9.4.
Port mode
  vlan-translation miss drop in
  no vlan-translation miss drop in
      Configure the VLAN-translation packet dropped on port if there is any failure.

4. Show the related configuration of vlan-translation

Command / Explanation

Admin mode
  show vlan-translation
      Show the related configuration of vlan-translation.

9.4.3 Typical application of VLAN-translation

Scenario: Edge switch PE1 and PE2 of the ISP internet support the VLAN20 data task between CE1 and CE2 of the client network with VLAN3.
switch(Config-Ethernet1/0/1)# vlan-translation enable
switch(Config-Ethernet1/0/1)# vlan-translation 20 to 3 in
switch(Config-Ethernet1/0/1)# vlan-translation 3 to 20 out
switch(Config-Ethernet1/0/1)# exit
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)#exit
switch(Config)#

9.4.4 VLAN-translation Troubleshooting

Normally the VLAN-translation is applied on trunk ports.
Notice: Dynamic VLAN needs to associate with Hybrid attribute of the ports to work, so the ports that may be added to a dynamic VLAN must be configured as Hybrid port.

9.5.2 Dynamic VLAN Configuration

Dynamic VLAN Configuration Task Sequence:
1. Configure the MAC-based VLAN function on the port
2. Set the VLAN to MAC VLAN
3. Configure the correspondence between the MAC address and the VLAN
4. Configure the IP-subnet-based VLAN function on the port
5.
Port Mode
  switchport subnet-vlan enable
  no switchport subnet-vlan enable
      Enable/disable the port IP-subnet-base VLAN function on the port.

5.
or VLAN300, the port connecting M is configured as Hybrid mode and belongs to VLAN100 with untag mode. In this way, the data of VLAN100 will be forwarded to the port connecting M, and implement the communication requirement in VLAN100.

[Figure: Typical topology application of dynamic VLAN (SwitchA, SwitchB, SwitchC; VLAN100, VLAN200, VLAN300; M)]

Configuration Items / Configuration Explanation
  MAC-based VLAN: Global configuration on Switch A, Switch B, Switch C.
may not go through. The solution is to have the two devices actively send data packets to the switch (for example with ping), so that the switch learns their source MAC addresses; the two devices will then be able to communicate freely within the dynamic VLAN.

[Figure: Dynamic VLAN Troubleshooting (hosts 192.168.1.100/24 and 192.168.1.200/24 in the dynamic VLAN, pinging 192.168.1.200 and 192.168.1.100)]

Priority of dynamic vlan and vlan ingress filtering for processing packets is: dynamic vlan > vlan ingress filtering

9.
that may be added to Voice VLAN must be configured as Hybrid port.

9.6.2 Voice VLAN Configuration

Voice VLAN Configuration Task Sequence:
Set the VLAN to Voice VLAN
Add a voice equipment to Voice VLAN
Enable the Voice VLAN on the port

1. Configure the VLAN to Voice VLAN

Command / Explanation

Global Mode
  voice-vlan vlan
  no voice-vlan
      Set/cancel the VLAN as a Voice VLAN

2.
[Figure: VLAN typical apply topology (Switch, IP-phone1, IP-phone2)]

Configuration items / Configuration Explanation
  Voice VLAN: Global configuration on the Switch.
Chapter 10 MAC Table Configuration

10.1 Introduction to MAC Table

The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
The topology of the figure above: 4 PCs are connected to the switch, where PC1 and PC2 belong to the same physical segment (same collision domain), which connects to port 1/0/5 of the switch; PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch. The initial MAC table contains no address mapping entries.
PC1 are in the same physical segment and filter the message (i.e. drop this message).

Three types of frames can be forwarded by the switch:
Broadcast frame
Multicast frame
Unicast frame

The following describes how the switch deals with all the three types of frames:

Broadcast frame: The switch can segregate collision domains but not broadcast domains. If no VLAN is set, all devices connected to the switch are in the same broadcast domain.
id > [interface [ethernet | portchannel] ] | [source|destination|both]
no mac-address-table {static | static-multicast | blackhole | dynamic} [address ] [vlan ] [interface [ethernet | portchannel] ]
entries.

Clear dynamic address table

Admin Mode
  Command: clear mac-address-table dynamic [address ] [vlan ] [interface [ethernet | portchannel] ]
  Explanation: Clear the dynamic address table.

10.
Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1

2. Set the static mapping relationship for PC2 and PC3 to port 7 and port 9, respectively.

Switch(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 1/0/7
Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/0/9

10.4 MAC Table Troubleshooting

Using the show mac-address-table command, a port is found to have failed to learn the MAC of a device connected to it.
1. Enable MAC address binding function for the ports

Port Mode
  Command: switchport port-security
           no switchport port-security
  Explanation: Enable MAC address binding function for the port and lock the port. When a port is locked, the MAC address learning function for the port will be disabled; the “no switchport port-security” command disables the MAC address binding function for the port, and restores the MAC address learning function for the port.

2.
port-security maximum” command restores the default value.
  Command: switchport port-security violation {protect | shutdown} [recovery <30-3600>]
           no switchport port-security violation
  Explanation: Set the violation mode for the port; the “no switchport port-security violation” command restores the default setting.

4.
Chapter 11 MSTP Configuration

11.1 Introduction to MSTP

The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridged-LAN, which consists of the bridges running the MSTP, the RSTP and the STP. It also calculates the independent multiple spanning-tree instances (MSTI) for each MST domain (MSTP domain).
[Figure: Example of CIST and MST Region (Root; bridges A, B, C, D, E, F, M; MST REGION)]

In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.

11.1.1.
Boundary Ports. They only process CIST related information and abandon MSTI information.

11.1.2 Port Roles

The MSTP bridge assigns a port role to each port which runs MSTP.
CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port
On top of those roles, each MSTI port has one new role: Master Port.
The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are defined in the same ways as those in the RSTP.

11.1.
2. Configure instance parameters

Global Mode
  Command: spanning-tree mst priority
           no spanning-tree mst priority
  Explanation: Set bridge priority for specified instance.
  Command: spanning-tree priority
           no spanning-tree priority
  Explanation: Configure the spanning-tree priority of the switch.
list> ]
  Command: name
           no name
  Explanation: Set MSTP region name.
  Command: revision-level
           no revision-level
  Explanation: Set MSTP region revision level.
  Command: abort
  Explanation: Quit MSTP region mode and return to Global mode without saving MSTP region configuration.
  Command: exit
  Explanation: Quit MSTP region mode and return to Global mode with saving MSTP region configuration.
  Command: no
  Explanation: Cancel one command or set initial value.

4.
  Command: spanning-tree format standard
           spanning-tree format privacy
           spanning-tree format auto
           no spanning-tree format
  Explanation: Configure the format of port spanning-tree packet; standard format is provided by IEEE, privacy is compatible with CISCO, and auto means the format is determined by checking the received packet.

7. Configure the spanning-tree attribute of port

Port Mode
  Command: spanning-tree cost
           no spanning-tree cost
  Explanation: Set the port path cost.
  Command: spanning-tree tcflush {enable| disable| protect}
           no spanning-tree tcflush
  Explanation: Configure the port flush mode. The no command restores to use the global configured flush mode.

11.3 MSTP Example

The following is a typical MSTP application example:

[Figure: Typical MSTP Application Scenario (Switch1, Switch2, Switch3, Switch4 with numbered ports; some ports marked "x")]

The connections among the switches are shown in the above figure.
Cost
Port 2 200000 200000 200000
Port 3 200000 200000
Port 4 200000 200000
Port 5 200000 200000
Port 6 200000 200000
Port 7 200000 200000

By default, the MSTP establishes a tree topology (in blue lines) rooted with SwitchA. The ports marked with “x” are in the discarding status, and the other ports are in the forwarding status.

Configuration Steps:
Step 1: Configure port to VLAN mapping:
Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4.
Switch2(Config-Port-Range)#switchport mode trunk
Switch2(Config-Port-Range)#exit
Switch2(config)#spanning-tree

Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;5
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0

After the above configuration, Switch1 is the root bridge of the instance 0 of the entire network. In the MSTP region which Switch2, Switch3 and Switch4 belong to, Switch2 is the region root of the instance 0, Switch3 is the region root of the instance 3 and Switch4 is the region root of the instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance 3.
[Figure: The Topology Of the Instance 4 after the MSTP Calculation (Switch 2, Switch 3, Switch4 with numbered ports; some ports marked "X")]

11.4 MSTP Troubleshooting

In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can’t be enabled on the port.
The MSTP parameters work together with each other, so the parameters should meet the following conditions. Otherwise, the MSTP may work incorrectly.
2×(Bridge_Forward_Delay -1.
Chapter 12 QoS Configuration

12.1 Introduction to QoS

QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
Internal Priority: The internal priority setting of the switch chip; its valid range depends on the chip. It is abbreviated as Int-Prio or IntP.
Drop Precedence: When processing packets, the packets with the higher drop precedence are dropped first; the range is 0-1. It is abbreviated as Drop-Prec or DP.
Classification: The entry action of QoS, classifying packet traffic according to the classification information carried in the packet and ACLs.
are QoS egress actions.

Basic QoS Model

Classification: Classify traffic according to packet classification information and generate internal priority based on the classification information. For different packet types, classification is performed differently; the flowchart below explains this in detail.

+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
[Figure: Classification process (flowchart). Labels: Start; tag packet (Y/N); L2 COS value obtained by the packet as the default COS (*1); L2 COS value of the packet is its own L2 COS; Trust DSCP (*2) (Y/N); IP packet (Y/N); Trust COS (*2) (Y/N); tag packet (Y/N); Set Int-Prio as the default ingress Int-Prio; COS-to-Int-Prio conversion according to L2 COS value of the packet; DSCP-to-Int-Prio conversion according to DSCP value of the packet; Enter the policing flow]

Note 1: L2 CoS value is considered a property of the packets, there is no
Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value, and can be policed and remarked. Policing can be performed per flow, with different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be single bucket dual color or dual bucket three color. The traffic is assigned different colors and can be discarded or passed; the remarking action is then applied to the passed packets.
[Figure: Policing and Remarking process (flowchart). Labels: Start; Whether configure the policy (Yes/No); Unrelated action with the color: Drop, Pass; The option is as follows: Set Int-Prio: Set the internal priority of the packets; Decide the packet color and action according to the policing policy; The specific color action: Drop, Pass; Select one option of the following: Set Int-Prio: Set the internal priority of the packets (*1), Policied-IntP-Transmit: Drop the internal priority of the packets (*2); Enter scheduling; Drop the packets]
scheduling operation assigns the packets to different priority queues according to the internal priority, and then forwards the packets according to the priority queue weight and the drop precedence. The following flowchart describes the scheduling operation.
to classify the data stream. Different classes of data streams will be processed with different policies.

Configure a policy map

After data stream classification, a policy map can be created to associate with the class map created earlier and enter class mode. Then different policies (such as bandwidth limit, priority degrading, assigning new DSCP value) can be applied to different data streams. You can also define a policy set that can be used in a policy map by several classes.
no policy-map mode; the no command deletes the specified policy map.
  Command: class [insert-before ]
           no class
  Explanation: After a policy map is created, it can be associated to a class. Different policy or new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
  Command: set internal priority
           no set internal priority
assigned action.
  Command: transmit
           no transmit

3. Apply QoS to port or VLAN interface

Interface Configuration Mode
  Command: mls qos trust {cos | dscp}
           no mls qos trust {cos | dscp}
  Explanation: Configure port trust; the no command disables the current trust status of the port.
  Explanation: Configure the default CoS value of the port; the no command restores the default setting.
to | dscp-intp to | dscp-dp to ) command restores the default mapping value.
  Command: no mls qos map (cos-dp | dscp-dscp | dscp-intp | dscp-dp)
  Command: mls qos map intp-dscp
           no mls qos map intp-dscp

6. Clear accounting data of the specific ports or VLANs

Admin Mode
  Command: clear mls qos statistics [interface | vlan ]
  Explanation: Clear accounting data of the specified ports or VLAN Policy Map.
Switch(Config-If-Ethernet1/0/1)#mls qos cos 5

Configuration result:
When QoS is enabled in Global Mode, the egress queue bandwidth proportion of each port is 1:1:2:2:4:4:8:8. When packets that carry a CoS value come in through port ethernet1/0/1, they are mapped to the internal priority according to the CoS value; CoS values 0 to 7 correspond to output queues 1, 2, 3, 4, 5, 6, 7, 8 respectively. If the incoming packet has no CoS value, the CoS defaults to 5 and the packet is put in queue 6.
[Figure: Typical QoS topology (QoS area; Server; Switch 3; Switch 2; Trunk; Switch 1)]

As shown in the figure, inside the block is a QoS domain. Switch1 classifies different traffic and assigns different IP precedences. For example, set CoS precedence for packets from segment 192.168.1.0 to 5 on port ethernet1/0/1 (set the internal priority to 40, set the default intp-dscp mapping to 40-40, the corresponding IP precedence to 5). The port connecting to switch2 is a trunk port.
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#mls qos trust cos

12.4 QoS Troubleshooting

trust cos and EXP can be used with other trust or Policy Map.
trust dscp can be used with other trust or Policy Map. This configuration takes effect to IPv4 and IPv6 packets.
trust exp, trust dscp and trust cos may be configured at the same time, the priority is: EXP>DSCP>COS.
Chapter 13 Flow-based Redirection

13.1 Introduction to Flow-based Redirection

The flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
13.3 Flow-based Redirection Examples

Example:
User’s request of configuration is listed as follows: redirecting the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is sending the frames whose source IP is 192.168.1.111 received from port 1 through port 6.

Modification of configuration:
1: Set an ACL, the condition to be matched is: source IP is 192.168.1.111;
2: Apply the redirection based on this flow to port 1.
Chapter 14 Egress QoS Configuration

14.1 Introduction to Egress QoS

In traditional IP networks, all packets are treated in the same way. All network devices handle them with a first-in-first-out policy and make a best effort to send them to the destination. However, this does not guarantee performance such as reliability and transmission delay. Networks develop so fast that, with the continual emergence of new applications, new demands have been raised for the quality of service on IP networks.
14.1.
[Figure: flowchart. Labels: Start; Classify or not (No/Yes); Modify QoS (optional): Set cos/dscp; Drop; Transmit; Whether configured Policing policy (No/Yes); Modify QoS according remark table (optional): cos-cos, cos-dscp, dscp-cos, dscp-dscp; Action of red packets: drop/transmit; End]

Description of action that modify QoS attribute according to egress remark table:
cos-cos: for cos value of packets, modify cos value of packets according to cos table of QoS remarking
cos-dscp: for cos value of packets, modify dscp value of packets accordin
After data stream classification, a policy map can be created to associate with a class map created earlier and enter policy class mode. Then different policies (such as bandwidth limit, assigning new DSCP value) can be applied to different data streams.

Apply Egress QoS to port or VLAN

Configure the trust mode or binding policies for ports. A policy will only take effect on a port when it is bound to that port. The policy may be bound to the specific VLAN.
  Command: set {ip dscp | ip precedence | cos | c-vid | s-vid | s-tpid }
           no set {ip dscp | ip precedence | cos | c-vid | s-vid | s-tpid}
  Explanation: Assign a new DSCP, CoS and IP Precedence value for the classified flow; the no command cancels the operation.
  Single bucket mode:
  Command: policy ({action ACTION} | exceed-action drop | transmit})
  Explanation: Configure a policy for the classified flow.
no service-policy output

Global Mode
  Command: service-policy output vlan
           no service-policy output vlan
  Explanation: Apply a policy map to the egress of the VLAN; the no command deletes the specified policy map applied to the VLAN interface.

4.
  Command: show mls qos maps {cos-cos | cos-dscp | dscp-cos | dscp-exp} {green | yellow | red |}
  Explanation: Show mapping relation of Egress QoS remark.

14.3 Egress QoS Examples

Example 1:
On the egress of port 1, change the cos value to 4 for packets with a dscp value of 0.
Example 3: In egress of port 1, limit the speed of packets. Set the bandwidth for packets to 1 Mb/s, with the normal burst value of 1 MB, the max burst value of 4 MB, set dscp value of 1 as 10 for green packets, set dscp value of yellow packets as 9 and drop red packets.
preferential for modifying packets.
Chapter 15 Flexible QinQ Configuration

15.1 Introduction to Flexible QinQ

15.1.1 QinQ Technique

Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its main idea is to encapsulate the customer VLAN tag (CVLAN tag) in the service provider VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone network of the ISP internet to provide a simple layer-2 tunnel for the users.
Create a class-map and enter class-map mode, the no command deletes the specified class-map.
Global mode
  Command: service-policy input vlan
           no service-policy input vlan
  Explanation: Apply a policy-map to a VLAN, the no command deletes the specified policy-map applied to the VLAN.

4. Show flexible QinQ policy-map bound to port

Admin mode
  Command: show mls qos {interface []
  Explanation: Show flexible QinQ configuration on the port.

15.
an external tag. In the above figure, the external tag of the second user is different to the first user for distinguishing DSLAM location and locating the user finally.
Switch(config-policymap-p1)#class c3
Switch(config-policymap-p1-class-c3)# set s-vid 3002
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)# service-policy input p1

15.
Chapter 16 Layer 3 Forward Configuration

The switch supports Layer 3 forwarding, which forwards Layer 3 protocol packets (IP packets) across VLANs. Such forwarding uses IP addresses: when an interface receives an IP packet, it performs a lookup in its own routing table and decides the operation according to the lookup result. If the IP packet is destined to another subnet reachable from this switch, then the packet will be forwarded to the appropriate interface.
(4) Configure the relation between VRF instance and the interface

1. Create Layer 3 Interface

Global Mode
  Command: interface vlan
           no interface vlan
  Explanation: Creates a VLAN interface (VLAN interface is a Layer 3 interface); the no command deletes the VLAN interface (Layer 3 interface) created in the switch.
  Command: interface loopback
           no interface loopback
Global Mode
  Command: ip vrf
           no ip vrf
  Explanation: Create VRF instance; VRF instance is not created by default.

VRF Mode
  Command: rd
  Explanation: Configure RD of VRF instance. RD is not created by default.
  Command: route-target {import | export | both}
           no route-target {import | export | both}
  Explanation: Configure RT of VRF instance

Interface Mode
  Command: ip vrf forwarding
           no ip vrf forwarding
  Explanation: Configure the relation between VRF instance and the interface.
lifespan of existing IPv4 infrastructure, including Network Address Translation (NAT for short), and Classless Inter-Domain Routing (CIDR for short), etc.
enables the Correspondent Node to communicate with the Mobile Node directly, thereby avoiding the extra system cost caused by the triangle routing choice required in IPv4.

Avoid the use of Network Address Translation. The purpose of introducing the NAT mechanism is to share and reuse the same address space among different network segments. This mechanism temporarily mitigates the shortage of IPv4 addresses; meanwhile it adds the burden of the address translation process to network devices and applications.
(1) Configure DAD neighbor solicitation message number
(2) Configure send neighbor solicitation message interval
(3) Enable and disable router advertisement
(4) Configure router lifespan
(5) Configure router advertisement minimum interval
(6) Configure router advertisement maximum interval
(7) Configure prefix advertisement parameters
(8) Configure static IPv6 neighbor entries
(9) Delete all entries in IPv6 neighbor table
(10) Set the hoplimit of sending router advertisement
(11) Set the mtu of sending rout
(2) Set IPv6 Static Routing

Global mode
  Command: ipv6 route {| | { }} [distance]
           no ipv6 route {| |{ }} [distance]

2.
(4) Configure Router Lifespan

Interface Configuration Mode
  Command: ipv6 nd ra-lifetime
           no ipv6 nd ra-lifetime
  Explanation: Configure Router advertisement Lifespan. The NO command resumes default value (1800 seconds).

(5) Configure router advertisement Minimum Interval

Interface Configuration Mode
  Command: ipv6 nd min-ra-interval
           no ipv6 nd min-ra-interval
  Explanation: Configure the minimum interval for router advertisement. The NO command resumes default value (200 seconds).
  Command: no ipv6 neighbor
  Explanation: Delete neighbor table entries.

(9) Delete all entries in IPv6 neighbor table

Admin Mode
  Command: clear ipv6 neighbors
  Explanation: Clear all static neighbor table entries.

(10) Set the hoplimit of sending router advertisement

Interface Configuration Mode
  Command: ipv6 nd ra-hoplimit
  Explanation: Set the hoplimit of sending router advertisement.
(15) Set the flag representing whether the address information will be obtained via DHCPv6

Interface Configuration Mode
  Command: ipv6 nd managed-config-flag
  Explanation: Set the flag representing whether the address information will be obtained via DHCPv6.

3. IPv6 Tunnel Configuration

(1) Add/Delete tunnel

Global mode
  Command: interface tunnel
           no interface tunnel
  Explanation: Create a tunnel. The NO command deletes a tunnel.
  Command: tunnel nexthop
           no tunnel nexthop
  Explanation: Configure tunnel next-hop IPv4 address. The NO command deletes the IPv4 address of tunnel nexthop end.

(6) Configure Tunnel Mode

Tunnel Configuration Mode
  Command: tunnel mode [[gre] | ipv6ip [ 6to4 | isatap]]
           no tunnel mode
  Explanation: Configure tunnel mode. The NO command clears tunnel mode.
Configure IPv4 address 192.168.1.1 255.255.255.0 in VLAN1 of Switch1, and configure IPv4 address 192.168.2.1 255.255.255.0 in VLAN2. Configure two VLANs on Switch2, respectively VLAN2 and VLAN3. Configure IPv4 address 192.168.2.2 255.255.255.0 in VLAN2 of Switch2, and configure IPv4 address 192.168.3.1 255.255.255.0 in VLAN3. The IPv4 address of PC1 is 192.168.1.100 255.255.255.0, and the IPv4 address of PC2 is 192.168.3.100 255.255.255.0. Configure static routing 192.168.3.
The user’s configuration requirements are: Configure IPv6 address of different network segments on Switch1 and Switch2, configure static routing and validate reachability using ping6 function. Configuration Description: Configure two VLANs on Switch1, namely, VLAN1 and VLAN2. Configure IPv6 address 2001::1/64 in VLAN1 of Switch1, and configure IPv6 address 2002::1/64 in VLAN2. Configure 2 VLANs on Switch2, namely, VLAN2 and VLAN3.
interface Loopback
 mtu 3924
!
ipv6 route 2003::/64 2002::2
!
no login
!
end

Switch2#show run
interface Vlan2
 ipv6 address 2002::2/64
!
interface Vlan3
 ipv6 address 2003::1/64
!
interface Loopback
 mtu 3924
!
ipv6 route 2001::/64 2002::1
!
no login
!
End

Example 2:

[Figure: SwitchC, SwitchA, PC-A, SwitchB, PC-B]
IPv6 tunnel

This case is IPv6 tunnel with the following user configuration requirements: SwitchA and SwitchB are tunnel nodes, dual-stack is supported. SwitchC only runs IPv4, PC-A and PC-B communicate.

Configuration Description:
Configure two vlans on SwitchA, namely, VLAN1 and VLAN2. VLAN1 is IPv6 domain, VLAN2 connects to IPv4 domain.
Configure IPv6 address 2002:caca:ca01:2::1/64 in VLAN1 of SwitchA and turn on RA function, configure IPv4 address 202.202.202.1 in VLAN2.
SwitchB(config)#interface tunnel 1
SwitchB(Config-if-Tunnel1)#tunnel source 203.203.203.1
SwitchB(Config-if-Tunnel1)#tunnel destination 202.202.202.1
SwitchB(Config-if-Tunnel1)#tunnel mode ipv6ip
SwitchB(config)#ipv6 route ::/0 tunnel1

16.2.4 IPv6 Troubleshooting

The router lifespan configured should not be smaller than the Send Router advertisement Interval.
If the connected PC has not obtained IPv6 address, you should check RA announcement switch (the default is turned off).

16.3 IP Forwarding

16.3.
address as the destination address which is acquired from the packet. If the found router exit interface does not match the entrance interface acquired from this packet, the switch will consider this packet a fake packet and discard it. In Source Address Spoofing attacks, attackers will construct a series of messages with fake source addresses. For applications based on IP address verification, such attacks may allow unauthorized users to access the system as some authorized ones, or even the administrator.
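The reverse-path check described above, modelled as an added example (not code from the manual or the switch): the source address is looked up as if it were a destination, and the packet is kept only when the route's exit interface equals the ingress interface. The route table, the interface names and the packets are constructed; dropping a source with no route at all and accepting any of several equal-cost exit interfaces are assumptions that go beyond the text.

```python
"""Strict uRPF decision modelled in Python (added illustration, not switch firmware)."""
import ipaddress

# Constructed forwarding table for a hypothetical layer-3 switch:
# (destination prefix, exit interface). Interface names are assumptions.
ROUTES = [
    ("10.1.1.0/24", "Vlan3"),
    ("10.1.2.0/24", "Vlan4"),
    ("10.1.0.0/16", "Vlan5"),  # less specific; loses to the /24 routes
    ("2002::/64", "Vlan4"),
]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.1.1.10", "Vlan3"),  # genuine host behind Vlan3
    ("10.1.1.10", "Vlan4"),  # same source address arriving on the wrong side
    ("10.1.9.9", "Vlan5"),   # only the /16 matches
    ("10.1.2.20", "Vlan5"),  # the /24 via Vlan4 is more specific than the /16
    ("192.0.2.7", "Vlan4"),  # no route back to this source
    ("2002::4", "Vlan4"),    # IPv6 is checked the same way
    ("2002::4", "Vlan3"),
]


def build_table(routes):
    """Map each prefix to the set of exit interfaces (a set allows equal-cost paths)."""
    table = {}
    for prefix, interface in routes:
        table.setdefault(ipaddress.ip_network(prefix), set()).add(interface)
    return table


def reverse_path_interfaces(table, source):
    """Look the packet's SOURCE address up as if it were a destination
    (longest-prefix match) and return the exit interfaces of the best route."""
    address = ipaddress.ip_address(source)
    best = None
    for network in table:
        if network.version != address.version or address not in network:
            continue
        if best is None or network.prefixlen > best.prefixlen:
            best = network
    return set() if best is None else table[best]


def urpf_check(table, source, ingress):
    """Return (verdict, reason) for one packet under the strict check."""
    exits = reverse_path_interfaces(table, source)
    if not exits:
        # Assumption: a source with no route at all is also treated as fake.
        return "drop", "no route back to source"
    if ingress not in exits:
        return "drop", "route to source exits via " + ", ".join(sorted(exits))
    return "forward", "ingress matches reverse path"


def classify(packets, routes=ROUTES):
    """Run every packet through the check; returns (source, ingress, verdict, reason)."""
    table = build_table(routes)
    return [(src, port) + urpf_check(table, src, port) for src, port in packets]


if __name__ == "__main__":
    for src, port, verdict, reason in classify(PACKETS):
        print(f"{src:<12} on {port:<6} -> {verdict:<8} ({reason})")
```
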
16.4.3 URPF Typical Example

[Figure: URPF typical example. Labels: SW1, SW2, SW3; E1/0/8, E1/0/2, E1/0/3, E3/2; Vlan3, Vlan4, vlan1; 10.1.1.10/24; PC 2002::4/64; Globally enable URPF; Enable URPF; Vicious access host; Pretending to be SW2 by using 10.1.1.10 to launch a vicious attack]

In the network topology shown in the figure above, the IP URPF function is enabled on SW3.
separation and communicate via proxy ARP interface as if in the same physical network.

16.5.2 ARP Configuration Task List

ARP Configuration Task List:
1. Configure static ARP
2. Configure proxy ARP
3. Clear dynamic ARP
4. Clear the statistic information of ARP messages

1.
Check whether the corresponding ARP has been learned by the switch. If ARP has not been learned, then enable ARP debugging information and view the sending/receiving condition of ARP packets. Defective cable is a common cause of ARP problems and may disable ARP learning.

16.6 Hardware Tunnel Capacity Configuration

16.6.1 Introduction to Hardware Tunnel Capacity

Hardware Tunnel Capacity is the maximum number of tunnel and MPLS forwarded by hardware.
Chapter 17 ARP Scanning Prevention Function Configuration

17.1 Introduction to ARP Scanning Prevention Function

ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source broadcasts lots of ARP messages in the segment, which takes up a large part of the bandwidth of the network. It might even mount a large-traffic attack via fake ARP messages to collapse the network by exhausting the bandwidth.
1. Enable the ARP Scanning Prevention function.

Global configuration mode
  Command: anti-arpscan enable
           no anti-arpscan enable
  Explanation: Enable or disable the ARP Scanning Prevention function globally.

2.
no anti-arpscan recovery time

Display relative information of debug information and ARP scanning

Global configuration mode
  Command: anti-arpscan log enable
           no anti-arpscan log enable
  Explanation: Enable or disable the log function of ARP scanning prevention.
  Command: anti-arpscan trap enable
           no anti-arpscan trap enable
  Explanation: Enable or disable the SNMP Trap function of ARP scanning prevention.
SwitchA(config)#interface ethernet1/0/2
SwitchA(Config-If-Ethernet1/0/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/0/2)#exit
SwitchA(config)#interface ethernet1/0/19
SwitchA(Config-If-Ethernet1/0/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/0/19)#exit

SwitchB configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/0/1
SwitchB(Config-If-Ethernet1/0/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/0/1)#exit

17.
Chapter 18 Prevent ARP, ND Spoofing Configuration

18.1 Overview

18.1.1 ARP (Address Resolution Protocol)

Generally speaking, the ARP (RFC-826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, the IP address is 192.168.0.1 and the network card MAC address is 00-1F-CE-FD-1D-2B.
switches, host computers or network equipment. The essential method for preventing ARP-based attacks and spoofing against switches in a network is to disable the switch's automatic update function; the cheater then cannot modify a correct MAC address, which avoids packets being transferred wrongly, and cannot obtain other information. At the same time, this does not interrupt the automatic learning function of ARP. Thus it prevents ARP spoofing and attack to a great extent.
18.3 Prevent ARP, ND Spoofing Example

[Figure: Switch, A, B, C]

Equipment Explanation

Equipment | Configuration | Quantity
switch | IP:192.168.2.4; IP:192.168.1.4; mac: 00-00-00-00-00-04 | 1
A | IP:192.168.2.1; mac: 00-00-00-00-00-01 | 1
B | IP:192.168.1.2; mac: 00-00-00-00-00-02 | 1
C | IP:192.168.2.3; mac: 00-00-00-00-00-03 | some

B and C communicate normally in the diagram above. A wants the switch to forward the packets sent by B to A itself, so it needs the switch to send the packets coming from B to A.
Switch(Config)#
Switch(config)#ip arp-security convert

If the environment changes, ARP refresh can be forbidden: once the switch learns an ARP entry, the entry will not be refreshed by a new ARP reply packet, which protects user data from sniffing.

Switch#config
Switch(config)#ip arp-security updateprotect
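The effect of forbidding ARP refresh, modelled as an added example (not code from the manual or the switch): the same sequence of ARP replies is replayed against a cache that accepts updates and against one that keeps the first binding it learned. The addresses of A, B and C are the ones from the equipment table above; the reply sequence, the extra host 192.168.2.5 and all function names are constructed, and it is an assumption that A's forged reply claims C's IP address.

```python
"""ARP cache with and without update protection (added illustration)."""
from dataclasses import dataclass, field

MAC_A = "00-00-00-00-00-01"
MAC_B = "00-00-00-00-00-02"
MAC_C = "00-00-00-00-00-03"

# Constructed sequence of ARP replies as seen by the switch: (sender IP, sender MAC).
REPLIES = [
    ("192.168.2.1", MAC_A),                # A announces itself
    ("192.168.1.2", MAC_B),                # B announces itself
    ("192.168.2.3", MAC_C),                # C announces itself
    ("192.168.2.3", MAC_A),                # forged: C's IP bound to A's MAC
    ("192.168.2.3", MAC_C),                # C's genuine refresh
    ("192.168.2.5", "00-00-00-00-00-05"),  # a new host; learning must still work
]


@dataclass
class ArpCache:
    """IP-to-MAC table of a layer-3 switch, reduced to what the example needs."""
    update_protect: bool = False
    entries: dict = field(default_factory=dict)    # ip -> mac
    conflicts: list = field(default_factory=list)  # (ip, stored mac, offered mac, action)

    def handle_reply(self, ip, mac):
        """Process one ARP reply and return what the cache did with it."""
        mac = mac.lower()
        stored = self.entries.get(ip)
        if stored is None:
            self.entries[ip] = mac  # learning is never blocked
            return "learned"
        if stored == mac:
            return "unchanged"
        # The reply contradicts an existing binding.
        action = "rejected" if self.update_protect else "updated"
        if not self.update_protect:
            self.entries[ip] = mac
        self.conflicts.append((ip, stored, mac, action))
        return action


def replay(replies, update_protect):
    """Feed all replies to a fresh cache; return the cache and the per-reply actions."""
    cache = ArpCache(update_protect=update_protect)
    actions = [cache.handle_reply(ip, mac) for ip, mac in replies]
    return cache, actions


def exposure(replies, update_protect, ip, genuine_mac):
    """Indexes of the replies after which `ip` resolved to a MAC other than the genuine one."""
    cache = ArpCache(update_protect=update_protect)
    steps = []
    for index, (reply_ip, reply_mac) in enumerate(replies):
        cache.handle_reply(reply_ip, reply_mac)
        if cache.entries.get(ip, genuine_mac) != genuine_mac:
            steps.append(index)
    return steps


if __name__ == "__main__":
    for protect in (False, True):
        cache, actions = replay(REPLIES, protect)
        print("update_protect =", protect, actions)
        print("  window in which 192.168.2.3 was misdirected:",
              exposure(REPLIES, protect, "192.168.2.3", MAC_C))
        print("  conflicts recorded:", cache.conflicts)
```

In this model the first binding learned wins, so protection only helps when it is switched on while the table holds genuine entries.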
Chapter 19 ARP GUARD Configuration

19.1 Introduction to ARP GUARD

There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between an IP address and a MAC address. This provides a chance for ARP cheating. Attackers can send ARP REQUEST messages or ARP REPLY messages to advertise a wrong mapping relationship between IP address and MAC address, causing problems in network communication.
19.2 ARP GUARD Configuration Task List

1. Configure the protected IP address

Port configuration mode
  Command: arp-guard ip
           no arp-guard ip
  Explanation: Configure/delete ARP GUARD address
Chapter 20 ARP Local Proxy Configuration

20.1 Introduction to ARP Local Proxy function

In a real application environment, the switches in the aggregation layer are required to implement local ARP proxy function to avoid ARP cheating. This function will restrict the forwarding of ARP messages in the same vlan and thus direct the L3 forwarding of the data flow through the switch.

192.168.1.1 192.168.1.200 192.168.1.
20.2 ARP Local Proxy Function Configuration Task List

1. Enable/disable ARP local proxy function

Interface vlan mode
  Command: ip local proxy-arp
           no ip local proxy-arp
  Explanation: Enable or disable ARP local proxy function.

20.3 Typical Examples of ARP Local Proxy Function

As shown in the following figure, S1 is a medium/high-level layer-3 switch supporting ARP local proxy, S2 is layer-2 access switches supporting interface isolation. Considering security, interface isolation function is enabled on S2.
In the process of operation, the system will show corresponding prompts if any operational error occurs.
Chapter 21 Gratuitous ARP Configuration

21.1 Introduction to Gratuitous ARP

Gratuitous ARP is a kind of ARP request that is sent by the host with its IP address as the destination of the ARP request. The basic working mode for QTECH switches is as below: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured to send gratuitous ARP packets on all the interfaces globally.
21.3 Gratuitous ARP Configuration Example

[Figure: Gratuitous ARP Configuration Example (Switch; Interface vlan10 192.168.15.254 255.255.255.0; Interface vlan1 192.168.14.254 255.255.255.0; PC1, PC2, PC3, PC4, PC5)]

For the network topology shown in the figure above, the IP address of interface VLAN10 in the switch system is 192.168.15.254 and the network address mask is 255.255.255.0. Three PCs – PC3, PC4, PC5 are connected to the interface. The IP address of interface VLAN 1 is 192.168.14.
Chapter 22 Keepalive Gateway Configuration

22.1 Introduction to Keepalive Gateway

When an Ethernet port is used for backup or load balancing, because it is a broadcast channel it may not detect the change of physical signal and may fail to go down when the gateway is down. Keepalive Gateway is introduced to detect the connectivity to the higher-up gateway, in the case that an Ethernet port connects with a higher-up gateway to form a point-to-point network topology.
interfaces.
  Command: show ip interface [interface-name]
  Explanation: Show IPv4 running status of the specified interface; if no interface is specified, show IPv4 running status of all interfaces.

22.3 Keepalive Gateway Example

[Figure: Keepalive gateway typical example]

In above network topology, interface address of interface vlan10 is 1.1.1.1 255.255.255.0 for gateway A, interface address of interface vlan100 is 1.1.1.2 255.255.255.
Chapter 23 DHCP Configuration 23.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network. DHCP is the enhanced version of BOOTP.
Switch can act as both a DHCP server and a DHCP relay. The DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e. assigning a specific IP address to a specified MAC address or specified device ID over a long period). The differences and relations between dynamic IP address allocation and manual IP address binding are: 1) An IP address obtained dynamically can be different every time; a manually bound IP address will be the same all the time.
no network-address operation of this command cancels the allocation address pool.
  Command: default-router [[[…]]]
           no default-router
  Explanation: Configure default gateway for DHCP clients. The no operation cancels the default gateway.
  Command: dns-server [[[…]]]
           no dns-server
  Explanation: Configure DNS server for DHCP clients. The no command deletes DNS server configuration.
(3) Configure manual DHCP address pool parameters

DHCP Address Pool Mode
  Command: hardware-address [{Ethernet | IEEE802|}]
           no hardware-address
  Explanation: Specify/delete the hardware address when assigning address manually.
  Command: host [ | ]
           no host
  Explanation: Specify/delete the IP address to be assigned to the specified client when binding address manually.
to the relay agent field in the DHCPDISCOVER packet on receiving the packet, and forwards the packet to the specified DHCP server (for DHCP frame format, please refer to RFC2131). On receiving the DHCPDISCOVER packets forwarded by the DHCP relay, the DHCP server sends the DHCPOFFER packet via the DHCP relay to the DHCP client. The DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet; the DHCP relay forwards the packet to the DHCP server after processing.
10.16.1.201 10.16.1.201 DNS server 10.16.1.202 DNS server 10.16.1.202 WINS server 10.16.1.209 WWW server 10.16.1.209 WINS node type H-node Lease 3 days Lease 1day

In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned a fixed IP address of 10.16.1.210 and named “management”.

Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.
client gateway and the switch must be ensured for the client to get an IP address from the 10.16.2.0/24 address pool.

Scenario 2:

[Figure: DHCP Relay Configuration. DHCP Clients; DHCP Relay with E1/0/1 192.168.1.1 and E1/0/2 10.1.1.1; DHCP Server 10.1.1.10.]

As shown in the above figure, route switch is configured as a DHCP relay. The DHCP server address is 10.1.1.
23.5 DHCP Troubleshooting If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed when DHCP client hardware and cables have been verified ok. Verify the DHCP server is running, start the related DHCP server if not running. If the DHCP clients and servers are not in the same physical network, verify the router responsible for DHCP packet forwarding has DHCP relay function.
Chapter 24 DHCPv6 Configuration 24.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version for Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 address as well as other network configuration parameters such as DNS address, and domain name to DHCPv6 client, DHCPv6 is a conditional auto address configuration protocol relative to IPv6.
message, which includes the identity of the server (its DUID) and its priority. It is possible that the client receives multiple ADVERTISE messages. The client should select one and reply to it with a REQUEST message to request the address which is advertised in the ADVERTISE message. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to the client with the REPLY message. The above four steps finish a dynamic host configuration assignment process.
1. To enable/disable DHCPv6 service

Global Mode
  Command: service dhcpv6
           no service dhcpv6
  Explanation: To enable DHCPv6 service.

2. To configure DHCPv6 address pool

(1) To create/delete DHCPv6 address pool

Global Mode
  Command: ipv6 dhcp pool
           no ipv6 dhcp pool
  Explanation: To configure DHCPv6 address pool.
24.3 DHCPv6 Relay Delegation Configuration

DHCPv6 relay delegation configuration task list as below:
To enable/disable DHCPv6 service
To configure DHCPv6 relay delegation on port

1. To enable DHCPv6 service

Global Mode
  Command: service dhcpv6
           no service dhcpv6
  Explanation: To enable DHCPv6 service.

2.
no service dhcpv6

2. To configure prefix delegation pool

Global Mode
  Command: ipv6 local pool
           no ipv6 local pool
  Explanation: To configure prefix delegation pool.

3. To configure DHCPv6 address pool

(1) To create/delete DHCPv6 address pool

Global Mode
  Command: ipv6 dhcp pool
           no ipv6 dhcp pool
  Explanation: To configure DHCPv6 address pool.
4. To enable DHCPv6 prefix delegation server function on port

Interface Configuration Mode
  Command: ipv6 dhcp server [preference ] [rapid-commit] [allow-hint]
           no ipv6 dhcp server
  Explanation: To enable DHCPv6 server function on specified port, and binding used DHCPv6 address pool.

24.
DHCPv6 server in secondary aggregation layer, and connected with backbone network or higher aggregation layers; Windows Vista, which provides a DHCPv6 client, must be installed on the PC.
Switch3(Config-if-Vlan10)#exit
Switch3(config)#

Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd su
Switch2, is configured as the prefix delegation client.
Switch1(config)#interface vlan 2
Switch1(Config-if-Vlan2)#ipv6 dhcp client pd prefix-from-provider
Switch1(Config-if-Vlan2)#exit
Switch1(config)#interface vlan 3
Switch1(Config-if-Vlan3)#ipv6 address prefix-from-provider 0:0:0:1::1/64
Switch1(Config-if-Vlan3)#exit
Switch1(config)#ipv6 dhcp pool foo
Switch1(dhcpv6-foo-config)#dns-server 2001:4::1
Switch1(dhcpv6-foo-config)#domain-name www.ipv6.
Chapter 25 DHCP option 82 Configuration

25.1 Introduction to DHCP option 82

DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client’s physical access port, the access device ID and other information) to the DHCP request message from the client, then forwards the message to the DHCP server.
Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment.

25.1.2 Option 82 Working Mechanism

[Figure: DHCP option 82 flow chart. DHCP Client, DHCP Relay Agent, DHCP Server; DHCP Request, DHCP Request + Option 82, DHCP Reply + Option 82, DHCP Reply.]

If the DHCP Relay Agent supports option 82, the DHCP client should go through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge.
Configure DHCP option 82 default format of Relay Agent
Configure delimiter
Configure creation method of option82
Diagnose and maintain DHCP option 82

1. Enabling the DHCP option 82 of the Relay Agent.

Global mode
  Command: ip dhcp relay information option
           no ip dhcp relay information option
  Explanation: Set this command to enable the option 82 function of the switch Relay Agent. The “no ip dhcp relay information option” is used to disable the option 82 function of the switch Relay Agent.

2.
like “Vlan2+Ethernet1/0/12”, is the circuit-id contents of option 82 specified by users, which is a string no longer than 64 characters. The “no ip dhcp relay information option subscriber-id” command will set the format of added option 82 sub-option1 (Circuit ID option) as standard format.
no ip dhcp relay information option delimiter command restores the delimiter as slash. 6.
25.3 DHCP option 82 Application Examples

[Figure: A DHCP option 82 typical application example. Labels: PC1 (DHCP Client), PC2 (DHCP Client), Switch1, Switch2, Switch3 (DHCP Relay Agent), Vlan2:ethernet1/0/2, Vlan2:ethernet1/0/3, Vlan3, DHCP Server.]

In the above example, layer 2 switches Switch1 and Switch2 are both connected to layer 3 switch Switch3. Switch3 will transmit the request message from the DHCP client to the DHCP server as DHCP Relay Agent.
}
class "Switch3Vlan2Class2" {
    match if option agent.circuit-id = "Vlan2+Ethernet1/0/3" and option agent.remote-id = 00:1f:ce:02:33:01;
}
subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com.cn";
    option domain-name-servers 192.168.10.3;
    authoritative;
    pool {
        range 192.168.102.21 192.168.102.50;
        default-lease-time 86400; #24 Hours
        max-lease-time 172800; #48 Hours
        allow members of "Switch3Vlan2Class1";
    }
    pool {
        range 192.168.
operate normally, the allocation of addresses will fail. When there is more than one kind of Relay Agent, please pay attention to the retransmitting policy of the interface DHCP request messages. To observe how the option 82 function of the DHCP Relay Agent is carried out, the “debug dhcp relay packet” command can be used during operation; it shows the option 82 contents added, the retransmitting policy adopted, the option 82 contents of the server peeled by the Relay Agent, etc.
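The sub-option layout (SubOpt, Len, Value) and the class match from the dhcpd.conf above, worked through in Python as an added example; it is not code from the manual or from QTECH. The helper names, the constructed sample options fields and the second circuit-id `Vlan2+Ethernet1/0/9` are assumptions; the matching circuit-id, the remote-id and the 64-character limit come from this chapter.

```python
"""Added example: decode DHCP option 82 and apply the class match shown in this chapter."""

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAX_CIRCUIT_ID = 64  # the manual limits a user-specified circuit-id to 64 characters


class Option82Error(ValueError):
    """The options field or the option 82 payload is malformed."""


def tlv(code: int, value: bytes) -> bytes:
    """Encode one (code, Len, value) element; Len counts only the value bytes."""
    if len(value) > 255:
        raise Option82Error("value does not fit a one-byte Len field")
    return bytes([code, len(value)]) + value


def build_option82(circuit_id: str, remote_mac: str) -> bytes:
    """Build option 82 with sub-option 1 (circuit ID) and sub-option 2 (remote ID)."""
    if len(circuit_id) > MAX_CIRCUIT_ID:
        raise Option82Error("circuit-id longer than 64 characters")
    payload = tlv(SUB_CIRCUIT_ID, circuit_id.encode("ascii"))
    payload += tlv(SUB_REMOTE_ID, bytes.fromhex(remote_mac.replace(":", "")))
    return tlv(OPT_RELAY_AGENT_INFO, payload)


def walk(data: bytes, is_options_field: bool):
    """Yield (code, value) pairs, rejecting any Len that overruns the buffer."""
    i = 0
    while i < len(data):
        code = data[i]
        if is_options_field and code == OPT_PAD:
            i += 1
            continue
        if is_options_field and code == OPT_END:
            return
        if i + 2 > len(data):
            raise Option82Error("truncated header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option82Error("element %d overruns the buffer" % code)
        yield code, value
        i += 2 + length


def parse_option82(options: bytes):
    """Return {sub-option: value} for option 82, or None when the option is absent."""
    for code, value in walk(options, True):
        if code == OPT_RELAY_AGENT_INFO:
            subs = {}
            for sub, sub_value in walk(value, False):
                if sub in subs:
                    raise Option82Error("duplicate sub-option %d" % sub)
                subs[sub] = sub_value
            return subs
    return None


# Only the class whose match line is visible in the dhcpd.conf above is listed here.
CLASSES = {
    "Switch3Vlan2Class2": (b"Vlan2+Ethernet1/0/3", bytes.fromhex("001fce023301")),
}


def classify(options: bytes):
    """Name of the matching class, or None (no option 82, or no class matches)."""
    subs = parse_option82(options)
    if subs is None:
        return None
    key = (subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID))
    for name, match in CLASSES.items():
        if key == match:
            return name
    return None


# Constructed sample options fields (option 53 value 1 = DHCPDISCOVER), not captured traffic.
MSG_TYPE = tlv(53, b"\x01")
RELAYED = MSG_TYPE + build_option82("Vlan2+Ethernet1/0/3", "00:1f:ce:02:33:01") + bytes([OPT_END])
OTHER_PORT = MSG_TYPE + build_option82("Vlan2+Ethernet1/0/9", "00:1f:ce:02:33:01") + bytes([OPT_END])
NO_OPT82 = MSG_TYPE + bytes([OPT_END])
# Same as RELAYED, but the circuit-id Len byte claims 200 bytes: must be rejected.
BAD_LEN = RELAYED[:6] + bytes([200]) + RELAYED[7:]

if __name__ == "__main__":
    for label, blob in [("relayed", RELAYED), ("other port", OTHER_PORT), ("no option 82", NO_OPT82)]:
        print(label, "->", classify(blob))
```

A request that carries no option 82, or a circuit-id/remote-id pair that matches no class, falls through to `None`, which corresponds to a client that is not a member of any class allowed in a pool.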
Chapter 26 DHCPv6 option37, 38

26.1 Introduction to DHCPv6 option37, 38

DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts. When a DHCPv6 client wants to request addresses and configuration parameters from a DHCPv6 server on a different link, it needs to communicate with the server through a DHCPv6 relay agent.
1. DHCPv6 snooping option basic functions configuration

Global mode
  Command: ipv6 dhcp snooping remote-id option
           no ipv6 dhcp snooping remote-id option
  Description: This command enables DHCPv6 SNOOPING to support option 37 option, no command disables it.
  Command: ipv6 dhcp snooping subscriber-id option
           no ipv6 dhcp snooping subscriber-id option
  Description: This command enables DHCPv6 SNOOPING to support option 38 option, no command disables it.
select delimiter ipv6 dhcp snooping subscriber-id select (sp|sv|pv|spv) delimiter WORD (delimiter WORD |) no ipv6 dhcp snooping subscriber-id select delimiter Configures user configuration options to generate subscriber-id. The no command restores to its original default configuration, i.e. vlan name together with port name.
  Command: ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv) delimiter WORD (delimiter WORD |)
           no ipv6 dhcp relay subscriber-id select
  Description: Configures user configuration options to generate subscriber-id. The no command restores to its original default configuration, i.e. vlan name together with port name.
  Command: ipv6 dhcp class
           no ipv6 dhcp class
  Description: This command defines a DHCPv6 class and enters DHCPv6 class mode, the no form of this command removes this DHCPv6 class.

Interface configuration mode
  Command: ipv6 dhcp server select relay-forw
           no ipv6 dhcp server select relay-forw
  Description: This command enables the DHCPv6 server to support selections when multiple option 37 or option 38 options exist and the option 37 and option 38 of relay-forw in the innermost layer are selected.
26.3 DHCPv6 option37, 38 Examples

26.3.1 DHCPv6 Snooping option37, 38 Example

[Figure: DHCPv6 Snooping option schematic. Switch B; Switch A with Interface E1/0/1, Interface E1/0/2, Interface E1/0/3, Interface E1/0/4; MAC-AA, MAC-BB, MAC-CC.]

As is shown in the figure above, Mac-AA, Mac-BB and Mac-CC are normal users, connected to untrusted interface 1/2, 1/3 and 1/4 respectively, and they get IP 2010:2, 2010:3 and 2010:4 through DHCPv6 Client; DHCPv6 Server is connected to the trusted interface 1/1.
Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::1000 2001:da8:100:1::2
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#

26.3.2 DHCPv6 Relay option37, 38 Example

Example 1:

When deploying IPv6 campus network, DHCPv6 server function of routing device can be used for IPv6 address allocation if special server is used for uniform allocation and management for IPv6 address. DHCPv6 server supports both stateful and stateless DHCPv6.
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#

26.4 DHCPv6 option37, 38 Troubleshooting

Request packets sent by a DHCPv6 client are multicast packets received by the device within its VLAN. If the DHCPv6 server wants to receive the packets from the client, the DHCPv6 client and DHCPv6 server must be in the same VLAN; otherwise a DHCPv6 relay is needed.
Chapter 27 DHCP Snooping Configuration

27.1 Introduction to DHCP Snooping

DHCP Snooping means that the switch monitors the IP-getting process of DHCP CLIENT via DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVER by setting trust ports and untrust ports. DHCP messages from trust ports can be forwarded without being verified. In typical settings, trust ports are used to connect DHCP SERVER or DHCP RELAY Proxy, and untrust ports are used to connect DHCP CLIENT.
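The trust/untrust rule described above, modelled over constructed events as an added example; it is not QTECH firmware logic or code from the manual. It assumes that a server-type message (OFFER, ACK, NAK) arriving on an untrust port is the violation that triggers the configured action, takes the port roles from the configuration example later in this chapter (Ethernet1/0/11 and 1/0/12 trust, 1/0/1-10 with action shutdown), and uses constructed MAC and IP values.

```python
"""Added example: a small model of DHCP snooping trust/untrust handling."""
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP message types (option 53)
SERVER_MESSAGES = {OFFER, ACK, NAK}                   # only a server or relay should send these


@dataclass
class DhcpMessage:
    port: str          # ingress port on the switch
    msg_type: int
    client_mac: str    # client hardware address carried in the message
    yiaddr: str = ""   # address offered or assigned by the server


@dataclass
class SnoopingSwitch:
    trusted: set
    shutdown_ports: set                            # untrust ports configured with "action shutdown"
    down: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # client MAC -> port its REQUEST came in on
    bindings: dict = field(default_factory=dict)   # client MAC -> (IP, port)
    log: list = field(default_factory=list)

    def receive(self, msg: DhcpMessage) -> str:
        """Decide what happens to one DHCP message and record the verdict."""
        verdict = self._decide(msg)
        self.log.append((msg.port, msg.msg_type, verdict))
        return verdict

    def _decide(self, msg: DhcpMessage) -> str:
        if msg.port in self.down:
            return "drop (port down)"
        if msg.port in self.trusted:
            # Messages from trust ports are forwarded without being verified.
            if msg.msg_type == ACK and msg.client_mac in self.pending:
                self.bindings[msg.client_mac] = (msg.yiaddr, self.pending.pop(msg.client_mac))
            elif msg.msg_type == NAK:
                self.pending.pop(msg.client_mac, None)
            return "forward"
        if msg.msg_type in SERVER_MESSAGES:
            # Assumption: a server reply on an untrust port is treated as an illegal DHCP server.
            if msg.port in self.shutdown_ports:
                self.down.add(msg.port)
                return "drop (port shut down)"
            return "drop"
        if msg.msg_type == REQUEST:
            self.pending[msg.client_mac] = msg.port
        return "forward"


def build_switch() -> SnoopingSwitch:
    """Port roles taken from the configuration example later in this chapter."""
    return SnoopingSwitch(
        trusted={"Ethernet1/0/11", "Ethernet1/0/12"},
        shutdown_ports={f"Ethernet1/0/{n}" for n in range(1, 11)},
    )


CLIENT = "00-03-0f-00-00-01"   # constructed client MAC
SAMPLE = [                     # constructed event sequence
    DhcpMessage("Ethernet1/0/1", DISCOVER, CLIENT),
    DhcpMessage("Ethernet1/0/5", OFFER, CLIENT, "192.0.2.66"),   # server reply on an untrust port
    DhcpMessage("Ethernet1/0/11", OFFER, CLIENT, "10.1.1.5"),
    DhcpMessage("Ethernet1/0/1", REQUEST, CLIENT),
    DhcpMessage("Ethernet1/0/5", ACK, CLIENT, "192.0.2.66"),     # port is already shut down
    DhcpMessage("Ethernet1/0/11", ACK, CLIENT, "10.1.1.5"),
]


def replay_sample():
    """Run the constructed events through a fresh switch; return it with the verdicts."""
    switch = build_switch()
    return switch, [switch.receive(m) for m in SAMPLE]


if __name__ == "__main__":
    sw, verdicts = replay_sample()
    for message, verdict in zip(SAMPLE, verdicts):
        print(message.port, message.msg_type, "->", verdict)
    print("bindings:", sw.bindings)
```

The binding recorded at the end pairs the client MAC with the address from the trusted ACK and the untrust port the REQUEST arrived on; a table of that kind is what binding functions such as the ARP and dot1x ones listed in the task sequence work from.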
The Encryption of Private Messages: The communication between the switch and the inner network security management system TrustView uses private messages. And the users can encrypt those messages of version 2. Add authentication option82 Function: It is used with dot1x dhcpoption82 authentication mode. Different option 82 will be added in DHCP messages according to user’s authentication status. 27.2 DHCP Snooping Configuration Task Sequence 1. Enable DHCP Snooping 2.
3. Enable DHCP Snooping binding ARP function

Global mode
  Command: ip dhcp snooping binding arp
           no ip dhcp snooping binding arp
  Explanation: Enable or disable the dhcp snooping binding ARP function.

4. Enable DHCP Snooping option82 function

Global mode
  Command: ip dhcp snooping information enable
           no ip dhcp snooping information enable
  Explanation: Enable/disable DHCP Snooping option 82 function.

5.
no ip dhcp snooping trust ports.

9. Enable DHCP SNOOPING binding DOT1X function

Port mode
  Command: ip dhcp snooping binding dot1x
           no ip dhcp snooping binding dot1x
  Explanation: Enable or disable the DHCP snooping binding dot1x function.

10. Enable or disable the DHCP SNOOPING binding USER function

Port mode
  Command: ip dhcp snooping binding usercontrol
           no ip dhcp snooping binding usercontrol
  Explanation: Enable or disable the DHCP snooping binding user function.

11.
  Command: ip dhcp snooping limit-rate
           no ip dhcp snooping limit-rate
  Explanation: Set rate limitation of the transmission of DHCP snooping messages.

14. Enable the debug switch

Admin mode
  Command: debug ip dhcp snooping packet
           debug ip dhcp snooping event
           debug ip dhcp snooping update
           debug ip dhcp snooping binding
  Explanation: Please refer to the chapter on system troubleshooting.

15.
  Command: ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname)| remote-mac) | string WORD}
           no ip dhcp snooping information option type self-defined subscriber-id
  Explanation: Set creation method for option82, users can define the parameters of circuit-id suboption by themselves.
  Command: ip dhcp snooping information option self-defined subscriber-id format [ascii | hex]
  Explanation: Set self-defined format snooping option82.
switch(config)#ip dhcp snooping enable
switch(config)#interface ethernet 1/0/11
switch(Config-If-Ethernet1/0/11)#ip dhcp snooping trust
switch(Config-If-Ethernet1/0/11)#exit
switch(config)#interface ethernet 1/0/12
switch(Config-If-Ethernet1/0/12)#ip dhcp snooping trust
switch(Config-If-Ethernet1/0/12)#exit
switch(config)#interface ethernet 1/0/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#

27.4 DHCP Snooping Troubleshooting Help

27.4.
Chapter 28 IPv4 Multicast Protocol 28.1 IPv4 Multicast Protocol Overview This chapter will give an introduction to the configuration of IPv4 Multicast Protocol. All IPs in this chapter are IPv4. 28.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of packet (including data, sound and video) transmission is the minority users in the network. One way is to use Unicast mode, i.e.
28.1.2 Multicast Address The destination address of Multicast message uses class D IP address with range from 224.0.0.0 to 239.255.255.255. D class address can not appear in the source IP address field of an IP message. In the process of Unicast data transmission, the transmission path of a data packet is from source address routing to destination address, and the transmission is performed with hop-by-hop principle.
224.0.0.17 All SBMS
224.0.0.18 VRRP
224.0.0.22 IGMP

When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver’s MAC address. But in transmitting Multicast packets, the transmission destination is not a specific receiver any more, but a group with uncertain members, thus Multicast MAC address is used. Multicast MAC address is corresponding to Multicast IP address.
Data repository, finance application (stock) etc Any data distribution application of “one point to multiple points” In the situation of more and more multimedia operations in IP network, Multicast has tremendous market potential and Multicast operation will be generalized and popularized. 28.2 PIM-DM 28.2.1 Introduction to PIM-DM PIM-DM(Protocol Independent Multicast, Dense Mode) is a Multicast Routing Protocol in dense mode which applies to small network.
connected to Multicast source indicated by Unicast routing, then this Multicast packet is considered to be from the correct path. Otherwise the Multicast packet is to be discarded as redundant message. The Unicast routing message used as path judgment can root in any Unicast Routing Protocol, such as messages found by RIP, OSPF, etc. It doesn’t rely on any specific Unicast Routing Protocol. 4.
  Command: ip pim dense-mode
  Explanation: To enable PIM-DM protocol for the specified interface. (Required)

2. Configure static multicast routing entries

Global Configuration Mode
  Command: ip mroute <.ifname>
           no ip mroute [ <.ifname>]
  Explanation: To configure a static multicast routing entry. The no form of this command will remove the specified entry.

3.
  Command: ip pim scope-border <199 >|
           no ip pim scope-border
  Explanation: To configure PIM-DM management boundary for the interface and apply ACL for the management boundary. With default settings, 239.0.0.0/8 is considered as the scope of the management group. If ACL is configured, then the scope specified by ACL permit command is the scope of the management group. The no form of this command will remove the configuration.

4.
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 12.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)# ip pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 20.1.1.1 255.255.255.
packets and message control is cut down and the transaction cost of routers decreases. Multicast data get to the network segment where the Multicast group members are located along the shared tree flow. When the data traffic reaches a certain amount, Multicast data stream can be switched to the shortest path tree SPT based on the source to reduce network delay. PIM-SM doesn’t rely on any specific Unicast Routing Protocol but makes RPF Check using the existing Unicast routing table. 1.
more than one RP at the same time.

Configure BSR

BSR is the management center of the PIM-SM network. It is in charge of collecting messages sent by candidate RPs and broadcasting them. Only one BSR can exist within a network, but more than one C-BSR (Candidate-BSR) can be configured. In this way, if the BSR goes wrong, the network can switch to another. C-BSRs elect BSR automatically.

28.3.
(Required).

2. Configure static multicast routing entries

Global Configuration Mode
  Command: ip mroute <.ifname>
           no ip mroute [ <.ifname>]
  Explanation: To configure a static multicast routing entry. The no form of this command will remove the specified static multicast routing entry.

3.
Configure the interface as the boundary interface of the PIM-SM protocol

Interface Configuration Mode
  Command: ip pim bsr-border
           no ip pim bsr-border
  Explanation: To configure the interface as the boundary of PIM-SM protocol. On the boundary interface, BSR messages will not be sent or received. The network connected to the interface is considered as a directly connected network. The no form of this command will remove the configuration.
[][]
no ip pim rp-candidate
the information of PIM-SM candidate RP so that it can compete for RP router with other candidate RP. The “no ip pim rp-candidate” command cancels the configuration of RP.

3) Configure static RP

Global Configuration Mode
  Command: ip pim rp-address []
           no ip pim rp-address {|}
  Explanation: The command configures a static RP globally or for a multicast address range.
[Figure: PIM-SM Typical Environment]

The configuration procedure for SwitchA, SwitchB, SwitchC and SwitchD is as follows:

(1) Configure SwitchA:
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 12.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)# ip pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 13.1.1.1 255.255.255.
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)# ip address 13.1.1.3 255.255.255.0
Switch(Config-if-Vlan2)# ip pim sparse-mode
Switch(Config-if-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-if-Vlan3)# ip address 30.1.1.1 255.255.255.
routing leading to BSR. Use the show ip pim rp-hash command to check if RP information is correct; if there is no RP information, you still need to check unicast routing. If all attempts including Check are made but the problems on PIM-SM can’t be solved yet, then please use debug commands such as debug pim/debug pim BSR, and then copy DEBUG information in 3 minutes and send to Technology Service Center.

28.4 MSDP Configuration

28.4.
Configuring Originator RP
Configuring TTL value
Configuration of MSDP entities
Configuring the Connect-Source interface
Configuring the descriptive information for MSDP entities
Configuring the AS number
Configuring the specified mesh group of MSDP
Configuring the maximum size for the cache
Configurations on delivery of SA packets
Configuring filter policies for creation of SA packets
Configuring filter rules on how to receive and forward SA packets
Configuring SA request packets
Configuring filter policies
1. Enabling MSDP

Global Configuration Mode
  Command: router msdp
           no router msdp
  Explanation: To enable MSDP. The no form of this command will disable MSDP globally.

2. Configuration of MSDP parameters

MSDP Configuration Mode
  Command: connect-source
           no connect-source
  Explanation: To configure the Connect-Source interface for MSDP Peer. The no form of this command will remove the configured Connect-Source interface.
no connect-source MSDP Peer. The no form of this command will remove the configured Connect-Source interface.
  Command: description
           no description
  Explanation: To configure the descriptive information about the MSDP entities. The no form of this command will remove the configured description.
  Command: remote-as
           no remote-as
  Explanation: To configure the AS number for MSDP Peer. The no form of this command will remove the configured AS number of MSDP Peer.
number | access-list-name>] rules for SA request packets.

28.4.6 Configuration of Parameters of SA-cache

MSDP Configuration Mode
  Command: cache-sa-state
           no cache-sa-state
  Explanation: To enable the SA packet cache. To disable the SA packets cache.

MSDP Configuration Mode
  Command: cache-sa-holdtime <150-3600>
           no cache-sa-holdtime
  Explanation: The aging time for entries in the SA cache. To restore the default aging time configuration.
[Figure: Network Topology for MSDP Entry. Labels: DomainA, DomainB, DomainC, RouterA, RouterB, RP1, RP2, RP3, Source, Receiver.]

Configuration tasks are listed as below:

Prerequisites: Enable the unicast routing protocol and PIM protocol on every router, and make sure that the inter-domain routing works well and multicasting inside the domain works well. Suppose the multicast server S in Domain A offers multicast programs at 224.1.1.1. A host in Domain C named R subscribes to this program.
Switch(router-msdp)#peer 10.1.1.1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 20.1.1.1

Router B in Domain B:
Switch#config
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(Config)#interface vlan 3
Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
Switch(Config-if-Vlan3)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 20.1.1.2
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 30.1.1.
group use a unique group name. As shown in the figure, when Mesh-Group is configured for the four meshed Peers in the same domain, flooding of SA messages is reduced remarkably.

[Figure: Flooding of SA messages (PIM SM 1)]
[Figure: Flooding of SA messages with mesh group configuration (PIM SM 1; RA, RB, RC)]

Configuration steps are listed as below:

Router A:
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-if-Vlan3)#ip address 30.1.1.1 255.255.255.0
Switch(Config-if-Vlan3)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 10.1.1.2
Switch(router-msdp)#mesh-group QTECH-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 20.1.1.4
Switch(router-msdp)#mesh-group QTECH-1
Switch(msdp-peer)#exit
Switch(router-msdp)#peer 30.1.1.
Switch#config
Switch(config)#interface vlan 4
Switch(Config-if-Vlan4)#ip address 40.1.1.4 255.255.255.0
Switch(Config-if-Vlan4)#exit
Switch(config)#interface vlan 5
Switch(Config-if-Vlan5)#ip address 50.1.1.4 255.255.255.0
Switch(Config-if-Vlan5)#exit
Switch(config)#interface vlan 6
Switch(Config-if-Vlan6)#ip address 60.1.1.4 255.255.255.0
Switch(Config-if-Vlan6)#exit
Switch(config)#router msdp
Switch(router-msdp)#peer 20.1.1.
Switch(router-msdp)#mesh-group QTECH-1

28.4.8 MSDP Troubleshooting

When MSDP is being configured, it may not function because the physical link is not working or because of configuration mistakes.
address, to notify all the other devices of the original destination.

28.5.2 ANYCAST RP Configuration Task

1. Enable ANYCAST RP v4 function
2. Configure ANYCAST RP v4

1. Enable ANYCAST RP v4 function

Global Configuration Mode
  Command: ip pim anycast-rp
           no ip pim anycast-rp
  Explanation: Enable ANYCAST RP function. (necessary) No operation will globally disable ANYCAST RP function.

2.
register message from DR unicast, it needs to forward the register message to all the other RP in the network, notifying them of the state of source (S.G). While forwarding the register message, this router will change the source address of it into self-rp-address.
2 The configuration is allowed to be done with the absence of the interface in accordance with the anycast-rp-addr. Configure on this router (as a RP) the other-rp-addresses of other RP communicating with it. This unicast address identifies other RP and is used in the communication with local routers.
28.5.3 ANYCAST RP Configuration Examples

[Figure: The ANYCAST RP v4 function of the router. Labels: Multicast Server, DR, RP1, RP2, receivers; VLAN1:10.1.1.1, VLAN2:192.168.2.5, VLAN2:192.168.2.1, VLAN1:192.168.1.4, VLAN2:192.168.3.2, VLAN2:2.2.2.2.]

As shown in the Figure, the overall network environment is PIM-SM, which provides two routers supporting ANYCAST RP, RP1 and RP2.
Switch(config)#ip pim anycast-rp
Switch(config)#ip pim anycast-rp self-rp-address 192.168.2.1
Switch(config)#ip pim anycast-rp 1.1.1.1 192.168.3.2

RP2 Configuration:
Switch#config
Switch(config)#interface loopback 1
Switch(Config-if-Loopback1)#ip address 1.1.1.1 255.255.255.255
Switch(Config-if-Loopback1)#exit
Switch(config)#ip pim rp-candidate loopback1
Switch(config)#ip pim multicast-routing
Switch(config)#ip pim anycast-rp
Switch(config)#ip pim anycast-rp self-rp-address 192.168.3.
address. In SSM, hosts can be added into the multicast group manually and efficiently like the traditional PIM-SM, but leave out the shared tree and RP management in PIM-SM. In SSM, the SPT tree will be constructed with (S, G), where G is the multicast group address and S is the source address of the multicast which sends datagrams to G. An (S, G) pair is named a channel of SSM.
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ip pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ip pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.255
Switch(config)#ip multicast ssm range 1

(2) Configuration of SwitchB.
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ip pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#interface vlan 3
Switch(Config-If-Vlan3)# ip pim sparse-mode
Switch(Config-If-Vlan3)#exit
Switch(config)#access-list 1 permit 224.1.1.1 0.0.0.255
Switch(config)#ip multicast ssm range 1

28.6.4 PIM-SSM Troubleshooting

In configuring and using PIM-SSM Protocol, PIM-SSM Protocol might not operate normally because of physical connection problems or incorrect configuration.
you are interested in is where the packets are from but not where they go), thus the information in DVMRP routing table is used to determine if an input Multicast packet is received at the correct interface. Otherwise, the packet will be discarded to prevent Multicast circulation. The check which determines if the packet gets to the correct interface is called RPF check.
switch. DVMRP switch makes use of poison reverse to notify the upstream switch for some specific source: “I am your downstream.” By adding infinity (32) to the routing distance of some specific source it broadcasts, DVMRP switch responds to the source upstream exchange to fulfill poison reverse.
(1) Configure DVMRP Interface Parameters Configure the delay of transmitting report message on DVMRP interface and the message number each time it transmits Configure metric value of DVMRP interface Configure if DVMRP is able to set up neighbors with DVMRP routers which can not Prune/Graft Command Explanation Interface Configuration Mode ip dvmrp output-report-delay [] no ip dvmrp output-report-delay Configure the delay of transmitting DVMRP report message on interface and the mes
[Figure: DVMRP Network Topology Diagram. SwitchA (Vlan 1), SwitchB (Vlan 1, Vlan 2).]

The configuration procedure for SwitchA and SwitchB is as follows:

(1) Configure SwitchA:
Switch (config)#ip dvmrp multicast-routing
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan1)# ip dvmrp enable

(2) Configure SwitchB:
Switch (config)#ip dvmrp multicast-routing
Switch (config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 12.1.1.2 255.255.255.
unicast routing must be assured beforehand. (DVMRP uses its own unicast table, please use show ip dvmrp route command to look up). If all attempts including Check are made but the problems on DVMRP can’t be solved yet, then please use commands such as debug DVMRP, and then copy DEBUG information in 3 minutes and send to Technology Service Center. 28.8 DCSCM 28.8.1 Introduction to DCSCM DCSCM (Destination control and source control multicast) technology mainly includes three aspects, i.e.
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Global Configuration Mode
Command: [no] ip multicast source-control (Required)
Explanation: Enable source control globally; the “no ip multicast source-control” command disables source control globally. Note that after source control is enabled globally, all multicast packets are discarded by default.
it received after configuring global destination control. Therefore, avoid connecting two or more other Layer 3 switches in the same VLAN on a switch on which destination control is enabled. The configuration commands are as follows:
Global Configuration Mode
Command: [no] multicast destination-control (required)
Explanation: Globally enable IPv4 and IPv6 destination control. The no operation of this command will globally disable destination control.
Multicast Strategy Configuration
Multicast Strategy specifies a priority for specified multicast data in order to achieve and guarantee the effect a specific user requires. Note that multicast data cannot receive this special treatment all the way along its path unless it is transmitted on TRUNK ports. The configuration is very simple: it has only one command, which sets the priority for the specified multicast.
Multicast strategy
Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we can configure its join-in switch as follows:
Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.
1. The election mechanism of multicast switches on the shared network segment
A shared network segment is a network segment with more than one multicast switch on it. In this situation, all switches running IGMP on the segment can receive membership report messages from the hosts, so only one switch is required to transmit membership query messages. An election mechanism is therefore required to determine which switch acts as the querier.
the synchronization with these variables of non-queries. Max Response Time in Query Message has an exponential range, with maximum value from 25.5 secs of v2 to 53 mins, which can be used in links of great capacity. To increase robustness, the host retransmits State-Change messages. Additional data is defined to allow for future extension. Reports are sent to 224.0.0.22 to help with IGMP Snooping on Layer 2 switches.
Interface Configuration Mode
Command: ip dvmrp enable | ip pim dense-mode | ip pim sparse-mode
Explanation: Enable IGMP Protocol, the corresponding commands “no ip dvmrp enable | no ip pim dense-mode | no ip pim sparse-mode” disable IGMP Protocol.
restores default value.
(3) Config IGMP version
Global Mode
Command: ip igmp version
         no ip igmp version
Explanation: Configure IGMP version on the interface; the “no ip igmp version” command restores the default value.

Disable IGMP Protocol
Interface Configuration Mode
Command: no ip dvmrp | no ip pim dense-mode | no ip pim sparse-mode | no ip dvmrp multicast-routing | no ip pim multicast-routing
Explanation: Disable IGMP Protocol.
28.9.
Switch(config)#ip pim multicast-routing
Switch(config)#interface vlan1
Switch(Config-if-Vlan1)#ip address 12.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#ip pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan2
Switch(Config-if-Vlan2)#ip address 20.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#ip pim dense-mode
Switch(Config-if-Vlan2)#ip igmp version 3
28.9.
28.10.2 IGMP Snooping Configuration Task List
1. Enable IGMP Snooping
2. Configure IGMP Snooping

1. Enable IGMP Snooping
Global Mode
Command: ip igmp snooping
         no ip igmp snooping
Explanation: Enables IGMP Snooping. The no operation disables IGMP Snooping function.

2. Configure IGMP Snooping
Global Mode
Command: ip igmp snooping vlan
         no ip igmp snooping vlan
Explanation: Enables IGMP Snooping for specified VLAN. The no operation disables IGMP Snooping for specified VLAN.
Command: ip igmp snooping vlan mrouter-port learnpim
         no ip igmp snooping vlan mrouter-port learnpim
Explanation: Enable the function that the specified VLAN learns mrouter-port (according to pim packets), the no command will disable the function.
Command: ip igmp snooping vlan mrpt
         no ip igmp snooping vlan mrpt
Explanation: Configure the survive time of mrouter port. The “no ip igmp snooping vlan mrpt” command restores the default value.
Command: ip igmp snooping vlan report source-address
         no ip igmp snooping vlan report source-address
Explanation: Configure forwarding IGMP packet source address. The no operation cancels the packet source address.
Command: ip igmp snooping vlan specific-query-mrsp
         no ip igmp snooping vlan specific-query-mrspt
Explanation: Configure the maximum query response time of the specific group or source, the no command restores the default value.
28.10.
Multicast Configuration
Suppose the Multicast Server provides two programs using multicast addresses Group1 and Group2. Three of the four hosts running multicast applications, connected to ports 2, 6 and 10, play program 1, while the host connected to port 12 plays program 2.
IGMP Snooping listening result:
The multicast table built by IGMP Snooping in VLAN 100 indicates ports 1, 2, 6, 10 in Group1 and ports 1, 12 in Group2.
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter interface ethernet 1/0/1
Multicast Configuration
The same as scenario 1
IGMP Snooping listening result:
Similar to scenario 1
Scenario 3: To run in cooperation with layer 3 multicast protocols.
The switch used in Scenario 1 is replaced with a ROUTER, and the specific configuration remains the same.
configured static mrouter
Use the show ip igmp snooping vlan command to check IGMP Snooping information
28.11 IGMP Proxy Configuration
28.11.1 Introduction to IGMP Proxy
IGMP/MLD proxy, which is introduced in RFC 4605, is a simplified multicast protocol running on edge boxes. Edge boxes that run the IGMP/MLD proxy protocol do not need to run complicated multicast routing protocols such as PIM/DVMRP. Instead, they work with a multicast-enabled network through IGMP/MLD proxy.
function.
3. Configure IGMP Proxy assistant parameter
Global Mode
Command: ip igmp proxy limit {group <1-500>| source <1-500>}
         no ip igmp proxy limit
Explanation: To configure the maximum number of groups that upstream ports can join, and the maximum number of sources in a single group. The no form of this command will restore the default value.
Command: ip igmp proxy unsolicited-report interval <1-5>
         no ip igmp proxy unsolicited-report
Explanation: To configure how often the upstream ports send out unsolicited report.
[Figure: IGMP Proxy Topology Diagram (Multicast Server, Multicast Routers, IGMP PROXY Switch 1, Switch 2 and Switch 3)]
As shown in the figure above, the switch functions as an IGMP Proxy in a tree-topology network: it aggregates the multicast data flow from the upstream port and redistributes it to the downstream ports, while the IGMP membership reports flow from downstream ports to upstream ports.
through downstream ports.
Example2: IGMP Proxy for multicast sources from downstream ports.
[Figure: IGMP Proxy for multicast sources from downstream ports (Multicast Server, Multicast Routers, IGMP PROXY Switch 1, Switch 2 and Switch 3)]
As shown in the figure above, the IGMP Proxy enabled switches are connected to the network in a tree topology.
Switch(Config-if-Vlan1)#ip pim sparse-mode
Switch(Config-if-Vlan1)#ip pim bsr-border
Multicast Configuration:
Suppose the server provides programs through the multicast address 224.1.1.1, and some hosts at the edge of the network subscribe to that program. The hosts report their IGMP multicast group membership to Switch 2 and Switch 3 through downstream ports. Switch 2 and Switch 3 then aggregate the reports and forward them to Switch 1, which forwards the information to the multicast router.
Chapter 29 IPv6 Multicast Protocol
29.1 PIM-DM6
29.1.1 Introduction to PIM-DM6
PIM-DM6 (Protocol Independent Multicast, Dense Mode) is the IPv6 version of Protocol Independent Multicast Dense Mode. It is a dense-mode multicast routing protocol suited to small networks, where the members of a multicast group are relatively dense. It does not differ from the IPv4 version of PIM-DM except that the addresses it uses are IPv6 addresses.
3. RPF examination Adopting RPF examination, PIM-DM establishes a multicast forwarding tree initiating from data source, using existing unicast routing table. When a multicast packet arrives, the router will determine the correctness of its coming path first. If the arrival interface is the interface connected to multicast source indicated by unicast routing, then this multicast packet is considered to be from the correct path; otherwise the multicast packet will be discarded as redundant message.
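The RPF examination described above, as an added example (not code from this manual or from the switch firmware): a longest-prefix lookup of the packet's source in a unicast routing table, followed by a comparison with the arrival interface. The routing table, interface names and packets are constructed sample data.

```python
import ipaddress

# Constructed unicast routing table: (prefix, interface that leads toward it).
SAMPLE_ROUTES = [
    ("10.1.1.0/24", "vlan1"),
    ("10.1.1.128/25", "vlan2"),   # more specific route, wins for .128-.255
    ("20.1.1.0/24", "vlan2"),
    ("2000:10:1:1::/64", "vlan1"),
    ("2000:12:1:1::/64", "vlan2"),
]


def build_table(routes):
    """Parse (prefix, interface) pairs into (network object, interface) pairs."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def rpf_interface(table, source):
    """Interface the unicast table uses to reach `source` (longest-prefix
    match), or None when the table holds no route to it."""
    src = ipaddress.ip_address(source)
    best = None
    for net, ifname in table:
        if net.version != src.version or src not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifname)
    return best[1] if best else None


def rpf_check(table, source, arrival_if):
    """Return (passed, reason) for a multicast packet from `source` that
    arrived on `arrival_if`. A packet with no route back to its source
    fails the check, the same as one arriving on the wrong interface."""
    expected = rpf_interface(table, source)
    if expected is None:
        return False, "drop: no unicast route to source"
    if expected != arrival_if:
        return False, "drop: source is reached via %s, packet arrived on %s" % (
            expected, arrival_if)
    return True, "forward"


TABLE = build_table(SAMPLE_ROUTES)

# Constructed packets: (source address, group address, arrival interface).
SAMPLE_PACKETS = [
    ("10.1.1.5", "239.1.2.3", "vlan1"),       # correct path
    ("10.1.1.5", "239.1.2.3", "vlan2"),       # looped or redundant copy
    ("10.1.1.200", "239.1.2.3", "vlan2"),     # /25 overrides the /24
    ("192.0.2.9", "239.1.2.3", "vlan1"),      # no route to the source
    ("2000:12:1:1::7", "ff1e::1", "vlan2"),   # IPv6, correct path
]


def run_samples():
    """Apply the check to every constructed packet."""
    return [(src, grp, iface) + rpf_check(TABLE, src, iface)
            for src, grp, iface in SAMPLE_PACKETS]


if __name__ == "__main__":
    for row in run_samples():
        print(row)
```
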
Command configuration mode
Command: ipv6 pim multicast-routing
Explanation: To enable PIM-DM multicast routing global. However, in order to enable PIM-DM for specific interfaces, the following command must be issued.

Enable PIM-SM for the specific interface:
Interface configuration mode
Command: ipv6 pim dense-mode
Explanation: To enable PIM-DM for the specified interface (required).
2.
3) Configure the boundary interfaces
Interface Configuration Mode
Command: ipv6 pim bsr-border
         no ipv6 pim bsr-border
Explanation: To configure the interface as the boundary of PIM-DM6 protocol. On the boundary interface, STATE REFRESH messages will not be sent or received. The network connected to the interface is considered as directly connected network. The no form of this command will remove the configuration.
[Figure: PIM-DM Typical Environment (SWITCHA and SWITCHB, each with vlan1 and vlan2)]
The configuration procedure for SwitchA and SwitchB is as below:
(1) Configure SwitchA:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:10:1:1::1/64
Switch(Config-if-Vlan1)#ipv6 pim dense-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan2
Switch(Config-if-Vlan2)#ipv6 address 2000:12:1:1::1/64
Switch(Config-if-Vlan2)#ipv6 pim dense-mode
(2) Configure Swi
correctness of unicast route shall be guaranteed above all. If all attempts fail to solve the problems on PIM-DM, then use debug commands such as debug ipv6 pim, copy DEBUG information in 3 minutes and send to Technology Service Center.
29.2 PIM-SM6
29.2.1 Introduction to PIM-SM6
PIM-SM6 (Protocol Independent Multicast, Sparse Mode) is the IPv6 version of Protocol Independent Multicast Sparse Mode.
When multicast source S sends a multicast packet to multicast group G, the PIM-SM multicast router directly connected to it encapsulates the multicast packet in a register message and unicasts it to the corresponding RP. If there is more than one PIM-SM multicast router on a network segment, the DR (Designated Router) takes charge of forwarding the multicast packet.
Configure the switch as a candidate BSR
Configure the switch as a candidate RP
Configure static RP
Configure the cache time of kernel multicast route
Disable the PIM-SM protocol

1. Enable PIM-SM protocol
The PIM-SM protocol can be enabled on QTECH series Layer 3 switches by enabling PIM6 in global configuration mode and then enabling PIM-SM for specific interfaces in the interface configuration mode.
the interval to the default value.
2) Configure the hold time for PIM-SM6 hello messages
Interface Configuration Mode
Command: ipv6 pim hello-holdtime
         no ipv6 pim hello-holdtime
Explanation: To configure the value of the holdtime field in the PIM-SM hello messages. The no form of this command will restore the hold time to the default value.
(2) Configure global PIM-SM6 parameter
1) Configure the switch as a candidate BSR
Global Configuration Mode
Command: ipv6 pim bsr-candidate {vlan | | tunnel <150>}[hash-mask-length] [priority]
         no ipv6 pim bsr-candidate {vlan | | tunnel <150>}[hash-mask-length] [priority]
Explanation: This command is the global candidate BSR configuration command, which is used to configure the information of PIM-SM candidate BSR so that it can compete for BSR router with other candidate BS
4. Disable PIM-SM protocol
Interface Configuration Mode
Command: no ipv6 pim sparse-mode
Explanation: To disable the PIM-SM6 protocol.
Global Configuration Mode
Command: no ipv6 pim sparse-mode
Explanation: To disable PIM-DM globally.
29.2.3 PIM-SM6 Typical Application
As shown in the following figure, add the Ethernet interfaces of SwitchA, SwitchB, SwitchC and SwitchD to corresponding VLAN, and start PIM-SM Protocol on each VLAN interface.
Switch(Config-if-Vlan2)#ipv6 address 2000:24:1:1::2/64
Switch(Config-if-Vlan2)#ipv6 pim sparse-mode
Switch(Config-if-Vlan2)#exit
Switch(config)#ipv6 pim rp-candidate vlan2
Configure SwitchC:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 2000:34:1:1::3/64
Switch(Config-if-Vlan1)#ipv6 pim sparse-mode
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ipv6 address 2000:13:1:1::3/64
Switch(Config-if-Vlan2)#ipv6 pim
Unicast route shall be used to carry out RPF examination for multicast protocol. So the correctness of unicast route shall be guaranteed above all. PIM-SM Protocol requires supports of RP and BSR, therefore you should use show ipv6 pim bsr-router first to see if there is BSR information. If not, you need to check if there is unicast routing leading to BSR.
1. Enable ANYCAST RP v6 function
Global Configuration Mode
Command: ipv6 pim anycast-rp
         no ipv6 pim anycast-rp
Explanation: Enable ANYCAST RP function. (necessary) The no operation will globally disable the ANYCAST RP function.

2. Configure ANYCAST RP v6
(1) Configure RP candidate
Global Configuration Mode
Now, the PIM-SM has allowed the Loopback interface to be a RP candidate.
will create (S,G) state and send back a register-terminating message, whose destination address is the source address of the register message. Note: self-rp-address has to be the address of a Layer 3 interface on this router, but the configuration is allowed even when the interface is absent. The self-rp-address should be unique. The no operation cancels the self-rp-address that this router uses to communicate with other RPs.
2 Multiple other-rp-addresses can be configured for one anycast-rp-addr. Once a register message from a DR is received, it should be forwarded to all of these RPs one by one. The no operation cancels the other-rp-address that communicates with this router.
29.3.
Switch#config
Switch(config)#interface loopback 1
Switch(Config-if-Loopback1)#ipv6 address 2006::1/128
Switch(Config-if-Loopback1)#exit
Switch(config)#ipv6 pim rp-candidate loopback1
Switch(config)#ipv6 pim multicast-routing
Switch(config)#ipv6 pim anycast-rp
Switch(config)#ipv6 pim anycast-rp self-rp-address 2004::2
Switch(config)#ipv6 pim anycast-rp 2006::1 2003::1
Note that, to advertise the route of the loopback interface, if the MBGP4+ protocol is used, the network command can be used; or use RIPng p
like the traditional PIM-SM6, but leave out the shared tree and RP management in PIM-SM6. In SSM6, the SPT tree is constructed with (S,G), where G is the multicast group address and S is the address of the multicast source that sends datagrams to G. An (S,G) pair is called a channel of SSM6. SSM6 is best suited to one-to-many multicast services, for example the network sports video channel and the news channel.
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ipv6 address 2000:12:1:1::1/64
Switch(Config-If-Vlan1)# ipv6 pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ipv6 address 2000:13:1:1::1/64
Switch(Config-If-Vlan2)# ipv6 pim sparse-mode
Switch(Config-If-Vlan2)#exit
Switch(config)#ipv6 access-list 500 permit ff1e::1/64
Switch(config)#ip pim ssm range 500
(2)Configuration of switchB:
Switch(config)#ipv6 pim m
Switch(Config-If-Vlan3)# exit
Switch(config)# ipv6 pim bsr-candidate vlan2 30 10
Switch(config)#ipv6 access-list 500 permit ff1e::1/64
Switch(config)#ip pim ssm range 500
(4) Configuration of SwitchD:
Switch(config)#ipv6 pim multicast-routing
Switch(config)#interface vlan 1
Switch(Config-If-Vlan1)# ipv6 address 2000:34:1:1::4/64
Switch(Config-If-Vlan1)# ipv6 pim sparse-mode
Switch(Config-If-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-If-Vlan2)# ipv6 address 2000:24:1:1::4/64
Switch(Config-If-V
29.5 IPv6 DCSCM
29.5.1 Introduction to IPv6 DCSCM
The technology of IPv6 DCSCM (Destination Control and Source Control Multicast) includes three aspects: the multicast source control, the multicast user control and the service-priority-oriented policy multicast. IPv6 DCSCM Controllable Multicast technology works in the following way:
1. If source controlled multicast is configured on the edge switches, only the multicast data of the specified group from the specified source can pass.
2.
be dropped by default. All source control configuration can be done only after source control is globally enabled, and source control can be disabled globally only when all the configured rules are disabled. Next, configure the source control rules, which are configured in the same way as ACLs, using ACL numbers from 8000 to 8099, while each rule number can configure 10 rules. Note that these rules are ordered: the earliest configured rule is at the front.
control (necessary); the no operation of this command will globally disable destination control. All other configuration takes effect only after destination control is globally enabled. Next, configure the destination control rules, which are similar to those of source control but use ACL numbers from 9000 to 10099 instead.
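Why the rule order and the default drop matter, as an added example (not this manual's or the switch's own code): a model of one IPv6 source control rule list that evaluates rules in configured order, drops unmatched traffic, and reports rules hidden behind an earlier, broader rule. That the first matching rule decides is an assumption of this sketch; the sources and the rule contents are constructed, while the 8000 to 8099 range and the 10-rule limit are the values given above.

```python
import ipaddress

MAX_RULES_PER_ACL = 10                      # from the manual: 10 rules per rule number
V6_SOURCE_ACL_RANGE = range(8000, 8100)     # from the manual: 8000 to 8099


class SourceControlAcl:
    """Ordered list of (action, source prefix, group prefix) rules."""

    def __init__(self, number):
        if number not in V6_SOURCE_ACL_RANGE:
            raise ValueError("IPv6 source control uses ACL numbers 8000-8099")
        self.number = number
        self.rules = []                     # configured order, earliest first

    def add(self, action, source, group):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError("rule list is full")
        s_net = ipaddress.IPv6Network(source)
        g_net = ipaddress.IPv6Network(group)
        self.rules.append((action, s_net, g_net))
        return self

    def evaluate(self, source, group):
        """Verdict for one multicast packet."""
        src = ipaddress.IPv6Address(source)
        grp = ipaddress.IPv6Address(group)
        for action, s_net, g_net in self.rules:
            if src in s_net and grp in g_net:
                return action               # assumption: first match decides
        return "deny"                       # dropped by default once enabled

    def shadowed(self):
        """Indexes of rules that can never match because an earlier rule
        already covers their whole source and group range."""
        hidden = []
        for i, (_, s_i, g_i) in enumerate(self.rules):
            for _, s_j, g_j in self.rules[:i]:
                if s_i.subnet_of(s_j) and g_i.subnet_of(g_j):
                    hidden.append(i)
                    break
        return hidden


def misordered():
    """Constructed list: the broad permit was configured first, so the
    later deny for 2001:db8:5::/64 never takes effect."""
    acl = SourceControlAcl(8000)
    acl.add("permit", "::/0", "ff1e::1/128")
    acl.add("deny", "2001:db8:5::/64", "ff1e::1/128")
    return acl


def corrected():
    """Same two rules with the specific deny configured first."""
    acl = SourceControlAcl(8000)
    acl.add("deny", "2001:db8:5::/64", "ff1e::1/128")
    acl.add("permit", "::/0", "ff1e::1/128")
    return acl


if __name__ == "__main__":
    for name, acl in (("misordered", misordered()), ("corrected", corrected())):
        print(name, acl.evaluate("2001:db8:5::10", "ff1e::1"), acl.shadowed())
```
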
Global Configuration Mode
Command: [no] ipv6 multicast policy cos
Explanation: Configure multicast policy, set priority for sources and groups in a specified range, the priority valid range is 0 to 7.
29.5.3 IPv6 DCSCM Typical Examples
1. Source control
To prevent an edge switch from sending multicast data at will, we configure the edge switch so that only the switch on port Ethernet1/0/5 can send multicast data, and the group of that data must be ff1e::1.
switch protocol might operate abnormally).
29.5.4 IPv6 DCSCM Troubleshooting
IPv6 DCSCM module acts like ACL, so most problems are caused by improper configuration. Please read the instructions above carefully.
29.6 MLD
29.6.1 Introduction to MLD
MLD (Multicast Listener Discovery) is the multicast group member (receiver) discovery protocol serving IPv6 multicast. It is similar to IGMP Protocol in IPv4 multicast application.
Configure MLD auxiliary parameters (Required)
(1) Configure MLD group parameters
1) Configure MLD group filter conditions
(2) Configure MLD query parameters
1) Configure the interval of MLD sending query message
2) Configure the maximum response time of MLD query
3) Configure overtime of MLD query
Shut down MLD Protocol

Start MLD Protocol
There is no special command for starting MLD Protocol on EDGECORE series layer 3 switches.
Port Configuration Mode
Command: ipv6 mld query-interval
         no ipv6 mld query-interval
Explanation: Configure the interval of MLD query messages sent periodically; the NO operation of this command restores the default value.
Command: ipv6 mld query-max-response-time
         no ipv6 mld query-max-response-time
Explanation: Configure the maximum response time of the interface for MLD query; the NO operation of this command restores the default value.
Switch (config) #ipv6 pim multicast-routing
Switch (config) #ipv6 pim rp-address 3FFE::1
Switch (config) #interface vlan1
Switch (Config-if-Vlan1) #ipv6 address 3FFE::2/64
Switch (Config-if-Vlan1) #ipv6 pim sparse-mode
Switch (Config-if-Vlan1) #exit
Switch (config) #interface vlan2
Switch (Config-if-Vlan2) #ipv6 address 3FFA::1/64
Switch (Config-if-Vlan2) #ipv6 pim sparse-mode
Switch (Config-if-Vlan2) #ipv6 mld query-timeout 150
29.6.
multicast devices only. The switch listens to the MLD messages between multicast routers and listeners, and maintains the multicast group forwarding list based on the listening result. The switch forwards multicast packets according to the multicast forwarding list. The switch implements the MLD Snooping function while supporting MLD v2. This way, the user can acquire IPv6 multicast with the switch.
29.7.2 MLD Snooping Configuration Task
1. Enable the MLD Snooping function
2. Configure the MLD Snooping
1.
mrouter-port learnpim6 function.
Command: ipv6 mld snooping vlan mrpt
         no ipv6 mld snooping vlan mrpt
Explanation: Configure the keep-alive time of the mrouter port. The “no” form of this command restores to the default.
Command: ipv6 mld snooping vlan query-interval
         no ipv6 mld snooping vlan query-
Explanation: Configure the query interval. The “no” form of this command restores to the default.
[Figure: Open the switch MLD Snooping Function figure (Multicast Router, Mrouter Port, MLD Snooping Switch, host groups)]
As shown above, the vlan 100 configured on the switch consists of ports 1, 2, 6, 10, 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, while the multicast router is on port 1.
[Figure: Switch as MLD Querier Function figure]
Configuration of switch B is the same as the switches in case 1, and here the switch 1 replaces the Multicast Router in case 1. Assume the vlan 60 configured on it contains ports 1, 2, 10, 12, of which port 1 is connected to the multicast server and port 2 to switch2. To send Query periodically, global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2-general-querier, setting the vlan 60 to a Level 2 General Querier.
MLD Snooping interception results:
Same as scenario 1
Scenario 3: To run in cooperation with layer 3 multicast protocols
The switch used in Scenario 1 is replaced with a ROUTER, and the specific configuration remains the same. The multicast and IGMP snooping configurations are the same as in Scenario 1.
Chapter 30 Multicast VLAN
30.1 Introductions to Multicast VLAN
With the current multicast order method, when users in different VLANs place orders, each VLAN copies the multicast traffic within that VLAN, which is a great waste of bandwidth. By configuring the multicast VLAN, adding the switch ports to it and enabling the IGMP Snooping/MLD Snooping functions, users from different VLANs share the same multicast VLAN.
Command: ip igmp snooping
         no ip igmp snooping
Explanation: Enable the IGMP Snooping function. The “no” form of this command disables the IGMP snooping function.

3. Configure the MLD Snooping
Command: ipv6 mld snooping vlan
         no ipv6 mld snooping vlan
Explanation: Enable MLD Snooping on multicast VLAN; the “no” form of this command disables MLD Snooping on multicast VLAN.
Command: ipv6 mld snooping
         no ipv6 mld snooping
Explanation: Enable the MLD Snooping function. The “no” form of this command disables the MLD snooping function.
30.
SwitchA(config-vlan10)#exit
SwitchA(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip pim dense-mode
Switch(Config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(Config-if-Vlan20)#ip pim dense-mode
SwitchA(Config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast
SwitchA(config)# interface ethernet1/0/10
SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
SwitchB#config
SwitchB(config)#vlan 100
SwitchB(config-vlan100)#Switchport access ether
Chapter 31 VRRP Configuration
31.1 Introduction to VRRP
VRRP (Virtual Router Redundancy Protocol) is a fault tolerant protocol designed to enhance connection reliability between routers (or L3 Ethernet switches) and external devices. It is developed by the IETF for local area networks (LAN) with multicast/broadcast capability (Ethernet is an example) and has wide applications.
31.2 VRRP Configuration Task List
Configuration Task List:
Create/Remove the Virtual Router (required)
Configure VRRP dummy IP and interface (required)
Activate/Deactivate Virtual Router (required)
Configure VRRP sub-parameters (optional)
  Configure the preemptive mode for VRRP
  Configure VRRP priority
  Configure VRRP Timer intervals
  Configure VRRP interface monitor
1.
(2) Configure VRRP priority
VRRP protocol configuration mode
Command: priority
Explanation: Configures VRRP priority.
(3) Configure VRRP Timer intervals
VRRP protocol configuration mode
Command: advertisement-interval
Configuration of SwitchB:
SwitchB(config)#interface vlan 1
SwitchB (Config-if-Vlan1)# ip address 10.1.1.7 255.255.255.0
SwitchB(config)#router vrrp 1
SwitchB (Config-Router-Vrrp)# virtual-ip 10.1.1.5
SwitchB(Config-Router-Vrrp)# interface vlan 1
SwitchB(Config-Router-Vrrp)# enable
31.4 VRRP Troubleshooting
In configuring and using VRRP protocol, the VRRP protocol may fail to run properly due to reasons such as physical connection failure or wrong configurations.
Chapter 32 IPv6 VRRPv3 Configuration
32.1 Introduction to VRRPv3
VRRPv3 is a virtual router redundancy protocol for IPv6. It is designed based on VRRP (VRRPv2) in IPv4 environment. The following is a brief introduction to it. In a network based on TCP/IP protocol, in order to guarantee the communication between the devices which are not physically connected, routers should be specified.
Detection, which checks whether a neighbor node is failed by sending unicast neighbor request messages to it. In order to reduce the overheads of sending neighbor request messages, these messages are only sent to those neighbor nodes which are sending flows, and are only sent if there is no instruction of UP state of the router in a period of time.
VRRPv3 message
32.1.2 VRRPv3 Working Mechanism
The working mechanism of VRRPv3 is the same as that of VRRPv2, and is mainly implemented through the exchange of VRRP advertisement messages. It is briefly described as follows: Each VRRP router has a unique ID: VRID, ranging from 1 to 255. This router presents a unique virtual MAC address to the outside, in the format 00-00-5E-00-02-{VRID} (the format of the virtual MAC address in VRRPv2 is 00-00-5E-00-01-{VRID}).
IP owner in the VRRP group, it will always be the master router. For the candidate routers having the same priority, selection will be done according to the magnitude of IP addresses (the bigger IP address takes precedence). VRRP also provides a preemptive priority policy. If such policy is configured, the backup router with higher priority will preempt the role of new master router over the current master router with lower priority.
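The election rules and the virtual MAC formats described above, as an added example (not the switch's implementation): the IP owner always wins, otherwise the higher priority wins, and equal priorities are settled by the bigger IP address; preemption applies only when configured. Router names, priorities and SwitchA's address are constructed sample values.

```python
import ipaddress


def virtual_mac(vrid, version):
    """Virtual MAC for a VRID: 00-00-5E-00-01-{VRID} for VRRPv2 and
    00-00-5E-00-02-{VRID} for VRRPv3, as given in the text."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    fifth_octet = {"v2": 0x01, "v3": 0x02}[version]
    return "00-00-5E-00-%02X-%02X" % (fifth_octet, vrid)


def is_owner(router, virtual_ip):
    """A router is the IP owner when its interface address is the virtual IP."""
    return ipaddress.ip_address(router["ip"]) == ipaddress.ip_address(virtual_ip)


def elect_master(routers, virtual_ip):
    """Name of the router that becomes master among `routers`."""
    def rank(router):
        return (
            is_owner(router, virtual_ip),               # owner beats everyone
            router["priority"],                         # then higher priority
            int(ipaddress.ip_address(router["ip"])),    # then bigger IP address
        )
    return max(routers, key=rank)["name"]


def master_after_join(master, joiner, virtual_ip, preempt):
    """Master after `joiner` comes up while `master` is already serving.
    Without preemption a higher-priority backup stays backup."""
    if is_owner(joiner, virtual_ip):
        return joiner["name"]
    if is_owner(master, virtual_ip):
        return master["name"]
    if preempt and joiner["priority"] > master["priority"]:
        return joiner["name"]
    return master["name"]


# Constructed backup group for virtual IP 10.1.1.5, VRID 1.
VIRTUAL_IP = "10.1.1.5"
SWITCH_A = {"name": "SwitchA", "ip": "10.1.1.1", "priority": 100}
SWITCH_B = {"name": "SwitchB", "ip": "10.1.1.7", "priority": 100}
SWITCH_A_HIGH = {"name": "SwitchA", "ip": "10.1.1.1", "priority": 150}
OWNER = {"name": "SwitchC", "ip": "10.1.1.5", "priority": 100}

if __name__ == "__main__":
    print(virtual_mac(1, "v2"), virtual_mac(1, "v3"))
    print(elect_master([SWITCH_A, SWITCH_B], VIRTUAL_IP))
    print(elect_master([SWITCH_A, SWITCH_B, OWNER], VIRTUAL_IP))
    print(master_after_join(SWITCH_B, SWITCH_A_HIGH, VIRTUAL_IP, preempt=False))
```

A monitoring script can compare the source MAC of observed advertisements for a VRID with `virtual_mac()` to spot a mismatched VRID or protocol version on the segment.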
Command: disable
Explanation: Disable the virtual router.

4. Configure VRRPv3 assistant parameters
(1) Configure VRRPv3 preempt mode
VRRPv3 Protocol Mode
Command: preempt-mode {true| false}
Explanation: Configure VRRPv3 preempt mode.
(2) Configure VRRPv3 priority
VRRPv3 Protocol Mode
Command: priority < priority >
Explanation: Configure VRRPv3 priority.
(3) Configure the VRRPv3 advertisement interval
VRRPv3 Protocol Mode
Explanation: Configure the VRRPv3 advertisement interval (in centiseconds).
As shown in graph, switch A and switch B are backups to each other, switch A is the master of backup group 1 and a backup of backup group 2. Switch B is the master of backup group 2 and a Backup of backup group 1.
Then make sure that the IPv6 forwarding function is enabled (use the ipv6 enable command); make sure that the VRRPv3 protocol is enabled on the interface; check whether the timer values on the different routers (or Layer 3 Ethernet switches) within the same backup group are the same; check whether the virtual IPv6 addresses in the same backup group are the same.
Chapter 33 MRPP Configuration
33.1 Introduction to MRPP
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It can avoid the broadcast storms caused by data loops on an Ethernet ring, and restore communication among all nodes on the ring network when a link in the Ethernet ring breaks. MRPP is the expansion of EAPS (Ethernet link automatic protection protocol).
Each switch is called a node on the Ethernet ring. There are the following node types:
Primary node: each ring has a primary node, which is the main node for detection and defense.
Transfer node: all nodes on a ring other than the primary node are transfer nodes.
The node role is determined by user configuration. As shown in Fig 3-1, Switch A is the primary node of Ring 1; Switch B, Switch C, Switch D and Switch E are transfer nodes of Ring 1.
4.
LINK-DOWN-FLUSH_FDB packet
After the primary node detects a ring failure or receives a LINK-DOWN packet, it opens the blocked secondary port and then sends this packet from both ports to inform each transfer node to refresh its own MAC addresses.
LINK-UP-FLUSH_FDB packet
After the primary node detects that the ring has recovered from the failure, it sends this packet from the primary port to inform each transfer node to refresh its own MAC addresses.
33.1.3 MRPP Protocol Operation System
1.
2) Configure MRPP ring
3) Configure the query time of MRPP
4) Display and debug MRPP relevant information

1) Globally enable MRPP
Global Mode
Command: mrpp enable
         no mrpp enable
Explanation: Globally enable and disable MRPP.
2) Configure MRPP ring
Global Mode
Command: mrpp ring
         no mrpp ring
Explanation: Create MRPP ring. The “no” command deletes MRPP ring and its configuration.
Command: mrpp poll-time <20-2000>
Explanation: Configure the query interval of MRPP.
4) Display and debug MRPP relevant information
Admin Mode
Command: debug mrpp
         no debug mrpp
Explanation: Disable MRPP module debug information, format “no” disable MRPP debug information output.
Command: show mrpp {}
Explanation: Display MRPP ring configuration information.
Command: show mrpp statistics {}
Explanation: Display receiving data information of MRPP ring.
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#fail-timer 18
Switch(mrpp-ring-4000)#hello-timer 5
Switch(mrpp-ring-4000)#node-mode master
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config
switch D configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#
33.
Chapter 34 ULPP Configuration
34.1 Introduction to ULPP
Each ULPP group has two uplink ports: the master port and the slave port. A port may be a physical port or a port channel. The member ports of a ULPP group have three states: Forwarding, Standby and Down. Normally, only one port is in the forwarding state and the other port is blocked in the Standby state. When the master port has a link problem, it goes to the down state and the slave port is switched to the forwarding state.
through the method of MSTP instances, and ULPP does not provide protection for other VLANs. When the uplink switchover happens, the original forwarding entries of the device no longer apply to the new topology in the network. In the figure, SwitchA configures ULPP with portA1 as the master port in the forwarding state, and the MAC address of the PC is learned by Switch D from portD3. When portA1 then has a problem, the traffic is switched to portA2 to be forwarded.
Configure ULPP group Show and debug the relating information of ULPP 1. Create ULPP group globally Command Expalnation Global mode ulpp group Configure and delete ULPP group no ulpp group globally. 2. Configure ULPP group Command Explanation ULPP group configuration mode preemption mode no preemption mode Configure the preemption mode of ULPP group. The no operation deletes the preemption mode.
ulpp group slave       Configure or delete the slave port of ULPP group.
no ulpp group slave

3. Show and debug the related information of ULPP
Command                Explanation
Admin mode
show ulpp group [group-id]                         Show the configuration information of the configured ULPP group.
show ulpp flush counter interface {ethernet | }    Show the statistic information of the flush packets.
show ulpp flush-receive-port                       Show flush type and control VLAN received by the port.
34.3 ULPP Typical Examples
34.3.1 ULPP Typical Example1
[Figure: ULPP typical example1. Devices: SwitchA, SwitchB, SwitchC, SwitchD; port labels: E1/0/1, E1/0/2]
The above topology is a typical application environment for the ULPP protocol. SwitchA has two uplinks, to SwitchB and SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, ULPP can be configured on SwitchA, with the master port and the slave port of a ULPP group.
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp flush en
34.3.2 ULPP Typical Example2
[Figure: ULPP typical example2. Devices: SwitchA, SwitchB, SwitchC, SwitchD; port labels: E1/0/1, E1/0/2; VLAN labels: Vlan 1-100, Vlan 101-200]
ULPP can implement VLAN-based load balancing. As the figure shows, SwitchA is configured with two ULPP groups: in group1, port E1/0/1 is the master port and port 1/0/2 is the slave port; in group2, port 1/0/2 is the master port and port 1/0/1 is the slave port. Group1 protects VLANs 1-100 and group2 protects VLANs 101-200.
Switch(config-If-Ethernet1/0/1)#ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#switchport mode trunk
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)# ulpp group 2 master
Switch(config-If-Ethernet1/0/2)#exit
SwitchB configuration task list:
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#switchport mode trunk
Switch(co
Chapter 35 ULSM Configuration
35.1 Introduction to ULSM
ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports, and a group may contain more than one of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group. The uplink port is the monitored port of the ULSM group.
[Figure: ULSM usage scenario]
35.2 ULSM Configuration Task List
Create ULSM group globally
Configure ULSM group
Show and debug the related information of ULSM

1. Create ULSM group globally
Command                Explanation
Global mode
ulsm group             Configure and delete ULSM group globally.
no ulsm group
2.
35.3 ULSM Typical Example
[Figure: ULSM typical example. Devices: SwitchA, SwitchB, SwitchC, SwitchD; port labels: E1/0/1, E1/0/2, E1/0/3, E1/0/4]
The above topology is a typical application environment in which the ULSM and ULPP protocols are used together. ULSM is used to synchronize port states; running on its own it is of no use, so it is usually used together with the ULPP protocol. In the topology, SwitchA enables the ULPP protocol, which is used to switch the uplink.
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/3
Switch(config-If-Ethernet1/0/3)#ulsm group 1 uplink
Switch(config-If-Ethernet1/0/3)#exit
SwitchC configuration task list:
Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#interface ethernet 1/0/4
Switch(config-If-Eth
Chapter 36 Mirror Configuration
36.1 Introduction to Mirror
Mirror functions include the port mirror function and the flow mirror function. Port mirror refers to the duplication of data frames sent/received on a port to another port. The port whose traffic is duplicated is referred to as the mirror source port, and the port that receives the copies is referred to as the mirror destination port.
{interface } {rx| tx| both}               deletes mirror source port.
no monitor session source {interface }

3. Specify flow mirror source
Command                Explanation
Global mode
monitor session source {interface } access-group {rx|tx|both}    Specifies flow mirror source port and apply rule; the no command deletes flow mirror source port.
no monitor session source {interface } access-group
36.
If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic; in that case decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port. The mirror destination port cannot be added to an Isolate VLAN; otherwise mirroring between VLANs will be affected.
+7(495) 797-3311 www.qtech.ru Moscow, Novozavodskaya St., 18, bldg.
Chapter 37 RSPAN Configuration
37.1 Introduction to RSPAN
Port mirroring refers to the duplication of data frames sent/received on a port to another port. The port whose traffic is duplicated is referred to as the mirror source port, and the port that receives the copies is referred to as the mirror destination port. With the mirroring function in place, it is more convenient for the network administrator to monitor, manage and diagnose the network.
configuration, and reduced system resources. Note: Normal mode is used by default. In normal mode, datagrams with reserved MAC addresses cannot be broadcast. The number of source mirror ports is not limited; there can be one or more. Multiple source ports do not have to be in the same VLAN. The destination port and the source ports can be in different VLANs. To configure RSPAN, a dedicated RSPAN VLAN should be configured first to carry the RSPAN datagrams.
Configure reflector port
Configure remote VLAN of mirror group

1. Configure RSPAN VLAN
Command                Explanation
VLAN Configuration Mode
remote-span            To configure the specified VLAN as RSPAN VLAN. The no command will remove the configuration of RSPAN VLAN.
no remote-span
2.
5. Configure remote VLAN of mirror group
Command                Explanation
Global Mode
monitor session remote vlan       To configure remote VLAN of mirror group, the no command deletes the remote VLAN of mirror group.
no monitor session remote vlan

37.3 Typical Examples of RSPAN
Before RSPAN was invented, network administrators had to connect their PCs directly to the switches in order to check the statistics of the network.
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 destination interface ethernet1/0/2
Switch(config)#monitor session 1 remote vlan 5
Intermediate switch:
Interface ethernet1/0/6 is the source port which is connected to the source switch.
Switch(Config-If-Ethernet1/0/10)#exit
Solution 2:
Source switch:
Interface ethernet 1/0/1 is the source port.
Interface ethernet 1/0/2 is the TRUNK port, which is connected to the intermediate switch. The native VLAN should not be a RSPAN VLAN.
Interface Ethernet 1/0/3 is a reflector port. The reflector port belongs to the RSPAN VLAN; it is an access port or TRUNK port of the RSPAN VLAN.
RSPAN VLAN is 5.
Interface ethernet1/0/9 is the source port which is connected to the source switch.
Interface ethernet1/0/10 is the destination port which is connected to the monitor. This port is required to be configured as an access port, and to belong to the RSPAN VLAN.
RSPAN VLAN is 5.
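Because a mirror session hands a copy of traffic to whichever port is named as its destination, the sessions on a switch are worth reviewing against a list of approved monitoring ports. The following is an added example, not part of the manual: it reads a prompt-prefixed command transcript in the form used above, and the function names, the approved-port set and session 2 of the sample are assumptions made for illustration.

```python
import re

# Constructed input: session 1 repeats the source-switch commands shown above;
# session 2 is invented for this example so the audit has something to report.
TRANSCRIPT = """\
Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 destination interface ethernet1/0/2
Switch(config)#monitor session 1 remote vlan 5
Switch(config)#monitor session 2 source interface ethernet1/0/7 both
Switch(config)#monitor session 2 destination interface ethernet1/0/8
Switch(config)#monitor session 2 remote vlan 6
"""

PROMPT = re.compile(r"^\s*Switch\s*\([^)]*\)#\s*")
MIRROR = re.compile(r"monitor session (\d+) (source|destination) interface "
                    r"(ethernet\s*[\d/]+)(?: (rx|tx|both))?")
REMOTE = re.compile(r"monitor session (\d+) remote vlan (\d+)")

def parse(transcript):
    """Collect remote-span VLANs and mirror sessions from a CLI transcript."""
    rspan_vlans, sessions, vlan = set(), {}, None
    def session(sid):
        return sessions.setdefault(int(sid), {"sources": [], "destination": None, "vlan": None})
    for line in transcript.splitlines():
        cmd = PROMPT.sub("", line).strip().lower()
        if m := re.fullmatch(r"vlan (\d+)", cmd):
            vlan = int(m[1])                  # entering VLAN configuration mode
        elif cmd == "exit" or cmd.startswith("interface "):
            vlan = None                       # left VLAN configuration mode
        elif cmd == "remote-span" and vlan is not None:
            rspan_vlans.add(vlan)
        elif m := MIRROR.fullmatch(cmd):
            port = re.sub(r"\s+", "", m[3])   # "ethernet 1/0/2" -> "ethernet1/0/2"
            if m[2] == "source":
                session(m[1])["sources"].append((port, m[4]))
            else:
                session(m[1])["destination"] = port
        elif m := REMOTE.fullmatch(cmd):
            session(m[1])["vlan"] = int(m[2])
    return rspan_vlans, sessions

def audit(transcript, approved_destinations):
    """Return (session id, finding) pairs for mirror sessions that need review."""
    rspan_vlans, sessions = parse(transcript)
    findings = []
    for sid, s in sorted(sessions.items()):
        if s["destination"] and s["destination"] not in approved_destinations:
            findings.append((sid, "unapproved destination " + s["destination"]))
        if s["vlan"] is not None and s["vlan"] not in rspan_vlans:
            findings.append((sid, "remote vlan %d is not marked remote-span" % s["vlan"]))
        if s["sources"] and not s["destination"]:
            findings.append((sid, "sources configured without a destination"))
    return findings

if __name__ == "__main__":
    for sid, text in audit(TRANSCRIPT, {"ethernet1/0/2"}):
        print("session %d: %s" % (sid, text))
```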
Chapter 38 sFlow Configuration
38.1 Introduction to sFlow
sFlow (RFC 3176) is a protocol developed by the InMon Company for monitoring network traffic information, based on standard network export. The monitored switch or router sends data to the client analyzer through its main operations, such as sampling and statistics; the analyzer then analyzes the data according to the user requirements in order to monitor the network.
2. Configure the sFlow proxy address
Command                Explanation
Global Mode
sflow agent-address       Configure the source IP address applied by the sFlow proxy; the “no” form of the command deletes this address.
no sflow agent-address

3. Configure the sFlow proxy priority
Command                Explanation
Global Mode
sflow priority            Configure the priority when sFlow receives packet from the hardware; the “no sflow priority” command restores to the default
no sflow priority
4.
7. Configure the sFlow statistic sampling interval
Command                Explanation
Port Mode
sflow counter-interval       Configure the max interval when sFlow performing statistic sampling. The “no” form of this command deletes
no sflow counter-interval

8. Configure the analyzer used by sFlow
Command                Explanation
Global Mode
sflow analyzer sflowtrend       Configure the analyzer used by sFlow, the no command deletes the analyzer.
no sflow analyzer sflowtrend
38.
Switch (config)# interface ethernet1/0/2
Switch (Config-If-Ethernet1/0/2)#sflow rate input 20000
Switch (Config-If-Ethernet1/0/2)#sflow rate output 20000
Switch (Config-If-Ethernet1/0/2)#sflow counter-interval 40
38.4 sFlow Troubleshooting
In configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc.
Chapter 39 SNTP Configuration
39.1 Introduction to SNTP
The Network Time Protocol (NTP) is widely used for clock synchronization among computers connected to the Internet worldwide. NTP can assess packet sending/receiving delay in the network and independently estimate a computer’s clock deviation, so as to achieve high clock accuracy across networked computers. In most locations, NTP can provide accuracy from 1 to 50ms, depending on the characteristics of the synchronization source and network route.
39.2 Typical Examples of SNTP Configuration
[Figure: Typical SNTP Configuration, showing two SNTP/NTP servers and several switches]
All switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured. There should be reachable route between any switch and the two SNTP/NTP servers.
Example: Assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.
Chapter 40 NTP Function Configuration
40.1 Introduction to NTP Function
NTP (Network Time Protocol) synchronizes timekeeping across WAN and LAN among distributed time servers and clients, and can reach millisecond precision. The events, states, transmit functions and actions are defined in RFC-1305. The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the network so that the devices can provide diverse applications based on the consistent time.
]
no ntp server { | }

3. To configure the max number of broadcast or multicast servers supported by the NTP client
Command                Explanation
Global Mode
ntp broadcast server count       Set the max number of broadcast or multicast servers supported by the NTP client. The no operation will cancel the configuration and restore the default value.
no ntp broadcast server count
4.
7. To specify an interface as an NTP broadcast/multicast client interface
Command                Explanation
Interface Configuration Mode
ntp broadcast client             To configure specified interface to receive NTP broadcast packets.
no ntp broadcast client
ntp multicast client             To configure specified interface to receive NTP multicast packets.
no ntp multicast client
ntp ipv6 multicast client        To configure specified interface to receive IPv6 NTP multicast packets.
no ntp ipv6 multicast client
8.
debug ntp sync            To enable debug switch of time synchronize information.
no debug ntp sync
debug ntp events          To enable debug switch of NTP event information.
no debug ntp events
40.
configuration. If the configuration is correct, use each relevant debug command to display detailed information about the procedure and check whether the function is configured correctly; you can also use the show command to display the NTP running information. If any questions remain, please send the recorded messages to the technical service center.
Chapter 41 DNSv4/v6 Configuration
41.1 Introduction to DNS
DNS (Domain Name System) is a distributed database used by TCP/IP applications to translate domain names into corresponding IPv4/IPv6 addresses. With DNS, you can use easy-to-remember and meaningful domain names in some applications and let the DNS server translate them into the correct IPv4/IPv6 addresses. There are two types of DNS services, static and dynamic, which supplement each other in application.
each domain to keep track of their own changes, avoiding the need for a central register to be continually consulted and updated. In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a world-wide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet. 41.
4. To delete the domain entry of specified address in dynamic cache
Command                Explanation
Admin Mode
clear dynamic-host { | | all}       To delete the domain entry of specified address in dynamic cache.

5. To enable DNS dynamic domain name resolution
Command                Explanation
Global Mode
dns lookup {ipv4 | ipv6}            To enable DNS dynamic domain name resolution.
6.
of resolved by switch.
show dns config           Display the configured global DNS information on the switch.
show dns client           Display the DNS Client information maintained by the switch.
debug dns {all | packet [send | recv] | events | relay}       To enable/disable DEBUG of DNS function.
no debug dns {all | packet [send | recv] | events | relay}

41.3 Typical Examples of DNS
DNS SERVER IP: 87.250.250.3 IPv6: 2001::1 ip domain-lookup dns-server 87.250.250.
[Figure: DNS SERVER typical environment]
The figure above is an application of DNS SERVER. Under some circumstances, the client PC doesn’t know the real DNS SERVER, and points to the switch instead. The switch plays the role of a DNS SERVER in two steps: enable the global DNS SERVER function, and configure the IP address of the real DNS server. After the DNS SERVER function is globally enabled, the switch will look up its local cache when receiving a DNS request from a client PC.
Chapter 42 Summer Time Configuration
42.1 Introduction to Summer Time
Summer time, also called daylight saving time, is a time system intended to save energy. In summer the time is advanced 1 hour so that people rise earlier and use less lighting, which saves electricity. The rules for adopting summer time differ from country to country. At present, almost 110 countries implement summer time.
Switch(config)# clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1
Example2: The configuration requirement is as follows: summer time runs from 23:00 on the first Saturday of April to 00:00 on the last Sunday of October every year, the clock offset is 2 hours, and the summer time is named time_travel.
Configuration procedure is as follows:
Switch(config)#clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120
42.
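When log timestamps from a switch configured as in Example2 are correlated with other sources, readings near the two changeover points need care. The following is an added example, not part of the manual: it parses the recurring command of Example2 and classifies a clock reading. The function names are hypothetical, only the first/last selectors shown in Example2 are handled, and it is an assumption that the start time is expressed in standard time and the end time in summer time.

```python
import calendar
from datetime import datetime, timedelta

EXAMPLE2 = "clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120"
DAYS = {d: i for i, d in enumerate(["mon", "tue", "wed", "thu", "fri", "sat", "sun"])}
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}

def parse_recurring(cmd):
    """Parse the recurring form used in Example2 into a rule dictionary."""
    t = cmd.split()
    if len(t) != 13 or t[:2] != ["clock", "summer-time"] or t[3] != "recurring":
        raise ValueError("not a recurring summer-time command")
    def edge(hhmm, which, day, month):
        if which not in ("first", "last"):
            raise ValueError("unsupported week selector: " + which)
        hour, minute = map(int, hhmm.split(":"))
        return (hour, minute, which, DAYS[day], MONTHS[month])
    return {"name": t[2], "start": edge(*t[4:8]), "end": edge(*t[8:12]),
            "offset": timedelta(minutes=int(t[12]))}

def boundary(year, edge):
    """Resolve 'first sat apr 23:00' style edges to a concrete datetime."""
    hour, minute, which, weekday, month = edge
    days = [w[weekday] for w in calendar.monthcalendar(year, month) if w[weekday]]
    return datetime(year, month, days[0] if which == "first" else days[-1], hour, minute)

def classify(rule, clock):
    """Classify a reading of the switch clock within its own calendar year."""
    start = boundary(clock.year, rule["start"])   # assumed to be in standard time
    end = boundary(clock.year, rule["end"])       # assumed to be in summer time
    offset = rule["offset"]
    if start <= clock < start + offset:
        return "nonexistent"   # the clock jumps from start straight to start + offset
    if end - offset <= clock < end:
        return "ambiguous"     # shown twice: before and after the clock steps back
    return "summer" if start + offset <= clock < end - offset else "standard"

if __name__ == "__main__":
    rule = parse_recurring(EXAMPLE2)
    print(boundary(2012, rule["start"]), boundary(2012, rule["end"]))
    print(classify(rule, datetime(2012, 10, 27, 23, 0)))
```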
Chapter 43 Monitor and Debug
When users configure the switch, they need to verify that the configuration is correct and that the switch is operating as expected; when the network fails, they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.
43.
43.4 Traceroute6
The Traceroute6 function is used to test the gateways that data packets pass through from the source equipment to the destination equipment, in order to verify accessibility and locate network failures. The principle of Traceroute6 under IPv6 is the same as under IPv4; it uses the hop limit field of the ICMPv6 and IPv6 header. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet sent time) whose HOPLIMIT is set to 1.
show switchport interface [ethernet ]       Display the VLAN port mode and the belonging VLAN number of the switch as well as the Trunk port information.
show tcp                  Display the TCP connection status established currently on the switch.
show tcp ipv6
show udp                  Display the UDP connection status established currently on the switch.
show udp ipv6
show telnet login         Display the information of the Telnet client which currently establishes a Telnet connection with the switch.
show tech-support
43.7.1.
emergencies will be output. The following table summarizes the log information severity levels with brief descriptions. Note: these severity levels are in accordance with the standard UNIX/LINUX syslog.
Display and clear log buffer zone
Command                Description
Admin Mode
show logging buffered [ level {critical | warnings} | range ]       Show detailed log information in the log buffer channel.
clear logging {sdram | nvram}       Clear log buffer zone information.

Configure the log host output channel
Command                Description
Global Mode
logging { | } [ facility ] [level ]       host.
commands
43.7.3 System Log Configuration Example
Example 1: The IPv4 address of the switch in the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. Log information with a severity equal to or higher than warnings is required to be sent to this log server and saved under the log facility local1.
Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 100.100.100.1 255.255.255.
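On the log server side, the policy of Example 1 can be checked against what actually arrives. The following is an added example, not part of the manual: it decodes the standard syslog priority value (facility * 8 + severity) and reports datagrams that do not match the switch address, facility local1 or the warnings threshold. The function names are hypothetical, the sample datagrams are constructed, and it is an assumption that the switch prefixes each message with the standard <PRI> field.

```python
import re

LOCAL1 = 17                  # syslog facility code of local1 (local0..local7 = 16..23)
WARNINGS = 4                 # syslog severity code of "warnings"; 0 is the most severe
SWITCH_IP = "100.100.100.1"  # switch address from Example 1
PRI = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload):
    """Return (facility, severity) from the leading <PRI> field, or None if invalid."""
    m = PRI.match(payload)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        return None
    return divmod(int(m.group(1)), 8)    # PRI = facility * 8 + severity

def check(src_ip, payload):
    """List how a received datagram deviates from what Example 1 should produce."""
    problems = []
    if src_ip != SWITCH_IP:
        problems.append("unexpected source " + src_ip)
    decoded = decode_pri(payload)
    if decoded is None:
        return problems + ["missing or invalid PRI"]
    facility, severity = decoded
    if facility != LOCAL1:
        problems.append("facility %d, expected local1" % facility)
    if severity > WARNINGS:
        problems.append("severity %d is less severe than warnings" % severity)
    return problems

# Constructed datagrams (source address, UDP payload); the text after <PRI> is invented.
SAMPLES = [
    ("100.100.100.1", b"<140>constructed: port state changed"),   # local1, warnings
    ("100.100.100.1", b"<138>constructed: fan failure"),          # local1, critical
    ("100.100.100.1", b"<142>constructed: user logged in"),       # local1, severity 6
    ("100.100.100.1", b"<132>constructed: port state changed"),   # local0, warnings
    ("100.100.100.77", b"<138>constructed: fan failure"),         # different sender
    ("100.100.100.1", b"constructed: no priority field"),
]

def review(samples):
    """Map sample index to its problems, keeping only datagrams that need attention."""
    flagged = {}
    for index, (src_ip, payload) in enumerate(samples):
        problems = check(src_ip, payload)
        if problems:
            flagged[index] = problems
    return flagged

if __name__ == "__main__":
    for index, problems in review(SAMPLES).items():
        print(index, "; ".join(problems))
```

A severity above the threshold or a facility other than local1 arriving from the switch address points to a changed logging configuration; a datagram from another address claiming the same facility deserves a look at who is sending it.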
Chapter 44 Reload Switch after Specified Time
44.1 Introduction to Reload Switch after Specified Time
Reload switch after specified time reboots the switch, without shutting down its power, after a specified period of time; it is usually used when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
44.2 Reload Switch after Specified Time Task List
1.
Chapter 45 Debugging and Diagnosis for Packets Received and Sent by CPU
45.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU
The following commands are used to debug and diagnose the packets received and sent by CPU, and are supposed to be used with the help of the technical support.
45.