Switch 8800 Configuration Guide Version 3.01.01 http://www.3com.com/ Published February 2005 Part No.
3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2005, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS
ABOUT THIS GUIDE
Conventions 1
SYSTEM ACCESS
Product Overview 3
Function Features 3
Configuring the Switch 8800 4
Setting Terminal Parameters 5
Configuring Through Telnet 7
Configuring Through a Dial-up Modem 10
Configuring the User Interface 11
Command Line Interface 19
Command Line View 19
Features and Functions of the Command Line 22
PORT CONFIGURATION
Ethernet Port Overview 27
Configuring Ethernet Ports 27
Example: Configuring the Default VLAN ID of the Trunk Port
Troubleshooting VLAN Port
NETWORK PROTOCOL OPERATION
Configuring IP Address 49
Subnet and Mask 50
Configuring an IP Address 50
Troubleshooting an IP Address Configuration 52
Configuring Address Resolution Protocol (ARP) 52
Configuring ARP 52
DHCP Relay 54
Configuring DHCP Relay 55
Troubleshooting a DHCP Relay Configuration 58
IP Performance 59
Configuring TCP Attributes 59
Displaying and Debugging IP Performance 59
Troubleshooting IP Performance 60
IPX Configuration 61
IPX Address Structure 61
Routing Information Protocol 61
Service
IP Routing Policy 151
Routing Information Filters 152
Configuring an IP Routing Policy 153
Troubleshooting Routing Policies 159
Route Capacity 159
Limiting Route Capacity 160
Configuring Route Capacity 160
MULTICAST PROTOCOL
IP Multicast Overview 167
Multicast Addresses 168
IP Multicast Protocols 170
Forwarding IP Multicast Packets 171
Applying Multicast 172
Configuring Common Multicast 172
Configuring Common Multicast 172
Configuring IGMP 174
Configuring IGMP 175
IGMP Snooping 181
Configuring IGMP Snoopin
QoS Configuration 216
QoS Configuration 219
Configuration Examples 229
Traffic Policing Configuration Example 229
Traffic Shaping Configuration Example 231
Port Mirroring Configuration Example 231
Traffic Priority Configuration Example 232
Traffic Redirection Configuration Example 233
Queue Scheduling Configuration Example 234
WRED Parameters Configuration Example 235
Traffic Statistics Configuration Example 235
Configuring Logon User ACL Control 236
Configuring ACL for Telnet Users 236
Configuration Exampl
AAA AND RADIUS OPERATION
IEEE 802.1x 265
802.1x System Architecture 265
Configuring 802.
SNMP Versions and Supported MIB 322
Configuring SNMP 323
RMON 329
Configuring RMON 330
NTP 333
Configuring NTP 335
NTP Configuration Examples 341
ABOUT THIS GUIDE
This guide describes the 3Com® Switch 8800 and how to configure it in version 3.0 of the software.
Conventions
Table 1 lists the icon conventions that are used throughout this book.
Table 1 Notice Icons
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
1 SYSTEM ACCESS
This chapter covers the following topics:
■ Product Overview
■ Configuring the Switch 8800
■ Setting Terminal Parameters
■ Command Line Interface
Product Overview
The 3Com Switch 8800 is a large capacity, modular wire speed Layer 2/Layer 3 switch. It is designed for IP metropolitan area networks (MAN), large-sized enterprise networks, and campus network users. The Switch 8800 has an integrated chassis structure.
Table 1 Function Features (continued)
IP routing: Static route; RIP v1/v2; OSPF; BGP (in advanced software); IS-IS (in advanced software); IP routing policy
DHCP Relay: Dynamic Host Configuration Protocol (DHCP) Relay
Link aggregation: IEEE 802.3ad Link aggregation
Mirror: Port-based mirroring (one to one, many to one)
Security features: Multi-level user management and password protect 802.
Configuring the Switch 8800
Setting Terminal Parameters
To set terminal parameters:
1 Start the PC and select Start > Programs > Accessories > Communications > HyperTerminal.
2 The HyperTerminal window displays the Connection Description dialog box, as shown in Figure 2.
Figure 2 Set Up the New Connection
3 Enter the name of the new connection in the Name field and click OK. The dialog box shown in Figure 3 displays.
4 Select the serial port to be used from the Connect using dropdown menu.
5 Click OK. The Port Settings tab, shown in Figure 4, displays and you can set the serial port parameters. Set the following parameters:
■ Baud rate = 9600
■ Databit = 8
■ Parity check = none
■ Stopbit = 1
■ Flow control = none
Figure 4 Set Communication Parameters
6 Click OK. The HyperTerminal dialog box displays, as shown in Figure 5.
7 Select Properties.
8 In the Properties dialog box, select the Settings tab, as shown in Figure 6.
9 Select VT100 in the Emulation dropdown menu.
10 Click OK.
Connecting the PC to the Switch 8800
To connect the PC and Switch 8800 through Telnet:
1 Authenticate the Telnet user through the console port before the user logs in by Telnet. By default, a password is required for authenticating the Telnet user to log in to the Switch 8800. If a user logs in by Telnet without a password, the user sees the message: Login password has not been set!
2 Enter system view, return to user view by pressing Ctrl+Z.
6 Use the appropriate commands to configure the Switch 8800 or to monitor its operational state. Enter ? to get immediate help. For details on specific commands, refer to the chapters in this guide.
When configuring the Switch 8800 by Telnet, do not modify the IP address unless necessary, because the modification might terminate the Telnet connection. By default, after passing the password authentication and logging on, a Telnet user can access the commands at login level 0.
6 Use the appropriate commands to configure the Switch 8800 or view its operational state. Enter ? to get immediate help. For details on a specific command, refer to the appropriate chapter in this guide.
Configuring Through a Dial-up Modem
To configure your router with a dial-up modem through the AUX port:
1 Authenticate the modem user through the console port of the Switch 8800 before the user logs in to the switch through a dial-up modem.
Figure 11 Set the Dialed Number
Figure 12 Dial the Remote PC
4 Enter the preset login password on the remote terminal emulator and wait for the prompt.
5 Use the appropriate commands to configure the Switch 8800 or view its operational state. Enter ? to get immediate help. For details on a specific command, refer to the appropriate chapter in this guide.
By default, after login, a modem user can access the commands at Level 0.
■ Remote configuration through a modem through the console port.
There are two types of user interfaces:
■ AUX user interface is used to log in to the Switch 8800 through a dial-up modem. A Switch 8800 can only have one AUX port.
■ VTY user interface is used to telnet to the Switch 8800.
For the Switch 8800, the AUX port and Console port are the same port, so there is only one type of AUX user interface. The user interface is numbered by absolute number or relative number.
Perform the following configurations in user interface (AUX user interface only) view.
Table 3 Configure the Attributes of the AUX (Console) Port
Configure the transmission speed on the AUX (Console) port. By default, the transmission speed is 9600bps: speed speed-value
Restore the default transmission speed on the AUX (Console) port: undo speed
Configure the flow control on the AUX (Console) port.
By default, terminal service is enabled on all the user interfaces. Note the following points:
■ For the sake of security, the undo shell command can only be used on the user interfaces other than the AUX user interface.
■ You cannot use this command on the user interface through which you log in.
■ You must confirm your privilege before using the undo shell command in any legal user interface.
Table 8 Set the History Command Buffer Size
Restore the default history command buffer size: undo history-command max-size
Managing Users
The management of users includes the setting of the user logon authentication method, the level of command a user can use after logging on, the level of command a user can use after logging on from the specific user interface, and the command level.
Perform username and password authentication when a user logs in through the VTY 0 user interface and set the username and password to zbr and 3Com respectively:
[SW8800-ui-vty0]authentication-mode scheme
[SW8800-ui-vty0]quit
[SW8800]local-user zbr
[SW8800-luser-zbr]service-type telnet
[SW8800-luser-zbr]password simple 3Com
3 Set the Switch 8800 to allow user access without authentication.
When a user logs in to the switch, the command level that the user can access depends on two points: the command level that the user can access, and the command level set for the user interface. If the two levels are different, the former is taken. For example, the command level of the VTY 0 user interface is 1, while user Tom has the right to access commands of level 3; if Tom logs in from the VTY 0 user interface, he can access commands of level 3 and lower.
Perform the following configuration in user view.
Table 15 Configure to Send Messages Between User Interfaces
Configure to send messages between different user interfaces: send { all | number | type number }
The auto-execute command is used to run a command automatically after you log in. The command is automatically executed when you log in again. See Table 16.
Command Line Interface
The Switch 8800 provides a series of configuration commands and command line interfaces for configuring and managing the Switch 8800. The command line interface has the following features.
■ Local configuration through the console and AUX ports.
■ Local or remote configuration through Telnet.
■ Remote configuration through a dial-up modem through the AUX port to log in to the Switch 8800.
Login users are also classified into four levels that correspond to the four command levels. After users of different levels log in, they can only use commands at their own, or lower, levels. To prevent unauthorized users from illegal intrusion, users are identified when switching from a lower level to a higher level with the super [ level ] command. User ID authentication is performed when users at a lower level switch to users at a higher level.
Figure 13 Relation Diagram of the Views (diagram: user view leads to system view, from which the Ethernet port, user interface, VLAN, VLAN interface, OSPF area, RIP, OSPF, route policy, basic ACL, advanced ACL, interface-based ACL, Layer-2 ACL, FTP client, local-user, PIM, IS-IS, BGP, and RADIUS server group views are entered)
Table 18 describes the function features of the different views.
Table 18 Function Feature of Command View (continued)
Local-user view: Configure local user parameters. Prompt [SW8800-useruser1]. Enter local-user user1 in System view.
User interface view: Configure user interface parameters. Prompt [SW8800-ui0]. Enter user-interface 0 in System view.
FTP Client view: Configure FTP Client parameters. Prompt [ftp]. Enter ftp in user view.
PIM view: Configure PIM paramete
Features and Functions of the Command Line
quit: Exit from current command view
super: Enter the command workspace with specified user priority level
telnet: Establish one TELNET connection
tracert: Trace route function
■ Enter a command with a ?, separated by a space. If this position is for keywords, then all the keywords and the corresponding brief descriptions will be listed.
Common Command Line Error Messages
All the commands that are entered by users can be correctly executed if they have passed the grammar check. Otherwise, error messages are reported to users. Common error messages are listed in Table 19.
Table 19 Common Command Line Error Messages
Unrecognized command. Causes: Cannot find the command; Cannot find the keyword; Wrong parameter type; The value of the parameter exceeds the range.
Table 21 Editing Functions
Tab: Press Tab after typing the incomplete key word and the system will execute the partial help. If the key word matching the typed one is unique, the system will replace the typed one with the complete key word and display it in a new line. If there is no matched key word or the matched key word is not unique, the system makes no modification but displays the originally typed word in a new line.
2 PORT CONFIGURATION
This chapter covers the following topics:
■ Ethernet Port Overview
■ Configuring Link Aggregation
Ethernet Port Overview
The following features are found in the Ethernet ports of the Switch 8800:
■ 10GBASE-X-XENPAK 10-Gigabit Ethernet ports work in 10-gigabit full duplex mode.
■ 10GBASE-X-XFP operates in 10 Gbps full duplex mode, which needs no configuring.
■ 1000BASE-X-SFP Gigabit Ethernet ports work in gigabit full duplex mode.
■ Displaying and Debugging Ethernet Ports
Entering Ethernet Port View
Before configuring the Ethernet port, enter Ethernet port view. Perform the following configuration in system view.
Table 1 Enter Ethernet Port View
Enter Ethernet port view: interface { Gigabit | Ethernet } slot/subslot/port
The subslot on the Fabric is always set to 1.
Enabling and Disabling Ethernet Ports
The following command can be used for disabling or enabling the port.
Perform the following configuration in Ethernet port view.
Table 4 Set the Duplex Attribute for an Ethernet Port
Set the duplex attribute for an Ethernet port: duplex { auto | full | half }
Restore the default duplex attribute of the Ethernet port: undo duplex
The Gigabit Ethernet Base-T ports can operate in full duplex, half duplex, or auto-negotiation mode.
packets and packet loss is reduced. The flow control function of the Ethernet port can be enabled or disabled using the following commands. Perform the following configuration in Ethernet port view.
Table 7 Set Flow Control for Ethernet Port
Enable Ethernet port flow control: flow-control
Disable Ethernet port flow control: undo flow-control
By default, Ethernet port flow control is disabled.
Setting the Ethernet Port Broadcast Suppression Ratio
You can use the following commands to restrict the broadcast traffic. Once the broadcast traffic exceeds the value set by the user, the system maintains an appropriate broadcast packet ratio by discarding the overflow traffic. This is done to suppress broadcast storms, avoid congestion, and ensure good traffic flow. The parameter indicates the maximum wire speed ratio of the broadcast traffic allowed on the port.
Adding an Ethernet Port to a VLAN
The following commands are used for adding an Ethernet port to a specified VLAN. Access ports can be added to only one VLAN, while hybrid and trunk ports can be added to multiple VLANs. Perform the following configuration in Ethernet port view.
To guarantee proper packet transmission, the default VLAN ID of the local hybrid port or trunk port should be identical to that of the hybrid port or trunk port on the peer switch. The default VLAN of a hybrid port and a trunk port is VLAN 1. The default VLAN of an access port is the VLAN to which it belongs.
Copying a Port Configuration to Other Ports
To keep the configuration of other ports consistent with a specified port, you can copy the configuration of that specified port to other ports.
Example: Configuring the Default VLAN ID of the Trunk Port
In this example, Switch A is connected to the peer, Switch B, through the trunk port GigabitEthernet2/1/1. Configure the trunk port with a default VLAN ID, so that the port can forward packets to the member ports belonging to the default VLAN when it receives them without a VLAN tag.
Configuring Link Aggregation
■ STP priority
■ Path cost
■ Maximum transmission speed
■ Loop protection
■ Root protection
■ Type of port (edge)
QoS setting
■ Traffic limiting
■ Priority marking
■ Default 802.1p priority
■ Bandwidth assurance
■ Congestion avoidance
■ Traffic redirection
■ Traffic statistics
Port State
In an aggregation group, ports may be in selected or standby state and only the selected ports can transmit user service packets. The selected port with the minimum port number serves as the master port, while the others serve as sub-ports.
Perform the following configuration in system view.
Table 16 Create or Delete an Aggregation Group
Create an aggregation group: link-aggregation group agg-id mode { manual }
Delete an aggregation group: undo link-aggregation group agg-id
Adding or Deleting Ethernet Ports to or from an Aggregation Group
You can use the following command to add ports to or delete ports from a manual aggregation group.
Table 19 Display and Debug Link Aggregation (continued)
Display detailed link aggregation information at the port: display link-aggregation interface { interface-type interface-number | interface-name } [ to { interface-type interface-num | interface-name } ]
Disable/enable debugging link aggregation errors: [ undo ] debugging link-aggregation error
Disable/enable debugging link aggregation events: [ undo ] de
Example: Link Aggregation Configuration
3 VLAN CONFIGURATION
This chapter covers the following topics:
■ VLAN Overview
■ Configuring VLANs
■ Configuring GARP/GVRP
VLAN Overview
A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. Using VLAN technology, you can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same resource requirements.
Perform the following configurations in system view.
Table 1 Creating or Deleting a VLAN
Create and enter a VLAN view: vlan vlan_id
Delete the specified VLAN: undo vlan { vlan_id [ to vlan_id ] | all }
The command creates the VLAN then enters the VLAN view. If the VLAN already exists, the command enters the VLAN view directly. Note that the default VLAN, VLAN 1, cannot be deleted.
Perform the following configurations in system view.
Table 4 Specifying and Removing VLAN Interfaces
Create a new VLAN interface and enter VLAN interface view: interface vlan-interface vlan_id
Remove the specified VLAN interface: undo interface vlan-interface vlan_id
Create a VLAN before creating an interface for it.
Shutting Down or Enabling a VLAN Interface
Use the following command to shut down or enable a VLAN interface.
Figure 1 VLAN Configuration Example (diagram: on the Switch 8800, ports E3/1/1 and E4/1/1 are in VLAN2; ports E3/1/2 and E4/1/2 are in VLAN3)
1 Create VLAN 2 and enter its view.
[SW8800]vlan 2
2 Add GigabitEthernet3/1/1 and GigabitEthernet4/1/1 to VLAN2.
[SW8800-vlan2]port GigabitEthernet3/1/1 GigabitEthernet4/1/1
3 Create VLAN 3 and enter its view.
[SW8800-vlan2]vlan 3
4 Add GigabitEthernet3/1/2 and GigabitEthernet4/1/2 to VLAN3.
attribute information by sending join declarations or withdrawal declarations. It can also register or remove the attribute information of other GARP members according to the join declarations or withdrawal declarations that it receives from them. GARP members exchange information by sending GARP messages. There are three main types of GARP messages: join, leave, and leaveall.
information received within the time specified by the hold timer can be sent in one frame to save bandwidth.
Table 7 Setting the GARP Timers
Configure the hold, join, and leave timers in Ethernet port view.
Set the GARP hold, join, and leave timers: garp timer { hold | join | leave } timer_value
Restore the default GARP hold, join, and leave timer settings: undo garp timer { hold | join | leave }
Configure the leaveall timer in system view.
dynamically update local VLAN registration information, including the active members and the port through which each member can be reached. All the switches that support GVRP can distribute their local VLAN registration information to other switches so that VLAN information is consistent on all GVRP devices in the same network.
Setting the GVRP Registration Type
GVRP includes the normal, fixed, and forbidden registration types (see IEEE 802.1Q).
■ When an Ethernet port registration type is set to normal, the dynamic and manual creation, registration, and logout of VLANs are allowed on this port.
■ When a trunk port registration type is set to fixed, the system adds the port to the VLAN if a static VLAN is created on the switch and the trunk port allows the VLAN to pass.
Figure 2 GVRP Configuration Example (diagram: Switch A port E3/1/1 connected to Switch B port E4/1/1)
Configure Switch A:
1 Set GigabitEthernet3/1/1 as a trunk port and allow all the VLANs to pass through.
[SW8800]interface GigabitEthernet3/1/1
[SW8800-GigabitEthernet3/1/1]port link-type trunk
[SW8800-GigabitEthernet3/1/1]port trunk permit vlan all
2 Enable GVRP on the trunk port.
[SW8800-GigabitEthernet3/1/1]gvrp
Configure Switch B:
1 Enable GVRP globally.
4 NETWORK PROTOCOL OPERATION
This chapter covers the following topics:
■ Configuring IP Address
■ Configuring Address Resolution Protocol (ARP)
■ DHCP Relay
■ IP Performance
Configuring IP Address
An IP address is a 32-bit address represented by four octets. IP addresses are divided into five classes, A, B, C, D and E. The class of an address is determined by the first few bits of the first octet.
■ Subnet and Mask
■ Troubleshooting an IP Address Configuration
The IP protocol allocates one IP address for each network interface. Multiple IP addresses can only be allocated to a device which has multiple network interfaces. IP addresses on a device with multiple interfaces have no relationship among themselves. With the rapid development of the Internet, IP addresses are depleting very fast.
Configuring the IP Address of the VLAN Interface
You can configure a maximum of ten IP addresses for a VLAN interface. Perform the following configuration in VLAN interface view.
Troubleshooting an IP Address Configuration
If the Switch 8800 cannot ping a certain host on the LAN, proceed as follows:
1 Determine which VLAN includes the port connected to the host. Check whether the VLAN has been configured with a VLAN interface. Determine whether the IP address of the VLAN interface and the host are on the same network segment.
Configuring Address Resolution Protocol (ARP)
ARP configuration includes tasks described in the following sections:
■ Manually Adding/Deleting Static ARP Mapping Entries
■ Learning Gratuitous ARPs
■ Configuring the Dynamic ARP Aging Timer
■ Displaying and Debugging ARP
Manually Adding/Deleting Static ARP Mapping Entries
Perform the following configuration in System view.
configuration. Execute the debugging command in user view to debug the ARP configuration.
DHCP Relay
Configuring DHCP is described in the following sections:
■ Configuring DHCP Relay
■ Troubleshooting a DHCP Relay Configuration
Configuring DHCP Relay
DHCP relay configuration includes tasks described in the following sections:
■ Configuring a DHCP Server IP Address in a DHCP Server Group
■ Configuring the DHCP Server Group for the VLAN Interface
■ Configuring the Address Table Entry
■ Enabling/Disabling DHCP Security Features
■ Enabling/Disabling DHCP Pseudo-server Detection
When associating a VLAN interface to a new DHCP server group, you can configure the association without disassociating it from the previous group. By default, VLAN interfaces have no associated DHCP server group.
Configuring the Address Table Entry
To check the address of users who have valid and fixed IP addresses in the VLAN (with DHCP enabled), it is necessary to add an entry in the static address table. Perform the following configuration in system view.
Displaying and Debugging DHCP Relay
Execute the display command in all views to display the current DHCP Relay configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the DHCP Relay configuration.
6 Configure the corresponding interface and gateway address of VLAN3.
[SW8800]vlan 3
[SW8800-vlan3]port GigabitEthernet 1/1/3
[SW8800-vlan3]quit
[SW8800]interface vlan-interface 3
[SW8800-VLAN-Interface3]ip address 21.2.2.1 255.255.0.0
7 It is necessary to configure a VLAN for the servers. The corresponding interface VLAN of DHCP server group 1 is configured as 4000, and that of group 2 is configured as 3001.
IP Performance
IP performance configuration includes:
■ Configuring TCP Attributes
■ Displaying and Debugging IP Performance
■ Troubleshooting IP Performance
Configuring TCP Attributes
The TCP attributes that can be configured include:
■ synwait timer: When sending the syn packets, TCP starts the synwait timer. If response packets are not received before the synwait timeout, the TCP connection will be terminated.
Table 15 Display and Debug IP Performance
Display the FIB entries matching the destination IP address (range): display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 | mask-length2 } | longer ] | longer ]
Display the FIB entries that match a specific ACL: display fib acl { number | name }
Display the FIB entries which are output from the buffer according to a regular expression: display fib | { { begin | include | exclude } and
Packet length :60
Data offset: 10
■ Debug and trace the packets located in SYN, FIN or RST. Operations include:
terminal debugging
debugging tcp transact
The TCP packets received or sent can be checked in real time, and the specific packet formats are the same as those mentioned above.
IPX Configuration
Internetwork Packet Exchange (IPX) protocol is a network layer protocol in the NetWare protocol suite. It is similar to IP in the TCP/IP protocol suite.
The servers periodically broadcast their services and addresses to the networks directly connected to them. Users cannot use such information directly, however. Instead, the information is collected by the SAP agents of the switches on the networks and saved in their server information tables.
5 IP ROUTING PROTOCOL OPERATION
This chapter covers the following topics:
■ IP Routing Protocol Overview
■ Static Routes
■ RIP
■ OSPF
■ IS-IS
■ BGP
■ IP Routing Policy
■ Route Capacity
IP Routing Protocol Overview
Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
Figure 1 About Hops (diagram: hosts A, B and C connected through a chain of routers R, with one router-to-router link marked as a route segment)
Networks can have different sizes, so the segment lengths between two different pairs of routers are also different. If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way to message routing in a conventional network.
■ The output interface: Indicates an interface through which an IP packet should be forwarded.
■ The next hop address: Indicates the next router that an IP packet will pass through.
■ The priority added to the IP routing table for a route: Indicates the type of route that is selected. There may be multiple routes with different next hops to the same destination.
the user are managed together with the dynamic routes as detected by the routing protocol. The static routes and the routes learned or configured by routing protocols can be shared with each other. Routing protocols (as well as the static configuration) can generate different routes to the same destination, but not all these routes are optimal. In fact, at a certain moment, only one routing protocol can determine the current route to a single destination.
main route. When the line fails, the main route hides itself and the router chooses, from the remaining routes, the one whose precedence is higher than the others' as a backup route to send data. When the main route recovers, the router restores it and re-selects a route. As the main route has the highest precedence, the router chooses the main route to send data. This process is the automatic switchover from the backup route to the main route.
entry of the routing table, the router selects the default route to forward this packet. If there is no default route and the destination address of the packet fails to match any entry in the routing table, the packet is discarded, and an Internet Control Message Protocol (ICMP) packet is sent to the originating host to indicate that the destination host or network is unreachable.
destination address is in the directly connected network, the transmitting interface can be specified.
■ For a P2P interface, the address of the next hop defines the transmitting interface because the address of the opposite interface is the address of the next hop of the route.
In fact, for all routing items, the next hop address must be specified.
Table 5 Displaying and Debugging the Routing Table
View the routes filtered through a specified basic access control list (ACL): display ip routing-table acl { acl-number | acl-name } [ verbose ]
View the routes filtered through a specified IP prefix list: display ip routing-table ip-prefix ip-prefix-number [ verbose ]
View the routing information found by the specified protocol: display ip rout
Example: Typical Static Route Configuration
6 Configure the default gateway of Host C to be 1.1.1.2.
Using this procedure, all the hosts or switches in Figure 3 can be interconnected in pairs.
Troubleshooting Static Routes
The Switch 8800 is not configured with any dynamic routing protocols enabled. Both the physical status and the link layer protocol status of the interface are enabled, but the IP packets cannot be forwarded normally.
The whole process of RIP startup and operation can be described as follows:
1 If RIP is enabled on a router for the first time, the router broadcasts a request packet to adjacent routers. When they receive the request packet, adjacent routers (on which RIP is also enabled) respond to the request by returning response packets containing information about their local routing tables.
■ Setting Additional Routing Metrics
■ Configuring Route Filtering
■ Displaying and Debugging RIP
Enabling RIP and Entering the RIP View
Perform the following configurations in system view.
Table 6 Enabling RIP and Entering the RIP View
Enable RIP and enter the RIP view: rip
Disable RIP: undo rip
By default, RIP is not enabled.
By default, RIP does not send messages to unicast addresses. Usually this command is not recommended, because the peer does not need to receive the same message twice. Note that the peer command is also restricted by the rip work, rip output, rip input and network commands.
Specifying the RIP Version
RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packets processed by an interface.
Perform the following configuration in RIP view.
Table 10 Configuring RIP Timers
Configure RIP timers: timers { update update-timer-length | timeout timeout-timer-length }*
Restore the default RIP timers: undo timers { update | timeout }*
A modification of the RIP timers takes effect immediately. By default, the update timer is 30 seconds and the timeout timer is 180 seconds.
Perform the following configuration in VLAN interface view.
Perform the following configurations in RIP view.
Table 14 Enabling Route Aggregation
Enable the automatic route aggregation function of RIP-2: summary
Disable the automatic route aggregation function of RIP-2: undo summary
By default, RIP-2 uses route aggregation.
Setting RIP-2 Packet Authentication
RIP-1 does not support packet authentication, so RIP-1 updates are accepted from any sender on the segment. You can configure packet authentication on RIP-2 interfaces.
Perform the following configuration in VLAN interface view.
Table 16 Configuring Split Horizon
Enable split horizon: rip split-horizon
Disable split horizon: undo rip split-horizon
By default, split horizon is enabled on the interface.
Enabling RIP to Import Routes of Other Protocols
RIP allows you to import the routes of other protocols into its routing table. RIP can import direct, static, OSPF, BGP, and IS-IS routes.
Perform the following configurations in RIP view.
Table 19 Setting the RIP Preference
Set the RIP preference: preference value
Restore the default RIP preference: undo preference
By default, the preference of RIP is 100.
Setting Additional Routing Metrics
The additional routing metric is the input or output metric added to a RIP route.
By default, RIP does not filter received or distributed routing information.
Displaying and Debugging RIP
After configuring RIP, execute the display command in any view to display the RIP configuration and verify the effect of the configuration. Execute the debugging command in user view to debug the RIP module. Execute the reset command in RIP view to reset the RIP system configuration parameters.
[Switch B-rip]network 110.11.2.0
3 Configure RIP on Switch C:
[Switch C]rip
[Switch C-rip]network 117.102.0.0
[Switch C-rip]network 110.11.2.0
Troubleshooting RIP
The Switch 8800 cannot receive update packets although the physical connection to the peer routing device is normal.
■ RIP does not operate on the corresponding interface (for example, the undo rip work command has been executed), or the interface is not enabled through the network command.
the protocol packets to each other. Thus each router receives the LSAs of the other routers, and all these LSAs constitute its LSD.
■ An LSA describes the network topology around a router, so the LSD describes the topology of the entire network. Routers can easily transform the LSD into a weighted directed graph that reflects the topology of the whole network. All routers have the same graph.
Designated Router (DR)
In a broadcast network, in which all routers are directly connected, any two routers would otherwise have to establish an adjacency to flood their local status information to the whole AS. Every change a router makes would then result in multiple transmissions, which is unnecessary and wastes bandwidth. To solve this problem, OSPF defines a “designated router” (DR).
Configuring OSPF
You must first enable OSPF, then specify the interface and area ID, before configuring other functions. The configuration of interface-related functions does not depend on whether OSPF is enabled, but if OSPF is disabled, the OSPF-related interface parameters become invalid.
Enabling OSPF and Entering OSPF View
Perform the following configurations in system view.
Table 23 Enabling the OSPF Process
Enable the OSPF process: ospf [ process-id [ router-id router-id ] ]
Disable the OSPF process: undo ospf [ process-id ]
By default, OSPF is not enabled.
Entering OSPF Area View
Perform the following configurations in OSPF view.
Perform the following configurations in system view.
Table 26 Configuring Router ID
Configure the router ID: router id router-id
Remove the router ID: undo router id
To ensure the stability of OSPF, plan the allocation of router IDs and configure them manually when planning the network.
the network type to P2MP manually. The most common use is to change a partially connected NBMA network into a P2MP network.
■ NBMA forwards packets by unicast and requires neighbors to be configured manually. P2MP forwards packets by multicast.
Perform the following configuration in VLAN interface view.
fails, the BDR becomes the DR immediately. Since no re-election is needed and the adjacencies have already been established, the process is very short. In this case, however, a new BDR must be elected. Although this also takes time, it does not affect route calculation. Note that:
■ The DR on the network is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second highest priority.
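The non-preemptive behaviour described in this note (a running DR is kept, the BDR is promoted when the DR fails, and a later-arriving router with a higher priority does not take over) as an added example; this is a simplified model of RFC 2328 section 9.4 written for this page, not 3Com code, and the router IDs and priorities are constructed to match Figure 6 later in this chapter.

```python
from dataclasses import dataclass


@dataclass
class Router:
    router_id: str     # dotted router ID, e.g. "1.1.1.1"
    priority: int      # OSPF DR priority; 0 means never eligible
    up: bool = True    # whether Hellos are still being heard from it


def _rank(r):
    """Higher priority wins; equal priorities are broken by the higher router ID."""
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def elect(routers, current_dr=None, current_bdr=None):
    """One election round. Returns (dr_id, bdr_id); None when nobody is eligible.

    Simplified model (assumption for this example): the current DR is never
    preempted, a failed DR is replaced by the BDR, and only then is a new BDR
    chosen from the remaining eligible routers.
    """
    alive = {r.router_id: r for r in routers if r.up and r.priority > 0}

    if current_dr in alive:                 # keep the existing DR, whatever its priority
        dr = current_dr
    elif current_bdr in alive:              # DR gone: the BDR is promoted at once
        dr = current_bdr
    else:                                   # cold start: best-ranked router becomes DR
        dr = max(alive.values(), key=_rank).router_id if alive else None

    rest = [r for rid, r in alive.items() if rid != dr]
    if current_bdr in alive and current_bdr != dr:
        bdr = current_bdr                   # keep the existing BDR
    else:
        bdr = max(rest, key=_rank).router_id if rest else None
    return dr, bdr


if __name__ == "__main__":
    net = [Router("1.1.1.1", 100), Router("2.2.2.2", 1),
           Router("3.3.3.3", 2), Router("4.4.4.4", 1)]
    dr, bdr = elect(net)
    print("initial:", dr, bdr)              # A is DR, C is BDR
    net[0].up = False
    dr, bdr = elect(net, dr, bdr)
    print("A failed:", dr, bdr)             # C promoted, D becomes BDR
    net[0].up = True
    print("A back:", elect(net, dr, bdr))   # C stays DR although A has priority 100
```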
According to RFC 2328, the hello intervals of neighbors on a network must be consistent. A shorter hello interval speeds up route convergence but increases network load.
Perform the following configuration in VLAN interface view.
Perform the following configuration in VLAN interface view.
Table 33 Configuring an Interval for LSU Packets
Configure the transmission delay for LSU packets: ospf trans-delay seconds
Restore the default transmission delay for LSU packets: undo ospf trans-delay
By default, the LSU transmission delay is 1 second.
Configuring the OSPF STUB Area
STUB areas are special areas in which the ABRs do not propagate the external routes learned from outside the AS. In these areas, the routing table sizes and the routing traffic are significantly reduced. The STUB area is an optional attribute, but not every area meets the conditions for it. Generally, STUB areas are non-backbone areas at the AS boundary with only one ABR.
are propagated in the OSPF AS. However, the type-5 LSAs do not reach Area 1 because Area 1 is an NSSA; NSSAs and STUB areas behave the same way in this respect. Like a STUB area, an NSSA cannot be configured with virtual links.
Figure 5 NSSA (Area 0, Area 1 configured as an NSSA with an NSSA ABR and an NSSA ASBR importing RIP routes, Area 2)
Perform the following configuration in OSPF Area view.
When the ABR transmits routing information to other areas, it generates one Sum_net_Lsa (type-3 LSA) per network. If contiguous networks exist in the area, you can use the abr-summary command to summarize these segments into one. The ABR then sends only an aggregate LSA, and the LSAs within the aggregated range specified by the command are not transmitted separately. The sizes of the LSDBs in other areas are reduced as a result.
The “logical channel” means that the routers running OSPF between the two ABRs only forward packets (the protocol packets are not addressed to them, so they are transparent to these routers, which forward them as ordinary IP packets). Routing information is exchanged directly between the two ABRs.
password for the area, and the authentication-mode md5 command to configure the MD5 authentication key.
Perform the following configuration in OSPF Area view.
Table 41 Configuring the OSPF Area to Support Packet Authentication
Configure the authentication type supported by the area: authentication-mode [ simple | md5 ]
Cancel the configured authentication type: undo authentication-mode
By default, the area does not support packet authentication. All routers in an area must use the same authentication type and key. With simple authentication the password travels in clear text in every OSPF packet, so prefer md5 wherever the peers support it.
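What the two authentication types in Table 41 actually put on the wire, as an added example (this is Python written for this page, not 3Com code). Simple authentication copies the password into the 64-bit authentication field of the OSPF header, so anyone sniffing the segment reads it; cryptographic authentication (RFC 2328, Appendix D) carries a key ID and a sequence number in that field, leaves the checksum at zero, and appends MD5(packet || key), which lets the receiver detect tampering and replay. The same keyed-digest idea is what the RIP-2 and IS-IS MD5 options earlier and later in this chapter provide. Zero-padding a short key to 16 bytes is a common implementation convention and an assumption here; the router IDs, key IDs and Hello body are constructed. MD5 is a legacy algorithm, but it is what these protocols standardized.

```python
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # AuType values in the OSPF header
VERSION, HELLO = 2, 1


def _inet_checksum(data):
    """Standard one's-complement checksum used by OSPF for non-cryptographic packets."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fixed(router_id, area_id, body, au_type):
    """Header bytes 0..15 (version, type, length, router ID, area ID, checksum=0, AuType)."""
    return struct.pack("!BBHIIHH", VERSION, HELLO, 24 + len(body), router_id, area_id, 0, au_type)


def build_simple(router_id, area_id, body, password):
    """authentication-mode simple: the password itself rides in the 8-byte auth field."""
    head = _fixed(router_id, area_id, body, AU_SIMPLE)
    csum = _inet_checksum(head + body)                 # auth field is excluded from the checksum
    head = head[:12] + struct.pack("!H", csum) + head[14:]
    return head + password.encode()[:8].ljust(8, b"\x00") + body


def verify_simple(wire, password):
    _, _, length, _, _, csum, au_type = struct.unpack("!BBHIIHH", wire[:16])
    if au_type != AU_SIMPLE or len(wire) != length:
        return False
    if not hmac.compare_digest(wire[16:24], password.encode()[:8].ljust(8, b"\x00")):
        return False
    return _inet_checksum(wire[:12] + b"\x00\x00" + wire[14:16] + wire[24:]) == csum


def password_on_wire(simple_wire):
    """What a sniffer reads straight out of a simple-authentication packet."""
    return simple_wire[16:24].rstrip(b"\x00").decode()


def build_crypto(router_id, area_id, body, key_id, key, seq):
    """authentication-mode md5: auth field = key id, digest length, sequence; digest appended."""
    head = _fixed(router_id, area_id, body, AU_CRYPTO)  # checksum stays 0 for AuType 2
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = head + auth + body
    key16 = key.encode()[:16].ljust(16, b"\x00")        # zero-padded key (assumed convention)
    return packet + hashlib.md5(packet + key16).digest()


def verify_crypto(wire, keys, last_seq):
    """Digest check plus replay protection. keys: {key_id: key}; last_seq: {router_id: seq}."""
    if len(wire) < 24:
        return False, "short"
    _, _, length, rid, _, _, au_type = struct.unpack("!BBHIIHH", wire[:16])
    if au_type != AU_CRYPTO:
        return False, "not cryptographic authentication"
    _, key_id, dlen, seq = struct.unpack("!HBBI", wire[16:24])
    if dlen != 16 or len(wire) != length + dlen:
        return False, "bad length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    packet, digest = wire[:length], wire[length:]
    key16 = key.encode()[:16].ljust(16, b"\x00")
    if not hmac.compare_digest(hashlib.md5(packet + key16).digest(), digest):
        return False, "bad digest"
    if seq < last_seq.get(rid, 0):                      # RFC 2328 D.4.2: non-decreasing
        return False, "replayed sequence number"
    last_seq[rid] = seq
    return True, "ok"


if __name__ == "__main__":
    body = b"\x00" * 20                                 # constructed stand-in for a Hello body
    s = build_simple(0x01010101, 0, body, "secret")
    print("simple auth leaks:", password_on_wire(s))
    c = build_crypto(0x01010101, 0, body, key_id=1, key="k3y", seq=5)
    print("md5 auth:", verify_crypto(c, {1: "k3y"}, {}))
```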
The external type-1 routes are imported IGP routes (such as static and RIP routes). Because these routes are more reliable, the cost of a type-1 external route is calculated in the same way as the cost of a route within the AS, and is directly comparable with the route costs of OSPF itself.
Table 44 Configuring Parameters for OSPF to Import External Routes
Configure the default tag for external routes imported by OSPF: default tag tag
Restore the default tag for imported external routes: undo default tag
Configure the default type of external routes that OSPF imports: default type { 1 | 2 }
Restore the default type of imported external routes: undo default type
No default cost and tag are available when importing external routes, and t
Configuring OSPF Route Filtering
Perform the following configuration in OSPF view.
no neighbor relationship can be established on the interface. This enhances the ability of OSPF to adapt to the network and reduces the consumption of system resources.
Configuring OSPF and Network Management System (NMS)
Configuring OSPF MIB Binding
After multiple OSPF processes are enabled, you can configure which OSPF process the OSPF MIB is bound to.
Perform the following configuration in system view.
Perform the following configuration in user view.
Table 52 Resetting the OSPF Process
Reset the OSPF process: reset ospf [ statistics ] { all | process-id }
Resetting the OSPF process immediately clears invalid LSAs, makes a modified router ID effective, and re-elects the DR and BDR.
Figure 6 Configuring DR Election Based on OSPF Priority (Switch A, router ID 1.1.1.1, 196.1.1.1/24, DR; Switch B, 2.2.2.2, 196.1.1.2/24; Switch C, 3.3.3.3, 196.1.1.3/24, BDR; Switch D, 4.4.4.4, 196.1.1.4/24)
The commands in the following example make Switch A and Switch C the DR and BDR. The priority of Switch A is 100, the highest on the network, so it is elected DR. Switch C has the second highest priority, so it is elected BDR.
[Switch D]ospf
[Switch D-ospf-1]area 0
[Switch D-ospf-1-area-0.0.0.0]network 196.1.1.0 0.0.0.255
On Switch A, execute the display ospf peer command to display the OSPF neighbors. Note that Switch A has three neighbors. The state of each neighbor is Full, which means that an adjacency is established between Switch A and each neighbor.
[Switch A-Vlan-interface1]ip address 196.1.1.1 255.255.255.0
[Switch A]router id 1.1.1.1
[Switch A]ospf
[Switch A-ospf]area 0
[Switch A-ospf-area-0.0.0.0]network 196.1.1.0 0.0.0.255
2 Configure Switch B:
[Switch B]interface vlan-interface 7
[Switch B-Vlan-interface7]ip address 196.1.1.2 255.255.255.0
[Switch B]interface vlan-interface 8
[Switch B-Vlan-interface8]ip address 197.1.1.2 255.255.255.0
[Switch B]router id 2.2.2.
peer router, it indicates that faults have occurred on the physical link or in the lower layer protocol.
■ If the physical link and the lower layer protocol are normal, check the OSPF parameters configured on the interface. They must match the parameters configured on the adjacent router: the same area ID must be used, and the network and mask must also be consistent.
IS-IS
Intermediate System-to-Intermediate System (IS-IS) is an intra-domain routing information exchange protocol: a dynamic routing protocol for use within an AS, issued by the International Organization for Standardization (ISO). An intermediate system (IS) in the OSI reference model is basically equivalent to a router in the TCP/IP reference model. IS-IS is a link state protocol and uses the Shortest Path First (SPF) algorithm.
All the Level-2 routers make up the backbone of the routing domain, which is responsible for inter-area communication. Every area has at least one router that is both Level-1 and Level-2 (a Level-1/Level-2, or Level-1-2, router), which connects the area to the backbone. A Level-1-2 router adjacent to a router in another area notifies the Level-1 routers in its own area that it is an exit point from the area.
Figure 9 IS-IS Topology
NSAP Structure of IS-IS
Figure 10 illustrates the NSAP structure. The whole address is 8 to 20 bytes long.
Figure 10 NSAP Structure
An NSAP consists of the initial domain part (IDP) and the domain specific part (DSP). Both IDP and DSP are variable in length, with a combined length of at most 20 bytes.
authority and format identifier (AFI) and the initial domain identifier (IDI). The AFI defines the format of the IDI. The DSP is several bytes long. The area address consists of the routing field and the area identifier. The routing field includes the AFI and the IDI and may also include the first byte of the DSP; it identifies the organizational structure. It is followed by a 16-bit area identifier.
Configuring Integrated IS-IS
Integrated IS-IS is designed to function as a routing protocol for IP. Therefore the network must be set up with IP addresses and VLANs in the same way as for RIP or OSPF; that setup is not discussed in this section. Beyond the standard IP setup, you must decide what type of routing hierarchy to implement.
■ Setting IS-IS Authentication
■ Setting the Mesh Group of the Interface
■ Setting the Router Type
■ Setting Default Route Generation
■ Setting a Summary Route
■ Setting the Overload Flag Bit
■ Setting to Ignore the LSP Checksum Errors
■ Setting Peer Change Logging
■ Setting the LSP Refresh Interval
■ Setting the Lifetime of LSP
■ Setting the SPF Calculation in Slice
■ Setting SPF to Release CPU Resources
■ Setting the SPF Computing Int
Perform the following configuration in IS-IS view.
Table 55 Setting the Network Entity Title (NET)
Set the Network Entity Title (NET): network-entity net
Delete a NET: undo network-entity net
The format of the net parameter is X…X.XXXXXXXXXXXX.XX: the leading “X…X” is the area address, the twelve Xs in the middle are the System ID of the router, and the last XX (the selector) must be 00.
CAUTION: A router can be configured with multiple area addresses.
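A parser that applies the NET rules stated above and in the NSAP section (dotted hexadecimal, 8 to 20 bytes in total, a 6-byte System ID, a selector of 00, and everything in front of those 7 bytes being the area address), as an added example written for this page rather than 3Com code. It also checks the one thing that matters when two of these routers are meant to form a Level-1 adjacency: their area addresses must be identical. The NET values are the ones used in the IS-IS configuration example later in this chapter; the function names are assumptions.

```python
import re


class NetError(ValueError):
    """Raised when a string is not a valid NET."""


def _fmt_area(hexarea):
    """Print an area address as AFI followed by 2-byte groups, e.g. 86.0001 or 47.0004.004d.0001."""
    return ".".join([hexarea[:2]] + [hexarea[i:i + 4] for i in range(2, len(hexarea), 4)])


def parse_net(net):
    """Split a NET into (area, system_id, sel) and validate it against the rules above."""
    hexstr = net.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr) or len(hexstr) % 2:
        raise NetError("NET must be dotted hexadecimal with a whole number of bytes")
    nbytes = len(hexstr) // 2
    if not 8 <= nbytes <= 20:
        raise NetError(f"NET is {nbytes} bytes; an NSAP/NET is 8 to 20 bytes long")
    sel, sysid, area = hexstr[-2:], hexstr[-14:-2], hexstr[:-14]
    if sel != "00":
        raise NetError("the selector (last byte) of a NET must be 00")
    system_id = ".".join(sysid[i:i + 4] for i in range(0, 12, 4))
    return _fmt_area(area), system_id, sel


def is_valid_net(net):
    try:
        parse_net(net)
        return True
    except NetError:
        return False


def level1_neighbors(net_a, net_b):
    """Level-1 adjacency requires identical area addresses; Level-2 does not."""
    return parse_net(net_a)[0] == parse_net(net_b)[0]


if __name__ == "__main__":
    for net in ("86.0001.0000.0000.0005.00", "86.0001.0000.0000.0008.00",
                "86.0001.0000.0000.0005.01", "86.0000.0005.00"):
        print(net, "->", parse_net(net) if is_valid_net(net) else "invalid")
```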
Perform the following configuration in VLAN interface view.
Table 58 Setting the IS-IS Link State Routing Cost
Set the routing cost of the interface: isis cost value [ level-1 | level-2 ]
Restore the default routing cost of the interface: undo isis cost [ level-1 | level-2 ]
If no level is specified, the Level-1 routing cost is set. The value parameter is configured according to the link state of the interface.
If no level is specified, the CSNP packet broadcast interval is set for Level-1. By default, an interface transmits a CSNP packet every 10 seconds.
Setting the LSP Packet Interval
An LSP carries the link state records that are propagated throughout the area.
Perform the following configuration in VLAN interface view.
Table 61 Setting the LSP Packet Interval
Set the LSP packet interval on the interface, measured in milliseconds.
By default, the Hello failure interval is 30 seconds. If no level is specified, the Hello packet failure interval is set for Level-1.
Setting the Priority for DIS Election
In a broadcast network, IS-IS needs to elect a DIS from all the routers. Both a Level-1 and a Level-2 DIS are elected, based on priority: an IS (router) with a higher priority is selected as DIS over one with a lower priority.
Setting Interface Authentication
The authentication password set on the interface is mainly used in Hello packets to confirm the validity and correctness of its peers. The authentication passwords at the same level on all connected interfaces of a network must be identical.
Perform the following configurations in VLAN interface view.
Setting IS-IS to Use the MD5 Algorithm That Is Compatible With Other Vendors’ Devices
You must configure this command when the switch needs to authenticate the devices of other vendors using the MD5 algorithm in IS-IS.
Perform the following configurations in IS-IS view.
Setting Default Route Generation
In an IS-IS routing domain, a Level-1 router only has the LSDB for the local area, so it can only generate routes for the local area. A Level-2 router has the backbone LSDB for the IS-IS routing domain and generates backbone routes only. If a Level-1 router wants to forward packets to other areas, it must first forward them to the closest Level-1-2 router in the local area according to its default route.
Perform the following configurations in IS-IS view.
Table 73 Setting the Overload Flag Bit
Set the overload flag bit: set-overload
Remove the overload flag bit: undo set-overload
By default, the overload bit is not set.
Setting to Ignore LSP Checksum Errors
After receiving an LSP packet, the local IS-IS calculates its checksum and compares the result with the checksum carried in the LSP packet.
By default, an LSP is refreshed every 900 seconds (15 minutes).
Setting the Lifetime of LSP
When a router generates an LSP, it sets the maximum lifetime of the LSP. When other routers receive this LSP, they decrease its lifetime continuously as time passes. If an updated LSP has not been received before the old one times out, the LSP is deleted from the LSDB.
Perform the following configurations in IS-IS view.
Perform the following configurations in IS-IS view.
Table 79 Setting SPF to Release CPU Resources
Set the number of routes to process before releasing the CPU: spf-delay-interval number
Restore the default configuration: undo spf-delay-interval
By default, the CPU is released after the IS-IS SPF has processed 5000 routes.
Setting the SPF Computing Interval
When the IS-IS LSDB changes, the router recomputes the shortest paths.
Configuring IS-IS to Import Routes of Other Protocols
For IS-IS, routes discovered by other routing protocols are processed as routes from outside the routing domain. When importing the routes of other protocols, you can specify their default cost. You can also specify whether to import the routes into Level-1, Level-2 or Level-1-2.
Perform the following configurations in IS-IS view.
The protocol argument specifies the routing protocol source for distributing routes, which can be direct, static, rip, bgp, ospf, or ospf-ase. For more information, see “Configuring for Filtering Received Routes” and “Configuring for Filtering Distributed Routes”.
Execute the display command in any view to display the IS-IS configuration and verify the effect of the configuration. Execute the debugging command in user view to debug the IS-IS module.
Figure 11 IS-IS Configuration Example
1 Configure Switch A
[Switch A]isis
[Switch A-isis]network-entity 86.0001.0000.0000.0005.00
[Switch A]interface vlan-interface 100
[Switch A-Vlan-interface100]isis enable
[Switch A]interface vlan-interface 101
[Switch A-Vlan-interface101]isis enable
[Switch A]interface vlan-interface 102
[Switch A-Vlan-interface102]isis enable
2 Configure Switch B
[Switch B]isis
[Switch B-isis]network-entity 86.0001.0000.0000.0006.
[Switch C-Vlan-interface101]isis enable
[Switch C]interface vlan-interface 100
[Switch C-Vlan-interface100]isis enable
4 Configure Switch D
[Switch D]isis
[Switch D-isis]network-entity 86.0001.0000.0000.0008.00
[Switch D]interface vlan-interface 102
[Switch D-Vlan-interface102]isis enable
[Switch D]interface vlan-interface 100
[Switch D-Vlan-interface100]isis enable
BGP
Border Gateway Protocol (BGP) is an inter-autonomous system (inter-AS) dynamic route discovery protocol.
BGP runs on a router in either of the following modes:
■ Internal BGP (IBGP)
■ External BGP (EBGP)
BGP is called IBGP when it runs within an AS and EBGP when it runs between different ASs.
Route Advertisement Policy
In the Switch 8800, BGP uses the following policies when it advertises routes:
■ If multiple routes are available, a BGP speaker only selects the optimal one.
■ A BGP speaker only advertises the route it uses itself to its peers.
■ A BGP speaker advertises routes obtained from EBGP to all its BGP peers (both EBGP and IBGP peers).
■ A BGP speaker does not advertise routes obtained from IBGP to its other IBGP peers.
■ Configuring Application Features of BGP Peer (Group)
■ Configuring the Route Filtering of a Peer (Group)
■ Configuring Networks for BGP Distribution
■ Configuring Interaction Between BGP and IGP
■ Configuring BGP Route Summarization
■ Configuring BGP Route Filtering
■ Configuring BGP Route Dampening
■ Configuring BGP Preferences
■ Configuring the BGP Timer
■ Configuring Local Preferences
■ Configuring MED for AS
■ Comparing the MED Rout
Perform the following configurations in BGP view.
Table 90 Entering Extended Address Family View
Enter multicast sub-address family view: ipv4-family multicast
Delete the multicast sub-address family configuration: undo ipv4-family multicast
Use the undo command to delete the application configuration. See “Multicast Protocol” on page 63 for MBGP configuration commands.
A BGP peer must belong to a peer group. To configure a BGP peer, first create a peer group and then add the peer to the group.
Table 93 Creating a Peer Group and Adding a Member
Add a peer to the peer group: peer peer-address group group-name [ as-number as-number ]
Delete a peer: undo peer peer-address
If a peer is added to an IBGP peer group, the AS number cannot be specified in the command.
this command is higher than that of the timer command, which configures timers for all BGP peers.
For detailed information on the route reflector, see “Configuring a BGP Route Reflector” on page 140.
Configuring Transmission of a Default Route to a Peer Group
Configuring the Transmission of Community Attributes to a Peer Group
Table 103 Configuring the Transmission of Community Attributes to a Peer Group
Send community attributes to a peer group: peer group-name advertise-community
Do not send community attributes to a peer group: undo peer group-name advertise-community
Configuring the Repeating Time of a Local AS
Using the peer allow-as-loop command, the number of times the local AS may be repeated can be configured
By default, BGP performs no authentication when setting up its TCP connections, so without a peer password nothing beyond the configured peer address and AS number protects a session. The multicast extension configured in BGP view is also available in MBGP, because they use the same TCP connection.
Configuring the Route Filtering of a Peer (Group)
The Switch 8800 supports filtering the routes imported from and advertised to peers (groups) through route-policy, AS path list, ACL, and ip-prefix list.
Table 109 Configuring Route Filtering Policy Based on an AS Path List for a Peer (Group)
Remove the ingress route filtering policy based on an AS path list of a peer (group): undo peer { peer-address | group-name } as-path-acl acl-number import
Configure the egress route filtering policy based on an AS path list for a peer group: peer group-name as-path-acl acl-number export
Remove the egress route filtering policy based on an AS path list for a peer group: undo peer group-name as-path-acl acl-numbe
Perform the following configurations in BGP view.
Table 112 Importing IGP Routing Information
Configure BGP to import routes of an IGP protocol: import-route protocol [ process-id ] [ med med ] [ route-policy route-policy-name ]
Configure BGP not to import routes of an IGP protocol: undo import-route protocol
By default, BGP does not import the routes of other protocols.
Perform the following configurations in BGP view. The routes received by BGP can be filtered, so that only routes meeting certain conditions are accepted.
Table 116 Configuring BGP Route Dampening
Clear route dampening information and release the suppression of the route: reset dampening [ network-address [ mask ] ]
Cancel BGP route dampening: undo dampening
By default, route dampening is disabled. The parameters of the command depend on one another: if one parameter is configured, all the others must be specified as well.
Configuring Local Preferences
Different local preferences can be configured to influence BGP route selection. When a router running BGP learns routes to the same destination with different next hops from different internal peers, it selects the route with the highest local preference.
Perform the following configurations in BGP view.
By default, MED comparison is not allowed among routes from neighbors in different ASs. Do not use this configuration unless you are sure the ASs adopt the same IGP routing method.
Configuring BGP Community
Community attributes are optional and transitive. Some are globally recognized (standard community attributes), whereas others serve special purposes (extended community attributes).
In the following figure, Router A receives an update from its external peer and transmits it to Router C. Router C is a route reflector with two peer clients, Router A and Router B. Router C reflects the update from client Router A to client Router B. In this configuration, the peer session between Router A and Router B is eliminated, because the route reflector transfers the BGP information to Router B.
Two Measures to Avoid Looping Inside an AS
When route reflectors are introduced, path loops may be generated inside the AS: path update packets that have already left the cluster may attempt to return to it. The conventional AS path method cannot detect loops inside the AS, because the update has not left the AS.
Table 126 Configuring a Sub-AS Belonging to the Confederation
Remove the specified sub-AS from the confederation: undo confederation peer-as [ as-number-1 ] [ ...as-number-n ]
By default, no autonomous systems are configured as members of the confederation.
Defining Match Principles: see “Defining If-match Clauses for a Route Policy” on page 154.
Defining Evaluation Rules: see “Defining Apply Clauses for a Route Policy” on page 155.
Clearing the BGP Connection
After you change a BGP policy or protocol configuration, you must reset the current BGP connection for the new configuration to take effect.
Perform the following configuration in user view.
Table 131 Displaying and Debugging BGP
Display BGP dampened paths: display bgp routing-table dampened
Display the routing information the specified BGP peer advertised or received: display bgp routing-table peer peer-address { advertised | received } [ network-address [ mask ] | statistic ]
Display the routes matching the specified AS path list: display bgp routing-table as-path-acl acl-number
Display route flapping statistics: display bgp routing-table flap-in
Figure 13 AS Confederation Configuration (sub-ASs AS1001, AS1002 and AS1003 within AS100; Switch A 172.68.10.1, Switch B 172.68.10.2, and 172.68.10.3 on a shared Ethernet; Switch C 172.68.1.1, 172.68.1.2 and 156.10.1.1; Switch D 156.10.1.
receives a route update from Switch B, it transmits that information to Switch D. You do not need to establish an IBGP connection between Switch B and Switch D, because Switch C reflects the information to Switch D.
Figure 14 BGP Route Reflector Configuration (Switch A in AS100, VLAN 100 1.1.1.1/8 for network 1.0.0.0, VLAN 2 192.1.1.1/24, EBGP to Switch B; Switch B in AS200, VLAN 2 192.1.1.2/24, VLAN 3 193.1.1.2/24, IBGP to Switch C; Switch C, route reflector, VLAN 3 193.1.1.1/24, VLAN 4 194.1.1.1/24, IBGP to Switch D on VLAN 4 194.1.1.
[Switch C]bgp 200
[Switch C-bgp]group rr internal
[Switch C-bgp]peer rr reflect-client
[Switch C-bgp]peer 193.1.1.2 group rr
[Switch C-bgp]peer 194.1.1.2 group rr
4 Configure Switch D:
a Configure VLAN 4:
[Switch D]interface vlan-interface 4
[Switch D-Vlan-interface4]ip address 194.1.1.2 255.255.255.0
b Configure BGP peers:
[Switch D]bgp 200
[Switch D-bgp]group in internal
[Switch D-bgp]peer 194.1.1.
b Specify the network that BGP advertises:
[Switch A-bgp]network 1.0.0.0
c Configure the peers:
[Switch A-bgp]group ex192 external
[Switch A-bgp]peer 192.1.1.2 group ex192 as-number 200
[Switch A-bgp]group ex193 external
[Switch A-bgp]peer 193.1.1.2 group ex193 as-number 200
[Switch A-bgp]quit
d Configure the MED attribute of Switch A
■ Add an ACL on Switch A that permits network 1.0.0.0:
[Switch A]acl number 2000
[Switch A-acl-basic-2000]rule permit source 1.0.0.0 0.255.255.
[Switch C-ospf-1]area 0
[Switch C-ospf-1-area-0.0.0.0]network 193.1.1.0 0.0.0.255
[Switch C-ospf-1-area-0.0.0.0]network 195.1.1.0 0.0.0.255
[Switch C]bgp 200
[Switch C-bgp]group ex external
[Switch C-bgp]peer 193.1.1.1 group ex as-number 100
[Switch C-bgp]group in internal
[Switch C-bgp]peer 195.1.1.
Troubleshooting BGP
The neighbor relationship cannot be established (the Established state is never reached). Establishing a BGP neighbor relationship requires that the routers can set up a TCP connection on port 179 and exchange Open messages correctly. Do the following:
■ Check whether the configured AS number of the neighbor is correct.
■ Check whether the neighbor's IP address is correct.
■ Routing Information Filters
■ Troubleshooting Routing Policies
■ Limiting Route Capacity
■ Configuring Route Capacity
The Switch 8800 supports four kinds of filters: route-policy, acl, ip-prefix, and community-list.
An ip-prefix is identified by its ip-prefix name. Each ip-prefix can include multiple list items; each list item specifies a match range of network prefixes and is identified by an index-number. The index-number designates the position of the item in the matching sequence of the ip-prefix. During matching, the router checks the list items in ascending order of index-number.
route does not take the test of the next node. If a route does not satisfy all the if-match clauses of the node, however, it goes on to the test of the next node. The router tests the route against the nodes of the route policy in sequence; once a node is matched, the route policy filtering is finished. By default, no route policy is defined. If multiple nodes are defined in a route policy, at least one of them should be in permit mode.
By default, no matching is performed. The if-match clauses of a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all routes pass the filtering on that node.
If the routing information matches the conditions specified in the route policy and apply cost-type internal is configured, then when the IGP route is advertised to EBGP peers, the value so configured is used as the MED value of the IGP route.
the items are in deny mode, no route will pass the ip-prefix filtering. You can define an item permit 0.0.0.0/0 greater-equal 0 less-equal 32 after the multiple list items in deny mode to let all other routes pass.

Configuring for Filtering Received Routes

Perform the following configuration in routing protocol view.
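The following Python, added here as an illustration and not taken from the 3Com guide, models the ip-prefix matching described earlier (items checked in ascending index-number order, each with greater-equal/less-equal bounds on the mask length) together with the route-policy node evaluation above, including the effect of the catch-all permit 0.0.0.0/0 greater-equal 0 less-equal 32 item after deny-only items. The list items, node numbers, routes and the cost value applied are constructed sample data, and every item here carries explicit greater-equal/less-equal bounds.

```python
import ipaddress

# Constructed model of the ip-prefix list and route policy described on this
# page; it is an illustration, not the switch's implementation.


def ip_prefix_permits(items, route):
    """Evaluate a route against an ip-prefix list.

    items: (index, mode, prefix, greater_equal, less_equal), where mode is
    "permit" or "deny". Items are checked in ascending index order; the first
    item whose prefix covers the route and whose [greater-equal, less-equal]
    range contains the route's mask length decides. If nothing matches, the
    route does not pass (so a deny-only list passes no route at all).
    """
    net = ipaddress.ip_network(route, strict=False)
    for _index, mode, prefix, ge, le in sorted(items, key=lambda i: i[0]):
        item_net = ipaddress.ip_network(prefix, strict=False)
        if net.subnet_of(item_net) and ge <= net.prefixlen <= le:
            return mode == "permit"
    return False


def route_policy(nodes, route):
    """Pass a route through a route policy.

    nodes: (node_number, mode, if_match_clauses, apply_clauses). Nodes are
    tested in ascending order. The first node whose if-match clauses all hold
    is the match: a permit node passes the route and its apply clauses take
    effect, a deny node drops it. A node without if-match clauses matches all
    routes. Returns (passed, attributes_applied).
    """
    for _number, mode, if_match, apply in sorted(nodes, key=lambda n: n[0]):
        if all(clause(route) for clause in if_match):
            return (True, dict(apply)) if mode == "permit" else (False, {})
    return (False, {})   # no node matched: the route does not pass


# Constructed ip-prefix list: two deny items, then (as the page suggests) a
# final permit 0.0.0.0/0 greater-equal 0 less-equal 32 catch-all item.
DENY_ONLY = [
    (10, "deny", "30.0.0.0/8", 8, 8),      # exactly 30.0.0.0/8
    (20, "deny", "10.0.0.0/8", 8, 32),     # 10.0.0.0/8 and anything inside it
]
WITH_CATCH_ALL = DENY_ONLY + [(30, "permit", "0.0.0.0/0", 0, 32)]

# Constructed route policy: node 10 permits routes the list permits and applies
# a cost; node 20 denies 10.x routes; node 30 (no if-match) permits the rest.
POLICY = [
    (10, "permit", [lambda r: ip_prefix_permits(WITH_CATCH_ALL, r["prefix"])],
     {"cost": 100}),
    (20, "deny", [lambda r: r["prefix"].startswith("10.")], {}),
    (30, "permit", [], {}),
]

if __name__ == "__main__":
    for prefix in ("30.0.0.0/8", "10.1.0.0/16", "192.168.1.0/24"):
        print(prefix,
              "deny-only list:", ip_prefix_permits(DENY_ONLY, prefix),
              "with catch-all:", ip_prefix_permits(WITH_CATCH_ALL, prefix),
              "policy:", route_policy(POLICY, {"prefix": prefix}))
```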
If routing-process is BGP, you should also specify the process number or AS number. By default, received and distributed routes are not filtered.

Displaying and Debugging the Routing Policy

Execute the display command in any view to display the operation of the routing policy configuration and to verify the effect of the configuration.
4 Import the static routes:
[Switch A-ospf]import-route static
Configure Switch B:
1 Configure the IP address of the VLAN interface:
[Switch B]interface vlan-interface 100
[Switch B-Vlan-interface100]ip address 10.0.0.2 255.0.0.0
2 Configure the access control list:
[Switch B]acl number 2000
[Switch B-acl-basic-2000]rule deny source 30.0.0.0 0.255.255.
The default value normally meets network requirements. Be careful when modifying this configuration, to avoid reducing the stability of the network.

Limiting Route Capacity

The size of the routing table is determined by BGP and OSPF routes. Therefore, the route capacity limitation of the Switch 8800 is only effective for these two types of routes and has no impact on static routes or other dynamic routing protocols.
Perform the following configurations in system view.

Table 141 Enabling and Preventing Automatic Recovery of Disconnected Routing Protocols
Operation                                                      Command
Enable automatic recovery of disconnected routing protocols    memory auto-establish enable
Prevent automatic recovery of disconnected routing protocols   memory auto-establish disable

By default, the memory automatic restoration function of the switch is enabled.
6 MULTICAST PROTOCOL

This chapter includes information on the following:
■ IP Multicast Overview
■ Configuring Common Multicast
■ Configuring IGMP
■ IGMP Snooping
■ Configuring PIM-DM
■ Configuring PIM-SM
■ GMRP

IP Multicast Overview

Many transmission methods can be used when the destination (including data, voice and video) is the secondary use of the network. If the multicast method is used, you should establish an independent data transmission path for each user.
Figure 1 Comparison Between the Unicast and Multicast Transmission (figure omitted; it shows a server reaching several receivers, with one stream per receiver for unicast and one stream for the group for multicast)

A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. A router that does not support multicast may exist on the network.
A multicast group can be either permanent or temporary. Some of the addresses in the multicast range are reserved by the IANA and are known as permanent multicast groups. The IP address of a permanent group is unchanged, but the members in the group can change. The number of members in a permanent multicast group can be any value, even 0. IP multicast addresses that are not reserved for permanent multicast groups can be used by temporary groups.
transmitted, the destination is no longer a specific receiver but a group with unspecified members. Therefore, a multicast MAC address must be used. Multicast MAC addresses correspond to multicast IP addresses. IANA (Internet Assigned Numbers Authority) stipulates that the high 24 bits of the multicast MAC address are 0x01005e and the low 23 bits of the MAC address are the low 23 bits of the multicast IP address.
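The mapping just described, worked through in Python as an added example (not code from the 3Com guide): it builds the MAC address in the xxxx-xxxx-xxxx notation this guide uses and also enumerates the 32 group addresses that collapse onto one MAC, which is why a layer 2 device cannot tell those groups apart by MAC address alone. The group addresses used are constructed sample values.

```python
import ipaddress

# Added illustration of the IANA multicast IP-to-MAC rule described above;
# constructed code, not part of the 3Com guide.

MAC_PREFIX = 0x01005E          # high 24 bits fixed by IANA
LOW_BITS_MASK = 0x7FFFFF       # the low 23 bits of the IP address are copied


def multicast_mac(group):
    """Return the MAC address (xxxx-xxxx-xxxx form, as the guide writes MACs)
    for an IPv4 multicast group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = (MAC_PREFIX << 24) | (int(ip) & LOW_BITS_MASK)
    hexstr = f"{mac:012x}"
    return f"{hexstr[0:4]}-{hexstr[4:8]}-{hexstr[8:12]}"


def groups_sharing_mac(group):
    """List every IPv4 multicast group that maps to the same MAC as `group`.

    The multicast range 224.0.0.0/4 has 28 variable bits but only 23 are
    carried into the MAC, so the 5 bits just below the fixed 1110 prefix are
    lost and 2**5 = 32 group addresses share one MAC address.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW_BITS_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (bits << 23) | low))
            for bits in range(32)]


if __name__ == "__main__":
    # Constructed sample groups; the first three all yield the same MAC.
    for g in ("224.1.1.1", "225.1.1.1", "224.129.1.1", "239.255.255.255"):
        print(g, "->", multicast_mac(g))
    print(len(groups_sharing_mac("224.1.1.1")), "groups share",
          multicast_mac("224.1.1.1"))
```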
possible for multicast. A multicast application sends packets to a group of receivers (identified by a multicast address) who are ready to receive the data, rather than to only one receiver (as with a unicast address). Multicast routing creates a loop-free data transmission path from one data source to multiple receivers. The task of the multicast routing protocol is to create a distribution tree.
table provided independently for multicast (such as the MBGP multicast routing table). This check mechanism, known as the RPF (Reverse Path Forwarding) check, is the basis of most multicast routing protocols. A multicast router uses the source address of the multicast packet to query the unicast routing table, or the independent multicast routing table, to determine the incoming interface at which the packet arrives.
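The RPF check described above, as an added Python illustration that is not code from the 3Com guide: a longest-prefix lookup on the source address gives the interface the router would use to reach the source, and the packet passes only if it arrived on that interface, which is how duplicates and looped copies get dropped. The routing table, interface names and packets are constructed sample data.

```python
import ipaddress

# Added illustration of the RPF check described above; constructed code and
# data, not the switch's implementation.

# Constructed unicast routing table: (destination prefix, outgoing interface).
UNICAST_TABLE = [
    ("10.1.0.0/16", "Vlan-interface10"),
    ("10.0.0.0/8", "Vlan-interface11"),
    ("0.0.0.0/0", "Vlan-interface12"),
]


def route_lookup(table, address):
    """Longest-prefix match: the interface the unicast table uses to reach
    `address`, or None if no route covers it."""
    addr = ipaddress.IPv4Address(address)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpf_check(table, source, arrival_iface):
    """RPF check: the packet passes only if it arrived on the interface the
    router would itself use to send unicast traffic back to the source.
    A packet that arrives anywhere else is a duplicate or a loop and is
    dropped; a source with no route at all also fails."""
    expected = route_lookup(table, source)
    return expected is not None and expected == arrival_iface


if __name__ == "__main__":
    # Constructed multicast packets: (source address, arrival interface).
    for src, iface in (("10.1.2.3", "Vlan-interface10"),
                       ("10.1.2.3", "Vlan-interface11"),
                       ("10.2.0.1", "Vlan-interface11")):
        verdict = "pass" if rpf_check(UNICAST_TABLE, src, iface) else "fail"
        print(f"source {src} on {iface}: RPF {verdict}")
```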
Table 3 Enabling Multicast
Operation            Command
Disable multicast    undo multicast routing-enable

By default, multicast routing is disabled. Only when multicast is enabled can other multicast configuration be used.
Displaying and Debugging Common Multicast Configuration

After the previous configurations, execute the display command to view the multicast configuration and to verify it. Execute the debugging command in user view to debug multicast.
IGMP Version 2 offers the following improvements over IGMP Version 1:
■ Election mechanism for multicast routers on a shared network segment. A shared network segment means that there are multiple multicast routers on one network segment. In this case, all routers running IGMP on the segment can receive the membership reports from hosts, so only one router needs to send membership query messages.
■ Configuring the IGMP Querier Present Timer
■ Configuring the Maximum Query Response Time
■ Deleting IGMP Groups Joined on an Interface
■ Displaying and Debugging IGMP

Enabling Multicast

After multicast is enabled, IGMP runs automatically on all interfaces. For details, see “Configuring Common Multicast” on page 172.

Enabling IGMP on an Interface

You must enable multicast before you can execute the igmp enable command.
If other hosts that are interested in the specified group receive the IGMP query message from the IGMP query router, they send back an IGMP Membership Report message within the specified maximum response time. If the IGMP query router receives the IGMP Membership Report message within the defined period (equal to robust-value seconds), it continues to maintain the membership of this group.
Table 11 Configure the Times of Sending IGMP Group-Specific Query Packets
Operation                                                                       Command
Restore the times of sending IGMP Group-Specific Query packets to the default   undo igmp robust-count

By default, the robust-value is 2. This command is only available on an IGMP query router running IGMP v2. For a host running IGMP v1, this command cannot take effect, because such a host may not send an IGMP Leave message when it leaves a group.
Perform the following configuration in VLAN-interface view.

Table 14 Limit the Access to IP Multicast Groups
Operation                                                             Command
Limit the range of allowed multicast groups on the current interface  igmp group-policy acl-number [ 1 | 2 ]
Remove the filter set on the interface                                undo igmp group-policy

By default, no filters are configured; all multicast groups are allowed on the interface.
Setting the maximum response time allows hosts to respond to query messages quickly, so that the router can keep track of the current membership status of the multicast group. Perform the following configuration in VLAN interface view.
IGMP Snooping

IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running at layer 2, used for multicast group management and control. IGMP Snooping runs on the link layer. When it receives IGMP messages, the layer 2 Switch 8800 uses IGMP Snooping to analyze the information. If the switch hears an IGMP host report message from an IGMP host, it adds the host to the corresponding multicast table.
Figure 4 Multicast Packet Transmission With IGMP Snooping (figure omitted; the video stream from a VOD server passes through the Internet/Intranet and a multicast router to a layer 2 Ethernet switch, which delivers it to multicast group members but not to non-members)

Implement IGMP Snooping

This section introduces switch concepts related to IGMP Snooping:
■ Router Port: The port directly connected to the multicast router.
Figure 5 Implementing IGMP Snooping (figure omitted; IGMP packets are exchanged between a router running IGMP on the Internet side and an Ethernet switch running IGMP snooping)

1 IGMP general query message: Transmitted by the multicast router to query which multicast groups contain members. When a router port receives an IGMP general query message, the Switch 8800 resets the aging timer of the port.
not have any member, the switch notifies the multicast router to remove it from the multicast tree.
By default, the port aging time is 260 seconds.

Configuring Maximum Response Time

This task sets the maximum response time. If the Switch 8800 receives no report message from a port within the maximum response time, it removes the port from the multicast group. Perform the following configuration in system view.
IGMP Snooping Configuration Example

To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router through the router port, and to user PCs through the non-router ports.

Figure 6 IGMP Snooping Configuration Network (figure omitted; a router running IGMP on the Internet side exchanges IGMP packets with an Ethernet switch running IGMP snooping)

1 Display the status of GMRP.
If they are not consistent, contact the maintenance personnel for help.

Configuring PIM-DM

PIM-DM (Protocol Independent Multicast, Dense Mode) belongs to the dense mode multicast routing protocols. PIM-DM is suitable for small networks, in which members of multicast groups are relatively dense. The working procedures of PIM-DM include neighbor discovery, flood and prune, and graft.
Figure 7 Assert Mechanism Diagram (figure omitted; labels: multicast packets forwarded by the upstream node, Router A, Router B, Router C, Receiver)

When routers detect such a case, they select a unique sender by using the assert mechanism. Routers send Assert packets to select the best path. If two or more have the same priority and metric, the path with the higher IP address becomes the upstream neighbor of the (S, G) entry and is responsible for forwarding the (S, G) multicast packets.
Enabling PIM-DM

PIM-DM needs to be enabled on all interfaces. After PIM-DM is enabled on an interface, it sends PIM Hello messages periodically and processes protocol packets sent by PIM neighbors. Perform the following configuration in VLAN interface view.

Table 25 Enable PIM-DM
Operation                          Command
Enable PIM-DM on an interface      pim dm
Disable PIM-DM on an interface     undo pim dm

3Com recommends that you configure PIM-DM on all interfaces.
Configuring the Filtering of Multicast Source/Group

With this command you can filter on the source (and group) address of multicast data packets. When this feature is configured, the router filters not only multicast data but also the multicast data encapsulated in registration packets. Perform the following configuration in PIM view.
If the existing PIM neighbors exceed the configured value during configuration, they are not deleted.

Clearing PIM Neighbors

Perform the following configuration in user view.
Figure 8 PIM-DM Configuration Networking (figure omitted; labels: VLAN10, VLAN11, VLAN12, Switch A, Switch B, Switch C, Multicast source, Receiver 1, Receiver 2)

Configuration procedure

This section only provides the configuration for Switch A, because the configuration procedures for Switch B and Switch C are similar.
1 Enable the multicast routing protocol:
[SW8800]multicast routing-enable
2 Enable PIM-DM.
information of the router to build the RP-rooted shared tree (RPT). This reduces the bandwidth occupied by data packets and control packets, and reduces the processing overhead of the router. Multicast data flows along the shared tree to the network segments. When data traffic is sufficient, the multicast data flow switches over to the SPT (Shortest Path Tree) rooted at the source, which reduces network delay.
Figure 9 RPT Schematic Diagram (figure omitted; labels: RP, Multicast source S, RPT, Receiver, join, Multicast source registration)

Multicast Source Registration

When multicast source S sends a multicast packet to group G, the PIM-SM multicast router encapsulates the packet into a registration packet upon receipt and sends it to the corresponding RP in unicast.
calculate the RPs corresponding to multicast groups according to the same algorithm after receiving the C-RP messages that the BSR advertises. One RP can serve multiple multicast groups or all multicast groups. Each multicast group corresponds to only one RP at a time, never to multiple RPs.

Configure BSRs

The BSR is the management core in a PIM-SM network.
■ Displaying and Debugging PIM-SM

At least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs.

Enabling Multicast

Refer to “Configuring Common Multicast” on page 172.

Enabling IGMP on an Interface

Refer to “Configuring IGMP” on page 174.

Enabling PIM-SM

This configuration takes effect only after multicast is enabled. Perform the following configuration in VLAN interface view.
Perform the following configuration in system view.

Table 35 Entering PIM View
Operation               Command
Enter PIM view          pim
Back to system view     undo pim

Using the undo pim command, you clear the configuration in PIM view and return to system view.

Configuring Candidate-BSRs

In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among the candidate BSRs. The BSR takes charge of collecting and advertising RP information.
Perform the following configuration in PIM view.

Table 37 Configuring Candidate-RPs
Operation: Configure a candidate-RP
Command: c-rp interface-type interface-number [ group-policy acl-number ]
Operation: Remove the configured candidate-RP
Command: undo c-rp interface-type interface-number

If the range of served multicast groups is not specified, the RP serves all multicast groups. Otherwise, the RP serves the multicast groups in the specified range.
Configuring the Filtering of Multicast Source/Group
See “Configuring PIM-DM” on page 187.

Configuring the Filtering of PIM Neighbor
See “Configuring PIM-DM” on page 187.

Configuring the Maximum Number of PIM Neighbors on an Interface
See “Configuring PIM-DM” on page 187.

Configuring RP to Filter the Register Messages Sent by DR

In a PIM-SM network, the register message filtering mechanism can control which sources may send messages to which groups on the RP, i.e.
Perform the following configuration in PIM view.

Table 41 Limiting the Range of Legal BSR
Operation                        Command
Limit the legal BSR range        bsr-policy acl-number
Restore to the default setting   undo bsr-policy

For detailed information on the bsr-policy command, see the Switch 8800 Command Reference Guide.
This command clears multicast route entries from the PIM routing table, as well as the corresponding route entries and forwarding entries in the multicast core routing table and the MFC.

Clearing PIM Neighbors

Perform the following configuration in user view.
Configure Switch A
1 Enable PIM-SM.
[SW8800]pim
[SW8800-pim]c-rp vlan-interface 10 group-policy 2005
4 Configure the PIM domain border:
[SW8800]interface vlan-interface 12
[SW8800-vlan-interface12]pim bsr-boundary
After VLAN-interface 12 is configured as a BSR boundary, LS_D is excluded from the local PIM domain and can no longer receive the BSR information transmitted from LS_B.
Configure Switch C:
1 Enable PIM-SM.
The multicast information transmitted by GMRP includes the local static multicast registration information configured manually and the multicast registration information dynamically registered by other switches.
Example: Configuring GMRP

Implement dynamic registration and update of multicast information between switches.

Figure 11 GMRP Networking (figure omitted; Switch A and Switch B are connected through port E0/1 on each switch)

Configure LS_A:
1 Enable GMRP globally:
[SW8800]gmrp
2 Enable GMRP on the port:
[SW8800]interface GigabitEthernet1/1/1
[SW8800-GigabitEthernet1/1/1]gmrp
Configure LS_B:
1 Enable GMRP globally:
[SW8800]gmrp
2 Enable GMRP on the port.
7 QOS/ACL OPERATION

This chapter covers the following topics:
■ ACL Overview
■ Configuring ACLs
■ Displaying and Debugging ACL Configurations
■ ACL Configuration Example
■ QoS Configuration
■ Configuration Examples
■ Configuring Logon User ACL Control

ACL Overview

The Access Control List (ACL) classifies data packets with a series of matching rules, including source address, destination address and port number.
while 129.102.1.1 0.0.255.255 specifies the network segment 129.102.0.1 through 129.102.255.255. The host is listed first in the access control list. The specific standard is:
■ For basic ACL statements, source address wildcards are compared directly. If the wildcards are the same, the configuration sequence is used.
■ For ACLs based on the interface filter, the rule that is configured is listed at the end, while the others follow the configuration sequence.
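As an added illustration that is not code from the 3Com guide, the Python below implements the wildcard comparison of a basic ACL (a wildcard bit of 1 means "don't care", so 129.102.1.1 0.0.255.255 covers all of 129.102.x.x) and the ordering rule stated above as I read it: the rule with the numerically smaller, more specific wildcard is tested first, and equal wildcards keep configuration order. The rules, addresses and the default action when nothing matches are constructed sample data.

```python
import ipaddress

# Added illustration of basic ACL wildcard matching and rule ordering as
# described on this page; constructed code, not the switch's implementation.


def _to_int(dotted):
    """Accept dotted notation or the bare 0 shorthand the guide uses for a
    0.0.0.0 wildcard (as in: rule 2 permit source 10.110.100.46 0)."""
    return int(dotted) if "." not in dotted else int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, rule_address, wildcard):
    """A wildcard bit of 1 means "don't care"; every other bit of the address
    must equal the rule address. 129.102.1.1 0.0.255.255 therefore covers all
    of 129.102.x.x, while 129.102.1.1 0.0.0.0 covers that single host."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(rule_address) & care)


def ordered_rules(rules):
    """Order basic ACL rules for matching: smaller (more specific) source
    wildcard first, so a host rule precedes a network rule; rules with equal
    wildcards keep their configuration sequence. Returns (position, rule)."""
    return sorted(enumerate(rules),
                  key=lambda item: (_to_int(item[1][2]), item[0]))


def basic_acl_action(rules, source, default="deny"):
    """rules: (action, source_address, wildcard) in configuration order.
    Returns the action of the first matching rule in the ordered list, or
    `default` (a constructed choice here) when no rule matches."""
    for _pos, (action, rule_addr, wildcard) in ordered_rules(rules):
        if wildcard_match(source, rule_addr, wildcard):
            return action
    return default


# Constructed ACL: the network rule was configured before the host rule, but
# after ordering the host rule (wildcard 0.0.0.0) is tested first.
SAMPLE_ACL = [
    ("permit", "129.102.1.1", "0.0.255.255"),
    ("deny", "129.102.1.1", "0.0.0.0"),
]

# Constructed login ACL in the style of the page's vty example: two hosts.
VTY_ACL = [
    ("permit", "10.110.100.52", "0"),
    ("permit", "10.110.100.46", "0"),
]

if __name__ == "__main__":
    for src in ("129.102.1.1", "129.102.7.7", "10.0.0.1"):
        print(src, "->", basic_acl_action(SAMPLE_ACL, src))
    for src in ("10.110.100.46", "10.110.100.47"):
        print("vty", src, "->", basic_acl_action(VTY_ACL, src))
```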
Configuring ACLs

■ Defining ACLs
■ Activating ACLs

3Com recommends that you perform the configuration tasks in the order in which they appear in this section.

Configuring Time Range

Configuring a time-range includes configuring the hour-minute range, the date range, and the period range. The hour-minute range is expressed in hours and minutes (hh:mm). The date range is expressed in month, day, and year (MM-DD-YYYY).
Note that the sum of all elements should be less than 16 bytes in length. The following table lists the lengths of the elements involved.
Defining ACLs

The switch supports several types of ACLs, which are described in this section. Follow these steps to define an ACL:
1 Enter the corresponding ACL view.
2 Define ACL rules.
Note that:
■ If the time-range keyword is not selected, the ACL is effective at any time after being activated.
■ You can define multiple rules for the ACL by using the rule command several times.
Table 7 Defining advanced ACL
Operation: Define an ACL rule (advanced ACL view)
Command: rule [ rule-id ] { permit | deny } protocol [ source { source-addr wildcard | any } ] [ destination { dest-addr wildcard | any } ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type type code ] [ established ] [ [ precedence precedence | tos tos ]* | dscp dscp ] [ fragment ] [ time-range name ] [ vpn-instance instance-name ]
Operation: Delete an A
Table 9 Activating ACL
Operation: Activate IP group ACL and link group ACL at the same time
Command: packet-filter inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule [ system-index index ] ] | link-group { acl-number | acl-name } rule rule }
Operation: Deactivate IP group ACL and link group ACL at the same time
Command: undo packet-filter inbound ip-group { acl-number | acl-name } { ru

Displaying and Debugging ACL Configurations
Figure 1 Networking for advanced ACL configuration (figure omitted; labels: President's office 129.111.1.2, Wage server 129.110.1.2, Switch ports #1 to #4, Administrative Dept, Financial Dept, To router)

Only the commands concerning ACL configuration are listed here.
1 Define the time range from 8:00 to 18:00:
[SW8800]time-range 3com 8:00 to 18:00 working-day
2 Define inbound traffic to the wage server. Create a name-based advanced ACL "traffic-of-payserver" and enter it.
Figure 2 Networking for basic ACL configuration (figure omitted; labels: Switch port #1, To router)

Only the commands concerning ACL configuration are listed.
1 Define the time range from 8:00 to 18:00:
[SW8800]time-range 3com 8:00 to 18:00 daily
2 Define the traffic with source IP 10.1.1.1. Create a name-based basic ACL "traffic-of-host" and enter it:
[SW8800]acl name traffic-of-host basic
Define an ACL rule for source IP 10.1.1.1:
[SW8800-acl-basic-traffic-of-host]rule 1 deny ip source 10.1.1.
Define an ACL rule for the traffic with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303:
[SW8800-acl-link-traffic-of-link]rule 1 deny ingress 00e0-fc01-0101 0-0-0 egress 00e0-fc01-0303 0-0-0 time-range 3com
3 Activate the ACL "traffic-of-host":
[SW8800-GigabitEthernet2/1/1]packet-filter inbound link-group traffic-of-link

QoS Configuration

In a traditional IP network, all packets are treated equally, without priority differences.
■ Run the filtering operation (deny or permit) on the identified traffic. The default filtering operation is to deny traffic.
■ Traffic policing: QoS can police traffic at the ingress port, to provide better services with the limited network resources.
■ Redirection: You can re-specify the forwarding port for packets, based on QoS policy.
■ Traffic priority: Switches can provide priority tags, including ToS, DSCP, 802.1p, and so on, for specific packets.
IEEE to represent a packet with an 802.1Q tag added. The contents of the 802.1Q tag header are shown in Figure 6.

Figure 6 802.1Q Tag Header (figure omitted)

In the figure, the priority field in the TCI is the 802.1p priority, which consists of three bits. There are eight priority levels, numbered 0 to 7, for determining which packets to send first when switch congestion takes place. Since their applications are defined in detail in the 802.1p Recommendation, they are named 802.
WRR algorithm

Each port supports four or eight outbound queues. In WRR mode, the system processes the queues in turn, so every queue gets a service period. Consider the case where the port supports four outbound queues. Every queue is assigned a weight value (numbered w3, w2, w1 and w0 respectively), which indicates its weight in obtaining resources. For a 100 Mbps port, the weight values are set as 50, 30, 10 and 10 (corresponding respectively to w3, w2, w1 and w0).
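A small simulation of the WRR service described above, added here as an example and not code from the 3Com guide: with the page's weights 50, 30, 10 and 10 every saturated queue receives exactly its weighted share of a service cycle, and when a queue is idle its turn is skipped so the remaining queues absorb the bandwidth. The packets, queue depths and the start-from-queue-3 service order are constructed assumptions.

```python
from collections import deque

# Added illustration of WRR scheduling as described on this page; a
# constructed simulation, not the switch's implementation.

# Weights from the page for a four-queue 100 Mbps port: w3, w2, w1, w0.
WEIGHTS = {3: 50, 2: 30, 1: 10, 0: 10}


def wrr_schedule(queues, weights, slots):
    """Serve the queues in turn, starting from the highest-numbered queue.

    queues: queue id -> deque of packets waiting on the port.
    In each service period queue q may send up to weights[q] packets; an
    empty queue simply yields its turn, so its share is redistributed to the
    queues that have traffic. Returns the transmission order as a list of
    queue ids, at most `slots` entries long.
    """
    order = []
    while len(order) < slots and any(queues.values()):
        for q in sorted(weights, reverse=True):
            for _ in range(weights[q]):
                if not queues[q] or len(order) >= slots:
                    break
                queues[q].popleft()
                order.append(q)
    return order


def service_share(order):
    """Fraction of transmitted packets that came from each queue."""
    if not order:
        return {}
    return {q: order.count(q) / len(order) for q in set(order)}


def backlogged(queue_ids, depth):
    """Constructed traffic: every listed queue holds `depth` packets."""
    return {q: deque(range(depth)) for q in queue_ids}


if __name__ == "__main__":
    # All four queues saturated: over one full cycle the shares equal the weights.
    print(service_share(wrr_schedule(backlogged(WEIGHTS, 1000), WEIGHTS, 100)))
    # Queue 3 idle: its 50 slots per cycle go to the other three queues.
    idle = backlogged(WEIGHTS, 1000)
    idle[3].clear()
    print(service_share(wrr_schedule(idle, WEIGHTS, 100)))
```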
Configuring Packet Filtering

Before initiating any of these QoS configuration tasks, you should first define the corresponding ACL. Then you can achieve packet filtering just by activating the right ACL. Some QoS terms are listed in the following table.

Table 11 QoS Terms
Term    Description
CoS     Means the same as 802.1p priority. Both refer to the priority in the packet header, with the value ranging from 0 to 7.
Table 12 Configuring Mapping Tables
Operation: Restore the default values of the CoS -> Drop-precedence mapping table
Command: undo qos cos-drop-precedence-map
Operation: Configure the CoS -> Local-precedence mapping table
Command: qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec
Operation: Restore the default values of the CoS -> Local-precedence mapping table
Command: undo qos cos-local
Table 14 Configuring Traffic Policing
Operation: Remove traffic policing setting which applies IP group ACL and link group ACL at the same time
Command: undo traffic-limit inbound ip-group { acl-number | acl-name } { rule rule link-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } rule rule }
Operation: Configure traffic policing which only applies link group ACL
Command: traffic-limit inbound link-group { acl-number | acl-name } [ rule rule [ system-index inde
rate with the capacity of downstream devices. Its major difference from traffic policing is that traffic shaping buffers packets that exceed the threshold rate so that they are sent at the average rate, while traffic policing drops the excess packets. Therefore, traffic shaping may increase transmission delay, whereas traffic policing does not. Perform the following configurations in Ethernet interface view.
Table 17 Configuring Traffic Priority
Operation: Remove traffic priority setting which only applies link group ACL
Command: undo traffic-priority inbound link-group { acl-number | acl-name } [ rule rule ]

You must first define the corresponding ACL and configure the DSCP + Conform-Level -> Service parameters mapping table before starting this configuration. The DSCP + Conform-Level 0 -> Service parameters mapping table (the mapping table for conform level 0) is used here.
Configuring Queue Scheduling

The switch supports eight outbound queues per port and puts packets into the queues according to their local precedence. Queue scheduling resolves resource contention among many packets. The switch supports the SP algorithm and the WRR algorithm. Different outbound queues on a port can use different algorithms.
max-thresholds of red, yellow and green packets are exceeded, all excess packets are dropped. You must first configure WRED parameters for every outbound queue when defining drop precedence. The switch provides four sets of default WRED parameters, numbered 0 to 3. Each set includes 80 parameters, 10 for each of the eight queues.
Configuring Traffic Mirroring

Traffic mirroring duplicates the traffic that matches ACL rules to the CPU, for traffic analysis and monitoring. Perform the following configurations in Ethernet interface or VLAN view.
■ The monitor port and the monitored ports must be on the same interface card.
■ Only one mirror group can be configured on an interface card for each mirroring direction. For example, only one inbound mirror group can be configured on an interface card; if you configure another inbound mirror group, the system reports a configuration failure. The same applies to the outbound mirror group.
Table 25 Displaying and Debugging QoS Configurations
Operation: Display traffic priority configuration of a port
Command: display qos-interface [ interface-name | interface-type interface-num ] traffic-priority
Operation: Display traffic redirection configuration of a port
Command: display qos-interface [ interface-name | interface-type interface-num ] traffic-redirect
Operation: Display traffic statistics of a port
Command: display qos-interface [ interface-name | interface-type interface-num ] traffic-statistic
Figure 8 Networking for traffic policing configuration (figure omitted; labels: Wage server 129.110.1.2, Switch, The rank and file (vlan1), Financial Dept. (vlan2), Director (vlan3), To router)

Only the commands concerning QoS/ACL configuration are listed here.
1 Define the time range "worktime" in system view:
[SW8800]time-range worktime 08:30 to 18:00 working-day
2 Define the traffic to the wage server. Create a name-based advanced ACL "traffic-to-payserver" and enter it.
[SW8800-vlan2]traffic-limit inbound ip-group traffic-from-payserver rule 1 100 2000 3000

Traffic Shaping Configuration Example

Set traffic shaping for outbound queue 2 at port GE7/1/8: maximum rate 500 kbps, burst size 12 kbytes.

Figure 9 Networking for QoS Configuration (figure omitted; labels: GE7/1/8, GE7/1/1 VLAN2 1.0.0.1/8, GE7/1/2 VLAN3 2.0.0.1/8, PC1, PC2)

1 Enter Ethernet interface GigabitEth7/1/8 view.
Define a mirroring group, with the monitoring port as GigabitEthernet3/1/8:
[SW8800]mirroring-group 1 inbound GigabitEthernet3/1/1 GigabitEthernet3/1/2 mirrored-to GigabitEthernet3/1/8
[SW8800]mirroring-group 2 outbound GigabitEthernet3/1/1 GigabitEthernet3/1/2 mirrored-to GigabitEthernet3/1/8

Traffic Priority Configuration Example

Re-allocate service parameters according to the mapping table for DSCP 63 for the packets from PC1 (IP 1.0.0.
Table 26 Modified CoS -> Conform-Level Mapping Table
CoS Value    Drop-precedence
6            0
7            0

4 Define the DSCP + Conform-Level -> Service parameter mapping table. Allocate a set of service parameters for the packets from PC1 according to the mapping table for DSCP 63:
[SW8800]qos conform-level 0
[SW8800-conform-level-0]dscp 63 : 32 4 4 4 0
The modified DSCP + Conform-Level -> Service parameter mapping table: Re-allocate service parameters for the packets from PC1.
[SW8800-acl-basic-2000]rule 0 permit source 1.0.0.1 0 time-range 3com
3 Modify the next hop for the packets from PC1. Define the next hop for the packets from PC1 as 2.0.0.1:
[SW8800-GigabitEthernet7/1/1]traffic-redirect inbound ip-group 2000 rule 0 next-hop 2.0.0.1

Queue Scheduling Configuration Example

Modify the correspondence between 802.1p priority levels and local priority levels to change the mapping between 802.
Ethernet7/1/1 Port scheduling:
QID: scheduling-group weight
-----------------------------------
0 : wrr , group1 20
1 : wrr , group1 20
2 : wrr , group1 30
3 : wrr , group2 20
4 : wrr , group2 20
5 : wrr , group2 40
6 : sp 0
7 : sp 0

WRED Parameters Configuration Example

Set WRED parameters and the drop algorithm for packets at port GE7/1/1: Configure parameters for WRED 0; outbound queue ID is 7; green-min-threshold is 150; green-max-threshold is 50
236 CHAPTER 7: QOS/ACL OPERATION Figure 15 Networking for QoS Configuration (figure: GE7/1/8; GE7/1/1, VLAN2, 1.0.0.1/8; GE7/1/2, VLAN3, 2.0.0.1/8; PC1; PC2) 1 Define the time range from 8:00 to 18:00. [SW8800]time-range 3com 8:00 to 18:00 daily 2 Define the traffic from PC1. Define an ACL rule for the traffic from PC1. [SW8800]acl number 2000 [SW8800-acl-basic-2000]rule 0 permit source 1.0.0.1 0.0.0.0 time-range 3com 3 Count the packets to PC1 and display the result using the display command.
Configuring Logon User ACL Control 237 Defining ACLs Currently only number-based ACLs can be imported, with the number ranging from 2000 to 3999. Perform the following configurations in system view.
238 CHAPTER 7: QOS/ACL OPERATION [SW8800-acl-basic-2000]rule 2 permit source 10.110.100.46 0 [SW8800-acl-basic-2000]quit 2 Import the ACL. [SW8800]user-interface vty 0 4 [SW8800-user-interface-vty0-4]acl 2000 inbound Configuring ACL for SNMP Users 3Com switches support remote network management (NM) and the user can use SNMP to access them. Proper ACL configuration can prevent illegal users from logging onto the switches.
Configuring Logon User ACL Control 239 You can import different ACLs in the three commands listed above. See the Switch 8800 Command Reference Guide for details about these commands. Currently you can import only the basic ACLs with digit IDs. Configuration Example Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the switch. Figure 17 ACL configuration for SNMP users (figure: Internet; Switch) 1 Define a basic ACL.
8 STP OPERATION This chapter covers the following topics: ■ STP Overview ■ Configuring STP ■ MSTP Overview ■ Configuring MSTP STP Overview Spanning Tree Protocol (STP), defined by IEEE 802.1D, is applied in a loop network to block undesirable redundant paths. Using STP avoids the proliferation and infinite cycling of a packet in a loop network.
242 CHAPTER 8: STP OPERATION Designating Switches and Ports A designated switch is a switch in charge of forwarding packets to the local switch by a port called the designated port. For a LAN, the designated switch is a switch that forwards packets to the network segment by the designated port. As illustrated in Figure 1, Switch A forwards data to Switch B through GigabitEthernet port1/1/1. So to Switch B, the designated switch is Switch A and the designated port is GigabitEthernet1/1/1 of Switch A.
Configuring STP Generating the Configuration BPDU 243 When initialized, each port of the switches will generate the configuration BPDU taking itself as the root, root path cost as 0, designated switch IDs as their own switch IDs, and the designated ports as their ports.
244 CHAPTER 8: STP OPERATION The comparison process of each switch is: ■ Switch A GigabitEthernet1/1/1 receives the configuration BPDU from Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU. The configuration BPDU is processed on the GigabitEthernet1/1/2 in a similar way.
Configuring STP 245 spanning tree calculation is launched again by new events, for example, the link from Switch B to C is down or the port receives a better configuration BPDU. GigabitEthernet1/1/1 receives the updated configuration BPDU, {0, 5, 1, e1/1/4}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU will be updated to {0, 5, 1, e1/1/4}.
246 CHAPTER 8: STP OPERATION through the old path. If the new root port and designated port begin to forward data immediately after they are elected, an occasional loop may still occur. In RSTP, a transitional state mechanism is then adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again.
MSTP Overview 247 Figure 4 MSTP Concepts (figure: regions A0, B0 and C0 exchanging BPDUs, each with VLAN 1 mapped to Instance 1, VLAN 2 (and VLAN 3 in one region) mapped to Instance 2, and other VLANs mapped to the CIST; CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance; CST: Common Spanning Tree)
248 CHAPTER 8: STP OPERATION Multiple Spanning Tree Instance (MSTI) Multiple spanning trees can be generated in an MST region and are independent of one another. Each of these spanning trees is called an MSTI. MSTI Region root The MSTI region root refers to the root of the MSTI in an MST region. Each spanning tree in an MST region can have a different topology with a different region root. Common Root Bridge The common root bridge refers to the root bridge of the CIST.
Configuring MSTP 249 Figure 5 Port Roles MSTP Principles MSTP divides the entire Layer 2 network into several MST regions, and calculates and generates CST for them. Multiple spanning trees are generated in a region and each of them is called an MSTI. The instance 0 is called IST, and others are called MSTI. CIST calculation The CIST root is the highest-priority switch, elected from the switches on the entire network by comparing their configuration BPDUs.
250 CHAPTER 8: STP OPERATION ■ Configuring the Path Cost of a Port ■ Configuring the Priority of a Port ■ Configuring the Port Connection with the Point-to-Point Link ■ Configuring the mCheck Variable of a Port ■ Configuring the Switch Security Function ■ Enabling MSTP on the Device ■ Enabling or Disabling MSTP on a Port ■ Displaying and Debugging MSTP Only after MSTP is enabled on the device will other configurations take effect.
Configuring MSTP 251 Configuring the MST Region Perform the following configuration in MST region view.
252 CHAPTER 8: STP OPERATION You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree. Perform the following configuration in system view. Table 4 Specify the Switch as Primary or Secondary Root Switch Operation Command Specify current switch as the primary root switch of the specified spanning tree.
Configuring MSTP 253 region itself. In MSTP mode, the switch ports send MSTP or STP packets (when connected to the STP switch) and the switch provides the multiple spanning tree function. You can use the following command to configure the MSTP operational mode. MSTP can intercommunicate with STP. If there is an STP switch in the switching network, you can use the command to configure the current MSTP to run in STP-compatible mode; otherwise, configure it to run in MSTP mode.
254 CHAPTER 8: STP OPERATION each time it is forwarded by a switch, the max hop is reduced by 1. The switch discards the configuration BPDU with 0 hops left. This makes it impossible for the switch beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region. You can use the following command to configure the max hops in an MST region. Perform the following configuration in system view.
Configuring MSTP Configuring the Time Parameters of a Switch 255 The switch has three time parameters: ■ forward delay ■ hello time ■ max age Forward delay is the switch state transition mechanism. The spanning tree will be recalculated upon link faults and its structure will change accordingly. The configuration BPDU recalculated cannot be immediately propagated throughout the network.
256 CHAPTER 8: STP OPERATION A max age that is too short can cause the network device to calculate the spanning tree frequently and mistake congestion for a link fault. If the max age is too long, the network device may not be able to discover the link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.
Configuring MSTP 257 By default, the max transmission speed on every Ethernet port of the switch is 3. Configuring a Port as an Edge Port An edge port refers to the port not directly connected to any switch, or indirectly connected to a switch over the connected network. You can configure a port as an edge port or non-edge port in the following ways. Configuring in System View Perform the following configuration in system view.
258 CHAPTER 8: STP OPERATION the traffic from different VLANs can run over different physical links, thereby implementing the VLAN-based load-balancing.
Configuring MSTP 259 You can configure the path cost of a port in the following ways. Configuring in System View Perform the following configuration in system view. Table 14 Configure the Path Cost of a Port Operation Command Configure the Path Cost of a port. stp interface interface-list instance instance-id cost cost Restore the default path cost of a port.
260 CHAPTER 8: STP OPERATION Configuring in Ethernet Port View Perform the following configuration in Ethernet port view. Table 17 Configure the Port Priority Operation Command Configure the port priority. stp instance instance-id port priority priority Restore the default port priority. undo stp instance instance-id port priority For more about the commands, see the Switch 8800 Command Reference Guide. After the change of port priority, MSTP will recalculate the port role and transit the state.
Configuring MSTP 261 Table 19 Configure the Port Connection With the Point-to-point Link Operation Command Configure MSTP to automatically detect if the port is directly connected with the point-to-point link, as defaulted. undo stp point-to-point For more about the commands, see the Switch 8800 Command Reference Guide.
262 CHAPTER 8: STP OPERATION The command can be used only if the switch runs MSTP. The command does not make any sense when the switch runs in STP-compatible mode. Configuring the Switch Security Function An MSTP switch provides BPDU protection, Root protection, and loop-protection functions. For an access device, the access port is, mainly, directly connected to the user terminal or a file server, and the access port is set to edge port to implement fast transition.
Configuring MSTP 263 Table 22 Configure the Switch Security Function Operation Command Configure switch loop protection function (from Ethernet port view) stp loop-protection Restore the disabled loop protection state, as defaulted (from Ethernet port view) stp loop-protection After BPDU protection is configured, MSTP disables any edge port that receives a BPDU and notifies the network manager at the same time. These ports can be resumed by the network manager only.
264 CHAPTER 8: STP OPERATION Configuring in System View Perform the following configuration in system view. Table 24 Enable/Disable MSTP on a Port Operation Command Enable MSTP on a port. stp interface interface-list enable Disable MSTP on a port. stp interface interface-list disable Restore the default MSTP state on the port. undo stp interface-list Configuring in Ethernet Port View Perform the following configuration in Ethernet port view.
AAA AND RADIUS OPERATION 9 This chapter covers the following topics: ■ IEEE 802.1x ■ Configuring the AAA and RADIUS Protocols IEEE 802.1x IEEE 802.1x (hereinafter simplified as 802.1x) is a port-based network access control protocol that is used as the standard for LAN user access authentication. In LANs that comply with IEEE 802 standards, the user can access devices and share resources in the LAN by connecting a device such as a LAN Switch.
266 CHAPTER 9: AAA AND RADIUS OPERATION LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which is encapsulated in packets of other AAA upper layer protocols (e.g. RADIUS). This provides a channel through the complicated network to the Authentication Server. Such procedure is called EAP Relay. There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the other is the Controlled Port.
IEEE 802.1x 267 The EAPoL-Encapsulated-ASF-Alert is related to the network management information and terminated by the Authenticator. 802.1x provides an implementation solution of user ID authentication. However, 802.1x itself is not enough to implement the scheme. The administrator of the access device should configure the AAA scheme by selecting RADIUS or local authentication to assist 802.1x in implementing the user ID authentication.
268 CHAPTER 9: AAA AND RADIUS OPERATION Perform the following configurations in system view or Ethernet port view. Table 1 Enable/Disable 802.1x Operation Command Enable the 802.1x dot1x [interface interface-list] Disable the 802.1x undo dot1x [interface interface-list] Users can configure 802.1x on an individual port. The configuration will take effect right after 802.1x is enabled globally. By default, 802.1x authentication has not been enabled globally, or on any port.
IEEE 802.1x 269 Checking the Users that Log on the Switch by Proxy The following commands are used for checking the users that log on by proxy. Perform the following configurations in system view or Ethernet port view.
270 CHAPTER 9: AAA AND RADIUS OPERATION ■ EAP relay — the switch sends authentication information to the RADIUS server in the form of EAP packets, directly, so that the RADIUS server never supports EAP authentication Perform the following configurations in system view. Table 7 Configure the Authentication Method for 802.1x Users Operation Command Configure the authentication method for 802.
IEEE 802.1x 271 Perform the following configurations in system view. Table 10 Configure Timers Operation Command Configure timers dot1x timer {quiet-period quiet-period-value | tx-period tx-period-value | supp-time-out supp-timeout-value | server-timeout server-timeout-value} Restore default settings of the timers undo dot1x timer {quiet-period | tx-period | supp-timeout | server-timeout} quiet-period: Specify the quiet timer. If an 802.
272 CHAPTER 9: AAA AND RADIUS OPERATION Perform the following configuration in system view. Table 11 Enable/Disable a Quiet-Period Timer Operation Command Enable a quiet-period timer. dot1x quiet-period Disable a quiet-period timer undo dot1x quiet-period Displaying and Debugging 802.1x Execute the display command in all views to display the VLAN configuration, and to verify the configuration. Execute the reset command in user view to reset 802.1x statistics information.
IEEE 802.1x 273 The user name of the local 802.1x access user is localuser and the password is localpass (input in plain text). The idle cut function is enabled. Figure 2 Enabling 802.1x and RADIUS to Perform AAA on the Requester (figure: Requestor; Switch acting as Authenticator on port E1/1/2; authentication servers, RADIUS server cluster IP addresses 10.11.1.1 and 10.11.1.2; Internet) The following examples concern most of the AAA/RADIUS configuration commands.
274 CHAPTER 9: AAA AND RADIUS OPERATION [SW8800-radius-radius1]timer realtime-accounting 15 10 Configure the system to transmit the user name to the RADIUS server after removing the domain name. [SW8800-radius-radius1]user-name-format without-domain [SW8800-radius-radius1]quit 11 Create the user domain 3com163.net and enter isp configuration mode. [SW8800]domain 3com163.net 12 Specify radius1 as the RADIUS server group for the users in the domain 3com163.net. [SW8800-isp-3com163.
Configuring the AAA and RADIUS Protocols 275 As mentioned above, AAA is a management framework, so it can be implemented by several protocols. RADIUS is the one most frequently used. Remote Authentication Dial-In User Service, RADIUS for short, is a distributed information exchange protocol in Client/Server architecture. RADIUS can protect the network from the disruption caused by unauthorized access, and it is often used in network environments requiring both high security and remote user access.
276 CHAPTER 9: AAA AND RADIUS OPERATION Figure 3 Networking with Switch 8800 Applying RADIUS Authentication (figure: authentication server and accounting server; Switch 7700 units for ISP1 and ISP2; PC user1 to user4; Internet) Configuring the AAA and RADIUS Protocols is described in the following sections: ■ Configuring AAA ■ Configuring the RADIUS Protocol ■ Troubleshooting AAA and RADIUS Configuring AAA AAA configuration includes tasks that are described in the fol
Configuring the AAA and RADIUS Protocols 277 complete set of exclusive ISP domain attributes on a per-ISP domain basis, which includes AAA policy (RADIUS server group applied etc.) For the Switch 8800, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system will put it into the default domain. Perform the following configurations in system view.
278 CHAPTER 9: AAA AND RADIUS OPERATION Creating a Local User A local user is a group of users set on NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local user has been added onto NAS. Perform the following configurations in system view.
Configuring the AAA and RADIUS Protocols 279 Table 17 Set/Remove the Attributes Concerned with a Specified User Operation Command Configure the attributes of lan-access users attribute {ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum }* Remove the attributes defined for the lan-access users undo attribute {ip | mac | idle-cut | access-limit | vlan | location } Disconnecting a User by Force Somet
280 CHAPTER 9: AAA AND RADIUS OPERATION ■ Setting the Maximum Retransmitting Times of the Stop Accounting Request ■ Setting the Supported Type of RADIUS Server ■ Setting RADIUS Server State ■ Setting Username Format Transmitted to RADIUS Server ■ Setting the Unit of Data Flow that Transmitted to RADIUS Server ■ Configuring a Local RADIUS Server Group ■ Displaying and Debugging the AAA and RADIUS Protocols ■ Configuring FTP/Telnet User Authentication at Remote RADIUS Server ■ Configuring F
Configuring the AAA and RADIUS Protocols 281 Perform the following configurations in RADIUS server group view. Table 20 Set IP Address and Port Number of RADIUS Server Operation Command Set IP address and port number of primary RADIUS authentication/authorization server. primary authentication ip-address [port-number] Restore IP address and port number of primary RADIUS authentication/authorization server to the default values. undo primary authentication
282 CHAPTER 9: AAA AND RADIUS OPERATION Setting the RADIUS Packet Encryption Key RADIUS client (switch system) and RADIUS server use MD5 algorithm to encrypt the exchanged packets. The two ends verify the packet by setting the encryption key. Only when the keys are identical can both ends accept the packets from each other and give a response. Perform the following configurations in RADIUS server group view.
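The shared-key check described above, as an added example that is not part of the 3Com guide: the RADIUS client (the switch) and the server never send the key itself; the key is mixed into an MD5 digest over each packet (the Response Authenticator of RFC 2865) and into the hiding of the User-Password attribute, so a peer with a different key produces digests that fail verification and its packets are dropped. The code below implements both computations in Python. The key "expert" is reused from the Telnet example later in this chapter as sample data, the 16-byte Request Authenticator is a constructed value, and the attribute bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)
HEADER_LEN = 20                 # 4-byte header + 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2).

    The password is padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous ciphertext block), the first "previous block"
    being the Request Authenticator.  Only a peer holding the same secret can
    reverse it.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth
                       + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: build an Access-Accept/Reject bound to the request."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept the response only if its Authenticator matches
    the digest computed with the local key and the original request's
    Authenticator.  A length mismatch or a different key both fail."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


if __name__ == "__main__":
    secret = b"expert"                 # sample key from this chapter's Telnet example
    request_auth = bytes(range(16))    # constructed; a real client uses random bytes
    reply_message = bytes([18, 4]) + b"OK"   # constructed Reply-Message attribute
    resp = build_response(ACCESS_ACCEPT, 7, reply_message, request_auth, secret)
    print("same key accepted :", verify_response(resp, request_auth, secret))
    print("other key accepted:", verify_response(resp, request_auth, b"wrong"))
```

Because the Request Authenticator is part of the digest, a valid response to one request cannot be replayed as the answer to another, which is why the client must keep the Authenticator of each outstanding request until the reply arrives.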
Configuring the AAA and RADIUS Protocols 283 By default, a RADIUS request packet will be retransmitted up to three times. Enabling the Selection of the RADIUS Accounting Option When accounting optional is configured and no RADIUS server is available or the RADIUS accounting server fails, the user can still use the network resources; otherwise, the user will be disconnected. Perform the following configurations in RADIUS server group view.
284 CHAPTER 9: AAA AND RADIUS OPERATION Setting Maximum Times of Real-time Accounting Request The RADIUS server usually verifies that a user is online with a timeout timer. If the RADIUS server has not received the real-time accounting packet from the NAS for a specified period, it stops accounting. Therefore, it may be necessary to disconnect the user at the NAS end and on the RADIUS server when some unpredictable failure exists.
Configuring the AAA and RADIUS Protocols 285 the server responds or discards the messages. Use this command to set the maximum retransmission times. Perform the following configurations in RADIUS server group view.
286 CHAPTER 9: AAA AND RADIUS OPERATION Setting Username Format Transmitted to RADIUS Server As mentioned before, clients are generally named in userid@isp-name format. The part following “@” is the ISP domain name. The Switch 8800 will put users into different ISP domains according to their domain name. However, some earlier RADIUS servers rejected the username including ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server.
Configuring the AAA and RADIUS Protocols 287 When using the local RADIUS server function of the Switch 8800, remember that: ■ The number of the UDP port used for authentication is 1645 and the number for accounting is 1646.
288 CHAPTER 9: AAA AND RADIUS OPERATION In the environment illustrated in the following figure, the switch must be configured so that the RADIUS server authenticates the Telnet users who log in. One RADIUS server (as authentication server) is connected to the switch and the server IP address is 10.110.91.146. The password for exchanging messages between the switch and the authentication server is "expert".
Configuring the AAA and RADIUS Protocols 289 For details about local RADIUS authentication of Telnet/FTP users, see “Configuring a Local RADIUS Server Group” on page 286. Troubleshooting AAA and RADIUS The RADIUS protocol of the TCP/IP protocol suite is located on the application layer. It basically specifies how to exchange user information between the NAS and the RADIUS server of the ISP, so configuration errors are likely to cause failures.
10 RELIABILITY This chapter covers the following topics: ■ VRRP Overview ■ Configuring VRRP VRRP Overview Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route, for example, 10.100.10.1 in Figure 1, is configured for every host on a network, so that packets destined for another network segment go through the default route to Layer 3 Switch1, implementing communication between the host and the external network.
292 CHAPTER 10: RELIABILITY Figure 2 Virtual Router Network (figure: two switches with actual IP addresses 10.100.10.2 and 10.100.10.3, one Master and one Backup, sharing virtual IP address 10.100.10.1 on the Ethernet; Host 1 at 10.100.10.7, Host 2 at 10.100.10.8 and Host 3 at 10.100.10.9 use the virtual IP address) This virtual router has its own IP address: 10.100.10.1, which can be the actual interface address of a switch within the virtual router. The switches within the virtual router have their own IP addresses, such as 10.100.10.
Configuring VRRP 293 Perform the following commands in system view. Table 1 Enable/Disable the Ping Function Operation Command Enable pinging of the virtual IP address vrrp ping-enable Disable pinging of the virtual IP address undo vrrp ping-enable By default, ping response for the virtual IP address is disabled. Setting Correspondence Between Virtual IP and MAC Addresses This operation sets the virtual IP address to correspond to either the real or the virtual MAC address.
294 CHAPTER 10: RELIABILITY Perform the following configuration in VLAN interface view. Table 3 Add/Delete a Virtual IP Address Operation Command Add a virtual IP address. vrrp vrid virtual-router-ID virtual-ip virtual-address Delete a virtual IP address. undo vrrp vrid virtual-router-ID [ virtual-ip virtual-address ] Configuring the Priority of Switches The status of each switch in the virtual router group is determined by its priority in VRRP.
Configuring VRRP 295 The delay ranges from 0 to 255, measured in seconds. The default mode is preemption with a delay of 0 seconds. Configuring Authentication Type and Authentication Key To prevent unauthorized routers from joining the virtual router, a key can be configured that is used in one of the following VRRP authentication types: ■ Simple character authentication — The authentication type is set to simple. The switch adds the authentication key to the VRRP packets before transmitting them.
296 CHAPTER 10: RELIABILITY Table 7 Configure VRRP Timer Operation Command Clear VRRP timer undo vrrp vrid virtual-router-ID timer advertise By default, adver-interval is 1. Configuring a Switch to Track an Interface The VRRP track interface function expands the backup function by including other switch interfaces of participating routers. Backup is provided not only to the interface where the virtual router resides, but also to other switch interfaces of participating routers.
Configuring VRRP 297 VRRP virtual router information includes virtual router ID 1, virtual IP address 202.38.160.111, switch A as the Master and switch B as the backup, with preemption allowed. Figure 3 VRRP Configuration (figure: Switch A and Switch B with VLAN-interface2 addresses 202.38.160.1 and 202.38.160.2 sharing virtual IP address 202.38.160.111; VLAN-interface3 10.100.10.2 towards the Internet; Host A 202.36.160.3; Host B 10.2.3.1) Configure switch A: [SW8800_A-vlan-interface2]vrrp vrid 1 virtual-ip 202.38.160.
298 CHAPTER 10: RELIABILITY [SW8800_A-vlan-interface2]vrrp vrid 1 priority 110 3 Set the authentication key for the virtual router. [SW8800_A-vlan-interface2]vrrp authentication-mode md5 lanswitch 4 Set Master to send VRRP packets every 5 seconds. [SW8800_A-vlan-interface2]vrrp vrid 1 timer advertise 5 5 Track an interface. [SW8800_A-vlan-interface2]vrrp vrid 1 track vlan-interface 3 reduced 30 Configure switch B 1 Create a virtual router. [SW8800_B-vlan-interface2]vrrp vrid 1 virtual-ip 202.38.160.
Configuring VRRP 299 2 Create virtual router 2. [SW8800_B-vlan-interface2]vrrp vrid 2 virtual-ip 202.38.160.112 3 Set the priority for the virtual router. [SW8800_B-vlan-interface2]vrrp vrid 2 priority 110 Troubleshooting VRRP The configuration of VRRP is simple so almost all troubleshooting can be done by viewing the configuration and debugging information. Here are some possible failures you might experience and the corresponding troubleshooting methods.
11 SYSTEM MANAGEMENT This chapter covers the following topics: ■ File System ■ Managing the MAC Address Table ■ Managing Devices ■ Maintaining and Debugging the System ■ SNMP ■ RMON ■ NTP File System The Switch 8800 provides a file system module for efficient management with storage devices such as flash memory.
302 CHAPTER 11: SYSTEM MANAGEMENT Table 1 Directory Operation Operation Command Delete a directory rmdir directory Display the current working directory pwd Display the information about directories or files dir [ / all ] [ file-url ] Change the current directory cd directory Managing Files You can use the file system to delete, undelete, or permanently delete a file.
File System 303 Example: File System Operation 1 Format the flash. format flash: All sectors will be erased, proceed? [confirm] y Format flash: completed 2 Display the working directory in the flash. cd flash:/ pwd flash:/ 3 Create a directory named test. mkdir test 4 Display the flash directory information after creating the test directory.
304 CHAPTER 11: SYSTEM MANAGEMENT Perform the following configuration in all views.
File System 305 FTP Server configuration includes tasks described in the following sections: ■ Enabling and Disabling the FTP Server ■ Configuring the FTP Server Authentication and Authorization ■ Configuring FTP Server Parameters ■ Displaying and Debugging the FTP Server Enabling and Disabling the FTP Server You can use the following commands to enable or disable the FTP server. Perform the following configuration in system view.
306 CHAPTER 11: SYSTEM MANAGEMENT for a period of time, it will cut the connection to it, thereby avoiding illegal access by unauthorized users. Perform the following configuration in system view. Table 10 Configure FTP Server Connection Timeout Operation Command Configure FTP server connection timeouts ftp timeout minute Restoring the default FTP server connection timeouts undo ftp timeout By default, the FTP server connection timeout is 30 minutes.
Managing the MAC Address Table 307 Perform the following configuration in system view. Table 12 Configuring the File Transmission Mode Operation Command Configure the file transmission mode tftp { ascii | binary } By default, TFTP transmits files in binary mode. Downloading Files with TFTP To download a file, the client sends a request to the TFTP server and receives data from it, then sends acknowledgement to it. Use the following commands to download files with TFTP.
308 CHAPTER 11: SYSTEM MANAGEMENT Figure 1 The Switch 8800 Forwards Packets According to the MAC Address Table (figure: MAC address table with MACA and MACB on Port 1 and MACC and MACD on Port 2; a frame from MACD to MACA arriving on Port 2 is forwarded out Port 1) The Switch 8800 also provides the function of MAC address aging. If the switch does not receive a packet from a MAC address for a set period of time, it will delete the related entry from the MAC address table.
Managing the MAC Address Table 309 Table 15 Setting MAC Address Table Entries Operation Command Delete an address entry undo mac-address [ { static | dynamic } mac-address interface { interface-name | interface-type interface-num } vlan-id] Disabling or Enabling Global MAC Address Learning With the address learning function enabled, an Ethernet switch can learn new MAC addresses.
310 CHAPTER 11: SYSTEM MANAGEMENT If the aging time is set too long, the Ethernet switch stores a great number of out-of-date MAC addresses in its table. This consumes MAC address table resources and the switch will not be able to update the MAC address table according to network changes. If the aging time is set too short, the Ethernet switch may delete valid MAC address table entries. You can use the following commands to set the MAC address aging time for the system.
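The trade-off just described, as an added example that is not part of the 3Com guide: a small Python model of a MAC address table with aging and a capacity limit, run over a constructed traffic trace in which one host talks every 60 seconds and three hosts talk once and fall silent. The aging times (300 and 10 seconds), the host MAC addresses other than the one reused from the display output on the following page, the port names and the table capacity are all assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    last_seen: float   # time (seconds) the source MAC was last seen on this port


class MacTable:
    """Learning bridge table: entries age out after `aging_time` seconds
    without traffic from that source, and the table has a fixed capacity."""

    def __init__(self, aging_time: float, capacity: int = 8):
        self.aging_time = aging_time
        self.capacity = capacity
        self.entries: dict[str, Entry] = {}

    def age(self, now: float) -> int:
        """Drop entries not refreshed within aging_time; return how many."""
        stale = [m for m, e in self.entries.items()
                 if now - e.last_seen > self.aging_time]
        for m in stale:
            del self.entries[m]
        return len(stale)

    def learn(self, mac: str, port: str, now: float) -> bool:
        """Learn/refresh a source MAC. Returns False when the table is full
        and the MAC is new (the frame is still forwarded, but not learned)."""
        self.age(now)
        if mac not in self.entries and len(self.entries) >= self.capacity:
            return False
        self.entries[mac] = Entry(port, now)
        return True

    def lookup(self, mac: str, now: float):
        """Destination lookup; None means the frame would be flooded."""
        self.age(now)
        e = self.entries.get(mac)
        return e.port if e else None


def simulate(aging_time: float) -> dict:
    """Constructed trace: three hosts speak once at t=0 and go silent; one
    host speaks at t=0, 60, 120 and 180.  At each later frame we first look
    the periodic host up (as a destination) and count misses, which are the
    frames a real switch would flood to every port in the VLAN."""
    table = MacTable(aging_time)
    periodic = "00-e0-fc-17-a7-d6"            # MAC from the display output
    silent = ["00-e0-fc-00-00-01", "00-e0-fc-00-00-02", "00-e0-fc-00-00-03"]
    for mac in silent:
        table.learn(mac, "Ethernet1/1/3", 0)
    table.learn(periodic, "Ethernet1/1/2", 0)
    misses = 0
    for t in (60, 120, 180):
        if table.lookup(periodic, t) is None:
            misses += 1
        table.learn(periodic, "Ethernet1/1/2", t)
    table.age(200)
    return {"misses": misses, "entries_at_200": len(table.entries)}


if __name__ == "__main__":
    # Long aging keeps the three silent hosts around (table resources held);
    # very short aging forgets the active host between its frames (flooding).
    print("aging 300 s:", simulate(300))
    print("aging  10 s:", simulate(10))
```

With the long aging time the three silent hosts still occupy entries at t=200 while every lookup of the active host hits; with the very short one the table is empty at t=200 but each frame to the active host misses and would be flooded, which is the behaviour the paragraph warns about.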
Managing the MAC Address Table 311 Execute the debugging command in user view to debug MAC address table configuration.
312 CHAPTER 11: SYSTEM MANAGEMENT 00-e0-fc-17-a7-d6 1 Learned Ethernet1/1/2 300 00-e0-fc-5e-b1-fb 1 Learned Ethernet1/1/2 300 00-e0-fc-55-f1-16 1 Learned Ethernet1/1/2 300 Managing Devices With device management, the Switch 8800 displays the current state and event debugging information about the slots and physical devices. In addition, there is a command for rebooting the system when a function failure occurs.
Maintaining and Debugging the System 313 Resetting a Slot The Switch 8800 allows the administrator to reset a slot in the system. Perform the following configuration in user view. Table 24 Resetting a Slot Operation Command Reset a slot reboot [ slot slot-num ] The parameter slot-num ranges from 0 to 13, depending on the chassis. Setting the parameter to 0 resets the fabric module, taking the same effect as resetting the entire system.
314 CHAPTER 11: SYSTEM MANAGEMENT ■ Testing Tools for Network Connection ■ Logging Function Configuring System Basics This section describes the following basic system configuration tasks: ■ Setting the System Name ■ Setting the System Clock ■ Setting the Time Zone ■ Setting Daylight Saving Time Setting the System Name Perform the following commands in system view.
Maintaining and Debugging the System 315 By default, daylight saving time is not set. Displaying System Information and State The following display commands are used for displaying the system state and the statistics information. For the display commands related to each protocol and different ports, refer to the appropriate chapters. Perform the following operations in all views.
316 CHAPTER 11: SYSTEM MANAGEMENT Figure 3 Debugging Output (figure: debugging information passes a protocol debugging switch and a screen output switch, each ON or OFF, before it is displayed) You can use the following commands to control debugging. Perform the following operations in user view.
Maintaining and Debugging the System 317 You can perform the following operations in all views. Table 33 Displaying Diagnostic Information Operation Command Display diagnostic information display diagnostic-information To view the data later, enable saving a screen capture to a file.
The process is repeated until the packet reaches the destination. The source address of each ICMP TTL timeout message is recorded to give the route that an IP packet takes to the destination. Perform the following operation in user view.

Table 35 The Tracert Command
Operation      Command
Trace a route  tracert [ -f first-TTL ] [ -m max-TTL ] [ -p port ] [ -q nqueries ] [ -w timeout ] host

Logging Function

The syslog characterizes the behavior of the Switch 8800.
By default, syslog is disabled. When syslog is enabled, system performance is affected by the classification and output of information, especially when there is a large amount of information to be processed.

Setting the Output Channel of the Log

The syslog of the Ethernet switch has six possible output destinations. Use the configuration commands to specify the required channels for syslog output.
The system assigns a channel in each output direction by default. See Table 38.

Table 38 Numbers and Names of the Channels for Log Output
Name                 Channel number  Default channel name
Console              0               console
Monitor              1               monitor
Info-center loghost  2               loghost
Trap buffer          3               trapbuf
Logging buffer       4               logbuf
SNMP                 5               snmpagent

The six settings are independent from each other. The settings take effect only after the information center is enabled.
module-name specifies the module name. level refers to the severity levels, and severity specifies the severity level of the information; information with a severity below that level is not output. channel-number specifies the channel number and channel-name specifies the channel name. Every channel has been set with a default record, whose module name is default and whose module number is 0xffff0000.
SNMP

The Simple Network Management Protocol (SNMP) is used for transmitting management information between any two nodes. In this way, network administrators can easily query and modify the information on any node on the network. They can also locate faults promptly and perform fault diagnosis, capacity planning, and report generation. SNMP adopts a polling mechanism and provides the most basic function set.
The current SNMP Agent of the Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table.
A community with read-only authority can only query the device information, whereas a community with read-write authority can also configure the device. Use the following commands to set the community name. Perform the following configuration in system view.
The privacy parameter specifies that the packet is authenticated and encrypted. This parameter is supported only in SNMP V3.

Setting the Lifetime of the Trap Message

You can use the following command to set the lifetime of a trap message. A trap message that exists longer than the set lifetime is dropped. Perform the following configuration in system view.
Perform the following configuration in system view.
The authentication-mode parameter specifies the use of authentication. The privacy-mode parameter specifies the use of authentication and encryption. This parameter is supported only in SNMP V3. For details, see the Switch 8800 Command Reference Guide.

Creating and Updating View Information or Deleting a View

Use the following commands to create a view, update the information of a view, or delete a view. Perform the following configuration in system view.
If a user has disabled the SNMP Agent, it is enabled again whenever any snmp-agent command is configured.

Displaying and Debugging SNMP

Execute the display command to view the SNMP configuration and to verify the effect of the configuration. Execute the debugging command in user view to debug the SNMP configuration.
Figure 5 SNMP Configuration Example (NMS and Ethernet switch, addresses 129.102.149.23 and 129.102.0.1)

1 Enter the system view.
system-view
2 Set the community name, group name, and user.
[SW8800]snmp-agent sys-info version all
[SW8800]snmp-agent community write public
[SW8800]snmp-agent mib include internet 1.3.6.1
[SW8800]snmp-agent group v3 managev3group write internet
[SW8800]snmp-agent usm v3 managev3user managev3group
3 Set the administrator ID, contact and the physical location of the Ethernet switch.
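A configuration review of the kind a security engineer would run against the commands above, as an added example that is not part of the guide: it audits snmp-agent lines in the guide's CLI syntax for read-write and well-known community names, for v1/v2c being enabled (these versions carry the community name as their only credential, in clear text), and for a v3 group configured without the authentication or privacy parameters. The sample configuration is constructed, and the version keyword v3 is assumed to be accepted by sys-info version.

```python
import re

# Constructed sample in the guide's CLI syntax (prompts stripped), modelled on the
# SNMP configuration example: all versions enabled, a read-write 'public'
# community and a v3 group without authentication or privacy.
SAMPLE_CONFIG = """snmp-agent sys-info version all
snmp-agent community write public
snmp-agent group v3 managev3group write internet
snmp-agent usm v3 managev3user managev3group"""

WELL_KNOWN = {"public", "private"}


def audit_snmp_config(config):
    """Return (line, finding) pairs for settings that weaken SNMP access control."""
    findings = []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m and m.group(1).split() != ["v3"]:
            # 'all' (or any list naming v1/v2c) accepts community-only access
            findings.append((line, "SNMP v1/v2c enabled"))
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m:
            access, name = m.groups()
            if access == "write":
                findings.append((line, "read-write community can reconfigure the device"))
            if name.lower() in WELL_KNOWN:
                findings.append((line, "well-known community name"))
        m = re.match(r"snmp-agent group v3 (\S+)(.*)$", line)
        if m and not re.search(r"\b(authentication|privacy)\b", m.group(2)):
            # per the guide, these parameters select authentication / encryption
            findings.append((line, f"v3 group {m.group(1)} without authentication or privacy"))
    return findings


def is_clean(config):
    """True when the audit raises no findings."""
    return not audit_snmp_config(config)


if __name__ == "__main__":
    for line, finding in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{finding}: {line}")
```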
NMS and the agent running on the network devices. On the network monitor or detector, the RMON agent tracks and accounts for different traffic information on the segment connected to its port, for example, the total number of packets on a segment in a certain period of time or the number of correct packets sent to a host. RMON helps SNMP monitor remote network devices more actively and effectively, which provides a highly efficient means for monitoring subnet operations.
Perform the following configuration in system view.

Table 58 Adding or Deleting an Entry to or from the Alarm Table
Operation                             Command
Add an entry to the alarm table       rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ]
Delete an entry from the alarm table
Perform the following configuration in system view.
Figure 6 RMON Configuration Networking (switch connected to the Internet through its network port, with a console port)

1 Configure RMON.
[SW8800-Ethernet2/1/1]rmon statistics 1 owner 3com-rmon
2 View the configurations in user view.
display rmon statistics Ethernet2/1/1
Statistics entry 1 owned by 3com-rmon is VALID.
Gathers statistics of interface Ethernet2/1/1.
Figure 7 Basic Operating Principle of NTP

In Figure 7, Switch A and Switch B are connected through their Ethernet ports. They have independent system clocks. Before implementing automatic clock synchronization on both switches, we assume that:
■ Before synchronizing the system clocks on Switch A and B, the clock on Switch A is set to 10:00:00am, and the clock on B is set to 11:00:00am.
Switch A uses this information to set the local clock and to synchronize it with the clock on Switch B.
broadcast, multicast, or reference clock IP address. In this case, the local switch operates in client mode. In this mode, only the local client synchronizes its clock with the clock of the remote server; synchronization in the reverse direction does not happen. Perform the following configurations in system view.
Perform the following configurations in VLAN interface view.

Table 66 Configuring NTP Broadcast Server Mode
Operation                            Command
Configure NTP broadcast server mode  ntp-service broadcast-server [ authentication-keyid keyid ] [ version number ]
Cancel NTP broadcast server mode     undo ntp-service broadcast-server

The NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295.
This command can only be configured on the interface where the NTP multicast packet is transmitted.

Configuring NTP Multicast Client Mode

Designate an interface on the local switch to receive NTP multicast messages and operate in multicast client mode. The local switch listens to the multicast from the server. When it receives the first multicast packets, it starts a brief client/server mode to exchange messages with a remote server in order to estimate the network delay.
Perform the following configurations in system view.

Table 72 Setting the Specified Key as Reliable
Operation                          Command
Set the specified key as reliable  ntp-service reliable authentication-keyid key-number
Cancel the specified reliable key
Perform the following configurations in VLAN interface view.

Table 75 Enabling or Disabling an Interface to Receive an NTP Message
Operation                                           Command
Enable an interface to receive an NTP message       undo ntp-service in-interface disable
Disable an interface from receiving an NTP message  ntp-service in-interface disable

This configuration task must be performed on the interface to be disabled from receiving an NTP message.
Displaying and Debugging NTP

After completing the previous configurations, you can use the display command to show how NTP runs and verify the configurations according to the outputs. You can use the debugging command, in user view, to debug NTP. See Table 78 for the details of these commands.
Configure Switch SW88002:
1 Enter system view.
system-view
2 Set SW88001 as the NTP server.
[SW88002]ntp-service unicast-server 1.0.1.11

The above example synchronizes SW88002 with SW88001. Before the synchronization, SW88002 shows the following status:
[SW88002]display ntp-service status
clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequency: 100.0000 Hz
actual frequency: 100.
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)

By this time, SW88002 has been synchronized by SW88001 and is at stratum 3, one higher than SW88001. Display the sessions of SW88002 and you will see that SW88002 is connected with SW88001.
[SW88002]display ntp-service sessions
source disper reference stra reach poll now offset delay
**************************************************************************
[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.
[SW88005]ntp-service refclock-master 1
3 After performing local synchronization, set SW88004 as a peer.
[SW88005]ntp-service unicast-peer 3.0.1.32

The above example configures SW88004 and SW88005 as peers, with SW88005 in active peer mode and SW88004 in passive peer mode. Since SW88005 is at stratum 1 and SW88004 is at stratum 3, SW88004 is synchronized by SW88005.
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured

Configuring NTP Broadcast Mode

On SW88003, set the local clock as the NTP master clock at stratum 2, and configure it to broadcast packets from Vlan-interface2. Configure SW88004 and SW88001 to listen to the broadcast on their Vlan-interface2. See Figure 1-2.

Configure Switch SW88003:
1 Enter system view.
system-view
2 Set the local clock as the NTP master clock at stratum 2.
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.94 ms
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)

By this time, SW88004 has been synchronized by SW88003 and is at stratum 3, one higher than SW88003.
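A way to check the display ntp-service status output shown above (and for SW88002 earlier) from a monitoring script, as an added example that is not part of the guide: it parses the key: value lines, decides whether the clock is usable (status synchronized and stratum below 16, the unsynchronized marker in the output), and decodes the 64-bit hexadecimal NTP timestamp printed after the reference time, whose first word is seconds since 1900-01-01 UTC and whose second word is a binary fraction of a second. The two sample outputs are constructed from the guide's before and after status listings.

```python
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed samples, trimmed from the guide's 'display ntp-service status'
# output before and after the switch was synchronized by its server.
BEFORE_SYNC = """clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequency: 100.0000 Hz"""

AFTER_SYNC = """clock status: synchronized
clock stratum: 3
root delay: 0.00 ms
root dispersion: 10.94 ms
reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)"""


def ntp_timestamp_to_datetime(ts_hex):
    """Decode an NTP timestamp written as SSSSSSSS.FFFFFFFF in hex.

    Returns (datetime in UTC, milliseconds) so that the result can be compared
    with the human-readable reference time printed on the same line.
    """
    sec_hex, frac_hex = ts_hex.split(".")
    seconds, fraction = int(sec_hex, 16), int(frac_hex, 16)
    if seconds < 0x80000000:  # top bit clear: era 1, i.e. a time after 2036
        seconds += 1 << 32
    return NTP_EPOCH + timedelta(seconds=seconds), fraction * 1000 >> 32


def parse_ntp_status(text):
    """Map each 'key: value' line of the status output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def reference_time(fields):
    """Decode the hex timestamp in parentheses after 'reference time', if present."""
    m = re.search(r"\(([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\)", fields.get("reference time", ""))
    return ntp_timestamp_to_datetime(m.group(1)) if m else None


def clock_is_synchronized(fields):
    """Usable time source: status synchronized and stratum below 16."""
    return (fields.get("clock status") == "synchronized"
            and int(fields.get("clock stratum", "16")) < 16)
```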
Configure Switch SW88004:
1 Enter system view.
system-view
2 Enter Vlan-interface2 view.
[SW88004]interface vlan-interface 2
3 Enable multicast client mode.
[SW88004-Vlan-Interface2]ntp-service multicast-client

Configure Switch SW88001:
1 Enter system view.
system-view
2 Enter Vlan-interface2 view.
[SW88001]interface vlan-interface 2
3 Enable multicast client mode.
[SW88002]ntp-service reliable authentication-keyid 42

The above example is meant to synchronize SW88002 with SW88001. Since authentication has not been enabled on SW88001, it cannot synchronize SW88002. Perform the following additional configurations on SW88001:
1 Enable authentication.
[SW88001]ntp-service authentication enable
2 Set the key.
[SW88001]ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
3 Configure the key as reliable.