Switch 7700 Configuration Guide Version 3.0 http://www.3com.com/ Published November 2004 Part No.
3Com Corporation 350 Campus Drive Marlborough, MA 01752-3064 Copyright © 2004, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS ABOUT THIS GUIDE Conventions 1 SYSTEM ACCESS Product Overview 3 Function Features 3 Configuring the Switch 7700 4 Setting Terminal Parameters 5 Configuring Through Telnet 8 Configuring Through a Dial-up Modem 11 Configuring the User Interface 12 Command Line Interface 20 Command Line View 20 Features and Functions of the Command Line 23 PORT CONFIGURATION Ethernet Port Overview 27 Configuring Ethernet Ports 27 Setting the VLAN VPN Feature 33 Example: Configuring the Default VLAN ID of the Trun
NETWORK PROTOCOL OPERATION Configuring IP Address 59 Subnet and Mask 60 Configuring an IP Address 60 Troubleshooting an IP Address Configuration 62 Configuring Address Resolution Protocol (ARP) 62 Configuring ARP 63 DHCP Relay 64 Configuring DHCP Relay 65 Troubleshooting a DHCP Relay Configuration 68 IP Performance 68 Configuring TCP Attributes 68 Configuring Special IP Packet Transmission to the CPU Configuring L3 Broadcast Forwarding 69 Displaying and Debugging IP Performance 70 Troubleshooting IP Perform
BGP Routing 149 BGP Peers and Peer Groups 150 Configuring BGP 150 Typical BGP Configuration Examples 168 Troubleshooting BGP 174 IP Routing Policy 174 Routing Information Filters 175 Configuring an IP Routing Policy 176 Troubleshooting Routing Policies 182 Route Capacity 183 Limiting Route Capacity 183 Configuring Route Capacity 183 MULTICAST PROTOCOL IP Multicast Overview 191 Multicast Addresses 192 IP Multicast Protocols 194 Forwarding IP Multicast Packets 195 Applying Multicast 196 Configuring Common Mu
Activating an ACL 236 ACL Configuration Examples 237 Access Control 237 Basic ACL 238 Link ACL 239 Configuring QoS 239 Qos Concepts 240 Configuring QoS 243 QoS Configuration Examples 250 Configuring ACL Control 257 Configuring ACL Control for TELNET Users 258 Configuring ACL Control for SNMP Users 259 STP OPERATION STP Overview 263 Configuring STP 263 Designating Switches and Ports 264 Calculating the STP Algorithm 264 Generating the Configuration BPDU 265 Selecting the Optimum Configuration BPDU 265 Desig
802.1x System Architecture 287 Configuring 802.
Configuring RMON 354 NTP 357 Configuring NTP 358 NTP Configuration Examples 364 SSH Terminal Services 371 Configuring the SSH Server 373 Configuring the SSH Client 376 Specifying the Server IP Address 376 Displaying and Debugging SSH 379 SSH Configuration Example 380
ABOUT THIS GUIDE This guide describes the 3Com® Switch 7700 and how to configure it in version 3.0 of the software. Conventions Table 1 lists icon conventions that are used throughout this book. Table 1 Notice Icons Icon Notice Type Description Information note Information that describes important features or instructions. Caution Information that alerts you to potential loss of data or potential damage to an application, system, or device.
1 SYSTEM ACCESS This chapter covers the following topics: ■ Product Overview ■ Configuring the Switch 7700 ■ Setting Terminal Parameters ■ Command Line Interface Product Overview The 3Com Switch 7700 is a large-capacity, modular, wire-speed Layer 2/Layer 3 switch. It is designed for IP metropolitan area networks (MAN), large-sized enterprise networks, and campus network users. The Switch 7700 has an integrated chassis structure.
4 CHAPTER 1: SYSTEM ACCESS Table 1 Function Features (continued) Configuring the Switch 7700 Features Support IP routing Static route RIP V1/v2 OSPF BGP (in extended software) IS-IS (in extended software) IP routing policy DHCP Relay Dynamic Host Configuration Protocol (DHCP) Relay Link aggregation Link aggregation Mirror Port-based mirroring Security features Multi-level user management and password protect 802.
Setting Terminal Parameters Figure 1 Setting Up the Local Configuration Environment Through the Console Port (PC RS-232 serial port connected to the switch console port with a console cable) To set terminal parameters: 1 Start the PC and select Start > Programs > Accessories > Communications > HyperTerminal. 2 The HyperTerminal window displays the Connection Description dialog box, as shown in Figure 2.
Figure 3 Properties Dialog Box 5 Click OK. The Port Settings tab, shown in Figure 4, displays, and you can set the serial port parameters.
Figure 4 Set Communication Parameters 6 Click OK. The HyperTerminal dialog box displays, as shown in Figure 5. 7 Select Properties. Figure 5 HyperTerminal Window 8 In the Properties dialog box, select the Settings tab, as shown in Figure 6. 9 Select VT100 in the Emulation dropdown menu. 10 Click OK.
Figure 6 Settings Tab Setting the Terminal Parameters is described in the following sections: ■ Configuring Through Telnet ■ Configuring Through a Dial-up Modem ■ Configuring the User Interface Configuring Through Telnet Before you can telnet to a Switch 7700 and configure it, you must: 1 Configure the IP address of a VLAN interface for the Switch 7700 through the console port (using the ip address command in VLAN interface view) 2 Add the port (that connects to a termi
Connecting the PC to the Switch 7700 To connect the PC and Switch 7700 through Telnet: 1 Authenticate the Telnet user through the console port before the user logs in by Telnet. By default, a password is required for authenticating the Telnet user to log in the Switch 7700. If a user logs in by Telnet without a password, the user sees the message: Login password has not been set! 2 Enter system view, return to user view by pressing Ctrl+Z.
6 Use the appropriate commands to configure the Switch 7700 or to monitor the operational state. Enter ? to get immediate help. For details on specific commands, refer to the chapters in this guide. When configuring the Switch 7700 by Telnet, do not modify the IP address unless necessary, because the modification might terminate the Telnet connection. By default, after passing the password authentication and logging on, a Telnet user can access the commands at login level 0.
Configuring Through a Dial-up Modem To configure your router through a dial-up modem: 1 Authenticate the modem user through the console port of the Switch 7700 before the user logs in to the switch through a dial-up modem. By default, a password is required for authenticating the modem user to log in to the Switch 7700. If a user logs in through the modem without a password, the user sees the message, Password required, but none set.
Figure 11 Set the Dialed Number Figure 12 Dial the Remote PC 4 Enter the preset login password on the remote terminal emulator and wait for the prompt. 5 Use the appropriate commands to configure the Switch 7700 or view its operational state. Enter ? to get immediate help. For details on a specific command, refer to the appropriate chapter in this guide. By default, after login, a modem user can access the commands at Level 0.
■ Remote configuration through a modem through the console port. There are two types of user interfaces: ■ AUX user interface is used to log in the Switch 7700 through a dial-up modem. A Switch 7700 can only have one AUX port. ■ VTY user interface is used to telnet the Switch 7700. For the Switch 7700, the AUX port and Console port are the same port, so there is only the AUX type of user interface for console access. The user interface is numbered by absolute number or relative number.
Perform the following configurations in user interface (AUX user interface only) view. Table 3 Configure the Attributes of the AUX (Console) Port Operation Command Configure the transmission speed on AUX (Console) port. By default, the transmission speed is 9600bps speed speed-value Restore the default transmission speed on AUX (Console) port undo speed Configure the flow control on AUX (Console) port.
By default, terminal service is enabled on all the user interfaces. Note the following points: ■ For the sake of security, the undo shell command can only be used on the user interfaces other than the AUX user interface. ■ You cannot use this command on the user interface through which you log in. ■ You must confirm your privilege before using the undo shell command in any legal user interface.
Table 8 Set the History Command Buffer Size Operation Command Restore the default history command buffer size undo history-command max-size Managing Users The management of users includes the setting of the user logon authentication method, the level of command a user can use after logging on, the level of command a user can use after logging on from the specific user interface, and the command level.
Perform username and password authentication when a user logs in through the VTY 0 user interface and set the username and password to zbr and 3Com respectively: [SW7700-ui-vty0] authentication-mode scheme [SW7700-ui-vty0] quit [SW7700] local-user zbr [SW7700-luser-zbr] service-type telnet [SW7700-luser-zbr] password simple 3Com 3 Set the Switch 7700 to allow user access without authentication.
When a user logs in to the switch, the command level that the user can access depends on two settings: the command level granted to the user, and the command level set on the user interface. If the two levels differ, the user's own level is used. For example, the command level of the VTY 0 user interface is 1, but user Tom has the right to access commands of level 3; if Tom logs in from the VTY 0 user interface, he can access commands of level 3 and lower.
Perform the following configuration in user view. Table 15 Configure to Send Messages Between User Interfaces Operation Command Configure to send messages between different user interfaces. send { all | number | type number } The auto-execute command runs a specified command automatically after you log in; the command is executed automatically each time you log in again. See Table 16.
Command Line Interface The Switch 7700 provides a series of configuration commands and command line interfaces for configuring and managing the Switch 7700. The command line interface has the following features. ■ Local configuration through the console port. ■ Local or remote configuration through Telnet. ■ Remote configuration through a dial-up Modem to log in to the Switch 7700. ■ Hierarchy command protection to prevent unauthorized users from accessing the switch.
Login users are also classified into four levels that correspond to the four command levels. After users of different levels log in, they can only use commands at their own, or lower, levels. To prevent unauthorized users from illegal intrusion, users are identified when switching from a lower level to a higher level with the super [ level ] command. User ID authentication is performed when users at a lower level switch to users at a higher level.
Figure 13 Relation Diagram of the Views (views shown: User view, System view, Ethernet port view, User interface view, VLAN view, VLAN interface view, RIP view, OSPF view, OSPF area view, Route policy view, Basic ACL view, Advanced ACL view, Interface-based ACL view, Layer-2 ACL view, FTP client view, Local-user view, PIM view, RADIUS server group view) Table 18 describes the function features of different views.
Table 18 Function Feature of Command View (continued) Command view Function Prompt Command to enter Local-user view Configure local user parameters [SW7700-luser-user1] Enter local-user user1 in System view User interface view Configure user interface parameters [SW7700-ui0] Enter user-interface 0 in System view FTP Client view Configure FTP Client parameters [ftp] Enter ftp in user view PIM view Configure PIM parameters Features and Functions of the Command Line
quit Exit from current command view super Enter the command workspace with specified user priority level telnet Establish one TELNET connection tracert Trace route function ■ Enter a command with a ?, separated by a space. If this position is for keywords, then all the keywords and the corresponding brief descriptions will be listed.
Common Command Line Error Messages All the commands that are entered by users can be correctly executed if they have passed the grammar check. Otherwise, error messages are reported to users. Common error messages are listed in Table 19. Table 19 Common Command Line Error Messages Error messages Causes Unrecognized command Cannot find the command. Cannot find the keyword. Wrong parameter type. The value of the parameter exceeds the range.
Table 21 Editing Functions Key Function Tab Press Tab after typing the incomplete key word and the system will execute the partial help: If the key word matching the typed one is unique, the system will replace the typed one with the complete key word and display it in a new line. If there is no matching key word or the matching key word is not unique, the system makes no modification but displays the originally typed word in a new line.
2 PORT CONFIGURATION This chapter covers the following topics: Ethernet Port Overview ■ Ethernet Port Overview ■ Configuring Link Aggregation The following features are found in the Ethernet ports of the Switch 7700: ■ 10BASE-T/100BASE-TX Gigabit Ethernet ports support MDI/MDI-X auto-sensing, and can be configured to operate in half/full duplex mode or auto-negotiation mode to negotiate the duplex mode and speed with other network devices. This also allows you to use the optimal mode automatically.
■ Setting Cable Type for Ethernet Port ■ Setting Flow Control for Ethernet Port ■ Permitting/Forbidding Jumbo Frames on the Ethernet port ■ Setting the Maximum MAC Addresses an Ethernet Port can Learn ■ Setting the Link Type for an Ethernet Port ■ Adding the Ethernet Port to a VLAN ■ Setting the Default VLAN ID for Ethernet Port ■ Copying a Port Configuration to Other Ports ■ Displaying and Debugging Ethernet Ports Entering Ethernet Port View Before confi
Setting Duplex Attribute of the Ethernet Port Set the port to full duplex to send and receive data packets at the same time. Set the port to half-duplex to either send or receive only. If the port has been set to auto-negotiation mode, the local and peer ports will automatically negotiate the duplex mode. Perform the following configuration in Ethernet port view. Table 4 Set Duplex Attribute for Ethernet Port Operation Command Set duplex attribute for Ethernet port.
Setting Flow Control for Ethernet Port If congestion occurs in the local switch after enabling flow control in both the local and the peer switch, then the switch will inform its peer to pause sending packets. Once the peer switch receives this message, it will pause packet sending, and vice versa. In this way, packet loss is effectively reduced. The flow control function of the Ethernet port can be enabled or disabled through the following command.
If the count parameter is set to 0, the port is not permitted to learn MAC addresses. By default, there is no limit to the number of MAC addresses that an Ethernet port can learn. However, the number of MAC addresses a port can learn is still restricted by the size of the MAC address table. Setting Ethernet Port Broadcast Suppression Ratio You can use the following commands to restrict the broadcast traffic.
A port on a switch can be configured as an access port, a hybrid port, or a trunk port. However, to reconfigure between hybrid and trunk link types, you must first restore the default, or access link type. The default link type is the access link type. Adding the Ethernet Port to a VLAN The following commands are used for adding an Ethernet port to a specified VLAN. Access ports can be added to only one VLAN, while hybrid and trunk ports can be added to multiple VLANs.
Table 13 Set the Default VLAN ID for the Ethernet Port Operation Command Restore the default VLAN ID of the hybrid port to the default value undo port hybrid pvid Restore the default VLAN ID of the trunk port to the default value undo port trunk pvid Setting the VLAN VPN Feature ■ A Trunk port and isolate-user-vlan cannot be configured simultaneously. A hybrid port and isolate-user-vlan can be configured simultaneously.
■ QoS setting — includes traffic limiting, priority marking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, traffic statistics. ■ VLAN setting — includes permitted VLAN types, default VLAN ID. ■ Port setting — includes port link type, port speed, duplex mode. ■ LACP setting — includes LACP enabling/disabling. Perform the following configuration in system view.
The following configurations are used for Switch A; configure Switch B in a similar way: 1 Enter the Ethernet port view of Ethernet1/0/1. [SW7700] interface ethernet1/0/1 2 Set Ethernet1/0/1 as a trunk port and allow VLAN 2, 6 through 50, and 100 to pass through. [SW7700-Ethernet1/0/1] port link-type trunk [SW7700-Ethernet1/0/1] port trunk permit vlan 2 6 to 50 100 3 Create VLAN 100. [SW7700] vlan 100 4 Configure the default VLAN ID of Ethernet1/0/1 as 100.
(point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge port or not. The QoS setting includes traffic limiting, priority marking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, traffic statistics. The VLAN setting includes permitted VLAN types, default VLAN ID. The port setting includes port link type.
■ The system sets ports to inactive state if their basic configurations are different from the basic configuration of the active port with the lowest port number.
compares port priority values and then port numbers, and the smaller port ID takes priority. If the system ID changes from non-priority to priority, then the selected or standby state is determined by the port priority of the system. You can decide whether the port is selected or standby by setting system priority and port priority. Load Sharing In terms of load balancing, link aggregation may be load-balancing or non-load-balancing.
■ Displaying and Debugging Link Aggregation Enabling or Disabling LACP at a Port You should first enable LACP at the ports before performing dynamic aggregation, so that both parties can agree on adding/deleting the ports into/from a dynamic LACP aggregation group. Perform the following configuration in Ethernet port view.
to a static one. In the former case, LACP shall be disabled at the member ports automatically, while in the latter case, LACP shall remain enabled. Adding or Deleting Ethernet Ports to or from an Aggregation Group You can add/delete ports into/from a manual or static LACP aggregation group, but member port adding or deleting for a dynamic LACP aggregation group is implemented by the system. Perform the following configuration in corresponding view.
Perform the following configuration in system view. Table 21 Configure System Priority Operation Command Configure system priority lacp system-priority system-priority-value Restore the default system priority undo lacp system-priority By default, system priority is 32768.
Table 23 Display and Debug Link Aggregation (continued) Operation Command Disable/enable debugging LACP state machine [ undo ] debugging lacp state [ interface { interface-type interface-number | interface-name } [ to { interface-type interface-num | interface-name } ] ] { { actor-churn | mux | partner-churn | ptx | rx }* | all } Disable/enable debugging LACP packets [ undo ] debugging lacp packet [ interface { interface-type in Example: Link Aggregation Configuration
[SW7700-Ethernet1/0/1] interface ethernet1/0/2 [SW7700-Ethernet1/0/2] port link-aggregation group 1 [SW7700-Ethernet1/0/2] interface ethernet1/0/3 [SW7700-Ethernet1/0/3] port link-aggregation group 1 3 Configure a dynamic LACP aggregation ■ Enable LACP at Ethernet ports Ethernet1/0/1 to Ethernet1/0/3.
3 VLAN CONFIGURATION This chapter covers the following topics: ■ VLAN Overview ■ Configuring VLANs ■ Configuring GARP/GVRP VLAN Overview A virtual local area network (VLAN) groups LAN devices into logical segments to implement virtual workgroups. Using VLAN technology, you can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same demands.
Common VLAN Configuration Tasks The following sections discuss the common tasks for configuring a VLAN: ■ Creating or Deleting a VLAN ■ Specifying the Broadcast Suppression Ratio for a VLAN ■ Setting or Deleting the VLAN Description Character String ■ Specifying or Removing VLAN Interfaces ■ Shutting Down or Enabling a VLAN Interface ■ Displaying and Debugging a VLAN Creating or Deleting a VLAN Use the following command to create or delete a VLAN.
Setting or Deleting the VLAN Description Character String You can use the following command to set or delete the VLAN description character string. The description character strings, such as workgroup_name and department_name, are used to distinguish the different VLANs. Perform the following configuration in VLAN view.
status of one or more Ethernet ports is UP, the status of the VLAN interface is UP also, so the VLAN interface is enabled. Displaying and Debugging a VLAN After configuring a VLAN, execute the display command in any view to display the VLAN configuration, and to verify the effect of the configuration.
Configuring Port-Based VLANs Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view.
Creating and Deleting a VLAN Protocol Type You can use the following command to create or delete a VLAN protocol type. Perform the following configuration in VLAN view.
[SW7700-vlan2] vlan 3 4 Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN3. [SW7700-vlan3] port ethernet1/0/3 to ethernet1/0/4 Example: Protocol-Based VLAN Configuration From port G1/0/1, all the traffic with source IP 10.0.0.1 will belong to VLAN 2 and any other IP traffic will belong to VLAN 3. If we configure port G1/0/2 in VLAN 2, the traffic with source IP 10.0.0.1 will be sent from port G1/0/2.
2 Configure VLAN 2 and VLAN 3 as protocol VLANs. Set VLAN 2 as IP 10.0.0.1 protocol and VLAN 3 as IP protocol [SW7700-vlan2]protocol-vlan ? at Specify AT(AppleTalk Protocol) configuration information ip Specify IP(Internet Protocol) configuration information ipx Specify IPX(Internetwork Packet eXchange) configuration information mode Specify other protocol mode configuration information [SW7700-vlan2]vlan [SW7700-vlan2]protocol-vlan [SW7700-vlan2]protocol-vlan ip 10.
[SW7700-GigabitEthernet1/0/1]port hybrid protocol-vlan 2 0 [SW7700-GigabitEthernet1/0/1]port hybrid protocol-vlan 3 0 [SW7700-GigabitEthernet1/0/1]display th # interface GigabitEthernet1/0/1 port link-type hybrid port hybrid vlan 2 to 3 tagged port hybrid vlan 1 untagged port hybrid protocol-vlan 2 0 port hybrid protocol-vlan 3 0 # return 4 Configure port G1/0/3 as VLAN 3 and port G1/0/2 as VLAN 2 [SW7700]vlan 3 [SW7700-vlan3]port g1/0/3 [SW7700-vlan3]vlan 2 [SW7700-vlan2]port g1
messages cooperate to ensure the logout and the re-registration of a message. By exchanging messages, all the attribute information to be registered can be propagated to all the switches in the same switching network. The destination MAC addresses of the packets of the GARP participants are specific multicast MAC addresses.
Note that the value of the join timer should be no less than twice the value of the hold timer, and the value of the leave timer should be greater than twice the value of the join timer and smaller than the leaveall timer value. Otherwise, the system displays an error message.
■ Enabling or Disabling Port GVRP ■ Setting the GVRP Registration Type When you configure GVRP, you need to enable it globally and for each port participating in GVRP. Similarly, the GVRP registration type can take effect only after you configure port GVRP. In addition, you must configure GVRP on the trunk port. Enabling or Disabling Global GVRP Use the following commands to enable or disable global GVRP. Perform the following configurations in system view.
■ When an Ethernet port registration type is set to forbidden, all the VLANs except VLAN1 are logged out and no other VLANs can be created or registered on this port. Perform the following configurations in Ethernet port view.
[SW7700-Ethernet1/0/1] vlan 3 [SW7700-vlan3] vlan 4 3 Enable GVRP globally. [SW7700-vlan4] quit [SW7700] gvrp 4 Enable GVRP on the trunk port. [SW7700] interface Ethernet 1/0/1 [SW7700-Ethernet1/0/1] gvrp Configure Switch B: 1 Set Gigabit Ethernet2/1 as a trunk port and allow all the VLANs to pass through. [SW7700] interface Ethernet 2/0/1 [SW7700-Ethernet2/0/1] port link-type trunk [SW7700-Ethernet2/0/1] port trunk permit vlan all 2 Enable GVRP globally.
4 NETWORK PROTOCOL OPERATION This chapter covers the following topics: ■ Configuring IP Address ■ Configuring Address Resolution Protocol (ARP) ■ DHCP Relay ■ IP Performance ■ Configuring IPX Configuring IP Address An IP address is a 32-bit address represented by four octets. IP addresses are divided into five classes, A, B, C, D and E. The class is determined by the first few bits of the first octet.
■ Subnet and Mask ■ Configuring an IP Address ■ Troubleshooting an IP Address Configuration The IP protocol allocates one IP address for each network interface. Multiple IP addresses can only be allocated to a device which has multiple network interfaces. IP addresses on a device with multiple interfaces have no relationship among themselves. With the rapid development of the Internet, IP addresses are being depleted very fast.
Perform the following configuration in VLAN interface view. Table 2 Configure IP Address for a VLAN Interface Operation Command Configure IP address for a VLAN interface ip address ip-address net-mask [ sub ] Delete the IP address of a VLAN interface [ undo ] ip address [ ip-address { net-mask | mask-length } [ sub ] ] The network ID of an IP address is identified by the mask. For example, the IP address of a VLAN interface is 129.9.30.42 and the mask is 255.255.0.0.
[SW7700-vlan-interface1] ip address 129.2.2.1 255.255.255.0 Troubleshooting an IP Address Configuration If the Ethernet Switch cannot ping a certain host on the LAN, proceed as follows: 1 Determine which VLAN includes the port connected to the host. Check whether the VLAN has been configured with the VLAN interface. Determine whether the IP address of the VLAN interface and the host are on the same network segment.
Configuring ARP The ARP mapping table can be maintained dynamically or manually. Addresses that are mapped manually are referred to as static ARP. The user can display, add, or delete the entries in the ARP mapping table through manual commands.
Displaying and Debugging ARP After the previous configuration, execute the display command in any view to display the operation of the ARP configuration, and to verify the effect of the configuration. Execute the debugging command in user view to debug the ARP configuration.
Then the server transmits the configuration information to the clients through the DHCP relay, thereby completing the dynamic configuration of the client.
Configuring the Address Table Entry To check the address of users who have valid and fixed IP addresses in the VLAN (with DHCP enabled), it is necessary to add an entry in the static address table. Perform the following configuration in system view.
Figure 3 Networking Diagram of Configuring DHCP Relay (DHCP Server Group 1: 1.99.255.36 and 1.99.255.35; DHCP Server Group 2: 1.88.255.36 and 1.88.255.35; VLAN 2, VLAN 3, VLAN 3001 and VLAN 4000 across the IP network) 1 Configure the DHCP Server IP addresses into DHCP Server Group 1. [SW7700] dhcp-server 1 ip 1.99.255.36 1.99.255.35 2 Associate DHCP Server Group 1 with VLAN interface 2. [SW7700-VLAN-Interface2] dhcp-server 1 3 Configure the IP address corresponding to DHCP server group 2. [SW7700] dhcp-server 2 ip 1.88.
8 Show the configuration of DHCP server groups in User view. display dhcp-server 1 9 Show the DHCP Server Group number corresponding to the VLAN interface in User view.
finwait timer timeout, the TCP connection will be terminated. The finwait timer ranges from 76 to 3600 seconds and is 675 seconds by default. ■ The receiving/sending buffer size of a connection-oriented Socket is in the range from 1 to 32K bytes and is 4K bytes by default. Perform the following configuration in System view.
If a broadcast packet reaches the destination network after being forwarded by the switch, the switch receives the broadcast packet because it also belongs to that subnet. Because the VLAN of the switch isolates the broadcast domain, the switch stops forwarding the packet to the network. Using the following configuration task, you can choose to forward the broadcast packet to the network for broadcasting. Perform the following configuration in system view.
Operations include: terminal debugging debugging tcp packet The TCP packets, received or sent, can be checked in real time. Specific packet formats include: TCP output packet: Source IP address:202.38.160.1 Source port:1024 Destination IP Address 202.38.160.1 Destination port: 4296 Sequence number :4185089 Ack number: 0 Flag :SYN Packet length :60 Data offset: 10 ■ Debug and trace the packets located in SYN, FIN or RST.
next site and if there is any, forwards the packet. The routing information can be configured statically or collected dynamically. This chapter introduces RIP in IPX. For the RIP configurations on an IP network, refer to the routing protocol section in this manual. Service Advertising Protocol The Service Advertising Protocol (SAP) advertises the services provided by servers and their addresses.
Assigning IPX Network Numbers to VLAN Interfaces To enable IPX on a VLAN interface after it is enabled globally, you must assign a network number to the VLAN interface. One VLAN interface can have only one network number. Perform the following configuration in VLAN interface view.
74 CHAPTER 4: NETWORK PROTOCOL OPERATION Configuring an IPX Route Limit In IPX, you can configure in the routing table the maximum number of the dynamic routes and equivalent routes to the same destination. These two limit settings are independent. Perform the following configuration in system view.
IPX Configuration 75 Configuring the Update Interval of IPX RIP The switch broadcasts RIP update packets periodically. You can configure the update interval of IPX RIP with the following command. Perform the following configuration in system view.
Perform the following configuration in VLAN interface view.
Table 25 Configuring the IPX Forwarding Delay on the VLAN Interface
Operation                                                  Command
Configure the IPX packet forwarding delay on the VLAN interface   ipx tick ticks
Restore the default forwarding delay                       undo ipx tick
By default, the forwarding delay on the VLAN interface is one tick.
Configuring the Update Interval of IPX SAP
In a large network, one IPX SAP broadcast consumes a great deal of bandwidth. By configuring an appropriate SAP update interval you reduce this waste. Perform the following configuration in system view.
■ Respond with the information of the nearest server (the server with the smallest hop count in the service information table on the switch).
■ Respond with the information of one server picked from all known servers by round-robin polling.
■ Respond depending on whether SAP GNS reply is enabled on the VLAN interface.
Perform the following configuration in system view.
The following table shows some common service types and their values:
Table 34 Service Types and Their Values
Service Type               Value
Unknown                    0000h
Print Queue                0003h
File Server                0004h
Job Server                 0005h
Print Server               0007h
Archive Server             0009h
Remote Bridge Server       0024h
Advertising Print Server   0047h
Reserved                   up to 8000h
Wildcard                   FFFFh (-1)
Configuring the Maximum Length of the Service Information Reserve-Queue for One Service Type
IPX supports up to 10240 service entries
on the VLAN interfaces of the switch. This allows the switch to broadcast an update only when route or service information changes, which avoids broadcast flooding. Perform the following configuration in VLAN interface view.
Table 36 Configuring Triggered Update of IPX
Operation                          Command
Enable triggered update of IPX     ipx update-change-only
Disable triggered update of IPX    undo ipx update-change-only
By default, the triggered update feature of IPX is disabled.
Perform the following configuration in VLAN interface view.
Table 39 Enabling or Disabling Forwarding of IPX Type 20 Broadcast Packets
Operation                                            Command
Enable the forwarding of type 20 broadcast packets   ipx netbios-propagation
Disable the forwarding of type 20 broadcast packets  undo ipx netbios-propagation
By default, type 20 broadcast packets are not forwarded. Enabling this extends NetBIOS broadcast traffic across network segments, so enable it only on the interfaces that actually need to carry it.
The client accesses the file and directory services provided by the server through the IPX network. The node address of the server is 0000-0c91-f61f. Figure 4 illustrates this configuration.
Figure 4 IPX Network Topology
1 Configure Switch A
Enable IPX.
[SW7700] ipx enable
Assign the network number 2 to VLAN interface 2 to enable IPX on the interface.
[SW7700] interface vlan-interface 2
[SW7700-Vlan-interface2] ipx network 3
Set the IPX packet encapsulation format to Ethernet_SNAP on VLAN interface 2.
[SW7700-Vlan-interface2] ipx encapsulation snap
[SW7700-Vlan-interface2] quit
Assign the network number 1001 to VLAN interface 1 to enable IPX on the interface.
■ Use the display ipx interface command to check that SAP is not disabled on the VLAN interface.
4 A type 20 IPX packet cannot be transmitted to other network segments. Do the following:
■ Execute the display ipx interface command and check that forwarding of type 20 IPX packets is enabled on both the input and the output interfaces.
■ Check that the VLAN interface is up and SAP is enabled, using the display ipx interface command.
■ Check that the hop count of the route to the server is less than 16, using the display ipx routing-table command.
■ Check that adequate memory is available for adding the service entry to the service information table. You can try to add it as a static service entry.
3 No new dynamic service entry is found in the service information table.
■ Confirm that the switch receives the GNS packets, using the debugging ipx packet sap command.
■ Confirm that SAP is enabled on the VLAN interface where the GNS requests are received.
■ Confirm that the VLAN interface is enabled to respond to GNS requests, using the display ipx interface command. If GNS reply is disabled, execute the undo ipx sap gns-disable-reply command to enable it.
5 IP ROUTING PROTOCOL OPERATION
This chapter covers the following topics:
■ IP Routing Protocol Overview
■ Static Routes
■ RIP
■ OSPF
■ IS-IS
■ BGP
■ IP Routing Policy
■ Route Capacity
IP Routing Protocol Overview
Routers select a path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router; the last router on the path delivers the packet to the destination host.
Figure 1 About Hops (hosts A, B and C connected through routers R; the link between two routers is a route segment)
Networks differ in size, so the lengths of the segments between different pairs of routers also differ. If each router in a network is regarded as a node and each route segment in the Internet as a link, message routing in the Internet works much like message routing in a conventional network.
■ The output interface: the interface through which an IP packet should be forwarded.
■ The next hop address: the next router that an IP packet will pass through.
■ The priority of the route added to the IP routing table: indicates which type of route is selected. There may be multiple routes with different next hops to the same destination.
the user are managed together with the dynamic routes discovered by routing protocols. Static routes and the routes learned or configured by routing protocols can be shared with each other. Routing protocols (and static configuration) can produce different routes to the same destination, but not all of them are optimal. At any given moment only one routing protocol determines the current route to a given destination.
In a relatively simple network you only need to configure static routes for the router to work normally. Proper configuration and use of static routes can improve network performance and ensure bandwidth for important applications. The following are static routes:
■ Reachable route: the normal route, in which the IP packet is sent to the next hop towards the destination. It is the common type of static route.
Configuring a Static Route
Perform the following configurations in system view.
Table 3 Configuring a Default Route
Operation               Command
Delete a default route  undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-name | gateway-address }
The parameters for a default route are the same as for a static route.
Deleting All Static Routes
Use the undo ip route-static command to delete one static route. The Switch 7700 also provides the delete static-route all command to delete all static routes, including the default routes, at one time. Because the default route goes too, run it from the console or check first that the management station is still reachable through a directly connected or dynamically learned route.
Figure 3 Static Route Configuration (hosts 1.1.1.1, 1.1.4.2 and 1.1.5.1; Switch A, Switch B and Switch C interconnected by the 1.1.1.0/24 to 1.1.5.0/24 networks)
1 Configure the static routes on Ethernet Switch A:
[Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[Switch A] ip route-static 1.1.5.0 255.255.255.0 1.1.2.
RIP
Routing Information Protocol (RIP) is a simple dynamic routing protocol based on the Distance-Vector (D-V) algorithm. It uses the hop count to measure the distance to the destination host; this is called the routing cost. In RIP, the hop count from a router to a directly connected network is 0; the hop count to a network reachable through one other router is 1, and so on. To bound convergence time, RIP requires that the cost be an integer from 0 to 15; a cost of 16 means the destination is unreachable.
validity of routes. With these mechanisms, RIP, an interior routing protocol, lets a router learn the routing information of the entire network. RIP has become one of the most widely used standards for distributing router and host routes. It suits most campus and regional networks that are simple yet extensive; it is not recommended for larger, more complex networks.
By default, RIP is not enabled.
Enabling the RIP Interface
For flexible control of RIP operation you can specify an interface and configure the network it is on as a RIP network, so that the interface sends and receives RIP packets. Perform the following configurations in RIP view.
The default multicast address is 224.0.0.9. The advantage of sending packets in multicast mode is that hosts on the same network that do not run RIP do not receive RIP broadcast packets. This mode also prevents hosts running RIP-1 from receiving and incorrectly processing RIP-2 routes that carry subnet masks. An interface running RIP-2 can also receive RIP-1 packets.
Before RIP deletes an unreachable route from the routing table, it advertises the route in four update packets with a metric of 16 so that all neighbors learn that the route is unreachable. Routes do not always become unreachable at the start of an update period, so the effective garbage-collection time is 3 to 4 times the periodic update timer.
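The metric and timer behaviour described above, as an added example that is not part of this guide and not the switch's implementation: a small RIP route table that adds one hop per router, treats 16 as unreachable, and keeps a withdrawn route for a garbage-collection period during which it is advertised with metric 16. The timer values (180 s timeout, 120 s garbage collection) are the RFC 2453 defaults and the split-horizon-with-poisoned-reverse rule in advertise() is an assumption of the example; the prefixes and neighbor addresses are constructed.

```python
"""Toy RIP route table: an added example, not the Switch 7700 implementation.

It models the behaviour described above: hop counts 0..15 are reachable and
16 is "infinity"; a route that is no longer reachable is advertised with
metric 16 for a garbage-collection period before it is deleted.  The timer
values are the RFC 2453 defaults (180 s timeout, 120 s garbage collection)
and are assumptions here, not values taken from this guide.
"""
from dataclasses import dataclass, field

INFINITY = 16
TIMEOUT = 180          # seconds without a refresh before a route becomes invalid
GARBAGE_COLLECT = 120  # seconds the metric-16 route is kept and advertised


@dataclass
class Route:
    metric: int
    next_hop: str
    expires: float         # absolute time at which the current timer fires
    garbage: bool = False  # True once the route is in garbage collection


@dataclass
class RipTable:
    routes: dict = field(default_factory=dict)

    def receive(self, neighbor, entries, now):
        """Process a RIP response from `neighbor`.

        `entries` is a list of (prefix, metric) pairs as carried in the
        packet.  The receiver adds one hop for the link to the neighbor and
        clamps the result at INFINITY.
        """
        for prefix, adv_metric in entries:
            if not 0 <= adv_metric <= INFINITY:
                continue                      # RFC 2453: ignore invalid metrics
            metric = min(adv_metric + 1, INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:
                if metric < INFINITY:         # never install an unreachable route
                    self.routes[prefix] = Route(metric, neighbor, now + TIMEOUT)
                continue
            same_source = cur.next_hop == neighbor
            if same_source and metric == INFINITY:
                if not cur.garbage:           # our next hop withdrew the route
                    cur.metric, cur.garbage = INFINITY, True
                    cur.expires = now + GARBAGE_COLLECT
            elif metric < cur.metric or (same_source and not cur.garbage):
                # Strictly better route, or a refresh/change from the current
                # next hop (accepted even if the metric got worse).
                self.routes[prefix] = Route(metric, neighbor, now + TIMEOUT)

    def expire(self, now):
        """Run the timers: timeout -> metric 16, garbage-collect -> delete."""
        for prefix, r in list(self.routes.items()):
            if now < r.expires:
                continue
            if r.garbage:
                del self.routes[prefix]
            else:
                r.metric, r.garbage = INFINITY, True
                r.expires = now + GARBAGE_COLLECT

    def advertise(self, to_neighbor):
        """Entries for an update sent to `to_neighbor`.  Split horizon with
        poisoned reverse is assumed: routes learned from that neighbor go
        back with metric 16, and garbage-collected routes also go out as 16."""
        return sorted((p, INFINITY if r.next_hop == to_neighbor else r.metric)
                      for p, r in self.routes.items())
```

Calling receive() with a metric of 15 shows why the limit matters: the receiver computes 16 and does not install the route, so a network more than 15 hops away is simply unreachable. The expire() path is what produces the "four updates with metric 16" the text describes, since 120 s of garbage collection covers four 30 s update periods.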
Disabling Host Routes
In some cases a router receives many host routes from the same segment; these routes help little with route selection but consume many network resources. Use the undo host-route command to configure the router to reject host routes. Perform the following configurations in RIP view.
Perform the following configuration in VLAN interface view.
Table 15 Setting RIP-2 Packet Authentication
Operation                                                               Command
Configure RIP-2 simple authentication                                   rip authentication-mode simple password-string
Configure RIP-2 MD5 authentication with the packet format of RFC 1723   rip authentication-mode md5 usual key-string
Configure RIP-2 MD5 authentication with the packet format of RFC 2082   rip authentication-mode md5 nonstandard key-string key-id
The full syntax is rip authentication-mode { simple password-string | md5 { usual key-string | nonstandard key-string key-id } }.
Simple authentication carries the password in cleartext in the first entry of every RIP-2 packet, so anyone who can capture RIP traffic on the segment can read it and then inject routes. Prefer MD5 authentication, and use the RFC 2082 format where the peers support it: the key ID lets you roll keys without a gap, and the sequence number gives the receiver a way to reject replayed updates. All routers on a segment must use the same mode and key.
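The two authentication entries from Table 15 as wire formats, as an added example that is neither the switch's code nor part of this guide: the cleartext simple-password entry beside the keyed-MD5 entry of RFC 2082, with a receiver that checks the digest with the key selected by key ID and then enforces the sequence number. The routes, keys and peer address are constructed; rejecting an equal sequence number (RFC 2082 only rejects a lower one) is a hardening choice of the example and is marked as such in the code.

```python
"""RIP-2 authentication entries, as an added example (not the switch's code).

Builds a RIP-2 response carrying (a) the simple-password entry and (b) the
keyed MD5 authentication of RFC 2082, and verifies (b) on the receiving side,
including the sequence-number replay check.  Routes, keys and peer addresses
are constructed test values.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE, AUTH_MD5 = 2, 3   # authentication type codes
AUTH_TRAILER = 0x0001          # "type" field of the trailing digest entry
KEY_LEN = 16                   # simple password and MD5 digest are 16 octets


def route_entry(prefix, next_hop, metric):
    """One 20-byte RIP-2 route entry (AFI 2 = IP, route tag 0)."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(next_hop).packed,
                       metric)


def simple_auth_packet(password, entries):
    """Auth type 2: the password is sent in cleartext in the first entry, so
    anyone who can sniff the segment learns it and can inject routes."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE,
                       password.encode().ljust(KEY_LEN, b"\0"))
    return header + auth + b"".join(entries)


def _md5_digest(body, key):
    # RFC 2082: MD5 over the packet up to and including the trailer header,
    # followed by the key zero-padded to 16 octets where the digest will go.
    return hashlib.md5(body + key[:KEY_LEN].ljust(KEY_LEN, b"\0")).digest()


def md5_auth_packet(key, key_id, seq, entries):
    """Auth type 3: leading auth entry (key ID, digest length, sequence number)
    plus a trailing entry holding the 16-byte keyed digest."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body_len = len(header) + 20 + 20 * len(entries)   # everything before the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, body_len, key_id, KEY_LEN, seq)
    body = header + auth + b"".join(entries) + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return body + _md5_digest(body, key)


def verify_md5(packet, keys, last_seq, peer):
    """Receiver side.  `keys` maps key ID -> key; `last_seq` maps peer -> last
    accepted sequence number and is updated on success.  RFC 2082 rejects only
    a sequence number lower than the last one seen; this example also rejects
    an equal one (an assumption, so a captured packet cannot be replayed)."""
    if len(packet) < 44 or struct.unpack("!HH", packet[4:8]) != (AFI_AUTH, AUTH_MD5):
        return False
    body_len, key_id, auth_len, seq = struct.unpack("!HBBI", packet[8:16])
    if auth_len != KEY_LEN or body_len + 4 + KEY_LEN != len(packet) or key_id not in keys:
        return False
    if struct.unpack("!HH", packet[body_len:body_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
        return False
    body, digest = packet[:body_len + 4], packet[body_len + 4:]
    if not hmac.compare_digest(digest, _md5_digest(body, keys[key_id])):
        return False
    if seq <= last_seq.get(peer, -1):
        return False
    last_seq[peer] = seq
    return True
```

The simple-password packet is worth building once just to see the password sitting in octets 8 to 23 of the datagram; that is what the "simple" keyword puts on the wire. The verifier's length and key-ID checks come before the digest computation so that a malformed packet is dropped without touching the key.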
Configuring the Default Cost for Imported Routes
When you use the import-route command to import routes from other protocols, you can specify their cost. If you do not, RIP sets the cost of an imported route to the default cost, specified by the default cost parameter. Perform the following configurations in RIP view.
Configuring Route Filtering
The router provides a route filtering function. You can configure filter policy rules by specifying an ACL and an ip-prefix list for route redistribution and distribution. RIP packets from a specific router can also be accepted by designating that router as a neighbor. Perform the following configurations in RIP view.
Figure 4 RIP Configuration (Switch A: 155.10.1.1/24 and 110.11.2.1/24; Switch B and Switch C: 110.11.2.2/24, 117.102.0.1/16 and 196.38.165.1/24; networks 155.10.1.0/24, 110.11.2.0/24, 117.102.0.0/16 and 196.38.165.0/24)
The following configuration shows only the operations related to RIP.
■ Fast convergence: transmits update packets immediately after the network topology changes, so the change is synchronized across the AS.
■ Loop-free: calculates routes with the shortest-path-tree algorithm from the collected link states, so the algorithm itself generates no routing loops.
■ Area partition: allows the AS to be divided into areas for ease of management, so that the routing information transmitted between areas is further
The Hello packet is the most common packet sent by OSPF. A router sends it periodically to its neighbors. It carries the values of some timers, the DR, the BDR and the known neighbors.
■ Database Description (DD) packet: when two routers synchronize their databases, they use DD packets to describe their own link state databases (LSDBs), including a digest of each LSA.
■ Area
If all routers on a large network run OSPF, the large number of routers produces an enormous LSDB, which consumes storage, complicates the SPF calculation and adds CPU load. Furthermore, as a network grows, its topology changes more often, so the network is always in "turbulence" and a large number of OSPF packets are generated and transmitted, consuming bandwidth.
■ Setting a Shortest Path First (SPF) Calculation Interval for OSPF
■ Configuring the OSPF STUB Area
■ Configuring NSSA of OSPF
■ Configuring the Route Summarization of OSPF Area
■ Configuring OSPF Virtual Link
■ Configuring Summarization of Imported Routes by OSPF
■ Configuring the OSPF Area to Support Packet Authentication
■ Configuring OSPF Packet Authentication
■ Configuring OSPF to Import the Routes of Other Protocols
■ Configuring Param
prevents neighboring routers from exchanging information and can lead to congestion or routing loops. Perform the following configuration in OSPF area view.
Table 25 Specifying an Interface
Operation                          Command
Specify an interface to run OSPF   network ip-address ip-mask
Disable OSPF on the interface      undo network ip-address ip-mask
You must specify the segments to which OSPF applies after enabling the OSPF task.
Consider the following points when configuring the network type:
■ NBMA means a network that is non-broadcast and multi-access; ATM is a typical example. You can configure the polling interval for Hello packets before the adjacency between neighboring routers is formed.
■ Configure the interface type to nonbroadcast on a broadcast network without multi-access capability.
Setting the Interface Priority for DR Election
The priority of a router interface determines its eligibility in DR election. A router with a higher priority is considered first when there is a conflict in the election. The DR is not designated manually; it is elected by all routers on the segment. Routers with a priority greater than 0 are eligible candidates. Among all routers that declare themselves DR, the one with the highest priority is elected.
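The election just described, as an added example that is not part of this guide: it applies the candidate rules of RFC 2328 section 9.4 (priority 0 routers are ineligible, highest priority wins, ties go to the higher Router ID, and a router already acting as DR is not pre-empted by a newcomer with a higher priority). The dictionary layout and the Router IDs and priorities used in the checks are assumptions of the example, not values from the guide.

```python
"""OSPF DR/BDR election on a broadcast segment: an added example, not the
Switch 7700 code.  Implements the candidate rules of RFC 2328 section 9.4:
priority 0 routers are ineligible, higher priority wins, ties are broken by
the higher Router ID, and a sitting DR/BDR keeps its role.  Router IDs and
priorities passed in are constructed test values."""
import ipaddress
from typing import Optional


def _rank(r):
    # Higher priority wins; on a tie the numerically larger Router ID wins.
    return (r["priority"], int(ipaddress.ip_address(r["rid"])))


def elect(routers, current_dr: Optional[str] = None, current_bdr: Optional[str] = None):
    """routers: list of {"rid": dotted Router ID, "priority": 0..255}.

    current_dr / current_bdr are the Router IDs the segment already sees
    claiming DR / BDR in their Hello packets (None on a cold start).  Returns
    the (dr, bdr) Router IDs, either of which may be None.
    """
    eligible = [r for r in routers if r["priority"] > 0]
    rids = {r["rid"] for r in eligible}
    # A router still claiming DR keeps it; a newcomer with priority 255 does
    # not displace it until it leaves the segment.
    dr = current_dr if current_dr in rids else None
    # BDR: a router already claiming BDR is preferred over the best of the
    # rest; routers claiming DR are never candidates for BDR.
    rest = [r for r in eligible if r["rid"] != dr]
    claimants = [r for r in rest if r["rid"] == current_bdr]
    best = max(claimants or rest, key=_rank, default=None)
    bdr = best["rid"] if best else None
    if dr is None and bdr is not None:
        # Nobody claims DR: the newly elected BDR is promoted to DR and a
        # BDR is elected again from what is left.
        dr = bdr
        rest = [r for r in eligible if r["rid"] != dr]
        best = max(rest, key=_rank, default=None)
        bdr = best["rid"] if best else None
    return dr, bdr
```

The non-pre-emption rule is the reason the guide tells you to set the priority before bringing the interface up rather than afterwards: once a lower-priority router has become DR, raising another router's priority changes nothing until the current DR goes away.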
the adjacent router of the interface, and whether that router is eligible for election, by configuring the peer ip-address command. If dr-priority-number is not specified, the adjacent router is regarded as ineligible. Perform the following configuration in OSPF view.
Table 30 Configuring the Peer
Operation                                Command
Configure a peer for the NBMA interface.
Table 32 Setting a Dead Timer for the Neighboring Routers
Operation                                                     Command
Restore the default dead interval of the neighboring routers  undo ospf timer dead
By default, the dead interval for neighbors on P2P or broadcast interfaces is 40 seconds and on P2MP or NBMA interfaces 120 seconds. Both the hello and the dead timer return to their defaults when you modify the network type. Neighbors whose Hello or dead intervals differ never form an adjacency, so change these timers on both ends of a link.
Setting a Shortest Path First (SPF) Calculation Interval for OSPF
Whenever the OSPF LSDB changes, the shortest path must be recalculated. Recalculating after every change consumes substantial resources and reduces router efficiency. Adjusting the SPF calculation interval limits the resource consumption caused by frequent network changes. Perform the following configuration in OSPF view.
By default, no STUB area is configured, and the cost of the default route to a STUB area is 1.
Configuring NSSA of OSPF
An NSSA is similar to a STUB area: AS-External-LSAs (type-5 LSAs) are not flooded into it, but external routes originated by an ASBR inside the NSSA are carried as NSSA-External-LSAs (type-7 LSAs). The NSSA ABR translates those type-7 LSAs into type-5 LSAs so that the routes can be advertised to the rest of the AS.
a type-7 LSA default route can be generated only if the default route 0.0.0.0 is in the routing table. Executing the no-import-route command on the ASBR prevents the external routes that OSPF imported through the import-route command from being advertised into the NSSA; this argument is generally used when the NSSA router is both an ASBR and an ABR. The default-cost command is used on the ABR attached to the NSSA.
that does not have a direct physical link to the backbone area 0.0.0.0, a virtual link must be created. If physical connectivity cannot be provided because of topology restrictions, a virtual link meets the requirement of RFC 2328 that every area connect to the backbone. The virtual link is a logical channel between two ABRs set up through a non-backbone area (the transit area). Both ends of the channel must be ABRs, and the link takes effect only when both ends are configured.
By default, summarization of imported routes is disabled. After it is configured, if the local router is an autonomous system border router (ASBR), the command summarizes the imported type-5 LSAs within the summary address range. When NSSA is configured, it also summarizes the imported type-7 LSAs within that range.
you can specify the route cost type, cost value and tag to override the default parameters for received routes (see "Configuring Parameters for OSPF to Import External Routes"). OSPF uses the following four types of routes, in order of priority:
■ Intra-area route
■ Inter-area route
■ External route type 1
■ External route type 2
Intra-area and inter-area routes describe the topology inside the AS; external routes describe how to reach destinations beyond the AS.
Perform the following configuration in OSPF view.
Perform the following configuration in OSPF view.
Table 46 Setting OSPF Route Preference
Operation                                                                    Command
Configure a priority for OSPF, for comparison with other routing protocols   preference [ ase ] preference
Restore the default protocol priority                                        undo preference [ ase ]
By default, the OSPF preference is 10 and the preference of imported external (ASE) routes is 150.
Configuring OSPF Route Filtering
Perform the following configuration in OSPF view.
Perform the following configuration in OSPF view.
Table 49 Disabling the Interface from Sending OSPF Packets
Operation                                        Command
Prevent the interface from sending OSPF packets  silent-interface silent-interface-type silent-interface-number
Allow the interface to send OSPF packets         undo silent-interface silent-interface-type silent-interface-number
By default, all interfaces are allowed to transmit and receive OSPF packets. Apply silent-interface to every VLAN interface that faces end hosts rather than OSPF routers: the interface's network is still advertised, but no Hello packets are sent, so a host on that segment cannot form an adjacency and inject LSAs.
Table 51 Enabling/Disabling the OSPF TRAP Function
Operation                  Command
Disable OSPF TRAP function undo snmp-agent trap enable ospf [ process-id ] [ ifstatechange | virifstatechange | nbrstatechange | virnbrstatechange | ifcfgerror | virifcfgerror | ifauthfail | virifauthfail | ifrxbadpkt | virifrxbadpkt | txretransmit | viriftxretransmit | originatelsa | maxagelsa | lsdboverflow | lsdbapproachoverflow ]
By default, the OSPF TRAP function is disabled, so the switch does not send TRAP packets when any of these events occurs. The ifauthfail and virifauthfail traps report authentication failures and ifrxbadpkt reports malformed packets; enabling at least these gives the management station a signal of misconfiguration or tampering on an OSPF segment.
Table 53 Displaying and Debugging OSPF
Operation                                 Command
Display OSPF ABR and ASBR information     display ospf [ process-id ] abr-asbr
Display OSPF interface information        display ospf [ process-id ] interface
Display OSPF errors                       display ospf [ process-id ] error
Example: OSPF Configuration
Configuring DR Election Based on OSPF Priority
In this example, four Switch 7700 routers, Switch A, Switch B, Switch C and Switch D, which can perform the route
[Switch C-Vlan-interface1] ip address 196.1.1.3 255.255.255.0
[Switch C-Vlan-interface1] ospf dr-priority 2
[Switch C] router id 3.3.3.3
[Switch C] ospf
[Switch C-ospf-1] area 0
[Switch C-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.255
4 Configure Switch D:
[Switch D] interface Vlan-interface 1
[Switch D-Vlan-interface1] ip address 196.1.1.4 255.255.255.0
[Switch D] router id 4.4.4.4
[Switch D] ospf
[Switch D-ospf-1] area 0
[Switch D-ospf-1-area-0.0.0.0] network 196.1.1.0 0.0.0.
Figure 7 OSPF Virtual Link Configuration (Switch A, router ID 1.1.1.1, 196.1.1.1/24 in Area 0; Switch B, router ID 2.2.2.2, 196.1.1.2/24 in Area 0 and 197.1.1.2/24 in Area 1; Switch C, router ID 3.3.3.3, 197.1.1.1/24 in Area 1 and 152.1.1.1/24 in Area 2; the virtual link runs through Area 1 between Switch B and Switch C)
The commands listed below implement this configuration.
1 Configure Switch A:
[Switch A] interface Vlan-interface 1
[Switch A-Vlan-interface1] ip address 196.1.1.1 255.255.255.0
[Switch A] router id 1.1.1.
[Switch C-ospf-area-0.0.0.2] network 152.1.1.0 0.0.0.255
Troubleshooting OSPF
1 OSPF has been configured according to the previous procedures, but OSPF on the router does not run normally.
■ Troubleshoot locally. Check whether the protocol between two directly connected routers is operating normally; the normal sign is that the neighbor state machine between the two routers reaches the FULL state.
As shown in Figure 8, RTA and RTD each belong to only one area, whereas RTB and RTC each belong to two areas. RTB belongs to area 0, which satisfies the backbone membership requirement, but RTC does not. Therefore a virtual link must be set up between RTC and RTB to ensure that area 2 is connected to area 0 (the backbone).
■ Network Service Access Point (NSAP) is the ISO network layer address. It identifies an abstract network service access point and describes the network address used for routing in the ISO model.
Figure 9 IS-IS Topology
NSAP Structure of IS-IS
Figure 10 illustrates the NSAP structure. The whole address is 8 to 20 bytes long.
Figure 10 NSAP Structure
An NSAP consists of the initial domain part (IDP) and the domain specific part (DSP). Both IDP and DSP are variable in length, with a combined length of at most 20 bytes.
authority and format identifier (AFI) and the initial domain identifier (IDI). The AFI defines the format of the IDI. The DSP has several bytes. The area address is composed of the routing field and the area identifier. The routing field includes the AFI and the IDI and may also include the first byte of the DSP; it identifies the organizational structure. It is followed by a 16-bit area identifier. The following 48 bits (6 bytes) of System ID uniquely identify the host or router.
Configuring Integrated IS-IS
Integrated IS-IS functions as a routing protocol for IP, so the network must be set up with IP addresses and VLANs in the same way as for RIP or OSPF; that setup is not discussed in this section. Beyond the standard IP setup, you must decide what type of routing hierarchy to implement.
■ Setting IS-IS Authentication
■ Setting the Mesh Group of the Interface
■ Setting the Router Type
■ Setting Default Route Generation
■ Setting a Summary Route
■ Setting the Overload Flag Bit
■ Setting to Ignore the LSP Checksum Errors
■ Setting Peer Change Logging
■ Setting the LSP Refresh Interval
■ Setting the Lifetime of LSP
■ Setting the SPF Calculation in Slice
■ Setting SPF to Release CPU Resources
■ Setting the SPF Computing Interval
■ Enabling or Disabling the Inte
Perform the following configuration in IS-IS view.
Table 55 Setting the Network Entity Title (NET)
Operation                          Command
Set the Network Entity Title (NET) network-entity net
Delete a NET                       undo network-entity net
The parameter net has the format X…X.XXXXXXXXXXXX.XX: the first X…X is the area address, the twelve Xs in the middle are the System ID of the router, and the last XX must be 00.
CAUTION: A router can be configured with multiple area addresses.
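A parser for the NET format of Table 55, as an added example that is not the switch's own code and not part of this guide. It applies the rules stated above (an NSAP of 8 to 20 bytes, a 6-byte System ID in front of a selector that must be 00, everything before the System ID being the area address) and adds the two checks that matter when bringing up neighbors: two routers form a Level-1 adjacency only if they share an area address, and two routers in one area must not share a System ID. The NETs in the checks are constructed values in the same style as the guide's 86.0001.0000.0000.0005.00.

```python
"""Parse and validate an IS-IS Network Entity Title: an added example, not
the switch's own parser.  Rules applied: the NET is an NSAP of 8 to 20 bytes,
the 6 bytes before the selector are the System ID, the selector must be 00,
and everything before the System ID is the area address.  NETs used in the
checks are constructed test values."""
import re

_HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_net(net):
    """Return (area_address, system_id, nsel) as lowercase hex strings
    without dots, or raise ValueError saying what is wrong."""
    digits = net.replace(".", "")
    if not _HEX.fullmatch(digits) or len(digits) % 2:
        raise ValueError(f"{net!r}: not a whole number of hex octets")
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:
        raise ValueError(f"{net!r}: NSAP is {nbytes} bytes, must be 8 to 20")
    # Last 2 hex digits: selector; the 12 before it: System ID; rest: area.
    area, system_id, nsel = digits[:-14], digits[-14:-2], digits[-2:]
    if nsel != "00":
        raise ValueError(f"{net!r}: NET selector is {nsel}, must be 00")
    return area.lower(), system_id.lower(), nsel


def dotted(hexstr, afi_first):
    """Re-dot a hex string in the guide's notation: with afi_first the
    2-digit AFI comes first (86.0001), then 4-digit groups (0000.0000.0005)."""
    groups = []
    if afi_first:
        groups.append(hexstr[:2])
        hexstr = hexstr[2:]
    groups += [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    return ".".join(groups)


def check_level1_neighbors(net_a, net_b):
    """True if the two routers can form a Level-1 adjacency (same area).
    Raises ValueError on a duplicate System ID, which is a configuration
    error that leaves the two routers fighting over one LSP."""
    area_a, sys_a, _ = parse_net(net_a)
    area_b, sys_b, _ = parse_net(net_b)
    if sys_a == sys_b:
        raise ValueError("duplicate System ID " + dotted(sys_a, False))
    return area_a == area_b
```

Run parse_net over every network-entity line before loading a configuration: a selector other than 00 or an odd number of hex digits is rejected by the switch anyway, but a duplicated System ID is accepted by each router individually and only shows up later as LSDB churn.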
Perform the following configuration in VLAN interface view.
Table 58 Setting IS-IS Link State Routing Cost
Operation                                          Command
Set the routing cost of the interface              isis cost value [ level-1 | level-2 ]
Restore the default routing cost of the interface  undo isis cost [ level-1 | level-2 ]
If the level is not specified, the Level-1 routing cost is set. Configure the value parameter according to the link state of the interface.
If the level is not specified, the CSNP broadcast interval for Level-1 is set. By default, an interface transmits a CSNP packet every 10 seconds.
Setting the LSP Packet Interval
LSPs carry the link state records propagated throughout the area. Perform the following configuration in VLAN interface view.
By default, the Hello failure interval is 30 seconds. If the level is not specified, the Level-1 Hello failure interval is set.
Setting the Priority for DIS Election
On a broadcast network, IS-IS elects a DIS from all the routers. Both a Level-1 and a Level-2 DIS are elected, based on priority: an IS (router) with a higher priority is elected DIS over one with a lower priority.
Setting Interface Authentication
The authentication password set on the interface is carried in Hello packets to confirm the validity of peers. The authentication passwords at the same level on all connected interfaces of a network must be identical. Perform the following configurations in VLAN interface view.
Setting IS-IS to Use an MD5 Algorithm Compatible with Other Vendors' Equipment
Configure this command when the switch must authenticate other vendors' devices using the MD5 algorithm in IS-IS. Perform the following configurations in IS-IS view.
Setting Default Route Generation
In an IS-IS routing domain, a Level-1 router has only the LSDB of the local area, so it can generate routes only for the local area. A Level-2 router has the backbone LSDB of the IS-IS routing domain and generates only backbone routes.
Perform the following configurations in IS-IS view.
Table 73 Setting the Overload Flag Bit
Operation                     Command
Set the overload flag bit     set-overload
Remove the overload flag bit  undo set-overload
By default, no overload bit is set.
Setting to Ignore LSP Checksum Errors
After receiving an LSP, the local IS-IS calculates its checksum and compares the result with the checksum carried in the LSP. Leave this at the default unless you are diagnosing a specific interoperability problem: ignoring checksum errors lets corrupted LSPs into the LSDB.
By default, an LSP is refreshed every 900 seconds (15 minutes).
Setting the Lifetime of LSPs
When a router generates an LSP, it sets the maximum lifetime of that LSP. Other routers that receive it decrement its lifetime continuously as time passes. If an updated LSP has not been received before the old one times out, the LSP is deleted from the LSDB. The lifetime must therefore stay longer than the refresh interval, or every LSP expires before its refresh arrives. Perform the following configurations in IS-IS view.
Perform the following configurations in IS-IS view.
Table 79 Setting SPF to Release CPU Resources
Operation                                                 Command
Set the number of routes to process before releasing the CPU   spf-delay-interval number
Restore the default configuration                         undo spf-delay-interval
By default, the CPU is released after IS-IS SPF has processed 5000 routes.
Setting the SPF Computing Interval
When the IS-IS LSDB changes, the router computes the shortest paths again.
Configuring IS-IS to Import Routes of Other Protocols
IS-IS treats the routes discovered by other routing protocols as routes outside its routing domain. When importing routes from other protocols, you can specify their default cost, and whether to import them into Level-1, Level-2 or Level-1-2. Perform the following configurations in IS-IS view.
Protocol specifies the routing protocol sources for distributing routes: direct, static, rip, bgp, ospf or ospf-ase. For more information, see "Configuring for Filtering Received Routes" and "Configuring for Filtering Distributed Routes".
Setting the Preference of the IS-IS Protocol
On a router where several routing protocols run concurrently, routing information must be shared and selected among the protocols.
Execute the display command in any view to display the IS-IS configuration and verify the effect of the configuration. Execute the debugging command in user view to debug the IS-IS module.
Figure 11 IS-IS Configuration Example
1 Configure Switch A
[Switch A] isis
[Switch A-isis] network-entity 86.0001.0000.0000.0005.00
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] isis enable
[Switch A] interface vlan-interface 101
[Switch A-Vlan-interface101] isis enable
[Switch A] interface vlan-interface 102
[Switch A-Vlan-interface102] isis enable
2 Configure Switch B
[Switch B] isis
[Switch B-isis] network-entity 86.0001.0000.0000.0006.
[Switch C-Vlan-interface101] isis enable
[Switch C] interface vlan-interface 100
[Switch C-Vlan-interface100] isis enable
4 Configure Switch D
[Switch D] isis
[Switch D-isis] network-entity 86.0001.0000.0000.0008.
BGP runs on a router in either of the following modes:
■ Internal BGP (IBGP)
■ External BGP (EBGP)
BGP is called IBGP when it runs within an AS and EBGP when it runs between different ASs.
Route Advertisement Policy
In the Switch 7700, BGP applies the following policies when advertising routes:
■ If multiple routes to a destination are available, a BGP speaker selects only the optimal one.
■ A BGP speaker advertises only the routes it uses itself to its peers.
■ A BGP speaker advertises the routes obtained from EBGP to all its BGP peers (both EBGP and IBGP peers).
■ A BGP speaker does not advertise the routes obtained from IBGP to its other IBGP peers. This is why IBGP speakers in an AS must either be fully meshed or use a route reflector.
BGP ■ Configuring Application Features of BGP Peer (Group) ■ Configuring the Route Filtering of a Peer (Group) ■ Configuring Networks for BGP Distribution ■ Configuring Interaction Between BGP and IGP ■ Configuring BGP Route Summarization ■ Configuring BGP Route Filtering ■ Configuring BGP Route Dampening ■ Configuring BGP Preferences ■ Configuring the BGP Timer ■ Configuring Local Preferences ■ Configuring MED for AS ■ Comparing the MED Routing Metrics from Peers in Different ASs ■
Perform the following configurations in BGP view.

Table 90 Entering Extended Address Family View
Operation                                              Command
Enter multicast sub-address family view                ipv4-family multicast
Delete the multicast sub-address family configuration  undo ipv4-family multicast

Use the undo command to delete the application configuration. See “Multicast Protocol” on page 87 for MBGP configuration commands.
A BGP peer must belong to a peer group. To configure a BGP peer, first create a peer group and then add the peer to the group.

Table 93 Creating a Peer Group and Adding a Member
Operation                        Command
Add a peer to the peer group     peer peer-address group group-name [ as-number as-number ]
Delete a peer                    undo peer peer-address

If a peer is added to an IBGP peer group, the AS number cannot be specified in the command.
The priority of this command is higher than that of the timer command, which configures the timers for all BGP peers.
For detailed information on the route reflector, see “Configuring a BGP Route Reflector” on page 163.

Configuring Transmission of a Default Route to a Peer Group
Configuring the Transmission of Community Attributes to a Peer Group

Table 103 Configuring the Transmission of Community Attributes to a Peer Group
Operation                                              Command
Send the community attributes to a peer group          peer group-name advertise-community
Do not send the community attributes to a peer group   undo peer group-name advertise-community

Configuring the Repeating Time of a Local AS

Using the peer allow-as-loop command, the repeati
By default, BGP performs no authentication when setting up its TCP connections. An unauthenticated session accepts any well-formed Open message that arrives from the configured peer address, so an attacker who can reach TCP port 179 and spoof that address can attempt to reset or hijack the session. Where the platform allows it, configure the same password on both peers (TCP MD5 signature, RFC 2385) and use an ACL to restrict port 179 to the peer addresses. The authentication configured in BGP view also applies to MBGP, because both use the same TCP connection.

Configuring the Route Filtering of a Peer (Group)

The Switch 7700 can filter the routes imported from and advertised to peers (groups) by route-policy, AS path list, ACL, and ip prefix list.
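The TCP MD5 signature that an authenticated BGP session carries on every segment, as an added example written for this guide (it is not code from the 3Com manual and does not model the Switch 7700 implementation). It shows what the shared password actually protects: the digest is taken over the IP pseudo-header, the fixed TCP header with a zero checksum, the payload and the key, and a receiver that holds the key can reject spoofed or tampered segments. The addresses, ports, sequence numbers, key and the BGP KEEPALIVE payload are constructed for the demonstration.

```python
"""RFC 2385 TCP MD5 signature as used for BGP session authentication.

Added example; not code from the 3Com manual. The digest covers, in order:
the IP pseudo-header, the fixed 20-byte TCP header with the checksum field
zeroed (TCP options, including the MD5 option itself, are excluded), the
segment payload, and finally the shared key. The receiver recomputes it
and discards any segment whose option does not match, so an attacker who
can spoof the peer's address but does not hold the key cannot inject or
reset the session. All values below are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5_KIND = 19     # option kind assigned by RFC 2385
TCP_OPT_MD5_LEN = 18      # kind(1) + length(1) + digest(16)
MD5_OPTION_AREA = 20      # the 18-byte option padded to a 4-byte boundary
BGP_PORT = 179
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type 4


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, key, options_len=MD5_OPTION_AREA):
    """Return the 16-byte RFC 2385 digest for one TCP segment."""
    tcp_len = 20 + options_len + len(payload)
    # 1. pseudo-header: source, destination, zero byte, protocol 6, TCP length
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         tcp_len)
    # 2. fixed TCP header, checksum assumed zero, options not included
    data_offset = (20 + options_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    m = hashlib.md5()
    m.update(pseudo)
    m.update(header)
    m.update(payload)   # 3. the segment data
    m.update(key)       # 4. the shared secret, appended last
    return m.digest()


def md5_option(digest):
    """Encode the digest as the TCP option bytes a sender puts on the wire."""
    return bytes([TCP_OPT_MD5_KIND, TCP_OPT_MD5_LEN]) + digest + b"\x00\x00"


def digest_from_option(options):
    """Extract the 16-byte digest from a TCP option area, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_OPT_MD5_KIND and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                   payload, options, key):
    """Receiver side: accept only if the carried digest matches our own."""
    received = digest_from_option(options)
    if received is None:
        return False                       # unsigned segment on a signed session
    expected = tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags,
                              window, payload, key, len(options))
    return hmac.compare_digest(expected, received)


def demo():
    """Sign a constructed BGP KEEPALIVE and check it with the right and wrong key."""
    key = b"bgp-secret-constructed"
    args = ("192.0.2.1", "192.0.2.2", 40001, BGP_PORT, 1000, 2000, 0x18, 65535,
            BGP_KEEPALIVE)
    opt = md5_option(tcp_md5_digest(*args, key))
    return (verify_segment(*args, opt, key),                    # genuine
            verify_segment(*args, opt, b"wrong-key"),           # wrong secret
            verify_segment(*args[:-1], BGP_KEEPALIVE + b"\x00", opt, key))  # tampered


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The digest is a keyed hash, not an encryption: the session contents stay readable, but a segment whose addresses, ports, sequence numbers or payload differ from what the key holder sent will fail the comparison, which is what defeats blind RST and data injection against port 179.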
Table 109 Configuring Route Filtering Policy Based on an AS Path List for a Peer (Group)
Operation                                                                           Command
Remove the ingress route filtering policy based on AS path list of a peer (group)   undo peer { peer-address | group-name } as-path-acl acl-number import
Configure the egress route filtering policy based on AS path list for a peer group  peer group-name as-path-acl acl-number export
Remove the egress route filtering policy based on AS path list of a peer group      undo peer group-name as-path-acl
Perform the following configurations in BGP view.

Table 112 Importing IGP Routing Information
Operation                                               Command
Configure BGP to import routes of an IGP protocol       import-route protocol [ process-id ] [ med med ] [ route-policy route-policy-name ]
Configure BGP not to import routes of an IGP protocol   undo import-route protocol

By default, BGP does not import the routes of other protocols.
Perform the following configurations in BGP view. The routes received by BGP can be filtered so that only the routes meeting the configured conditions are accepted.
Table 116 Configuring BGP Route Dampening
Operation                                                                      Command
Clear route attenuation information and remove the suppression of the route    reset dampening [ network-address [ mask ] ]
Cancel BGP route dampening                                                     undo dampening

By default, route dampening is disabled. The parameters of the dampening command depend on one another: if one parameter is configured, all the others must be specified as well.
Configuring Local Preferences

Different local preferences can be configured to influence BGP route selection. When a router running BGP learns routes to the same destination with different next hops from different internal peers, it selects the route with the highest local preference.

Perform the following configurations in BGP view.
Table 121 Comparing the MED Routing Metrics from Peers in Different ASs
Operation                                                            Command
Do not compare the MED routing metrics from peers in different ASs   undo compare-different-as-med

By default, MED is not compared between routes from neighbors in different ASs. Do not enable this comparison unless you are sure that the ASs concerned use the same IGP and compute their metrics the same way.

Configuring BGP Community

Community attributes are optional transitive attributes.
can have multiple clients. Each client, in turn, can itself be a route reflector with its own clients. In the following figure, Router A receives an update packet from its external peer and transmits it to Router C. Router C is a route reflector with two clients, Router A and Router B, and reflects the update received from client Router A to client Router B.
Table 124 Configuring the Cluster ID
Operation                                      Command
Cancel the Cluster_ID of the route reflector   undo reflector cluster-id

By default, the router ID of the route reflector is used as the cluster ID.

Two Measures to Avoid Looping Inside an AS

Once route reflectors are introduced, routing loops can arise inside the AS: an update that has already left a cluster may try to return to it.
Perform the following configurations in BGP view.

Table 126 Configuring a Sub-AS Belonging to the Confederation
Operation                                             Command
Configure a confederation consisting of sub-ASs       confederation peer-as as-number-1 [ ... as-number-n ]
Remove the specified sub-AS from the confederation    undo confederation peer-as [ as-number-1 ] [ ... as-number-n ]

By default, no autonomous systems are configured as members of the confederation.
any one list in this group, the routing information is considered to have matched the group of as-path lists identified by this list number.

Defining Route-policy
See “Defining Route-policy” on page 167.

Defining Match Principle
See “Defining If-match Clauses for a Route Policy” on page 177.

Defining Evaluation Rules
See page 178.
Table 131 Displaying and Debugging BGP
Operation                                                                     Command
Display the routing information of the specified BGP community                display bgp routing-table community [ aa:nn | no-export-subconfed | no-advertise | no-export ]* [ whole-match ]
Display the routing information allowed by the specified BGP community list   display bgp routing-table community-list community-list-number [ whole-match ]
Display BGP dampened paths                                                    display bgp routing-table dampened
Display th
Configuring the BGP AS Confederation Attribute

Divide AS 100 into three sub-ASs, 1001, 1002, and 1003, and configure EBGP, confederation EBGP, and IBGP.

Figure 13 AS Confederation Configuration (figure: AS 100 containing sub-AS 1001, 1002 and 1003; Switch A, Switch B, Switch C and Switch D; addresses 172.68.10.1, 172.68.10.2, 172.68.10.3, 172.68.1.1, 172.68.1.2, 156.10.1.1, 156.10.1.)
Configuring BGP Route Reflector

Switch B receives an update packet through EBGP and transmits it to Switch C. Switch C is a route reflector with two clients, Switch B and Switch D. When Switch C receives a route update from Switch B, it reflects it to Switch D. It is not necessary to establish an IBGP connection between Switch B and Switch D, because Switch C reflects the information to Switch D.

Figure 14 BGP Route Reflector Configuration (figure: VLAN 3 193.1.1.)
[Switch C] interface vlan-interface 4
[Switch C-Vlan-interface4] ip address 194.1.1.1 255.255.255.0

c Configure BGP peers and the route reflector.
[Switch C] bgp 200
[Switch C-bgp] group rr internal
[Switch C-bgp] peer rr reflect-client
[Switch C-bgp] peer 193.1.1.2 group rr
[Switch C-bgp] peer 194.1.1.2 group rr

4 Configure Switch D:
a Configure VLAN 4:
[Switch D] interface vlan-interface 4
[Switch D-Vlan-interface4] ip address 194.1.1.2 255.255.255.
a Enable BGP
[Switch A] bgp 100

b Specify the network that BGP advertises
[Switch A-bgp] network 1.0.0.0

c Configure the peers
[Switch A-bgp] group ex192 external
[Switch A-bgp] peer 192.1.1.2 group ex192 as-number 200
[Switch A-bgp] group ex193 external
[Switch A-bgp] peer 193.1.1.2 group ex193 as-number 200
[Switch A-bgp] quit

d Configure the MED attribute of Switch A
■ Add an ACL on Switch A that permits network 1.0.0.0.
[Switch C] interface vlan-interface 5
[Switch C-Vlan-interface5] ip address 195.1.1.2 255.255.255.0
[Switch C] ospf
[Switch C-ospf-1] area 0
[Switch C-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[Switch C-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[Switch C] bgp 200
[Switch C-bgp] group ex external
[Switch C-bgp] peer 193.1.1.1 group ex as-number 100
[Switch C-bgp] group in internal
[Switch C-bgp] peer 195.1.1.
configured with the local preference attribute, which is 100 by default), Switch D will also prefer the route to 1.0.0.0 learned from Switch C.

Troubleshooting BGP

Symptom: the neighbor relationship cannot be established (the Established state is never reached).

To establish a BGP neighbor relationship, the router must be able to set up a TCP connection to the peer on port 179, and the two sides must exchange Open messages correctly. Check that the peer address is reachable, that no ACL blocks TCP port 179 between the peers, that the AS number configured for the peer matches the AS number the peer announces in its Open message, and, where authentication is configured, that both sides use the same password.
Configuring IP Routing Policy is described in the following sections:
■ Routing Information Filters
■ Configuring an IP Routing Policy
■ Troubleshooting Routing Policies
■ Limiting Route Capacity
■ Configuring Route Capacity

Routing Information Filters

The Switch 7700 supports four kinds of filters: route-policy, acl, ip-prefix, and community-list.
specify the gateway option to accept only the routing information distributed by certain routers. An ip-prefix is identified by its name. Each ip-prefix can contain multiple list items, each of which specifies a matching range of network prefixes and is identified by an index-number. The index-number determines the order in which the items are checked.
The deny argument specifies that the apply clauses are not executed: if a route satisfies all the if-match clauses of the node, the node denies the route and the route is not tested against the following nodes. If the route does not satisfy all the if-match clauses of the node, it goes on to the next node. The router tests the route against the nodes of the route policy in sequence; the first node whose if-match clauses all match decides the result (permit or deny), and a route that matches no node is denied.
Table 133 Defining If-match Conditions
Operation                                                       Command
Cancel the tag domain of the matched OSPF routing information   undo if-match tag

By default, no matching is performed. A node matches a route only if the route satisfies all the if-match clauses of that node; only then are the actions in the apply clauses executed. If no if-match clauses are specified, all routes pass the filtering on the node.
Table 134 Defining Apply Clauses
Operation                                               Command
Set the tag domain of the OSPF routing information      apply tag value
Cancel the tag domain of the OSPF routing information   undo apply tag

By default, no apply clauses are defined.
Table 136 Defining Prefix-list
Operation               Command
Remove a prefix list    undo ip ip-prefix ip-prefix-name [ index index-number | permit | deny ]

During matching, the router checks the list items in ascending order of index-number. The first item that matches the route decides the result according to its permit or deny keyword, and no further items are tested; a route that matches no item is denied.
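The evaluation order described for route-policy nodes and ip-prefix lists, as an added example written for this guide (not code from the 3Com manual): an ip-prefix is walked in ascending index order and the first matching item decides; a route-policy node matches only when all its if-match clauses hold, the first matching node decides, apply clauses run only for a permit node, and a route that matches nothing is denied. The prefix lists, route attributes (prefix, tag, local_pref) and the policy are constructed; real if-match and apply clauses cover more attributes than shown here.

```python
"""Route-policy node and ip-prefix evaluation order.

Added example; not code from the 3Com manual. It models the semantics the
text describes: an ip-prefix is walked in ascending index order and the
first matching item decides (permit/deny); a route-policy is walked in
ascending node order, a node matches only when all its if-match clauses
hold, the first matching node decides, apply clauses run only for a
permit node, and a route that matches no node (or no prefix item) is
denied. The prefix lists, routes and attribute names are constructed.
"""
import ipaddress


def ip_prefix_match(items, route_prefix):
    """items: iterable of (index, action, prefix, greater_equal, less_equal).

    Without greater_equal/less_equal an item is an exact match, so callers
    pass the prefix's own length for both. Returns True for permit.
    """
    net = ipaddress.ip_network(route_prefix)
    for _index, action, prefix, ge, le in sorted(items, key=lambda i: i[0]):
        item_net = ipaddress.ip_network(prefix)
        if net.version == item_net.version and net.subnet_of(item_net) \
                and ge <= net.prefixlen <= le:
            return action == "permit"   # first matching item decides
    return False                        # no item matched: implicit deny


def route_policy_eval(nodes, route):
    """nodes: iterable of (node_number, action, if_matches, applies).

    if_matches are predicates over the route dict; applies are functions
    returning a modified copy. Returns (permitted, route).
    """
    for _num, action, if_matches, applies in sorted(nodes, key=lambda n: n[0]):
        if not all(pred(route) for pred in if_matches):
            continue                    # not this node: try the next one
        if action == "deny":
            return False, route         # deny node: apply clauses are skipped
        for apply in applies:
            route = apply(route)
        return True, route
    return False, route                 # matched no node: denied


# --- constructed policy: blackhole one /16, permit tagged 10/8 subnets ---
BLACKHOLE = [(10, "permit", "10.1.0.0/16", 16, 16)]             # exact match
CUSTOMER = [(10, "deny", "10.1.0.0/16", 16, 16),
            (20, "permit", "10.0.0.0/8", 16, 24)]               # /16 .. /24


def set_local_pref(value):
    return lambda r: dict(r, local_pref=value)


POLICY = [
    (10, "deny", [lambda r: ip_prefix_match(BLACKHOLE, r["prefix"])], []),
    (20, "permit", [lambda r: ip_prefix_match(CUSTOMER, r["prefix"]),
                    lambda r: r.get("tag") == 100],
     [set_local_pref(200)]),
]


def evaluate(prefix, tag):
    """Run a constructed route through POLICY; returns (permitted, local_pref)."""
    ok, out = route_policy_eval(POLICY, {"prefix": prefix, "tag": tag})
    return ok, out.get("local_pref")


if __name__ == "__main__":
    for prefix, tag in [("10.1.0.0/16", 100), ("10.2.0.0/16", 100),
                        ("10.2.0.0/16", 5), ("10.0.0.0/8", 100),
                        ("192.0.2.0/24", 100)]:
        print(prefix, tag, evaluate(prefix, tag))
```

The case to notice is ("10.2.0.0/16", tag 5): the prefix clause of node 20 matches but the tag clause does not, so the node is skipped, no later node exists, and the route is denied by the implicit rule rather than by any node you wrote. A policy whose last node has no if-match clauses permits everything else, which is the usual way to turn the implicit deny into an explicit permit.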
The route policy supports importing the routes discovered by the following protocols into the routing table:
■ Direct: routes to the networks (or hosts) directly connected to the local interfaces.
[Switch A] ip route-static 20.0.0.1 255.255.255.255 12.0.0.1
[Switch A] ip route-static 30.0.0.1 255.255.255.255 12.0.0.1
[Switch A] ip route-static 40.0.0.1 255.255.255.255 12.0.0.1

3 Enable OSPF and specify the area to which the interface belongs.
[Switch A] router id 1.1.1.1
[Switch A] ospf
[Switch A-ospf] area 0
[Switch A-ospf-area-0.0.0.0] network 10.0.0.0 0.0.0.
Route Capacity

In practical networks the routing table usually holds a large number of routes, especially OSPF and BGP routes. The routing information is stored in the memory of the Ethernet switch, so a growing routing table can consume a significant share of the switch's memory. To control this, Switch 7700 switches provide a mechanism that limits the size of the routing table.
Setting the Safety Value for Switch Memory

When free memory has dropped to the safety value but has not yet reached the lower limit, use the display memory limit command to see how much free memory remains. If automatic memory restoration is enabled, the disconnected BGP and OSPF connections are restored once the free memory of the Ethernet switch rises above the safety value again.

Perform the following configurations in system view.
Perform the following configurations in system view.

Table 143 Preventing Automatic Recovery of Disconnected Routing Protocols
Operation                                                      Command
Prevent automatic recovery of disconnected routing protocols   memory auto-establish disable

By default, the automatic memory restoration function of the Ethernet switch is enabled.

Enabling Automatic Recovery of Disconnected Routing Protocols

Perform the following configurations in system view.
6 MULTICAST PROTOCOL

This chapter includes information on the following:
■ IP Multicast Overview
■ Configuring Common Multicast
■ Configuring IGMP
■ IGMP Snooping
■ Configuring PIM-DM
■ Configuring PIM-SM
■ GMRP

IP Multicast Overview

Several transmission methods can be used when information (data, voice or video) is destined for only a subset of the hosts in the network. With unicast, an independent data transmission path must be established for each receiver.
Figure 1 Comparison Between the Unicast and Multicast Transmission (figure: a server sending to several receivers, unicast versus multicast)

A multicast source does not necessarily belong to a multicast group: it sends data to the group but is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. Routers that do not support multicast may exist on the network.
A multicast group can be either permanent or temporary. Part of the multicast address space is reserved by the IANA for permanent multicast groups. The IP address of a permanent group does not change, but the members of the group can; the number of members of a permanent group is arbitrary and can even be zero. The IP multicast addresses not reserved for permanent groups can be used by temporary groups.
transmitted, the destination is no longer a specific receiver but a group with unspecified members, so a multicast MAC address must be used. Multicast MAC addresses correspond to multicast IP addresses. IANA (Internet Assigned Numbers Authority) stipulates that the high 24 bits of the multicast MAC address are 0x01005e (the following bit is always 0) and the low 23 bits of the MAC address are the low 23 bits of the multicast IP address. Only 23 of the 28 variable bits of an IPv4 multicast address are carried, so 32 different IP multicast groups map to the same MAC address, and a device that forwards or filters on the MAC address alone cannot tell them apart.
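The IP-to-MAC mapping described above and its 32:1 ambiguity, as an added example written for this guide (not code from the 3Com manual). It derives the MAC from a group address, lists the 32 groups that collapse onto the same MAC, and so shows why a Layer 2 entry keyed on the MAC (an IGMP snooping forwarding entry, a static multicast MAC) admits traffic for groups nobody joined; filtering by group IP, as the igmp group-policy command does with an ACL, does not have this blind spot. The group addresses are constructed.

```python
"""IPv4 multicast group to MAC address mapping and its 32:1 ambiguity.

Added example; not code from the 3Com manual. The MAC is 01:00:5e followed
by a zero bit and the low 23 bits of the group address, so the top 5
variable bits of the address (4 bits of the first octet and the high bit
of the second) are lost and 32 groups share one MAC. A Layer 2 device
that forwards or filters on the MAC alone cannot separate those groups.
Group addresses below are constructed.
"""

MCAST_MAC_PREFIX = 0x01005E000000      # high 25 bits: 0x01005e plus a 0 bit


def _octets(ip):
    parts = [int(o) for o in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 224 <= parts[0] <= 239:
        raise ValueError("not a multicast address: %r" % ip)
    return parts


def multicast_ip_to_mac(ip):
    """Return the IEEE 802 multicast MAC for an IPv4 group address."""
    _a, b, c, d = _octets(ip)
    low23 = ((b & 0x7F) << 16) | (c << 8) | d     # drop the high bit of octet 2
    mac = MCAST_MAC_PREFIX | low23
    return ":".join("%02x" % ((mac >> (8 * i)) & 0xFF) for i in range(5, -1, -1))


def groups_sharing_mac(ip):
    """All 32 IPv4 group addresses that map to the same MAC as ip."""
    _a, b, c, d = _octets(ip)
    low = b & 0x7F
    return ["%d.%d.%d.%d" % (224 + hi, low | high_bit, c, d)
            for hi in range(16) for high_bit in (0x00, 0x80)]


def mac_is_ambiguous_for(ip, other_ip):
    """True when two distinct groups collapse onto the same MAC."""
    return ip != other_ip and multicast_ip_to_mac(ip) == multicast_ip_to_mac(other_ip)


if __name__ == "__main__":
    print(multicast_ip_to_mac("224.0.0.1"))        # 01:00:5e:00:00:01
    print(multicast_ip_to_mac("239.255.255.255"))  # 01:00:5e:7f:ff:ff
    print(groups_sharing_mac("225.0.0.1"))         # 32 groups, 224.0.0.1 included
```

Note that 224.0.0.1 (all hosts) shares its MAC with 225.0.0.1, 224.128.0.1 and 29 other groups, so any host that must receive 224.0.0.1 will also see frames for those groups at the link layer.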
possible for multicast. A multicast application sends packets to a group of receivers (identified by a multicast address) that are ready to receive the data, rather than to a single receiver (identified by a unicast address). Multicast routing creates a loop-free data transmission path from one data source to multiple receivers; the task of the multicast routing protocol is to build this distribution tree.
table provided independently for multicast (such as the MBGP multicast routing table). This check mechanism, known as the RPF (Reverse Path Forwarding) check, is the basis of most multicast routing protocols. A multicast router looks up the source address of the multicast packet in the unicast routing table, or in the independent multicast routing table, to determine the interface on which a packet from that source is expected to arrive. If the packet arrived on that interface, the RPF check succeeds and the packet is forwarded; otherwise it is discarded. This prevents forwarding loops and also drops packets that carry a source address they could not have come from.
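The RPF check described above, as an added example written for this guide (not code from the 3Com manual): a longest-prefix lookup on the packet's source address gives the expected incoming interface, and a packet that arrives elsewhere, or whose source has no route, is dropped. The routing table, interface names and the sample packets are constructed; whether a default route may satisfy the RPF lookup is platform-specific, so the constructed table deliberately has none.

```python
"""Reverse Path Forwarding (RPF) check for multicast packets.

Added example; not code from the 3Com manual. The router looks up the
packet's SOURCE address with a longest-prefix match in the unicast table
(or a separate multicast RPF table) to find the interface a packet from
that source should arrive on; a packet arriving on any other interface,
or from a source with no route at all, fails the check and is dropped.
This is what stops forwarding loops and drops traffic with a spoofed or
unroutable source. Routes, interface names and packets are constructed.
"""
import ipaddress


class RpfTable:
    def __init__(self, routes):
        # routes: iterable of (prefix, incoming_interface)
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def rpf_interface(self, source):
        """Longest-prefix match on the source; None if there is no route."""
        addr = ipaddress.ip_address(source)
        best = None
        for net, iface in self.routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best[1] if best else None

    def check(self, source, in_iface):
        """Return (passed, reason) for a packet from source seen on in_iface."""
        expected = self.rpf_interface(source)
        if expected is None:
            return False, "no route to source %s" % source
        if expected != in_iface:
            return False, "expected %s, arrived on %s" % (expected, in_iface)
        return True, "ok"


def forward_decisions(table, packets):
    """packets: iterable of (source, group, in_iface); returns the list of
    (source, group, in_iface, passed, reason) so callers can log the drops."""
    return [(src, grp, iface) + table.check(src, iface)
            for src, grp, iface in packets]


# --- constructed routing table and traffic ---
TABLE = RpfTable([
    ("10.1.0.0/16", "Vlan-interface10"),
    ("10.0.0.0/8", "Vlan-interface11"),
    ("192.0.2.0/24", "Vlan-interface12"),
])

PACKETS = [
    ("10.1.5.5", "225.0.0.1", "Vlan-interface10"),      # expected interface
    ("10.1.5.5", "225.0.0.1", "Vlan-interface11"),      # duplicate from the /8 side
    ("10.9.9.9", "225.0.0.1", "Vlan-interface11"),      # only the /8 covers it
    ("192.0.2.7", "225.0.0.1", "Vlan-interface10"),     # spoofed: wrong interface
    ("198.51.100.1", "225.0.0.1", "Vlan-interface12"),  # no route at all
]


def passed_sources():
    """Sources whose packets pass the RPF check, in input order."""
    return [src for src, _g, _i, ok, _r in forward_decisions(TABLE, PACKETS) if ok]


if __name__ == "__main__":
    for row in forward_decisions(TABLE, PACKETS):
        print(row)
```

The second packet is the loop case: the same (S, G) traffic reaching the router over two paths is accepted only on the interface the unicast table points back to, so a duplicate arriving from the other side is discarded rather than forwarded round again.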
Table 3 Enabling Multicast
Operation            Command
Disable multicast    undo multicast routing-enable

By default, multicast routing is disabled. The other multicast configurations take effect only after multicast routing is enabled.
Displaying and Debugging Common Multicast Configuration

After the previous configurations, execute the display command to view the multicast configuration and verify it. Execute the debugging command in user view to debug multicast.
IGMP Version 2 offers the following improvements over IGMP Version 1:
■ Election of the querier on a shared network segment. A shared network segment is one with multiple multicast routers attached. All routers running IGMP on the segment receive the membership reports from hosts, so only one of them needs to send membership query messages.
■ Configuring the IGMP Querier Present Timer
■ Configuring the Maximum Query Response Time
■ Deleting IGMP Groups Joined on an Interface
■ Displaying and Debugging IGMP

Enabling Multicast

After multicast is enabled, IGMP runs automatically on all interfaces. For details, see “Configuring Common Multicast” on page 196.

Enabling IGMP on an Interface

You must enable multicast before you can execute the igmp enable command.
If other hosts interested in the specified group receive the IGMP query message from the IGMP querier, they send back an IGMP Membership Report message within the specified maximum response time. If the IGMP querier receives an IGMP Membership Report message within the defined period (equal to robust-value seconds), it continues to maintain the membership of this group.
Table 11 Configuring the Number of Times an IGMP Group-Specific Query Packet Is Sent
Operation                                                                                    Command
Restore the number of times an IGMP Group-Specific Query packet is sent to the default value   undo igmp robust-count

By default, the robust-value is 2. This command takes effect only on an IGMP querier running IGMPv2. It has no effect for hosts running IGMPv1, because such hosts do not send an IGMP Leave message when they leave a group.
Perform the following configuration in VLAN-interface view.

Table 14 Limiting Access to IP Multicast Groups
Operation                                                             Command
Limit the range of multicast groups allowed on the current interface   igmp group-policy acl-number [ 1 | 2 ]
Remove the filter set on the interface                                undo igmp group-policy

By default, no filter is configured, and hosts on the interface can join any multicast group.
Setting a shorter maximum response time makes hosts respond to query messages sooner, so the router learns the current membership of the multicast group more quickly.

Perform the following configuration in VLAN interface view.
IGMP Snooping

IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism that runs on Layer 2 and is used for multicast group management and control. IGMP Snooping runs at the link layer: when the Switch 7700 receives IGMP messages, it uses IGMP Snooping to analyze them. If the switch hears an IGMP membership report from a host, it adds the port of that host to the corresponding multicast forwarding table.
Figure 4 Multicast Packet Transmission With IGMP Snooping (figure: a VOD server behind a multicast router on the Internet/Intranet, a Layer 2 Ethernet switch, and hosts that are multicast group members or non-members; with snooping the video stream reaches only the members)

Implementing IGMP Snooping

This section introduces the switch concepts related to IGMP Snooping:
■ Router Port: the port directly connected to the multicast router.
Figure 5 Implementing IGMP Snooping (figure: a router running IGMP on the Internet side, an Ethernet switch running IGMP snooping, and the IGMP packets exchanged between them)

1 IGMP general query message: transmitted by the multicast router to query which multicast groups have members. When a router port receives an IGMP general query message, the Switch 7700 resets the aging timer of that port.
not have any member, the switch notifies the multicast router so that the group is removed from the multicast tree.
By default, the port aging time is 260 seconds.

Configuring Maximum Response Time

This task sets the maximum response time. If the Switch 7700 receives no report message from a port within the maximum response time, it removes the port from the multicast group.

Perform the following configuration in system view.
IGMP Snooping Configuration Example

To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router through the router port and to the user PCs through the non-router ports.

Figure 6 IGMP Snooping Configuration Network (figure: a router running IGMP on the Internet side and an Ethernet switch running IGMP snooping, exchanging IGMP packets)

1 Display the status of GMRP.
■ Configuring PIM-DM

If they are not consistent, contact the maintenance personnel for help.

Configuring PIM-DM

PIM-DM (Protocol Independent Multicast, Dense Mode) is a dense-mode multicast routing protocol. It suits small networks in which the members of multicast groups are relatively dense. PIM-DM works through neighbor discovery, flood and prune, and graft.
Figure 7 Assert Mechanism Diagram (figure: Router A and Router B both receive the multicast packets forwarded by the upstream node and both forward them onto the segment shared with Router C and the receiver)

When routers detect such a case, they select a unique forwarder with the assert mechanism: they send Assert packets and choose the best path. If two or more routers have the same priority and metric, the one with the higher IP address becomes the upstream neighbor of the (S, G) entry and is responsible for forwarding the (S, G) multicast packets.
After PIM-DM is enabled on an interface, the interface sends PIM Hello messages periodically and processes the protocol packets sent by PIM neighbors.

Perform the following configuration in VLAN interface view.

Table 25 Enabling PIM-DM
Operation                          Command
Enable PIM-DM on an interface      pim dm
Disable PIM-DM on an interface     undo pim dm

3Com recommends that you configure PIM-DM on all interfaces. This configuration takes effect only after multicast routing is enabled in system view.
Configuring the Filtering of Multicast Source/Group

You can filter multicast data packets by source (and group) address with this command. When this feature is configured, the router filters not only multicast data but also the multicast data encapsulated in Register packets.

Perform the following configuration in PIM view.
If the existing PIM neighbors already exceed the configured value when the limit is set, they are not deleted.

Displaying and Debugging PIM-DM

Execute the display command in any view to display the running PIM-DM configuration and verify the effect of the configuration. Execute the debugging command in user view to debug PIM-DM.
Configuration procedure

This section gives only the configuration of Switch A, because the configuration procedures for Switch B and Switch C are similar.

1 Enable the multicast routing protocol.
[SW7700] multicast routing-enable

2 Enable PIM-DM.
Configuring PIM-SM is described in the following sections:
■ PIM-SM Operating Principles
■ Preparing to Configure PIM-SM
■ Configuring PIM-SM

PIM-SM Operating Principles

PIM-SM works through neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration, and SPT switchover. The neighbor discovery mechanism is the same as that of PIM-DM.
Multicast Source Registration

When multicast source S sends a multicast packet to group G, the PIM-SM multicast router that receives it encapsulates the packet in a Register message and sends it by unicast to the RP for that group. If there are multiple PIM-SM multicast routers on the network segment, the Designated Router (DR) is responsible for sending the Register message.
■ Configuring Candidate-BSRs
■ Configuring Candidate-RPs
■ Configuring Static RP

Advanced PIM-SM configuration includes:
■ Configuring the Interface Hello Message Interval
■ Configuring the Filtering of Multicast Source/Group
■ Configuring the Filtering of PIM Neighbor
■ Configuring the Maximum Number of PIM Neighbors on an Interface
■ Configuring RP to Filter the Register Messages Sent by DR
■ Limiting the Range of Legal BSR
■ Limiting the Range of Legal C-RP
■
Perform the following configuration in VLAN interface view.

Table 33 Setting the PIM-SM Domain Border
Operation                                   Command
Set the PIM-SM domain border                pim bsr-boundary
Remove the configured PIM-SM domain border  undo pim bsr-boundary

By default, no domain border is set. After this configuration, bootstrap messages cannot cross the border, but other PIM packets can. This lets you divide a network into domains that use different BSRs.
Table 35 Configuring Candidate-BSRs
Operation                            Command
Remove the configured candidate-BSR  undo c-bsr

Candidate-BSRs should be configured on routers in the network backbone. By default, no BSR is set. The default priority is 0. Only one candidate-BSR can be configured on a router; configuring a candidate-BSR on another interface replaces the previous configuration.
Configuring the Interface Hello Message Interval

PIM-SM periodically sends Hello messages on each interface on which it is enabled, to detect PIM neighbors and to elect the Designated Router (DR).

Perform the following configuration in VLAN interface view.
information in the network once it wins the election. To prevent BSR spoofing in the network, take the following two measures:
■ Prevent the router from being spoofed by hosts that forge legitimate-looking BSR messages to modify the RP mapping. BSR messages are multicast with a TTL of 1, so such attacks usually hit edge routers; limiting the range of legal BSR addresses on those routers blocks them.
Clearing Multicast Route Entries from PIM Routing Table

Perform the following configuration in user view.
Example: Configuring PIM-SM

Host A is a receiver of the multicast group 225.0.0.1. Host B begins transmitting data destined to 225.0.0.1. Switch A receives the multicast data from Host B via Switch B.

Figure 10 PIM-SM Configuration Networking (figure: Host A, Host B and the switches interconnected through VLAN 10, VLAN 11 and VLAN 12)

Configure Switch A

1 Enable PIM-SM.
[SW7700-vlan-interface10] pim sm
[SW7700-vlan-interface10] quit
[SW7700] vlan 11
[SW7700-vlan11] port Ethernet 1/0/4 to Ethernet 1/0/5
[SW7700-vlan11] quit
[SW7700] pim
[SW7700-pim] interface vlan-interface 11
[SW7700-vlan-interface11] pim sm
[SW7700-vlan-interface11] quit
[SW7700] vlan 12
[SW7700-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7700-vlan12] quit
[SW7700] pim
[SW7700-pim] interface vlan-interface 12
[SW7700-vlan-interface12] pim sm
[SW7700-vlan-interface1
[SW7700-vlan-interface12] pim sm
[SW7700-vlan-interface12] quit

GMRP

GMRP (GARP Multicast Registration Protocol), based on GARP, is used to maintain dynamic multicast registration information. All switches that support GMRP can receive multicast registration information from other switches and dynamically update their local multicast registration information, and they can transmit their local multicast registration information to other switches.
Enabling/Disabling GMRP on the Port

Perform the following configuration in Ethernet port view.

Table 46 Enabling/Disabling GMRP on the Port
Operation                    Command
Enable GMRP on the port      gmrp
Disable GMRP on the port     undo gmrp

GMRP must be enabled globally before it is enabled on a port. By default, GMRP is disabled on the port.
[SW7700-Ethernet1/0/1] gmrp
7 QOS/ACL OPERATION

This chapter includes information on the following:
■ ACL Overview
■ Configuring ACLs
■ Displaying and Debugging an ACL
■ Configuring QoS
■ Configuring ACL Control

ACL Overview

An Access Control List (ACL) classifies data packets with a series of matching rules, including source address, destination address and port number. The switch checks data packets against the rules in the ACL and decides whether to forward, prioritize, or discard them.
This type of filtering includes ACLs used with the QoS function, ACLs used to filter the packets forwarded by the hardware, and so on.

Filtering or Classifying Data Transmitted by the Software

An ACL can also filter or classify the data handled by the software of the switch. The user can determine the match order of the ACL's sub-rules.
Configuring ACLs

ACL configuration includes the tasks described in the following sections:
■ Configuring the Time Range
■ Selecting the ACL Mode
■ Defining an ACL
■ Activating an ACL

Configure the time range first, then define the ACL (referring to the defined time range in the definition), and finally activate the ACL to bring it into effect. These steps must be done in this sequence.
Defining an ACL

The Switch 7700 supports several kinds of ACLs. To define an ACL:
1 Enter the corresponding ACL view
2 Add a rule to the ACL

You can add multiple rules to one ACL. If no time range is specified, the ACL takes effect as soon as it is activated. While defining the ACL, you can use the rule command several times to define multiple rules for the ACL.
the analysis of three kinds of packet priority: ToS (Type of Service), IP, and DSCP priorities.

Perform the following configuration in the designated view.
Perform the following configuration in the designated view.
Table 8 Displaying and Debugging ACLs
Operation                                          Command
Display detailed information about the ACL         display acl config { all | acl-number | acl-name }
Display the ACL mode chosen by the switch          display acl mode
Display information about the ACL running state    display acl running-packet-filter { all | interface { interface-name | interface-type interface-num } }
Clear ACL counters                                 reset acl counter { all | acl-number | acl-name }

The matched information of the display ac
In the following configuration steps, only the commands related to the ACL configuration are listed.

Define the work time range:
1 Set the time range 8:00 to 18:00.
[SW7700] time-range 3com 8:00 to 18:00 working day

Define the ACL to access the payment server:
1 Enter the advanced ACL named traffic-of-payserver.
[SW7700] acl name traffic-of-payserver advanced match-order config
2 Set the rules for the other departments' access to the payment server.
Configuring QoS 239
[SW7700]acl name traffic-of-host basic
Define the rule for packets with source IP address 10.1.1.1.
[SW7700-acl-basic-traffic-of-host]rule 1 deny ip source 10.1.1.1 0 time-range 3com
4 Activate the ACL.
Activate the ACL traffic-of-host.
(FIFO) policy. Switches and routers make a best effort to transmit packets to their destination, without any commitment or guarantee regarding transmission reliability, delay, or other performance requirements. Ethernet is currently the most widely used network technology. It has been the dominant technology of many independent Local Area Networks (LANs), and many Ethernet LANs are now part of the Internet.
the classification criteria are carried in the packet header; the packet payload is seldom used as a classification criterion.
Packet Filter
Packet filters filter network traffic. For example, the deny operation discards traffic that matches a traffic classification rule, while allowing other traffic to pass through.
Figure 3 SP queuing: packets sent through the interface are classified into the high, middle, normal and bottom queues, then dequeued into the sending queue.
SP is designed for key service applications. A key service needs to be served with priority, so that its response delay is reduced when congestion occurs.
This random number is compared with the discard probability of the current queue. Any packet whose random number is greater than the probability is discarded. The longer the queue, the higher the discard probability, up to a configured maximum. By discarding packets randomly, RED avoids global TCP synchronization.
Perform the following two configuration tasks in system view.
Setting Port Mirroring
Port mirroring duplicates the data on a monitored port to a designated monitor port for data analysis and supervision. The switch supports many-to-one mirroring: you can duplicate packets from multiple ports to one monitoring port. You can also restrict the monitored direction to inbound or outbound packets only. Perform the following configurations in system view.
Table 11 Mapping Between 802.1p Priority Levels and Outbound Queues
802.
Configuring the Priority for Queue Scheduling
You can use the following command to configure which priority is used for queue scheduling. Perform the following configuration in system view.
Table 15 Configuring the Priority for Queue Scheduling
Operation / Command
Configure the priority for queue scheduling: priority-trust { dscp | ip-precedence | cos | local-precedence }
By default, the switch uses the local precedence as the basic priority.
Setting Line Limit
Line limit refers to limiting the total rate at a port. The adjustment step for the line rate of the Switch 7700 is 1 Mbps. Perform the following configurations in QoS view.
Table 18 Setting the Line Rate
Operation / Command
Set the line limit: line-rate target-rate
Remove the line limit: undo line-rate
You can set the line limit on a single port.
Setting Traffic Bandwidth
You can set the desired traffic bandwidth to guarantee target services.
Only the 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X-SFP I/O modules support this configuration.
Relabeling the Priority Level
Relabeling the priority level creates a policy that re-tags the priority of the packets that match the ACL. The new priority can be written into the priority field of the packet header. Perform the following configuration in QoS view.
Configuring Traffic Statistics
The traffic statistics function counts the transmitted data that matches the ACL rules. After the traffic statistics function is configured, you can use the display qos-info traffic-statistic command to display the statistics. Perform the following configuration in QoS view.
Table 24 Display and Debug QoS
Operation / Command
Display the setting of the priority used for putting the packet into the sending queue: display priority-trust
Clear the statistics information: reset traffic-statistic { inbound | outbound } { all | ip-group { acl-number | acl-name } [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
For output and description of the related commands, see the Switch 7700 Command Reference Guide.
Figure 4 Traffic Limit and Line Rate Configuration (wage server 129.110.1.2 connected to GE7/0/1 of the switch, which connects to another switch)
Only the commands concerning QoS/ACL configuration are listed here. To create this configuration:
1 Define outbound traffic for the wage server. Enter name-based advanced ACL view for traffic-of-payserver.
[SW7700]acl name traffic-of-payserver advanced
Define the traffic-of-payserver rule in the advanced ACL.
[SW7700-acl-adv-traffic-of-payserver]rule 1 permit ip source 129.110.
For a 48-port module, the monitoring port and the monitored ports must all be among ports 1-24 or all among ports 25-48, and within each group only one mirroring group can be configured per direction.
[SW7700-acl-basic-2000]rule 0 permit ip source 1.0.0.2 0 time-range 3com
3 Relabel the ef priority for PC1 packets.
Enter QoS view.
[SW7700-GigabitEthernet7/0/1]qos
[SW7700-qosb-GigabitEthernet7/0/1]
Relabel the ef priority for PC1 packets.
[SW7700-qosb-GigabitEthernet7/0/1]traffic-priority inbound ip-group 1 dscp ef
Packet Redirection
In this example, packets sent from PC1 (IP 1.0.0.2) between 8:00 and 18:00 each day are redirected to port GE7/0/8.
[SW7700-qosb-GigabitEthernet7/0/1]traffic-redirect inbound ip-group 1 rule 0 interface gigabitethernet7/0/8
Queue Scheduling
Modify the correspondence between 802.1p priority levels and local priority levels to change the mapping between 802.1p priority levels and queues, that is, put packets into outbound queues according to the new mapping. Use the WRR algorithm, with weights of 5, 5, 10, 10, 15, 15, 9 and 9 respectively for the queues.
RED
Run the RED operation for packets sent between 8:00 and 18:00 every day from IP address 1.0.0.1 to port E3/0/8. RED is configured so that the queue length that triggers random discarding ranges from 64 Kbytes to 128 Kbytes, with a random discard probability of 20%. The 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X-SFP I/O modules do not support this configuration.
Figure 9 RED: E3/0/8; GE3/0/1 (VLAN2, 1.0.0.1/8); GE3/0/2 (VLAN3, 2.0.0.
The 20-Port 10/100/1000BASE-T and 20-Port 1000BASE-X-SFP I/O modules do not support this configuration.
Figure 10 Traffic Bandwidth: E3/0/8; GE3/0/1 (VLAN2, 1.0.0.1/8); GE3/0/2 (VLAN3, 2.0.0.1/8)
To create this configuration:
1 Define the time range 8:00 to 18:00.
[SW7700]time-range 3com 8:00 to 18:00 daily
2 Define traffic rules for the packets from IP addresses 1.0.0.1 and 2.0.0.1.
[SW7700]acl number 2000
[SW7700-acl-basic-2000]rule 0 permit ip source 1.0.0.1 0.0.0.
Configuring ACL Control 257
Figure 11 Traffic Statistics: GE7/0/8; GE7/0/1 (VLAN2, 1.0.0.1/8); GE3/0/2 (VLAN3, 2.0.0.1/8); PC1; PC2
To create this configuration:
1 Define the time range 8:00 to 18:00.
[SW7700]time-range 3com 8:00 to 18:00 daily
2 Define traffic rules for PC1 packets.
[SW7700]acl number 2000
[SW7700-acl-basic-2000]rule 0 permit ip source 1.0.0.1 0.0.0.0 time-range 3com
3 Count PC1 packets and view the statistics with the display command. Enter QoS view.
Configuring ACL Control for TELNET Users
By configuring ACL control over TELNET, you can filter malicious and illegitimate connection requests before password authentication and so improve device security. The steps to control TELNET users with an ACL are described in the following sections:
■ Defining an ACL
■ Importing an ACL
Defining an ACL
To implement the ACL control function, you can only call a numbered basic ACL, in the range 2000 to 2999.
Figure 12 Control TELNET Users With an ACL (the switch is reached from the Internet)
Use the following commands to control TELNET users with an ACL.
1 Define the basic ACL.
[SW7700]acl number 2000 match-order config
[SW7700-acl-basic-2000]rule 1 permit source 10.110.100.52 0
[SW7700-acl-basic-2000]rule 2 permit source 10.110.100.46 0
[SW7700-acl-basic-2000]quit
2 Call the ACL.
Table 28 Define a Numbered Basic ACL
Operation / Command
Import an ACL when configuring an SNMP group:
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
Import an ACL when configuring an SNMP username.
2 Import the basic ACL.
8 STP OPERATION
This chapter covers the following topics:
■ STP Overview
■ Configuring STP
■ MSTP Overview
■ Configuring MSTP
STP Overview
Spanning Tree Protocol (STP) is applied in a looped network to block undesirable redundant paths. Using STP avoids the proliferation and endless circulation of packets in a looped network. The fundamental feature of STP is that switches exchange packets called configuration Bridge Protocol Data Units (BPDUs) to determine the topology of the network.
264 CHAPTER 8: STP OPERATION
Designating Switches and Ports
A designated switch is the switch in charge of forwarding packets to the local switch, through a port called the designated port. For a LAN, the designated switch is the switch that forwards packets to the network segment through its designated port. As illustrated in Figure 1, Switch A forwards data to Switch B through Ethernet port 1/0/1, so for Switch B the designated switch is Switch A and the designated port is Ethernet 1/0/1 of Switch A.
Configuring STP 265
Generating the Configuration BPDU
When initialized, each port of each switch generates a configuration BPDU that takes the switch itself as the root, with a root path cost of 0, the designated switch ID set to the switch's own ID, and the designated port set to the port itself.
The comparison process on each switch is:
■ Switch A: Ethernet 1/0/1 receives the configuration BPDU from Switch B and finds that its local configuration BPDU has a higher priority than the received one, so it discards the received configuration BPDU. The configuration BPDU on Ethernet 1/0/2 is processed in a similar way.
calculation is launched again by new events, for example the link from Switch B to Switch C going down, or a port receiving a better configuration BPDU. Ethernet 1/0/1 receives the updated configuration BPDU {0, 5, 1, e1/0/4} from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, e1/0/4}. Meanwhile, Ethernet 1/0/5 receives the configuration BPDU from Switch A, but its own configuration BPDU is not updated and remains {0, 0, 0, e1/0/2}.
a transitional state mechanism is then adopted to ensure that the new configuration BPDU has propagated throughout the network before the root port and designated port begin to forward data again. That is, the root port and designated port undergo a transitional state for a period of Forward Delay before they enter the forwarding state.
MSTP Overview 269
Figure 4 MSTP Concepts (regions A0, B0 and C0 containing switches A, B, C and D exchange BPDUs; in each region VLAN 1 is mapped to Instance 1, VLAN 2 (and 3) to Instance 2, and other VLANs to the CIST; in region A0 the Instance 1 region root is B and the Instance 2 region root is C. CIST: Common and Internal Spanning Tree; MSTI: Multiple Spanning Tree Instance; CST: Common Spanning Tree)
Multiple Spanning Tree Instance (MSTI)
Multiple spanning trees can be generated in an MST region, independent of one another. Each of these spanning trees is called an MSTI.
MSTI Region Root
The MSTI region root is the root of an MSTI within an MST region. Each spanning tree in an MST region can have a different topology and a different region root.
Common Root Bridge
The common root bridge is the root bridge of the CIST.
Configuring MSTP 271
Figure 5 Port Roles
MSTP Principles
MSTP divides the entire Layer 2 network into several MST regions and calculates a CST for them. Multiple spanning trees are generated within a region, each of them called an MSTI. Instance 0 is called the IST; the others are called MSTIs.
CIST calculation
The CIST root is the highest-priority switch, elected from the switches on the entire network by comparing their configuration BPDUs.
■ Configuring the Path Cost of a Port
■ Configuring the Priority of a Port
■ Configuring the Port Connection with the Point-to-Point Link
■ Configuring the mCheck Variable of a Port
■ Configuring the Switch Security Function
■ Enabling MSTP on the Device
■ Enabling or Disabling MSTP on a Port
■ Displaying and Debugging MSTP
Only after MSTP is enabled on the device do the other configurations take effect.
Configuring the MST Region
Perform the following configuration in MST region view.
You can use the following commands to specify the current switch as the primary or secondary root of the spanning tree. Perform the following configuration in system view.
Table 4 Specify the Switch as Primary or Secondary Root Switch
Operation / Command
Specify the current switch as the primary root switch of the specified spanning tree.
region itself. In MSTP mode, the switch ports send MSTP packets (or STP packets when connected to an STP switch) and the switch provides the multiple spanning tree function. You can use the following command to configure the MSTP running mode. MSTP can interoperate with STP: if there is an STP switch in the switching network, use the command to configure the current MSTP switch to run in STP-compatible mode; otherwise, configure it to run in MSTP mode.
each time it is forwarded by a switch, the max hops value is reduced by 1, and a switch discards a configuration BPDU with 0 hops left. This makes it impossible for switches beyond the max hops to take part in the spanning tree calculation, thereby limiting the scale of the MST region. You can use the following command to configure the max hops in an MST region. Perform the following configuration in system view.
Configuring the Time Parameters of a Switch
The switch has three time parameters:
■ forward delay,
■ hello time, and
■ max age.
Forward delay governs the switch state transition mechanism. The spanning tree is recalculated upon link faults and its structure changes accordingly, but the recalculated configuration BPDU cannot be propagated throughout the network immediately.
A max age that is too short can cause the network device to recalculate the spanning tree frequently and mistake congestion for a link fault. If the max age is too long, the network device may not discover a link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capability of the network. The default value is recommended.
By default, the maximum transmission speed on every Ethernet port of the switch is 3.
Configuring a Port as an Edge Port
An edge port is a port that is not connected to any switch, either directly or indirectly over the connected network. You can configure a port as an edge port or non-edge port in the following ways.
Configuring in System View
Perform the following configuration in system view.
the traffic from different VLANs can run over different physical links, thereby implementing VLAN-based load balancing.
You can configure the path cost of a port in the following ways.
Configuring in System View
Perform the following configuration in system view.
Table 14 Configure the Path Cost of a Port
Operation / Command
Configure the path cost of a port: stp interface interface-list instance instance-id cost cost
Restore the default path cost of a port.
Configuring in Ethernet Port View
Perform the following configuration in Ethernet port view.
Table 17 Configure the Port Priority
Operation / Command
Configure the port priority: stp instance instance-id port priority priority
Restore the default port priority: undo stp instance instance-id port priority
For more about the commands, see the Switch 7700 Command Reference Guide. After a change of port priority, MSTP recalculates the port role and transitions the port state.
Table 19 Configure the Port Connection With the Point-to-point Link
Operation / Command
Configure MSTP to automatically detect whether the port is directly connected with a point-to-point link (the default): undo stp point-to-point
For more about the commands, see the Switch 7700 Command Reference Guide.
The command can be used only if the switch runs MSTP; it has no effect when the switch runs in STP-compatible mode.
Configuring the Switch Security Function
An MSTP switch provides BPDU protection, root protection and loop protection functions. On an access device, the access ports are mainly connected directly to user terminals or file servers, and are set as edge ports to implement fast transition.
Table 22 Configure the Switch Security Function
Operation / Command
Configure the switch loop protection function (from Ethernet port view): stp loop-protection
Restore the disabled loop protection state, the default (from Ethernet port view): undo stp loop-protection
After BPDU protection is configured, the switch uses MSTP to disable any edge port that receives a BPDU, and notifies the network manager at the same time. Such ports can be re-enabled only by the network manager.
Configuring in System View
Perform the following configuration in system view.
Table 24 Enable/Disable MSTP on a Port
Operation / Command
Enable MSTP on a port: stp interface interface-list enable
Disable MSTP on a port: stp interface interface-list disable
Restore the default MSTP state on the port: undo stp interface-list
Configuring in Ethernet Port View
Perform the following configuration in Ethernet port view.
9 AAA AND RADIUS OPERATION
This chapter covers the following topics:
■ IEEE 802.1x
■ Configuring the AAA and RADIUS Protocols
IEEE 802.1x
IEEE 802.1x (hereinafter simplified as 802.1x) is a port-based network access control protocol used as the standard for LAN user access authentication. In LANs that comply with IEEE 802 standards, a user can access devices and share resources in the LAN by connecting to a device such as a LAN switch.
288 CHAPTER 9: AAA AND RADIUS OPERATION
LANs) frame defined by IEEE 802.1x. Authentication data is encapsulated in the EAP frame, which is in turn encapsulated in packets of other upper-layer AAA protocols (e.g. RADIUS). This provides a channel through the complex network to the Authentication Server. This procedure is called EAP Relay. The Authenticator has two types of ports: the Uncontrolled Port and the Controlled Port.
IEEE 802.1x 289
The EAPoL-Encapsulated-ASF-Alert carries network management information and is terminated by the Authenticator. 802.1x provides an implementation solution for user ID authentication. However, 802.1x by itself is not enough to implement the scheme: the administrator of the access device must configure an AAA scheme, selecting RADIUS or local authentication, to assist 802.1x in implementing user ID authentication.
Perform the following configurations in system view or Ethernet port view.
Table 1 Enable/Disable 802.1x
Operation / Command
Enable 802.1x: dot1x [ interface interface-list ]
Disable 802.1x: undo dot1x [ interface interface-list ]
You can configure 802.1x on an individual port. The configuration takes effect as soon as 802.1x is enabled globally. By default, 802.1x authentication is not enabled globally or on any port.
Checking the Users that Log on to the Switch by Proxy
The following commands are used to check the users that log on by proxy. Perform the following configurations in system view or Ethernet port view.
■ EAP relay — the switch sends authentication information to the RADIUS server directly in the form of EAP packets, so that the RADIUS server never supports EAP authentication
Perform the following configurations in system view.
Table 7 Configure the Authentication Method for 802.1x Users
Operation / Command
Configure the authentication method for 802.
Perform the following configurations in system view.
Table 10 Configure Timers
Operation / Command
Configure timers: dot1x timer { quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value }
Restore the default settings of the timers: undo dot1x timer { quiet-period | tx-period | supp-timeout | server-timeout }
quiet-period: Specify the quiet timer. If an 802.
Perform the following configuration in system view.
Table 11 Enable/Disable a Quiet-Period Timer
Operation / Command
Enable the quiet-period timer: dot1x quiet-period
Disable the quiet-period timer: undo dot1x quiet-period
Displaying and Debugging 802.1x
Execute the display command in any view to display the VLAN configuration and verify it. Execute the reset command in user view to reset the 802.1x statistics.
The user name of the local 802.1x access user is localuser and the password is localpass (entered in plain text). The idle-cut function is enabled.
Figure 2 Enabling 802.1x and RADIUS to Perform AAA on the Requester (authentication servers: RADIUS server cluster IP addresses 10.11.1.1 and 10.11.1.2; the Requester connects to switch port E1/0/2; the switch acts as Authenticator and connects to the Internet)
The following examples cover most of the AAA/RADIUS configuration commands.
[SW7700-radius-radius1] timer realtime-accounting 15
10 Configure the system to transmit the user name to the RADIUS server after removing the domain name.
[SW7700-radius-radius1] user-name-format without-domain
[SW7700-radius-radius1] quit
11 Create the user domain 3com163.net and enter ISP configuration mode.
[SW7700] domain 3com163.net
12 Specify radius1 as the RADIUS server group for the users in the domain 3com163.net.
[SW7700-isp-3com163.
Configuring the AAA and RADIUS Protocols 297
As mentioned above, AAA is a management framework, so it can be implemented by several protocols; RADIUS is the one most frequently used. Remote Authentication Dial-In User Service (RADIUS) is a distributed information exchange protocol with a client/server architecture. RADIUS protects the network from unauthorized access, and it is often used in network environments that require both high security and remote user access.
Figure 3 Networking with Switch 7700 Applying RADIUS Authentication (an authentication server and an accounting server; several Switch 7700s serving PC user1 to PC user4 through ISP1 and ISP2, connected to the Internet)
Configuring the AAA and RADIUS Protocols is described in the following sections:
■ Configuring AAA
■ Configuring the RADIUS Protocol
■ Troubleshooting AAA and RADIUS
Configuring AAA
AAA configuration includes tasks that are described in the fol
complete set of exclusive ISP domain attributes on a per-ISP-domain basis, including the AAA policy (RADIUS server group applied, etc.). On the Switch 7700, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain. Perform the following configurations in system view.
Creating a Local User
A local user is a group of users set up on the NAS. The username is the unique identifier of a user. A supplicant requesting network service can use local authentication only if its corresponding local user has been added on the NAS. Perform the following configurations in system view.
Table 17 Set/Remove the Attributes Concerned with a Specified User
Operation / Command
Configure the attributes of lan-access users: attribute { ip ip-address | mac mac-address | idle-cut second | access-limit max-user-number | vlan vlanid | location { nas-ip ip-address port portnum | port portnum } }*
Remove the attributes defined for the lan-access users: undo attribute { ip | mac | idle-cut | access-limit | vlan | location }
Disconnecting a User by Force
Somet
■ Setting the Maximum Retransmitting Times of the Stop Accounting Request
■ Setting the Supported Type of RADIUS Server
■ Setting RADIUS Server State
■ Setting Username Format Transmitted to RADIUS Server
■ Setting the Unit of Data Flow that Transmitted to RADIUS Server
■ Configuring a Local RADIUS Server Group
■ Displaying and Debugging the AAA and RADIUS Protocols
■ Configuring FTP/Telnet User Authentication at Remote RADIUS Server
■ Configuring F
Perform the following configurations in RADIUS server group view.
Table 20 Set IP Address and Port Number of RADIUS Server
Operation / Command
Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ]
Restore the IP address and port number of the primary RADIUS authentication/authorization server to the default values: undo primary authentication
Setting the RADIUS Packet Encryption Key
The RADIUS client (the switch system) and the RADIUS server use the MD5 algorithm to encrypt the packets they exchange. The two ends verify the packets by means of the configured encryption key: only when the keys are identical can both ends accept each other's packets and respond. Perform the following configurations in RADIUS server group view.
By default, a RADIUS request packet is retransmitted up to three times.
Enabling the Selection of the RADIUS Accounting Option
If no RADIUS server is available, or the RADIUS accounting server fails, a user can still use the network resources when the accounting optional function is configured; otherwise, the user is disconnected. Perform the following configurations in RADIUS server group view.
Setting the Maximum Times of Real-time Accounting Request
The RADIUS server usually verifies that a user is online with a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS for a specified period, it stops accounting. Therefore, when some unpredictable failure occurs, it may be necessary to disconnect the user at both the NAS end and the RADIUS server.
the server responds or discards the messages. Use this command to set the maximum retransmission times. Perform the following configurations in RADIUS server group view.
Setting the Username Format Transmitted to the RADIUS Server
As mentioned before, clients are generally named in userid@isp-name format; the part following "@" is the ISP domain name. The Switch 7700 puts users into different ISP domains according to their domain name. However, some earlier RADIUS servers reject usernames that include the ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server.
When using the local RADIUS server function of the Switch 7700, remember that the UDP port used for authentication is 1812 and the one used for accounting is 1813.
Displaying and Debugging the AAA and RADIUS Protocols
After you configure RADIUS, execute the display command in any view to display the running AAA and RADIUS configuration and verify the effect of the configuration.
between the switch and the authentication server is "expert". The switch cuts the domain name off the username and sends the remaining part to the RADIUS server.
Figure 4 Configuring Remote RADIUS Authentication for Telnet Users (authentication server IP address 10.110.91.164; the Telnet user reaches the switch over the Internet)
1 Add a Telnet user. For details about configuring FTP and Telnet users, see "Configuring the User Interface" on page 12.
Troubleshooting AAA and RADIUS
The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It basically specifies how to exchange user information between the NAS and the ISP's RADIUS server. So it is likely to be invalid. Tasks for troubleshooting AAA and RADIUS are described in the following sections:
■ User authentication/authorization always fails
■ RADIUS packets cannot be transmitted to the RADIUS server.
10 RELIABILITY
This chapter covers the following topics:
■ VRRP Overview
■ Configuring VRRP
VRRP Overview
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route (for example 10.100.10.1 in Figure 1) is configured on every host on a network, so that packets destined for another network segment go through the default route to Layer 3 Switch1, implementing communication between the host and the external network.
314 CHAPTER 10: RELIABILITY
Figure 2 Virtual Router Network (a Master and a Backup switch with actual IP addresses 10.100.10.2 and 10.100.10.3 sharing virtual IP address 10.100.10.1; Host 1 10.100.10.7, Host 2 10.100.10.8 and Host 3 10.100.10.9 on the Ethernet)
This virtual router has its own IP address, 10.100.10.1, which can be the actual interface address of a switch within the virtual router. The switches within the virtual router also have their own IP addresses, such as 10.100.10.
Configuring VRRP 315
Perform the following commands in system view.
Table 1 Enable/Disable the Ping Function
Operation / Command
Enable pinging of the virtual IP address: vrrp ping-enable
Disable pinging of the virtual IP address: undo vrrp ping-enable
By default, ping response for the virtual IP address is disabled.
Setting Correspondence Between Virtual IP and MAC Addresses
This operation sets the virtual IP address to correspond to either the real or the virtual MAC address.
Perform the following configuration in VLAN interface view.
Table 3 Add/Delete a Virtual IP Address
Operation / Command
Add a virtual IP address: vrrp vrid virtual-router-ID virtual-ip virtual-address
Delete a virtual IP address: undo vrrp vrid virtual-router-ID [ virtual-ip virtual-address ]
Configuring the Priority of Switches
The status of each switch in the virtual router group is determined by its VRRP priority.
The delay ranges from 0 to 255 seconds. The default mode is preemption with a delay of 0 seconds.
Configuring Authentication Type and Authentication Key
To prevent unauthorized routers from joining the virtual router, a key can be configured that is used with one of the following VRRP authentication types:
■ Simple character authentication — the authentication type is set to simple. The switch adds the authentication key to VRRP packets before transmitting them.
Table 7 Configure VRRP Timer
Operation          Command
Clear VRRP timer   undo vrrp vrid virtual-router-ID timer advertise
By default, adver-interval is 1.
Configuring a Switch to Track an Interface
The VRRP track interface function expands the backup function by including other switch interfaces of participating routers. Backup is provided not only to the interface where the virtual router resides, but also to other switch interfaces of participating routers.
[Figure 3 VRRP Configuration: Host A (202.36.160.3) reaches the Internet and Host B (10.2.3.1) through Switch A (VLAN-interface2: 202.38.160.1, VLAN-interface3: 10.100.10.2) and Switch B (VLAN-interface2: 202.38.160.2); the virtual IP address is 202.38.160.111.]
Configure switch A:
[SW7700_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[SW7700_A-vlan-interface2] vrrp vrid 1 priority 110
Configure switch B:
[SW7700_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.
4 Set Master to send VRRP packets every 5 seconds.
[SW7700_A-vlan-interface2] vrrp vrid 1 timer advertise 5
5 Track an interface.
[SW7700_A-vlan-interface2] vrrp vrid 1 track vlan-interface 3 reduced 30
Configure switch B
1 Create a virtual router.
[SW7700_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
2 Set the authentication key for the virtual router.
[SW7700_B-vlan-interface2] vrrp vrid 2 priority 110
Troubleshooting VRRP
The configuration of VRRP is simple, so almost all troubleshooting can be done by viewing the configuration and debugging information. Here are some possible failures you might experience and the corresponding troubleshooting methods.
11 SYSTEM MANAGEMENT
This chapter covers the following topics:
■ File System
■ Managing the MAC Address Table
■ Managing Devices
■ Maintaining and Debugging the System
■ SNMP
■ RMON
■ NTP
■ SSH Terminal Services
File System
The Switch 7700 provides a file system module for efficient management with storage devices such as flash memory.
324 CHAPTER 11: SYSTEM MANAGEMENT
Perform the following operations in user view.
Table 1 Directory Operation
Operation                                               Command
Create a directory                                      mkdir directory
Delete a directory                                      rmdir directory
Display the current working directory                   pwd
Display the information about directories or files      dir [ / all ] [ file-url ]
Change the current directory                            cd directory
Managing Files
You can use the file system to delete, undelete, or permanently delete a file.
File System 325
Example: File System Operation
1 Format the flash.
format flash:
All sectors will be erased, proceed? [confirm] y
Format flash: completed
2 Display the working directory in the flash.
cd flash:/
pwd
flash:/
3 Create a directory named test.
mkdir test
4 Display the flash directory information after creating the test directory.
Perform the following configuration in all views.
FTP Server configuration includes tasks described in the following sections:
■ Enabling and Disabling the FTP Server
■ Configuring the FTP Server Authentication and Authorization
■ Configuring FTP Server Parameters
■ Displaying and Debugging the FTP Server
■ Introduction to FTP Client
Enabling and Disabling the FTP Server
You can use the following commands to enable or disable the FTP server. Perform the following configuration in system view.
Configuring FTP Server Parameters
You can use the following commands to configure the connection timeout of the FTP server. If the FTP server does not receive a service request from the FTP client for a period of time, it closes the connection, which prevents an idle session from being used by unauthorized users. Perform the following configuration in system view.
Managing the MAC Address Table 329
■ Downloading Files with TFTP
Configuring the File Transmission Mode
TFTP transmits files in two modes: binary mode for program files and ASCII mode for text files. Use the following commands to configure the file transmission mode. Perform the following configuration in system view.
Table 12 Configuring the File Transmission Mode
Operation                               Command
Configure the file transmission mode    tftp { ascii | binary }
By default, TFTP transmits files in binary mode.
destined for the same MAC address can be forwarded directly. If the MAC address cannot be found after broadcasting the packet, the switch will drop it and notify the transmitter that the packet did not arrive at the destination.
[Figure 1 The Switch 7700 Forwards Packets According to the MAC Address Table: a frame from MACD to MACA arrives on Port 1 and leaves on Port 2; the table holds MACA → port 1, MACB → port 1, MACC → port 2, MACD → port 2.]
The Switch 7700 also provides the function of MAC address aging.
Perform the following configuration in system view.
Setting MAC Address Aging Time
Setting an appropriate aging time implements MAC address aging. An aging time that is too long or too short causes the Ethernet switch to flood a large number of data packets, which degrades the switch's forwarding performance. If the aging time is set too long, the Ethernet switch keeps a great number of out-of-date MAC address entries.
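The learning, direct forwarding, flooding and aging behaviour described in the two passages above, as an added Python model (not code from the 3Com guide). The aging time, the port list and the MAC addresses below are constructed for the demonstration; the point is to see that a miss floods every other port and that an entry that is not refreshed within the aging time is dropped, after which the next frame to that destination floods again.

```python
"""MAC address table with learning, lookup, flooding on a miss, and aging.

Added example, not code from the 3Com guide: a small Python model of the
behaviour the text describes (learn source MAC -> ingress port, forward known
destinations directly, flood unknown ones, age out idle entries).  The aging
time and the constructed frames in demo() are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    aging_time: float            # seconds an entry may stay idle (assumed value)
    ports: tuple                 # all switch ports, used when flooding
    entries: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def learn(self, mac: str, port: int, now: float) -> None:
        """Record (or refresh) the ingress port of a source MAC."""
        self.entries[mac] = (port, now)

    def age(self, now: float) -> list:
        """Drop entries idle for longer than aging_time; return what was removed."""
        stale = [m for m, (_, seen) in self.entries.items()
                 if now - seen > self.aging_time]
        for m in stale:
            del self.entries[m]
        return stale

    def forward(self, src: str, dst: str, in_port: int, now: float) -> list:
        """Learn src, age the table, then return the egress port list for dst."""
        self.learn(src, in_port, now)
        self.age(now)
        if dst in self.entries:
            out, _ = self.entries[dst]
            return [] if out == in_port else [out]      # known: unicast (or filter)
        return [p for p in self.ports if p != in_port]  # unknown: flood


def demo() -> dict:
    """Constructed traffic showing learning, direct forwarding, and aging."""
    t = MacTable(aging_time=300.0, ports=(1, 2, 3))
    a, b = "00-e0-fc-00-00-0a", "00-e0-fc-00-00-0b"   # constructed addresses
    r = {}
    r["first"] = t.forward(a, b, 1, 0.0)     # b unknown: flood to ports 2 and 3
    r["reply"] = t.forward(b, a, 2, 1.0)     # a known on port 1: unicast
    r["known"] = t.forward(a, b, 1, 2.0)     # b known on port 2: unicast
    r["aged"] = t.age(400.0)                 # both idle > 300 s: removed
    r["after"] = t.forward(a, b, 1, 401.0)   # b unknown again: flood
    return r


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

A table that never ages keeps stale entries for hosts that moved ports, while one that ages too fast forgets active hosts and floods their traffic to every port; `demo()` shows both the refresh and the flood-after-expiry cases.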
Execute the debugging command in user view to debug MAC address table configuration.
00-e0-fc-17-a7-d6   1   Learned   Ethernet1/0/2   300
00-e0-fc-5e-b1-fb   1   Learned   Ethernet1/0/2   300
00-e0-fc-55-f1-16   1   Learned   Ethernet1/0/2   300
Managing Devices
With device management, the Switch 7700 displays the current state and event debugging information about the slots and physical devices. In addition, there is a command for rebooting the system when a function failure occurs.
Managing Devices 335
Resetting a Slot
The Switch 7700 allows the administrator to reset a slot in the system. Perform the following configuration in user view.
Table 24 Resetting a Slot
Operation      Command
Reset a slot   reboot [ slot slot-num ]
The parameter slot-num ranges from 0 to 6. Setting the parameter to 0 resets the fabric module, taking the same effect as resetting the entire system. Setting the parameter from 1 through 6 resets the I/O modules in the corresponding slots.
The default setting is 1 (8G to slots 1 and 2, 4G to slots 3-6).
Displaying Devices
Execute the display command in all views to display the device management configuration, and to verify the configuration.
Maintaining and Debugging the System 337
Setting the Time Zone
You can configure the name of the local time zone, and the time difference between the local time and the standard Universal Time Coordinated (UTC). Perform the following commands in user view.
Table 30 Setting the Time Zone
Operation                               Command
Set the local time                      clock timezone zone_name { add | minus } HH:MM:SS
Restore to the default UTC time zone    undo clock timezone
By default, the UTC time zone is set.
Enabling and Disabling Terminal Debugging
The Switch 7700 provides various ways for debugging most of the supported protocols and functions. The following switches control the outputs of debugging information:
■ The protocol debugging switch controls debugging output of a protocol.
■ The terminal debugging switch controls debugging output on a specified user screen.
Figure 3 illustrates the relationship between the two switches.
For more about the usage and format of the debugging commands, refer to the appropriate chapters. Since the debugging output affects the system's operating efficiency, do not enable debugging commands unnecessarily, and use the debugging all command with particular caution. When the debugging is over, disable all debugging.
Displaying Diagnostic Information
You can collect information about the switch to locate the source of faults.
Tracert Command
Tracert is used for testing the gateways from the source host to the destination. It is used for checking if the network is connected and analyzing where faults occur in the network. The following list provides the tracert execution process:
1 Tracert sends a packet with a TTL value of 1.
2 The first hop sends back an ICMP error message indicating that the packet cannot be forwarded because its TTL has expired.
3 Tracert re-sends the packet with a TTL value of 2.
For the above configuration, the log host is not configured on the switch. All other configurations will take effect after enabling the logging function.
Enabling and Disabling the Logging Function
You can use the following commands to enable or disable the logging function. Perform the following operation in system view.
Table 37 Enable/Disable the Logging Function
Operation                        Command
Enable the logging function.     info-center enable
Disable the logging function.
Table 38 Log Output (continued)
Operation                                                             Command
Cancel the source address setting for the packets sent to loghost     undo info-center loghost source
Configure to output the information to the trap buffer.               info-center trapbuffer [ size buffersize ] [ channel { channel-number | channel-name } ]
Disable the output of the information to the trap buffer.             undo info-center trapbuffer [ channel | size ]
Configure to output the information to SNMP.
Use the following commands to define the filtering rules of the channels. Perform the following operation in system view.
local4.crit	/var/log/SW7700/config
# SW7700 security messages:
local5.notice	/var/log/SW7700/security
Pay attention to the following points when editing the file “/etc/syslog.conf”:
■ A comment must start on a fresh line and begin with a pound sign (#).
■ Use a tab character, not spaces, to separate the selector/action pairs.
■ No trailing spaces may follow the name of the file.
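A small checker for the three editing rules above, added here as an example rather than taken from the 3Com guide. Classic syslogd silently ignores a rule whose selector and action are separated by spaces or whose file name carries trailing whitespace, so the switch's security messages would never reach /var/log/SW7700/security; running a lint like this before restarting syslogd catches that. The sample file is constructed: the facilities local4/local5 and the two paths come from the guide's example, the other two rules are assumed.

```python
"""Lint a BSD-style /etc/syslog.conf against the rules listed above.

Added example, not from the 3Com guide.  It checks that comment lines start
at column 1 with '#', that selector and action are separated by a tab rather
than spaces, and that no trailing whitespace follows the file name.
"""
import re

# selector <tab(s)> action, e.g. "local5.notice\t/var/log/SW7700/security"
SELECTOR_RE = re.compile(r"^([\w*,;.=!]+)\t+(\S+)$")
SPACE_SEP_RE = re.compile(r"^[\w*,;.=!]+ +\S+$")


def lint_syslog_conf(text: str) -> list:
    """Return (line_number, problem) tuples; an empty list means the file is clean."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue                                   # blank lines are fine
        stripped = line.lstrip()
        if stripped.startswith("#"):
            if stripped != line:
                problems.append((n, "comment must start at column 1"))
            continue
        if line != line.rstrip():
            problems.append((n, "trailing whitespace after the file name"))
            line = line.rstrip()
        if SELECTOR_RE.match(line):
            continue
        if SPACE_SEP_RE.match(line):
            problems.append((n, "selector and action separated by spaces, not a tab"))
        else:
            problems.append((n, "unrecognised line"))
    return problems


# Constructed sample: the first two rules follow the guide, the last two do not.
SAMPLE = (
    "# SW7700 configuration messages\n"
    "local4.crit\t/var/log/SW7700/config\n"
    "# SW7700 security messages\n"
    "local5.notice\t/var/log/SW7700/security\n"
    "local6.info   /var/log/SW7700/info\n"        # spaces instead of a tab
    "local7.debug\t/var/log/SW7700/debug \n"      # trailing space after the path
)

if __name__ == "__main__":
    for lineno, why in lint_syslog_conf(SAMPLE):
        print(f"line {lineno}: {why}")
```

The checker reports only the rules the guide lists; it does not validate facility or priority names, so a misspelt facility would still pass.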
SNMP 345 Displaying and Debugging the Syslog Function After performing the syslog configuration, execute the display command in all views to display the configuration and to verify the effect of the configuration. Execute the reset command in user view to clear the statistics of the syslog module. Execute the debugging command in user view to debug the syslog module. Perform the following configuration in system view.
SNMP Versions and Supported MIB
To uniquely identify the management variables of a device in SNMP messages, SNMP adopts a hierarchical naming scheme to identify the managed objects. The scheme is a tree in which each node represents a managed object, as shown in the figure below, so an object can be identified by the unique path from the root to its node.
■ Setting the Community Name
■ Enabling and Disabling the SNMP Agent to Send a Trap
■ Setting the Destination Address of a Trap
■ Setting the Lifetime of the Trap Message
■ Setting SNMP Information
■ Setting the Engine ID of a Local or Remote Device
■ Setting and Deleting an SNMP Group
■ Setting the Source Address of the Trap
■ Adding and Deleting a User to or from an SNMP Group
■ Creating and Updating View Information or Deleting a View
■ Setting the Size of an SNMP Packet Sent o
Perform the following configuration in system view.
Perform the following configuration in system view.
Table 49 Setting SNMP System Information
Operation                                                        Command
Set SNMP system information                                      snmp-agent sys-info { contact sysContact | location syslocation | version { { v1 | v2c | v3 }* | all } }
Restore the default SNMP system information of the Ethernet switch   undo snmp-agent sys-info [ { contact | location }* | version { { v1 | v2c | v3 }* | all } ]
By default, syslocation is specified as “Marlborough MA”.
Setting the Source Address of the Trap
Use the following commands to set or remove the source address of the trap. Perform the following configuration in system view.
The agent can receive or send SNMP packets ranging from 484 bytes to 17940 bytes. By default, the size of an SNMP packet is 1500 bytes. Perform the following configuration in system view.
Table 58 Displaying and Debugging SNMP (continued)
Operation                                              Command
Display the current community name                     display snmp-agent community [ read | write ]
Display the current MIB view                           display snmp-agent mib-view [ exclude | include | viewname mib-view ]
Display the contact character string of the system     display snmp-agent sys-info contact
Display the location character string of the system    display snmp-agent sys-info location
Display the
Example: SNMP Configuration
RMON 353
[SW7700-vlan2] port ethernet 2/0/3
[SW7700-vlan2] interface vlan 2
[SW7700-Vlan-interface2] ip address 129.102.0.1 255.255.255.0
5 Set the administrator ID, contact and the physical location of the Ethernet switch.
[SW7700] snmp-agent sys-info contact Mr.Smith-Tel:3306
[SW7700] snmp-agent sys-info location telephone-closet,3rd-floor
6 Enable the SNMP agent to send the trap to the Network Management Station whose IP address is 129.102.149.23. The SNMP community is public.
Configuring RMON
RMON configuration includes tasks described in the following sections:
■ Adding and Deleting an Entry to or from the Alarm Table
■ Adding and Deleting an Entry to or from the Event Table
■ Adding and Deleting an Entry to or from the History Control Table
■ Adding and Deleting an Entry to or from the Extended RMON Alarm Table
■ Adding and Deleting an Entry to or from the Statistics Table
■ Displaying the RMON Configuration
Adding and Deleting
Use the following commands to add or delete an entry to or from the history control table. Perform the following configuration in Ethernet port view.
Displaying the RMON Configuration
Execute the display command in all views to display the RMON configuration, and to verify the configuration.
NTP 357
NTP
As the network topology gets more and more complex, it becomes important to synchronize the clocks of the equipment on the entire network. Network Time Protocol (NTP) is a TCP/IP feature that advertises the accurate time throughout the network. NTP ensures the consistency of the following applications:
■ Synchronizing the clock between two systems for incremental backup between the backup server and client.
The system clocks are synchronized as follows:
■ Ethernet Switch A sends an NTP packet to Ethernet Switch B. The packet carries the timestamp 10:00:00am (T1) that tells when it left Ethernet Switch A.
■ When the NTP packet arrives at Ethernet Switch B, Ethernet Switch B adds a local timestamp 11:00:01am (T2) to it.
■ When the NTP packet leaves Ethernet Switch B, Ethernet Switch B adds another local timestamp 11:00:02am (T3) to it.
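The arithmetic that turns the four timestamps of this exchange into a clock offset and a round-trip delay, as an added Python example (not code from the 3Com guide). T1, T2 and T3 are the values printed above; T4, the time by Switch A's own clock at which the reply arrives, is not shown on this page and is assumed to be 10:00:03 here. The formulas are the standard NTP ones: offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2).

```python
"""Clock offset and round-trip delay from the four NTP timestamps.

Added example, not code from the 3Com guide.  T1..T3 come from the text;
T4 (arrival of the reply at Switch A, by A's clock) is assumed = 10:00:03.
"""
from datetime import time


def seconds(t: time) -> float:
    """Seconds since midnight, so timestamps can be subtracted."""
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def ntp_offset_delay(t1: time, t2: time, t3: time, t4: time) -> tuple:
    """Return (offset, delay) in seconds.

    offset = ((T2 - T1) + (T3 - T4)) / 2  : how far B's clock is ahead of A's,
                                            assuming a symmetric path
    delay  = (T4 - T1) - (T3 - T2)        : round trip minus B's processing time
    """
    a, b, c, d = map(seconds, (t1, t2, t3, t4))
    offset = ((b - a) + (c - d)) / 2
    delay = (d - a) - (c - b)
    return offset, delay


def guide_exchange() -> tuple:
    """The Switch A / Switch B exchange from the text (T4 is an assumed value)."""
    t1 = time(10, 0, 0)    # packet leaves A (A's clock)
    t2 = time(11, 0, 1)    # packet arrives at B (B's clock)
    t3 = time(11, 0, 2)    # reply leaves B (B's clock)
    t4 = time(10, 0, 3)    # reply arrives at A (A's clock), assumed
    return ntp_offset_delay(t1, t2, t3, t4)


if __name__ == "__main__":
    off, dly = guide_exchange()
    print(f"offset = {off:.0f} s, round-trip delay = {dly:.0f} s")
```

With the assumed T4 the result is an offset of 3600 s (Switch B is one hour ahead, matching the timestamps in the text) and a round-trip delay of 2 s; Switch A corrects its clock by the offset, which is why the delay term is only used to judge the quality of the sample.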
local switch will operate in broadcast mode. If you configure an interface on the local switch to receive NTP broadcast packets, the local switch will operate in broadcast client mode. If you configure an interface on the local switch to transmit NTP multicast packets, the local switch will operate in multicast mode. If you configure an interface on the local switch to receive NTP multicast packets, the local switch will operate in multicast client mode.
Perform the following configurations in system view.
This command can only be configured on the interface where the NTP broadcast packets are received.
Configuring NTP Multicast Server Mode
Designate an interface on the local switch to transmit NTP multicast packets. In this case, the local equipment operates in multicast mode and serves as a multicast server that multicasts messages to its clients regularly. Perform the following configurations in VLAN interface view.
Perform the following configurations in system view.
Table 71 Configuring NTP Authentication
Operation                    Command
Enable NTP authentication    ntp-service authentication enable
Disable NTP authentication   undo ntp-service authentication enable
Setting the NTP Authentication Key
This configuration task sets the NTP authentication key. Perform the following configurations in system view.
An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also designates a transmitting interface, the interface designated by that command is used instead.
Setting the NTP Master Clock
This configuration task sets the external reference clock or the local clock as the NTP master clock. Perform the following configurations in system view.
Table 77 Setting the Authority to Access a Local Ethernet Switch
Operation                                                         Command
Cancel settings of the authority to access a local Ethernet switch   undo ntp-service access { query | synchronization | serve | peer }
The IP address ACL number is specified through the acl-number parameter and ranges from 2000 to 2999. The meanings of the other authority levels are as follows:
■ query: Allow control query for the local NTP service only.
■ Configuring NTP Multicast Mode
■ Configuring Authentication-Enabled NTP Server Mode
Configuring NTP Servers
On SW77001, set the local clock as the NTP master clock at stratum 2. On SW77002, configure SW77001 as the time server in server mode and set the local equipment in client mode.
[Figure 8 Typical NTP Configuration Networking Diagram: switches SW77000, SW77001, SW77002, SW77003, SW77004 and SW77005.]
Configure the Switch SW77001:
1 Enter system view.
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 0.00 ms
reference time: 00:00:00.000 UTC Jan 1 1900(00000000.00000000)
After the synchronization, SW77002 turns into the following status:
[SW77002] display ntp-service status
clock status: synchronized
clock stratum: 8
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Configuring NTP Peers
On SW77003, set the local clock as the NTP master clock at stratum 2. On SW77002, configure SW77001 as the time server in server mode and set the local equipment in client mode. At the same time, SW77005 sets SW77004 as its peer. See Figure 3-3.
Configure Ethernet Switch SW77003:
1 Enter system view.
system-view
2 Set the local clock as the NTP master clock at stratum 2.
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.94 ms
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112)
By this time, SW77004 has been synchronized by SW77005 and it is at stratum 2, or higher than SW77005 by 1. Display the sessions of SW77004 and you will see that SW77004 has been connected with SW77005.
Configure Ethernet Switch SW77004:
1 Enter system view.
system-view
2 Enter Vlan-interface2 view.
[SW77004] interface vlan-interface 2
[SW77004-Vlan-Interface2] ntp-service broadcast-client
Configure Ethernet Switch SW77001:
1 Enter system view.
system-view
2 Enter Vlan-interface2 view.
**************************************************************************
[12345]127.127.1.0 LOCAL(0) 7 377 64 57 0.0 0.0 1.0
[5]1.0.1.11 0.0 0.0.0.0 16 0 64 - 0.0 0.0
[5]128.108.22.44 0.0 0.0.0.0 16 0 64 - 0.0 0.0
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured
Configuring NTP Multicast Mode
SW77003 sets the local clock as the master clock at stratum 2, and multicasts packets from Vlan-interface2.
SSH Terminal Services 371 segments, SW77001 cannot receive the multicast packets from SW77003, while SW77004 is synchronized by SW77003 after receiving the multicast packet. Configuring Authentication-Enabled NTP Server Mode SW77001 sets the local clock as the NTP master clock at stratum 2. SW77002 sets SW77001 as its time server in server mode and itself in client mode and enables authentication. See Figure 1-2. Configure Ethernet Switch SW77001: 1 Enter system view.
[Figure 9 Setting up SSH channels in LAN: 1 Switch running SSH server; 2 PC running SSH client; 3 Ethernet LAN.]
In Figure 9, the VLAN for the Ethernet port must be configured with VLAN interfaces and an IP address. The communication process between the server and client includes the following five stages:
■ Version negotiation: The client sends the TCP connection request to the server.
which compares it with the local authentication data. If the data match, the user is allowed to access the switch. Otherwise, the authentication process fails.
■ Session request: The client sends session request messages to the server, which processes the request messages.
■ Interactive session: Both ends exchange data until the session ends. Session packets are encrypted in transfer and the session key is generated randomly.
Configuring and Cancelling a Local RSA Key Pair
If an RSA host key pair already exists when you run this command, the system warns you that the existing key pair will be replaced. The server key pair is created dynamically by the SSH server. The maximum length of both key pairs is 2048 bits and the minimum is 512 bits. Perform the following configurations in system view.
Defining the SSH Authentication Timeout Value
Perform the following configurations in system view.
Table 84 Defining the SSH Authentication Timeout Value
Operation                                      Command
Define the SSH authentication timeout value    ssh server timeout seconds
Restore the default timeout value              undo ssh server timeout
By default, the timeout value for SSH authentication is 60 seconds.
Perform the following configurations in the public key view.
Table 87 Starting/terminating Public Key Editing
Operation                        Command
Enter public key edit view       public-key-code begin
Terminate public key edit view   public-key-code end
Quit public key view             peer-public-key end
Associating a Public Key with an SSH User
Perform the following configurations in system view.
Figure 10 PuTTY Configuration for Basic Options
1 Enter the IP address of the switch in the Host Name (or IP Address) text box. You can also input the IP address of an interface in UP state, but its route to the SSH client PC must be reachable.
2 Select the SSH protocol radio button.
3 To select the SSH version, select Connection > SSH in the Category menu. The window in Figure 11 displays.
Figure 11 PuTTY Configuration for SSH Version
4 Select the 1 radio button.
5 To enable RSA authentication, you must specify the RSA private key file, which is not required for password authentication. Select SSH > Auth to enable RSA authentication.
Figure 12 PuTTY Configuration for RSA Authentication
6 Click Browse to select the RSA private key file. Click OK.
7 Click Open to enter the SSH client interface. If it runs normally, you are prompted to enter the username and password.
8 Enter the username and password and press Enter.
9 Log out of the SSH connection with the logout command.
SSH Configuration Example
See Figure 13 for an illustration of the local connection configuration from the SSH client to the switch. The client uses the SSH protocol to access the switch.
SSH Terminal Services 381
[SW7700-key-code]C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[SW7700-key-code]BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[SW7700-key-code]public-key-code end
[SW7700-rsa-public]peer-public-key end
[SW7700]ssh user client002 assign rsa-key key002
You need to specify the RSA private key which corresponds to the public key for the SSH user client002. Run the SSH1.