HP High-End Firewalls Network Management Configuration Guide Part number: 5998-2627 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Interface management configuration
    Interface management overview
    Managing interfaces in the web interface
Configuring a MAC address table in the web interface
    Adding a MAC address entry
    Setting the aging time of MAC address entries
    MAC address table configuration example
Viewing frame forwarding statistics
DHCP overview
    Introduction
DHCP client configuration
    Introduction to DHCP client
    Enabling the DHCP client on an interface
Configuring ARP entries
    Configuring ARP entries in the web interface
    Configuring ARP entries in the CLI
    Configuring gratuitous ARP
Configuration procedure
Displaying and maintaining static routes
Basic static route configuration example
RIP configuration
BGP configuration
    Configuring BGP in the web interface
    Configuration prerequisites
Configuration task list
Enabling IP multicast routing
Configuring multicast routing and forwarding
MSDP configuration
    MSDP configuration task list
    Configuring basic functions of MSDP
Interface management configuration Interface management overview An interface is the point of interaction or communication between network devices. It is used for exchanging data between network devices. A physical interface is an interface that materially exists and is supported by a network device. For example, an Ethernet interface or an AUX interface is a physical interface. A logical interface is an interface that can implement data switching but does not exist physically.
Figure 1 Interface management
To view the statistics of an interface, click the interface name in the interface name list to enter the page shown in Figure 2.
Creating an interface
Select Device Management > Interface from the navigation tree to enter the page shown in Figure 1. Click Add to enter the page for creating interfaces, as shown in Figure 3.
Figure 3 Create an interface
Table 1 Configuration items of creating an interface
Set the name for the interface or its subinterface.
IP Config: Set how the interface obtains an IP address:
• None—Assigns no IP address to the interface.
• Static Address—Manually assigns an IP address to the interface. After selecting this option, you must manually set the IP Address/Mask and Secondary IP Address/Mask options.
• DHCP—Enables the interface to obtain an IP address through DHCP.
• BOOTP—Enables the interface to obtain an IP address through BOOTP.
Figure 4 Modify interface information
Table 2 Configuration items of editing an interface
Interface Type: Set the interface type. Select an interface type in the drop-down list.
Working Mode: Set the interface to work in bridge mode or router mode. A loopback interface operates only in router mode. Before configuring an IP address for the interface, make sure the interface is configured to work in router mode.
Interface management configuration example
Network requirements
Manage the loopback interfaces and port GigabitEthernet 0/1 on Device A shown in Figure 5.
Figure 5 Network diagram for interface management (Host A 1.1.1.2/24; Device A GE0/0 1.1.1.3/24 and GE0/1 1.1.2.3/24; Device B)
Configuration procedure
1. Create an interface
# From Host A, create an interface on Device A.
• Select Device Management > Interface from the navigation tree and then click Add.
• Set the interface name to Loopback1.
# From Host A, view the interface list of Device A.
• Select Device Management > Interface from the navigation tree.
• View the Status column of the GigabitEthernet 0/1 row. In this case, the status icon displayed in the GigabitEthernet 0/1 row indicates that GigabitEthernet 0/1 has been shut down. You can click the icon to bring up GigabitEthernet 0/1.
# From Host A, view the interface statistics of Device A.
• Select Device Management > Interface from the navigation tree.
• Full-duplex mode (full)—Interfaces operating in this mode can send and receive packets simultaneously. • Half-duplex mode (half)—Interfaces operating in this mode cannot send and receive packets simultaneously. • Auto-negotiation mode (auto)—Interfaces operating in this mode negotiate a duplex mode with their peers. Similarly, you can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its peer.
Shut down the Ethernet subinterface: shutdown. Optional; by default, an Ethernet subinterface is in the up state.
NOTE: For the local and remote Ethernet subinterfaces to transmit traffic correctly, configure them with the same subinterface number and VLAN ID.
Configuring the link mode of an Ethernet interface
According to the layer at which the firewall processes received data packets, Ethernet interfaces can operate in bridge or route mode.
Configuring a Layer 2 Ethernet interface or subinterface
Layer 2 Ethernet interface or subinterface configuration task list
Complete these tasks to configure an Ethernet interface or subinterface operating in bridge mode:
• Configuring storm suppression: Optional. Applicable to Layer 2 Ethernet interfaces and Ethernet subinterfaces.
• Configuring jumbo frame support: Optional. Applicable to Layer 2 Ethernet interfaces.
• Configuring the MDI mode for an Ethernet interface: Optional. Applicable to Layer
Follow these steps to configure jumbo frame support on an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Configure jumbo frame support: jumboframe enable [ value ]. By default, the firewall allows jumbo frames within the specified length to pass through all Layer 2 Ethernet interfaces.
Configuring the MDI mode for an Ethernet interface
NOTE: Fiber ports do not support this function.
Configuring a Layer 3 Ethernet interface or subinterface
Layer 3 Ethernet interface or subinterface configuration task list
Complete these tasks to configure Layer 3 Ethernet interfaces or subinterfaces:
• Setting the MTU for an Ethernet interface or subinterface: Optional. Applicable to Layer 3 Ethernet interfaces and subinterfaces.
• Configuring link change suppression interval on an Ethernet interface
• Configuring loopback testing on an Ethernet interface: Optional. Applicable to Layer 3 Ethernet
Set the link change suppression interval: timer hold seconds. Optional; 10 seconds by default.
NOTE: You can increase the polling interval to reduce network instability due to time delay or heavy congestion.
Configuring loopback testing on an Ethernet interface
If an Ethernet interface does not work normally, you can enable loopback testing on it to identify the problem.
data packets sent to the loopback interface are considered as packets sent to the firewall itself, so the firewall does not forward these packets. Because a loopback interface is always up, it can be used for some other special purposes. For example, if no router ID is configured for a dynamic routing protocol, the highest loopback interface IP address is selected as the router ID.
Enter null interface view: interface null 0. Required. Interface Null 0 is the default null interface on your firewall; it cannot be manually created or removed.
Set a description for the null interface: description text. Optional. By default, the description of a null interface is in the format "interface name Interface".
IP addressing configuration NOTE: You can configure IP addresses in the web interface or the CLI. For more information about the IP address configuration procedure in the web, see the chapter “Interface management configuration.” This chapter introduces how to configure IP addresses in the CLI only. IP addressing overview IP address classes IP addressing uses a 32-bit address to identify each host on a network.
Table 3 IP address classes and ranges
Class A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at startup for temporary communication; this address is never a valid destination address.
Class B: 128.0.0.0 to 191.255.255.255.
Class C: 192.0.0.0 to 223.255.255.255.
Class D: 224.0.0.0 to 239.255.255.255. Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255. Reserved for future use, except for the broadcast address 255.255.255.255.
Subnetting increases the number of addresses that cannot be assigned to hosts, because every subnet consumes its own network address and broadcast address. Using subnets therefore means accommodating somewhat fewer hosts. For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.
• Without subnetting: 65,534 hosts (2^16 – 2). (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.
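The host-count arithmetic above, carried through in code. This is an added example, not part of the configuration guide: the function splits any IPv4 block into a requested number of equal subnets and reports how many usable host addresses are lost to the extra network and broadcast IDs. The 172.16.0.0/16 block is a constructed Class B example.

```python
"""Subnetting arithmetic from the Class B example, generalised to any IPv4
block.  Added example; not part of the configuration guide."""
import ipaddress
import math


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses in the block minus the all-zero network ID and the all-one broadcast ID."""
    return max(net.num_addresses - 2, 0)


def subnet_plan(network: str, subnet_count: int) -> dict:
    """Split `network` into at least `subnet_count` equal subnets.

    Returns the new prefix length and mask, the number of subnets, the usable
    hosts per subnet and in total, and how many host addresses are lost
    compared with the unsubnetted block.
    """
    net = ipaddress.ip_network(network, strict=False)
    extra_bits = math.ceil(math.log2(subnet_count))   # subnet-ID bits borrowed from the host ID
    new_prefix = net.prefixlen + extra_bits
    if new_prefix > 30:
        raise ValueError("each subnet must keep at least 2 host bits")
    subnets = list(net.subnets(new_prefix=new_prefix))
    per_subnet = usable_hosts(subnets[0])
    total = sum(usable_hosts(s) for s in subnets)
    return {
        "prefix": new_prefix,
        "mask": str(subnets[0].netmask),
        "subnets": len(subnets),
        "hosts_per_subnet": per_subnet,
        "usable_hosts": total,
        "lost_to_subnetting": usable_hosts(net) - total,
    }


if __name__ == "__main__":
    # The text's case: a Class B network (/16) subnetted into 512 subnets (constructed block).
    print(subnet_plan("172.16.0.0/16", 512))
```

For the /16 block split into 512 subnets the plan is /25 (mask 255.255.255.128), 126 hosts per subnet, 64,512 usable hosts in total, and 1022 addresses lost to subnetting, matching the figure quoted in the text.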
IP addressing configuration example
Network requirements
As shown in Figure 8, Ten-GigabitEthernet 0/0.1 on the Firewall is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the Firewall, and to enable the hosts on the LAN to communicate with each other, perform the following configurations:
• Assign a primary IP address and a secondary IP address to Ten-GigabitEthernet 0/0.
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The output shows that the Firewall can communicate with the hosts on subnet 172.16.1.0/24.
# Ping a host on subnet 172.16.2.0/24 from the Firewall to check the connectivity.
ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.
VLAN configuration
Introduction to VLAN
VLAN overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detection (CSMA/CD) mechanism. Because the medium is shared, collisions and excessive broadcasts are common on Ethernet networks. To address this, the virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 9.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued by the Institute of Electrical and Electronics Engineers (IEEE) in 1999. In the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address is the Type field indicating the upper layer protocol type, as shown in Figure 10. Figure 10 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 11.
The web interface is available only for port-based VLANs, and this chapter only describes port-based VLANs. Port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: • An access port belongs to only one VLAN and usually connects to a user device.
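An added example, not code from the guide, that parses and builds the tagged frame layout described above and applies the access, trunk, and hybrid egress rules. The TPID value 0x8100, the TCI bit layout (3-bit PCP, 1-bit DEI, 12-bit VID), and the trunk and hybrid handling are taken from IEEE 802.1Q and the usual Comware port semantics rather than from the text; the frames are constructed.

```python
"""IEEE 802.1Q tag handling: parse a frame, insert or strip the 4-byte tag
that follows the DA and SA fields, and apply access/trunk/hybrid egress
rules.  Added example; the frames below are constructed, not captured."""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that takes the place of the Type field


def mac_str(raw: bytes) -> str:
    """Render a MAC address in the hhhh-hhhh-hhhh form used by the firewall CLI."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into DA, SA, optional 802.1Q tag, type and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12])}
    (tpid_or_type,) = struct.unpack("!H", frame[12:14])
    if tpid_or_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=ethertype, payload=frame[18:])
    else:
        info.update(tagged=False, pcp=None, dei=None, vid=None,
                    ethertype=tpid_or_type, payload=frame[14:])
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a VLAN tag after the DA&SA field; refuses to double-tag."""
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the VLAN tag, restoring the traditional frame layout."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def egress_action(vid: int, link_type: str, pvid: int,
                  permitted=frozenset(), untagged=frozenset()) -> str:
    """How a port sends a frame of VLAN `vid`: 'untagged', 'tagged' or 'drop'.

    access: carries only its PVID, untagged.  trunk: PVID untagged, other
    permitted VLANs tagged.  hybrid: `untagged` is the untagged member list
    and `permitted` the tagged member list (the two columns of Table 7).
    """
    if link_type == "access":
        return "untagged" if vid == pvid else "drop"
    if link_type == "trunk":
        if vid not in permitted:
            return "drop"
        return "untagged" if vid == pvid else "tagged"
    if link_type == "hybrid":
        if vid in untagged:
            return "untagged"
        return "tagged" if vid in permitted else "drop"
    raise ValueError(f"unknown link type {link_type}")


# Constructed frames: a broadcast ARP request from 000f-e235-dc71 in VLAN 100
# with PCP 1 (TCI 0x2064), and the same frame without the tag.
TAGGED_FRAME = (bytes.fromhex("ffffffffffff" "000fe235dc71")
                + struct.pack("!HH", TPID_8021Q, 0x2064)
                + bytes.fromhex("0806") + bytes(28))
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "000fe235dc71" "0806") + bytes(28)

if __name__ == "__main__":
    print(parse_frame(TAGGED_FRAME))
    print(egress_action(100, "trunk", pvid=1, permitted={1, 100}))
```

Because the tag sits between the SA and the Type field, any filter that reads the EtherType at offset 12 sees 0x8100 on tagged frames and must step over the tag, which is why the parser branches on the TPID before anything else.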
Configuring a VLAN in the web interface
Configuration task list
Perform the tasks in Table 4 to configure a VLAN:
Table 4 VLAN configuration task list
Creating a VLAN: Required.
Modifying a VLAN: Required; select either this task or Modifying a port. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.
Modifying a port: Required; select either this task or Modifying a VLAN.
Creating a VLAN
Select Network > VLAN > VLAN from the navigation tree to enter the page as shown in Figure 12.
Return to VLAN configuration task list. Modifying a VLAN Select Network > VLAN > VLAN from the navigation tree to enter the page as shown in Figure 12. In the Operation column for the VLAN you want to modify, click the icon to enter the page for modifying the VLAN, as shown in Figure 14. Figure 14 Modify a VLAN Table 6 Configuration items of modifying a VLAN Item Description ID Displays the ID of the VLAN to be modified. Description Set the description string of the VLAN.
Figure 15 Port configuration page
In the Operation column, click the icon for the port to be modified to enter the page for modifying the port, as shown in Figure 16.
Figure 16 Modify a port
Table 7 Configuration items of modifying a port
Port: Displays the port to be modified.
Untagged Member VLAN: Displays the VLAN(s) to which the port belongs as an untagged member.
Tagged Member VLAN: Displays the VLAN(s) to which the port belongs as a tagged member.
• Configure GigabitEthernet 1/1 and GigabitEthernet 1/2 to permit packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass through.
Figure 17 Network diagram for VLAN configuration
Configuration procedure
1. Configure Device A
# Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
• Select Network > VLAN > VLAN from the navigation tree. On the VLAN configuration page that appears, click Add.
• On the VLAN adding page that appears, enter VLAN IDs 2, 6-50, 100.
• Click Apply.
Enter VLAN view: vlan vlan-id. Required. By default, only the default VLAN (VLAN 1) exists in the system. If the specified VLAN does not exist, this command creates the VLAN first.
Configure a name for the VLAN: name text. Optional. By default, the name of a VLAN is its VLAN ID, for example, VLAN 0001.
Configure the description of the VLAN: description text. Optional. By default, the description of a VLAN is its VLAN ID, for example, VLAN 0001.
Shut down the VLAN interface: shutdown. Optional. By default, a VLAN interface is in the up state: it is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down. A VLAN interface shut down with the shutdown command, however, stays in the DOWN (Administratively) state until you bring it up, regardless of how the state of the ports in the VLAN changes.
[Firewall-Vlan-interface5] ip address 192.168.0.10 24
[Firewall-Vlan-interface5] quit
# Create VLAN-interface 10 and configure its IP address as 192.168.1.20/24.
[Firewall] interface vlan-interface 10
[Firewall-Vlan-interface10] ip address 192.168.1.20 24
[Firewall-Vlan-interface10] return
b. Configure PC A
Configure the default gateway of the PC as 192.168.0.10.
c. Configure PC B
Configure the default gateway of the PC as 192.168.1.20.
3. Verification
a. The PCs can ping each other.
b.
Assigning an access port to a VLAN
1. Enter Ethernet interface view (interface interface-type interface-number) or Layer 2 aggregate interface view. Required; use either command. The configuration made in Ethernet interface view applies only to the port; the configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports.
2. Configure the link type of the ports as access.
3. Assign the access ports to a VLAN.
Assigning a trunk port to a VLAN
1. Enter Ethernet interface view (interface interface-type interface-number) or Layer 2 aggregate interface view. Required; use either command. The same scope rules apply: Ethernet interface view affects only the port, Layer 2 aggregate interface view affects the aggregate interface and its aggregation member ports.
Assigning a hybrid port to a VLAN
1. Enter Ethernet interface view (interface interface-type interface-number) or Layer 2 aggregate interface view. Required; use either command, with the same scope rules as above.
2. Configure the link type of the ports as hybrid.
Figure 19 Network diagram for port-based VLAN configuration
2. Configuration procedure
a. Configure Firewall A
# Create VLAN 100, and assign port GigabitEthernet 0/1 to VLAN 100.
system-view
[FirewallA] vlan 100
[FirewallA-vlan100] port GigabitEthernet 0/1
[FirewallA-vlan100] quit
# Create VLAN 200, and assign port GigabitEthernet 0/2 to VLAN 200.
GigabitEthernet0/3
Untagged Ports: GigabitEthernet0/1
[FirewallA-GigabitEthernet0/3] display vlan 200
VLAN ID: 200
VLAN Type: static
Route Interface: not configured
Description: VLAN 0200
Name: VLAN 0200
Broadcast MAX-ratio: 100%
Tagged Ports: GigabitEthernet0/3
Untagged Ports: GigabitEthernet0/2
Displaying and maintaining VLAN
To do...
MAC address table configuration NOTE: • The MAC address table can contain only Layer 2 Ethernet ports. • This document covers only the configuration of static, dynamic, and blackhole MAC address table entries. The configuration of multicast MAC address entries is not introduced here. Overview An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast. This table describes from which port a MAC address (or host) can be reached.
You can manually add MAC address entries to the MAC address table of the device to bind specific user devices to a port. Because manually configured entries take precedence over dynamically learned ones, a frame carrying a forged source MAC address cannot move the entry to the attacker's port, which prevents attackers from intercepting traffic by spoofing MAC addresses.
Types of MAC address table entries
A MAC address table can contain the following types of entries:
• Static entries, which are manually added and never age out.
Configuring a MAC address table in the web interface Adding a MAC address entry Select Network > MAC > MAC from the navigation tree to enter the MAC address entry list page, as shown in Figure 21. Figure 21 MAC address entry list page Click Add to enter the MAC address entry adding page, as shown in Figure 22. Figure 22 Add a MAC address entry Table 8 Configuration items of adding a MAC address entry Item Description MAC MAC address to be added.
Type: Set the type of the MAC address entry:
• Static—Static MAC address entries that never age out.
• Dynamic—Dynamic MAC address entries that will age out.
• Blackhole—Blackhole MAC address entries that never age out.
IMPORTANT: The tab displays the following types of MAC address entries:
• Config static—Static MAC address entries manually configured by the users.
• Config dynamic—Dynamic MAC address entries manually configured by the users.
• Select static in the Type drop-down list.
• Select 1 in the VLAN drop-down list.
• Select GigabitEthernet0/1 in the Port drop-down list.
• Click Apply.
Configuring a MAC address table in the CLI
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
NOTE:
• The MAC address table can contain only Layer 2 Ethernet ports and Layer 2 aggregate interfaces. Support for MAC address table configuration on ports and interfaces varies with device models.
Add or modify a static or dynamic MAC address entry: mac-address { dynamic | static } mac-address vlan vlan-id. Required. Make sure you have created the VLAN and assigned the interface to the VLAN.
Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries, both for security and for efficient use of table space.
• The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device. • The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so that all packets destined for the host will be dropped.
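An added example, not the firewall's own implementation, that models the MAC address table behaviour the requirements above rely on: a static entry for Host A that source-address learning cannot override, a blackhole entry for Host B, and an aging timer for dynamic entries. The 300-second aging value, the port GigabitEthernet0/3 used by the spoofing host, and the dynamic host 000f-e235-0002 are constructed for the example.

```python
"""Toy MAC address table with static, dynamic and blackhole entries,
reproducing the configuration example: a static entry pins Host A to
GigabitEthernet 0/1 so a forged source MAC cannot move it, and a blackhole
entry drops everything destined for Host B.  Added example, not the
firewall's implementation."""
import re


class MacTable:
    def __init__(self, aging_seconds=300):      # aging value is an assumption
        self.aging = aging_seconds
        self.entries = {}                        # (mac, vlan) -> {"type", "port", "seen"}

    @staticmethod
    def norm(mac: str) -> str:
        """Accept hhhh-hhhh-hhhh (CLI form) or colon/dot separated input."""
        digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
        if len(digits) != 12:
            raise ValueError(f"bad MAC address {mac!r}")
        return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"

    def add_static(self, mac, vlan, port):
        """Static entry (Table 8 type 'Static'): bound to one port, never ages out."""
        self.entries[(self.norm(mac), vlan)] = {"type": "static", "port": port, "seen": None}

    def add_blackhole(self, mac, vlan):
        """Blackhole entry: frames destined for this MAC are dropped, never ages out."""
        self.entries[(self.norm(mac), vlan)] = {"type": "blackhole", "port": None, "seen": None}

    def learn(self, src_mac, vlan, in_port, now) -> bool:
        """Source-address learning.  Returns False when a static or blackhole
        entry already exists: manually configured entries take precedence, so
        a spoofed source MAC does not re-point the entry at the attacker's port."""
        key = (self.norm(src_mac), vlan)
        current = self.entries.get(key)
        if current and current["type"] != "dynamic":
            return False
        self.entries[key] = {"type": "dynamic", "port": in_port, "seen": now}
        return True

    def age(self, now):
        """Drop dynamic entries not refreshed within the aging time."""
        for key, e in list(self.entries.items()):
            if e["type"] == "dynamic" and now - e["seen"] > self.aging:
                del self.entries[key]

    def forward(self, dst_mac, vlan, now) -> str:
        """Destination lookup: the outgoing port, 'drop' (blackhole) or 'flood' (unknown)."""
        self.age(now)
        e = self.entries.get((self.norm(dst_mac), vlan))
        if e is None:
            return "flood"
        if e["type"] == "blackhole":
            return "drop"
        return e["port"]


def run_example() -> dict:
    """Walk through the example's requirements plus a spoofing attempt."""
    table = MacTable(aging_seconds=300)
    table.add_static("000f-e235-dc71", 1, "GigabitEthernet0/1")      # Host A, from the example
    table.add_blackhole("000f-e235-abcd", 1)                          # Host B, from the example
    table.learn("000f-e235-0002", 1, "GigabitEthernet0/2", now=0)     # constructed dynamic host
    # Attacker on GigabitEthernet0/3 (constructed) sends frames with Host A's source MAC.
    spoof_moved = table.learn("000f-e235-dc71", 1, "GigabitEthernet0/3", now=10)
    return {
        "spoof_moved_entry": spoof_moved,
        "host_a_port": table.forward("000f-e235-dc71", 1, now=10),
        "to_host_b": table.forward("000f-e235-abcd", 1, now=10),
        "to_dynamic_host_before_aging": table.forward("000f-e235-0002", 1, now=100),
        "to_dynamic_host_after_aging": table.forward("000f-e235-0002", 1, now=400),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Without the static entry, the spoofed frame from GigabitEthernet0/3 would simply overwrite the dynamic entry and traffic for Host A would be delivered to the attacker until Host A next transmitted; the blackhole entry is what makes the drop unconditional rather than dependent on which port last spoke.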
MSTP Configuration
Overview
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network while still allowing for link redundancy. Like many other protocols, STP evolves as networks grow. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes the characteristics of STP, RSTP, and MSTP and the relationship among them.
Root port On a non-root bridge, the port nearest to the root bridge is called the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port. Designated bridge and designated port The following table describes designated bridges and designated ports.
How STP works The devices on a network exchange BPDUs to identify the network topology. Configuration BPDUs contain sufficient information for the network devices to complete spanning tree calculation. Important fields in a configuration BPDU include: • Root bridge ID: consisting of the priority and MAC address of the root bridge. • Root path cost: the path cost to the root bridge. • Designated bridge ID: consisting of the priority and MAC address of the designated bridge.
NOTE: The following are the principles of configuration BPDU comparison: • The configuration BPDU that has the lowest root bridge ID has the highest priority. • If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. Assume that the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the smallest S value has the highest priority.
Figure 26 Network diagram for the STP algorithm
• Initial state of each device
The following table shows the initial state of each device. Each configuration BPDU is written as {root bridge ID, root path cost, designated bridge ID, designated port ID}.
Table 13 Initial state of each device
Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}
Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
• Comparison process and result on each device
The following table shows the comparison process and result on each device.
Device B:
• Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1 to {0, 0, 0, AP1}.
• Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}.
Device C, after comparison:
• The root path cost of CP2 is 9 (the root path cost in the received BPDU, 5, plus the path cost of CP2, 4), which is smaller than the root path cost of CP1, 10 (the root path cost in the received BPDU, 0, plus the path cost of CP1, 10). The BPDU of CP2 is therefore elected as the optimum BPDU and CP2 is elected as the root port; its BPDU is not changed.
generate configuration BPDUs with itself as the root and send out the BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity. However, the newly calculated configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path.
point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment. The Rapid Spanning Tree Protocol (RSTP) is an optimized version of STP. RSTP allows a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP. As a result, it takes a shorter time for the network to converge.
Figure 28 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. These devices have the following characteristics: • All are MSTP-enabled, • They have the same region name, • They have the same VLAN-to-MSTI mapping configuration, • They have the same MSTP revision level configuration, and • They are physically linked with one another.
VLAN-to-MSTI mapping table As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 28, for example, the VLAN-to-MSTI mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-MSTI mapping table. IST An internal spanning tree (IST) is a spanning tree that runs in an MST region.
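An added example, not code from the guide, showing how MSTP bridges actually test the three region attributes above: the region name and revision level are compared directly, and the VLAN-to-MSTI mapping is compared through a 16-byte HMAC-MD5 digest of the 4096-entry mapping table that travels in BPDUs. The digest key and table layout are taken from IEEE 802.1s (now IEEE 802.1Q clause 13.7), not from the text. The mapping is the one from the configuration example later in this chapter (region "example", revision 0, VLAN 10 to MSTI 1, VLAN 30 to MSTI 3, VLAN 40 to MSTI 4), plus a constructed mistyped mapping; one wrong VLAN on one device is enough to place it in a different region.

```python
"""Compare MST configuration identifiers the way MSTP bridges decide region
membership: same region name, same revision level, same VLAN-to-MSTI
mapping, with the mapping compared through its HMAC-MD5 digest.
Added example; key and table layout follow IEEE 802.1s, not the guide."""
import hashlib
import hmac

# Fixed signature key defined by the standard for the configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_msti_table(mapping: dict) -> bytes:
    """Encode the 4096-element table (2 octets per VLAN ID, VID 0..4095).
    VLANs not listed stay in the CIST (MSTI 0), which is the default."""
    table = [0] * 4096
    for vid, msti in mapping.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"invalid MSTI {msti}")
        table[vid] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_config_digest(mapping: dict) -> bytes:
    """HMAC-MD5 of the table with the standard's key: the 16 bytes carried in BPDUs."""
    return hmac.new(MST_DIGEST_KEY, vlan_to_msti_table(mapping), hashlib.md5).digest()


def mst_config_id(region_name: str, revision: int, mapping: dict) -> tuple:
    """The MST configuration identifier (name, revision, digest) that bridges compare."""
    if len(region_name.encode()) > 32:
        raise ValueError("region name is at most 32 octets")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision level is a 16-bit value")
    return (region_name, revision, mst_config_digest(mapping))


def same_region(a: tuple, b: tuple) -> bool:
    """True when two (name, revision, mapping) configurations belong to one MST region."""
    return mst_config_id(*a) == mst_config_id(*b)


# The region from the configuration example: name "example", revision 0,
# VLAN 10 -> MSTI 1, VLAN 30 -> MSTI 3, VLAN 40 -> MSTI 4 (Device A and Device D).
DEVICE_A = ("example", 0, {10: 1, 30: 3, 40: 4})
DEVICE_D = ("example", 0, {10: 1, 30: 3, 40: 4})
MISTYPED = ("example", 0, {10: 1, 30: 3, 40: 3})   # constructed: VLAN 40 mapped to the wrong MSTI

if __name__ == "__main__":
    print(mst_config_digest(DEVICE_A[2]).hex().upper())
    print(same_region(DEVICE_A, DEVICE_D), same_region(DEVICE_A, MISTYPED))
```

The digest, not the mapping itself, is what a neighbour sees, so two devices with different mappings that happen to collide would be treated as one region; with HMAC-MD5 over an 8192-byte table that is not a practical concern, but it is why a region name and revision level are carried alongside it.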
the common root bridge of the entire switched network is located in region A0, the first port of that device in region D0 is the boundary port of region D0. Roles of ports MSTP calculation involves these port roles: root port, designated port, master port, boundary port, alternate port, backup port, and so on. • Root port: a port responsible for forwarding data to the root bridge. • Designated port: a port responsible for forwarding data to the downstream network segment or device.
• Forwarding: the port learns MAC addresses and forwards user traffic;
• Learning: the port learns MAC addresses but does not forward user traffic;
• Discarding: the port neither learns MAC addresses nor forwards user traffic.
NOTE: A port can have different port states in different MSTIs. A port state is not exclusively associated with a port role. Table 15 lists the port state(s) supported by each port role.
In addition to basic MSTP functions, the device provides the following functions for ease of management: • Root bridge hold • Root bridge backup • Root guard • BPDU guard • Loop guard • TC-BPDU guard • Support for the hot swapping of interface boards and switchover of the active and standby main boards Protocols and standards • IEEE 802.1d, Spanning Tree Protocol • IEEE 802.1w, Rapid Spanning Tree Protocol • IEEE 802.
Figure 30 MSTP region
Click Modify to enter the MSTP Region Configuration page, as shown in Figure 31.
Figure 31 Modify an MSTP region
Table 17 Configuration items of configuring an MST region
Region Name: MST region name. By default, the MST region name is the bridge MAC address of the firewall.
Revision Level: Revision level of the MST region.
Manual:
• Instance ID—ID of the MSTI to be configured.
• VLAN ID—VLAN IDs to be mapped to the MSTI.
Return to MSTP configuration task list. Configuring MSTP globally Select Network > MSTP > Global from the navigation tree to enter the Global MSTP Configuration page, as shown in Figure 32. Figure 32 Configure MSTP globally Table 18 Configuration items of configuring MSTP globally Item Description Whether to enable STP globally: Enable STP Globally • Enable—Globally enable STP. • Disable—Globally disable STP. Other MSTP configurations can take effect only after you enable STP globally.
Item Description Whether to enable BPDU guard globally: • Enable—Globally enable BPDU guard. BPDU Guard • Disable—Globally disable BPDU guard. BPDU guard can protect the firewall from malicious BPDU attacks, thus making the network topology stable. STP can operate in the following mode: • STP—All ports of the firewall send out STP BPDUs. • RSTP—All ports of the firewall send out RSTP BPDUs.
Item Description 1. Instance ID ID of the MSTI to be configured 2. Root Type Role of the firewall in the MSTI: • Not Set—The bridge role is not set. • Primary—Configure the firewall as the root bridge. Instance • Secondary—Configure the firewall as a secondary root bridge. After specifying the firewall as the primary root bridge or a secondary root bridge, you cannot change the priority of the firewall. 3.
Table 19 Configuration items of configuring MSTP on a port Item Description Whether to enable STP on the port: STP Status • Enable—Enable STP on the port. • Disable—Disable STP on the port. Type of protection enabled on the port: Protection Type • Not Set—no protection is enabled on the port. • Edged Port, Root Protection, Loop Protection—For more information, see Table 20.
Protection type: Description
Root Protection: Enable the root guard function. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and a network topology change to occur. The root guard function is used to address such a problem.
Loop Protection: Enable the loop guard function.
Configuration procedure
1. Configure Device A.
# Configure an MST region.
• Log in to Device A. Select Network > MSTP > Region from the navigation tree and then click Modify.
• Configure the region name as example.
• Set the revision level to 0.
• Select the Manual radio button.
• Select 1 in the Instance ID drop-down list.
• Set the VLAN ID to 10.
• Click Apply.
• Repeat the steps above to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4.
• Click Activate.
# Configure MSTP globally.
• Set the Instance ID field to 4. • Set the Root Type field to Primary. • Click Apply. 4. Configure Device D. # Configure an MST region. (The procedure here is the same as that of configuring an MST region on Device A.) # Configure MSTP globally. • Select Network > MSTP > Global from the navigation tree. • Select Enable in the Enable STP Globally drop-down list. • Select MSTP in the Mode drop-down list. • Click Apply.
Task   Remarks
Configuring the port priority   Optional
Configuring the mode a port uses to recognize/send MSTP packets   Optional
Enabling the spanning tree feature   Required
Configuring protection functions   Optional
Complete the following tasks to configure RSTP:
Task   Remarks
Configuring the root bridge: Setting the spanning tree mode   Required. Configure the device to work in RSTP mode.
Task   Remarks
Configuring protection functions   Optional
Complete the following tasks to configure MSTP:
Task   Remarks
Configuring the root bridge / Configuring the leaf nodes: Setting the spanning tree mode   Optional. By default, the device works in MSTP mode.
NOTE: • The spanning tree configurations are mutually exclusive with any of the following functions on a port: service loopback, RRPP, Smart Link, and BPDU tunneling. • The spanning tree configurations made in system view take effect globally. Configurations made in Ethernet interface view take effect on the interface only. Configurations made in Layer 2 aggregate interface view take effect only on the aggregate interface.
To do...   Use the command...   Remarks
Enter MST region view   stp region-configuration   —
Configure the MST region name   region-name name   Optional. The MST region name is the MAC address by default.
Map VLANs to an MSTI   instance instance-id vlan vlan-list   Optional. Use either command.
specified multiple secondary root bridges for an instance, when the root bridge fails, the secondary root bridge with the lowest MAC address is selected as the new root bridge. 1. Configuring the current device as the root bridge of a specific spanning tree Follow these steps to configure the current device as the root bridge of a specific spanning tree: To do... Use the command...
To do...   Use the command...   Remarks
Configure the priority of the current device (in STP/RSTP mode)   stp priority priority   Required. Use either command. 32768 by default.
Configure the priority of the current device (in MSTP mode)   stp [ instance instance-id ] priority priority
NOTE:
• After configuring a device as the root bridge or a secondary root bridge, you cannot change the priority of the device.
NOTE:
• Based on the network diameter you configured, the system automatically sets an optimal hello time, forward delay, and max age for the device.
• In MSTP mode, each MST region is considered as a device, and the configured network diameter is effective only for the CIST (or the common root bridge), not for MSTIs.
Configuring spanning tree timers
The following timers are used for spanning tree calculation:
• Forward delay: the delay time for port state transition.
NOTE:
• The length of the forward delay timer is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay timer is too short, temporary redundant paths may be introduced. If the forward delay timer is too long, it may take a long time for the network to converge. HP recommends that you use the default setting.
NOTE: The higher the maximum port rate is, the more BPDUs are sent within each hello time, and the more system resources are used. By setting an appropriate maximum port rate, you can limit the rate at which the port sends BPDUs and prevent spanning tree protocols from using excessive network resources when the network becomes unstable. HP recommends that you use the default setting.
To do...   Use the command...   Remarks
Specify a standard for the device to use when calculating the default path costs of its ports   stp pathcost-standard { dot1d-1998 | dot1t | legacy }   Optional. legacy by default.
CAUTION: If you change the standard that the device uses in calculating the default path costs, you restore the path costs to the default.
NOTE: When calculating path cost for an aggregate interface, IEEE 802.
Link speed   Port type   IEEE 802.1d-1998   IEEE 802.1t   Private standard
1000 Mbps   Single port   4   20,000   20
1000 Mbps   Aggregate interface containing 2 Selected ports   4   10,000   18
1000 Mbps   Aggregate interface containing 3 Selected ports   4   6666   16
1000 Mbps   Aggregate interface containing 4 Selected ports   4   5000   14
10 Gbps   Single port   2   2000   2
10 Gbps   Aggregate interface containing 2 Selected ports   2   1000   1
10 Gbps   Aggregate interface containing 3 Selected ports   2   666   1
10 Gbps   Aggregate interface containing 4 Selected ports   2   500   1
NOTE: When the path cost of a port changes, the system re-calculates the role of the port and initiates a state transition. 3. Configuration example # In MSTP mode, specify the device to calculate the default path costs of its ports by using IEEE 802.1d-1998, and set the path cost of GigabitEthernet 0/3 to 200 on MSTI 2.
To do...   Use the command...   Remarks
Configure the port link type   stp point-to-point { auto | force-false | force-true }   Required. By default, the link type is auto, and the port automatically detects the link type.
NOTE:
• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that works in full duplex mode. HP recommends that you use the default setting and let the device automatically detect the port link type.
Enabling the spanning tree feature
You must enable the spanning tree feature on the device before any other spanning tree related configurations can take effect.
1. Enabling the spanning tree feature (in STP/RSTP/MSTP mode)
In STP/RSTP/MSTP mode, make sure that the spanning tree feature is enabled globally and on the desired ports. Follow these steps to enable the spanning tree feature in STP/RSTP/MSTP mode:
To do...   Use the command...
Follow these steps to perform mCheck in interface view:
To do...   Use the command...   Remarks
Enter system view   system-view   —
Enter Ethernet interface view or Layer 2 aggregate interface view   interface interface-type interface-number   —
Perform mCheck   stp mcheck   Required
NOTE: An mCheck operation takes effect on a device that operates in MSTP or RSTP mode.
Configuring Digest Snooping
As defined in IEEE 802.
NOTE:
• With the Digest Snooping feature enabled, comparison of the configuration digest is not needed for the in-the-same-region check, so the VLAN-to-instance mappings must be the same on associated ports.
• With global Digest Snooping enabled, modification of VLAN-to-instance mappings and removal of the current region configuration using the undo stp region-configuration command are not allowed. You can only modify the region name and revision level.
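The following Python program is an added illustration, not part of this guide or of the firewall software. It computes the MST configuration digest that the in-the-same-region check compares on received BPDUs, and shows what Digest Snooping changes: it builds the 4096-entry VLAN-to-instance table and applies HMAC-MD5 under the fixed key defined in IEEE 802.1s. The region name "example" and the VLAN-to-instance mappings are those of this chapter's MSTP configuration example; same_region() is a hypothetical helper standing in for the check a bridge performs, with the digest comparison skipped when Digest Snooping is on.

```python
import hmac
import hashlib

# Signature key fixed by IEEE 802.1s for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_instance_table(mappings):
    """Build the 4096-entry VLAN-to-MSTI table that is digested: one 16-bit
    big-endian MSTI per VLAN ID 0..4095, every unmapped VLAN in MSTI 0 (the CIST)."""
    table = bytearray(4096 * 2)
    for vlan, msti in mappings.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        table[2 * vlan:2 * vlan + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(mappings):
    """HMAC-MD5 of the table under the fixed key; this 16-byte value is carried in
    the MST configuration identifier of every MSTP BPDU."""
    digest = hmac.new(MST_DIGEST_KEY, vlan_to_instance_table(mappings), hashlib.md5)
    return digest.hexdigest().upper()


def same_region(local, remote, digest_snooping=False):
    """Hypothetical region check on a received BPDU: region name, revision level and
    digest must all match. With Digest Snooping the digest is ignored, which is why
    the VLAN-to-instance mappings must be kept identical on both ends by hand."""
    name_a, rev_a, digest_a = local
    name_b, rev_b, digest_b = remote
    if name_a != name_b or rev_a != rev_b:
        return False
    return True if digest_snooping else digest_a == digest_b


if __name__ == "__main__":
    # Mappings from this chapter's example: VLAN 10 -> MSTI 1, VLAN 30 -> MSTI 3, VLAN 40 -> MSTI 4.
    example = {10: 1, 30: 3, 40: 4}
    print("default (all VLANs in CIST) digest:", mst_config_digest({}))
    print("example region digest:", mst_config_digest(example))
    # A peer that only mapped VLAN 10 and 30 is a different region unless Digest Snooping hides it.
    peer = mst_config_digest({10: 1, 30: 3})
    print("same region:", same_region(("example", 0, mst_config_digest(example)), ("example", 0, peer)))
    print("same region with Digest Snooping:",
          same_region(("example", 0, mst_config_digest(example)), ("example", 0, peer), digest_snooping=True))
```

The default digest (no VLAN mapped to any MSTI) is the value every standards-compliant bridge reports for an empty configuration, so it doubles as a check that the table layout and key are right.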
# Enable Digest Snooping on GigabitEthernet 0/1 of Firewall B and enable global Digest Snooping on Firewall B.
If the upstream device is a third-party device, the rapid state transition implementation may be limited. For example, when the upstream device uses a rapid transition mechanism similar to that of RSTP, and the downstream device adopts MSTP and does not work in RSTP mode, the root port on the downstream device receives no agreement packet from the upstream device and sends no agreement packets to the upstream device.
[Firewall-GigabitEthernet0/1] stp no-agreement-check Configuring protection functions A spanning tree device supports the following protection functions: • BPDU guard • Root guard • Loop guard • TC-BPDU guard 1. Configuration prerequisites The spanning tree feature has been correctly configured on the device. 2. Enabling BPDU guard For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers.
with this port in the MSTI). If the port receives no BPDUs with a higher priority within twice the forward delay, it reverts to its original state. Configure root guard on a designated port. Follow these steps to enable root guard:
To do...   Use the command...
With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the device can perform within a fixed period (10 seconds). For TC-BPDUs received in excess of the limit, the device performs a single forwarding address entry flush when the period expires. This prevents frequent flushing of forwarding address entries. Follow these steps to enable TC-BPDU guard:
To do...   Use the command...
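The following Python simulation is an added example, not part of this guide or of the firewall's implementation, of the flush rate limit described above: within a 10-second period, TC-BPDUs beyond the threshold do not each flush the forwarding table but are collapsed into one flush when the period ends. The threshold of 6 used as a default and the arrival times fed in are assumptions made for the illustration; the guide states only the period.

```python
class TcBpduGuard:
    """Simulated TC-BPDU guard: per period (10 s, as on the page) at most `threshold`
    TC-BPDUs trigger an immediate forwarding-address flush; any further TC-BPDUs in
    the same period are collapsed into a single flush done when the period expires."""

    PERIOD = 10.0

    def __init__(self, threshold=6):   # default threshold is an assumption
        self.threshold = threshold
        self.period_start = None       # None while no period is running
        self.immediate = 0             # immediate flushes used in the current period
        self.deferred = False          # an excess TC-BPDU is waiting for the period end
        self.flushes = []              # timestamps of every flush performed

    def _expire(self, now):
        """Close the running period if `now` is past its end, doing the deferred flush."""
        if self.period_start is not None and now >= self.period_start + self.PERIOD:
            if self.deferred:
                self.flushes.append(self.period_start + self.PERIOD)
            self.period_start, self.immediate, self.deferred = None, 0, False

    def on_tc_bpdu(self, now):
        """Handle one received TC-BPDU; returns True if it caused an immediate flush."""
        self._expire(now)
        if self.period_start is None:
            self.period_start = now    # first TC-BPDU opens a new period
        if self.immediate < self.threshold:
            self.immediate += 1
            self.flushes.append(now)
            return True
        self.deferred = True           # over the limit: one flush at period end, not per BPDU
        return False

    def advance(self, now):
        """Let time pass without traffic so a deferred flush can fire; returns all flushes."""
        self._expire(now)
        return list(self.flushes)


def simulate(tc_times, threshold, end_time):
    """Constructed TC-BPDU arrival times -> list of flush times."""
    guard = TcBpduGuard(threshold)
    for t in tc_times:
        guard.on_tc_bpdu(t)
    return guard.advance(end_time)


if __name__ == "__main__":
    # Six TC-BPDUs in six seconds with a threshold of 3: three immediate flushes plus
    # one at the end of the period, instead of six (a TC-BPDU flood costs 4 flushes).
    print(simulate([0, 1, 2, 3, 4, 5], 3, 12))
```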
To do...   Use the command...   Remarks
Display the root bridge information of all MSTIs   display stp root   Available in any view
Clear the spanning tree statistics   reset stp [ interface interface-list ]   Available in user view
MSTP configuration example
Network requirements
As shown in Figure 39:
• All devices on the network are in the same MST region. Device A and Device B work at the distribution layer. Firewall and Device C work at the access layer.
system-view [DeviceA] stp region-configuration [DeviceA-mst-region] region-name example [DeviceA-mst-region] instance 1 vlan 10 [DeviceA-mst-region] instance 3 vlan 30 [DeviceA-mst-region] instance 4 vlan 40 [DeviceA-mst-region] revision-level 0 # Activate MST region configuration. [DeviceA-mst-region] active region-configuration [DeviceA-mst-region] quit # Specify the current device as the root bridge of MSTI 1. [DeviceA] stp instance 1 root primary # Enable the spanning tree feature globally.
[Firewall-mst-region] quit
# Specify the current device as the root bridge of MSTI 4.
[Firewall] stp instance 4 root primary
# Enable the spanning tree feature globally.
[Firewall] stp enable
5. Configuration on Device C.
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0.
[Firewall] display stp brief
 MSTID  Port                 Role  STP State   Protection
 0      GigabitEthernet0/1   DESI  FORWARDING  NONE
 0      GigabitEthernet0/2   ROOT  FORWARDING  NONE
 0      GigabitEthernet0/3   DESI  FORWARDING  NONE
 1      GigabitEthernet0/1   ROOT  FORWARDING  NONE
 1      GigabitEthernet0/2   ALTE  DISCARDING  NONE
 4      GigabitEthernet0/3   DESI  FORWARDING  NONE
# Display brief spanning tree information on Device C.
• After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device. • If two or more devices have been designated to be root bridges of the same spanning tree instance, MSTP will select the device with the lowest MAC address as the root bridge. • The values of forward delay, hello time, and max age are interdependent. Inappropriate settings of these values may cause network flapping.
Layer 2 forwarding configuration Layer 2 forwarding overview Layer 2 forwarding involves general, inline, and inter-VLAN Layer 2 forwarding. The former two are supported on physical ports on the front panel of the firewall. Do not use these physical ports as service ports. General Layer 2 forwarding If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer 3 interface, the firewall forwards the packet through that interface.
Configure subinterfaces for the Ethernet port of the firewall card and use the IDs of the two VLANs created on the switch as their interface numbers respectively. • Inter-VLAN Layer 2 forwarding operates as follows: 1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet and if the packet is not destined to the VLAN the switch tagged, sends the packet to the firewall card through the trunk port in between. 2.
Figure 42 Inline forwarding list
Figure 43 Inline forwarding policy configuration page
Table 21 Configuration items for creating a Layer 2 inline forwarding policy
Policy ID: Set the ID for identifying an inline forwarding policy.
Policy Type: Select the inline forwarding type, which can be forward, blackhole, or reflect.
Port 1: Assign a port to the inline forwarding policy.
Port 2: Assign a port to the inline forwarding policy.
Blackhole-type inline forwarding configuration example
1. Network requirements
Packets coming from GigabitEthernet 0/1 must be discarded. In this case, you can configure blackhole-type inline forwarding on GigabitEthernet 0/1.
2. Configuration procedure
# Create a blackhole-type inline forwarding policy.
• Select Network > Forwarding in the navigation tree. On the page, click Add.
• Type policy ID 1.
• Select Blackhole as the policy type.
• Select GigabitEthernet0/1 from the Port 1 drop-down list.
To do… Use the command… Remarks Required Assign an interface to the inline forwarding entry port inline-interfaces id By default, the interface does not belong to any inline forwarding entry. Two interfaces must be assigned to the forward-type inline forwarding entry while one interface is required for the reflect or blackhole type. CAUTION: • An interface can only belong to one inline forwarding entry, and the last configured port inline-interfaces id command on an interface takes effect.
[Sysname-GigabitEthernet0/1] port inline-interfaces 1 # Assign GigabitEthernet 0/2 to forward-type inline Layer 2 forwarding entry 1. [Sysname-GigabitEthernet0/1] interface GigabitEthernet 0/2 [Sysname-GigabitEthernet0/2] port inline-interfaces 1 Blackhole-type inline Layer 2 forwarding configuration example Network requirements Configure blackhole-type inline Layer 2 forwarding on GigabitEthernet 0/1. Then packets received on GigabitEthernet 0/1 are directly dropped.
• Add the two subinterfaces of the ten-GigabitEthernet interface to different security zones. NOTE: To achieve Layer 2 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall card. Then add the subinterfaces to security zones.
To do…   Use the command…   Remarks
Configure the operating mode of the interface as Layer 2   port link-mode bridge   Required. The default operating mode is Layer 3.
Configure the link type of the ten-GigabitEthernet interface as trunk   port link-type trunk   Required
Assign the trunk port to the specified VLANs   port trunk permit vlan { vlan-id-list | all }   Required
Create a subinterface of the ten-GigabitEthernet interface and enter subinterface view   interface ten-gigabitethernet interface-number.
Displaying and maintaining inter-VLAN Layer 2 forwarding To do… Use the command… Remarks Display brief interface information display brief interface [ interface-type [ interface-number | interface-number.subnumber ] ] [ | { begin | include | exclude } text ] Available in any view Display interface/subinterface state and related information display interface [ interface-type [interface-number | interface-number.
Configuration Procedure 1. Configure the ports on the switch. # Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103. system-view [Sysname] vlan 102 [Sysname-vlan102] port GigabitEthernet 3/0/1 [Sysname-vlan102] vlan 103 [Sysname-vlan103] port GigabitEthernet 3/0/2 [Sysname-vlan103] quit # Configure the link type of Ten-GigabitEthernet 2/0/1 as trunk and assign the trunk port to VLAN 102, and VLAN 103.
# Add ten-GigabitEthernet 0/0.103 to security zone Untrust. Frame forwarding statistics Frame forwarding statistics overview The frame forwarding statistics module allows you to display the frame forwarding statistics of all the Layer 2 interfaces on the firewall. Viewing frame forwarding statistics Select Network > Statistics > L2 Statistics from the navigation tree to enter the page for displaying frame forwarding statistics, as shown in Figure 45.
Figure 45 Frame forwarding statistics You can click Eliminate to clear the statistics, and click Refresh to update the statistics on the page.
DHCP overview NOTE: After DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates user configuration and centralized management. For detailed configuration, see the chapter “Interface management configuration.” Introduction The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts.
• Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most clients obtain their addresses in this way. Dynamic IP address allocation process Figure 47 Dynamic IP address allocation process As shown in Figure 47, a DHCP client obtains an IP address from a DHCP server via four steps: 1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. 2.
DHCP message format Figure 48 gives the DHCP message format, which is based on the BOOTP message format and involves eight types. These types of messages have the same format except that some fields have different values. The numbers in parentheses indicate the size of each field in bytes.
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
DHCP server configuration Introduction to DHCP server Application environment The DHCP server is well suited to the network where: • It is hard to implement manual configuration and centralized management. • The hosts are more than the assignable IP addresses and it is impossible to assign a fixed IP address to each host. For example, an ISP limits the number of hosts accessing the Internet at a time, so lots of hosts need to acquire IP addresses dynamically. • A few hosts need fixed IP addresses.
DHCP relay agent is in-between). If no IP address is available in the address pool, the DHCP server fails to assign an address to the client, because it cannot assign an IP address from the parent address pool to the client. For example, two address pools, 1.1.1.0/24 and 1.1.1.0/25, are configured on the DHCP server. If the IP address of the interface receiving DHCP requests is 1.1.1.1/25, the DHCP server selects IP addresses for clients from address pool 1.1.1.0/25.
Task: Enabling the DHCP server on an interface
Remarks: Optional. With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server assigns an IP address from its address pool to the DHCP client. With DHCP enabled, interfaces work in the DHCP server mode.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
• The DHCP server works only on interfaces with manually configured IP addresses.
Creating a static address pool for the DHCP server Select Network > DHCP > DHCP Server from the navigation tree to enter the page shown in Figure 49. Click on the Static radio button in the Address Pool field to view all static address pools. Click Add to enter the page shown in Figure 50. Figure 50 Create a static address pool Table 22 Static address pool configuration items Item Description IP Pool Name Type the name of a static address pool.
Gateway Address: Type the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool, and the DHCP server assigns gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address: Type the DNS server addresses for the client.
Figure 51 Create a dynamic address pool
Table 23 Dynamic address pool configuration items
IP Pool Name: Type the name of a dynamic address pool.
IP Address / Mask: Type an IP address segment and its mask for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
Lease Duration: Configure the address lease duration for the address pool, or select Unlimited.
WINS Server Address: Type the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type: Select the NetBIOS node type for the client.
Return to DHCP server configuration task list.
Figure 53 Network diagram for static IP address assignment 2. Configuration procedure # Specify IP addresses for interfaces (omitted) # Enable DHCP. • Select Network > DHCP > DHCP Server from the navigation tree, perform the following operations, as shown in Figure 54. Figure 54 Enable DHCP • Click on the Enable radio button in the DHCP Service field. # Configure a static address pool.
Figure 55 Configure a static address pool
• Type static-pool for IP Pool Name.
• Type 10.1.1.5 for IP Address.
• Select 255.255.255.128 for Mask.
• Type 000f-e200-0002 for Client MAC Address.
• Type 10.1.1.126 for Gateway Address.
• Type 10.1.1.2 for DNS Server Address.
• Click Apply.
# Enable the DHCP server on GigabitEthernet 0/1. With DHCP enabled, interfaces work in the DHCP server mode.
• In the Interface Configuration field, click the icon of GigabitEthernet 0/1 and perform the following operations, as shown in Figure 56.
• Address pool 10.1.1.0/25 has the address lease duration ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, WINS server address 10.1.1.4/25, and gateway address 10.1.1.126/25. • Address pool 10.1.1.128/25 has the address lease duration five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, and gateway address 10.1.1.254/25 and has no WINS server address. • The domain name suffix and DNS server address in address pools 10.1.1.0/25 and 10.1.1.
Figure 58 Enable DHCP • Click on the Enable radio button in the DHCP Service field. # Configure DHCP address pool 0 (address range, client domain name suffix and DNS server address). • Click on the Dynamic radio button in the Address Pool field, click Add, and perform the following operations, as shown in Figure 59.
• Type pool0 for IP Pool Name. • Type 10.1.1.0 for IP Address. • Select 255.255.255.0 for Mask. • Type aabbcc.com for Client Domain Name. • Type 10.1.1.2 for DNS Server Address. • Click Apply. # Configure DHCP address pool 1 (address range, gateway, lease duration, and WINS server address). • Click on the Dynamic radio button in the Address Pool field, click Add, and then perform the following operations, as shown in Figure 60.
Figure 61 Configure address pool 2 • Type pool2 for IP Pool Name. • Type 10.1.1.128 for IP Address. • Type 255.255.255.128 for Mask. • Set Lease Duration to 5 days, 0 hours, and 0 minutes. • Type 10.1.1.254 for Gateway Address. • Click Apply.
Configuring an address pool for the DHCP server
Configuration task list
Complete the following tasks to configure an address pool:
Task   Remarks
Creating a DHCP address pool   Required
Configuring address allocation mode for a common address pool: Configuring static address allocation / Configuring dynamic address allocation   Required to configure either of the two for the common address pool configuration
Configuring dynamic address allocation for an extended address pool   Required for the extended address
Configuring address allocation mode for a common address pool CAUTION: You can configure either a static binding or dynamic address allocation for a common address pool, but not both. You need to specify a subnet for dynamic address allocation. A static binding is a special address pool containing only one IP address. 1. Configuring static address allocation Some DHCP clients, such as a WWW server, need fixed IP addresses.
NOTE: • Use the static-bind ip-address command together with static-bind mac-address or static-bind client-identifier to accomplish a static binding configuration. • In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind client-identifier command, the latter overwrites the former and vice versa.
NOTE: • In common address pool view, using the network or network ip range command repeatedly overwrites the previous configuration. • After you exclude IP addresses from automatic allocation by using the dhcp server forbidden-ip command, neither a common address pool nor an extended address pool can assign these IP addresses through dynamic address allocation. • Using the dhcp server forbidden-ip command repeatedly can exclude multiple IP address ranges from allocation.
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enter DHCP address pool view   dhcp server ip-pool pool-name [ extended ]   —
Specify a domain name suffix   domain-name domain-name   Required. Not specified by default.
Configuring DNS servers for the client
A DHCP client contacts a Domain Name System (DNS) server to resolve names. You can specify up to eight DNS servers in the DHCP address pool.
To do…   Use the command…   Remarks
Specify the NetBIOS node type   netbios-type { b-node | h-node | m-node | p-node }   Required. Not specified by default.
NOTE: If b-node is specified for the client, you do not need to specify any WINS server address.
Configuring BIMS server information for the client
Some DHCP clients perform regular software updates and backups by using configuration files obtained from a branch intelligent management system (BIMS) server.
To do…   Use the command…   Remarks
Specify the IP address of the primary network calling processor   voice-config ncp-ip ip-address   Required. Not specified by default.
Specify the IP address of the backup network calling processor   voice-config as-ip ip-address   Optional. Not specified by default.
Configure the voice VLAN   voice-config voice-vlan vlan-id { disable | enable }   Optional. Not configured by default.
Specify the failover IP address and dialer string   voice-config fail-over ip-address dialer-string
Configuring self-defined DHCP options
CAUTION: Be cautious when configuring self-defined DHCP options, because such configuration may affect the operation of DHCP.
By configuring self-defined DHCP options, you can:
• Define new DHCP options. New options are defined as DHCP develops; to support them, you can add them to the attribute list of the DHCP server.
• Define existing DHCP options. Vendors use Option 43 to define options that have no unified definitions in RFC 2132.
Enabling DHCP
Enable DHCP before performing other configurations. Follow these steps to enable DHCP:
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enable DHCP   dhcp enable   Required. Disabled by default.
Enabling the DHCP server on an interface
With the DHCP server enabled on an interface, upon receiving a client's request, the DHCP server assigns an IP address from its address pool to the DHCP client.
Enabling unauthorized DHCP server detection Unauthorized DHCP servers on a network may assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option). If yes, the DHCP server records the IP address in the option, which is the IP address of the DHCP server that assigned an IP address to the DHCP client and records the receiving interface.
• Enable DHCP
• Configure the DHCP address pool
2. Enable Option 82 handling
Follow these steps to enable the DHCP server to handle Option 82:
To do…   Use the command…   Remarks
Enter system view   system-view   —
Enable the server to handle Option 82   dhcp server relay information enable   Optional. Enabled by default.
NOTE: To support Option 82 requires configuring both the DHCP server and relay agent. For more information, see the chapter “DHCP relay agent configuration.
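The following Python code is an added example, not taken from this guide or from the firewall, that ties together three items of this chapter: the DHCP message format (the fixed BOOTP header, the magic cookie and the option TLVs of RFC 2131/2132), the relay-agent side of Option 82 (giaddr, hop count, and RFC 3046 sub-options 1 circuit-id and 2 remote-id), and the unauthorized-server check that reads Option 54 (Server Identifier) out of a client's request. The client MAC 000f-e200-0002 is the one from the static binding example; the transaction ID, the relay address 10.1.1.254, the circuit-id/remote-id strings, the authorized-server set and the 16-hop limit are assumptions. The relay drops a message that already carries Option 82 while giaddr is still zero, which is what RFC 3046 recommends against a client forging the option, and adds no second Option 82 to a message another relay has already handled.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"                       # RFC 2131: start of the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_INFO, OPT_END = 0, 53, 54, 82, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5               # message types carried in Option 53
BOOTREQUEST, BOOTREPLY = 1, 2
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAX_HOPS = 16                                            # assumed relay hop limit


def build(op, xid, chaddr, options, hops=0, flags=0x8000,
          ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Encode a DHCP message; options is a list of (code, value bytes) pairs."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack(HEADER, op, 1, len(chaddr), hops, xid, 0, flags,
                         ip(ciaddr), ip(yiaddr), ip(siaddr), ip(giaddr),
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(pkt):
    """Decode the fixed header and the option TLVs; raises ValueError on malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, pkt[:236])
    options, i = [], 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        options.append((pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]))
        i += 2 + pkt[i + 1]
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": addr(f[7]), "yiaddr": addr(f[8]), "siaddr": addr(f[9]),
            "giaddr": addr(f[10]), "chaddr": f[11][:f[2]], "options": options}


def relay_to_server(pkt, relay_ip, circuit_id, remote_id):
    """Rewrite a client broadcast the way a relay agent does before unicasting it to the
    server: set giaddr to its own interface address, increment hops and append Option 82.
    Returns None when the message must be dropped."""
    msg = parse(pkt)
    opts = list(msg["options"])
    if msg["hops"] + 1 > MAX_HOPS:
        return None                                      # relay loop
    if msg["giaddr"] == "0.0.0.0":
        if any(code == OPT_RELAY_INFO for code, _ in opts):
            return None                                  # Option 82 forged on the client side: drop
        giaddr = relay_ip
        opts.append((OPT_RELAY_INFO, bytes([1, len(circuit_id)]) + circuit_id
                     + bytes([2, len(remote_id)]) + remote_id))
    else:
        giaddr = msg["giaddr"]                           # already relayed: keep the first relay's data
    return build(msg["op"], msg["xid"], msg["chaddr"], opts, hops=msg["hops"] + 1,
                 flags=msg["flags"], ciaddr=msg["ciaddr"], giaddr=giaddr)


def rogue_server_id(pkt, authorized):
    """Unauthorized-server check modelled on the page: read Option 54 from a client
    REQUEST and return the server address if it is not in the authorized set."""
    msg = parse(pkt)
    for code, value in msg["options"]:
        if code == OPT_SERVER_ID:
            server = str(ipaddress.IPv4Address(value))
            return None if server in authorized else server
    return None


# Constructed sample traffic (MAC from the page's static-binding example, xid made up).
CLIENT_MAC = bytes.fromhex("000fe2000002")
XID = 0x3903F326


def sample_discover():
    return build(BOOTREQUEST, XID, CLIENT_MAC, [(OPT_MSG_TYPE, bytes([DISCOVER]))])


def sample_request(server_ip):
    return build(BOOTREQUEST, XID, CLIENT_MAC,
                 [(OPT_MSG_TYPE, bytes([REQUEST])),
                  (OPT_SERVER_ID, ipaddress.IPv4Address(server_ip).packed)])


if __name__ == "__main__":
    relayed = relay_to_server(sample_discover(), "10.1.1.254", b"Gi0/1", b"relay1")
    print(parse(relayed))
    print(rogue_server_id(sample_request("192.168.1.1"), {"10.1.1.1"}))
```

The authorized set passed to rogue_server_id() is the set of DHCP servers the operator knows about, here the 10.1.1.1 address used as the server group member later in this guide; anything else answering clients is what unauthorized DHCP server detection is meant to surface.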
DHCP server configuration examples DHCP networking involves two types: • The DHCP server and client are on the same subnet and perform direct message delivery. • The DHCP server and client are not on the same subnet and communicate with each other via a DHCP relay agent. The DHCP server configuration for the two types is the same. Static IP address assignment configuration example 1.
[Firewall-dhcp-pool-0] static-bind client-identifier 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30 [Firewall-dhcp-pool-0] dns-list 10.1.1.2 [Firewall-dhcp-pool-0] gateway-list 10.1.1.126 [Firewall-dhcp-pool-0] quit # Create DHCP address pool 1, and configure a static binding, DNS server and gateway in it. [Firewall] dhcp server ip-pool 1 [Firewall-dhcp-pool-1] static-bind ip-address 10.1.1.6 [Firewall-dhcp-pool-1] static-bind mac-address 000f-e200-01c0 [Firewall-dhcp-pool-1] dns-list 10.
2. Configuration procedure a. Specify IP addresses for interfaces (omitted) b. Configure the DHCP server # Enable DHCP. system-view [Firewall] dhcp enable # Enable the DHCP server on GigabitEthernet 0/1 and GigabitEthernet 0/2.
As shown in Figure 64, the DHCP client (Router) obtains its IP address and PXE server addresses from the DHCP server (Firewall). The IP address belongs to subnet 10.1.1.0/24. The PXE server addresses are 1.2.3.4 and 2.2.2.2. The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a self-defined option. The value of Option 43 configured on the DHCP server in this example is 80 0B 00 00 02 01 02 03 04 02 02 02 02. The number 80 is the value of the sub-option type.
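The following Python code is an added example, not part of this guide, that decodes and re-encodes the Option 43 value quoted above. The guide identifies only the leading 80 as the sub-option type; the reading of the remaining bytes (0B as the sub-option length, 00 00 as the PXE server type, 02 as the server count, then the two IPv4 addresses 1.2.3.4 and 2.2.2.2) follows the PXE server sub-option layout and is the example's assumption. The parser checks that the declared server count matches the sub-option length, so a truncated or padded value is rejected rather than yielding bogus addresses.

```python
import ipaddress

PXE_SERVERS_SUBOPT = 0x80   # sub-option type used in the page's example


def parse_option43(value):
    """Split an Option 43 value into (sub-option type, body) pairs. Sub-option 0 is
    padding and 0xFF terminates the list, following the RFC 2132 encapsulation rules."""
    subs, i = [], 0
    while i < len(value) and value[i] != 0xFF:
        if value[i] == 0:
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("sub-option type without length")
        sub_type, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"sub-option {sub_type:#x} truncated")
        subs.append((sub_type, body))
        i += 2 + length
    return subs


def parse_pxe_servers(body):
    """Decode the body of sub-option 0x80: 2-byte PXE server type, 1-byte server count,
    then count IPv4 addresses. The length is checked against the count."""
    if len(body) < 3:
        raise ValueError("PXE sub-option too short")
    server_type = int.from_bytes(body[:2], "big")
    count = body[2]
    if len(body) != 3 + 4 * count:
        raise ValueError(f"PXE sub-option declares {count} servers but carries {len(body) - 3} bytes")
    servers = [str(ipaddress.IPv4Address(body[3 + 4 * k:7 + 4 * k])) for k in range(count)]
    return server_type, servers


def encode_pxe_option43(server_type, servers):
    """Inverse of the two parsers: produce the Option 43 value to configure on the server."""
    body = server_type.to_bytes(2, "big") + bytes([len(servers)]) \
        + b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes([PXE_SERVERS_SUBOPT, len(body)]) + body


# The Option 43 value quoted on the page: 80 0B 00 00 02 01 02 03 04 02 02 02 02.
PAGE_OPTION43 = bytes.fromhex("800B0000020102030402020202")

if __name__ == "__main__":
    for sub_type, body in parse_option43(PAGE_OPTION43):
        if sub_type == PXE_SERVERS_SUBOPT:
            print(parse_pxe_servers(body))
    print(encode_pxe_option43(0, ["1.2.3.4", "2.2.2.2"]).hex().upper())
```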
2. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation. Enable the network adapter or connect the network cable. Release the IP address and obtain another one on the client. Take Windows XP as an example: run cmd to open a command prompt window, type ipconfig /release to relinquish the IP address, and then ipconfig /renew to obtain another IP address.
DHCP relay agent configuration Introduction to DHCP relay agent Application environment Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server must be available on each subnet, which is not practical. DHCP relay agent solves the problem. Via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters.
Figure 66 DHCP relay agent work process (the figure shows the exchange between DHCP client, DHCP relay and DHCP server: the client broadcasts DHCP-DISCOVER, the relay agent unicasts it to the server; the server unicasts DHCP-OFFER to the relay, which passes it to the client; the client broadcasts DHCP-REQUEST, which the relay unicasts to the server; the server unicasts DHCP-ACK to the relay, which passes it to the client)
As shown in Figure 66, the DHCP relay agent works in the following steps:
1.
Task: Enabling the DHCP relay agent on an interface
Remarks: Required. Enable the DHCP relay agent on an interface, and correlate the interface with a DHCP server group. With the DHCP relay agent enabled, the interface works in DHCP relay mode.
IMPORTANT:
• An interface cannot serve as both the DHCP server and the DHCP relay agent. The latest configuration takes effect.
Figure 67 DHCP relay agent configuration page
Table 26 DHCP service and advanced DHCP relay agent configuration items
DHCP Service: Enable or disable global DHCP.
Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers on a network may reply to DHCP clients with wrong IP addresses.
Dynamic Bindings Refresh: Enable or disable periodic refresh of dynamic client entries, and set the refresh interval. Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server, so it does not remove the IP address from its dynamic client entries. To solve this problem, the periodic refresh of dynamic client entries feature is introduced.
Enabling the DHCP relay agent on an interface
Select Network > DHCP > DHCP Relay from the navigation tree to enter the page shown in Figure 67. In the Interface Config field, the DHCP relay agent state of interfaces is displayed. Click the icon next to a specific interface to enter the page shown in Figure 69.
Figure 69 Configure a DHCP relay agent interface
Table 28 DHCP relay agent interface configuration items
Interface Name: This field displays the name of a specific interface.
Figure 71 Create a static IP-to-MAC binding
Table 29 Static IP-to-MAC binding configuration items
IP Address: Type the IP address of a DHCP client.
MAC Address: Type the MAC address of the DHCP client.
Interface Name: Select the Layer 3 interface connected with the DHCP client. IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
Return to DHCP relay agent configuration task list.
# Enable DHCP.
• Select Network > DHCP > DHCP Relay from the navigation tree and perform the following operations, as shown in Figure 73.
Figure 73 Enable DHCP
• Click on the Enable radio button in the DHCP Service field.
• Click Apply.
# Configure a DHCP server group.
• In the Server Group field, click Add, and perform the following operations, as shown in Figure 74.
Figure 74 Configure DHCP server group 1
• Type 1 for Server Group ID.
• Type 10.1.1.1 for IP Address.
• Click Apply.
# Enable the DHCP relay agent on GigabitEthernet 0/1.
• In the Interface Config field, click the icon of GigabitEthernet 0/1 and perform the following operations, as shown in Figure 75.
Figure 75 Enable the DHCP relay agent on GigabitEthernet 0/1
• Click on the Enable radio button in the DHCP Relay field.
• Select 1 for Server Group ID.
• Click Apply.
Enter system view: system-view
Enable DHCP: dhcp enable (Required. Disabled by default.)
Enabling the DHCP relay agent on an interface
With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server for address allocation.
NOTE:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of the relay agent's interfaces that connect DHCP clients cannot be on the same subnet. Otherwise, the client cannot obtain an IP address.
NOTE:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces (including sub-interfaces).
• Before enabling address check on an interface, you must enable the DHCP service, and enable the DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP addresses but not interfaces.
NOTE: The relay agent logs a DHCP server only once.
Configuring the DHCP relay agent to release an IP address
You can configure the relay agent to release a client's IP address. The relay agent sends a DHCP-RELEASE message that contains the specified IP address. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address; meanwhile, the client entry is removed from the DHCP relay agent.
Enable the relay agent to support Option 82: dhcp relay information enable (Required. Disabled by default.)
Configure the handling strategy for requesting messages containing Option 82: dhcp relay information strategy { drop | keep | replace } (Optional. replace by default.)
Configure the padding format for Option 82: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } (Optional. normal by default.)
Display statistics information about bindings of DHCP relay agents: display dhcp relay security statistics (Available in any view)
Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings: display dhcp relay security tracker (Available in any view)
Display information about the configuration of a specified or all DHCP server groups: display dhcp relay server-group { group-id | all } (Available in any view)
Display packet statistics on relay
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] dhcp select relay
# Correlate GigabitEthernet 0/1 to DHCP server group 1.
[Firewall-GigabitEthernet0/1] dhcp relay server-select 1
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network parameters through the DHCP relay agent from the DHCP server. You can use the display dhcp relay statistics command to view statistics of DHCP packets forwarded by DHCP relay agents.
NOTE: Configurations on the DHCP server are also required to make the Option 82 configurations function normally.
Troubleshooting DHCP relay agent configuration
Symptom
DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
DHCP client configuration
NOTE:
• The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces) and Layer 3 aggregate interfaces.
• You cannot configure an interface of an aggregation group as a DHCP client.
• The firewall supports DHCP client configuration in the command line interface (CLI).
Introduction to DHCP client
With the DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server.
Displaying and maintaining the DHCP client
Display specified configuration information: display dhcp client [ verbose ] [ interface interface-type interface-number ] (Available in any view)
DHCP client configuration example
Network requirements
As shown in Figure 78, on a LAN, Firewall contacts the DHCP server via GigabitEthernet 0/1 to obtain an IP address, DNS server address, and static route information. The IP address resides on network 10.1.1.0/24.
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from automatic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
2.
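Added example (not code from the HP guide): a decoder for the two option values this chapter configures as raw hex, the Option 43 PXE server sub-option from the earlier PXE example (80 0B 00 00 02 01 02 03 04 02 02 02 02) and the RFC 3442 Option 121 classless static route from the pool above (18 14 01 01 0A 01 01 02). The Option 43 payload is assumed to be laid out as sub-option type, length, a 2-byte PXE server type, a server count and the server addresses, which is the only reading under which the guide's 11-byte value parses; the length and count checks are the part a relay or client must get right before trusting such a value.

```python
"""Decode the DHCP Option 43 (PXE servers) and Option 121 (classless static
routes) values used in this chapter. Constructed example; inputs are the hex
strings exactly as typed on the DHCP server CLI."""
import ipaddress
from typing import Dict, List, Tuple


def _hex_to_bytes(hex_value: str) -> bytes:
    """Turn the space-separated hex the CLI accepts ("80 0B 00 ...") into bytes."""
    return bytes.fromhex(hex_value.replace(" ", ""))


def decode_option43_pxe(hex_value: str) -> Dict[str, object]:
    """Decode the vendor-specific Option 43 value of the PXE example.

    Assumed layout (matches the guide's 13-byte value):
      sub-option type (1 byte, 0x80) | length (1 byte) |
      PXE server type (2 bytes) | server count (1 byte) | count x IPv4 address
    """
    data = _hex_to_bytes(hex_value)
    if len(data) < 2:
        raise ValueError("option too short for a sub-option header")
    sub_type, length = data[0], data[1]
    payload = data[2:]
    # Never trust the length byte blindly: a mismatch is a malformed option,
    # and reading past the real payload is the classic parser bug here.
    if length != len(payload):
        raise ValueError(f"length byte {length} != payload size {len(payload)}")
    if length < 3:
        raise ValueError("payload too short for server type and count")
    server_type = int.from_bytes(payload[0:2], "big")
    count = payload[2]
    addr_bytes = payload[3:]
    if len(addr_bytes) != 4 * count:
        raise ValueError(
            f"server count {count} does not match {len(addr_bytes)} address bytes")
    servers = [str(ipaddress.IPv4Address(addr_bytes[i:i + 4]))
               for i in range(0, len(addr_bytes), 4)]
    return {"sub_option": sub_type, "server_type": server_type, "servers": servers}


def decode_option121(hex_value: str) -> List[Tuple[str, str]]:
    """Decode RFC 3442 classless static routes (Option 121).

    Each route is: prefix length (1 byte) | significant destination octets
    (ceil(prefix/8) bytes, omitted octets are zero) | router (4 bytes).
    Returns (destination network, router) pairs in the order sent.
    """
    data = _hex_to_bytes(hex_value)
    routes: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(data):
        prefix_len = data[pos]
        pos += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        significant = (prefix_len + 7) // 8
        if pos + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[pos:pos + significant] + b"\x00" * (4 - significant)
        pos += significant
        router = ipaddress.IPv4Address(data[pos:pos + 4])
        pos += 4
        # strict=False tolerates stray host bits in the last significant octet.
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((str(network), str(router)))
    return routes


if __name__ == "__main__":
    print(decode_option43_pxe("80 0B 00 00 02 01 02 03 04 02 02 02 02"))
    print(decode_option121("18 14 01 01 0A 01 01 02"))
```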
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.
BOOTP client configuration
NOTE:
• BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including sub-interfaces) and Layer 3 aggregate interfaces.
• You cannot configure an interface of an aggregation group as a BOOTP client.
• The firewall supports BOOTP client configuration in the command line interface (CLI).
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Configuring an interface to dynamically obtain an IP address through BOOTP
Follow these steps to configure an interface to dynamically obtain an IP address:
Enter system view: system-view
Enter interface view: interface interface-type interface-number
Configure an interface to dynamically obtain an IP address through BOOTP (Required): ip addre
DNS configuration
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. There are two types of DNS services, static and dynamic. After a user specifies a name, the firewall checks the local static name resolution table for an IP address.
Figure 79 Dynamic domain name resolution
Figure 79 shows the relationship between the user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client can run on the same device or different devices, while the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache.
Figure 80 DNS proxy networking application
Operation of a DNS proxy
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table after receiving the request. If the requested information exists in the table, the DNS proxy returns a DNS reply to the client.
3.
Table 30 Static name resolution table configuration task list
Task: Configuring static name resolution table
Remarks: Required. By default, no host name-to-IP address mappings are configured in the static domain name resolution table.
Configuring dynamic domain name resolution
Table 31 Dynamic domain name resolution configuration task list
Task: Configuring dynamic domain name resolution
Remarks: Required. Enable dynamic domain name resolution. This function is disabled by default.
Figure 82 Create a static domain name resolution entry
Table 33 Static domain name resolution configuration items
Host Name: Host name.
Host IP Address: IP address that corresponds to the host name. Each host name corresponds to only one IP address. If you configure multiple IP addresses for a host name, the last configured one takes effect. You can create up to 50 static host name-to-IP address mappings.
Return to Static name resolution table configuration task list.
Table 34 Dynamic domain name resolution configuration items
Dynamic DNS: Enable or disable dynamic domain name resolution.
Clear Dynamic DNS cache: Remove all the information from the dynamic DNS cache.
Return to Dynamic domain name resolution configuration task list.
Configuring DNS proxy
Select Network > DNS > Dynamic from the navigation tree to enter the page as shown in Figure 83.
Figure 85 Configure a DNS domain name suffix
Table 37 Domain name suffix configuration items
DNS Domain Name Suffix: Configure domain name suffixes. You can configure up to 10 domain name suffixes.
Return to Dynamic domain name resolution configuration task list.
Dynamic domain name resolution configuration example
Network requirements
• The IP address of the DNS server is 2.1.1.2/16 and the domain name suffix is com.
• Click Apply.
# Configure the DNS server address.
• Select Network > DNS > Dynamic from the navigation tree, and then click Add IP.
• Type 2.1.1.2 in DNS Server IP Address.
• Click Apply.
# Configure the domain name suffix.
• Select Network > DNS > Dynamic from the navigation tree, and then click Add Suffix.
• Type com in DNS Domain Name Suffix.
• Click Apply.
Specify a DNS server (Required. Not specified by default.):
  In system view: dns server ip-address
  In interface view: interface interface-type interface-number, then dns server ip-address, then quit
Configure a DNS suffix: dns domain domain-name (Optional. Not configured by default. Only the provided domain name is resolved.)
NOTE:
• A DNS server configured in system view has a higher priority than one configured in interface view.
Display IPv4 DNS server information: display dns server [ dynamic ] (Available in any view)
Display DNS suffixes: display dns domain [ dynamic ] (Available in any view)
IPv4 DNS configuration examples
Static domain name resolution configuration example
1. Network requirements
As shown in Figure 87, the Firewall wants to access the host by using an easy-to-remember domain name rather than an IP address.
dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16. Configure dynamic domain name resolution and the domain name suffix com on the Firewall that serves as a DNS client so that the Firewall can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/16.
Figure 88 Network diagram for dynamic domain name resolution
2.
# Create a mapping between host name and IP address.
Figure 90 Add a host
In Figure 90, right-click zone com, and then select New Host to bring up a dialog box as shown in Figure 91. Enter host name host and IP address 3.1.1.1.
Figure 91 Add a mapping between domain name and IP address
b.
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2.1.1.2.
[Firewall] dns server 2.1.1.2
# Configure com as the name suffix.
[Firewall] dns domain com
c. Configuration verification
# Use the ping host command on the Firewall to verify that the communication between the Firewall and the host is normal and that the corresponding destination IP address is 3.1.1.1.
Figure 92 Network diagram for DNS proxy
2. Configuration procedure
NOTE: Before performing the following configuration, assume that Firewall, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 92.
a. Configure the DNS server
This configuration may vary with DNS servers. When a Windows Server 2000 PC acts as the DNS server, see "Dynamic domain name resolution configuration example" for related configuration information.
b.
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
Troubleshooting IPv4 DNS configuration
Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.
DDNS configuration
DDNS overview
Introduction
Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access will fail because DNS leads you to the IP address that is no longer where the node resides.
NOTE:
• The DDNS update process does not have a unified standard and depends on the DDNS server that the DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (Oray calls its DDNS service "PeanutHull"), and www.dyndns.com.
• With the DDNS client configured, the firewall can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers at www.3322.org or www.oray.cn, for example.
Figure 95 Create a DDNS entry
Table 38 DDNS configuration items
DDNS Entry Name: Specify the DDNS entry name, which is the unique identifier of the DDNS entry.
Server Type: Select the DDNS server type, which can be 3322.org or PeanutHull.
Server Name: Specify the domain name of the DDNS server for domain name resolution.
Specify the interval for sending DDNS update requests after DDNS update is enabled.
FQDN: Specify the Fully Qualified Domain Name (FQDN) in the IP-to-FQDN mapping for update.
• If the DDNS service is provided by www.3322.org, the FQDN must be specified; otherwise, DDNS update may fail.
• If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server will update all the corresponding domain names of the DDNS client account; if an FQDN is specified, the DDNS server will update only the specified IP-to-FQDN mapping.
• Select Network > DNS > Dynamic from the navigation tree, and then click Add IP.
• Type 1.1.1.1 in DNS Server IP Address.
• Click Apply.
# Configure DDNS.
• Select Network > DNS > DDNS from the navigation tree, and then click Add.
• Type 3322 in DDNS Entry Name.
• Select 3322.org from the Server Type drop-down list.
• Type steven in Username.
• Type nevets in Password.
• Select GigabitEthernet0/1 from the Associated Interface drop-down list.
• Type whatever.3322.org in FQDN.
• members.3322.org and phservice2.oray.net are the domain names of DDNS servers. The domain names of PeanutHull DDNS servers can be phservice2.oray.net, phddns60.oray.net, client.oray.net, ph031.oray.net, and so on. Determine the domain name in the URL according to the actual situation.
NOTE:
• The URL address for an update request can start with http://, https://, or oray://. http:// indicates the HTTP-based DDNS server. https:// indicates the HTTPS-based DDNS server. oray:// indicates the TCP-based PeanutHull server.
• You need to associate an SSL client policy with the DDNS policy using the ssl client policy command when HTTPS is used to contact the DDNS server. For the configuration procedure of the SSL client policy, see the chapter "SSL configuration."
DDNS configuration examples
DDNS configuration example I
1. Network requirements
• As shown in Figure 97, Firewall is a Web server with the domain name whatever.3322.org.
• Firewall acquires the IP address through DHCP. Through the DDNS service provided by www.3322.org, Firewall informs the DNS server of the latest mapping between its domain name and IP address.
• The IP address of the DNS server is 1.1.1.1. Firewall uses the DNS server to translate www.3322.org into the corresponding IP address.
# Apply DDNS policy 3322.org to interface GigabitEthernet0/1 to enable DDNS update and dynamically update the mapping between domain name whatever.3322.org and the primary IP address of GigabitEthernet 0/1.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ddns apply policy 3322.org fqdn whatever.3322.org
After the preceding configuration is completed, Firewall will notify the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.
# Enable dynamic domain name resolution on Firewall.
[Firewall] dns resolve
# Specify the IP address of the DNS server as 1.1.1.1.
[Firewall] dns server 1.1.1.1
# Apply the DDNS policy to interface GigabitEthernet0/1 to enable DDNS update and dynamically update the mapping between whatever.gicp.cn and the primary IP address of GigabitEthernet0/1.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ddns apply policy oray.cn fqdn whatever.gicp.
ARP configuration
ARP overview
ARP function
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address (Ethernet MAC address, for example). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of that device to the corresponding MAC address.
ARP message format
ARP messages are classified into ARP requests and ARP replies. Figure 99 shows the format of the ARP request/reply.
• Target protocol address: This field specifies the protocol address of the device the message is being sent to.
ARP operation
Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 100. The resolution process is as follows:
1. Host A looks into its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2.
Dynamic ARP entry
A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.
Static ARP entry
A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security.
Creating a static ARP entry
Select Firewall > ARP Management > ARP Table from the navigation tree to enter the page shown in Figure 101. Click Add to enter the New Static ARP Entry page. Select the Advanced Options checkbox to expand advanced configuration items, as shown in Figure 102.
Figure 102 Add a static ARP entry
Table 39 Static ARP entry configuration items
IP Address: Type an IP address for the static ARP entry.
MAC Address: Type a MAC address for the static ARP entry.
Figure 103 Network diagram for configuring static ARP entries
2. Configuration procedure
# Create VLAN 10.
• Select Network > VLAN > VLAN from the navigation tree, and click Add.
• Type 10 for VLAN ID.
• Click Apply.
# Add GigabitEthernet 0/1 to VLAN 10.
• Click the icon corresponding to VLAN 10 on the VLAN page.
• Set GigabitEthernet 0/1 as an untagged member of VLAN 10.
• Click Apply.
# Create VLAN-interface 10, and configure the IP address of VLAN-interface 10.
Configuring ARP entries in the CLI
Configuring a static ARP entry
A static ARP entry is effective when the device works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if long, will be deleted, and if short and resolved, will become unresolved.
Set the aging time for dynamic ARP entries: arp timer aging aging-time (Optional. 20 minutes by default.)
Enabling the ARP entry check
The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system displays error messages.
Figure 104 Network diagram for configuring static ARP entries
2. Configuration procedure
Configure Firewall.
# Create VLAN 10.
system-view
[Firewall] vlan 10
[Firewall-vlan10] quit
# Add interface GigabitEthernet 0/0 to VLAN 10.
[Firewall] interface gigabitethernet 0/0
[Firewall-GigabitEthernet0/0] port access vlan 10
[Firewall-GigabitEthernet0/0] quit
# Create interface VLAN-interface 10 and configure its IP address.
Configuring gratuitous ARP
Introduction to gratuitous ARP
In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. A device implements the following functions by sending gratuitous ARP packets:
• Determining whether its IP address is already used by another device.
Enable the gratuitous ARP packet learning function: gratuitous-arp-learning enable (Optional. Enabled by default.)
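Added example (not code from the HP guide): a parser for the Ethernet/IPv4 ARP body described in the ARP message format and ARP operation sections, plus a small monitor that treats its learned IP-to-MAC view the way a static ARP entry is treated above (never overwritten by a later packet) and reports a gratuitous ARP whose sender MAC contradicts that view, which is the observer-side form of the address-conflict check gratuitous ARP exists for. The frames are constructed inline with Python's struct module; there is no live capture.

```python
"""Parse ARP bodies and flag gratuitous ARP that contradicts a learned
IP-to-MAC binding. Constructed example, no network I/O."""
import struct
from typing import Dict

# Ethernet/IPv4 ARP body (RFC 826): hardware type, protocol type, hardware
# address length, protocol address length, opcode, sender MAC, sender IP,
# target MAC, target IP. 28 bytes; the Ethernet header is not included.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
OP_REQUEST, OP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build a constructed ARP body for the examples; nothing is transmitted."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                       _mac_bytes(target_mac), _ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Parse an ARP body; reject anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < ARP_LEN:
        raise ValueError("ARP body truncated")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    sender_ip = ".".join(str(b) for b in sip)
    target_ip = ".".join(str(b) for b in tip)
    return {
        "op": "request" if op == OP_REQUEST else "reply",
        "sender_mac": ":".join(f"{b:02x}" for b in smac),
        "sender_ip": sender_ip,
        "target_mac": ":".join(f"{b:02x}" for b in tmac),
        "target_ip": target_ip,
        # Gratuitous ARP as the guide defines it: the sender announces its
        # own address, so sender IP and target IP are the same.
        "gratuitous": sender_ip == target_ip,
    }


class ArpMonitor:
    """Observer-side IP conflict detection.

    The first binding seen for an IP is kept, like a static ARP entry; a later
    packet claiming the same IP from another MAC is reported, not learned.
    A gratuitous ARP doing so is the conflict case the guide describes.
    """

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, pkt: bytes) -> str:
        arp = parse_arp(pkt)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return "learned"
        if known == mac:
            return "ok"
        return "conflict" if arp["gratuitous"] else "mac-changed"


if __name__ == "__main__":
    monitor = ArpMonitor()
    # Constructed addresses: a host announcing itself, then a second MAC
    # announcing the same IP.
    for frame in (
        build_arp(OP_REQUEST, "00:11:22:33:44:55", "10.1.1.10", BROADCAST_MAC, "10.1.1.10"),
        build_arp(OP_REQUEST, "66:77:88:99:aa:bb", "10.1.1.10", BROADCAST_MAC, "10.1.1.10"),
    ):
        print(parse_arp(frame)["sender_mac"], "->", monitor.observe(frame))
```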
Proxy ARP configuration
NOTE: The firewall supports configuring proxy ARP only in the command line interface (CLI).
Local proxy ARP
As shown in Figure 107, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects to Ethernet 1/3 and Host B connects to Ethernet 1/1. Enable local proxy ARP on Firewall to allow Layer 3 communication between the two hosts.
Figure 107 Application environment of local proxy ARP
In one of the following cases, you need to enable local proxy ARP:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
Displaying and maintaining proxy ARP
Display whether proxy ARP is enabled: display proxy-arp [ interface interface-type interface-number ] (Available in any view)
Display whether local proxy ARP is enabled: display local-proxy-arp [ interface interface-type interface-number ] (Available in any view)
Proxy ARP configuration examples
Proxy ARP configuration example
Network requirements
As shown in Figure 108, Host A and Host D have the same prefix and mask (the IP addresses
[Firewall-GigabitEthernet0/1] quit
# Specify the IP address of interface GigabitEthernet 0/0.
[Firewall] interface gigabitethernet 0/0
[Firewall-GigabitEthernet0/0] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/0.
[Firewall-GigabitEthernet0/0] proxy-arp enable
[Firewall-GigabitEthernet0/0] quit
After completing the preceding configurations, use the ping command to verify the connectivity between Host A and Host D.
[Switch] port-isolate group 2
[Switch] vlan 2
[Switch-vlan2] port ethernet 1/3
[Switch-vlan2] port ethernet 1/1
[Switch-vlan2] port ethernet 1/2
[Switch-vlan2] quit
[Switch] interface ethernet 1/3
[Switch-Ethernet1/3] port-isolate enable group 2
[Switch-Ethernet1/3] interface ethernet 1/1
[Switch-Ethernet1/1] port-isolate enable group 2
[Switch-Ethernet1/1] interface ethernet 1/2
[Switch-Ethernet1/2] port-isolate uplink-port group 2
2. Configure Firewall
# Specify the IP address of GigabitEthernet 0/0.
Figure 110 Network diagram for local proxy ARP configuration in isolate-user-VLAN
Configuration procedure
1. Configure Switch
# Create VLAN 2, VLAN 3, and VLAN 5 on Switch. Add Ethernet 1/3 to VLAN 2, Ethernet 1/1 to VLAN 3, and Ethernet 1/2 to VLAN 5. Configure VLAN 5 as the isolate-user-VLAN, and VLAN 2 and VLAN 3 as secondary VLANs. Configure the mappings between the isolate-user-VLAN and the secondary VLANs.
Layer 3 forwarding configuration
NOTE: For the configurations on a switch, see "Configuring Layer 3 subinterface forwarding."
Layer 3 forwarding overview
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Layer 3 subinterface forwarding
If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.
Inter-VLAN Layer 3 forwarding
If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface, the firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine. The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• Create two subinterfaces for the firewall card's ten-GigabitEthernet port. Associate them with the VLANs created on the switch and set the encapsulation type as dot1q.
• Assign IP addresses for the two subinterfaces.
• Add these two subinterfaces to security zones.
NOTE: To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall card.
Configure the operating mode of the interface as Layer 3: port link-mode route (Optional. The default operating mode is Layer 3.)
Create a subinterface of the ten-GigabitEthernet interface and enter subinterface view: interface ten-gigabitEthernet interface-number.subnumber
Configuring inter-VLAN Layer 3 forwarding
NOTE: For the Layer 3 subinterface forwarding configuration commands, see Interface Configuration Commands in Network Management Command Reference.
Configuring inter-VLAN Layer 3 forwarding
Perform the following configurations to achieve inter-VLAN Layer 3 forwarding.
1. Configure the ports of the switch
• Create two VLANs. Assign the ingress port to one VLAN and the egress port to the other.
Enter the view of the ten-GigabitEthernet interface that connects to the firewall card: interface ten-gigabitethernet interface-number (Required)
Configure the link type of the interface as trunk: port link-type trunk (Required)
Assign the trunk port to the two VLANs: port trunk permit vlan { vlan-id-list | all } (Required)
Configure the default VLAN for the trunk port: port trunk pvid vlan vlan-id (Optional. The default VLAN cannot be one of the previously configured two VL
Add the interface and the VLAN interface to a security zone: Enter the Web page and select System > Zone. On the modify zone page, add the ten-GigabitEthernet interface and the VLAN interface to the security zone.
Layer 3 subinterface forwarding configuration example
Network requirements
As shown in Figure 112, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a firewall card, and Layer 3 subinterface forwarding needs to be configured.
• Configure the operating mode of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of the switch as access. Assign them to VLAN 102 and VLAN 103 respectively.
[Sysname-Ten-GigabitEthernet2/0/1] port trunk permit vlan 102 103
2. Configure the firewall card.
# Configure the operating mode of ten-GigabitEthernet 0/0 as Layer 3.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port link-mode route
# Configure two subinterfaces for ten-GigabitEthernet 0/0. Set their encapsulation type to dot1q and associate them with the VLANs created on the switch. Assign IP addresses for the subinterfaces.
Inter-VLAN Layer 3 forwarding configuration example
Network requirements
As shown in Figure 113, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a firewall card, and inter-VLAN Layer 3 forwarding needs to be configured.
• Configure the operating mode of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of the switch as access. Assign them to VLAN 102 and VLAN 103 respectively.
Figure 113 Network diagram for inter-VLAN Layer 3 forwarding
Configuration procedure
1. Configure the ports on the switch.
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
system-view
[Sysname] vlan 102
[Sysname-vlan102] port GigabitEthernet 3/0/1
[Sysname-vlan102] vlan 103
[Sysname-vlan103] port GigabitEthernet 3/0/2
[Sysname-vlan103] quit
# Configure the link type of ten-GigabitEthernet 2/0/1 as trunk.
# Add ten-GigabitEthernet 0/0 and VLAN-interface 103 to the security zone Untrust.
QoS
Overview
Introduction to QoS
In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones.
Causes, impacts, and countermeasures of congestion
Congestion occurs on a link or node when traffic size exceeds the processing capability of the link or node. It is typical of a statistical multiplexing network and can be caused by link failures, insufficient resources, and various other causes.
was introduced to combine PQ and CBQ to transmit delay sensitive flows like voice packets preferentially. When defining traffic classes for LLQ, you can configure a class of packets to be transmitted preferentially. Such a class is called a priority class. The packets of all priority classes are assigned to the same priority queue. It is necessary to check bandwidth restriction of each class of packets before the packets are enqueued.
A typical application of traffic policing is to supervise the specification of certain traffic entering a network and limit it within a reasonable range, or to "discipline" the extra traffic. In this way, the network resources and the interests of the carrier are protected. For example, you can limit bandwidth consumption of HTTP packets to less than 50% of the total. If the traffic of a certain session exceeds the limit, traffic policing can drop the exceeding packets.
Task | Remarks
Associating the classifier and the behavior in the policy: Required. Associate a traffic behavior with a class in the QoS policy. A class can be associated with only one traffic behavior in a QoS policy. If a class is associated with multiple traffic behaviors, the last associated one takes effect.
Applying the policy to an interface: Required. Apply the QoS policy to the specified interface.
Configuring match criteria
Select Firewall > QoS > Classifier from the navigation tree, click the icon in the Operation column for the class to be configured to enter the page shown in Figure 117. On the upper part of the page, you can modify the basic information of the class; on the lower part of the page, information about all rules of the class is displayed. Click Create to enter the page for creating a match criterion for the class, as shown in Figure 118.
Item | Description
Define an ACL-based match criterion
ACL: After selecting the ACL option, you should select or input an ACL number. The available ACLs are those configured in Firewall > ACL. For more information about ACL, see Access Control Configuration Guide. If the specified ACL does not exist, the classifier cannot be applied to the hardware.
Figure 119 Behavior configuration page
Figure 120 Create a behavior
Table 44 describes the configuration items of creating a behavior.
Table 44 Configuration items of creating a behavior
Item | Description
Behavior Name: Specify a name for the behavior to be created. Ensure that the name is different from those of the system-defined traffic behaviors, if any.
Return to QoS policy configuration task list.
Configuring actions for the traffic behavior
Select Firewall > QoS > Behavior from the navigation tree.
Table 45 Configuration items of configuring actions for a traffic behavior
Item | Description
Behavior Name: Name of the traffic behavior being configured
CAR
Enable/Disable: Enable or disable CAR.
CIR: Set the committed information rate (CIR), the average traffic rate.
CBS: Set the committed burst size (CBS), number of bits that can be sent in each interval.
Green: Set the action to perform for conforming packets.
• Discard
Item | Description
Filter: Configure the packet filtering action. After selecting the Filter check box, select one of the following items from the Packet Filter drop-down list:
• Permit: Forwards the packet.
• Deny: Drops the packet.
• Not Set: Cancels the packet filtering action.
Return to QoS policy configuration task list.
Creating a policy
Select Firewall > QoS > Policy from the navigation tree to enter the policy displaying page, as shown in Figure 122.
Figure 124 Associate the classifier and the behavior
Table 47 describes the configuration items of configuring a classifier-behavior association in the policy.
Table 47 Configuration items of configuring a classifier-behavior association in the policy
Item | Description
Policy Name: Name of the policy being configured
Classifier Name: Select the classifier from the Classifier Name drop-down list.
Behavior Name: Select the traffic behavior from the Behavior Name drop-down list.
Table 48 Configuration items of applying a policy to an interface
Item | Description
Interface Name: Specify the interface to which the policy is to be applied.
Policy Name: Select the QoS policy to be applied.
Direction: Specify the direction in which the policy is to be applied.
• Inbound: Applies the policy to the incoming packets on the specified interface.
• Outbound: Applies the policy to the outgoing packets on the specified interface.
Return to QoS policy configuration task list.
Figure 127 QoS policy configuration procedure
Define a class -> Define a behavior -> Define a policy -> Apply the policy to an interface
1. Defining a class
The system pre-defines a class. A user-defined class cannot be named the same as a system-defined class. You can use pre-defined classes when defining a policy. The system-defined class is the default class.
• af—Assured forwarding.
• be—Best-effort.
• be-flow-based—Uses the weighted random early detection (WRED) drop policy.
Follow these steps to define a traffic behavior:
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Create a traffic behavior and enter traffic behavior view: traffic behavior behavior-name (Remarks: Required)
Configure actions in the traffic behavior: See the subsequent chapters, depending on the purpose of the traffic behavior: traffic policing.
3.
To do… Use the command… Remarks
Display traffic class configuration: display traffic classifier { system-defined | user-defined } [ tcl-name ] (Remarks: Available in any view)
Display traffic behavior configuration: display traffic behavior { system-defined | user-defined } [ behavior-name ] (Remarks: Available in any view)
Display system-defined or user-defined QoS policy configuration: display qos policy { system-defined | user-defined } [ policy-name [ classifier tcl-name ] ] (Remarks: Available in any view)
Display QoS policy
Figure 129 Create a CAR list
Table 50 describes the configuration items of creating a CAR list.
Table 50 Configuration items of creating a CAR list
Item | Description
CAR List Index: Specify the CAR list index.
IP Type: Select to configure a source IP-based CAR list or destination IP-based CAR list.
IP Set: Define the way of specifying a set of IP addresses. Two options are available:
• Subnet: Specifies a network segment by specifying an IP address and a subnet mask.
Applying a CAR list to an interface
Select Firewall > Traffic Policing > Apply from the navigation tree to enter the page for displaying the CAR lists applied to interfaces, as shown in Figure 130. Click Apply Policy to enter the page for applying a CAR list to an interface, as shown in Figure 131.
Figure 130 CAR lists applied to interfaces
Figure 131 Apply a CAR list to an interface
Table 51 describes the configuration items of applying a CAR list to an interface.
Item | Description
EBS: Set the excess burst size (EBS)
Green: Set the action to be taken on conforming packets.
• Discard: Drops the packets.
• Pass: Permits the packets to pass through.
Red: Set the action to be taken on excess packets.
• Discard: Drops the packets.
• Pass: Permits the packets to pass through.
Return to Traffic policing configuration task list.
QoS configuration example
1.
# Create an advanced ACL.
• Select Firewall > ACL from the navigation tree and then click Create.
• Type the ACL number, 3000 for example.
• Select the match order Config.
• Click Apply to complete the operation.
# Define an ACL rule for traffic from the other departments to the salary server.
Step3
• Select ACL 3000 in the ACL list and click its icon.
• Click Create.
• Select the Rule ID check box, and type rule ID 2.
• Select Permit in the Operation drop-down list.
• Select the class name class1 in the drop-down list.
• Select behavior1 in the drop-down list.
• Click Apply to complete the operation.
# Apply the QoS policy in the inbound direction of GigabitEthernet 0/1.
• Select Firewall > QoS > Apply from the navigation tree and then click Apply Policy.
• Select interface GigabitEthernet 0/1 in the Interface Name drop-down list.
• Select policy1 in the Policy Name drop-down list.
• Select Inbound in the Direction drop-down list.
To do… Use the command… Remarks
Configure a traffic policing action: car cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action ] [ red action ] (Remarks: Required)
Return to system view: quit (Remarks: —)
Create a policy and enter policy view: qos policy policy-name (Remarks: —)
Associate the class with the traffic behavior in the QoS policy: classifier tcl-name behavior behavior-name (Remarks: —)
Return to system view: quit (Remarks: —)
Apply the QoS policy to an interface: Applying the QoS policy to
To do… Use the command… Remarks
Configure an ACL based CAR policy on the interface or port group: qos car { inbound | outbound } acl acl-number cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action ] [ red action ] (Remarks: Required)
c.
• Limit the receiving rate on GigabitEthernet 0/1 of Firewall B to 500 kbps and drop the excess packets.
• Limit the sending rate on GigabitEthernet 0/2 of Firewall B to 1000 kbps and drop the excess packets.
Figure 133 Network diagram for traffic policing configuration
2. Configuration procedure
a. Configure Firewall A
# Configure ACLs to permit the packets from Server and Host A.
[FirewallA] acl number 2001
[FirewallA-acl-basic-2001] rule permit source 1.1.1.
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] qos car outbound any cir 1000 cbs 65000 ebs 0 green pass red discard
Configuration guidelines
QoS configuration guidelines
When configuring QoS, follow these guidelines:
1. The system-defined classifiers, behaviors, and policies cannot be modified or removed.
2. For bursty traffic to be handled effectively, ensure that the ratio of CBS to CIR configured for CAR is at least 100:16.
3.
For example, apply a CAR list to an interface with 10 Mbps of total bandwidth to perform per-IP address rate limiting for the network segment 192.168.0.1 to 192.168.0.100. If the shared bandwidth mode is enabled for the CAR list, you can set the CIR to 10 Mbps at maximum; if the shared bandwidth mode is not enabled for the CAR list, you can set the CIR to 100 kbps at maximum.
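The CAR token bucket behind the qos car command in the traffic policing example, together with the CBS:CIR guideline above, as an added Python model that is not part of the HP guide. It assumes CIR in kbps and CBS/EBS in bytes (units are not spelled out on this page) and that a packet fitting only the excess bucket is passed as yellow; the arrival trace is constructed.

```python
"""Added example, not code from the HP guide: a token-bucket model of the CAR
action from the traffic policing example
(qos car outbound any cir 1000 cbs 65000 ebs 0 green pass red discard)
plus the CBS:CIR guideline from the QoS configuration guidelines.

Assumptions (not stated on the page): CIR is read in kbps and CBS/EBS in bytes;
a packet that misses the committed bucket but fits the excess bucket is
coloured yellow and passed. Real hardware timing differs from this model.
"""


class CarPolicer:
    """Single-rate policer with a committed bucket (CBS) and an excess bucket (EBS)."""

    def __init__(self, cir_kbps, cbs_bytes, ebs_bytes=0,
                 green_action="pass", red_action="discard"):
        self.cir_kbps = cir_kbps
        self.cbs_bytes = float(cbs_bytes)
        self.ebs_bytes = float(ebs_bytes)
        self.green_action = green_action
        self.red_action = red_action
        self.tc = self.cbs_bytes      # committed bucket starts full
        self.te = self.ebs_bytes      # excess bucket starts full
        self.last = 0.0               # time of the previous packet (seconds)

    def _refill(self, now):
        """Credit the tokens earned since the last packet at CIR (kbps -> bytes/s)."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        earned = elapsed * self.cir_kbps * 1000 / 8
        spill = max(0.0, self.tc + earned - self.cbs_bytes)   # overflow feeds EBS
        self.tc = min(self.cbs_bytes, self.tc + earned)
        self.te = min(self.ebs_bytes, self.te + spill)

    def police(self, now, size):
        """Colour one packet of `size` bytes arriving at time `now` and return its action."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green", self.green_action
        if self.te >= size:               # never true when ebs is 0
            self.te -= size
            return "yellow", "pass"       # assumption, see module docstring
        return "red", self.red_action


def police_trace(policer, arrivals):
    """Run a constructed arrival trace [(time_s, size_bytes), ...] and count colours."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for now, size in arrivals:
        colour, _action = policer.police(now, size)
        counts[colour] += 1
    return counts


def cbs_cir_ratio_ok(cir, cbs):
    """Guideline 2 from the page: the ratio of CBS to CIR should be at least 100:16.
    The ratio is applied to the configured values exactly as the guideline states it."""
    return cbs * 16 >= cir * 100


if __name__ == "__main__":
    # Constructed trace: 100 packets of 1000 bytes at t=0, then 20 more 100 ms later,
    # against the Firewall B outbound CAR of the example (cir 1000, cbs 65000, ebs 0).
    fw_b_out = CarPolicer(cir_kbps=1000, cbs_bytes=65000, ebs_bytes=0)
    trace = [(0.0, 1000)] * 100 + [(0.1, 1000)] * 20
    print(police_trace(fw_b_out, trace))   # {'green': 77, 'yellow': 0, 'red': 43}
    print(cbs_cir_ratio_ok(1000, 65000))   # True
```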
IP routing overview
Routing in the Internet is achieved through routers. Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path. When the packet reaches the last router, it then forwards the packet to the destination host. Routing tables play a key role in routing.
Static route configuration
Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications. The disadvantage of using static routes is that they cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the routes will be unreachable.
Item | Remarks
Priority: Type the static route preference
Static route configuration example
Network requirements
It is required to add a static route, with destination address 1.1.1.1, mask 255.255.255.0, next hop 2.2.2.2, outbound interface GigabitEthernet 0/0, and priority 80.
Configuration procedure
# Add a static route.
• Select Network > Routing Management > Static Routing from the navigation tree and click Add.
• Type 1.1.1.1 as the destination IP address.
• Select 255.255.255.
To do… Use the command… ip route-static dest-address { mask | mask-length } { next-hop-address | interface-type interface-number next-hop-address | vpn-instance d-vpn-instance-name next-hop-address } track track-entry-number [ preference preference-value ] [ tag tag-value ] [ description description-text ] Configure a static route Configure the default preference for static routes ip route-static vpn-instance s-vpn-instance-name&<1-6> dest-address { mask | mask-length } { next-hop-address track track-en
Basic static route configuration example
Network requirements
Configure IP addresses and masks for the interfaces and hosts as shown in Figure 136. Configure static routes so that any two hosts can communicate with each other.
Figure 136 Network diagram for static route configuration
Configuration procedure
1. Configuring IP addresses for interfaces (omitted)
2. Configuring static routes
# Configure a default route on Router A.
system-view
[Firewall] ip route-static 0.0.0.0 0.0.0.0 1.1.4.
# Display the IP routing table of Firewall.
[Firewall] display ip routing-table
Routing Tables: Public
        Destinations : 10       Routes : 10
Destination/Mask    Proto  Pre  Cost  NextHop    Interface
0.0.0.0/0           Static 60   0     1.1.4.2    Eth1/2
1.1.2.0/24          Direct 0    0     1.1.2.3    Eth1/1
1.1.2.3/32          Direct 0    0     127.0.0.1  InLoop0
1.1.4.0/30          Direct 0    0     1.1.4.1    Eth1/2
1.1.4.1/32          Direct 0    0     127.0.0.1  InLoop0
127.0.0.0/8         Direct 0    0     127.0.0.1  InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1  InLoop0
1.1.2.
3 1 ms <1 ms <1 ms 1.1.2.2 Trace complete.
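A lookup over routing-table rows in the display ip routing-table format shown above, as an added example that is not from the HP guide: it implements the selection the IP routing overview and the static route preference field describe (longest prefix, then lowest preference, then lowest cost). The sample table, the second static route and the interface names in it are constructed.

```python
"""Added example, not code from the HP guide: parse routing-table rows written in
the `display ip routing-table` format and perform the forwarding lookup a router
does for a destination: longest prefix first, then lowest preference (Pre), then
lowest cost. The sample table is constructed; it contains the static route from
the web configuration example (1.1.1.0/24 via 2.2.2.2, preference 80) next to a
second static route with the default preference 60 to show the tie-break.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    proto: str
    pre: int
    cost: int
    nexthop: str
    interface: str


# Constructed sample in the page's display format (interface names are illustrative).
SAMPLE_TABLE = """\
Routing Tables: Public
        Destinations : 9        Routes : 9
Destination/Mask    Proto  Pre  Cost  NextHop    Interface
0.0.0.0/0           Static 60   0     1.1.4.2    Eth1/2
1.1.1.0/24          Static 80   0     2.2.2.2    GE0/0
1.1.1.0/24          Static 60   0     3.3.3.3    GE0/1
1.1.2.0/24          Direct 0    0     1.1.2.3    Eth1/1
1.1.2.3/32          Direct 0    0     127.0.0.1  InLoop0
1.1.4.0/30          Direct 0    0     1.1.4.1    Eth1/2
1.1.4.1/32          Direct 0    0     127.0.0.1  InLoop0
127.0.0.0/8         Direct 0    0     127.0.0.1  InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1  InLoop0
"""


def parse_routing_table(text: str) -> List[Route]:
    """Keep only the six-column route rows; title, summary and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            network = ipaddress.IPv4Network(parts[0], strict=False)
        except ValueError:
            continue                              # the "Destination/Mask ..." header row
        routes.append(Route(network, parts[1], int(parts[2]), int(parts[3]),
                            parts[4], parts[5]))
    return routes


def add_static_route(routes: List[Route], dest: str, mask: str, nexthop: str,
                     interface: str, preference: int = 60) -> Route:
    """Mirror the web form: destination, dotted mask, next hop, outbound interface, preference."""
    # 1.1.1.1 with mask 255.255.255.0 is stored as the network 1.1.1.0/24.
    network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    route = Route(network, "Static", preference, 0, nexthop, interface)
    routes.append(route)
    return route


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Select the forwarding entry: most specific prefix, then lowest Pre, then lowest cost."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.pre, r.cost))


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    for dst in ("1.1.1.9", "1.1.2.50", "1.1.2.3", "8.8.8.8"):
        hit = lookup(table, dst)
        print(dst, "->", hit.network, hit.nexthop, hit.interface)
```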
RIP configuration
RIP is a simple Interior Gateway Protocol (IGP), mainly used in small-sized networks, such as academic networks and simple LANs. RIP is not applicable to complex networks. RIP is still widely used in practical networking because it is easy to implement, configure, and maintain.
Configuring RIP in the web interface
Configuration prerequisites
• Configure the link layer protocol.
• Configure an IP address on each interface, and make sure all adjacent routers are reachable to each other.
Table 54 RIP global configuration items
Item | Description
Enable RIP (enable all interfaces automatically): Enable RIP on all interfaces.
Import static routes: Configure RIP to redistribute static routes.
Return to "RIP configuration task list."
Configuring interface RIP
Select Network > Routing Management > RIP from the navigation tree to enter the RIP configuration page. If RIP is enabled, the More button is displayed. Click More to display the hidden RIP interface list, as shown in Figure 138.
Table 55 RIP interface configuration items
Item | Description
Interface: Displays the RIP interface name
Work State: Set whether to allow the receiving/sending of RIP packets on the interface.
• On: Allows the receiving/sending of RIP packets on the interface.
• Off: Disallows the receiving/sending of RIP packets on the interface.
Specify a RIP version for the interface.
Figure 140 Network diagram for RIP configuration
Configuration procedure
1. Configure an IP address for each interface and configure security zones (Omitted)
2. Enable RIP
# Configure Device A.
• Select Network > Routing Management > RIP from the navigation tree of Device A.
• Select the Enable RIP(Enable all interfaces automatically) check box, as shown in Figure 141.
• Click Apply.
Figure 141 Enable RIP
# Configure Device B.
# Display active routes of Device B.
Select Network > Routing Management > Routing Info from the navigation tree of Device B to display learned RIP routes destined for 2.0.0.0/8 and 3.0.0.0/8, as shown in Figure 143.
Figure 143 RIP configuration result II
Configuring RIP in the CLI
Configuring RIP basic functions
Configuration prerequisites
• Configure the link layer protocol.
• Configure an IP address on each interface, and make sure all adjacent routers are reachable to each other.
NOTE:
• If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled.
• RIP runs only on the interfaces residing on the specified networks. Specify the network after enabling RIP to validate RIP on a specific interface.
• You can enable RIP on all interfaces using the command network 0.0.0.0.
• If a physical interface is attached to multiple networks, you cannot advertise these networks in different RIP processes.
2.
To do… Use the command… Remarks
Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] (Remarks: ––)
Optional. By default, if an interface has a RIP version specified, the version takes precedence over the global one. If no RIP version is specified for an interface, the interface can send RIPv1 broadcasts, and receive RIPv1 broadcasts and unicasts, and RIPv2 broadcasts, multicasts, and unicasts.
To do… Use the command… Remarks
Enter system view: system-view (Remarks: ––)
Enter interface view: interface interface-type interface-number (Remarks: ––)
Define an inbound additional routing metric: rip metricin [ route-policy route-policy-name ] value (Remarks: Optional. 0 by default)
Define an outbound additional routing metric: rip metricout [ route-policy route-policy-name ] value (Remarks: Optional. 1 by default)
Configuring RIPv2 route summarization
Route summarization means that subnets in a natural network are summarized into a nat
NOTE:
You need to disable RIPv2 route automatic summarization before advertising a summary route on an interface.
Disabling host route reception
Sometimes a router may receive from the same network many host routes, which are not helpful for routing and consume a large amount of network resources. You can disable RIP from receiving host routes to save network resources.
NOTE:
The router enabled to advertise a default route does not receive default routes from RIP neighbors.
Configuring inbound/outbound route filtering
The device supports route filtering. You can filter routes by configuring the inbound and outbound route filtering policies by referencing an ACL or IP prefix list. You can also configure the router to receive only routes from a specified neighbor.
To do… Use the command… Remarks
Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] (Remarks: ––)
Configure a default metric for redistributed routes: default cost value (Remarks: Optional. The default metric of a redistributed route is 0 by default.)
Redistribute routes from another protocol: import-route protocol [ process-id | all-processes | allow-ibgp ] [ cost cost | route-policy route-policy-name | tag tag ] * (Remarks: Required. No redistribution is configured by default.)
The split horizon function disables an interface from sending routes received from the interface to prevent routing loops between adjacent routers.
Follow these steps to enable split horizon:
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Enter interface view: interface interface-type interface-number (Remarks: —)
Enable split horizon: rip split-horizon (Remarks: Optional. Enabled by default)
NOTE:
• In Frame Relay, X.
Follow these steps to enable zero field check on incoming RIPv1 messages:
To do… Use the command… Remarks
Enter system view: system-view (Remarks: ––)
Enter RIP view: rip [ process-id ] [ vpn-instance vpn-instance-name ] (Remarks: ––)
Enable zero field check on received RIPv1 messages: checkzero (Remarks: Optional. Enabled by default)
Enabling source IP address check on incoming RIP updates
You can enable source IP address check on incoming RIP updates.
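The zero field check and the source IP address check described in this section, as added Python that is not part of the HP guide: it parses a RIPv1 update and applies both checks before the routes would be accepted. The message layout follows RFC 1058/2453; the update messages, addresses and the tag used to build a bad message are constructed.

```python
"""Added example, not code from the HP guide: the two receive-side checks the RIP
section describes, applied to constructed RIPv1 updates. The zero field check
(checkzero) rejects RIPv1 messages whose must-be-zero fields are set; the source
IP address check rejects updates whose source is not a neighbour on the receiving
interface's subnet. Layout per RFC 1058/2453: 4-byte header, 20-byte entries.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

RIP_RESPONSE = 2
AF_INET = 2
ENTRY = "!HH4s4s4sI"      # AFI, route tag, IP, subnet mask, next hop, metric (20 bytes)


def build_rip_v1_response(entries: List[Tuple[str, int]], tag: int = 0) -> bytes:
    """Build a RIPv1 Response; `tag` is set non-zero only to construct a bad message."""
    msg = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for net, metric in entries:
        msg += struct.pack(ENTRY, AF_INET, tag, ipaddress.IPv4Address(net).packed,
                           b"\0" * 4, b"\0" * 4, metric)
    return msg


def parse_rip(payload: bytes) -> Dict:
    """Parse the fixed header and the route entries of a RIP message."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("malformed RIP message length")
    command, version, mbz = struct.unpack("!BBH", payload[:4])
    entries = []
    for off in range(4, len(payload), 20):
        afi, tag, ip, mask, nexthop, metric = struct.unpack(ENTRY, payload[off:off + 20])
        entries.append({"afi": afi, "tag": tag, "ip": ip, "mask": mask,
                        "nexthop": nexthop, "metric": metric})
    return {"command": command, "version": version, "mbz": mbz, "entries": entries}


def zero_field_check(msg: Dict) -> bool:
    """checkzero: in RIPv1 the header pad, route tag, mask and next hop must all be zero."""
    if msg["version"] != 1:
        return True                       # RIPv2 carries real values in these fields
    if msg["mbz"] != 0:
        return False
    return all(e["tag"] == 0 and e["mask"] == b"\0" * 4 and e["nexthop"] == b"\0" * 4
               for e in msg["entries"])


def source_check(src: str, iface_addr: str) -> bool:
    """Source IP check: the sender must be another host on the interface subnet."""
    iface = ipaddress.ip_interface(iface_addr)
    sender = ipaddress.ip_address(src)
    return sender in iface.network and sender != iface.ip


def accept_update(payload: bytes, src: str, iface_addr: str,
                  checkzero: bool = True, source_check_enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether a received update may be processed, mirroring the two checks."""
    try:
        msg = parse_rip(payload)
    except ValueError as exc:
        return False, str(exc)
    if source_check_enabled and not source_check(src, iface_addr):
        return False, "source address not on interface subnet"
    if checkzero and not zero_field_check(msg):
        return False, "non-zero must-be-zero field in RIPv1 message"
    return True, f"{len(msg['entries'])} route entries"


if __name__ == "__main__":
    # Constructed: interface 10.1.0.1/24 receives updates from neighbour 10.1.0.2.
    good = build_rip_v1_response([("10.2.0.0", 1), ("10.3.0.0", 2)])
    bad = build_rip_v1_response([("10.2.0.0", 1)], tag=7)
    print(accept_update(good, "10.1.0.2", "10.1.0.1/24"))      # (True, '2 route entries')
    print(accept_update(bad, "10.1.0.2", "10.1.0.1/24"))       # rejected by checkzero
    print(accept_update(good, "192.168.9.9", "10.1.0.1/24"))   # rejected by source check
```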
Specifying a RIP neighbor
Usually, RIP sends messages to broadcast or multicast addresses. On links that do not support broadcast or multicast, you must manually specify RIP neighbors.
To do… Use the command… Remarks
Display routing information about a specified RIP process: display rip process-id route [ ip-address { mask | mask-length } | peer ip-address | statistics ]
Reset a RIP process: reset rip process-id process (Remarks: Available in user view)
Clear the statistics of a RIP process: reset rip process-id statistics (Remarks: Available in user view)
RIP version configuration example
Network requirements
As shown in Figure 144, enable RIPv2 on all interfaces on Firewall A and Firewall B.
[FirewallA] rip
[FirewallA-rip-1] version 2
[FirewallA-rip-1] undo summary
# Configure RIPv2 on Firewall B.
[FirewallB] rip
[FirewallB-rip-1] version 2
[FirewallB-rip-1] undo summary
# Display the RIP routing table of Firewall A.
[FirewallA] display rip 1 route
 Route Flags: R - RIP, T - TRIP
              P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
-------------------------------------------------------------------------
 Peer 1.1.1.2 on GigabitEthernet0/0
      Destination/Mask        Flags   Sec
      10.0.0.
2. Configure RIP basic functions
# Enable RIP 100, and configure a RIP version of 2 on Router A.
system-view
[RouterA] rip 100
[RouterA-rip-100] network 10.0.0.0
[RouterA-rip-100] network 11.0.0.0
[RouterA-rip-100] version 2
[RouterA-rip-100] undo summary
[RouterA-rip-100] quit
# Enable RIP 100 and RIP 200, configure RIP version as 2 on Firewall.
system-view
[Firewall] rip 100
[Firewall-rip-100] network 11.0.0.
[RouterB] display ip routing-table
Routing Tables: Public
        Destinations : 8        Routes : 8
Destination/Mask    Proto  Pre  Cost  NextHop    Interface
10.2.1.0/24         RIP    100  1     12.3.1.1   Eth1/1
11.1.1.0/24         RIP    100  1     12.3.1.1   Eth1/1
12.3.1.0/24         Direct 0    0     12.3.1.2   Eth1/1
12.3.1.2/32         Direct 0    0     127.0.0.1  InLoop0
16.4.1.0/24         Direct 0    0     16.4.1.1   Eth1/2
16.4.1.1/32         Direct 0    0     127.0.0.1  InLoop0
127.0.0.0/8         Direct 0    0     127.0.0.1  InLoop0
127.0.0.1/32        Direct 0    0     127.0.0.1  InLoop0
4.
Figure 146 Network diagram for RIP interface additional metric configuration
Configuration procedure
1. Configure IP addresses for the interfaces (omitted).
2. Configure RIP basic functions.
# Configure Firewall.
system-view
[Firewall] rip
[Firewall-rip-1] network 1.0.0.0
[Firewall-rip-1] version 2
[Firewall-rip-1] undo summary
[Firewall-rip-1] quit
# Configure Router B.
system-view
[RouterB] rip
[RouterB-rip-1] network 1.0.0.
# Display the IP routing table of Firewall.
[Firewall] display rip 1 database
   1.0.0.0/8, cost 0, ClassfulSumm
   1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface
   1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface
   1.1.3.0/24, cost 1, nexthop 1.1.1.2
   1.1.4.0/24, cost 1, nexthop 1.1.2.2
   1.1.5.0/24, cost 2, nexthop 1.1.1.2
   1.1.5.0/24, cost 2, nexthop 1.1.2.2
The display shows that there are two RIP routes to network 1.1.5.0/24. Their next hops are Router B (1.1.1.2) and Router C (1.1.2.
Figure 147 Network diagram for route RIP summary route advertisement
Configuration procedure
1. Configure IP addresses for interfaces (omitted)
2. Configure OSPF basic functions
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
[RouterC] rip 1
[RouterC-rip-1] network 11.0.0.0
[RouterC-rip-1] version 2
[RouterC-rip-1] undo summary
[RouterC-rip-1] quit
# Configure RIP to redistribute the routes from OSPF process 1 and direct routes on Firewall.
[Firewall-rip-1] import-route direct
[Firewall-rip-1] import-route ospf 1
# Display the routing table information of Router C.
[RouterC] display ip routing-table
Routing Tables: Public
        Destinations : 10       Routes : 10
Destination/Mask    Proto  Pre  Cost  NextHop    Interface
10.1.1.
Troubleshooting RIP
No RIP updates received
Symptom: No RIP updates are received when the links work well.
Analysis: After enabling RIP, you must use the network command to enable corresponding interfaces. Make sure no interfaces are disabled from handling RIP messages. If the peer is configured to send multicast messages, the same should be configured on the local end.
OSPF configuration
Open Shortest Path First (OSPF) is a link state interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). Now, OSPF version 2 (RFC 2328) is used. OSPF has the following features:
• Wide scope—Supports networks of various sizes and up to several hundred routers in an OSPF routing domain
• Fast convergence—Transmits updates instantly after network topology changes for routing information synchronization in the AS.
Task | Remarks
Configuring OSPF globally: Optional.
Import static routes: Configure OSPF to redistribute static routes.
Configuring OSPF areas: Required. Configure an OSPF area, specify the network segment included in the area, so as to enable OSPF on the interface attached to the specified network segment.
IMPORTANT: This task allows you to configure one or more interfaces in an area.
Configuring OSPF areas Select Network > Routing Management > OSPF from the navigation tree to enter the OSPF configuration page. After you enable OSPF, the page shown in Figure 149 is displayed. Click Add on the Area Configuration tab to enter the OSPF area configuration page, as shown in Figure 150.
Figure 150 OSPF area configuration page
Table 58 OSPF area configuration items
Item | Description
Area ID: Type an area ID.
Area Type: Select an area type, including Normal, Stub, and NSSA.
IMPORTANT: The type of a backbone area (with area ID 0) can only be configured as Normal.
Enable all interfaces: Set whether to enable OSPF on all the interfaces.
Network Items: Network Address, Network Mask
Configuring OSPF interfaces Select Network > Routing Management > OSPF from the navigation tree to enter the OSPF configuration page. After you complete OSPF area configurations, click the More button to display the hidden OSPF interface list, as shown in Figure 151. Then, click the icon to enter the configuration page of the specified OSPF interface, as shown in Figure 152.
Item | Description
Dead Interval: Set the OSPF dead interval. Within the dead interval, if the interface receives no hello packet from the neighbor, it declares that the neighbor is down. The default dead interval is 40 seconds on P2P and Broadcast interfaces and 120 seconds on P2MP and NBMA interfaces. The dead interval should be at least four times the hello interval on an interface. The interfaces on a specific network segment must have the same dead interval.
Item | Description
DR Priority: DR priority for the interface
State: Current state of the interface, which can be:
• Down, indicating no packet is sent or received through the interface.
• Loopback
• Waiting, indicating the interface starts to send and receive Hello packets and attempts to find the DR and BDR on the network.
• P-2-P, indicating the interface will send Hello packets at the hello interval, and attempts to establish adjacency with the peer router.
Item | Description
Current state of the neighbor, which can be:
• Down, indicating the initial state of the neighboring relationship.
• Init, indicating a Hello packet is received from the neighbor before the neighbor is down, but it does not contain the router ID. In such cases, bidirectional communication is not available.
• Attempt, which is available for the neighbor of an NBMA network only. It indicates the router receives no information from the neighbor, but it still attempts to contact the neighbor.
• Select Network > Routing Management > OSPF from the navigation tree of Device A.
• Select the Enable OSPF check box, as shown in the following figure.
Figure 156 Enable OSPF
• Click Apply. After you enable OSPF, the following figure is displayed.
Figure 157 The web page displayed after OSPF is enabled
• Click Add on the Area Configuration tab and make the following configurations on Figure 158.
• Type 0 for Area ID.
• Select Normal for Area Type.
• Type 10.1.1.
Figure 158 Configure area 0
• Click Add on the Area Configuration tab and make the following configurations on Figure 159.
• Type 1 for Area ID.
• Select NSSA for Area Type.
• Type 10.2.1.0 for Network Address, and select 0.0.0.255 for Network Mask. Then, click Add Network.
• Click Apply.
Figure 159 Configure area 1
# Configure Device B.
• Select Network > Routing Management > OSPF from the navigation tree of Device B.
• Select the Enable OSPF check box.
• Click Apply.
• Click Add on the Area Configuration tab.
• Type 0 for Area ID.
• Select Normal for Area Type.
• Type 10.1.1.0 for Network Address, and select 0.0.0.255 for Network Mask. Then, click Add Network.
• Click Apply.
• Click Add on the Area Configuration tab.
• Type 2 for Area ID.
# Configure Device C.
• Select Network > Routing Management > OSPF from the navigation tree of Device C.
• Select the Enable OSPF check box.
• Select the Import static routes check box.
• Click Apply.
• Click Add on the Area Configuration tab.
• Type 1 for Area ID.
• Select NSSA for Area Type.
• Type 10.2.1.0 for Network Address, and select 0.0.0.255 for Network Mask. Then, click Add Network.
• Type 10.4.1.0 for Network Address, and select 0.0.0.255 for Network Mask.
# Display the routing table of Device A.
Select Network > Routing Management > Routing Info from the navigation tree of Device A. The OSPF routes 3.2.1.0/24, 10.3.1.0/24, 10.4.1.0/24 and 10.5.1.0/24 that are learned after OSPF is enabled are displayed in the routing table, as shown in Figure 161.
Figure 161 OSPF configuration result II
Configuring OSPF in the CLI
OSPF configuration task list
Make a proper plan before configuring OSPF.
Task | Remarks
Configuring OSPF route control
Configuring OSPF route summarization: Optional
Configuring OSPF inbound route filtering: Optional
Configuring ABR Type-3 LSA filtering: Optional
Configuring an OSPF cost for an interface: Optional
Configuring the maximum number of OSPF routes: Optional
Configuring the maximum number of load-balanced routes: Optional
Configuring OSPF preference: Optional
Configuring OSPF route redistribution: Optional
Tuning and optimizing OSPF networks
Configuring OSPF
advertises the direct route of the interface. To run OSPF, a router must have a router ID, which is the unique identifier of the router in the AS.
• You can specify a router ID when creating the OSPF process. Any two routers in an AS must have different router IDs. In practice, the ID of a router is the IP address of one of its interfaces.
• If you specify no router ID when creating the OSPF process, the global router ID will be used. HP recommends specifying a router ID when you create the OSPF process.
Configuring OSPF areas
After splitting an OSPF AS into multiple areas, you can further configure some areas as stub areas or NSSA areas as needed. If no connectivity can be achieved between the backbone and a non-backbone area, or within the backbone itself, you can configure virtual links to solve it.
Prerequisites
Before configuring an OSPF area, you have configured:
• IP addresses for interfaces, making neighboring nodes accessible with each other at the network layer.
Follow these steps to configure an NSSA area:
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] * (Remarks: —)
Enter area view: area area-id (Remarks: —)
Configure the area as an NSSA area: nssa [ default-route-advertise | no-import-route | no-summary | translate-always | translator-stability-interval value ] * (Remarks: Required)
Specify a cost for the default route advertised to the NSSA area: default-cost cost (Remarks: Not configure
P2P—When the link layer protocol is PPP, LAPB, HDLC, or POS, OSPF considers the network type as P2P by default.
• You can change the network type of an interface as needed.
• When an NBMA network becomes fully meshed through address mapping—any two routers in the network have a direct virtual link in between—you can change the network type to broadcast to avoid manual configuration of neighbors.
To do… Use the command… Remarks
Configure the OSPF network type for the interface as NBMA: ospf network-type nbma (Remarks: Required. By default, the network type of an interface depends on the link layer protocol.)
Configure a DR priority for the interface: ospf dr-priority priority
Exit to system view: quit (Remarks: —)
Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] * (Remarks: —)
Specify a neighbor and its DR priority: peer ip-address [ cost value | dr-priority dr-priority ] (Remarks: Required)
To do… Use the command… Remarks
Specify a neighbor and its DR priority on a P2MP unicast network: peer ip-address [ cost value | dr-priority dr-priority ] (Remarks: Required if the interface type is P2MP unicast)
Configuring the OSPF network type for an interface as P2P
Follow these steps to configure the OSPF network type for an interface as P2P:
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Enter interface view: interface interface-type interface-number (Remarks: —)
Configure the OSPF network typ
To do… Use the command… Remarks
Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] * (Remarks: —)
Enter OSPF area view: area area-id (Remarks: —)
Configure ABR route summarization: abr-summary ip-address { mask | mask-length } [ advertise | not-advertise ] [ cost cost ] (Remarks: Required. The command is available on an ABR only. Not configured by default.)
2.
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] * (Remarks: —)
Configure inbound route filtering: filter-policy { acl-number [ gateway ip-prefix-name ] | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import (Remarks: Required. Not configured by default.)
To do… Use the command… Remarks
Enter system view: system-view (Remarks: —)
Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] * (Remarks: —)
Configure a bandwidth reference value: bandwidth-reference value (Remarks: Optional. The value defaults to 100 Mbps.)
To do… Use the command… Remarks
Configure a preference for OSPF: preference [ ase ] [ route-policy route-policy-name ] value (Remarks: Optional. By default, the preference of OSPF internal routes is 10, and the preference of OSPF external routes is 150.)
Configuring OSPF route redistribution
1.
NOTE: The default-route-advertise summary cost command is applicable only to VPN, and the default route is redistributed in a Type-3 LSA. The PE router will advertise the default route to the CE router. 3. Configure the default parameters for redistributed routes You can configure default parameters such as the cost, upper limit, tag and type for redistributed routes. Tags indicate information related to protocols. For example, when redistributing BGP routes, OSPF uses tags to identify AS IDs.
• OSPF basic functions.
Configuring OSPF packet timers
You can configure the following timers on OSPF interfaces as needed:
• Hello timer—Interval for sending hello packets. It must be identical on OSPF neighbors. The longer the interval, the slower the convergence and the lighter the network load.
• Poll timer—Interval for sending hello packets to a neighbor that is down on an NBMA network.
To do… / Use the command… / Remarks
• Enter interface view: interface interface-type interface-number. (—)
• Specify an LSA transmission delay: ospf trans-delay seconds. (Optional. 1 second by default.)
Specifying SPF calculation interval
LSDB changes lead to SPF calculations. When an OSPF network changes frequently, SPF calculation consumes a large amount of network and device resources. You can adjust the SPF calculation interval to reduce the impact.
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter OSPF view: ospf [ process-id | router-id router-id | vpn-instance instance-name ] *. (Required)
• Configure the LSA generation interval: lsa-generation-interval maximum-interval [ initial-interval [ incremental-interval ] ]. (Optional. By default, the maximum interval is 5 seconds, the initial (minimum) interval is 0 milliseconds, and the incremental interval is 5000 milliseconds.)
To do… / Use the command… / Remarks
• Configure the router as a stub router: stub-router. (Required. Not configured by default.)
NOTE: A stub router has nothing to do with a stub area.
Configuring OSPF authentication
You can configure OSPF packet authentication to secure packet exchange. After authentication is configured, OSPF accepts only packets that pass authentication, so a router whose packets fail authentication cannot establish or maintain a neighbor relationship.
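The MD5 mode of OSPF authentication is the cryptographic authentication of RFC 2328 Appendix D: the sender appends an MD5 digest of the packet plus the key, and the receiver recomputes it with the key selected by Key ID and also requires the cryptographic sequence number to be non-decreasing, which is what stops a captured Hello from being replayed to keep a stale adjacency alive. The block below is an added example, not code from this guide or from HP; it assumes keys shorter than 16 bytes are zero-padded (as common implementations do) and uses its own helper names.

```python
"""OSPF cryptographic authentication (AuType 2, RFC 2328 Appendix D).

Added example; not code from this guide or from HP. Builds a minimal
OSPFv2 Hello, signs it with MD5 over the packet followed by the key, and
verifies it the way a receiving router must: digest check with the key
selected by Key ID, then the non-decreasing cryptographic sequence number
that rejects replayed packets. Keys shorter than 16 bytes are zero-padded
(an assumption; it matches common implementations).
"""
import hashlib
import hmac
import struct
from typing import Dict

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
HEADER_LEN = 24
DIGEST_LEN = 16


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _pad_key(key: bytes) -> bytes:
    if not 0 < len(key) <= DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are 1 to 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def hello_body(mask: str, hello: int, dead: int, priority: int = 1) -> bytes:
    """Constructed Hello body: network mask, HelloInterval, Options, Rtr Pri,
    RouterDeadInterval, DR and BDR (both still unknown here)."""
    return struct.pack("!4sHBBI4s4s", _ip(mask), hello, 0x02, priority, dead,
                       _ip("0.0.0.0"), _ip("0.0.0.0"))


def build_ospf_packet(router_id: str, area_id: str, key_id: int, seq: int,
                      body: bytes, key: bytes) -> bytes:
    """Return an OSPF packet with AuType 2 and the MD5 digest appended.
    The digest is not counted in the header Length field."""
    length = HEADER_LEN + len(body)
    # With AuType 2 the checksum field is 0 and the 64-bit Authentication
    # field holds: 0x0000, Key ID, Auth Data Len, Cryptographic Sequence Number.
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id), 0, AUTYPE_CRYPTOGRAPHIC)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


class OspfNeighborAuth:
    """Receiver-side state for one neighbor: configured keys by Key ID and
    the highest cryptographic sequence number accepted so far."""

    def __init__(self, keys: Dict[int, bytes]):
        self.keys = keys
        self.last_seq = -1

    def verify(self, frame: bytes) -> bool:
        if len(frame) < HEADER_LEN + DIGEST_LEN:
            return False
        version, _ptype, length, _rid, _aid, _cksum, autype = struct.unpack(
            "!BBH4s4sHH", frame[:16])
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
        if version != OSPF_VERSION or autype != AUTYPE_CRYPTOGRAPHIC:
            return False
        if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(frame):
            return False
        key = self.keys.get(key_id)
        if key is None:
            return False                      # unknown Key ID
        packet, received = frame[:length], frame[length:]
        expected = hashlib.md5(packet + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, received):
            return False                      # wrong key or modified packet
        if seq < self.last_seq:
            return False                      # replay of an older packet
        self.last_seq = seq
        return True


if __name__ == "__main__":
    key = b"ospf-area1-key"
    body = hello_body("255.255.255.0", 10, 40)
    rx = OspfNeighborAuth({1: key})
    fresh = build_ospf_packet("10.2.1.1", "0.0.0.1", 1, 7, body, key)
    print("fresh packet accepted:", rx.verify(fresh))
    print("replay (seq 6) accepted:",
          rx.verify(build_ospf_packet("10.2.1.1", "0.0.0.1", 1, 6, body, key)))
```

The sequence check is per neighbor, which is why a router that is reset and restarts its counter at a low value is ignored by its neighbors until the counter catches up; implementations typically seed it from the clock for that reason.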
To do… / Use the command… / Remarks
• Enable OSPF to add the interface MTU into DD packets: ospf mtu-enable. (Optional. Not enabled by default.)
• Level-3—fault traps
• Level-4—alarm traps
• Level-5—normal but important traps
• Level-6—notification traps
The generated traps are sent to the information center of the device. The output rules of the traps—whether to output the traps and the output direction—are determined by the information center configuration. (For information center configuration, see System Management and Maintenance Configuration Guide.)
packets. Configuring OSPF to give priority to receiving and processing Hello packets helps ensure stable neighbor relationships.
Follow these steps to configure OSPF to give priority to receiving and processing Hello packets:
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Configure OSPF to give priority to receiving and processing Hello packets: ospf packet-process prioritized-treatment. (Required. Not configured by default.)
To do… / Use the command…
• Display OSPF retransmission queue information: display ospf [ process-id ] retrans-queue [ interface-type interface-number ] [ neighbor-id ]
• Display OSPF ABR and ASBR information: display ospf [ process-id ] abr-asbr
• Display OSPF interface information: display ospf [ process-id ] interface [ all | interface-type interface-number ]
• Display OSPF error information: display ospf [ process-id ] error
• Display OSPF ASBR summarization information: display ospf [ process-id ] asbr-summa
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
# Configure Router B.
system-view
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.2] quit
[RouterB-ospf-1] quit
# Configure Router C.
Neighbors
Area 0.0.0.1 interface 10.2.1.1(Ethernet1/2)'s neighbors
Router ID: 10.4.1.1    Address: 10.2.1.2    GR State: Normal
State: Full  Mode: Nbr is Master  Priority: 1
DR: 10.2.1.1  BDR: 10.2.1.2  MTU: 0
Dead timer due in 32 sec
Neighbor is up for 06:03:12
Authentication Sequence: [ 0 ]
Neighbor state change count: 5
# Display OSPF routing information on Router A.
[RouterA] display ospf routing
OSPF Process 1 with Router ID 10.2.1.
Sum-Net   10.1.1.0   10.2.1.1   1069   28   8000000F   1
Sum-Asbr  10.3.1.1   10.2.1.1   1069   28   8000000F   1
# Display OSPF routing information on Firewall.
[Firewall] display ospf routing
OSPF Process 1 with Router ID 10.5.1.1
Routing Tables
Routing for Network
Destination    Cost   Type     NextHop    AdvRouter   Area
10.2.1.0/24    3      Inter    10.3.1.1   10.3.1.1    0.0.0.2
10.3.1.0/24    1      Transit  10.3.1.2   10.3.1.1    0.0.0.2
10.4.1.0/24    4      Inter    10.3.1.1   10.3.1.1    0.0.0.2
10.5.1.0/24    1      Stub     10.5.1.1   10.5.1.
Figure 163 Network diagram for OSPF redistributing routes from outside of an AS
Configuration procedure
1. Configure IP addresses for interfaces (omitted).
2. Configure OSPF basic functions (see "OSPF basic functions configuration example").
3. Configure OSPF to redistribute routes.
# On Router C, configure a static route destined for network 3.1.2.0/24.
system-view
[RouterC] ip route-static 3.1.2.1 24 10.4.1.2
# On Router C, configure OSPF to redistribute the static route.
10.1.1.0/24    12     Inter    10.3.1.1   10.3.1.1    0.0.0.2
Routing for ASEs
Destination    Cost   Type    Tag   NextHop    AdvRouter
3.1.2.0/24     1      Type2   1     10.3.1.1   10.4.1.1
Total Nets: 6
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0
OSPF summary route advertising configuration example
Network requirements
As shown in Figure 164:
• Router A and Firewall are in AS 200, running OSPF.
• Router B, Router D, and Router C are in AS 100, running OSPF.
[RouterA-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Firewall.
system-view
[Firewall] ospf
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
# Configure Router B.
system-view
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.
[Firewall] ospf
[Firewall-ospf-1] import-route bgp
# Display the routing table of Router A.
[RouterA] display ip routing-table
Routing Tables: Public
Destinations : 8        Routes : 8
Destination/Mask   Proto    Pre   Cost   NextHop     Interface
10.1.1.0/24        O_ASE    150   1      11.2.1.1    Eth1/1
10.2.1.0/24        O_ASE    150   1      11.2.1.1    Eth1/1
10.3.1.0/24        O_ASE    150   1      11.2.1.1    Eth1/1
10.4.1.0/24        O_ASE    150   1      11.2.1.1    Eth1/1
11.2.1.0/24        Direct   0     0      11.2.1.2    Eth1/1
11.2.1.2/32        Direct   0     0      127.0.0.
Figure 165 OSPF stub area configuration
Configuration procedure
1. Configure IP addresses for interfaces (omitted).
2. Configure OSPF basic functions (see "OSPF basic functions configuration example").
3. Configure Firewall to redistribute static routes.
[Firewall] ip route-static 3.1.2.1 24 10.5.1.2
[Firewall] ospf
[Firewall-ospf-1] import-route static
[Firewall-ospf-1] quit
# Display ABR/ASBR information on Router C.
[RouterC] display ospf abr-asbr
OSPF Process 1 with Router ID 10.4.1.
Destination    Cost   Type    Tag   NextHop    AdvRouter
3.1.2.0/24     1      Type2   1     10.2.1.1   10.5.1.1
Total Nets: 6
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0
NOTE: In the above output, because Router C resides in a normal OSPF area, its routing table contains an external route.
4. Configure Area 1 as a stub area.
# Configure Router A.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
# Configure Router C.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub no-summary
[RouterA-ospf-1-area-0.0.0.1] quit
# Display OSPF routing information on Router C.
[RouterC] display ospf routing
OSPF Process 1 with Router ID 10.4.1.1
Routing Tables
Routing for Network
Destination    Cost   Type     NextHop    AdvRouter   Area
0.0.0.0/0      4      Inter    10.2.1.1   10.2.1.1    0.0.0.1
10.2.1.0/24    3      Transit  10.2.1.2   10.4.1.1    0.0.0.1
10.4.1.0/24    3      Stub     10.4.1.1   0.0.0.1     10.4.1.
3. Configure Area 1 as an NSSA area.
# Configure Router A.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] nssa
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure Router C.
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] nssa
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
NOTE: HP recommends configuring the nssa command with the keyword default-route-advertise no-summary on Router A (an ABR) to reduce the routing table size on NSSA routers.
10.2.1.0/24    22     Inter    10.3.1.1   10.3.1.1    0.0.0.2
10.3.1.0/24    10     Transit  10.3.1.2   10.3.1.1    0.0.0.2
10.4.1.0/24    25     Inter    10.3.1.1   10.3.1.1    0.0.0.2
10.5.1.0/24    10     Stub     10.5.1.1   10.5.1.1    0.0.0.2
10.1.1.0/24    12     Inter    10.3.1.1   10.3.1.1    0.0.0.2
Destination    Cost   Type    Tag   NextHop    AdvRouter
3.1.2.0/24     1      Type2   1     10.3.1.1   10.2.1.
# Configure Router B.
system-view
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure Firewall.
DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
Dead timer due in 31 sec
Neighbor is up for 00:01:28
Authentication Sequence: [ 0 ]
Firewall becomes the DR, and Router C becomes the BDR.
3. Configure router priorities on interfaces.
# Configure Router A.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ospf dr-priority 100
[RouterA-Ethernet1/1] quit
# Configure Router B.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ospf dr-priority 0
[RouterB-Ethernet1/1] quit
# Configure Router C.
NOTE: In the above output, you can see that the priority configuration does not take effect immediately.
4. Restart the OSPF process (omitted).
# Restart the OSPF process on Firewall.
reset ospf 1 process
Warning : Reset OSPF process? [Y/N]:y
# Display neighbor information on Firewall.
display ospf peer verbose
OSPF Process 1 with Router ID 4.4.4.4
Neighbors
Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet0/0)'s neighbors
Router ID: 1.1.1.1    State: Full    Address: 192.168.1.
IP Address     Type        State     Cost   Pri   DR            BDR
192.168.1.1    Broadcast   DR        1      100   192.168.1.1   192.168.1.3
[RouterB] display ospf interface
OSPF Process 1 with Router ID 2.2.2.2
Interfaces
Area: 0.0.0.0
IP Address     Type        State     Cost   Pri   DR            BDR
192.168.1.2    Broadcast   DROther   1      0     192.168.1.1   192.168.1.3
NOTE: The interface state DROther means the interface is neither the DR nor the BDR.
[FirewallA-ospf-1-area-0.0.0.0] quit
[FirewallA-ospf-1] area 1
[FirewallA-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.1] quit
# Configure Firewall B.
system-view
[FirewallB] ospf 1 router-id 3.3.3.3
[FirewallB-ospf-1] area 1
[FirewallB-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.1] quit
[FirewallB-ospf-1] area 2
[FirewallB-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.2] quit
# Configure Router B.
# Display OSPF routing information on Firewall A.
[FirewallA] display ospf routing
OSPF Process 1 with Router ID 2.2.2.2
Routing Tables
Routing for Network
Destination    Cost   Type     NextHop    AdvRouter   Area
10.2.1.0/24    2      Transit  10.2.1.1   3.3.3.3     0.0.0.1
10.3.1.0/24    5      Inter    10.2.1.2   3.3.3.3     0.0.0.0
10.1.1.0/24    2      Transit  10.1.1.2   2.2.2.2     0.0.0.0
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0
Firewall A has learned the route 10.3.1.0/24 to Area 2.
# On Router C, configure a static route destined for network 3.1.2.0/24.
[RouterC] ip route-static 3.1.2.0 24 10.4.1.2
# On Router C, configure a static route destined for network 3.1.3.0/24.
[RouterC] ip route-static 3.1.3.0 24 10.4.1.2
# Configure OSPF to redistribute static routes on Router C.
[RouterC] ospf 1
[RouterC-ospf-1] import-route static
[RouterC-ospf-1] quit
# Display the OSPF routing table of Firewall.
10.2.1.0/24        Direct   0     0      10.2.1.1    GE0/1
10.2.1.1/32        Direct   0     0      127.0.0.1   InLoop0
10.3.1.0/24        OSPF     10    4      10.1.1.2    GE0/0
10.4.1.0/24        OSPF     10    13     10.2.1.2    GE0/1
10.5.1.0/24        OSPF     10    14     10.1.1.2    GE0/0
127.0.0.0/8        Direct   0     0      127.0.0.1   InLoop0
127.0.0.1/32       Direct   0     0      127.0.0.1   InLoop0
The route destined for network 3.1.3.0/24 is filtered out.
5. Configure Firewall to filter out route 10.5.1.1/24.
# Configure the ACL on Firewall.
Analysis
If the physical link and lower layer protocols work well, check the OSPF parameters configured on the interfaces. Two neighbors must have the same parameters, such as the area ID, network segment and mask (a P2P or virtual link may have different network segments and masks).
Solution
1. Display OSPF neighbor information using the display ospf peer command.
2. Display OSPF interface information using the display ospf interface command.
3. Ping the neighbor router's IP address to check connectivity.
4. To configure OSPF packet authentication in an area, configure the same authentication mode (non-authentication, simple authentication or MD5 authentication) on all the routers of the area. The authentication mode and password for interfaces attached to a network segment must be identical. In the web interface configuration, the authentication mode of the interface first configured with authentication information is taken as the authentication mode of the area.
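The troubleshooting rules above (and the hello timer rule in "Configuring OSPF packet timers") reduce to a parameter comparison between the two interfaces, which is worth automating when a neighbor is stuck in Init or ExStart. The block below is an added example, not code from this guide or from HP; the dataclass field names are this example's own rather than CLI keywords, and the MTU rule reflects the ospf mtu-enable behaviour described earlier (a DD packet carrying a larger MTU than the receiving interface is rejected).

```python
"""Neighbor-parameter consistency check for two OSPF interfaces.

Added example; not code from this guide or from HP. It encodes the
troubleshooting rules: area ID, network type, hello and dead timers,
authentication mode and key must match; the network segment and mask
must match except on P2P and virtual links; the MTU must match when
ospf mtu-enable is in force. Field names are this example's own.
"""
from dataclasses import dataclass
import ipaddress
from typing import List

SEGMENT_EXEMPT = ("p2p", "virtual-link")


@dataclass
class OspfIface:
    name: str
    address: str                       # e.g. "10.2.1.1/24"
    area: str = "0.0.0.0"
    network_type: str = "broadcast"    # broadcast | nbma | p2mp | p2p | virtual-link
    hello: int = 10                    # seconds
    dead: int = 40                     # seconds
    auth_mode: str = "none"            # none | simple | md5
    auth_key: str = ""
    mtu: int = 1500
    mtu_check: bool = False            # True when ospf mtu-enable is configured


def find_mismatches(a: OspfIface, b: OspfIface) -> List[str]:
    """Return the reasons why a and b cannot become OSPF neighbors (empty if none)."""
    problems: List[str] = []

    def differ(field: str, label: str) -> None:
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            problems.append(f"{label} differs: {a.name}={va} {b.name}={vb}")

    differ("area", "area ID")
    differ("network_type", "network type")
    differ("hello", "hello interval")
    differ("dead", "dead interval")

    # Same segment and mask are required on multi-access networks only.
    if a.network_type not in SEGMENT_EXEMPT or b.network_type not in SEGMENT_EXEMPT:
        net_a = ipaddress.ip_interface(a.address).network
        net_b = ipaddress.ip_interface(b.address).network
        if net_a != net_b:
            problems.append(f"network segment/mask differs: {net_a} vs {net_b}")

    differ("auth_mode", "authentication mode")
    if a.auth_mode == b.auth_mode and a.auth_mode != "none":
        # Compare keys without echoing them into the report.
        if a.auth_key != b.auth_key:
            problems.append("authentication key differs")

    # With ospf mtu-enable the MTU rides in DD packets; a mismatch stalls ExStart.
    if (a.mtu_check or b.mtu_check) and a.mtu != b.mtu:
        problems.append(f"MTU differs with mtu-enable: {a.mtu} vs {b.mtu}")
    return problems


if __name__ == "__main__":
    # Constructed pair modelled on Router A and Router C in Area 1 above.
    ra = OspfIface("RouterA-Eth1/2", "10.2.1.1/24", area="0.0.0.1",
                   auth_mode="md5", auth_key="area1")
    rc = OspfIface("RouterC-Eth1/1", "10.2.1.2/24", area="0.0.0.1",
                   auth_mode="md5", auth_key="area-1", hello=30)
    for line in find_mismatches(ra, rc) or ["no mismatches"]:
        print(line)
```

Run it against the values shown by display ospf interface on both sides; a key mismatch is reported without printing the keys, and a P2P pair on different subnets is correctly not flagged.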
BGP configuration
The Border Gateway Protocol (BGP) is a dynamic inter-AS Exterior Gateway Protocol. An autonomous system (AS) is a group of routers that share the same routing policy and work under the same administration. The three early BGP versions are BGP-1 (RFC 1105), BGP-2 (RFC 1163), and BGP-3 (RFC 1267). The version in use today is BGP-4 (RFC 4271), the exterior gateway protocol of the Internet.
Figure 170 BGP global configuration page
Table 63 BGP global configuration items
Item / Description
• Enable BGP: Enable BGP.
• AS: Specify a local AS number.
• Import static routes: Configure BGP to redistribute static routes.
Return to "BGP configuration task list."
Configuring BGP peer
Select Network > Routing Management > BGP from the navigation tree to enter the BGP configuration page. After you enable BGP, the tabs shown in Figure 171 are displayed on the page.
Figure 172 Create a BGP peer
Table 64 BGP peer configuration items
Item / Description
• Peer IP Address: Configure the IP address of the BGP peer.
• Peer AS: Specify the AS number of the BGP peer.
Return to "BGP configuration task list."
Displaying BGP peer information
Select Network > Routing Management > BGP from the navigation tree to enter the BGP configuration page.
BGP configuration example
Network requirements
All devices in the following figure run BGP. Device A and Device B have an eBGP connection. The iBGP speakers Device B, Device C, and Device D are fully meshed.
Figure 174 Network diagram for BGP configuration (Device A in AS 65008; Device B, Device C, and Device D in AS 65009; interface addresses as shown in the figure)
Configuration procedure
1.
Figure 176 The web page displayed after you enable BGP
• Click Add in the Peer Configuration field and make the following configurations as shown in Figure 177.
• Type 9.1.1.2 for Peer IP Address.
• Type 65009 for Peer AS.
• Click Apply.
Figure 177 Add a BGP peer
• Click Add in the Peer Configuration field.
• Type 9.1.3.2 for Peer IP Address.
• Type 65009 for Peer AS.
• Click Apply.
# Configure Device C.
• Select Network > Routing Management > BGP from the navigation tree of Device C.
• Type 9.1.3.1 for Peer IP Address.
• Type 65009 for Peer AS.
• Click Apply.
• Click Add in the Peer Configuration field.
• Type 9.1.2.2 for Peer IP Address.
• Type 65009 for Peer AS.
• Click Apply.
# Configure Device D.
• Select Network > Routing Management > BGP from the navigation tree of Device D.
• Select the Enable BGP check box.
• Type 65009 for AS.
• Click Apply.
• Click Add in the Peer Configuration field.
• Type 9.1.1.1 for Peer IP Address.
• Type 65009 for Peer AS.
Select Network > Routing Management > BGP from the navigation tree of Device B, and then click Show Peer in the Show Information field. BGP connections are established from Device B to other devices, as shown in Figure 178.
Task / Remarks
• Configuring a large scale BGP network
• Enabling MD5 authentication for TCP connections (Optional)
• Configuring BGP load balancing (Optional)
• Forbidding session establishment with a peer or peer group (Optional)
• Configuring BGP peer groups (Optional)
• Configuring BGP community (Optional)
• Configuring a BGP route reflector (Optional)
• Configuring a BGP confederation (Optional)
• Enabling Guard route redistribution (Optional)
• Enabling trap (Optional)
• Enabling logging of peer state changes (Optional)
• Conf
To do… / Use the command… / Remarks
• Enable BGP and enter BGP view: bgp as-number. (Not enabled by default.)
• Specify a peer or a peer group and its AS number: peer { group-name | ip-address } as-number as-number. (Required)
• Enable the default use of the IPv4 unicast address family for peers established with the peer as-number command: default ipv4-unicast.
• Enable a peer: peer ip-address enable.
• Configure a description for a peer/peer group: peer { group-name | ip-address } description description-text.
To do… / Use the command… / Remarks
• Specify the source interface for establishing TCP connections to a peer or peer group: peer { group-name | ip-address } connect-interface interface-type interface-number. (Required. By default, BGP uses the outbound interface of the best route to the BGP peer/peer group as the source interface for establishing a TCP connection to the peer/peer group.)
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter BGP view: bgp as-number. (—)
• Inject a network into the BGP routing table: network ip-address [ mask | mask-length ] route-policy route-policy-name. (Optional. Not injected by default.)
Configuring BGP route redistribution
BGP does not discover routes by itself. Rather, it redistributes routing information in the local AS from other routing protocols.
After automatic route summarization is configured, BGP summarizes redistributed IGP subnets and advertises only the natural (classful) networks. Routes injected with the network command cannot be summarized.
Follow these steps to configure automatic route summarization:
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter BGP view: bgp as-number. (—)
• Configure automatic route summarization: summary automatic. (Required. Not configured by default.)
2.
For how to configure an IP prefix list, route policy and AS-path ACL, see the chapter “Policy-based routing configuration.” 2.
To do… / Use the command… / Remarks
• Filter incoming routes with an ACL or IP prefix list: filter-policy { acl-number | ip-prefix ip-prefix-name } import. (Required)
• Reference a routing policy to filter routes from a peer/peer group: peer { group-name | ip-address } route-policy route-policy-name import.
• Reference an ACL to filter routing information from a peer/peer group: peer { group-name | ip-address } filter-policy acl-number import.
• Reference an AS path ACL to filter routing information from a peer/peer
To do… / Use the command… / Remarks
• Specify the maximum number of prefixes that can be received from a peer/peer group: peer { group-name | ip-address } route-limit prefix-number reconnect reconnect-time [ percentage-value ]. (If the number is reached, the router tears down the BGP connection to the peer and then re-establishes it after the reconnect time.)
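A prefix limit is the control that keeps a misconfigured or hostile peer from flooding the local table with a full Internet feed; the useful detail is the two thresholds, a warning at percentage-value of the limit and a session teardown with a timed reconnect at the limit itself. The block below is an added example that models that behaviour in a small state machine; it is not code from this guide or from HP, and the class name, the 75 percent warning default and the log wording are this example's own assumptions.

```python
"""Per-peer prefix limit with warning threshold and timed reconnect.

Added example; not code from this guide or from HP. It models the
behaviour the peer route-limit command describes: prefixes received from
a peer are counted, a warning is logged once the count reaches
percentage-value percent of the limit, and when the limit itself is
reached the session is torn down and re-established after reconnect-time.
The class name, the 75 percent warning default and the log format are
this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PeerPrefixLimit:
    peer: str
    limit: int                         # prefix-number
    reconnect_time: int                # reconnect-time, seconds
    warn_percent: int = 75             # percentage-value (assumed default)
    prefixes: Set[str] = field(default_factory=set)
    state: str = "Established"
    reconnect_at: Optional[float] = None
    warned: bool = False
    log: List[str] = field(default_factory=list)

    def receive(self, prefix: str, now: float) -> bool:
        """Process one prefix announced by the peer; return True if it is kept."""
        if self.state != "Established":
            return False                               # session is down
        self.prefixes.add(prefix)                      # re-announcements do not count twice
        count = len(self.prefixes)
        if count >= self.limit:
            self.log.append(f"{now}: {self.peer} reached route-limit {self.limit}, "
                            f"tearing down session")
            self.prefixes.clear()
            self.state = "Idle"
            self.reconnect_at = now + self.reconnect_time
            self.warned = False
            return False
        if not self.warned and count * 100 >= self.limit * self.warn_percent:
            self.log.append(f"{now}: warning, {self.peer} has {count}/{self.limit} "
                            f"prefixes ({self.warn_percent}% threshold)")
            self.warned = True
        return True

    def tick(self, now: float) -> str:
        """Advance the clock; re-establish the session once reconnect-time has elapsed."""
        if (self.state == "Idle" and self.reconnect_at is not None
                and now >= self.reconnect_at):
            self.state = "Established"
            self.reconnect_at = None
            self.log.append(f"{now}: {self.peer} session re-established")
        return self.state


if __name__ == "__main__":
    # Constructed feed: peer 3.3.3.3 limited to 4 prefixes, 30 s reconnect.
    guard = PeerPrefixLimit("3.3.3.3", limit=4, reconnect_time=30)
    for t, pfx in enumerate(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]):
        print(pfx, "kept" if guard.receive(pfx, t) else "rejected", guard.state)
    print(guard.tick(40))
    print("\n".join(guard.log))
```

Because the session is re-established with an empty count, a peer that keeps announcing more than the limit will flap every reconnect-time seconds; that repeating log line is the signal to raise the limit or fix the peer rather than to extend the timer.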
To do… / Use the command… / Remarks
• Enter BGP view: bgp as-number. (—)
• Specify a preferred value for routes received from a peer or peer group: peer { group-name | ip-address } preferred-value value. (Optional. The preferred value is 0 by default.)
Configuring preferences for BGP routes
A router may run multiple routing protocols, each of which has a preference. If several protocols find the same route, the route found by the protocol with the highest preference is selected.
To do… / Use the command… / Remarks
• Configure the default MED value: default med med-value. (Optional. 0 by default.)
2. Enable the comparison of MED of routes from different ASs
Follow these steps to enable the comparison of MED of routes from different ASs:
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter BGP view: bgp as-number. (—)
• Enable the comparison of MED of routes from different ASs: compare-different-as-med.
3.
Network          NextHop    MED   LocPrf   PrefVal   Path/Ogn
*>i 10.0.0.0     3.3.3.3    50             0         200e
* i 10.0.0.0     2.2.2.2    50             0         300e
* i              1.1.1.1    60             0         200e
BGP load balancing cannot be implemented because load balanced routes must have the same AS-path attribute.
Figure 180 Next hop attribute configuration If a BGP router has two peers on a common broadcast network, it does not set itself as the next hop for routes sent to an eBGP peer by default. As shown below, Router A and Router B establish an eBGP neighbor relationship, and Router B and Router C establish an iBGP neighbor relationship. They are on the same broadcast network 1.1.1.0/24. When Router B sends eBGP routes to Router A, it does not set itself as the next hop by default.
To do… / Use the command… / Remarks
• Permit the local AS number to appear in routes from a peer/peer group and specify how many times it may appear: peer { group-name | ip-address } allow-as-loop [ number ]. (Optional. By default, the local AS number is not allowed to appear in routes received from a peer; such routes are discarded by AS loop detection.)
2.
Configuring BGP keepalive interval and holdtime After establishing a BGP connection, two routers send keepalive messages periodically to each other to keep the connection. If a router receives no keepalive or update message from the peer within the holdtime, it tears down the connection. If the holdtime settings on the local and peer routers are different, the smaller one is used.
Follow these steps to enable BGP route refresh for a peer/peer group:
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter BGP view: bgp as-number. (—)
• Enable BGP route refresh for a peer/peer group: peer { group-name | ip-address } capability-advertise route-refresh. (Optional)
2.
To do… / Use the command… / Remarks
• Enable BGP route refresh for a peer/peer group: peer { group-name | ip-address } capability-advertise route-refresh. (Required. Enabled by default.)
Follow these steps to enable MD5 authentication for TCP connections:
To do… / Use the command… / Remarks
• Enter system view: system-view. (—)
• Enter BGP view: bgp as-number. (—)
• Enable MD5 authentication when establishing a TCP connection to the peer/peer group: peer { group-name | ip-address } password { cipher | simple } password. (Optional. Not enabled by default.)
Configuring BGP load balancing
If multiple paths to a destination exist, you can configure load balancing over such paths to improve link utilization
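The peer password command above turns on the TCP MD5 signature option of RFC 2385: every segment of the BGP session carries a 16-byte digest over the IP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the payload and the shared key, so a segment injected by a third party without the key is dropped before TCP ever hands it to BGP. The block below is an added example, not code from this guide or from HP; it signs a constructed SYN to port 179 and verifies it, and the helper names are this example's own.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind peer password.

Added example; not code from this guide or from HP. It signs a constructed
BGP SYN segment and verifies it: the MD5 digest covers the IP pseudo-header,
the fixed TCP header with the checksum zeroed (options excluded), the
payload and the shared key. Both peers must configure the same password;
with a mismatch every segment is dropped, the TCP connection never
completes and the BGP session does not come up. Helper names are this
example's own.
"""
import hashlib
import hmac
import struct
from typing import Optional

TCP_PROTO = 6
BGP_PORT = 179
OPT_END, OPT_NOP, OPT_MD5 = 0, 1, 19
OPT_MD5_LEN = 18                      # kind + length + 16-byte digest


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def tcp_md5_digest(src_ip: str, dst_ip: str, header: bytes, data: bytes, key: bytes) -> bytes:
    """RFC 2385 digest; header is the full TCP header including options."""
    fixed = bytearray(header[:20])
    fixed[16:18] = b"\x00\x00"                        # checksum is excluded
    seg_len = len(header) + len(data)                 # options do count in the length
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    return hashlib.md5(pseudo + bytes(fixed) + data + key).digest()


def find_md5_option(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the signature if one is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                                     # malformed option list
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def build_bgp_syn(src_ip: str, dst_ip: str, sport: int, seq: int, key: bytes) -> bytes:
    """Constructed SYN to port 179 carrying the MD5 option, padded with two NOPs."""
    doff = (20 + OPT_MD5_LEN + 2) // 4                # 40-byte header -> 10 words
    fixed = struct.pack("!HHIIBBHHH", sport, BGP_PORT, seq, 0, doff << 4, 0x02, 65535, 0, 0)
    placeholder = bytes([OPT_MD5, OPT_MD5_LEN]) + bytes(16) + bytes([OPT_NOP, OPT_NOP])
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder, b"", key)
    return fixed + bytes([OPT_MD5, OPT_MD5_LEN]) + digest + bytes([OPT_NOP, OPT_NOP])


def verify_tcp_md5(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver check; src/dst come from the IP header of the received packet."""
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    header, data = segment[:doff], segment[doff:]
    received = find_md5_option(header[20:])
    if received is None:
        return False                                  # unsigned segment on a signed session: drop
    expected = tcp_md5_digest(src_ip, dst_ip, header, data, key)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"bgp-shared-secret"
    syn = build_bgp_syn("3.1.1.2", "3.1.1.1", 40000, 123456, key)
    print("signed SYN verifies:", verify_tcp_md5("3.1.1.2", "3.1.1.1", syn, key))
    print("wrong key verifies:", verify_tcp_md5("3.1.1.2", "3.1.1.1", syn, b"other"))
```

Note that the digest binds the source and destination addresses, so the same key is only valid between the two configured peer addresses; when a peer is reached through a loopback (peer connect-interface), the key must be configured for that address on both sides.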
A peer group is an iBGP peer group if peers in it belong to the same AS, and is an eBGP peer group if peers in it belong to different ASs. If a peer group has peers added, you cannot remove its AS number by using the undo form of the command, and you cannot change its AS number. 1. Configure an iBGP peer group After you create an iBGP peer group and then add a peer into it, the system creates the peer in BGP view and specifies the local AS number for the peer.
To do… / Use the command… / Remarks
• Specify an AS number for a peer: peer ip-address as-number as-number. (Required)
• Add the peer into the group: peer ip-address group group-name [ as-number as-number ]. (Required. The AS number can be either specified or not specified in the command. If specified, it must be the same as the AS number specified for the peer with the peer ip-address as-number as-number command.)
NOTE: Peers added to the group can have different AS numbers.
To do… / Use the command… / Remarks
• Enter BGP view: bgp as-number. (—)
• Advertise the community attribute to a peer/peer group: peer { group-name | ip-address } advertise-community. (Required)
• Advertise the extended community attribute to a peer/peer group: peer { group-name | ip-address } advertise-ext-community.
• Apply a routing policy to routes advertised to a peer/peer group: peer { group-name | ip-address } route-policy route-policy-name export. (Not co
1. Configure a BGP confederation
After you split an AS into multiple sub-ASs, you can configure a router in a sub-AS in the following way:
• Enable BGP and specify the AS number of the router.
• Specify the confederation ID. From an outsider's perspective, the sub-ASs of the confederation appear as a single AS, which is identified by the confederation ID.
• If the router needs to establish eBGP connections to other sub-ASs, specify the peering sub-ASs in the confederation.
To do… / Use the command… / Remarks
• Enable Guard route redistribution into BGP: import-route guard [ med med-value | route-policy route-policy-name ] *. (Required. Disabled by default.)
NOTE:
• A Guard route configured on a router is neither installed into the FIB nor used by the router to forward IP packets.
• Guard routes redistributed into the BGP routing table have an ORIGIN attribute of incomplete.
Enabling trap
After trap is enabled for BGP, BGP generates Level-4 traps to report its important events.
To do… / Use the command…
• Display BGP peer/peer group information: display bgp peer [ ip-address { log-info | verbose } | group-name log-info | verbose ]
• Display the prefix information in the ORF packet from the specified BGP peer: display bgp peer ip-address received ip-prefix
• Display BGP routing information: display bgp routing-table [ ip-address [ { mask | mask-length } [ longer-prefixes ] ] ]
• Display routing information matching the AS path ACL: display bgp routing-table as-path-acl as-path-
To do… / Use the command…
• Reset the BGP connections to a peer group: reset bgp group group-name
• Reset all iBGP connections: reset bgp internal
• Reset all IPv4 unicast BGP connections: reset bgp ipv4 all
Clearing BGP information
To do… / Use the command…
• Clear dampened MBGP routing information and release suppressed routes: reset bgp dampening [ ip-address [ mask | mask-length ] ]
• Clear route flap information: reset bgp flap-info [ ip-address [ mask-length | mask ] | as-path-acl as-path-acl-numbe
[Firewall-bgp] peer 3.3.3.3 as-number 65009
[Firewall-bgp] peer 3.3.3.3 connect-interface loopback 0
[Firewall-bgp] quit
[Firewall] ospf 1
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 32
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.1 24
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router B.
system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 3.3.3.3
[RouterB-bgp] peer 2.2.2.2 as-number 65009
[RouterB-bgp] peer 2.2.2.
[Firewall] bgp 65009
[Firewall-bgp] peer 3.1.1.2 as-number 65008
[Firewall-bgp] quit
# Display BGP peer information on Firewall.
[Firewall] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 2        Peers in established state : 2
Peer       AS      MsgRcvd   MsgSent   OutQ   PrefRcv   Up/Down    State
3.3.3.3    65009   12        10        0      3         00:09:16   Established
3.1.1.
BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network          NextHop    MED   LocPrf   PrefVal   Path/Ogn
i 8.1.1.0/24     3.1.1.2    0     100      0         65008i
NOTE: From the above outputs, Router A has learned no route to AS 65009, and Router B has learned network 8.1.1.0 but its next hop 3.1.1.2 is unreachable, so the route is invalid.
4. Redistribute direct routes.
Network          NextHop    MED   LocPrf   PrefVal   Path/Ogn
*>i 2.2.2.2/32   2.2.2.2    0     100      0         ?
*>i 3.1.1.0/24   2.2.2.2    0     100      0         ?
*>i 8.1.1.0/24   3.1.1.2    0     100      0         65008i
* i 9.1.1.0/24   2.2.2.2    0     100      0         ?
You can see that the route 8.1.1.0 becomes valid, with Router A as the next hop.
5. Verify the configuration.
# Ping 8.1.1.1 on Router B.
[RouterB] ping 8.1.1.1
PING 8.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 8.1.1.
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 32
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.0 24
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router B.
system-view
[RouterB] ospf 1
[RouterB-ospf-1] import-route direct
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 9.1.1.0 24
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
3. Configure the eBGP connection.
Configure the eBGP connection and inject network 8.1.1.
Origin : i - IGP, e - EGP, ? - incomplete
Network          NextHop    MED   LocPrf   PrefVal   Path/Ogn
*> 3.3.3.3/32    3.1.1.1    1              0         65009?
*> 8.1.1.0/24    0.0.0.0    0              0         i
*> 9.1.2.0/24    3.1.1.1    1              0         65009?
# Display the routing table on Router B.
[RouterB] display ip routing-table
Routing Tables: Public
Destinations : 9        Routes : 9
Destination/Mask   Proto    Pre   Cost   NextHop     Interface
2.2.2.2/32         OSPF     10    1      9.1.1.1     GE0/0
3.3.3.3/32         Direct   0     0      127.0.0.1   InLoop0
8.1.1.0/24         O_ASE    1     9.1.1.
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms
BGP load balancing configuration example
Network requirements
This example describes how to configure BGP load balancing. As shown in Figure 184, all routers run BGP. Firewall resides in AS 65008, and Router B and Router A in AS 65009. Firewall has eBGP connections to Router B and to Router A, and Router B and Router A have an iBGP connection between them.
[Firewall-bgp] peer 3.1.2.1 as-number 65009
[Firewall-bgp] network 8.1.1.1 24
[Firewall-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 3.1.1.2 as-number 65008
[RouterB-bgp] peer 3.3.3.3 as-number 65009
[RouterB-bgp] peer 3.3.3.3 connect-interface loopback 0
[RouterB-bgp] network 9.1.1.0 24
[RouterB-bgp] quit
[RouterB] ip route-static 3.3.3.3 32 9.1.1.2
# Configure Router A.
# Configure Firewall.
[Firewall] bgp 65008
[Firewall-bgp] balance 2
[Firewall-bgp] quit
4. Verify the configuration.
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table
Total Number of Routes: 3
BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network          NextHop    MED   LocPrf   PrefVal   Path/Ogn
*> 8.1.1.0/24    0.0.0.0    0              0         i
*> 9.1.1.0/24    3.1.1.
*>
2. Configure eBGP connections.
# Configure Firewall.
system-view
[Firewall] bgp 10
[Firewall-bgp] router-id 1.1.1.1
[Firewall-bgp] peer 200.1.2.2 as-number 20
[Firewall-bgp] network 9.1.1.0 255.255.255.0
[Firewall-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.2 as-number 30
[RouterB-bgp] quit
# Configure Router A.
Origin : i - IGP, e - EGP, ? - incomplete
Network          NextHop      MED   LocPrf   PrefVal   Path/Ogn
*> 9.1.1.0/24    200.1.3.1    0              0         20 10i
Router A has learned the route to the destination 9.1.1.0/24 from Router B.
3. Configure the BGP community attribute.
# Configure a routing policy.
[Firewall] route-policy comm_policy permit node 0
[Firewall-route-policy] apply community no-export
[Firewall-route-policy] quit
# Apply the routing policy.
[Firewall] bgp 10
[Firewall-bgp] peer 200.1.2.
Figure 186 Network diagram for BGP route reflector configuration
Configuration procedure
1. Configure IP addresses for interfaces (omitted).
2. Configure BGP connections (omitted).
# Configure Router A.
system-view
[RouterA] bgp 100
[RouterA-bgp] peer 192.1.1.2 as-number 200
# Inject network 1.0.0.0/8 into the BGP routing table.
[RouterA-bgp] network 1.0.0.0
[RouterA-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 200
[RouterB-bgp] peer 192.1.1.
[Firewall-bgp] quit
4. Verify the configuration.
# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 200.1.2.2
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network          NextHop      MED   LocPrf   PrefVal   Path/Ogn
*> 1.0.0.0       192.1.1.1    0              0         100i
# Display the BGP routing table on Router C.
Figure 187 Network diagram for BGP confederation configuration (Router A, Router B, Router C, Router D, Router E and Firewall; AS 100 and AS 200, with sub-ASs 65001, 65002 and 65003)
Device Interface IP address
Router A S2/1 200.1.1.1/24
Router D Eth1/1 10.1.5.1/24
Eth1/1 10.1.2.1/24
Eth1/2 10.1.3.2/24
GE0/0 10.1.5.2/24
GE0/1 10.1.4.2/24
Eth1/1 9.1.1.
system-view
[RouterC] bgp 65003
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] confederation id 200
[RouterC-bgp] confederation peer-as 65001 65002
[RouterC-bgp] peer 10.1.2.1 as-number 65001
[RouterC-bgp] quit
3. Configure iBGP connections in AS65001.
# Configure Router A.
[RouterA] bgp 65001
[RouterA-bgp] peer 10.1.3.2 as-number 65001
[RouterA-bgp] peer 10.1.3.2 next-hop-local
[RouterA-bgp] peer 10.1.4.2 as-number 65001
[RouterA-bgp] peer 10.1.4.
[RouterB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Network NextHop MED LocPrf PrefVal Path/Ogn
*>i 9.1.1.0/24 10.1.1.1 0 100 0 (65001) 100i
[RouterB] display bgp routing-table 9.1.1.0
BGP local router ID : 2.2.2.2
Local AS number : 65002
Paths: 1 available, 1 best
BGP routing table entry information of 9.1.
AS-path : 100
Origin : igp
Attribute value : MED 0, localpref 100, pref-val 0, pre 255
State : valid, internal, best,
Not advertised to any peers yet
The output information indicates the following:
• Router E can send route information to Router B and Router C through the confederation by establishing only an eBGP connection with Router A.
• Router B and Router D are in the same confederation, but belong to different sub ASs.
[RouterB-ospf] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf] area 0
[RouterC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure Firewall.
4. Configure different attribute values for the route 1.0.0.0/8 to make Firewall give priority to the route learned from Router C.
• Specify a higher MED value for the route 1.0.0.0/8 advertised to 192.1.1.2 to make Firewall give priority to the route learned from Router C.
# Define ACL 2000 to permit the route 1.0.0.0/8.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.
[RouterC] route-policy localpref permit node 10
[RouterC-route-policy] if-match acl 2000
[RouterC-route-policy] apply local-preference 200
[RouterC-route-policy] quit
# Apply the routing policy localpref to the route from the peer 193.1.1.1 on Router C.
[RouterC] bgp 200
[RouterC-bgp] peer 193.1.1.1 route-policy localpref import
[RouterC-bgp] quit
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table
Total Number of Routes: 2
BGP Local router ID is 194.1.1.
7. Use the display tcp status command to check the TCP connection.
8. Check whether an ACL disabling TCP port 179 is configured.
Route displaying
The basic way to locate routing problems is to display the routing tables.
Displaying routing table in the web interface
Select Network > Routing Management > Routing Info from the navigation tree to enter the route display page, as shown in Figure 189.
Figure 189 Route display page
Table 67 Route display items
Item Remarks
Destination: Destination address/network.
Mask: Together with the destination address, the mask specifies the address of the destination network.
Displaying routing table in the CLI
To do… Use the command… Remarks
Display brief information about the active routes in the routing table
  Command: display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Display information about routes to the specified destination
  Command: display ip routing-table ip-address [ mask-length | mask ] [ longer-match ] [ verbose ]
  Remarks: Available in any view
Display information about routes with destina
Policy-based routing configuration
Overview
Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Different from the traditional destination-based routing mechanism, PBR enables you to use a policy to route packets based on the source address, packet length, and other criteria. In general, PBR takes precedence over destination-based routing. PBR applies to the packets matching the specified criteria, and other packets are forwarded through destination-based routing.
• permit: Specifies the match mode of a policy node as permit. If a packet satisfies all the if-match clauses on the policy node, the apply clause is executed. If not, the packet will go to the next policy node.
• deny: Specifies the match mode of a policy node as deny. When a packet satisfies all the if-match clauses on the policy node, the packet will be rejected and will not go to the next policy node.
A packet satisfying the match criteria on a node will not go to other nodes.
Figure 190 Policy configuration page
Figure 191 Create a policy
Table 68 Policy configuration items
Item Remarks
Policy Name: Type a policy name. IMPORTANT: Any spaces entered at the beginning or end of a policy name will be ignored. A policy name containing only spaces is considered as null.
Node Index: Type a node index of the policy. The node with a smaller number has a higher priority and is matched first.
Select a matching mode for the node.
Item Remarks
Minimum Length / Maximum Length: Define an IP packet length match criterion. IMPORTANT: To create a packet length match criterion, both the minimum and maximum packet lengths must be set. Leaving either of the text boxes blank will delete the match criterion.
Matched ACL: Type an ACL number.
Preference: Type an IP packet preference. There are eight preference levels in total (in the range 0 to 7), as shown in Table 69.
Figure 193 Apply a policy
Table 70 Policy application configuration items
Item Remarks
Apply to: Specify the policy application mode:
• Local: Enable local PBR. Unless otherwise required, HP does not recommend enabling local PBR.
• Interface: Enable interface PBR. Apply the policy on a selected interface.
Policy Name: Type the name of the policy to be applied.
PBR configuration example
Source address based PBR configuration example
1.
Figure 194 Network diagram for source address based PBR
2. Configuration considerations
To meet these requirements, make the following configurations:
• Configure node 5 of the policy to send the inbound packets matching ACL 3101 to 10.120.1.2.
• Configure node 10 of the policy not to process the inbound packets matching ACL 3102.
Then packets received from GigabitEthernet 0/1 match against the if-match clauses of node 5 and node 10 in turn.
Figure 195 Add node 5 to policy aaa
# Add node 10 to policy aaa.
• Click Add on the policy configuration page.
• Type aaa as the policy name and 10 as node index, and set the mode to deny.
• Type 3102 as the number of the ACL for matching all IP packets.
• Click Apply.
d. Apply policy aaa to GigabitEthernet 0/1.
• Click the Application tab, and then click Add.
• Select the Interface check box and select GigabitEthernet 0/1.
• Select aaa as the policy name from the drop-down list.
To do… Use the command… Remarks
Define a packet length match criterion
  Command: if-match packet-length min-len max-len
  Remarks: Optional
Define an ACL match criterion
  Command: if-match acl acl-number
  Remarks: Optional
Set VPN instances
  Command: apply access-vpn vpn-instance vpn-instance-name&<1-6>
  Remarks: Optional
Set an IP precedence
  Command: apply ip-precedence value
  Remarks: Optional
Optional. Two interfaces at most can be specified to send matching IP packets. These two interfaces are simultaneously active to achieve load sharing.
CAUTION:
• If a policy node has no if-match clause configured, all packets can match the policy node. However, an action is taken according to the match mode, and the packets will not go to the next policy node for a match.
• If a permit-mode policy node has no apply clause configured, packets matching all the if-match clauses of the node can pass the policy node, and no action is taken.
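As an added illustration (not HP code and not the firewall's implementation), the following Python model walks a packet through a policy's nodes as the permit/deny description and the CAUTION above specify: nodes are tried in ascending index order, a node with no if-match clause matches everything, a deny match ends PBR evaluation and leaves the packet to the routing table, and a permit node without an apply clause passes the packet with no action. Policy aaa, ACL numbers 3101/3102 and the next hop 10.120.1.2 come from the source address based example; the ACL contents, the second policy and the next hop 192.0.2.1 are constructed for the example.

```python
"""Model of PBR policy-node evaluation (added example; not HP/Comware code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The packet fields the page's match criteria look at."""
    src: str
    proto: str   # "tcp", "udp", "icmp", ...
    length: int  # IP packet length in bytes


# An ACL is modelled as a predicate over a packet (constructed stand-in for a rule list).
Acl = Callable[[Packet], bool]


@dataclass
class Node:
    index: int
    mode: str                                        # "permit" or "deny"
    acl: Optional[Acl] = None                        # if-match acl acl-number
    packet_length: Optional[Tuple[int, int]] = None  # if-match packet-length min-len max-len
    next_hop: Optional[str] = None                   # apply clause: next hop (hypothetical field)
    ip_precedence: Optional[int] = None              # apply ip-precedence value

    def matches(self, pkt: Packet) -> bool:
        # A node with no if-match clause at all matches every packet (first CAUTION item).
        if self.acl is not None and not self.acl(pkt):
            return False
        if self.packet_length is not None:
            lo, hi = self.packet_length
            if not lo <= pkt.length <= hi:
                return False
        return True

    def actions(self) -> Dict[str, object]:
        acts: Dict[str, object] = {}
        if self.next_hop is not None:
            acts["next-hop"] = self.next_hop
        if self.ip_precedence is not None:
            acts["ip-precedence"] = self.ip_precedence
        return acts


@dataclass
class Policy:
    name: str
    nodes: List[Node] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Dict[str, object]:
        """Return how the packet is handled: by PBR on some node, or by the routing table."""
        # Smaller index = higher priority, so nodes are tried in ascending order.
        for node in sorted(self.nodes, key=lambda n: n.index):
            if not node.matches(pkt):
                continue  # not this node: try the next one
            if node.mode == "deny":
                # Deny match: PBR rejects the packet, no further nodes, normal routing applies.
                return {"decision": "routing-table", "node": node.index, "actions": {}}
            # Permit match: apply clauses run; with none configured the packet passes untouched.
            return {"decision": "pbr", "node": node.index, "actions": node.actions()}
        # No node matched: destination-based routing.
        return {"decision": "routing-table", "node": None, "actions": {}}


# Constructed ACL contents (the page gives only the ACL numbers).
def acl_3101(pkt: Packet) -> bool:   # matches TCP packets
    return pkt.proto == "tcp"


def acl_3102(pkt: Packet) -> bool:   # matches packets sourced from 10.110.0.0/24
    return ip_address(pkt.src) in ip_network("10.110.0.0/24")


# Policy aaa from the source address based example: node 5 permit -> 10.120.1.2,
# node 10 deny, i.e. leave those packets to the routing table.
POLICY_AAA = Policy("aaa", [
    Node(5, "permit", acl=acl_3101, next_hop="10.120.1.2"),
    Node(10, "deny", acl=acl_3102),
])

# Constructed policy for the two CAUTION cases: a permit node with a packet-length
# criterion and a next hop (192.0.2.1 is a placeholder), then a catch-all permit
# node with neither an if-match nor an apply clause.
POLICY_CAUTION = Policy("caution", [
    Node(10, "permit", packet_length=(64, 100), next_hop="192.0.2.1"),
    Node(20, "permit"),
])

if __name__ == "__main__":
    for pkt in (Packet("10.110.0.20", "tcp", 120),
                Packet("10.110.0.20", "udp", 120),
                Packet("172.16.0.9", "icmp", 80)):
        print(POLICY_AAA.name, pkt, POLICY_AAA.evaluate(pkt))
        print(POLICY_CAUTION.name, pkt, POLICY_CAUTION.evaluate(pkt))
```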
and the output direction) depend on the information center configuration. For information center configuration, see System Management and Maintenance Configuration Guide.
PBR configuration examples
Configuring local PBR based on packet type
1. Network requirements
As shown in Figure 196, configure PBR on Firewall, so that all TCP packets are forwarded via GE0/1 and other packets are forwarded according to the routing table. Firewall is directly connected to Router A and Router B. Router A and Router B cannot reach each other.
Figure 196 Network diagram for local PBR based on packet type
2. Configuration procedure
a.
# Configure the IP address of the serial port.
system-view
[RouterB] interface GigabitEthernet 0/2
[RouterB-GigabitEthernet0/2] ip address 1.1.3.2 255.255.255.0
[RouterB-GigabitEthernet0/2] quit
3. Verification
# Telnet to Router A (1.1.2.2/24) from Firewall. The operation succeeds.
telnet 1.1.2.2
Trying 1.1.2.2 ...
Press CTRL+K to abort
Connected to 1.1.2.2 ...
Figure 197 Network diagram for interface PBR based on packet type (Router A, Router B, Firewall, Host A and Host B on subnet 10.110.0.0/24; addresses shown in the figure: GE0/1 1.1.2.2/24, GE0/3 1.1.2.1/24, GE0/1 1.1.3.2/24, GE0/2 1.1.3.1/24, GE0/1 10.110.0.10/24, Host B 10.110.0.20/24, gateway 10.110.0.10)
2. Configuration procedure
NOTE: In this example, static routes are configured to ensure the reachability among devices.
a. Configure Firewall
# Define ACL 3101 to match TCP packets.
[Firewall-GigabitEthernet0/2] ip address 1.1.3.1 255.255.255.0
b. Configure Router A
# Configure a static route to subnet 10.110.0.0/24.
system-view
[RouterA] ip route-static 10.110.0.0 24 1.1.2.1
# Configure the IP address of the serial port.
[RouterA] interface GigabitEthernet 0/1
[RouterA-GigabitEthernet0/1] ip address 1.1.2.2 255.255.255.0
[RouterA-GigabitEthernet0/1] quit
c. Configure Router B
# Configure a static route to subnet 10.110.0.0/24.
2. Configuration procedure
NOTE: In this example, RIP is configured to ensure the reachability among devices.
a. Configure Firewall
# Configure RIP.
system-view
[Firewall] rip
[Firewall-rip-1] network 192.1.1.0
[Firewall-rip-1] network 150.1.0.0
[Firewall-rip-1] network 151.1.0.0
[Firewall-rip-1] quit
# Define Node 10 of policy lab1, so that packets with a length of 64 to 100 bytes are forwarded to the next hop 150.1.1.
[Router-GigabitEthernet0/1] quit
[Router] interface GigabitEthernet 0/2
[Router-GigabitEthernet0/2] ip address 151.1.1.2 255.255.255.0
[Router-GigabitEthernet0/2] quit
# Configure the loopback interface address.
[Router] interface loopback 0
[Router-LoopBack0] ip address 10.1.1.1 32
3. Verification
# Run the debugging ip policy-based-route command on Firewall.
debugging ip policy-based-route
terminal debugging
terminal monitor
Configure the IP address of Host A as 192.
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Ping statistics for 10.1.1.
Multicast routing configuration
NOTE: The term router in this document refers to both routers and Layer 3 switches.
In multicast implementations, multicast routing and forwarding are implemented by three types of tables:
• Each multicast routing protocol has its own multicast routing table, such as the PIM routing table.
• The information of different multicast routing protocols forms a general multicast routing table.
Enabling multicast routing
After you log into the Web interface, select Network > Routing Management > Multicast Routing from the navigation tree to enter the Global Configuration page, as shown in Figure 199.
Figure 199 Global configuration page
Table 72 Items of the multicast routing configuration
Task Remarks
Multicast routing: Enable or disable multicast routing globally.
Return to Multicast routing configuration task list.
Table 73 Items of the multicast routing table
Item Description
Source address / Group address: An (S, G) entry of the multicast routing table.
Incoming interface: Upstream interface of the (S, G) entry, which multicast packets should arrive at.
Number of outgoing interfaces / Outgoing interfaces: Number and list of downstream interfaces, which need to forward multicast packets.
Return to Multicast routing configuration task list.
Configuring multicast routing and forwarding
Configuration prerequisites
Before configuring multicast routing and forwarding, complete the following tasks:
• Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Enable PIM (PIM-DM or PIM-SM).
Configuring the multicast forwarding table size
The router maintains the corresponding forwarding entry for each multicast packet it receives. Excessive multicast routing entries, however, can exhaust the router's memory and thus result in lower router performance. You can set a limit on the number of entries in the multicast forwarding table based on the actual networking situation and the performance requirements.
Network diagram
Figure 202 Network diagram for RPF route alteration configuration
Configuration procedure
1. Configure IP addresses and unicast routing
Configure the IP address and subnet mask for each interface as per Figure 202. The detailed configuration steps are omitted here.
Enable OSPF on the devices in the PIM-DM domain. Ensure the network-layer interoperation among the devices in the PIM-DM domain.
[DeviceA] interface gigabitEthernet 0/1
[DeviceA-GigabitEthernet0/1] pim dm
[DeviceA-GigabitEthernet0/1] quit
[DeviceA] interface gigabitEthernet 0/2
[DeviceA-GigabitEthernet0/2] pim dm
[DeviceA-GigabitEthernet0/2] quit
[DeviceA] interface gigabitEthernet 0/3
[DeviceA-GigabitEthernet0/3] pim dm
[DeviceA-GigabitEthernet0/3] quit
The configuration on Device C is similar to the configuration on Device A. The specific configuration steps are omitted here.
Network diagram
Figure 203 Network diagram for creating an RPF route
Configuration procedure
1. Configure IP addresses and unicast routing
Configure the IP address and subnet mask for each interface as per Figure 203. The detailed configuration steps are omitted here.
Enable OSPF on Firewall B and Firewall C. Ensure the network-layer interoperation among Firewall B and Firewall C. Ensure that the devices can dynamically update their routing information by leveraging the unicast routing protocol.
The configuration on Firewall B is similar to that on Device A. The specific configuration steps are omitted here.
# Use the display multicast rpf-info command to view the information of the RPF route to Source 2 on Firewall B and Firewall C.
[FirewallB] display multicast rpf-info 50.1.1.100
[FirewallC] display multicast rpf-info 50.1.1.100
No information is displayed. This means that no RPF route to Source 2 exists on Firewall B and Firewall C.
3.
Network diagram
Figure 204 Network diagram for configuring multicast forwarding over a GRE tunnel
Configuration procedure
1. Configure IP addresses
Configure the IP address and mask for each interface as per Figure 204. The detailed configuration steps are omitted here.
2. Configure a GRE tunnel
# Create Tunnel 0 on Firewall A and configure the IP address and mask for the interface.
system-view
[FirewallA] interface tunnel 0
[FirewallA-Tunnel0] ip address 50.1.1.
[FirewallA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 50.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] quit
[FirewallA-ospf-1] quit
# Configure OSPF on Device B.
system-view
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Configure OSPF on Firewall C.
# On Firewall C, configure a static multicast route and specify Tunnel 0 on Firewall A as its RPF neighbor toward Source.
[FirewallC] ip rpf-route-static 50.1.1.0 24 50.1.1.1
6. Verify the configuration
Source sends multicast data to the multicast group 225.1.1.1, and Receiver can receive the multicast data after joining the multicast group. You can view the PIM routing table information on the firewalls using the display pim routing-table command.
Analysis
• If the multicast static route is not configured or updated correctly to match the current network conditions, the route entry and the configuration information of multicast static routes do not exist in the multicast routing table.
• If a better route is found, the multicast static route may also fail.
1.
4. In the case of PIM-SM, use the display current-configuration command to check the BSR and RP information.
IGMP configuration
As a TCP/IP protocol responsible for IP multicast group member management, the Internet Group Management Protocol (IGMP) is used by IP hosts to establish and maintain their multicast group memberships to immediately neighboring multicast routers.
Configuring IGMP in the web interface
Configuration prerequisites
Before configuring IGMP, complete the following tasks:
• Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Figure 205 IGMP interfaces configuration page
Figure 206 Modify the specified interface
Table 75 IGMP interface configuration items
Item Description
Interface: Name of the interface to be configured.
IGMP: Enable/Disable IGMP on the interface.
Version: Configure the IGMP version.
Return to Multicast routing configuration task list.
Figure 208 Group details
Table 76 IGMP multicast group information
Item Description
Interface: Name of the interface that has joined the multicast group.
Group address: Multicast group address.
Group uptime: Length of time since the multicast group was reported.
Group remaining lifetime: Remaining lifetime of the multicast group; null means that the multicast group times out when all multicast sources of this group time out.
Network diagram
Figure 209 Network diagram for basic IGMP functions configuration
Configuration procedure
1. Configure IP addresses and unicast routing
Configure the IP address and subnet mask of each interface as per Figure 209. The detailed configuration steps are omitted here.
Configure the OSPF protocol for interoperation on the PIM network. Ensure the network-layer interoperation on the PIM network and dynamic update of routing information among the devices through a unicast routing protocol.
Figure 211 Interface configuration page
• Specify the working mode PIM-DM and click Apply.
• Click the icon corresponding to GigabitEthernet 0/1 to enter its configuration page.
• Specify the working mode PIM-DM and click Apply.
• Select Network > Routing Management > IGMP from the navigation tree to enter the Interface Configuration page.
• Click the icon corresponding to GigabitEthernet0/0 to enter its configuration page.
• Specify the IGMP version as 2.
• Click Apply.
# On Firewall C, enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 0/1.
• After logging in to the Web interface of Firewall C, select Network > Routing Management > Multicast Routing from the navigation tree to enter the Global Configuration page.
• Enable multicast routing by selecting Enable from the drop-down list.
• Click Apply.
Configuring IGMP in the CLI
IGMP configuration task list
Complete these tasks to configure IGMP:
Task Remarks
Configuring basic functions of IGMP
  Enabling IGMP: Required
  Configuring IGMP versions: Optional
  Configuring static joining: Optional
  Configuring a multicast group filter: Optional
Adjusting IGMP performance
  Configuring IGMP message options: Optional
  Configuring IGMP query and response parameters: Optional
  Configuring IGMP fast-leave p
Configuring IGMP SSM mapping
Configuring IGMP proxying
Enabling IGMP
First, IGMP must be enabled on the interface on which the multicast group memberships are to be established and maintained.
Follow these steps to enable IGMP in the public instance:
To do... Use the command... Remarks
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Configure the interface as a static member of a multicast group or a multicast source and group
  Command: igmp static-group group-address [ source source-address ]
  Remarks: Required. An interface is not a static member of any multicast group or multicast source and group by default.
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
To do... Use the command... Remarks
Enter system view
  Command: system-view
  Remarks: —
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Configure the interface to discard any IGMP message that does not carry the Router-Alert option
  Command: igmp require-router-alert
  Remarks: Optional. By default, the device does not check the Router-Alert option.
Enable insertion of the Router-Alert option into IGMP messages
  Command: igmp send-router-alert
  Remarks: Optional. By default, IGMP messages carry the Router-Alert option.
To do... Use the command... Remarks
Configure the other querier present interval
  Command: igmp timer other-querier-present interval
  Remarks: Optional. For the system default, see the note below.
NOTE:
• If not statically configured, the startup query interval is 1/4 of the "IGMP query interval". By default, the IGMP query interval is 60 seconds, so the startup query interval = 60 / 4 = 15 (seconds).
• If not statically configured, the startup query count is set to the IGMP querier robustness variable.
To do... Use the command... Remarks
Enter system view
  Command: system-view
  Remarks: —
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Configure IGMP fast-leave processing
  Command: igmp fast-leave [ group-policy acl-number ]
  Remarks: Required. Disabled by default.
CAUTION: The IGMP fast-leave processing configuration is effective only if the device is running IGMPv2 or IGMPv3.
Configuring IGMP SSM mapping
Due to some possible restrictions, some receiver hosts on an SSM network may run IGMPv1 or IGMPv2.
To do… Use the command… Remarks
Configure an IGMP SSM mapping
  Command: ssm-mapping group-address { mask | mask-length } source-address
  Remarks: Required. No IGMP mappings are configured by default.
Configuring IGMP proxying
Configuration prerequisites
Before configuring the IGMP proxying feature, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Enable IP multicast routing.
To do… Use the command… Remarks
Enter system view
  Command: system-view
  Remarks: —
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Enable multicast forwarding on a non-querier downstream interface
  Command: igmp proxying forwarding
  Remarks: Required. Disabled by default.
Basic IGMP functions configuration example
Network requirements
• Receivers receive VOD information through multicast. Receivers of different organizations form stub networks N1 and N2, and Host A and Host C are receivers in N1 and N2 respectively.
• Firewall A in the PIM network connects to N1, and both Firewall B and Firewall C connect to another stub network, N2.
• Firewall A connects to N1 through GigabitEthernet 0/1, and to other devices in the PIM network through GigabitEthernet 0/0.
[FirewallA] multicast routing-enable
[FirewallA] interface gigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] igmp enable
[FirewallA-GigabitEthernet0/1] pim dm
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitEthernet 0/0
[FirewallA-GigabitEthernet0/0] pim dm
[FirewallA-GigabitEthernet0/0] quit
# Enable IP multicast routing on Firewall B, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 0/1.
SSM mapping configuration example
Network requirements
• The PIM-SM domain applies both the ASM model and SSM model for multicast delivery. Firewall D's GigabitEthernet 0/3 serves as the C-BSR and C-RP. The SSM group range is 232.1.1.0/24.
• IGMPv3 runs on Firewall D's GigabitEthernet 0/1. The Receiver host runs IGMPv2, and does not support IGMPv3. Therefore, the Receiver host cannot specify expected multicast sources in its membership reports.
# Enable IP multicast routing on Firewall D, enable PIM-SM on each interface and enable IGMPv3 and IGMP SSM mapping on GigabitEthernet 0/1.
[FirewallD] igmp
[FirewallD-igmp] ssm-mapping 232.1.1.1 24 133.133.1.1
[FirewallD-igmp] ssm-mapping 232.1.1.1 24 133.133.3.1
[FirewallD-igmp] quit
6. Verify the configuration
Use the display igmp ssm-mapping command to view the IGMP SSM mappings on the firewall.
# Display the IGMP SSM mapping information for multicast group 232.1.1.1 in the public instance on Firewall D.
[FirewallD] display igmp ssm-mapping 232.1.1.1
Vpn-Instance: public net
Group: 232.1.1.1
Source list: 133.133.1.1
             133.133.3.
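The following Python model is an added example (not HP code and not the firewall's implementation) of what the SSM mapping configured above achieves: it stores the two ssm-mapping entries from Firewall D, answers the group lookup that display igmp ssm-mapping shows, and turns the (*, G) report an IGMPv2 host like Receiver sends into the (S, G) pairs an SSM network needs. It assumes the 232.1.1.0/24 SSM group range from the network requirements, that mappings apply only to IGMPv1/v2 reports for groups inside that range, and that reports for other groups are ordinary ASM joins.

```python
"""IGMP SSM mapping model (added example; not HP/Comware code)."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


class SsmMapper:
    def __init__(self, ssm_range: str = "232.1.1.0/24"):
        # SSM group range taken from the example's network requirements.
        self.ssm_range: IPv4Network = ip_network(ssm_range)
        self._maps: List[Tuple[IPv4Network, IPv4Address]] = []

    def add_mapping(self, group: str, mask_length: int, source: str) -> None:
        """Mirrors 'ssm-mapping group-address mask-length source-address'."""
        net = ip_network(f"{group}/{mask_length}", strict=False)  # 232.1.1.1/24 -> 232.1.1.0/24
        self._maps.append((net, ip_address(source)))

    def sources_for(self, group: str) -> List[str]:
        """Every mapped source whose group prefix covers this group (the 'Source list' shown above)."""
        g = ip_address(group)
        return sorted({str(s) for net, s in self._maps if g in net}, key=ip_address)

    def translate_report(self, version: int, group: str,
                         sources: Optional[List[str]] = None) -> List[Tuple[str, str]]:
        """Return the (S, G) pairs the router derives from one membership report.

        Modelling assumptions: an IGMPv3 report carries its own sources, so no
        mapping is applied; a v1/v2 report for a group outside the SSM range is
        ordinary ASM state, shown as ('*', G); a v1/v2 report for an SSM group
        that has no mapping yields no state at all.
        """
        g = ip_address(group)
        if version == 3:
            return [(s, group) for s in (sources or [])]
        if g not in self.ssm_range:
            return [("*", group)]
        return [(s, group) for s in self.sources_for(group)]


def build_page_mapper() -> SsmMapper:
    """The two mappings configured on Firewall D in the example above."""
    m = SsmMapper()
    m.add_mapping("232.1.1.1", 24, "133.133.1.1")
    m.add_mapping("232.1.1.1", 24, "133.133.3.1")
    return m


if __name__ == "__main__":
    m = build_page_mapper()
    # IGMPv2 Receiver joining 232.1.1.1, another group in the mapped /24,
    # an ASM group, and an SSM group with no mapping (constructed inputs).
    for ver, grp in ((2, "232.1.1.1"), (2, "232.1.1.77"), (2, "225.1.1.1"), (2, "232.1.2.1")):
        print(f"IGMPv{ver} report for {grp} -> {m.translate_report(ver, grp)}")
    print(f"IGMPv3 report -> {m.translate_report(3, '232.1.1.1', ['133.133.1.1'])}")
```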
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/1
Protocol: igmp, UpTime: 00:13:25, Expires: -
IGMP proxying configuration example
Network requirements
• PIM-DM is required to run on the core network. Host A and Host C in the stub network receive VOD information sent to multicast group 224.1.1.1.
• It is required to configure the IGMP proxying feature on Firewall so that Firewall can maintain group memberships and forward multicast traffic without running PIM-DM.
[Firewall] multicast routing-enable
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] igmp proxying enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface GigabitEthernet 0/2
[Firewall-GigabitEthernet0/2] igmp enable
[Firewall-GigabitEthernet0/2] quit
3. Verify the configuration
Use the display igmp interface command to view the IGMP configuration and operation information on an interface.
• If the igmp group-policy command has been configured on the interface, the interface cannot receive report messages that fail to pass filtering.
1. Check that the networking, interface connection, and IP address configuration are correct. Check the interface information with the display igmp interface command. If there is no information output, the interface is in an abnormal state.
PIM configuration
Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging unicast static routes or unicast routing tables generated by any unicast routing protocol, such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), or Border Gateway Protocol (BGP).
Configuring PIM-SM
Table 78 PIM-SM configuration task list
Task Remarks
Globally enable multicast routing
  Required. Globally enable multicast routing after selecting Network > Routing Management > Multicast Routing. For more information, see "Multicast routing configuration."
Configuring PIM interfaces
  Required. Enable PIM-SM on an interface. By default, PIM is disabled on an interface.
Configuring advanced PIM features
  Optional.
  • Enable the auto-RP function, which is disabled by default.
Figure 217 PIM interfaces configuration page
Figure 218 Modify the specified PIM interface
Table 80 IGMP interface configuration items
Item Description
Interface: Display the name of the interface to be configured.
Working mode: Enable PIM-DM or PIM-SM on the interface; null means not to enable PIM on this interface.
Return to Multicast routing configuration task list.
Return to PIM-SM configuration task list.
Return to PIM-SSM configuration task list.
Table 81 PIM advanced configuration items
Item Description
Auto-RP: Enable or disable auto-RP. IMPORTANT: Auto-RP announcement and discovery messages are addressed to the multicast group addresses 224.0.1.39 and 224.0.1.40 respectively. With auto-RP enabled on a device, the device can receive these two types of messages and record the RP information carried in such messages.
Calculate the register message checksum based on the entire register messages or the header parts.
Figure 220 PIM neighbor information
Table 82 PIM neighbor information
Item Description
Interface: Name of the interface connecting to a PIM neighbor.
Neighbor address: IP address of a PIM neighbor.
Uptime: Length of time for which the PIM neighbor has been up, where a "01:02:11:32:18" value means that the neighbor has been up for 1 week, 2 days, 11 hours, 32 minutes, and 18 seconds.
Network diagram
Figure 221 Network diagram for PIM-DM configuration
Configuration procedure
1. Configure IP addresses and unicast routing
Configure the IP address for each interface as per Figure 221 and configure the security zone. Detailed configuration steps are omitted here.
Configure the OSPF protocol for interoperation in the PIM-DM domain. Ensure the network-layer interoperation in the PIM-DM domain and enable dynamic update of routing information through a unicast routing protocol.
Figure 223 Interface configuration page
• Select Enable from the drop-down list to enable IGMP.
• Specify the IGMP version as 2.
• Click Apply.
• Select Network > Routing Management > PIM from the navigation tree to enter the Interface Configuration page.
• Click the icon corresponding to GigabitEthernet 0/1 to enter its configuration page.
Figure 224 Interface configuration page
• Specify the working mode as PIM-DM and click Apply.
# View the PIM neighbor information on Firewall C. After logging in to the Web interface of Firewall C, select Network > Routing Management > PIM from the navigation tree and click Neighbor Information to enter the page as shown in Figure 225.
To do... Use the command... Remarks
Enter system view
  Command: system-view
  Remarks: —
Enable IP multicast routing
  Command: multicast routing-enable
  Remarks: Required. Disabled by default.
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Enable PIM-DM
  Command: pim dm
  Remarks: Required. Disabled by default.
CAUTION: PIM-DM does not work with multicast groups in the SSM group range.
Enabling State-Refresh capability
Pruned interfaces resume multicast forwarding when the pruned state times out.
Task Remarks
Configuring administrative scoping
  Enabling administrative scoping: Optional
  Configuring an admin-scope zone boundary: Optional
  Configuring C-BSRs for each admin-scope zone and the global-scope zone: Optional
Configuring multicast source registration: Optional
Configuring SPT switchover: Optional
Configuring PIM common features: Optional
Configuration prerequisites
Before configuring PIM-SM, complete the following task:
• Configure any unicast routing protocol so that all devices in t
To do... Use the command... Remarks
Enable IP multicast routing
  Command: multicast routing-enable
  Remarks: Required. Disabled by default.
Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
Enable PIM-SM
  Command: pim sm
  Remarks: Required. Disabled by default.
Configuring an RP
An RP can be manually configured or dynamically elected through the BSR mechanism. For a large PIM network, static RP configuration is a tedious job.
To do... Use the command... Remarks
Configure an interface to be a C-RP
  Command: c-rp interface-type interface-number [ group-policy acl-number | priority priority | holdtime hold-interval | advertisement-interval adv-interval ] *
  Remarks: Required. No C-RPs are configured by default.
Configure a legal C-RP address range and the range of multicast groups to be served
  Command: crp-policy acl-number
To do... Use the command... Remarks
Configure C-RP timeout time
  Command: c-rp holdtime interval
  Remarks: Optional. 150 seconds by default.
NOTE: For the configuration of other timers in PIM-SM, see "Configuring PIM common timers."
Configuring a BSR
A PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP information in the PIM-SM domain.
1.
To do... Use the command... Remarks
Configure an interface as a C-BSR
  Command: c-bsr interface-type interface-number [ hash-length [ priority ] ]
  Remarks: Required. No C-BSRs are configured by default.
Configure a legal BSR address range
Configure the Hash mask length
    Command: c-bsr hash-length hash-length
    Remarks: Optional. 30 by default.
Configure the C-BSR priority
    Command: c-bsr priority priority
    Remarks: Optional. 0 by default.

NOTE: About the Hash mask length and C-BSR priority:
• You can configure these parameters at three levels: global configuration level, global-scope zone level, and admin-scope zone level.
NOTE: About the BS period:
• By default, the BS period is determined by this formula: BS period = (BS timeout – 10) / 2. The default BS timeout is 130 seconds, so the default BS period = (130 – 10) / 2 = 60 seconds.
• If this parameter is manually configured, the system uses the configured value.
About the BS timeout:
• By default, the BS timeout value is determined by this formula: BS timeout = BS period × 2 + 10.
Configure a multicast forwarding boundary
    Command: multicast boundary group-address { mask | mask-length }
    Remarks: Required. By default, no multicast forwarding boundary is configured.

NOTE: The group-address { mask | mask-length } parameter of the multicast boundary command specifies the multicast groups that an admin-scope zone serves, in the range 239.0.0.0/8. For details about the multicast boundary command, see "Multicast routing configuration."
NOTE: About the Hash mask length and C-BSR priority:
• You can configure these parameters at three levels: global configuration level, global-scope zone level, and admin-scope zone level.
• Values configured at the global-scope zone level or admin-scope zone level take precedence over the global values.
• If you do not configure these parameters at the global-scope zone level or admin-scope zone level, the corresponding global values are used.
Configure the register suppression time
    Command: register-suppression-timeout interval
    Remarks: Optional. 60 seconds by default.
Configure the register probe time
    Command: probe-interval interval
    Remarks: Optional. 5 seconds by default.

Configuring SPT switchover
Both the receiver-side DR and the RP can periodically check the traffic rate of the multicast packets passing through them (this function is not available on switches or multi-core devices) and thus trigger an SPT switchover.
Before configuring PIM-SSM, prepare the following data:
• The SSM group range

Enabling PIM-SM
The SSM model is implemented on a subset of PIM-SM, so a router is PIM-SSM capable once PIM-SM is enabled on it. When deploying a PIM-SM domain, enable PIM-SM on the non-border interfaces of the routers. Follow these steps to enable PIM-SM globally in the public instance:
Configuring PIM common features
NOTE: For the functions or parameters described in this section that can be configured in both PIM view and interface view:
• Configurations performed in PIM view apply to all interfaces, while configurations performed in interface view apply to the current interface only.
• Maximum size of join/prune messages
• Maximum number of (S, G) entries in a join/prune message

Configuring a multicast data filter
In either a PIM-DM domain or a PIM-SM domain, routers can check passing multicast data against the configured filtering rules and decide whether to continue forwarding it. In other words, PIM routers can act as multicast data filters.
• DR_Priority (PIM-SM only): priority for DR election. The device with the highest priority wins the DR election. You can configure this parameter on all routers in a multi-access network directly connected to multicast sources or receivers.
• Holdtime: the timeout of the PIM neighbor reachability state. If this timer expires and the router has received no hello message from a neighbor, it assumes that the neighbor has expired or become unreachable.
2. Configuring hello options on an interface
Follow these steps to configure hello options on an interface:
Any router that has lost the assert election prunes its downstream interface and maintains the assert state for a period of time. When the assert state times out, the assert losers resume multicast forwarding. When a router stops receiving multicast data from multicast source S, it does not immediately delete the corresponding (S, G) entry; instead, it keeps the (S, G) entry for a period of time, the multicast source lifetime, before deleting it.
Configuring join/prune message sizes
A larger join/prune message size means that more information is lost when a message is lost; with a smaller join/prune message size, the loss of a single message has relatively minor impact. By limiting the maximum number of (S, G) entries in a join/prune message, you can effectively reduce the number of (S, G) entries sent per unit of time. Follow these steps to configure join/prune message sizes:
Network diagram
Figure 226 Network diagram for PIM-DM configuration (receivers Host A, Host B, Host C and Host D; Firewall A, Firewall B, Firewall C and Firewall D; Source 10.110.5.100/24)
Device        Interface   IP address
Firewall A    GE0/0       10.110.1.1/24
              GE0/1       192.168.1.1/24
Firewall D    GE0/0       10.110.5.1/24
              GE0/3       192.168.1.2/24
              GE0/0       10.110.2.1/24
              GE0/1       192.168.2.
[FirewallA] interface gigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] pim dm
[FirewallA-GigabitEthernet0/1] quit
The configuration on Firewall B and Firewall C is similar to that on Firewall A.
# Enable IP multicast routing on Firewall D, and enable PIM-DM on each interface.
# View the PIM routing table information on Firewall A.
[FirewallA] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry

(*, 225.1.1.1)
     Protocol: pim-dm, Flag: WC
     UpTime: 00:04:25
     Upstream interface: NULL
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/0
             Protocol: igmp, UpTime: 00:04:25, Expires: never

(10.110.5.100, 225.1.1.
PIM-SM non-scoped zone configuration example
Network requirements
• Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire PIM-SM domain contains only one BSR.
• Host A and Host C are multicast receivers in two stub networks N1 and N2. Firewall D connects to the network that comprises the multicast source (Source) through GigabitEthernet 0/0.
Network diagram
Figure 227 Network diagram for PIM-SM non-scoped zone configuration (stub networks N1 and N2)
Device, interface and IP address (as extracted): Device A GE0/1 10.110.1.1/24; Firewall D GE0/0 192.168.1.1/24; Device B; Device C; GE0/0 10.110.5.1/24; GE0/1 192.168.1.2/24; GE0/2 192.168.4.2/24; GE0/0 192.168.3.2/24; GE0/2 192.168.9.1/24; GE0/1 10.110.2.1/24; GE0/0 192.168.2.1/24; GE0/1 192.168.2.2/24; GE0/1 10.110.2.2/24; GE0/2 192.168.
[DeviceA-GigabitEthernet0/1] pim sm
[DeviceA-GigabitEthernet0/1] quit
[DeviceA] interface gigabitEthernet 0/0
[DeviceA-GigabitEthernet0/0] pim sm
[DeviceA-GigabitEthernet0/0] quit
[DeviceA] interface gigabitEthernet 0/2
[DeviceA-GigabitEthernet0/2] pim sm
[DeviceA-GigabitEthernet0/2] quit
The configuration on Device B and Device C is similar to that on Device A.
VPN-Instance: public net
Elected BSR Address: 192.168.9.2
     Priority: 20
     Hash mask length: 32
     State: Accept Preferred
     Scope: Not scoped
     Uptime: 00:40:40
     Expires: 00:01:42
# View the BSR information and the locally configured C-RP information in effect on Firewall D.
[FirewallD] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 192.168.9.2
     Priority: 20
     Hash mask length: 32
     State: Accept Preferred
     Scope: Not scoped
     Uptime: 00:05:26
     Expires: 00:01:45
Candidate BSR Address: 192.168.4.
     Next advertisement scheduled at: 00:00:48
To view the RP information discovered on a device, use the display pim rp-info command. For example:
# View the RP information on Device A.
[DeviceA] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 225.1.1.0/24
     RP: 192.168.4.2
     Priority: 0
     HoldTime: 150
     Uptime: 00:51:45
     Expires: 00:02:22
     RP: 192.168.9.
     Upstream interface: GigabitEthernet0/0
         Upstream neighbor: 192.168.1.2
         RPF prime neighbor: 192.168.1.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/1
             Protocol: pim-sm, UpTime: 00:00:42, Expires: 00:03:06
The information on Device B and Device C is similar to that on Device A.
# View the PIM routing table information on Firewall D.
[FirewallD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.110.5.100, 225.1.1.0)
     RP: 192.
• Source 1 and Source 2 send different multicast information to multicast group 239.1.1.1. Host A receives the multicast information from Source 1 only, while Host B receives the multicast information from Source 2 only. Source 3 sends multicast information to multicast group 224.1.1.1. Host C is a multicast receiver for this multicast group.
• GigabitEthernet0/2 of Firewall B acts as a C-BSR and C-RP of admin-scope zone 1, which serve the multicast group range 239.0.0.0/8.
Network diagram
Figure 228 Network diagram for PIM-SM admin-scope zone configuration (Device A, Firewall B, Firewall C, Firewall D, Device H, Device I)
Device, interface and IP address (as extracted): Firewall D GE0/1 192.168.1.1/24; GE0/2 10.110.1.1/24; GE0/1 192.168.2.1/24; GE0/2 10.110.1.2/24; GE0/3 10.110.2.1/24; GE0/4 10.110.3.1/24; GE0/0 192.168.3.1/24; GE0/1 10.110.4.1/24; GE0/2 10.110.5.1/24; GE0/3 10.110.2.
Configure OSPF for interoperation among the devices in the PIM-SM domain. Ensure the network-layer interoperation among the devices in the PIM-SM domain and enable dynamic update of routing information among the devices through a unicast routing protocol. Detailed configuration steps are omitted here. 2.
[FirewallB-GigabitEthernet0/3] quit
[FirewallB] interface gigabitethernet 0/4
[FirewallB-GigabitEthernet0/4] multicast boundary 239.0.0.0 8
[FirewallB-GigabitEthernet0/4] quit
# On Firewall C, configure GigabitEthernet0/3 and GigabitEthernet0/4 as the boundary of admin-scope zone 2.
system-view
[FirewallC] interface gigabitethernet 0/3
[FirewallC-GigabitEthernet0/3] multicast boundary 239.0.0.
5. Verify the configuration
To view the BSR election information and the C-RP information on a firewall, use the display pim bsr-info command. For example:
# View the BSR information and the locally configured C-RP information on Firewall B.
[FirewallB] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.1
     Priority: 0
     Hash mask length: 30
     State: Accept Preferred
     Scope: Global
     Uptime: 00:01:45
     Expires: 00:01:25
Elected BSR Address: 10.110.1.
     Next BSR message scheduled at: 00:01:12
Candidate BSR Address: 10.110.4.2
     Priority: 0
     Hash mask length: 30
     State: Elected
     Scope: 239.0.0.0/8
Candidate RP: 10.110.4.2(GigabitEthernet0/1)
     Priority: 0
     HoldTime: 150
     Advertisement Interval: 60
     Next advertisement scheduled at: 00:00:10
# View the BSR information and the locally configured C-RP information on Firewall F.
[FirewallF] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.
     Priority: 0
     HoldTime: 150
     Uptime: 00:07:44
     Expires: 00:01:51
# View the RP information on Firewall D.
[FirewallD] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
     RP: 10.110.9.1
     Priority: 0
     HoldTime: 150
     Uptime: 00:03:42
     Expires: 00:01:48
Group/MaskLen: 239.0.0.0/8
     RP: 10.110.4.2 (local)
     Priority: 0
     HoldTime: 150
     Uptime: 00:06:54
     Expires: 00:02:41
# View the RP information on Firewall F.
• The SSM group range is 232.1.1.0/24.
• IGMPv3 runs between Firewall A and N1, and between Firewall B/Firewall C and N2.

Network diagram
Figure 229 Network diagram for PIM-SSM configuration (stub networks N1 and N2)
Device        Interface   IP address
Firewall A    GE0/0       10.110.1.1/24
              GE0/1       192.168.1.1/24
              GE0/2       192.168.9.1/24
Firewall D    GE0/0       10.110.5.1/24
              GE0/1       192.168.1.2/24
              GE0/2       192.168.4.2/24
              GE0/0       10.110.2.
[FirewallA] multicast routing-enable
[FirewallA] interface gigabitethernet 0/0
[FirewallA-GigabitEthernet0/0] igmp enable
[FirewallA-GigabitEthernet0/0] igmp version 3
[FirewallA-GigabitEthernet0/0] pim sm
[FirewallA-GigabitEthernet0/0] quit
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] pim sm
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim sm
[FirewallA-GigabitEthernet0/2] quit
The configuration on Firewall B and F
     UpTime: 00:13:25
     Upstream interface: GigabitEthernet0/1
         Upstream neighbor: 192.168.1.2
         RPF prime neighbor: 192.168.1.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/0
             Protocol: igmp, UpTime: 00:13:25, Expires: 00:03:25
The information on Firewall B and Firewall C is similar to that on Firewall A.
# View the PIM routing table information on Firewall D.
[FirewallD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.110.5.
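The verification steps in the PIM-DM, PIM-SM and PIM-SSM examples above all rely on reading display pim routing-table output by eye. The following is an added example, not HP code or output from the guide: a parser for that output layout plus one check a practitioner would script, listing downstream interfaces whose join or membership state is close to expiring. SAMPLE_OUTPUT is constructed to follow the layout of the output shown in this chapter; its timer values are invented.

```python
"""Parse 'display pim routing-table' output and flag downstream state that is
about to expire.

Added example, not HP code. SAMPLE_OUTPUT is constructed to follow the layout
of the output shown in this chapter; its timer values are invented.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry

(*, 225.1.1.1)
     RP: 192.168.9.2
     Protocol: pim-sm, Flag: WC
     UpTime: 00:13:25
     Upstream interface: GigabitEthernet0/1
         Upstream neighbor: 192.168.1.2
         RPF prime neighbor: 192.168.1.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/0
             Protocol: igmp, UpTime: 00:13:25, Expires: 00:03:25

(10.110.5.100, 225.1.1.1)
     RP: 192.168.9.2
     Protocol: pim-sm, Flag: SPT LOC ACT
     UpTime: 00:00:42
     Upstream interface: GigabitEthernet0/0
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/1
             Protocol: pim-sm, UpTime: 00:00:42, Expires: 00:03:06
"""


@dataclass
class Downstream:
    interface: str
    protocol: str = ""
    expires: Optional[int] = None   # seconds; None for "never"


@dataclass
class Entry:
    source: str                     # "*" for a (*, G) entry
    group: str
    protocol: str = ""
    flags: List[str] = field(default_factory=list)
    upstream_interface: str = ""
    upstream_neighbor: str = ""
    downstreams: List[Downstream] = field(default_factory=list)


def to_seconds(text):
    """'HH:MM:SS' -> seconds; 'never' -> None."""
    if text == "never":
        return None
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


ENTRY_RE = re.compile(r"^\((\S+), (\S+)\)$")
DOWN_RE = re.compile(r"^\d+: (\S+)$")
DOWN_DETAIL_RE = re.compile(r"^Protocol: (\S+), UpTime: \S+, Expires: (\S+)$")


def parse_routing_table(text):
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:                                   # "(S, G)" or "(*, G)" header
            cur = Entry(source=m.group(1), group=m.group(2))
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Protocol:") and "Flag:" in line:
            proto, flags = line[len("Protocol:"):].split(", Flag:")
            cur.protocol, cur.flags = proto.strip(), flags.split()
        elif line.startswith("Upstream interface:"):
            cur.upstream_interface = line.split(":", 1)[1].strip()
        elif line.startswith("Upstream neighbor:"):
            cur.upstream_neighbor = line.split(":", 1)[1].strip()
        elif DOWN_RE.match(line):
            cur.downstreams.append(Downstream(DOWN_RE.match(line).group(1)))
        elif DOWN_DETAIL_RE.match(line) and cur.downstreams:
            d = DOWN_DETAIL_RE.match(line)
            cur.downstreams[-1].protocol = d.group(1)
            cur.downstreams[-1].expires = to_seconds(d.group(2))
    return entries


def expiring_soon(entries, threshold_seconds):
    """Downstream interfaces whose join or membership state expires within the
    threshold: receivers behind them drop off unless a refresh arrives."""
    return [(e.source, e.group, d.interface, d.expires)
            for e in entries for d in e.downstreams
            if d.expires is not None and d.expires <= threshold_seconds]


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_OUTPUT)
    for e in table:
        print(e.source, e.group, e.flags, e.upstream_interface, e.upstream_neighbor)
    print(expiring_soon(table, 200))
```

The parser keys on the indentation-independent line prefixes the firewall prints, so it also handles PIM-DM output, where the upstream fields read NULL and IGMP downstreams expire "never".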
interface, and the next hop is taken as the RPF neighbor. The RPF interface depends entirely on the existing unicast route and is independent of PIM. The RPF interface must be PIM-enabled, and the RPF neighbor must also be a PIM neighbor. If PIM is not enabled on the router where the RPF interface or the RPF neighbor resides, the multicast distribution tree cannot be established and multicast forwarding fails.
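The RPF rule just described, worked through as an added example (not HP code): a longest-prefix match over a unicast routing table selects the RPF interface and neighbor, and then the two checks the text calls for are applied, that the RPF interface is PIM-enabled and that the RPF neighbor is a PIM neighbor. The routing table, the PIM interface set and the PIM neighbor set are constructed; the addresses follow this chapter's example diagrams.

```python
"""RPF lookup and the two PIM checks the troubleshooting text describes.

Added example (not HP code): the unicast routing table, the PIM-enabled
interface set and the PIM neighbor set below are constructed; the addresses
follow the guide's example diagrams.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None means directly connected
    interface: str


def make_route(prefix, next_hop, interface):
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(next_hop) if next_hop else None,
                 interface)


# Constructed unicast routing table of a receiver-side router.
UNICAST_ROUTES = [
    make_route("10.110.5.0/24", "192.168.1.2", "GigabitEthernet0/1"),
    make_route("10.110.0.0/16", "192.168.9.2", "GigabitEthernet0/2"),
    make_route("192.168.1.0/24", None, "GigabitEthernet0/1"),
    make_route("0.0.0.0/0", "192.168.9.2", "GigabitEthernet0/2"),
]
# Constructed PIM state of the same router: interfaces with pim enabled and
# neighbors learned through hello messages.
PIM_INTERFACES = {"GigabitEthernet0/1", "GigabitEthernet0/2"}
PIM_NEIGHBORS = {ipaddress.ip_address("192.168.1.2")}


def rpf_route(source, routes):
    """Longest-prefix match: PIM takes the unicast route as it is."""
    src = ipaddress.ip_address(source)
    best = None
    for r in routes:
        if src in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def rpf_check(source, routes=UNICAST_ROUTES, pim_interfaces=PIM_INTERFACES,
              pim_neighbors=PIM_NEIGHBORS):
    """Return (ok, reason, rpf_interface, rpf_neighbor) for a multicast source."""
    route = rpf_route(source, routes)
    if route is None:
        return False, "no unicast route to source", None, None
    rpf_if = route.interface
    # Directly connected source: the source itself is the RPF neighbor and no
    # PIM adjacency is required.
    rpf_nbr = route.next_hop if route.next_hop is not None else ipaddress.ip_address(source)
    if rpf_if not in pim_interfaces:
        return False, f"RPF interface {rpf_if} is not PIM-enabled", rpf_if, rpf_nbr
    if route.next_hop is not None and rpf_nbr not in pim_neighbors:
        return False, f"RPF neighbor {rpf_nbr} is not a PIM neighbor", rpf_if, rpf_nbr
    return True, "ok", rpf_if, rpf_nbr


if __name__ == "__main__":
    for src in ("10.110.5.100", "10.110.2.100", "192.168.1.5"):
        print(src, rpf_check(src))
```

The second source in the usage loop fails the check on purpose: its best route points out GigabitEthernet0/2 towards 192.168.9.2, which has PIM enabled but has never become a PIM neighbor, so the (S, G) entry could not be built even though the unicast route is fine.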
• In addition, the source-policy command filters received multicast packets. If the multicast data fails the ACL rule defined in this command, PIM cannot create the route entry either.
1. Check the minimum TTL value for multicast forwarding. Use the display current-configuration command to check the minimum TTL value for multicast forwarding. Increase the TTL value or remove the multicast minimum-ttl command configured on the interface.
2.
• In addition, if the BSR does not have a unicast route to a C-RP, it discards the C-RP-Adv messages from that C-RP, and the bootstrap messages of the BSR therefore do not contain the information of that C-RP.
• The RP is the core of a PIM-SM domain. Make sure that the RP information on all routers is exactly the same, that a specific group G is mapped to the same RP, and that unicast routes to the RP are available.
1. Check whether routes to C-RPs and the BSR are available.
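The requirement that every router map a group G to the same RP can be checked offline from the RP sets that display pim rp-info prints. The following is an added example (not HP code): it implements the BSR RP selection the guide relies on, the longest group-range match, then the lowest C-RP priority value, then the RFC 4601 section 4.7.2 hash with the configured Hash mask length, then the highest C-RP address, and compares the result across routers. The C-RP sets are constructed from the RP information shown in this chapter's display output; the 32-bit intermediate arithmetic is the usual implementation choice and is labelled as such in the code.

```python
"""BSR RP selection: which RP a group maps to, and whether routers agree.

Added example (not HP code). The hash is the RFC 4601 section 4.7.2 function
used by the bootstrap mechanism; the C-RP sets are constructed from the
rp-info output shown in this chapter.
"""
import ipaddress
from dataclasses import dataclass

MOD31 = 1 << 31
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class CRP:
    address: str        # C-RP address
    group_range: str    # group range served, e.g. "239.0.0.0/8"
    priority: int = 0   # lower value wins, as for the c-rp priority keyword


def _u32(ip):
    return int(ipaddress.ip_address(ip))


def rp_hash(group, crp_address, hash_mask_length):
    """Value(G,M,C) = (1103515245 * ((1103515245 * (G&M) + 12345) XOR C) + 12345) mod 2^31.
    Intermediate products are reduced to 32 bits (assumed, as implementations do)."""
    mask = (MASK32 << (32 - hash_mask_length)) & MASK32
    g = _u32(group) & mask
    inner = (1103515245 * g + 12345) & MASK32
    return ((1103515245 * (inner ^ _u32(crp_address)) + 12345) & MASK32) % MOD31


def select_rp(group, crps, hash_mask_length=30):
    """Longest group-range match, then lowest priority value, then highest
    hash value, then highest C-RP address. Returns the RP address or None."""
    g = ipaddress.ip_address(group)
    matching = [c for c in crps if g in ipaddress.ip_network(c.group_range)]
    if not matching:
        return None
    longest = max(ipaddress.ip_network(c.group_range).prefixlen for c in matching)
    matching = [c for c in matching
                if ipaddress.ip_network(c.group_range).prefixlen == longest]
    best_prio = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best_prio]
    winner = max(matching, key=lambda c: (rp_hash(group, c.address, hash_mask_length),
                                          _u32(c.address)))
    return winner.address


def rp_agreement(group, rp_sets, hash_mask_length=30):
    """rp_sets maps router name -> C-RP list as that router sees it.
    More than one distinct value in the result means the routers disagree on
    the RP for this group, and PIM-SM will not converge for it."""
    return {name: select_rp(group, crps, hash_mask_length)
            for name, crps in rp_sets.items()}


# Constructed from the RP information shown in the admin-scope zone example.
RP_SET = [
    CRP("10.110.9.1", "224.0.0.0/4"),
    CRP("10.110.4.2", "239.0.0.0/8"),
]

if __name__ == "__main__":
    print("239.1.1.1 ->", select_rp("239.1.1.1", RP_SET))
    print("224.1.1.1 ->", select_rp("224.1.1.1", RP_SET))
    print(rp_agreement("239.1.1.1", {"FirewallD": RP_SET,
                                     "FirewallF": [CRP("10.110.9.1", "224.0.0.0/4")]}))
```

The last line of the usage section reproduces the failure the text warns about: a router that has not learned the 239.0.0.0/8 C-RP falls back to the 224.0.0.0/4 RP for 239.1.1.1, so its joins go to a different RP than its neighbors' joins.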
MSDP configuration NOTE: The firewall supports MSDP configuration only in the CLI. Multicast source discovery protocol (MSDP) is an inter-domain multicast solution developed to address the interconnection of protocol independent multicast sparse mode (PIM-SM) domains. It is used to discover multicast source information in other PIM-SM domains.
NOTE: All the configuration tasks should be carried out on RPs in PIM-SM domains, and each of these RPs acts as an MSDP peer.

Configuring basic functions of MSDP
Configuration prerequisites
Before configuring the basic functions of MSDP, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Create an MSDP peer connection
    Command: peer peer-address connect-interface interface-type interface-number
    Remarks: Required. No MSDP peer connection is created by default.

NOTE: If an interface of the router is shared by an MSDP peer and a BGP/MBGP peer at the same time, we recommend that you use the IP address of the BGP/MBGP peer as the IP address of the MSDP peer.

Configuring a static RPF peer
Configuring static RPF peers avoids the RPF check of SA messages.
Enter system view
    Command: system-view
    Remarks: —
Enter public instance MSDP view
    Command: msdp
    Remarks: —
Configure a description for an MSDP peer
    Command: peer peer-address description text
    Remarks: Optional. No description is configured for MSDP peers by default.

Configuring an MSDP mesh group
An AS may contain multiple MSDP peers. You can use the MSDP mesh group mechanism to avoid SA message flooding among these MSDP peers and optimize the multicast traffic.
Follow these steps to configure MSDP peer connection control:
Follow these steps to configure the SA message content:
• Before creating an SA message with an encapsulated multicast data packet, the router checks the TTL value of the multicast data packet. If the TTL value is less than the threshold, the router does not create an SA message; if the TTL value is greater than or equal to the threshold, the router encapsulates the multicast data in an SA message and sends the SA message out.
Configure the maximum number of (S, G) entries learned from the specified MSDP peer that the router can cache
    Command: peer peer-address sa-cache-maximum sa-limit
    Remarks: Optional. 8192 by default.

Displaying and maintaining MSDP
Network diagram
Figure 230 Network diagram for inter-AS multicast configuration leveraging BGP routes
Device, interface and IP address (as extracted): Device A GE0/1 10.110.1.2/24; Device D GE0/1 10.110.4.2/24; GE0/2 10.110.2.1/24; GE0/2 10.110.5.1/24; Firewall B; Firewall C; GE0/3 10.110.3.1/24; GE0/1 10.110.6.1/24; GE0/1 10.110.1.1/24; Firewall E GE0/3 192.168.3.2/24; GE0/0 192.168.1.1/24; Loop0 3.3.3.3/32; GE0/1 10.110.6.2/24; GE0/2 10.110.7.1/24; Loop0 1.1.1.
[DeviceA-GigabitEthernet0/1] pim sm
[DeviceA-GigabitEthernet0/1] quit
[DeviceA] interface gigabitEthernet 0/2
[DeviceA-GigabitEthernet0/2] pim sm
[DeviceA-GigabitEthernet0/2] quit
[DeviceA] interface gigabitEthernet 0/3
[DeviceA-GigabitEthernet0/3] igmp enable
[DeviceA-GigabitEthernet0/3] pim sm
[DeviceA-GigabitEthernet0/3] quit
The configuration on Firewall B, Firewall C, Device D, Firewall E, and Device F is similar to the configuration on Device A.
# Configure a PIM domain border on Firewall B.
[FirewallB-ospf-1] import-route bgp
[FirewallB-ospf-1] quit
The configuration on Firewall C and Firewall E is similar to the configuration on Firewall B.
5. Configure MSDP peers
# Configure an MSDP peer on Firewall B.
[FirewallB] msdp
[FirewallB-msdp] peer 192.168.1.2 connect-interface gigabitEthernet 0/0
[FirewallB-msdp] quit
# Configure MSDP peers on Firewall C.
[FirewallC] msdp
[FirewallC-msdp] peer 192.168.1.1 connect-interface gigabitEthernet 0/0
[FirewallC-msdp] peer 192.168.3.
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down   State
  192.168.3.1     4   200       16       14     0        1  00:10:58  Established

To view the BGP routing table information on the firewalls, use the display bgp routing-table command. For example:
# View the BGP routing table information on Firewall C.
[FirewallC] display bgp routing-table
 Total Number of Routes: 13
 BGP Local Firewall ID is 2.2.2.
 Configured   Up   Listen   Connect   Shutdown   Down
 2            2    0        0         0          0

 Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
 192.168.3.2      Up      00:15:32       200   8          0
 192.168.1.1      Up      00:06:39       100   13         0
# View the brief information about MSDP peering relationships on Firewall E.
[FirewallE] display msdp brief
MSDP Peer Brief Information of VPN-Instance: public net
 Configured   Up   Listen   Connect   Shutdown   Down
 1            1    0        0         0          0

 Peer's Address   State   Up/Down time   AS    SA Count   Reset Count
 192.168.
Inter-AS multicast configuration leveraging static RPF peers
Network requirements
• There are two ASs in the network, AS 100 and AS 200. OSPF runs within each AS, and BGP runs between the two ASs.
• PIM-SM 1 belongs to AS 100, while PIM-SM 2 and PIM-SM 3 belong to AS 200.
• Each PIM-SM domain has zero or one multicast source and receiver. OSPF runs within each domain to provide unicast routes.
Network diagram
Figure 231 Network diagram for inter-AS multicast configuration leveraging static RPF peers
Device, interface and IP address (as extracted): Device A GE0/1 10.110.1.2/24; Device D GE0/1 10.110.4.2/24; GE0/2 10.110.2.1/24; GE0/2 10.110.5.1/24; Firewall B; Firewall C; GE0/3 10.110.3.1/24; GE0/1 10.110.6.1/24; GE0/1 10.110.1.1/24; Firewall E GE0/3 192.168.3.2/24; GE0/0 192.168.1.1/24; Loop0 3.3.3.3/32; GE0/1 10.110.6.2/24; GE0/2 10.110.7.1/24; GE0/3 192.168.3.
[DeviceA-GigabitEthernet0/1] pim sm
[DeviceA-GigabitEthernet0/1] quit
[DeviceA] interface gigabitEthernet 0/2
[DeviceA-GigabitEthernet0/2] pim sm
[DeviceA-GigabitEthernet0/2] quit
[DeviceA] interface gigabitEthernet 0/3
[DeviceA-GigabitEthernet0/3] igmp enable
[DeviceA-GigabitEthernet0/3] pim sm
[DeviceA-GigabitEthernet0/3] quit
The configuration on Firewall B, Firewall C, Device D, Firewall E, and Device F is similar to the configuration on Device A.
# Configure PIM domain borders on Firewall B.
[FirewallE-msdp] static-rpf-peer 192.168.3.1 rp-policy list-c
[FirewallE-msdp] quit
5. Verify the configuration
Use the display bgp peer command to view the BGP peering relationships between the devices. If the command gives no output, no BGP peering relationship has been established between the devices.
The Firewall ID of Firewall B is 1.1.1.1, while the Firewall ID of Firewall D is 2.2.2.2. Set up an MSDP peering relationship between Firewall B and Firewall D.
[FirewallB] multicast routing-enable
[FirewallB] interface gigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] igmp enable
[FirewallB-GigabitEthernet0/1] pim sm
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface gigabitEthernet 0/3
[FirewallB-GigabitEthernet0/3] pim sm
[FirewallB-GigabitEthernet0/3] quit
[FirewallB] interface gigabitEthernet 0/0
[FirewallB-GigabitEthernet0/0] pim sm
[FirewallB-GigabitEthernet0/0] quit
[FirewallB] interface loopback 0
[FirewallB-LoopBack0] pim sm
[FirewallB-LoopBack0]
MSDP Peer Brief Information of VPN-Instance: public net
 Configured   Up   Listen   Connect   Shutdown   Down
 1            1    0        0         0          0

 Peer's Address   State   Up/Down time   AS   SA Count   Reset Count
 2.2.2.2          Up      00:10:17       ?    0          0
# View the brief MSDP peer information on Firewall D.
[FirewallD] display msdp brief
MSDP Peer Brief Information of VPN-Instance: public net
 Configured   Up   Listen   Connect   Shutdown   Down
 1            1    0        0         0          0

 Peer's Address   State   Up/Down time   AS   SA Count   Reset Count
 1.1.1.
[FirewallD] display pim routing-table
No information is output on Firewall D.
Host A has left multicast group G, and Source 1 has stopped sending multicast data to multicast group G. When Source 2 (10.110.6.100/24) sends multicast data to G, Host B joins G. By comparing the PIM routing information displayed on Firewall B with that displayed on Firewall D, you can see that Firewall D now acts as the RP for Source 2 and Host B.
# View the PIM routing information on Firewall B.
• Set up an MSDP peering relationship between Firewall A and Firewall C and between Firewall C and Firewall D.
• Source 1 sends multicast data to multicast groups 225.1.1.0/30 and 226.1.1.0/30, and Source 2 sends multicast data to multicast group 227.1.1.0/30.
• Configure SA message filtering rules so that receivers Host A and Host B can receive only the multicast data addressed to multicast groups 225.1.1.0/30 and 226.1.1.
# On Firewall A, enable IP multicast routing, enable PIM-SM on each interface, and enable IGMP on the host-side interface, GigabitEthernet 0/1.
[FirewallC-msdp] peer 192.168.1.1 connect-interface gigabitEthernet 0/1
[FirewallC-msdp] peer 10.110.5.2 connect-interface gigabitEthernet 0/3
[FirewallC-msdp] quit
# Configure an MSDP peer on Firewall D.
[FirewallD] msdp
[FirewallD-msdp] peer 10.110.5.1 connect-interface gigabitEthernet 0/3
[FirewallD-msdp] quit
5. Configure SA message filtering rules
# Configure an SA message filter on Firewall C so that Firewall C will not forward SA messages for (Source 1, 225.1.1.0/30) to Firewall D.
MSDP Total Source-Active Cache - 4 entries
MSDP matched 4 entries
(Source, Group)              Origin RP    Pro  AS   Uptime    Expires
(10.110.3.100, 226.1.1.0)    1.1.1.1      ?    ?    00:32:53  00:05:07
(10.110.3.100, 226.1.1.1)    1.1.1.1      ?    ?    00:32:53  00:05:07
(10.110.3.100, 226.1.1.2)    1.1.1.1      ?    ?    00:32:53  00:05:07
(10.110.3.100, 226.1.1.3)    1.1.1.1      ?    ?    00:32:53  00:05:07

Troubleshooting MSDP
MSDP peers stay in down state
Symptom
The configured MSDP peers stay in the down state.
Solution
1. Check that a route is available between the routers. Use the display ip routing-table command to check whether the unicast route between the routers is correct.
2. Check that a unicast route is available between the two routers that will become MSDP peers to each other.
3. Check the configuration of the import-source command and its acl-number argument, and make sure the ACL rule filters the appropriate (S, G) entries.
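The SA message filtering example above (step 5, where Firewall C must not forward SA messages for (Source 1, 225.1.1.0/30) to Firewall D) and the display msdp sa-cache output that verifies it can be modelled offline. The following is an added example, not HP code: an ACL-style export policy with first-match semantics applied to a parsed SA cache, showing which (S, G) pairs leave towards the peer. The rules, the default action for SAs that match no rule, and the cache text are constructed; the cache lines copy the layout of the output shown above, with the 225.1.1.0/30 entries added so the filter has something to drop.

```python
"""SA message export filtering modelled on the 'SA message filtering' example.

Added example (not HP code). EXPORT_POLICY, the default action and SA_CACHE
are constructed; the cache lines follow the 'display msdp sa-cache' layout
shown in this chapter.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SARule:
    action: str                       # "permit" or "deny"
    source: ipaddress.IPv4Network
    group: ipaddress.IPv4Network


def rule(action, source, group):
    return SARule(action, ipaddress.ip_network(source), ipaddress.ip_network(group))


# Firewall C -> Firewall D export policy: drop (Source 1, 225.1.1.0/30), pass the rest.
EXPORT_POLICY = [
    rule("deny", "10.110.3.100/32", "225.1.1.0/30"),
    rule("permit", "0.0.0.0/0", "224.0.0.0/4"),
]


def sa_permitted(source, group, rules, default="deny"):
    """First matching rule wins. `default` is the assumed action for an SA
    that matches no rule; the policy above ends with an explicit permit so
    it does not depend on that assumption."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for r in rules:
        if s in r.source and g in r.group:
            return r.action == "permit"
    return default == "permit"


# Constructed SA cache, in the layout of 'display msdp sa-cache'.
SA_CACHE = """\
(Source, Group) Origin RP Pro AS Uptime Expires
(10.110.3.100, 225.1.1.0) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 225.1.1.1) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 225.1.1.2) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 225.1.1.3) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.0) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.1) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.2) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.3) 1.1.1.1 ? ? 00:32:53 00:05:07
"""

SA_LINE_RE = re.compile(r"^\((\d+\.\d+\.\d+\.\d+), (\d+\.\d+\.\d+\.\d+)\)\s+(\S+)")


def parse_sa_cache(text):
    """Return [(source, group, origin_rp), ...]; the header line does not match."""
    out = []
    for line in text.splitlines():
        m = SA_LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def export_sa(cache, rules):
    """Split cached SAs into (forwarded, dropped) lists for one peer."""
    forwarded, dropped = [], []
    for s, g, rp in cache:
        (forwarded if sa_permitted(s, g, rules) else dropped).append((s, g, rp))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = export_sa(parse_sa_cache(SA_CACHE), EXPORT_POLICY)
    print("forwarded to peer:", [g for _, g, _ in fwd])
    print("dropped:", [g for _, g, _ in drop])
```

Run as a script, the four 226.1.1.0/30 entries are forwarded and the four 225.1.1.0/30 entries are dropped, which is the cache the peer ends up with in the display output above.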
SSL configuration NOTE: The firewall supports configuring SSL only in the command line interface (CLI). SSL overview Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online bank fields to ensure secure data transmission over the Internet.
SSL protocol stack
As shown in Figure 235, the SSL protocol consists of two layers: the SSL record protocol at the lower layer, and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 235 SSL protocol stack
• SSL record protocol—Fragments data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
Configuration procedure
Follow these steps to configure an SSL server policy:
Enter system view
    Command: system-view
    Remarks: —
Create an SSL server policy and enter its view
    Command: ssl server-policy policy-name
    Remarks: Required.
Specify a PKI domain for the SSL server policy
    Command: pki-domain domain-name
    Remarks: Required. By default, no PKI domain is specified for an SSL server policy.
NOTE: In this example, Windows Server works as the CA and the Simple Certificate Enrollment Protocol (SCEP) plug-in is installed on the CA.
Figure 236 Network diagram for SSL server policy configuration
Configuration procedure
1. Request a certificate for Firewall
# Configure a PKI entity named en.
system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server1
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-entity-en] quit
# Configure a PKI domain.
3. Associate HTTPS service with the SSL server policy and enable HTTPS service
# Configure HTTPS service to use SSL server policy myssl.
[Firewall] ip https ssl-server-policy myssl
# Enable HTTPS service.
[Firewall] ip https enable
4. Verify your configuration
Launch IE on the host and enter https://10.1.1.1 in the address bar. You should be able to log in to Firewall and manage it. The browser must trust the CA that issued the certificate requested in step 1; otherwise it warns that the server certificate cannot be verified.
Displaying and maintaining SSL
Display SSL server policy information
    Command: display ssl server-policy { policy-name | all }
    Remarks: Available in any view
Display SSL client policy information
    Command: display ssl client-policy { policy-name | all }
    Remarks: Available in any view

Troubleshooting SSL
Symptom
As the SSL server, the firewall fails to handshake with the SSL client.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a firewall chassis or a firewall module. Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device.
Index
A
ARP overview, 184
B
Blackhole-type inline Layer 2 forwarding configuration example, 96
BOOTP client configuration example, 158
C
Configuring gratuitous ARP, 192
Configuring IGMP in the CLI, 415
Configuring IGMP in the web interface, 409
Configuring inline Layer 2 forwarding, 92
Configuring inter-VLAN Layer 2 forwarding, 96
Configuring inter-VLAN Layer 3 forwarding, 204
Configuring IP addresses, 18
Configuring Layer 3 subinterface forwarding, 201
Configuring MSTP in the web interfac
D
Displaying and maintaining SSL, 514
Displaying and maintaining the DHCP client, 154
Displaying routing table in the CLI, 376
Displaying routing table in the web interface, 375
E
Enabling proxy ARP, 195
Enabling the DHCP client on an interface, 153
F
Forward-type inline Layer 2 forwarding configuration example, 95
Fra
M
Managing interfaces in the CLI, 7
Managing interfaces in the web interface, 1
MSDP configuration examples, 490
MSDP configuration task list, 483
O
Overview, 43
Overview, 212
Overview, 377